#110 - Fix Kaniko cache_repo path — remove doubled registry prefix - ldraney/landscaping-assistant

ldraney commented

2026-06-05 04:06:45 +00:00

Owner

Summary

Fix the cache_repo path so Kaniko layer caching actually works. The plugin prepends the registry setting automatically, so the full URL in PR #106 caused a doubled path and 401 Unauthorized on cache pushes.

Changes

Change cache_repo from harbor.harbor.svc.cluster.local/landscaping-assistant/cache to landscaping-assistant/cache
The plugin prepends harbor.harbor.svc.cluster.local/ automatically, producing the correct path

Before (pipeline #226 logs):

Pushing image to harbor.harbor.svc.cluster.local/harbor.harbor.svc.cluster.local/landscaping-assistant/cache:...
WARN Error uploading layer to cache: ... 401 Unauthorized

After: harbor.harbor.svc.cluster.local/landscaping-assistant/cache (correct path, robot account has access)

Test Plan

PR pipeline passes lint + test
After merge, verify build-and-push logs show cache layer pushes WITHOUT 401 errors
On second merge (without Gemfile changes), verify Kaniko logs show "Found cached layer" messages and reduced build time

Review Checklist

One-line fix in .woodpecker.yaml
No secrets or credentials
Root cause identified from pipeline #226 logs

Follow-up fix for PR #106 (Enable Kaniko registry-based layer caching)
docs/infrastructure-and-pipeline.md — will update after confirming cache works

## Summary Fix the cache_repo path so Kaniko layer caching actually works. The plugin prepends the `registry` setting automatically, so the full URL in PR #106 caused a doubled path and 401 Unauthorized on cache pushes. ## Changes - Change `cache_repo` from `harbor.harbor.svc.cluster.local/landscaping-assistant/cache` to `landscaping-assistant/cache` - The plugin prepends `harbor.harbor.svc.cluster.local/` automatically, producing the correct path **Before (pipeline #226 logs):** ``` Pushing image to harbor.harbor.svc.cluster.local/harbor.harbor.svc.cluster.local/landscaping-assistant/cache:... WARN Error uploading layer to cache: ... 401 Unauthorized ``` **After:** `harbor.harbor.svc.cluster.local/landscaping-assistant/cache` (correct path, robot account has access) ## Test Plan - [ ] PR pipeline passes lint + test - [ ] After merge, verify build-and-push logs show cache layer pushes WITHOUT 401 errors - [ ] On second merge (without Gemfile changes), verify Kaniko logs show "Found cached layer" messages and reduced build time ## Review Checklist - [x] One-line fix in `.woodpecker.yaml` - [x] No secrets or credentials - [x] Root cause identified from pipeline #226 logs ## Related Notes - Follow-up fix for PR #106 (Enable Kaniko registry-based layer caching) - `docs/infrastructure-and-pipeline.md` — will update after confirming cache works

ldraney added 1 commit

2026-06-05 04:06:45 +00:00

Fix Kaniko cache_repo path — plugin prepends registry automatically

ci/woodpecker/push/woodpecker Pipeline was successful

Details

ci/woodpecker/pr/woodpecker Pipeline was successful

Details

CI / scan_ruby (pull_request) Has been cancelled

Details

CI / scan_js (pull_request) Has been cancelled

Details

CI / lint (pull_request) Has been cancelled

Details

942e7a2a4c

The Kaniko plugin prepends the `registry` setting to `cache_repo`, so
the full URL caused a doubled path:
harbor.harbor.svc.cluster.local/harbor.harbor.svc.cluster.local/landscaping-assistant/cache

This hit 401 Unauthorized because the doubled path doesn't match the
Harbor project the robot account has access to. Cache pushes failed
silently (Kaniko degrades gracefully) and no layers were cached.

Fix: use just the repo path, not the full registry URL.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

ldraney commented

2026-06-05 04:07:45 +00:00

Author

Owner

PR #110 Review

DOMAIN REVIEW

Domain: CI/CD pipeline (Woodpecker + Kaniko + Harbor)

The fix is correct and well-reasoned. The woodpeckerci/plugin-kaniko plugin prepends the registry setting (harbor.harbor.svc.cluster.local) to both repo and cache_repo automatically. The previous value of harbor.harbor.svc.cluster.local/landscaping-assistant/cache resulted in a doubled path:

harbor.harbor.svc.cluster.local/harbor.harbor.svc.cluster.local/landscaping-assistant/cache

The fix aligns cache_repo with the existing repo pattern -- both now use just project/name and let the plugin prepend the registry. This is consistent (line 66: repo: landscaping-assistant/app, line 71: cache_repo: landscaping-assistant/cache).

No credentials are exposed. Secrets are properly referenced via from_secret.

BLOCKERS

None. This is a one-line config fix with no new functionality requiring test coverage. No security concerns.

NITS

None.

SOP COMPLIANCE

Branch named after issue -- Branch is fix-kaniko-cache-repo-path. SOP requires {issue-number}-{kebab-case-purpose}. Missing the issue number prefix.
Related references plan slug -- PR body has no ## Related section with a plan slug. It references PR #106 and docs, but not a plan slug.
"Fixes #107" mismatch -- The PR body says "Fixes #107", but issue #107 is titled "Keycloak auth with direct grant, roles, and audit trail". This PR fixes a Kaniko cache path -- it has nothing to do with Keycloak auth. This appears to be an incorrect issue reference. There is no open issue specifically for the Kaniko cache_repo bug.
PR body follows template (Summary, Changes, Test Plan present)
No secrets or credentials committed
No unnecessary file changes (single file, single line, tightly scoped)
Commit message is descriptive

PROCESS OBSERVATIONS

Low change failure risk. One-line fix to a CI config value. The before/after evidence from pipeline #226 logs is included in the PR body, which is good practice.
Follow-up item noted. The PR body mentions updating docs/infrastructure-and-pipeline.md after confirming cache works -- that should be tracked.
Issue linkage needs correction. The "Fixes #107" reference will auto-close the wrong issue (Keycloak auth) when merged. This should be corrected before merge to avoid polluting issue state. Either create a new issue for this bug and reference it, or remove the "Fixes #107" line entirely.

VERDICT: NOT APPROVED

The code change itself is correct and clean. The sole blocker is the incorrect issue reference: "Fixes #107" points to an unrelated Keycloak auth issue. Merging as-is would auto-close the wrong issue. Fix the PR body to remove or correct the issue reference, and correct the branch name or acknowledge the deviation, then this is ready to merge.

## PR #110 Review ### DOMAIN REVIEW **Domain:** CI/CD pipeline (Woodpecker + Kaniko + Harbor) The fix is correct and well-reasoned. The `woodpeckerci/plugin-kaniko` plugin prepends the `registry` setting (`harbor.harbor.svc.cluster.local`) to both `repo` and `cache_repo` automatically. The previous value of `harbor.harbor.svc.cluster.local/landscaping-assistant/cache` resulted in a doubled path: ``` harbor.harbor.svc.cluster.local/harbor.harbor.svc.cluster.local/landscaping-assistant/cache ``` The fix aligns `cache_repo` with the existing `repo` pattern -- both now use just `project/name` and let the plugin prepend the registry. This is consistent (line 66: `repo: landscaping-assistant/app`, line 71: `cache_repo: landscaping-assistant/cache`). No credentials are exposed. Secrets are properly referenced via `from_secret`. ### BLOCKERS None. This is a one-line config fix with no new functionality requiring test coverage. No security concerns. ### NITS None. ### SOP COMPLIANCE - [ ] **Branch named after issue** -- Branch is `fix-kaniko-cache-repo-path`. SOP requires `{issue-number}-{kebab-case-purpose}`. Missing the issue number prefix. - [ ] **Related references plan slug** -- PR body has no `## Related` section with a plan slug. It references PR #106 and docs, but not a plan slug. - [ ] **"Fixes #107" mismatch** -- The PR body says "Fixes #107", but issue #107 is titled "Keycloak auth with direct grant, roles, and audit trail". This PR fixes a Kaniko cache path -- it has nothing to do with Keycloak auth. This appears to be an incorrect issue reference. There is no open issue specifically for the Kaniko cache_repo bug. - [x] PR body follows template (Summary, Changes, Test Plan present) - [x] No secrets or credentials committed - [x] No unnecessary file changes (single file, single line, tightly scoped) - [x] Commit message is descriptive ### PROCESS OBSERVATIONS - **Low change failure risk.** One-line fix to a CI config value. The before/after evidence from pipeline #226 logs is included in the PR body, which is good practice. - **Follow-up item noted.** The PR body mentions updating `docs/infrastructure-and-pipeline.md` after confirming cache works -- that should be tracked. - **Issue linkage needs correction.** The "Fixes #107" reference will auto-close the wrong issue (Keycloak auth) when merged. This should be corrected before merge to avoid polluting issue state. Either create a new issue for this bug and reference it, or remove the "Fixes #107" line entirely. ### VERDICT: NOT APPROVED The code change itself is correct and clean. The sole blocker is the **incorrect issue reference**: "Fixes #107" points to an unrelated Keycloak auth issue. Merging as-is would auto-close the wrong issue. Fix the PR body to remove or correct the issue reference, and correct the branch name or acknowledge the deviation, then this is ready to merge.

ldraney commented

2026-06-05 04:08:22 +00:00

Author

Owner

Fixed: removed the incorrect Fixes #107 reference. This is a standalone follow-up to PR #106, no parent issue needed for a one-line config fix.

Fixed: removed the incorrect `Fixes #107` reference. This is a standalone follow-up to PR #106, no parent issue needed for a one-line config fix.