fix: use Rancher registry for webhook image

2026-04-26 01:35:16 +00:00
parent 9879de5a86
commit a4f1d179e9
2 changed files with 42 additions and 0 deletions
@@ -611,6 +611,41 @@ jobs:
            exit 1
          }

+          pull_image_on_matching_pod_nodes() {
+            local namespace="$1"
+            local selector="$2"
+            local image="$3"
+            local attempts="$4"
+            local sleep_seconds="$5"
+            local nodes
+
+            nodes="$(kubectl -n "${namespace}" get pods -l "${selector}" -o jsonpath='{range .items[*]}{.spec.nodeName}{"\n"}{end}' 2>/dev/null | sort -u)"
+            if [ -z "${nodes}" ]; then
+              echo "No pods found for ${namespace}/${selector}; skipping targeted image pull for ${image}" >&2
+              return 0
+            fi
+
+            for node in ${nodes}; do
+              local node_ip
+              local pulled=false
+              node_ip="$(kubectl get node "${node}" -o jsonpath='{.status.addresses[?(@.type=="InternalIP")].address}')"
+
+              for attempt in $(seq 1 "${attempts}"); do
+                echo "Pre-pulling ${image} on ${node}/${node_ip} (${attempt}/${attempts})"
+                if ssh -i "$HOME/.ssh/id_ed25519" -o StrictHostKeyChecking=no -o ConnectTimeout=10 "ubuntu@${node_ip}" \
+                  "sudo k3s crictl inspecti '${image}' >/dev/null 2>&1 || (sudo k3s crictl pull '${image}' && sudo k3s crictl inspecti '${image}' >/dev/null 2>&1)"; then
+                  pulled=true
+                  break
+                fi
+                sleep "${sleep_seconds}"
+              done
+
+              if [ "${pulled}" != "true" ]; then
+                echo "Best-effort targeted image pre-pull did not complete for ${image} on ${node}/${node_ip}" >&2
+              fi
+            done
+          }
+
          echo "Waiting for Rancher..."
          wait_for_resource flux-system kustomization.kustomize.toolkit.fluxcd.io/addon-rancher 600
          kubectl -n flux-system annotate kustomization/addon-rancher reconcile.fluxcd.io/requestedAt="$(date +%s)" --overwrite
@@ -622,6 +657,8 @@ jobs:
          wait_for_resource cattle-system deployment/cattle-system-rancher 600
          kubectl -n cattle-system rollout status deployment/cattle-system-rancher --timeout=900s
          wait_for_resource cattle-system deployment/rancher-webhook 900
+          pull_image_on_matching_pod_nodes cattle-system app=rancher-webhook registry.rancher.com/rancher/rancher-webhook:v0.9.3 12 10
+          kubectl -n cattle-system rollout restart deployment/rancher-webhook
          kubectl -n cattle-system rollout status deployment/rancher-webhook --timeout=900s
          wait_for_resource cattle-system issuer/cattle-system-rancher 900
          wait_for_resource cattle-system certificate/tls-rancher-ingress 900
@@ -29,6 +29,11 @@ spec:
        value: "true"
      - name: CATTLE_FEATURES
        value: "managed-system-upgrade-controller=false"
+    webhook:
+      image:
+        repository: registry.rancher.com/rancher/rancher-webhook
+        tag: v0.9.3
+        imagePullPolicy: IfNotPresent
    resources:
      requests:
        cpu: 500m