OpenStaticFish/HetznerTerra
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: warm External Secrets image before install
Deploy Cluster / Terraform (push) Successful in 32s
Details
Deploy Cluster / Ansible (push) Failing after 21m10s
Details

Browse Source
This commit is contained in:
MichaelFisher1997
2026-04-25 19:46:21 +00:00
parent 17f1815e7f
commit 3c06e046c2
2 changed files with 38 additions and 14 deletions
Download Patch File Download Diff File Expand all files Collapse all files
.gitea/workflows/deploy.yml
+26 -14
View File
@@ -292,6 +292,30 @@ jobs:
done
}
pull_required_image() {
local image="$1"
local host_ip="$2"
local attempts="$3"
local sleep_seconds="$4"
local failure_message="$5"
local pulled=false
for attempt in $(seq 1 "${attempts}"); do
echo "Pre-pulling ${image} on ${host_ip} (${attempt}/${attempts})"
if ssh -i "$HOME/.ssh/id_ed25519" -o StrictHostKeyChecking=no -o ConnectTimeout=10 "ubuntu@${host_ip}" \
"sudo k3s crictl inspecti '${image}' >/dev/null 2>&1 || ((sudo k3s crictl pull --platform linux/amd64 '${image}' || sudo k3s crictl pull '${image}') && sudo k3s crictl inspecti '${image}' >/dev/null 2>&1)"; then
pulled=true
break
fi
sleep "${sleep_seconds}"
done
if [ "${pulled}" != "true" ]; then
echo "${failure_message} ${image} on ${host_ip}" >&2
exit 1
fi
}
eso_diagnostics() {
kubectl -n flux-system get kustomizations,ocirepositories,helmrepositories,helmcharts,helmreleases || true
kubectl -n flux-system describe kustomization addon-external-secrets || true
@@ -418,20 +442,7 @@ jobs:
ghcr.io/fluxcd/kustomize-controller:v1.8.1 \
ghcr.io/fluxcd/helm-controller:v1.5.1 \
ghcr.io/fluxcd/notification-controller:v1.8.1; do
pulled=false
for attempt in $(seq 1 "${FLUX_IMAGE_PULL_ATTEMPTS}"); do
echo "Pre-pulling ${image} on ${PRIMARY_CP_IP} (${attempt}/${FLUX_IMAGE_PULL_ATTEMPTS})"
if ssh -i "$HOME/.ssh/id_ed25519" -o StrictHostKeyChecking=no -o ConnectTimeout=10 "ubuntu@${PRIMARY_CP_IP}" \
"sudo k3s crictl inspecti '${image}' >/dev/null 2>&1 || ((sudo k3s crictl pull --platform linux/amd64 '${image}' || sudo k3s crictl pull '${image}') && sudo k3s crictl inspecti '${image}' >/dev/null 2>&1)"; then
pulled=true
break
fi
sleep "${FLUX_IMAGE_PULL_SLEEP}"
done
if [ "${pulled}" != "true" ]; then
echo "Failed to pre-pull required Flux image ${image} on ${PRIMARY_CP_IP}" >&2
exit 1
fi
pull_required_image "${image}" "${PRIMARY_CP_IP}" "${FLUX_IMAGE_PULL_ATTEMPTS}" "${FLUX_IMAGE_PULL_SLEEP}" "Failed to pre-pull required Flux image"
done
# Apply CRDs and controllers first
kubectl apply -f clusters/prod/flux-system/gotk-components.yaml
@@ -456,6 +467,7 @@ jobs:
# Wait directly on the ESO Helm objects; Kustomization readiness hides useful failure details.
wait_for_resource flux-system kustomization.kustomize.toolkit.fluxcd.io/addon-external-secrets 600
kubectl -n flux-system annotate kustomization/addon-external-secrets reconcile.fluxcd.io/requestedAt="$(date +%s)" --overwrite
pull_required_image oci.external-secrets.io/external-secrets/external-secrets:v2.1.0 "${PRIMARY_CP_IP}" 45 10 "Failed to pre-pull required External Secrets image"
wait_for_flux_oci_helm_release external-secrets external-secrets external-secrets 600s 600
wait_for_resource "" crd/clustersecretstores.external-secrets.io 900
wait_for_resource "" crd/externalsecrets.external-secrets.io 900
infrastructure/addons/external-secrets/helmrelease-external-secrets.yaml
+12
View File
@@ -19,13 +19,25 @@ spec:
retries: 3
values:
installCRDs: true
image:
repository: oci.external-secrets.io/external-secrets/external-secrets
tag: v2.1.0
pullPolicy: IfNotPresent
nodeSelector:
kubernetes.io/hostname: k8s-cluster-cp-1
webhook:
failurePolicy: Ignore
image:
repository: oci.external-secrets.io/external-secrets/external-secrets
tag: v2.1.0
pullPolicy: IfNotPresent
nodeSelector:
kubernetes.io/hostname: k8s-cluster-cp-1
certController:
image:
repository: oci.external-secrets.io/external-secrets/external-secrets
tag: v2.1.0
pullPolicy: IfNotPresent
nodeSelector:
kubernetes.io/hostname: k8s-cluster-cp-1
serviceMonitor: