From ee6417c18ec77ee86075d166a87a544a4494435a Mon Sep 17 00:00:00 2001
From: MichaelFisher1997
Date: Thu, 23 Apr 2026 05:55:14 +0000
Subject: [PATCH] fix: pre-pull core bootstrap images on cp1 before Flux bootstrap

Fresh clusters were repeatedly timing out while kubelet pulled the pause image, k3s packaged component images, and Flux controller images onto the first control plane. Pre-pull the core control-plane bootstrap images into containerd on cp-1 so Flux and packaged addons start from a warm cache instead of racing registry TLS timeouts.
---
.../roles/bootstrap-image-prepull/defaults/main.yml | 12 ++++++++++++
ansible/roles/bootstrap-image-prepull/tasks/main.yml | 10 ++++++++++
ansible/site.yml | 7 +++++++
3 files changed, 29 insertions(+)
create mode 100644 ansible/roles/bootstrap-image-prepull/defaults/main.yml
create mode 100644 ansible/roles/bootstrap-image-prepull/tasks/main.yml
diff --git a/ansible/roles/bootstrap-image-prepull/defaults/main.yml b/ansible/roles/bootstrap-image-prepull/defaults/main.yml
new file mode 100644
index 0000000..ee6d5aa
--- /dev/null
+++ b/ansible/roles/bootstrap-image-prepull/defaults/main.yml
@@ -0,0 +1,12 @@
+---
+bootstrap_prepull_images:
+ - docker.io/rancher/mirrored-pause:3.6
+ - docker.io/rancher/mirrored-coredns-coredns:1.14.2
+ - docker.io/rancher/mirrored-metrics-server:v0.8.1
+ - docker.io/rancher/local-path-provisioner:v0.0.35
+ - docker.io/rancher/mirrored-library-traefik:3.6.10
+ - docker.io/rancher/klipper-helm:v0.9.14-build20260309
+ - ghcr.io/fluxcd/source-controller:v1.8.0
+ - ghcr.io/fluxcd/kustomize-controller:v1.8.1
+ - ghcr.io/fluxcd/helm-controller:v1.5.1
+ - ghcr.io/fluxcd/notification-controller:v1.8.1
diff --git a/ansible/roles/bootstrap-image-prepull/tasks/main.yml b/ansible/roles/bootstrap-image-prepull/tasks/main.yml
new file mode 100644
index 0000000..d331d42
--- /dev/null
+++ b/ansible/roles/bootstrap-image-prepull/tasks/main.yml
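Review bot: The ten entries of `bootstrap_prepull_images` in ansible/roles/bootstrap-image-prepull/defaults/main.yml are identified by tag only, and a tag on docker.io or ghcr.io can be repointed after this list was reviewed, so the content that ends up in cp-1's containerd cache is not fixed by the commit. If the tag form has to stay so the cached reference matches what k3s and Flux request (worth confirming), record the expected digest next to each entry, e.g. `# sha256:<digest>`, and compare it after the pull. The list also duplicates versions chosen by the k3s and Flux releases, so a header comment such as `# Tags must match the k3s and Flux versions deployed by this repo; update them together.` would help keep the warm cache from silently going stale.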
@@ -0,0 +1,10 @@
+---
+- name: Pre-pull bootstrap images into containerd
+ command: /usr/local/bin/ctr -n k8s.io images pull {{ item }}
+ register: bootstrap_image_pull
+ retries: 12
+ delay: 15
+ until: bootstrap_image_pull.rc == 0
+ loop: "{{ bootstrap_prepull_images }}"
+ changed_when: true
+ failed_when: false
diff --git a/ansible/site.yml b/ansible/site.yml
index 820d9eb..3d0dbad 100644
--- a/ansible/site.yml
+++ b/ansible/site.yml
@@ -102,6 +102,13 @@ roles: - k3s-agent +- name: Pre-pull bootstrap control-plane images + hosts: control_plane[0] + become: true + + roles: + - bootstrap-image-prepull + - name: Pre-pull Rancher bootstrap images hosts: cluster become: true
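Review bot: In ansible/roles/bootstrap-image-prepull/tasks/main.yml, `failed_when: false` sits next to `until: bootstrap_image_pull.rc == 0`, so it is unclear whether an image that never pulls after 12 attempts should stop the play or be ignored, and either way a registry or TLS failure is easy to miss in the run output. If best-effort is intended, say so in a comment above the task and add a follow-up task that reports the loop items whose `rc` is non-zero; otherwise drop `failed_when: false`. `changed_when: true` also reports a change on every run, even when the image is already cached. Passing the reference as one argument, `argv: [/usr/local/bin/ctr, -n, k8s.io, images, pull, "{{ item }}"]`, keeps a list entry that contains whitespace from being split into extra `ctr` arguments.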