Registry as NodePort (30500) so kubelet can pull via host loopback while in-cluster pods push via cluster DNS

templates/registry.yaml

@@ -82,11 +82,17 @@ metadata:
   labels:
     odoosky.io/component: registry
 spec:
-  type: ClusterIP
+  # NodePort, not ClusterIP. The kubelet runs on the host and can't
+  # resolve cluster DNS, so it pulls images via 127.0.0.1:<nodePort>
+  # mapped in /etc/rancher/k3s/registries.yaml. In-cluster build Jobs
+  # push to the cluster-DNS hostname, which routes through the
+  # ClusterIP. Same registry, two reachability paths.
+  type: NodePort
   ports:
     - name: http
       port: {{ .Values.registry.service.port }}
       targetPort: 5000
+      nodePort: {{ .Values.registry.service.nodePort }}
   selector:
     odoosky.io/component: registry
 {{- end }}