tower 0.61.8 — Phase H substrate completeness

bootstrap.sh now writes /etc/rancher/k3s/registries.yaml BEFORE k3s
starts, mapping the cluster-platform-v3 registry's in-cluster DNS
hostname to the localhost NodePort the host's containerd can reach.
Without this, every Odoo Pod ImagePullBackOffs on its addon
initContainers — caught 2026-04-30 mid-migrate.

ApplyConnectSecrets now also applies docker-mirror-pull (a docker-
config-json Secret in odoosky-system) when the platform-side env
provides DOCKER_MIRROR_{REGISTRY,USERNAME,PASSWORD}. Until today
the customer cluster's BuildKit Jobs sat in Init:0/1 for ~14 minutes
waiting on a non-existent docker-mirror-pull, blocking every
addon-build the migrate flow needs.

Both gaps were silent — neither produced a visible error in Tower's
op log; the cluster sat there waiting on a kubelet that couldn't
resolve and a Job that couldn't mount. Connect now fully provisions
both at substrate setup time, no manual post-step.

Threads:
- new EnvProvider methods: DockerMirror{Registry,Username,Password}
- new ConnectSecrets fields + applier method
- chart values pull from existingSecret keys DOCKER_MIRROR_*
- bootstrap.sh idempotent registries.yaml + systemctl restart on
  re-Connect to pick up updated routing rules
@@ -101,6 +101,32 @@ spec:
|
|||||||
- name: TOWER_OPS_PERSIST_PATH
|
- name: TOWER_OPS_PERSIST_PATH
|
||||||
value: /var/lib/tower/operations.json
|
value: /var/lib/tower/operations.json
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
# Docker-mirror credentials threaded into Connect's
|
||||||
|
# ApplyConnectSecrets so every customer cluster gets a
|
||||||
|
# docker-mirror-pull Secret automatically. Phase H —
|
||||||
|
# without these, every connected cluster wedged on
|
||||||
|
# addon-build with "secret docker-mirror-pull not found".
|
||||||
|
#
|
||||||
|
# Read from the same existingSecret as the rest of the
|
||||||
|
# platform credentials so they're rotated together.
|
||||||
|
- name: TOWER_DOCKER_MIRROR_REGISTRY
|
||||||
|
valueFrom:
|
||||||
|
secretKeyRef:
|
||||||
|
name: {{ .Values.config.existingSecret }}
|
||||||
|
key: DOCKER_MIRROR_REGISTRY
|
||||||
|
optional: true
|
||||||
|
- name: TOWER_DOCKER_MIRROR_USERNAME
|
||||||
|
valueFrom:
|
||||||
|
secretKeyRef:
|
||||||
|
name: {{ .Values.config.existingSecret }}
|
||||||
|
key: DOCKER_MIRROR_USERNAME
|
||||||
|
optional: true
|
||||||
|
- name: TOWER_DOCKER_MIRROR_PASSWORD
|
||||||
|
valueFrom:
|
||||||
|
secretKeyRef:
|
||||||
|
name: {{ .Values.config.existingSecret }}
|
||||||
|
key: DOCKER_MIRROR_PASSWORD
|
||||||
|
optional: true
|
||||||
readinessProbe:
|
readinessProbe:
|
||||||
httpGet:
|
httpGet:
|
||||||
path: /healthz
|
path: /healthz
|
||||||
|
|||||||
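Review bot: All three secretKeyRef entries (TOWER_DOCKER_MIRROR_REGISTRY, TOWER_DOCKER_MIRROR_USERNAME, TOWER_DOCKER_MIRROR_PASSWORD) are marked `optional: true`, so a secret that carries only some of the DOCKER_MIRROR_* keys still starts the pod with a partial credential set, and nothing in the manifest surfaces that. Since the commit message describes the original failure as silent, it would help to state in the comment block that the three keys are all-or-none, and to have Tower log a warning at startup when some but not all of them are set, so a half-populated secret does not reproduce the same "secret docker-mirror-pull not found" wait. The new entries also sit after the `{{- end }}` and are rendered unconditionally: if `.Values.config.existingSecret` can be empty, `name:` renders empty here, so consider wrapping the block in `{{- if .Values.config.existingSecret }}` or using `required`.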
@@ -9,7 +9,7 @@ backend:
|
|||||||
# so every cluster that runs Tower needs the same imagePullSecret
|
# so every cluster that runs Tower needs the same imagePullSecret
|
||||||
# provisioned out-of-band (until cluster-platform-v3 owns it).
|
# provisioned out-of-band (until cluster-platform-v3 owns it).
|
||||||
repository: registry.odoosky.cloud/odoosky/docker-mirror/tower
|
repository: registry.odoosky.cloud/odoosky/docker-mirror/tower
|
||||||
tag: "0.61.7"
|
tag: "0.61.8"
|
||||||
pullPolicy: IfNotPresent
|
pullPolicy: IfNotPresent
|
||||||
imagePullSecrets:
|
imagePullSecrets:
|
||||||
- name: docker-mirror-pull
|
- name: docker-mirror-pull
|
||||||
|
|||||||
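Review bot: The `tag: "0.61.8"` bump keeps `pullPolicy: IfNotPresent` on a mutable tag, so a node that has already cached an image under 0.61.8 will never re-pull if the tag is re-pushed, and different nodes can end up running different builds under the same version. Pinning the image by digest alongside the tag would make the deployed build verifiable. The context comment above still says the imagePullSecret is "provisioned out-of-band"; it is worth checking whether that wording still holds after this change and updating it if not.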