Prep for moving payslip-ingest's image build off-infra to GitHub Actions -> ghcr.io (ADR-0002 wave 2, issue #24).

One stack commit before onboarding:

- image base repointed forgejo.viktorbarzin.me/viktor/payslip-ingest -> ghcr.io/viktorbarzin/payslip-ingest (private ghcr package)
- ghcr-credentials imagePullSecrets added on the Deployment AND the actualbudget-payroll-sync CronJob pod specs (namespace is already in the kyverno sync-ghcr-credentials allowlist; secret verified present)
- the CronJob's SHA pin is retired: terragrunt image_tag 4f70681d -> latest plus explicit imagePullPolicy Always on the cron container, per the fleet convention for owned-app CronJobs — one less set-image target, and the cron can never go back to pulling the dead Forgejo tag

The Deployment keeps KEEL_IGNORE_IMAGE; its concrete :sha8 tag is set by the Woodpecker deploy pipeline after each GHA build.

Closes: nothing yet — the repo-side onboarding (offinfra-onboard) follows.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
28 lines
793 B
HCL
```hcl
include "root" {
  path = find_in_parent_folders()
}

dependency "platform" {
  config_path  = "../platform"
  skip_outputs = true
}

dependency "vault" {
  config_path  = "../vault"
  skip_outputs = true
}

dependency "external-secrets" {
  config_path  = "../external-secrets"
  skip_outputs = true
}

inputs = {
  # :latest — CI drives the rollout (ADR-0002, issue #24): every master push
  # builds :<sha8> + :latest on ghcr, then the Woodpecker deploy pipeline sets
  # the Deployment to the concrete SHA (image is KEEL_IGNORE_IMAGE'd in the
  # stack). The actualbudget-payroll-sync CronJob tracks :latest with
  # imagePullPolicy Always — the old SHA pin (4f70681d, a Forgejo-only tag)
  # is retired so the cron can never reference the dead registry path.
  image_tag = "latest"
}
```
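The three changes listed in the commit message can be checked against rendered workload manifests after the apply. The following is an added example, not code from this repository: the function names, the container name `sync` and the three sample manifests are constructed for illustration, while the registry paths, secret name and CronJob name are taken from the commit message.

```python
"""Post-migration audit for the registry move described in the commit message."""

OLD_REGISTRY = "forgejo.viktorbarzin.me/"            # retired path (commit message)
NEW_IMAGE = "ghcr.io/viktorbarzin/payslip-ingest"    # private ghcr package
PULL_SECRET = "ghcr-credentials"                     # synced into the namespace


def pod_spec(obj):
    """Return the pod spec of a Deployment or CronJob manifest (as a dict)."""
    if obj["kind"] == "CronJob":
        return obj["spec"]["jobTemplate"]["spec"]["template"]["spec"]
    return obj["spec"]["template"]["spec"]


def audit(obj):
    """List findings for one workload; an empty list means it matches the commit."""
    findings = []
    spec = pod_spec(obj)
    secrets = {s["name"] for s in spec.get("imagePullSecrets", [])}
    for c in spec["containers"]:
        image = c["image"]
        if image.startswith(OLD_REGISTRY):
            findings.append(f"{c['name']}: still pulls from retired registry")
        if image.startswith(NEW_IMAGE) and PULL_SECRET not in secrets:
            findings.append(f"{c['name']}: private ghcr image without {PULL_SECRET}")
        # A mutable tag only tracks new builds if every pod start re-pulls it.
        # The commit sets the policy explicitly, so a missing field is flagged too.
        tag = image.rsplit(":", 1)[1] if ":" in image.rsplit("/", 1)[-1] else "latest"
        if tag == "latest" and c.get("imagePullPolicy") != "Always":
            findings.append(f"{c['name']}: :latest without imagePullPolicy Always")
    return findings


def cronjob(image, pull_policy=None, secrets=()):
    """Build a minimal constructed CronJob manifest for the samples below."""
    container = {"name": "sync", "image": image}
    if pull_policy:
        container["imagePullPolicy"] = pull_policy
    spec = {"containers": [container],
            "imagePullSecrets": [{"name": s} for s in secrets]}
    return {"kind": "CronJob", "metadata": {"name": "actualbudget-payroll-sync"},
            "spec": {"jobTemplate": {"spec": {"template": {"spec": spec}}}}}


# Constructed samples: the old SHA pin, the state this commit targets, a partial apply.
BEFORE = cronjob(OLD_REGISTRY + "viktor/payslip-ingest:4f70681d")
AFTER = cronjob(NEW_IMAGE + ":latest", "Always", [PULL_SECRET])
HALF_DONE = cronjob(NEW_IMAGE + ":latest")

if __name__ == "__main__":
    for label, obj in (("before", BEFORE), ("after", AFTER), ("half-done", HALF_DONE)):
        print(label, audit(obj) or "ok")
```
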