diff --git a/.gitea/workflows/deploy.yml b/.gitea/workflows/deploy.yml
index b4fa059..3254555 100644
--- a/.gitea/workflows/deploy.yml
+++ b/.gitea/workflows/deploy.yml
@@ -593,6 +593,7 @@ jobs:
 - name: Wait for Rancher
 env:
 KUBECONFIG: outputs/kubeconfig
+ RANCHER_BOOTSTRAP_PASSWORD: ${{ secrets.RANCHER_BOOTSTRAP_PASSWORD }}
 run: |
 set -euo pipefail
 wait_for_resource() {
@@ -815,6 +816,14 @@ jobs:
 kubectl -n flux-system annotate externalsecret/rancher-bootstrap-password external-secrets.io/force-sync="${force_sync}" --overwrite || true
 kubectl -n cattle-system annotate externalsecret/rancher-bootstrap-password external-secrets.io/force-sync="${force_sync}" --overwrite || true
+ if [ -n "${RANCHER_BOOTSTRAP_PASSWORD}" ]; then
+ for namespace in flux-system cattle-system; do
+ kubectl -n "${namespace}" create secret generic rancher-bootstrap-password \
+ --from-literal=bootstrapPassword="${RANCHER_BOOTSTRAP_PASSWORD}" \
+ --dry-run=client -o yaml | kubectl apply -f -
+ done
+ fi
+
 if kubectl -n flux-system get secret/rancher-bootstrap-password >/dev/null 2>&1 \
 && kubectl -n cattle-system get secret/rancher-bootstrap-password >/dev/null 2>&1; then
 return 0
@@ -846,8 +855,6 @@ jobs:
 wait_for_resource cattle-system deployment/cattle-system-rancher 600
 kubectl -n cattle-system rollout status deployment/cattle-system-rancher --timeout=900s
 wait_for_resource cattle-system deployment/rancher-webhook 900
- pull_image_on_matching_pod_nodes cattle-system app=rancher-webhook registry.rancher.com/rancher/rancher-webhook:v0.9.3 12 10
- kubectl -n cattle-system rollout restart deployment/rancher-webhook
 kubectl -n cattle-system rollout status deployment/rancher-webhook --timeout=900s
 wait_for_resource cattle-system issuer/cattle-system-rancher 900
 wait_for_resource cattle-system certificate/tls-rancher-ingress 900
diff --git a/ansible/roles/k3s-registry-mirror/defaults/main.yml b/ansible/roles/k3s-registry-mirror/defaults/main.yml
index 3b6e516..c21e14b 100644
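Review bot: The new `RANCHER_BOOTSTRAP_PASSWORD` env entry carries no comment, so a reader of the step cannot tell whether the secret is required or an optional seed for the ExternalSecret-synced Secret that the `[ -n "${RANCHER_BOOTSTRAP_PASSWORD}" ]` test further down (presumably the same step's `run:` block) treats as optional. Add `# optional: seeds the rancher-bootstrap-password Secret directly; empty when the forge secret is not configured` above it. Whether the runner expands an unset forge secret to an empty string rather than failing the job is what the later `-n` test relies on and is worth confirming. The `run:` block that consumes the variable continues outside the hunk.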
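Review bot: The added `--from-literal=bootstrapPassword="${RANCHER_BOOTSTRAP_PASSWORD}"` places the password in kubectl's argument list, where any process on the runner that can inspect process arguments can read it while the command runs; pass it on stdin instead, `printf '%s' "${RANCHER_BOOTSTRAP_PASSWORD}" | kubectl -n "${namespace}" create secret generic rancher-bootstrap-password --from-file=bootstrapPassword=/dev/stdin --dry-run=client -o yaml | kubectl apply -f -`. Note that `kubectl apply` also stores the full object, password included, in the `kubectl.kubernetes.io/last-applied-configuration` annotation on the Secret, so anyone who can read the object sees the value twice; no extra exposure under RBAC, but relevant if annotations are ever logged or diffed. The Secret written here has the same name as the target of the `externalsecret/rancher-bootstrap-password` resources force-synced two lines above it; if those ExternalSecrets own their target (the operator's default), a Secret created without the operator's ownerReference can make the sync report an ownership error instead of converging, which should be confirmed against the ExternalSecret's creationPolicy. The function containing this block (the one returning `0` at the end of the hunk) starts outside the hunk.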
--- a/ansible/roles/k3s-registry-mirror/defaults/main.yml
+++ b/ansible/roles/k3s-registry-mirror/defaults/main.yml
@@ -12,3 +12,5 @@ k3s_registry_mirrors:
 port: 5003
 oci.external-secrets.io:
 port: 5004
+ registry.rancher.com:
+ port: 5005
diff --git a/ansible/site.yml b/ansible/site.yml
index c6663f7..10ff3aa 100644
--- a/ansible/site.yml
+++ b/ansible/site.yml
@@ -161,11 +161,15 @@
 when: kube_vip_rollout.rc != 0
 - name: Wait for control plane node readiness
- command: kubectl wait --for=condition=Ready node/{{ item }} --timeout=30s
+ shell: |
+ set -euo pipefail
+ kubectl get node/{{ item }} -o jsonpath='{.status.conditions[?(@.type=="Ready")].status}' | grep -qx True
+ args:
+ executable: /bin/bash
 register: control_plane_ready
 until: control_plane_ready.rc == 0
- retries: 20
- delay: 15
+ retries: 90
+ delay: 10
 changed_when: false
 loop: "{{ groups['control_plane'] }}"
diff --git a/scripts/setup-proxmox-registry-cache.sh b/scripts/setup-proxmox-registry-cache.sh
index e66793c..870fc8d 100755
--- a/scripts/setup-proxmox-registry-cache.sh
+++ b/scripts/setup-proxmox-registry-cache.sh
@@ -70,9 +70,10 @@ write_config ghcr 5001 https://ghcr.io
 write_config quay 5002 https://quay.io
 write_config k8s 5003 https://registry.k8s.io
 write_config external-secrets 5004 https://oci.external-secrets.io
+write_config rancher 5005 https://registry.rancher.com
 systemctl daemon-reload
-for name in dockerhub ghcr quay k8s external-secrets; do
+for name in dockerhub ghcr quay k8s external-secrets rancher; do
 systemctl enable --now "docker-registry-cache@${name}.service"
 done
@@ -81,4 +82,5 @@ systemctl --no-pager --full status \
 docker-registry-cache@ghcr.service \
 docker-registry-cache@quay.service \
 docker-registry-cache@k8s.service \
- docker-registry-cache@external-secrets.service
+ docker-registry-cache@external-secrets.service \
+ docker-registry-cache@rancher.service
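Review bot: The new `registry.rancher.com: port: 5005` entry only works because the same number is hard-coded in `write_config rancher 5005` in scripts/setup-proxmox-registry-cache.sh, and nothing in this file says so. Add `# ports must match the write_config calls in scripts/setup-proxmox-registry-cache.sh` above `k3s_registry_mirrors:` so the next mirror is added in both places. The `k3s_registry_mirrors` mapping starts outside the hunk.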
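Review bot: The `shell: |` block with `set -euo pipefail` and `grep -qx True` re-implements in bash what `until` can express directly: keep `command: kubectl get node/{{ item }} -o jsonpath='{.status.conditions[?(@.type=="Ready")].status}'` and change the loop condition to `until: control_plane_ready.stdout == "True"`, which drops the `shell`, the `args.executable` and the pipefail interplay while behaving the same (a non-zero exit from kubectl, for a node not yet registered, is still retried). The new budget of 90 × 10 s plus the per-call time is roughly the old 20 × (15 s delay + 30 s wait timeout), so if the switch from a server-side wait to polling is meant to tolerate an unreachable API server during kube-vip rollout, a comment on `retries` saying so would help the next reader. The task is complete within the hunk; the `when:` line at the top belongs to the preceding task.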
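Review bot: The registry list is now maintained by hand in three places — the `write_config` calls, the `for name in dockerhub ghcr quay k8s external-secrets rancher; do` loop, and the `systemctl status` argument list in the next hunk — and this commit had to touch all three to add one entry. Declare it once, `registries=(dockerhub ghcr quay k8s external-secrets rancher)`, iterate with `for name in "${registries[@]}"; do`, and derive the status arguments from the same array, so a future mirror needs one edit next to its `write_config` line. The `k3s_registry_mirrors` defaults in the Ansible role carry the same port numbers and are a fourth copy; a comment here pointing at that file would at least make the coupling visible.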