From 55d7b8201e3d2603ad0388e7138b3327540e7bf9 Mon Sep 17 00:00:00 2001
From: MichaelFisher1997 <contact@michaelfisher.tech>
Date: Wed, 22 Apr 2026 11:33:13 +0000
Subject: [PATCH] fix: make Rancher image pre-pull best effort and disable
 managed SUC

Docker Hub TLS handshakes are too flaky to make pre-pulling a hard bootstrap
requirement. Treat image pre-pull as opportunistic and disable Rancher's
managed system-upgrade-controller feature so that image is removed from the
critical install path while Rancher and its webhook converge.
---
 ansible/roles/rancher-image-prepull/tasks/main.yml     | 1 +
 infrastructure/addons/rancher/helmrelease-rancher.yaml | 2 ++
 2 files changed, 3 insertions(+)

diff --git a/ansible/roles/rancher-image-prepull/tasks/main.yml b/ansible/roles/rancher-image-prepull/tasks/main.yml
index 7ee4d25..3f9ee9e 100644
--- a/ansible/roles/rancher-image-prepull/tasks/main.yml
+++ b/ansible/roles/rancher-image-prepull/tasks/main.yml
@@ -7,3 +7,4 @@
   until: rancher_image_pull.rc == 0
   loop: "{{ rancher_images_to_prepull }}"
   changed_when: true
+  failed_when: false
diff --git a/infrastructure/addons/rancher/helmrelease-rancher.yaml b/infrastructure/addons/rancher/helmrelease-rancher.yaml
index dd7b243..e1a3b6f 100644
--- a/infrastructure/addons/rancher/helmrelease-rancher.yaml
+++ b/infrastructure/addons/rancher/helmrelease-rancher.yaml
@@ -28,6 +28,8 @@ spec:
     extraEnv:
       - name: CATTLE_PROMETHEUS_METRICS
         value: "true"
+      - name: CATTLE_FEATURES
+        value: "managed-system-upgrade-controller=false"
     resources:
       requests:
         cpu: 500m