Converge kai-server docker insecure-registries for in-cluster registry push #341
Labels
No labels
burndown-2026-06
coherence-core
consult
headless
interactive
P0
P1
P2
P3
P4
No milestone
No project
No assignees
1 participant
Notifications
Due date
No due date set.
Dependencies
No dependencies set.
Reference
coilyco-flight-deck/infrastructure#341
Loading…
Add table
Add a link
Reference in a new issue
No description provided.
Delete branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Problem
The kai-server snap docker daemon cannot push to the in-cluster registry
(
192.168.0.194:30500). The registry serves plain HTTP, but the docker daemondefaults to HTTPS, so a
docker pushfails with:k3s containerd already trusts this registry for pulls, but the snap docker
daemon (kai-server's build/CI daemon, which does the pushes) is a separate
config and was never told the registry is insecure.
daemon.jsonheld only{"log-level": "error"}- noinsecure-registriesentry. This is why atlashad never landed in the registry (eco-app images there were pushed by eco-app's
own CI from a different runner).
Manual fix already applied on kai-server
Added the entry to
/var/snap/docker/current/config/daemon.jsonand restartedthe docker snap:
Why this needs ansible
That path is per-snap-revision config under
/var/snap/docker/current/. A snaprefresh is not guaranteed to carry it forward, and hand-applied host config has
no source of truth. Per the deploy repo's authoring/rollout split, host daemon
config belongs in this repo as an ansible task that converges kai-server's
docker
insecure-registriesto include192.168.0.194:30500(the NodePortin-cluster registry), then handler-restarts the docker snap on change.
Acceptance
insecure-registries: ["192.168.0.194:30500"]in the kai-server docker
daemon.json, idempotently.Refs