move to production #1694
Open
portersupport wants to merge 40 commits into
* Support cloudsql.instances field for service-connection-managed proxy config
* Add PR check tests for CloudSQL legacy and instances-only paths
* Enforce single service account for CloudSQL proxy; document legacy fields
* Consolidate cloudsql.instances into cloudsql.connections across all charts
* Remove instances[] from worker and job values.yaml; promote connections[]
* Fix mixed-scenario CI tests and stray instances[] comment references
* Add multi-instance tests
---------
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
* Support cloudsql.instances field for service-connection-managed proxy config
* Add proxyVersion flag to support upgrading to Cloud SQL Proxy v2
* Flip proxyVersion logic: v2 is opt-in, v1 is default
* Simplify proxyVersion helpers and remove dead code
* Flip proxyVersion conditions: if v2 use v2, else v1
* Fix whitespace in terminationGracePeriodSeconds conditionals
* Consolidate proxyVersion CI tests: 27 steps → 12, delete 9 testdata files
* Revert unrelated terminationGracePeriodSeconds whitespace changes
* Rename cloudsql.proxyVersion to cloudsql.version
---------
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
fix: prevent karpenter from evicting rollout-sync pods
Adds pod- and container-level securityContext rendering from .Values.podSecurityContext / .Values.securityContext in the job chart's cronjob.yaml and hook-configmap.yaml, matching the existing behavior in the web and worker charts. This allows users to set seccompProfile (and other security context fields) on job workloads. Co-authored-by: David Townley <davidtownley@Davids-MacBook-Pro.local> Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
…or, and logdna Pins SHA256 image digests to prevent silent tag mutation and supply chain attacks. For logdna, also adds sha field support to the daemonset template since the chart previously had no way to specify a digest. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Exposes image.repository and image.tag in values so callers can override both. Required for pinning the k8s-dns-node-cache image by digest in the porter monolith (RUN-2547). Defaults preserve the current image reference. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Trigger the chart-publishing workflow off pushes to main instead of pushes to a separate production branch. The production branch was a manual deploy gate that drifted from main over time (auto-bumped Chart.yaml versions on production stopped flowing back to main earlier this year), and the merge-to-production PRs were just bulk replays rather than selective filtering. Bump main's Chart.yaml versions to match what is currently live in ChartMuseum (last published from production HEAD) so the next publish increments from the right base. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Revert the version bumps on worker and the three addons. Those charts have no functional drift from live (only whitespace), so bumping them would trigger pointless republishes on first run. Keep the bumps on web (ships #1690 karpenter rollout-sync fix) and job (ships #1693 job securityContext support), which do have pending unreleased changes sitting on main. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
The staging→production promotion step described here no longer exists after switching the publish workflow to trigger on merge to main. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
build.sh queries ChartMuseum and minor-bumps from there, overwriting whatever's in Chart.yaml. There's no manual-override path without modifying the script itself. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
The auto-commit step pushes Chart.yaml version bumps directly to main. The default GITHUB_TOKEN authenticates as github-actions[bot], which cannot be added to main's "Allow specified actors to bypass required pull requests" list (the bot identity is not selectable). Switch the build job's checkout to use a portersupport PAT so the push happens under that account, which can be added to the bypass list. Requires: PORTERSUPPORT_PAT repo secret containing a fine-grained PAT for the portersupport account, scoped to this repo with contents:write. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Added initContainerSecurityContext
Add [skip ci] to the auto-commit message so the PAT-authenticated push back to main doesn't retrigger the workflow. Without this, every chart publish would loop: bump → push → retrigger → bump → push → ... The GITHUB_TOKEN loop protection that prevented this on the production branch doesn't apply to PAT pushes — PAT pushes are treated like any human push and do trigger workflows. [skip ci] is GitHub Actions' documented marker for opting out of that. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Adds helm-template assertions to pr_checks.yaml for the five addons whose images were digest-pinned (grafana, redis, datadog, tailscale-operator, logdna). Each step renders the chart and greps for `<repo>@sha256:` — loose check by design, so legitimate digest bumps don't require CI updates. Catches: digest accidentally cleared, template not wiring the digest field through, future chart syncs wiping pinned values. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
`echo "$OUT" | grep -q` produces false positives on large helm outputs under bash's `set -e -o pipefail` (GitHub Actions default): grep exits early on match, echo gets SIGPIPE (141), pipefail surfaces that as the pipeline's exit code, and the `||` error path fires even though grep matched. Datadog's render is large enough to hit this reliably. Switching to `grep -qE "pattern" <<< "$OUT"` eliminates the pipe and the race. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
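The two commit messages above describe the digest-pinning assertion (grep for `<repo>@sha256:` in the rendered chart) and the pipefail/SIGPIPE problem with feeding the render through `echo | grep`. The script below is an added example, not the repository's pr_checks.yaml: it reproduces the loose fixed-string check over a here-string, adds a stricter per-reference walk that lists every image lacking a digest, and validates digest length. The YAML renders, repository names and digest values are constructed sample input standing in for `helm template` output; the function names are the example's own.

```bash
#!/usr/bin/env bash
# Added example (not the repo's pr_checks.yaml): the digest-pinning assertion
# written without an `echo | grep` pipe. Under `set -e -o pipefail`, grep -q
# exits on the first match and a large writer can take SIGPIPE (exit 141),
# which pipefail then reports as the pipeline's status. A here-string has no
# writer process, so the check's status is grep's alone.
set -euo pipefail

# Constructed sample renders (stand-ins for `helm template` output).
PINNED_RENDER=$(cat <<'EOF'
apiVersion: apps/v1
kind: Deployment
metadata:
  name: redis
spec:
  template:
    spec:
      containers:
        - name: redis
          image: "docker.io/library/redis@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
EOF
)

UNPINNED_RENDER=$(cat <<'EOF'
apiVersion: apps/v1
kind: Deployment
metadata:
  name: redis
spec:
  template:
    spec:
      containers:
        - name: redis
          image: docker.io/library/redis:7.2
        - name: exporter
          image: docker.io/oliver006/redis_exporter@sha256:fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210
EOF
)

# check_pinned REPO RENDER: succeeds if RENDER references REPO by digest.
# Deliberately loose (fixed-string match on "REPO@sha256:") so a legitimate
# digest bump does not require a CI change, mirroring the check described above.
check_pinned() {
  local repo=$1 render=$2
  grep -qF "${repo}@sha256:" <<< "$render"
}

# unpinned_images RENDER: prints every image: reference that carries no
# digest, one per line. Plain bash line loop over a here-string, no pipe.
unpinned_images() {
  local render=$1 line ref
  while IFS= read -r line; do
    case "$line" in *image:*) ;; *) continue ;; esac
    ref=${line#*image:}
    ref=${ref//[[:space:]]/}
    ref=${ref//\"/}
    ref=${ref//\'/}
    case "$ref" in *@sha256:*) ;; *) printf '%s\n' "$ref" ;; esac
  done <<< "$render"
}

# valid_digest REF: succeeds only if REF ends in @sha256: plus 64 hex chars,
# catching a truncated or hand-edited digest that the loose check would accept.
valid_digest() {
  [[ $1 =~ @sha256:[0-9a-f]{64}$ ]]
}

# Stand-alone demonstration output (process substitution, again no pipe).
if check_pinned docker.io/library/redis "$PINNED_RENDER"; then
  echo "pinned render: redis is referenced by digest"
fi
while IFS= read -r ref; do
  [[ -n $ref ]] && echo "unpinned: $ref"
done < <(unpinned_images "$UNPINNED_RENDER")
```

In a CI step the render would come from `OUT=$(helm template ...)` and the step would end with `check_pinned "$REPO" "$OUT" || { echo "digest missing" >&2; exit 1; }`; the `||` branch now fires only when grep genuinely finds no match, because there is no upstream writer left to be killed by grep's early exit.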
feat: pin image digests for Tier 1 addon charts
ci: publish helm charts on merge to main
…al-dns-chart feat: expose image fields in local-dns-cache chart (RUN-2547)
PR #1695 added pinned image digests to the values.yaml of datadog, grafana, logdna, redis, and tailscale-operator, but landed on main five minutes before the workflow trigger was switched from production to main (#1697). As a result those changes never made it into ChartMuseum. Bump each affected chart so the next publish run detects a diff in the chart directory and republishes. The version numbers here are just to force the diff — build.sh queries ChartMuseum for the live version and minor-bumps from there, then overwrites Chart.yaml. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…-digests chore: republish tier 1 addons to ship pinned image digests
…hellform Added shellform support for healthcheck commands to the worker chart.
Signed-off-by: Edwin Hermans <edwin@madtech.cx>
…y_worker Allow the worker deploymentstrategy to be defined like the web service
Sync vendored karpenter chart to upstream v1.12.1 to pull in the latest version. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
chore: upgrade karpenter 1.8.2 -> 1.12.1
Like command, entrypoint and healthcheck, customers sometimes want to use the shell form of lifecycle commands.
Add shellForm for lifecycle commands
No description provided.