Task 1's recovery from the broken `:latest` image rollout left `keel.sh/policy=never` set imperatively via `kubectl annotate` — out of TF, which violates the "all infra via TF" rule. Now codified alongside match-tag, trigger, pollSchedule. Removed those three keys from `ignore_changes` (was the original "Keel manages these" pattern, no longer correct for this deployment). Also added KYVERNO_LIFECYCLE_V1 `ignore_changes` on the presence_schema migration Job so future applies don't try to replace it over the Kyverno-injected ndots dns_config. Verified: 0 added, 3 changed (unrelated pre-existing drift on beadboard/workbench/service), 0 destroyed. Dolt pod uninterrupted (revision 13 preserved).

| Name |
|---|
| .terragrunt-cloudflare-skip |
| cloudflare_provider.tf |
| main.tf |
| secrets |
| terragrunt.hcl |
| tiers.tf |