Registry as NodePort (30500) so kubelet can pull via host loopback while in-cluster pods push via cluster DNS

2026-04-27 00:56:47 +03:00
parent a1dbe14c20
commit 0c17429d4c
2 changed files with 13 additions and 1 deletions
--- a/templates/registry.yaml
+++ b/templates/registry.yaml
@@ -82,11 +82,17 @@ metadata:
  labels:
    odoosky.io/component: registry
 spec:
-  type: ClusterIP
+  # NodePort, not ClusterIP. The kubelet runs on the host and can't
+  # resolve cluster DNS, so it pulls images via 127.0.0.1:<nodePort>
+  # mapped in /etc/rancher/k3s/registries.yaml. In-cluster build Jobs
+  # push to the cluster-DNS hostname, which routes through the
+  # ClusterIP. Same registry, two reachability paths.
+  type: NodePort
  ports:
    - name: http
      port: {{ .Values.registry.service.port }}
      targetPort: 5000
+      nodePort: {{ .Values.registry.service.nodePort }}
  selector:
    odoosky.io/component: registry
 {{- end }}
--- a/values.yaml
+++ b/values.yaml
@@ -19,6 +19,12 @@ registry:
  # the hostname for HTTP image pulls.
  service:
    port: 5000
+    # NodePort the kubelet on each node uses to reach the registry
+    # (via the host-side 127.0.0.1:<nodePort> mirror entry in
+    # /etc/rancher/k3s/registries.yaml). Picked outside the default
+    # 30000-32767 NodePort range's busy zone; change if the cluster
+    # already uses 30500 for something else.
+    nodePort: 30500
  # Storage. The registry survives node restarts but is recreatable —
  # if the PVC is wiped, Tower's ensureAddonImage will rebuild any
  # missing images from Gitea source on demand. So we don't need a