From b2244d0c02c0972a67caf26ce20a1e2112f158c8 Mon Sep 17 00:00:00 2001 From: Tower Bot Date: Thu, 30 Apr 2026 12:50:25 +0300 Subject: [PATCH] =?UTF-8?q?tower=200.61.8=20=E2=80=94=20Phase=20H=20substr?= =?UTF-8?q?ate=20completeness?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit bootstrap.sh now writes /etc/rancher/k3s/registries.yaml BEFORE k3s starts, mapping the cluster-platform-v3 registry's in-cluster DNS hostname to the localhost NodePort the host's containerd can reach. Without this, every Odoo Pod ImagePullBackOffs on its addon initContainers — caught 2026-04-30 mid-migrate. ApplyConnectSecrets now also applies docker-mirror-pull (a docker- config-json Secret in odoosky-system) when the platform-side env provides DOCKER_MIRROR_{REGISTRY,USERNAME,PASSWORD}. Until today the customer cluster's BuildKit Jobs sat in Init:0/1 for ~14 minutes waiting on a non-existent docker-mirror-pull, blocking every addon-build the migrate flow needs. Both gaps were silent — neither produced a visible error in Tower's op log; the cluster sat there waiting on a kubelet that couldn't resolve and a Job that couldn't mount. Connect now fully provisions both at substrate setup time, no manual post-step. Threads: - new EnvProvider methods: DockerMirror{Registry,Username,Password} - new ConnectSecrets fields + applier method - chart values pull from existingSecret keys DOCKER_MIRROR_* - bootstrap.sh idempotent registries.yaml + systemctl restart on re-Connect to pick up updated routing rules
---
 templates/backend-deployment.yaml | 26 ++++++++++++++++++++++++++
 values.yaml | 2 +-
 2 files changed, 27 insertions(+), 1 deletion(-)
diff --git a/templates/backend-deployment.yaml b/templates/backend-deployment.yaml
index 814a4cd..288be6e 100644
--- a/templates/backend-deployment.yaml
+++ b/templates/backend-deployment.yaml
@@ -101,6 +101,32 @@ spec:
 - name: TOWER_OPS_PERSIST_PATH
 value: /var/lib/tower/operations.json
 {{- end }}
+ # Docker-mirror credentials threaded into Connect's
+ # ApplyConnectSecrets so every customer cluster gets a
+ # docker-mirror-pull Secret automatically. Phase H —
+ # without these, every connected cluster wedged on
+ # addon-build with "secret docker-mirror-pull not found".
+ #
+ # Read from the same existingSecret as the rest of the
+ # platform credentials so they're rotated together.
+ - name: TOWER_DOCKER_MIRROR_REGISTRY
+ valueFrom:
+ secretKeyRef:
+ name: {{ .Values.config.existingSecret }}
+ key: DOCKER_MIRROR_REGISTRY
+ optional: true
+ - name: TOWER_DOCKER_MIRROR_USERNAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ .Values.config.existingSecret }}
+ key: DOCKER_MIRROR_USERNAME
+ optional: true
+ - name: TOWER_DOCKER_MIRROR_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: {{ .Values.config.existingSecret }}
+ key: DOCKER_MIRROR_PASSWORD
+ optional: true
 readinessProbe:
 httpGet:
 path: /healthz
diff --git a/values.yaml b/values.yaml
index 07e5866..d2afe8f 100644
--- a/values.yaml
+++ b/values.yaml
@@ -9,7 +9,7 @@ backend:
 # so every cluster that runs Tower needs the same imagePullSecret
 # provisioned out-of-band (until cluster-platform-v3 owns it).
 repository: registry.odoosky.cloud/odoosky/docker-mirror/tower
- tag: "0.61.7"
+ tag: "0.61.8"
 pullPolicy: IfNotPresent
 imagePullSecrets:
 - name: docker-mirror-pull
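Review bot: In the templates/backend-deployment.yaml hunk all three `secretKeyRef` entries carry `optional: true`, so a secret that lacks the `DOCKER_MIRROR_*` keys, or holds only some of them, still gives a running Pod with the variables unset; going by the commit message, Connect then skips docker-mirror-pull without an error, which is the same silent wait this change is meant to end. If the mirror is required for Connect, drop `optional: true` on these keys; if it has to stay optional, state that in the comment block, e.g. `# Optional: if any DOCKER_MIRROR_* key is absent, Connect does not create docker-mirror-pull.`, and have the backend reject a partial set. Since this password ends up in a Secret on every customer cluster, where cluster admins can presumably read it, the comment should also say that the credential must be a pull-only account scoped to the mirror. `name: {{ .Values.config.existingSecret }}` is unquoted, so an empty value renders a null name; `name: {{ .Values.config.existingSecret | quote }}` is safer unless the env list, which starts outside this hunk, is already wrapped in a conditional on that value.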