fix: use internal Harbor URL in .woodpecker.yaml (#5) #10

Merged
forgejo_admin merged 1 commit from 5-fix-harbor-internal-url into main 2026-04-22 12:05:51 +00:00
Contributor

Summary

Switch the Woodpecker build-and-push step's registry from the external Tailscale Funnel URL to the in-cluster Harbor service URL. CI runs inside the cluster, so it must push to the internal service, not the external ingress.

Fixes #5

Rule

Per service-onboarding-sop Pre-Deploy Validation Checklist: CI pipelines must push to harbor-core.harbor.svc.cluster.local (in-cluster). The external harbor.tail5b443a.ts.net URL is for humans and runtime image pulls, not for CI.

Changes

One line changed in .woodpecker.yaml (line 22):

Before:

      registry: harbor.tail5b443a.ts.net

After:

      registry: harbor-core.harbor.svc.cluster.local

The repo path, tags, dockerfile, build_args, and secret references are all preserved exactly.

Out of Scope

k8s/deployment.yaml also references harbor.tail5b443a.ts.net for the kubelet's runtime image pull. That is a separate concern (kubelet-in-cluster image pulls) and was explicitly flagged informational-only by the scope review (review-1042-2026-04-21). Not touched here.

Test Plan

  • .woodpecker.yaml parses as valid YAML (python3 -c "import yaml; yaml.safe_load(open('.woodpecker.yaml'))" returns clean)
  • Diff is exactly one line, no structural or indentation changes
  • k8s/deployment.yaml untouched
  • On merge, next CI run should push image successfully to in-cluster Harbor (validated by Woodpecker pipeline success on subsequent push)

Review Checklist

  • Only .woodpecker.yaml is modified (one line)
  • New registry value is harbor-core.harbor.svc.cluster.local (internal cluster DNS, matches SOP)
  • Repo path notion-mcp-remote/notion-mcp-remote after the hostname is preserved
  • k8s/deployment.yaml is NOT modified (out of scope per review)
  • No CI steps, secrets, triggers, or unrelated config changed
  • YAML still parses (verified locally)

Related Notes

  • Forgejo issue: #5
  • Board item: #1042 on board-notion-mcp-remote
  • Scope review: review-1042-2026-04-21 (APPROVED, tagged review,ready)
  • SOP: service-onboarding-sop (Pre-Deploy Validation Checklist)
  • User story: story-notion-mcp-remote-ops-deploy-gitops
  • Deployment arch: arch-deployment-notion-mcp-remote
  • Project: project-notion-mcp-remote
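The "grep-checkable" part of the Test Plan and Review Checklist (registry value matches the SOP row, repo path preserved) can be turned into a pre-merge gate. The script below is an added example, not code from the PR or the repository; it uses only the standard library, and the step and plugin names in the embedded sample are assumptions, while the registry, repo and SOP values are the ones this PR states.

```python
"""Pre-merge gate for the Woodpecker push target (stdlib only, added example)."""
import re
import sys

# Values from the SOP "CI registry URL" row and the repo path the PR preserves.
SOP_CI_REGISTRY = "harbor-core.harbor.svc.cluster.local"
EXTERNAL_REGISTRY = "harbor.tail5b443a.ts.net"
EXPECTED_REPO = "notion-mcp-remote/notion-mcp-remote"

# Constructed sample in the shape of .woodpecker.yaml after the fix.
# Step name and plugin image are assumptions; only registry/repo come from the PR.
SAMPLE_PIPELINE = """\
steps:
  build-and-push:
    image: plugins/kaniko
    settings:
      registry: harbor-core.harbor.svc.cluster.local
      repo: notion-mcp-remote/notion-mcp-remote
      tags: ${CI_COMMIT_SHA}
      dockerfile: Dockerfile.k8s
"""

KEY_RE = re.compile(r"^\s*(registry|repo):\s*(\S+)\s*$")


def scalar_values(text: str) -> dict:
    """Collect every registry:/repo: scalar in the file, keeping duplicates."""
    found = {"registry": [], "repo": []}
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            found[m.group(1)].append(m.group(2).strip("'\""))
    return found


def check_push_target(text: str) -> list:
    """Return findings; an empty list means the pipeline satisfies the SOP row."""
    vals = scalar_values(text)
    findings = []
    if len(vals["registry"]) != 1:
        findings.append(f"expected exactly one registry: key, found {len(vals['registry'])}")
    for reg in vals["registry"]:
        if reg == EXTERNAL_REGISTRY:
            findings.append("registry points at the external Funnel URL; CI must push in-cluster")
        elif reg != SOP_CI_REGISTRY:
            findings.append(f"registry {reg!r} does not match SOP value {SOP_CI_REGISTRY!r}")
    if vals["repo"] != [EXPECTED_REPO]:
        findings.append(f"repo path changed: {vals['repo']}")
    return findings


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PIPELINE
    problems = check_push_target(text)
    for p in problems:
        print("FAIL:", p)
    sys.exit(1 if problems else 0)
```

Run it as `python3 check_registry.py .woodpecker.yaml` in the pipeline or a pre-commit hook; a non-zero exit blocks a regression back to the external URL.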
fix(ci): use internal Harbor URL in .woodpecker.yaml
All checks were successful
ci/woodpecker/pr/woodpecker Pipeline was successful
0c90829fd9
Switch the Woodpecker kaniko push target from the external Tailscale
Funnel URL (harbor.tail5b443a.ts.net) to the in-cluster service URL
(harbor-core.harbor.svc.cluster.local).

Per service-onboarding-sop, CI pipelines run inside the cluster and
must push to the internal Harbor service. The external URL is for
humans and runtime image pulls, not CI.

k8s/deployment.yaml also references the external URL for kubelet
image pulls -- that is a separate concern and out of scope here.

Fixes #5

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Author
Contributor

Dev agent self-check (pre-QA)

Dev agent completed the implementation for #5. Per SOP-12 this PR still needs a separate QA review before merge. The Dev agent's toolset does not include a subagent-spawn mechanism, so the parent session should dispatch the qa agent via /review-pr forgejo_admin/notion-mcp-remote#10.

Self-check against the PR's Review Checklist

  • Only .woodpecker.yaml is modified (one line) -- diff is +1/-1, one file
  • New registry value is harbor-core.harbor.svc.cluster.local (internal cluster DNS)
  • Repo path notion-mcp-remote/notion-mcp-remote after the hostname is preserved (unchanged in diff)
  • k8s/deployment.yaml is NOT modified (out of scope per review-1042-2026-04-21)
  • No CI steps, secrets, triggers, or unrelated config changed
  • YAML parses (python3 -c "import yaml; yaml.safe_load(open('.woodpecker.yaml'))" -> OK)

Notes for the QA reviewer

  • The change is a literal hostname swap on the registry: key at line 22. No structural or indentation change.
  • Verify the new internal URL matches service-onboarding-sop and resolves from the Woodpecker agent's cluster.
  • k8s/deployment.yaml still references the external URL -- intentional, informational-only per scope review. Separate concern (kubelet runtime image pull).
  • Parent issue: #5. Closes via "Fixes #5" keyword.

VERDICT: PENDING_QA

Author
Contributor

PR #10 Review

DOMAIN REVIEW

Stack: Woodpecker CI + Kaniko plugin + Harbor registry (YAML only).

Change verified:

  • .woodpecker.yaml:22 -- registry: harbor.tail5b443a.ts.net → registry: harbor-core.harbor.svc.cluster.local
  • Exactly 1 file changed, +1/-1. Diff inspected end-to-end.
  • repo: notion-mcp-remote/notion-mcp-remote, tags: $CI_COMMIT_SHA, dockerfile: Dockerfile.k8s, build_args, username/password secret refs, and step-level when: triggers all preserved byte-for-byte.
  • Indentation unchanged; YAML structure identical.
  • No changes to the test step, top-level when: block, or any other file.

Correctness vs. SOP (service-onboarding-sop Pre-Deploy Validation Checklist — "CI registry URL" row):

  • Required value: harbor-core.harbor.svc.cluster.local (in-cluster service DNS, bypasses Tailscale DERP which is unreliable from inside the cluster).
  • PR value: harbor-core.harbor.svc.cluster.local. Exact match.
  • Repo path notion-mcp-remote/notion-mcp-remote continues to match the Harbor project naming convention (service-key/image-name).

Out-of-scope k8s/deployment.yaml:23 (image: harbor.tail5b443a.ts.net/...) — correctly NOT touched. This is the kubelet runtime image pull reference, which is a separate concern from the CI push target. The scope review review-1042-2026-04-21 explicitly flagged this as informational-only / SCOPE-FUTURE and instructed agents not to expand the bundle. Preserving it here is the correct behavior.

YAML quality: Valid YAML; indentation consistent with surrounding settings: block; no trailing whitespace introduced by the diff.

BLOCKERS

None.

NITS

None. The diff is minimal, surgical, and exactly matches the SOP prescription.

SOP COMPLIANCE

  • Branch named 5-fix-harbor-internal-url — follows {issue-number}-{kebab-case-purpose}
  • PR body has Summary, Changes, Test Plan, Out of Scope, Review Checklist, Related Notes
  • Related section references service-onboarding-sop, review-1042-2026-04-21, story-notion-mcp-remote-ops-deploy-gitops, arch-deployment-notion-mcp-remote, project-notion-mcp-remote, board item #1042
  • Fixes #5 link present; issue spec and AC satisfied (AC1 + AC2 grep-checkable; AC3 validated post-merge via next pipeline run per PR test plan; AC4 regression check covered because the test step is untouched)
  • No secrets, no .env, no credentials in diff
  • No scope creep — single-line change, no unrelated config churn
  • Pre-Deploy Validation Checklist "CI registry URL" row satisfied

PROCESS OBSERVATIONS

  • Deployment frequency: Positive. Unblocks the rest of story-ops-deploy-gitops (#1043 var.services entry, #1044 kustomize overlay, #1048 adjacent CI work) by giving those downstream items a working CI push target.
  • Change failure risk: Very low. Blast radius is 1 YAML value in the CI pipeline; the worst-case failure mode is that the Woodpecker agent cannot resolve cluster-internal DNS (noted and contingency-covered by the $HARBOR_INTERNAL fallback path in the parent issue). Runtime path (kubelet image pull via k8s/deployment.yaml) is unaffected.
  • Documentation: Scope review, SOP, story, and arch notes are all linked from the PR body. No doc gaps. The [SCOPE-FUTURE] follow-up on k8s/deployment.yaml image pull URL should be filed as a separate ticket if/when evaluation of kubelet cluster-internal DNS resolution is warranted — not a gap in this PR.
  • Test plan: Appropriate. Local YAML parse verified; full pipeline validation deferred to first post-merge push, which is the right place for it (cannot be validated pre-merge because the pipeline needs the merged config to exercise the new registry).

VERDICT: APPROVED

forgejo_admin deleted branch 5-fix-harbor-internal-url 2026-04-22 12:05:51 +00:00