Document and harden registry push against 413 Payload Too Large.

Use ephemeral docker login config; document Cloudflare bypass via Jenkins extra_hosts.
2026-06-16 19:57:43 -04:00 · 2026-06-16 19:57:43 -04:00 · ebe9a41501
commit ebe9a41501
parent e1facdec3d
2 changed files with 21 additions and 0 deletions
--- a/docs/JENKINS.md
+++ b/docs/JENKINS.md
@ -62,6 +62,21 @@ The bootstrap stage installs the **buildx** CLI plugin into `.ci-bin/docker-conf

 Set `DOCKER_GID` on the Jenkins Coolify service to the host docker group GID (`stat -c '%g' /var/run/docker.sock`), redeploy Jenkins.

+### Registry push `413 Payload Too Large`
+
+Docker image layers are often **>100MB**. If `git.aexoradao.com` is behind **Cloudflare proxy** (orange cloud), uploads fail with `413`.
+
+**Fix (recommended for same-host Jenkins):** Jenkins container `extra_hosts`:
+
+```yaml
+extra_hosts:
+  - 'git.aexoradao.com:host-gateway'
+```
+
+Pushes then go to **local Traefik** (Let's Encrypt on origin), not Cloudflare.
+
+**Alternative:** Cloudflare DNS → **DNS only** (grey cloud) for `git.aexoradao.com`, or use Docker Hub as `REGISTRY_IMAGE`.
+
 ### Registry push 401/403

 - Token needs **write:package** (or full repo scope including packages)
--- a/scripts/ci/jenkins-push-image.sh
+++ b/scripts/ci/jenkins-push-image.sh
@ -14,8 +14,14 @@ if [ -z "${REGISTRY_USER:-}" ] || [ -z "${REGISTRY_PASSWORD:-}" ]; then
  exit 1
 fi

+# Ephemeral docker config — do not persist registry password in workspace
+PUSH_DOCKER_CONFIG="$(mktemp -d)"
+trap 'rm -rf "$PUSH_DOCKER_CONFIG"' EXIT
+export DOCKER_CONFIG="$PUSH_DOCKER_CONFIG"
+
 echo "$REGISTRY_PASSWORD" | $DOCKER login "$REGISTRY_HOST" -u "$REGISTRY_USER" --password-stdin

+echo "Pushing ${REGISTRY_IMAGE}:${IMAGE_TAG} (large layers need Cloudflare bypass — Jenkins extra_hosts git.aexoradao.com:host-gateway)"
 $DOCKER push "${REGISTRY_IMAGE}:${IMAGE_TAG}"
 $DOCKER push "${REGISTRY_IMAGE}:main"