fix(infra): move Keel annotations to StatefulSet metadata

Keel reads annotations from the workload's metadata, not the pod template. Moving annotations from spec.template.metadata to metadata fixes auto-updates. Also: - Set NAMESPACE="" on Keel deployment to watch all namespaces - Keep ghcr credentials config (optional, for private registries) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-23 18:44:38 -06:00
parent c1809d72ae
commit 747bc4a5f0
1 changed files with 9 additions and 7 deletions
--- a/infra/terraform/app.tf
+++ b/infra/terraform/app.tf
@@ -125,6 +125,13 @@ resource "kubernetes_stateful_set" "app" {
    labels = {
      app = "abaci-app"
    }
+    # Keel annotations for automatic image updates
+    # These MUST be on the StatefulSet metadata, not just the pod template
+    annotations = {
+      "keel.sh/policy"       = "force"     # Update even for same tags (:latest)
+      "keel.sh/trigger"      = "poll"      # Use registry polling
+      "keel.sh/pollSchedule" = "@every 2m" # Check every 2 minutes
+    }
  }

  spec {
@@ -150,13 +157,8 @@ resource "kubernetes_stateful_set" "app" {
        labels = {
          app = "abaci-app"
        }
-        # Keel annotations for automatic image updates
-        # When a new :latest image is pushed, Keel triggers a rolling update
-        annotations = {
-          "keel.sh/policy"       = "force"     # Update even for same tags (:latest)
-          "keel.sh/trigger"      = "poll"      # Use registry polling
-          "keel.sh/pollSchedule" = "@every 2m" # Check every 2 minutes
-        }
+        # Note: Keel annotations are on the StatefulSet metadata above, not here
+        # Pod template annotations are for other purposes
      }

      spec {