fix: Kaniko push permission check timeout against Harbor #23

Closed
opened 2026-03-27 05:04:11 +00:00 by forgejo_admin · 0 comments

Type

Bug

Lineage

Related to forgejo_admin/pal-e-platform#193 (parent issue).

Repo

forgejo_admin/westside-contracts

What Broke

Kaniko build-and-push step times out during push permission check. The insecure-registry setting does not apply to Kaniko's push permission check, which uses a separate HTTPS transport that probes port 443 against Harbor's internal HTTP-only endpoint. This causes a 30s TLS dial timeout before the build fails.

Repro Steps

  1. Push to main on westside-contracts
  2. Woodpecker triggers build-and-push step with Kaniko
  3. Observe: Kaniko hangs for 30s on push permission check, then fails with TLS timeout

Expected Behavior

Kaniko should skip the push permission check and push directly to Harbor over HTTP via the insecure registry path.

Environment

  • Cluster/namespace: prod/woodpecker
  • Service version/commit: woodpeckerci/plugin-kaniko:2.3.0
  • Related alerts: CI build failures on westside-contracts

Acceptance Criteria

  • Bug no longer reproduces — Kaniko pushes to Harbor without TLS timeout
  • CI pipeline completes successfully for westside-contracts

Related

  • forgejo_admin/pal-e-platform#193 — parent issue tracking Kaniko permission check fix
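
A connectivity check for the condition described in this issue, added here as an example (not code from the westside-contracts repository or from Kaniko): it requests the registry API base path `/v2/` over HTTP and HTTPS with a bounded timeout and reports which transport answers. The host name and the port defaults are assumptions; substitute the registry's in-cluster address.

```python
"""Probe a registry's /v2/ endpoint over HTTP and HTTPS with a bounded timeout."""
import http.client
import urllib.error
import urllib.request

# Ignore proxy environment variables so the probe goes straight to the endpoint.
_OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))


def probe(scheme, host, port, timeout=3.0):
    """GET {scheme}://{host}:{port}/v2/ and return (reachable, detail)."""
    url = f"{scheme}://{host}:{port}/v2/"
    try:
        with _OPENER.open(url, timeout=timeout) as resp:
            return True, f"HTTP {resp.status}"
    except urllib.error.HTTPError as exc:
        # Any HTTP status (401 is normal without credentials) proves the
        # transport works; only connect/TLS failures count as unreachable.
        return True, f"HTTP {exc.code}"
    except (OSError, http.client.HTTPException) as exc:
        # URLError, ssl.SSLError and socket timeouts are OSError subclasses.
        reason = getattr(exc, "reason", exc)
        return False, f"{type(reason).__name__}: {reason}"


def diagnose(host, http_port=80, https_port=443, timeout=3.0):
    """Classify the endpoint as 'both', 'https', 'http-only' or 'unreachable'."""
    http_ok, _ = probe("http", host, http_port, timeout)
    https_ok, _ = probe("https", host, https_port, timeout)
    if http_ok and https_ok:
        return "both"
    if https_ok:
        return "https"
    if http_ok:
        return "http-only"
    return "unreachable"


if __name__ == "__main__":
    # Placeholder host (assumption): replace with the registry's service name.
    print(diagnose("registry.example.internal", timeout=3.0))
```

Run it from the same network location as the CI step; a result of `http-only` means any client that insists on HTTPS toward that endpoint will fail or wait out its dial timeout.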