Add job to update policies and kubectl image #407
Conversation
```yaml
updateCapabilitiesPolicyTag:
  name: Update capabilities-psp tag
  kind: yaml
  sourceid: capabilitiesPolicyTag
  spec:
    file: "charts/kubewarden-defaults/values.yaml"
    key: "$.recommendedPolicies.capabilitiesPolicy.module.tag"
```
Where are the tags updated? Reading the script, I have the impression that the script just checks if the tags from the values files are the latest ones. But I do not understand where the targets are that will update it with the latest version. Furthermore, where are the latest tags fetched? I think we should do something similar to the dockerimage example.
To test the script, I've merged this PR into my helm-charts repository main branch and downgraded two policies. Then, I ran the CI. The CI is green but no PR is opened. In the logs we can see that the script ran every step but it does not update the tags.
Fixed now with a rebase. One doesn't need conditions, just to set `target.foo.scmid`.
Tested in my fork:
https://github.com/viccuad/helm-charts/actions/runs/8393105846/job/22987348660
viccuad#2
This allows for programmatically consuming module.tag, for example in airgap scripts or update scripts. Signed-off-by: Víctor Cuadrado Juan <[email protected]>
7dca022 to b2720e3
Add job that checks the policies and kubectl image tags every week, and opens a PR if there's any bump needed. Signed-off-by: Víctor Cuadrado Juan <[email protected]>
b2720e3 to 81d48a4
I could see the script working now. But I have a question about the script to update the dependencies.
```yaml
kubectlImageTag:
  kind: dockerimage
  spec:
    image: ghcr.io/kubewarden/kubectl
    versionfilter:
      kind: semver
```
In the test in my fork I can see the script bumping the version. That's nice! Thanks for that!
But I have some questions: how does the `versionfilter` know which is the latest version? Does it perform semver comparisons? What is the difference from the kind `latest`?
I'm wondering if we can hit some corner case like a patch release being published after a major/minor release. In other words, let's imagine that we have a latest release which is `v2.0.0`, but we release a patch release `v1.9.1` to fix an issue in the `v1.9.0` version. Will the script downgrade the policy because `v1.9.1` is the most recent version? I was reading the updatecli docs and I did not fully understand what's happening here.
I'm aware that scenario never happened before. But I would like to understand that to help the maintenance of the script in the future.
Good question, tripped me too.
Right now the `spec.versionfilter` is configured with `semver` and no `pattern`. This means it defaults to `pattern: *`, and will accept any valid semver (including prereleases, which I think is fine, we review the PR) that is newer than the current semver version (so, not `:latest` nor downgrades). See here.
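The selection rule described in the reply above (highest valid semver strictly newer than the current tag, prereleases included, `:latest` ignored, never a downgrade), worked through on the reviewer's "v1.9.1 published after v2.0.0" scenario. This is an added Python illustration written for this page, not updatecli's own code; the tag list is constructed, and the `allow_prerelease` switch goes beyond the reply to show the stricter variant.

```python
import re

# Constructed tag list in publication order: the corner case from the review,
# where patch release v1.9.1 is published *after* v2.0.0.
PUBLISHED_TAGS = ["v1.9.0", "v2.0.0-rc1", "v2.0.0", "v1.9.1"]

_SEMVER = re.compile(
    r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$")


def parse(tag):
    """Turn a semver tag into a sortable key; None if it is not semver ('latest')."""
    m = _SEMVER.match(tag)
    if not m:
        return None
    major, minor, patch, pre = m.groups()
    # A release (flag 1) sorts after its own prereleases (flag 0);
    # numeric prerelease identifiers sort before alphanumeric ones, per semver.
    if pre is None:
        pre_key = (1, ())
    else:
        pre_key = (0, tuple((0, int(p)) if p.isdigit() else (1, p)
                            for p in pre.split(".")))
    return (int(major), int(minor), int(patch)) + pre_key


def pick_update(current, tags, allow_prerelease=True):
    """Highest semver tag strictly newer than `current`, or None when no bump
    is needed. Assumption: this mirrors the reply's description of
    `versionfilter: {kind: semver}` with the default `pattern: *`."""
    cur = parse(current)
    if cur is None:
        raise ValueError(f"current tag {current!r} is not semver")
    best, best_key = None, cur
    for tag in tags:
        key = parse(tag)
        if key is None:                      # ':latest' is not a version
            continue
        if not allow_prerelease and key[3] == 0:
            continue
        if key > best_key:                   # strictly newer than current/best
            best, best_key = tag, key
    return best


if __name__ == "__main__":
    for current in ("v1.9.0", "v2.0.0"):
        print(current, "->", pick_update(current, PUBLISHED_TAGS))
```

With `v2.0.0` already in values.yaml the later-published `v1.9.1` yields no bump, which is the "no downgrade" behaviour the reply describes.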
Description
Fix #388
Add job that checks the policies and kubectl image tags every week,
and opens a PR if there's any bump needed.
Test
Tested updatecli part locally with:
Tested `make generate-policies-file generate-images-file`, everything works for airgap scripts.
Tested in my fork:
https://github.com/viccuad/helm-charts/actions/runs/8393105846/job/22987348660
viccuad#2
Additional Information
Should wait for merge until 1.11 is released.