coilyco-flight-deck/infrastructure
1
0
Fork 0
Code Issues 101 Pull requests Projects Releases Packages Wiki Activity Actions 1

k3s-deploy-notes.md documents GHCR pull as canonical - docker-save sideload is the real pattern #38

New issue
Open
opened 2026-05-23 20:54:32 +00:00 by coilysiren · 0 comments
coilysiren commented 2026-05-23 20:54:32 +00:00
Owner
Copy link

Originally filed by @coilysiren on 2026-05-21T04:34:52Z - https://github.com/coilysiren/infrastructure/issues/218

Problem

docs/k3s-deploy-notes.md documents the GHCR-push + cluster-side-pull flow as the canonical CI deploy pattern (the CI workflow block around line 210, and the docker-registry ExternalSecret in section 5). But the actual canonical homelab pattern - used by repo-recall, galaxy-gen, and now backend - is the docker-save sideload:

  1. Build the image in CI.
  2. docker save it, stream the tarball over tailscale ssh deploy@kai-server into sudo k3s ctr -n k8s.io images import -.
  3. kubectl set image + rollout status.

No registry pull on the cluster, no imagePullSecret, no kubeconfig in CI - just an OIDC tailnet join (TS_CLIENT_ID / TS_AUDIENCE) and an SSH tunnel.

This drift is not cosmetic: backend followed the documented GHCR pattern and the cluster could not pull the image (403, read:packages), which forced the migration (coilysiren/backend#70, #71).

Fix

Update k3s-deploy-notes.md to make the docker-save sideload the documented default, with repo-recall/.github/workflows/docker.yml and galaxy-gen/.github/workflows/build-and-publish.yml as reference templates. Keep the GHCR path documented only as the option for repos that publish public images for third-party consumers (repo-recall does both).

_Originally filed by @coilysiren on 2026-05-21T04:34:52Z - [https://github.com/coilysiren/infrastructure/issues/218](https://github.com/coilysiren/infrastructure/issues/218)_ **Problem** `docs/k3s-deploy-notes.md` documents the GHCR-push + cluster-side-pull flow as the canonical CI deploy pattern (the CI workflow block around line 210, and the `docker-registry` ExternalSecret in section 5). But the actual canonical homelab pattern - used by `repo-recall`, `galaxy-gen`, and now `backend` - is the **docker-save sideload**: 1. Build the image in CI. 2. `docker save` it, stream the tarball over `tailscale ssh deploy@kai-server` into `sudo k3s ctr -n k8s.io images import -`. 3. `kubectl set image` + `rollout status`. No registry pull on the cluster, no `imagePullSecret`, no kubeconfig in CI - just an OIDC tailnet join (`TS_CLIENT_ID` / `TS_AUDIENCE`) and an SSH tunnel. This drift is not cosmetic: `backend` followed the documented GHCR pattern and the cluster could not pull the image (403, `read:packages`), which forced the migration (coilysiren/backend#70, #71). **Fix** Update `k3s-deploy-notes.md` to make the docker-save sideload the documented default, with `repo-recall/.github/workflows/docker.yml` and `galaxy-gen/.github/workflows/build-and-publish.yml` as reference templates. Keep the GHCR path documented only as the option for repos that publish public images for third-party consumers (repo-recall does both).
coilysiren added
P4
 and removed
P3
 labels 2026-05-31 07:00:51 +00:00
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
main
dispatch/issue-294
tangled-knot
dispatch/issue-216
No results found.
Labels
Clear labels
  
P0
now / blocking / urgent

  
P1
next / important

  
P2
backlog / will do

  
P3
someday / low

  
P4
icebox / frozen / reopen if it becomes real

No labels
P0
P1
P2
P3
P4
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
coilyco-flight-deck/infrastructure#38
No description provided.