[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: sclarkso

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing

Skipping CI for Draft Pull Request.

/test e2e-parallel

/test all

/test e2e-parallel
| resourceGroup: '{{ .mgmt.rg }}' | ||
| subscription: '{{ .mgmt.subscription.key }}' | ||
| steps: | ||
| - name: deploy-mce-crds |
the deploy steps need to depend on the respective image mirror step
| releaseName: 'mce-crds' | ||
| releaseNamespace: 'multicluster-engine' | ||
| chartDir: ./deploy/helm/multicluster-engine-crds | ||
| chartDir: oci://{{ .acr.svc.name }}.{{ .acrDNSSuffix }}/helm/multicluster-engine-crds@{{ .acm.chartCrds.digest }} |
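Review bot: the `oci://` `chartDir` on the last line depends on `{{ .acm.chartCrds.digest }}` rendering to a full digest, and nothing in the visible lines guards against an empty or malformed value, which would render the reference as `...multicluster-engine-crds@`. Consider having config.schema constrain the three chart digest fields to a `sha256:` pattern so a bad per-environment override fails at render time rather than when the chart is pulled. Pinning by digest rather than by tag is the right call here, since it keeps the deployed chart tied to exactly what was pushed to the ACR.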
This can't work in Ev2, sorry. You should keep the filesystem contents.
We might be scrapping this anyway, but Ev2 won't use my changes to the templatize helm code to generate the artifact? chartDir has to be a local path?
What
Updates acm makefile and update-policy-chart.sh to helm package charts and helm push them to acr repo.
Updates acm pipeline.yaml to consume oci images instead of local charts
Updates the Helm step handler in templatize's pipeline engine to support oci:// chart references.
Adds the 3 chart digests to config.yaml and the necessary additions to config.schema
Updates image-updater with the downstream oci image location in the ACR.
Also had to modify the acr.go to be able to deal with the fact that OCI images don't have arch or OS metadata.
Why
On main today, there's one copy of each chart checked into deploy/helm/ and every environment deploys that same version. If the CI job re-renders charts from a newer operator bundle, everyone gets the new version on the next deploy -- there's no way to pin an environment to a specific chart version.
With the OCI approach, each chart version is a distinct tagged image in ACR with its own digest. Each environment's config.yaml section can reference a different digest, so you could have pers running the latest charts while cspr stays pinned to a known-good version. The same mechanism that already works for container images (per-environment digest overrides in config.yaml) now works for Helm charts too.
Special notes for your reviewer
I have tested in personal-dev. These changes still require the versions of the chart images specified in config.yaml to have been manually pushed to the acr. Image-updater changes in this PR will only grab the latest downstream images that exist, so there shouldn't be a scenario where the images specified in config.yaml don't exist. The plan is to update the github action to add build-and-push for acm, and to remove the manual step from prow ci that currently updates the acm helm charts.
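A sketch of the check an OCI-aware Helm step handler could apply to `chartDir` so that only digest-pinned chart references are accepted, as the description above intends. This is an added example, not code from this PR or from templatize; `ParseChartDir`, `ChartRef`, the registry name and the digest are hypothetical.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// ChartRef is a hypothetical parsed form of a Helm step's chartDir value.
type ChartRef struct {
	OCI                          bool
	Registry, Repository, Digest string // set for oci:// references
	LocalPath                    string // set for filesystem charts
}

// Only sha256 digests are accepted; this is an assumption of the example.
var digestRE = regexp.MustCompile(`^sha256:[a-f0-9]{64}$`)

// ParseChartDir accepts a local chart directory or an oci:// reference,
// and rejects OCI references that are not pinned to an immutable digest.
func ParseChartDir(chartDir string) (ChartRef, error) {
	if chartDir == "" {
		return ChartRef{}, fmt.Errorf("chartDir is empty")
	}
	if !strings.HasPrefix(chartDir, "oci://") {
		return ChartRef{LocalPath: chartDir}, nil
	}
	name, digest, pinned := strings.Cut(strings.TrimPrefix(chartDir, "oci://"), "@")
	if !pinned || !digestRE.MatchString(digest) {
		// Covers a tag-only reference and an empty templated digest ("...@").
		return ChartRef{}, fmt.Errorf("%q is not pinned to a sha256 digest", chartDir)
	}
	registry, repo, ok := strings.Cut(name, "/")
	if !ok || registry == "" || repo == "" || strings.Contains(repo, ":") {
		// A tag next to the digest is ambiguous about what was reviewed.
		return ChartRef{}, fmt.Errorf("%q needs registry/repository and no tag", chartDir)
	}
	return ChartRef{OCI: true, Registry: registry, Repository: repo, Digest: digest}, nil
}

func main() {
	// Constructed sample values; the registry name and digest are placeholders.
	digest := "sha256:" + strings.Repeat("0", 64)
	for _, in := range []string{
		"./deploy/helm/multicluster-engine-crds",
		"oci://example.azurecr.io/helm/multicluster-engine-crds@" + digest,
		"oci://example.azurecr.io/helm/multicluster-engine-crds@",
		"oci://example.azurecr.io/helm/multicluster-engine-crds:latest",
	} {
		ref, err := ParseChartDir(in)
		fmt.Printf("%-5t %v %+v\n", ref.OCI, err, ref)
	}
}
```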