bootstrap.sh now writes /etc/rancher/k3s/registries.yaml BEFORE k3s
starts, mapping the cluster-platform-v3 registry's in-cluster DNS
hostname to the localhost NodePort the host's containerd can reach.
Without this, every Odoo Pod ImagePullBackOffs on its addon
initContainers — caught 2026-04-30 mid-migrate.
ApplyConnectSecrets now also applies docker-mirror-pull (a docker-
config-json Secret in odoosky-system) when the platform-side env
provides DOCKER_MIRROR_{REGISTRY,USERNAME,PASSWORD}. Until today
the customer cluster's BuildKit Jobs sat in Init:0/1 for ~14 minutes
waiting on a non-existent docker-mirror-pull, blocking every
addon-build the migrate flow needs.
Both gaps were silent — neither produced a visible error in Tower's
op log; the cluster sat there waiting on a kubelet that couldn't
resolve and a Job that couldn't mount. Connect now fully provisions
both at substrate setup time, no manual post-step.
Threads:
- new EnvProvider methods: DockerMirror{Registry,Username,Password}
- new ConnectSecrets fields + applier method
- chart values pull from existingSecret keys DOCKER_MIRROR_*
- bootstrap.sh idempotent registries.yaml + systemctl restart on
re-Connect to pick up updated routing rules
Lets the substrate endpoint surface the running tag without depending on Go ldflag tricks. Single source of truth: bumping the chart tag automatically bumps what the UI displays.
