fix: seed cert-manager images before flux

2026-04-27 00:04:19 +00:00
parent d925eeac3f
commit d050e8962a
3 changed files with 19 additions and 2 deletions
@@ -425,6 +425,11 @@ jobs:
            ghcr.io/tailscale/k8s-operator:v1.96.5 \
            ghcr.io/tailscale/tailscale:v1.96.5 \
            registry.k8s.io/sig-storage/nfs-subdir-external-provisioner:v4.0.2 \
+            docker.io/rancher/mirrored-pause:3.6 \
+            quay.io/jetstack/cert-manager-controller:v1.17.2 \
+            quay.io/jetstack/cert-manager-cainjector:v1.17.2 \
+            quay.io/jetstack/cert-manager-webhook:v1.17.2 \
+            quay.io/jetstack/cert-manager-startupapicheck:v1.17.2 \
            docker.io/grafana/loki:3.5.7 \
            docker.io/kiwigrid/k8s-sidecar:1.30.10 \
            docker.io/grafana/promtail:3.0.0 \
@@ -712,6 +717,14 @@ jobs:
            ghcr.io/fluxcd/notification-controller:v1.8.1; do
            import_required_image "${image}" "${PRIMARY_CP_IP}"
          done
+          for image in \
+            docker.io/rancher/mirrored-pause:3.6 \
+            quay.io/jetstack/cert-manager-controller:v1.17.2 \
+            quay.io/jetstack/cert-manager-cainjector:v1.17.2 \
+            quay.io/jetstack/cert-manager-webhook:v1.17.2 \
+            quay.io/jetstack/cert-manager-startupapicheck:v1.17.2; do
+            import_required_image_on_all_nodes "${image}"
+          done
          # Apply CRDs and controllers first
          kubectl apply -f clusters/prod/flux-system/gotk-components.yaml
          # Wait for CRDs to be established
@@ -732,6 +745,9 @@ jobs:
          flux_rollout_status helm-controller
          kubectl -n flux-system wait --for=condition=Ready gitrepository/platform --timeout=300s
          kubectl -n flux-system wait --for=condition=Ready kustomization/infrastructure --timeout=600s
+          kubectl -n flux-system annotate kustomization/addon-cert-manager reconcile.fluxcd.io/requestedAt="$(date +%s)" --overwrite
+          kubectl -n flux-system wait --for=condition=Ready kustomization/addon-cert-manager --timeout=1200s
+          kubectl -n flux-system wait --for=condition=Ready helmrelease/cert-manager --timeout=1200s
          # Wait directly on the ESO Helm objects; Kustomization readiness hides useful failure details.
          wait_for_resource flux-system kustomization.kustomize.toolkit.fluxcd.io/addon-external-secrets 600
          kubectl -n flux-system annotate kustomization/addon-external-secrets reconcile.fluxcd.io/requestedAt="$(date +%s)" --overwrite
@@ -776,7 +792,7 @@ jobs:
          kubectl annotate storageclass flash-nfs storageclass.kubernetes.io/is-default-class=true --overwrite
          kubectl get storageclass flash-nfs

-      - name: Wait for Rancher and backup operator
+      - name: Wait for Rancher
        env:
          KUBECONFIG: outputs/kubeconfig
        run: |