fix: reduce rebuild wait bottlenecks

.gitea/workflows/deploy.yml

@@ -593,6 +593,7 @@ jobs:
       - name: Wait for Rancher
         env:
           KUBECONFIG: outputs/kubeconfig
+          RANCHER_BOOTSTRAP_PASSWORD: ${{ secrets.RANCHER_BOOTSTRAP_PASSWORD }}
         run: |
           set -euo pipefail
           wait_for_resource() {
@@ -815,6 +816,14 @@ jobs:
               kubectl -n flux-system annotate externalsecret/rancher-bootstrap-password external-secrets.io/force-sync="${force_sync}" --overwrite || true
               kubectl -n cattle-system annotate externalsecret/rancher-bootstrap-password external-secrets.io/force-sync="${force_sync}" --overwrite || true
 
+              if [ -n "${RANCHER_BOOTSTRAP_PASSWORD}" ]; then
+                for namespace in flux-system cattle-system; do
+                  kubectl -n "${namespace}" create secret generic rancher-bootstrap-password \
+                    --from-literal=bootstrapPassword="${RANCHER_BOOTSTRAP_PASSWORD}" \
+                    --dry-run=client -o yaml | kubectl apply -f -
+                done
+              fi
+
               if kubectl -n flux-system get secret/rancher-bootstrap-password >/dev/null 2>&1 \
                 && kubectl -n cattle-system get secret/rancher-bootstrap-password >/dev/null 2>&1; then
                 return 0
@@ -846,8 +855,6 @@ jobs:
           wait_for_resource cattle-system deployment/cattle-system-rancher 600
           kubectl -n cattle-system rollout status deployment/cattle-system-rancher --timeout=900s
           wait_for_resource cattle-system deployment/rancher-webhook 900
-          pull_image_on_matching_pod_nodes cattle-system app=rancher-webhook registry.rancher.com/rancher/rancher-webhook:v0.9.3 12 10
-          kubectl -n cattle-system rollout restart deployment/rancher-webhook
           kubectl -n cattle-system rollout status deployment/rancher-webhook --timeout=900s
           wait_for_resource cattle-system issuer/cattle-system-rancher 900
           wait_for_resource cattle-system certificate/tls-rancher-ingress 900

ansible/roles/k3s-registry-mirror/defaults/main.yml

@@ -12,3 +12,5 @@ k3s_registry_mirrors:
     port: 5003
   oci.external-secrets.io:
     port: 5004
+  registry.rancher.com:
+    port: 5005

ansible/site.yml

@@ -161,11 +161,15 @@
       when: kube_vip_rollout.rc != 0
 
     - name: Wait for control plane node readiness
-      command: kubectl wait --for=condition=Ready node/{{ item }} --timeout=30s
+      shell: |
+        set -euo pipefail
+        kubectl get node/{{ item }} -o jsonpath='{.status.conditions[?(@.type=="Ready")].status}' | grep -qx True
+      args:
+        executable: /bin/bash
       register: control_plane_ready
       until: control_plane_ready.rc == 0
-      retries: 20
-      delay: 15
+      retries: 90
+      delay: 10
       changed_when: false
       loop: "{{ groups['control_plane'] }}"
 

scripts/setup-proxmox-registry-cache.sh

@@ -70,9 +70,10 @@ write_config ghcr 5001 https://ghcr.io
 write_config quay 5002 https://quay.io
 write_config k8s 5003 https://registry.k8s.io
 write_config external-secrets 5004 https://oci.external-secrets.io
+write_config rancher 5005 https://registry.rancher.com
 
 systemctl daemon-reload
-for name in dockerhub ghcr quay k8s external-secrets; do
+for name in dockerhub ghcr quay k8s external-secrets rancher; do
   systemctl enable --now "docker-registry-cache@${name}.service"
 done
 
@@ -81,4 +82,5 @@ systemctl --no-pager --full status \
   docker-registry-cache@ghcr.service \
   docker-registry-cache@quay.service \
   docker-registry-cache@k8s.service \
-  docker-registry-cache@external-secrets.service
+  docker-registry-cache@external-secrets.service \
+  docker-registry-cache@rancher.service