Use build-arg for Dockerfile registry to avoid DERP relay failures in Kaniko #73

Closed
opened 2026-06-04 04:15:58 +00:00 by ldraney · 0 comments
Owner

Type

Feature

Lineage

Standalone — discovered during deploy monitoring session. Pipeline 154, 157, 158 all failed on the same DERP relay stream error before 161 succeeded.

Repo

ldraney/landscaping-assistant

User Story

As a developer merging to main
I want Kaniko to pull base images from the internal Harbor registry
So that builds don't randomly fail due to Tailscale DERP relay stream errors

Context

The Dockerfile's FROM statements reference harbor.tail5b443a.ts.net (external URL). When Kaniko builds inside the cluster, it pulls these base images through the Tailscale DERP relay instead of the internal Harbor service. The DERP relay intermittently drops large transfers with stream error: INTERNAL_ERROR; received from peer, causing build-and-push failures that require manual pipeline restarts.

This caused 3 consecutive pipeline failures during a deploy on 2026-06-03, delaying a production hotfix by ~30 minutes.

The fix: parameterize the registry in the Dockerfile with a build arg that defaults to the external URL (preserving local docker build compatibility) and override it to the internal URL in .woodpecker.yaml via Kaniko's --build-arg.

File Targets

Files to modify:

  • Dockerfile — add ARG REGISTRY=harbor.tail5b443a.ts.net and use ${REGISTRY} in FROM statements
  • .woodpecker.yaml — add build_args: "REGISTRY=harbor.harbor.svc.cluster.local" to the Kaniko step settings

Files NOT to touch:

  • docker-compose.yml — dev uses the pre-built image directly, doesn't build the Dockerfile

Acceptance Criteria

  • Dockerfile FROM statements use ${REGISTRY}/library/ruby-rails-build:latest and ${REGISTRY}/library/ruby-rails-runtime:latest
  • Default ARG REGISTRY=harbor.tail5b443a.ts.net preserves local docker build compatibility
  • Kaniko step overrides to internal URL via build_args
  • Pipeline build-and-push succeeds without DERP relay dependency
  • Local docker build . still works without passing --build-arg

Test Expectations

  • Pipeline builds successfully on push to branch
  • Kaniko logs show image pull from harbor.harbor.svc.cluster.local, not harbor.tail5b443a.ts.net
  • Run command: push to branch and check Woodpecker build-and-push logs

Constraints

  • Must keep local docker build working without extra flags
  • Kaniko plugin must support build_args setting (verify in plugin docs)
  • Internal Harbor URL requires insecure: true in Kaniko config (already set)

Checklist

  • PR opened
  • Tests pass
  • No unrelated changes
Related

  • landscaping-assistant — project
  • ldraney/base-images — source of the base images being pulled
  • ldraney/landscaping-assistant #69 — CI optimization (related infra work)
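
Added example, not part of the original issue or the project's code: a Python check for the acceptance criteria above that resolves each FROM line the way global ARG defaults and `--build-arg` overrides are applied, and reports which registry hosts the build would contact. The sample Dockerfile is constructed from the image names in the issue, and the function names are hypothetical.

```python
import re

# Constructed sample using the image names from the issue (multi-stage layout assumed).
SAMPLE_DOCKERFILE = """\
ARG REGISTRY=harbor.tail5b443a.ts.net
FROM ${REGISTRY}/library/ruby-rails-build:latest AS build
# A stage-scoped ARG like the next line never affects later FROM lines.
ARG REGISTRY=ignored.example
FROM ${REGISTRY}/library/ruby-rails-runtime:latest
COPY --from=build /app /app
"""

VAR = re.compile(r"\$\{(\w+)\}|\$(\w+)")


def resolve_from_images(dockerfile, build_args=None):
    """Return the image each FROM line pulls after global-ARG substitution."""
    build_args = build_args or {}
    global_args, stages, images, seen_from = {}, set(), [], False
    for raw in dockerfile.splitlines():
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue
        instr = parts[0].upper()
        if instr == "ARG" and not seen_from and len(parts) > 1:
            # Only ARGs before the first FROM are visible to FROM lines.
            name, _, default = parts[1].partition("=")
            global_args[name] = build_args.get(name, default)
        elif instr == "FROM":
            seen_from = True
            operands = [p for p in parts[1:] if not p.startswith("--")]
            ref = VAR.sub(lambda m: global_args.get(m.group(1) or m.group(2), ""),
                          operands[0])
            if ref not in stages and ref != "scratch":
                images.append(ref)  # earlier stage names are not registry pulls
            if len(operands) == 3 and operands[1].upper() == "AS":
                stages.add(operands[2])
    return images


def registry_hosts(dockerfile, build_args=None):
    """Set of registry hosts the build would contact for base images."""
    return {ref.split("/", 1)[0] for ref in resolve_from_images(dockerfile, build_args)}


if __name__ == "__main__":
    internal = {"REGISTRY": "harbor.harbor.svc.cluster.local"}
    print("local build pulls from:", registry_hosts(SAMPLE_DOCKERFILE))
    print("Kaniko build pulls from:", registry_hosts(SAMPLE_DOCKERFILE, internal))
```

A FROM line that still hardcodes the external host shows up in the override case as a second host in the returned set, which is the condition the Kaniko log check in Test Expectations is looking for.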