Skip to content

feat(chart): make appVersion load-bearing for image tags#78

Merged
brandonrc merged 3 commits into
mainfrom
feat/74-appversion-load-bearing
Jun 3, 2026
Merged

feat(chart): make appVersion load-bearing for image tags#78
brandonrc merged 3 commits into
mainfrom
feat/74-appversion-load-bearing

Conversation

@brandonrc

@brandonrc brandonrc commented Apr 26, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

Summary

Replaces #77, which proposed an alias-tag mechanism inside chart-releaser config. Senior review (Backend Architect + DevOps Automator) recommended dropping that approach and instead making appVersion itself the load-bearing field that drives the rendered image tag.

This PR does exactly that:

  • templates/{backend,edge,web}-deployment.yaml render the image as
    "{{ .Values.x.image.repository }}:{{ .Values.x.image.tag | default .Chart.AppVersion }}".
  • values.yaml sets backend.image.tag: "", web.image.tag: "", and edge.image.tag: "" so the default fires for normal chart consumers. pullPolicy flipped from Always to IfNotPresent since the rendered tag is now immutable per chart version.
  • values-staging.yaml explicitly sets web.image.tag: dev to preserve the previous staging behavior (the staging overlay only overrode the backend tag, so before this PR web was implicitly inheriting dev from the default).
  • RELEASING.md documents the release flow, the appVersion to image tag contract, and how consumers discover new versions (no automatic alias).

Result: helm install ak --version 1.2.0 always pulls image tag 1.2.0. No out-of-band metadata, no alias step. The image-reference verification gate added in #76 catches mismatches because the rendered tag is now driven by appVersion.

Verification

$ helm template foo charts/artifact-keeper --set postgres.auth.password=x --set secrets.jwtSecret=y --set edge.enabled=true | grep -E 'image:.*artifact-keeper'
          image: "ghcr.io/artifact-keeper/artifact-keeper-backend:1.1.0"
          image: "ghcr.io/artifact-keeper/artifact-keeper-edge:1.1.0"
          image: "ghcr.io/artifact-keeper/artifact-keeper-web:1.1.0"

$ helm template foo charts/artifact-keeper -f values-staging.yaml ... | grep artifact-keeper
          image: "ghcr.io/artifact-keeper/artifact-keeper-backend:dev"
          image: "ghcr.io/artifact-keeper/artifact-keeper-web:dev"

$ helm template foo charts/artifact-keeper -f values-production.yaml ... | grep artifact-keeper
          image: "ghcr.io/artifact-keeper/artifact-keeper-backend:latest"
          image: "ghcr.io/artifact-keeper/artifact-keeper-web:latest"

Test Checklist

  • Helm template renders without errors
  • Terraform validates/plans cleanly
  • Manually verified on staging cluster (if applicable)
  • Rollback strategy documented

Infrastructure

  • Helm: helm template renders correctly
  • Terraform: terraform validate passes
  • Terraform: terraform plan shows expected changes
  • ArgoCD: Application manifests are valid
  • N/A - documentation only

Refs #74. Supersedes #77.

Update (rebased onto main after #145)

Reconciled with the explicit-pin approach already on main:

  • Templates keep the load-bearing fallback {{ .Values.<comp>.image.tag | default .Chart.AppVersion }}, so any value file that omits a tag inherits appVersion.
  • values.yaml (dev) keeps explicit tag: dev and pullPolicy: Always for backend/web/edge (floating dev profile, ArgoCD pins digests).
  • values-production.yaml keeps the release pin (1.2.0); values-staging.yaml keeps dev.
  • Edge stays dev everywhere on purpose: no artifact-keeper-edge image is published at appVersion, so inheriting it would fail the image-reference gate (see Artifact Keeper Helm deployment fails: edge image missing (not suitable for airgap installations) #56).
  • helm-docs regenerated; RELEASING.md updated to match.

Closes #74

@brandonrc brandonrc requested a review from a team as a code owner April 26, 2026 22:46
@sonarqubecloud

sonarqubecloud Bot commented Apr 26, 2026

Copy link
Copy Markdown

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

@brandonrc brandonrc added this to the v1.2.0 milestone Apr 27, 2026
@brandonrc

brandonrc commented Apr 27, 2026

Copy link
Copy Markdown
Contributor Author

Status check (post-#84 / #85 merge):

The 5 failing checks on this PR are all blocked by missing versioned tags on ghcr.io. Chart appVersion is 1.1.0, image-ref gate probes:

  • ghcr.io/artifact-keeper/artifact-keeper-backend:1.1.0 -> 404 (no versioned backend tags on ghcr.io)
  • ghcr.io/artifact-keeper/artifact-keeper-web:1.1.0 -> 404 (web only has 1.1, 1.1.2, 1.1.3)

Backend has versioned tags on docker.io but not ghcr.io -- filed as artifact-keeper#905 (v1.1.9 critical). Web gap is artifact-keeper-web#320.

This PR remains parked until #905 + #320 land and v1.1.9 publishes both backend and web on ghcr.io. After that, bump appVersion in Chart.yaml to 1.1.9 and the gate should pass.

Alternative if we want to merge sooner: change the chart's image repository default from ghcr.io/artifact-keeper/... to docker.io/artifactkeeper/... (which has the versioned tags). That's a meaningful product decision -- ghcr.io has been the documented default. Probably better to fix the publish workflow.

@brandonrc brandonrc force-pushed the feat/74-appversion-load-bearing branch from 084f872 to b7d2d11 Compare June 3, 2026 16:53
brandonrc added 3 commits June 3, 2026 11:55
@brandonrc
feat(chart): make appVersion load-bearing for image tags
6fca72f 
Default image.tag for backend, web, and edge to .Chart.AppVersion when
unset, so a given chart version always pulls a matching image version.

- templates/{backend,edge,web}-deployment.yaml: use
  '{{ .Values.x.image.tag | default .Chart.AppVersion }}'.
- values.yaml: backend/web/edge image.tag set to "" so the default
  fires; also flipped pullPolicy from Always to IfNotPresent now that
  the rendered tag is immutable per chart version.
- values-staging.yaml: explicit web.image.tag: dev to preserve the
  previous staging behavior (was inheriting tag: dev from defaults).
- RELEASING.md: documents the chart release flow, the appVersion-as-
  image-tag contract, and how downstream consumers discover versions.

Replaces #77 (closed). The earlier approach added an alias-tag mechanism
to chart-releaser; senior review flagged that as out-of-band metadata
and recommended this template change instead.

Refs #74
@brandonrc
docs(chart): regenerate helm-docs for load-bearing image tags
aebc95e
@brandonrc
docs(release): note production pins the release version, not latest
f08e672 
values-production.yaml now pins backend/web to the release tag (1.2.0)
rather than the floating 'latest', matching the chart on main.
@brandonrc brandonrc force-pushed the feat/74-appversion-load-bearing branch from b7d2d11 to f08e672 Compare June 3, 2026 16:56
@brandonrc brandonrc merged commit ab22770 into main Jun 3, 2026
19 of 21 checks passed
@brandonrc brandonrc deleted the feat/74-appversion-load-bearing branch June 3, 2026 17:05
@github-project-automation github-project-automation Bot moved this from Todo to Done in Hardening Core Jun 3, 2026
This was referenced Jun 3, 2026
Open
Open
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

Hardening Core
Status: Done

Milestone

v1.2.0

Development

Successfully merging this pull request may close these issues.

Helm chart release tags align with backend release tags

1 participant

@brandonrc