From ff08c685cd81efe4cf36595532a9ddf4be9391b5 Mon Sep 17 00:00:00 2001
From: Viktor Barzin <vbarzin@gmail.com>
Date: Fri, 12 Jun 2026 20:13:50 +0000
Subject: [PATCH] =?UTF-8?q?tts:=20image=20is=20TF-owned=20=E2=80=94=20drop?=
 =?UTF-8?q?=20the=20copied=20KEEL=20ignore=20so=20the=20GHCR=20switch=20ap?=
 =?UTF-8?q?plies?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The deployment's lifecycle.ignore_changes still ignored the container
image (copied from the keel-managed tripit pattern), which would have
made the previous commit's GHCR switch a silent no-op on apply. Keel
cannot poll the private GHCR repo anyway; the pinned sha tag is
terraform's to manage.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
---
 stacks/tts/main.tf | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/stacks/tts/main.tf b/stacks/tts/main.tf
index 30bd8eff..298f6bf9 100644
--- a/stacks/tts/main.tf
+++ b/stacks/tts/main.tf
@@ -451,8 +451,9 @@ resource "kubernetes_deployment" "chatterbox" {
     ignore_changes = [
       # Off-peak CronJobs own the replica count — don't let apply reset it.
       spec[0].replicas,
-      spec[0].template[0].spec[0].dns_config,         # KYVERNO_LIFECYCLE_V1
-      spec[0].template[0].spec[0].container[0].image, # KEEL_IGNORE_IMAGE
+      spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1
+      # image is TF-OWNED (pinned GHCR sha tag) — NOT keel-managed: keel can't
+      # poll the private GHCR repo, and the 2026-06-12 registry switch must apply.
       metadata[0].annotations["keel.sh/match-tag"],
       metadata[0].annotations["keel.sh/policy"],
       metadata[0].annotations["keel.sh/trigger"],