From a4f1d179e9ab7973af400ac52df60667336513fc Mon Sep 17 00:00:00 2001
From: MichaelFisher1997
Date: Sun, 26 Apr 2026 01:35:16 +0000
Subject: [PATCH] fix: use Rancher registry for webhook image
---
 .gitea/workflows/deploy.yml | 37 +++++++++++++++++++
 .../addons/rancher/helmrelease-rancher.yaml | 5 +++
 2 files changed, 42 insertions(+)
diff --git a/.gitea/workflows/deploy.yml b/.gitea/workflows/deploy.yml
index a5cc1fc..653878e 100644
--- a/.gitea/workflows/deploy.yml
+++ b/.gitea/workflows/deploy.yml
@@ -611,6 +611,41 @@ jobs:
 exit 1
 }
+ pull_image_on_matching_pod_nodes() {
+ local namespace="$1"
+ local selector="$2"
+ local image="$3"
+ local attempts="$4"
+ local sleep_seconds="$5"
+ local nodes
+
+ nodes="$(kubectl -n "${namespace}" get pods -l "${selector}" -o jsonpath='{range .items[*]}{.spec.nodeName}{"\n"}{end}' 2>/dev/null | sort -u)"
+ if [ -z "${nodes}" ]; then
+ echo "No pods found for ${namespace}/${selector}; skipping targeted image pull for ${image}" >&2
+ return 0
+ fi
+
+ for node in ${nodes}; do
+ local node_ip
+ local pulled=false
+ node_ip="$(kubectl get node "${node}" -o jsonpath='{.status.addresses[?(@.type=="InternalIP")].address}')"
+
+ for attempt in $(seq 1 "${attempts}"); do
+ echo "Pre-pulling ${image} on ${node}/${node_ip} (${attempt}/${attempts})"
+ if ssh -i "$HOME/.ssh/id_ed25519" -o StrictHostKeyChecking=no -o ConnectTimeout=10 "ubuntu@${node_ip}" \
+ "sudo k3s crictl inspecti '${image}' >/dev/null 2>&1 || (sudo k3s crictl pull '${image}' && sudo k3s crictl inspecti '${image}' >/dev/null 2>&1)"; then
+ pulled=true
+ break
+ fi
+ sleep "${sleep_seconds}"
+ done
+
+ if [ "${pulled}" != "true" ]; then
+ echo "Best-effort targeted image pre-pull did not complete for ${image} on ${node}/${node_ip}" >&2
+ fi
+ done
+ }
+
 echo "Waiting for Rancher..."
 wait_for_resource flux-system kustomization.kustomize.toolkit.fluxcd.io/addon-rancher 600
 kubectl -n flux-system annotate kustomization/addon-rancher reconcile.fluxcd.io/requestedAt="$(date +%s)" --overwrite
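Review bot: The `ssh` call in the inner retry loop sets `-o StrictHostKeyChecking=no`, so the runner never verifies which host it authenticates to before running `sudo k3s crictl` there, and a wrong or spoofed address is accepted silently. Record the node host keys where the nodes are provisioned (not visible in this hunk) and connect with `-o StrictHostKeyChecking=yes`; `accept-new` adds little on a runner that starts with an empty known_hosts. `node_ip` is also used unchecked: when the jsonpath lookup returns nothing, every attempt fails and the loop still sleeps through all retries, so add `[ -n "${node_ip}" ] || continue` right after the lookup. `node` and `attempt` are not declared `local` and leak into the surrounding step script.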
@@ -622,6 +657,8 @@ jobs:
 wait_for_resource cattle-system deployment/cattle-system-rancher 600
 kubectl -n cattle-system rollout status deployment/cattle-system-rancher --timeout=900s
 wait_for_resource cattle-system deployment/rancher-webhook 900
+ pull_image_on_matching_pod_nodes cattle-system app=rancher-webhook registry.rancher.com/rancher/rancher-webhook:v0.9.3 12 10
+ kubectl -n cattle-system rollout restart deployment/rancher-webhook
 kubectl -n cattle-system rollout status deployment/rancher-webhook --timeout=900s
 wait_for_resource cattle-system issuer/cattle-system-rancher 900
 wait_for_resource cattle-system certificate/tls-rancher-ingress 900
diff --git a/infrastructure/addons/rancher/helmrelease-rancher.yaml b/infrastructure/addons/rancher/helmrelease-rancher.yaml
index 9d670af..e9dd725 100644
--- a/infrastructure/addons/rancher/helmrelease-rancher.yaml
+++ b/infrastructure/addons/rancher/helmrelease-rancher.yaml
@@ -29,6 +29,11 @@ spec:
 value: "true"
 - name: CATTLE_FEATURES
 value: "managed-system-upgrade-controller=false"
+ webhook:
+ image:
+ repository: registry.rancher.com/rancher/rancher-webhook
+ tag: v0.9.3
+ imagePullPolicy: IfNotPresent
 resources:
 requests:
 cpu: 500m
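Review bot: The image reference `registry.rancher.com/rancher/rancher-webhook:v0.9.3` is hard-coded on the added `pull_image_on_matching_pod_nodes` call and again in the `webhook.image` values of helmrelease-rancher.yaml, so a later bump in one place leaves the pre-pull warming an image the deployment no longer uses. Read it from the live object instead, e.g. `image="$(kubectl -n cattle-system get deployment/rancher-webhook -o jsonpath='{.spec.template.spec.containers[0].image}')"`, and pass `"${image}"` to the helper. The pre-pull also covers only nodes that currently host a webhook pod, while the `rollout restart` that follows may schedule the new pod elsewhere, so the warmed cache is not guaranteed to be hit. The surrounding step script starts and ends outside this hunk.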
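Review bot: The added `webhook.image` override in helmrelease-rancher.yaml pins the image by mutable tag (`tag: v0.9.3`) together with `imagePullPolicy: IfNotPresent`, so each node keeps whatever content it first pulled under that tag and nothing ties the running image to a known digest. The block is also undocumented; a comment above `webhook:` such as `# Override: pull rancher-webhook from registry.rancher.com; re-check the tag on every Rancher chart upgrade` would record why it exists. The fixed tag presumably stays in place when the Rancher chart version changes, which risks a Rancher/webhook version mismatch. Whether the chart accepts a digest at this key, and how `webhook:` nests relative to `resources:`, cannot be confirmed from this hunk.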