Kaniko build-arg override breaks base image pull via cluster-internal address #77

New issue

Closed

opened 2026-06-04 04:36:28 +00:00 by ldraney · 0 comments

ldraney commented 2026-06-04 04:36:28 +00:00

Owner

Copy link

Type

Bug

Lineage

Regression from ldraney/landscaping-assistant #76 — build-arg override introduced in that PR.

Repo

ldraney/landscaping-assistant

What Broke

Pipelines #171, #172, #173 all fail at build-and-push. Kaniko tries to pull the base image from harbor.harbor.svc.cluster.local (overridden via build_args in .woodpecker.yaml) but can't connect — HTTPS times out on 443, HTTP refused on 80. The Dockerfile defaults REGISTRY to harbor.tail5b443a.ts.net (Tailscale FQDN) which works reliably, but the CI config overrides it to the cluster-internal address.

error building image: Get "https://harbor.harbor.svc.cluster.local/v2/": dial tcp 10.43.131.178:443: i/o timeout
Get "http://harbor.harbor.svc.cluster.local/v2/": dial tcp 10.43.131.178:80: connect: connection refused

Push to harbor.harbor.svc.cluster.local works fine (pipeline #164 confirmed). The issue is pull-side only.

Repro Steps

1. Merge any PR to main
2. Pipeline triggers, lint + test pass
3. build-and-push step fails pulling base image from cluster-internal Harbor

Expected Behavior

Kaniko pulls base images via the Tailscale FQDN (Dockerfile default) and pushes via the cluster-internal address. Both paths work.

Environment

• Cluster/namespace: prod / woodpecker
• Service version/commit: HEAD of main after PR #76
• Related alerts: none

Acceptance Criteria

• Pipeline builds and pushes image successfully on merge to main
• Base image pull uses reliable Tailscale FQDN
• Push still uses cluster-internal address

Related

• ldraney/landscaping-assistant #23 — parent CI optimization issue
• ldraney/landscaping-assistant #76 — PR that introduced the regression
• landscaping-assistant — project this affects

### Type Bug ### Lineage Regression from `ldraney/landscaping-assistant #76` — build-arg override introduced in that PR. ### Repo `ldraney/landscaping-assistant` ### What Broke Pipelines #171, #172, #173 all fail at `build-and-push`. Kaniko tries to pull the base image from `harbor.harbor.svc.cluster.local` (overridden via `build_args` in `.woodpecker.yaml`) but can't connect — HTTPS times out on 443, HTTP refused on 80. The Dockerfile defaults `REGISTRY` to `harbor.tail5b443a.ts.net` (Tailscale FQDN) which works reliably, but the CI config overrides it to the cluster-internal address. ``` error building image: Get "https://harbor.harbor.svc.cluster.local/v2/": dial tcp 10.43.131.178:443: i/o timeout Get "http://harbor.harbor.svc.cluster.local/v2/": dial tcp 10.43.131.178:80: connect: connection refused ``` Push to `harbor.harbor.svc.cluster.local` works fine (pipeline #164 confirmed). The issue is pull-side only. ### Repro Steps 1. Merge any PR to main 2. Pipeline triggers, lint + test pass 3. `build-and-push` step fails pulling base image from cluster-internal Harbor ### Expected Behavior Kaniko pulls base images via the Tailscale FQDN (Dockerfile default) and pushes via the cluster-internal address. Both paths work. ### Environment - Cluster/namespace: prod / woodpecker - Service version/commit: HEAD of main after PR #76 - Related alerts: none ### Acceptance Criteria - [ ] Pipeline builds and pushes image successfully on merge to main - [ ] Base image pull uses reliable Tailscale FQDN - [ ] Push still uses cluster-internal address ### Related - `ldraney/landscaping-assistant #23` — parent CI optimization issue - `ldraney/landscaping-assistant #76` — PR that introduced the regression - `landscaping-assistant` — project this affects

ldraney referenced this issue from a commit 2026-06-04 04:37:04 +00:00

Remove build_args override so Kaniko pulls via Tailscale FQDN

ldraney referenced this issue from a pull request that will close it, 2026-06-04 04:37:14 +00:00

Remove build_args override so Kaniko pulls via Tailscale FQDN #78

ldraney referenced this issue 2026-06-04 04:38:07 +00:00

Remove build_args override so Kaniko pulls via Tailscale FQDN #78

ldraney closed this issue 2026-06-04 04:38:54 +00:00

ldraney referenced this issue from a commit 2026-06-04 04:43:42 +00:00

Use cluster-internal registry with --insecure-pull for Kaniko

ldraney referenced this issue from a pull request that will close it, 2026-06-04 04:43:56 +00:00

Use cluster-internal registry with --insecure-pull for Kaniko #79

ldraney referenced this issue 2026-06-04 04:45:18 +00:00

Use cluster-internal registry with --insecure-pull for Kaniko #79

ldraney referenced this issue from a commit 2026-06-04 04:45:43 +00:00

Use cluster-internal registry with --insecure-pull for Kaniko

ldraney referenced this issue 2026-06-04 05:22:25 +00:00

Kaniko build-and-push intermittently fails: cluster-internal Harbor unreachable #82

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

main

docs/update-app-architecture

revert-213

move-other-crew-bottom-remove-schedule

feature/today-view-improvements

154-enable-assume-ssl

revert-145-person-icon

docs/user-stories-auth

docs/update-infra-pipeline-post-incident

fix-cache-step-blocking-deploy

fix-kaniko-registry-pull

deactivate-from-today

feature/quick-address-entry

No results found.

Labels

Clear labels

No items

No labels

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

ldraney/landscaping-assistant#77

No description provided.