diff --git a/.github/WORKFLOWS.md b/.github/WORKFLOWS.md new file mode 100644 index 0000000..3efa125 --- /dev/null +++ b/.github/WORKFLOWS.md 
@@ -0,0 +1,130 @@ +# GitHub Workflows Documentation + +This document describes the automated workflows used in this repository. + +## 📋 Available Workflows + +### 1. CI Workflow (`ci.yml`) +**Trigger**: Push and Pull Requests + +Validates the Helm chart on every code change: +- Lints the chart using `helm lint` +- Runs chart testing with `ct lint` +- Validates template rendering +- Ensures chart quality and best practices + +### 2. Release Workflow (`release.yml`) +**Trigger**: Push to `main` branch (when Chart.yaml version changes) + +Automates chart releases: +- Creates GitHub releases +- Signs the chart with GPG +- Publishes to GitHub Pages (Helm repository) +- Updates Artifact Hub + +### 3. Auto-Update Valkey Version (`update-valkey-version.yml`) +**Trigger**: +- Weekly schedule (Mondays at 9:00 AM UTC) +- Manual dispatch + +Automatically keeps Valkey version up-to-date: + +#### How It Works + +```mermaid +graph TD + A[Scheduled: Every Monday] --> B[Pull cgr.dev/chainguard/valkey:latest] + C[Manual Trigger] --> B + B --> D[Detect Valkey version] + D --> E{Version changed?} + E -->|No| F[✓ No action needed] + E -->|Yes| G[Update Chart.yaml appVersion] + G --> H[Bump chart patch version] + H --> I[Update CHANGELOG.md] + I --> J[Create Pull Request] + J --> K[Review & Merge] + K --> L[Release workflow triggers] +``` + +#### What It Does + +1. **Version Detection** + - Pulls the latest Chainguard Valkey image + - Runs `valkey-server --version` to detect the exact version + - Compares with current `appVersion` in `Chart.yaml` + +2. **If Version Changed** + - Updates `appVersion` in `Chart.yaml` to the new version + - Bumps the chart patch version (e.g., `0.2.0` → `0.2.1`) + - Adds entry to `CHANGELOG.md` with the version change + - Creates a pull request with all changes + +3. 
**Pull Request Contents** + - Clear title: `chore: update Valkey to version X.Y.Z` + - Detailed body with old → new version info + - Labeled as `automated`, `version-update`, `dependencies` + - Ready for review and merge + +4. **After Merge** + - Release workflow automatically triggers + - New chart version is published + - Users get the updated version + +#### Manual Trigger + +You can manually trigger the workflow from GitHub: + +1. Go to **Actions** tab +2. Select **Update Valkey Version** workflow +3. Click **Run workflow** +4. Select branch (usually `main`) + +This is useful when you want to check for updates immediately instead of waiting for the weekly schedule. + +#### Why This Approach? + +**Benefits:** +- ✅ Chart stays current with latest Valkey releases +- ✅ Security updates are tracked and applied quickly +- ✅ Full transparency via pull requests +- ✅ Human review before changes are published +- ✅ Automatic changelog maintenance + +**Trade-offs:** +- ⚠️ Chainguard free tier only provides `latest` tag +- ⚠️ Updates are reactive (weekly check) not instant +- ⚠️ Requires manual PR merge (by design, for safety) + +## 🔧 Maintenance + +### Adjusting Update Frequency + +Edit the cron schedule in `update-valkey-version.yml`: + +```yaml +schedule: + - cron: '0 9 * * 1' # Every Monday at 9:00 AM UTC +``` + +Common schedules: +- Daily: `'0 9 * * *'` +- Twice a week: `'0 9 * * 1,4'` (Monday and Thursday) +- Monthly: `'0 9 1 * *'` (First day of month) + +### Troubleshooting + +**If version detection fails:** +1. Check Docker pull permissions for Chainguard registry +2. Verify the `--version` command output format hasn't changed +3. Review workflow logs in Actions tab + +**If PRs aren't being created:** +1. Ensure GitHub Actions has write permissions +2. Check if there's already an open PR for version update +3. 
Verify the comparison logic in the workflow + +## 📚 References + +- [Chainguard Images](https://www.chainguard.dev/chainguard-images) +- [Helm Chart Best Practices](https://helm.sh/docs/chart_best_practices/) +- [GitHub Actions Documentation](https://docs.github.com/en/actions) diff --git a/.github/workflows/update-valkey-version.yml b/.github/workflows/update-valkey-version.yml new file mode 100644 index 0000000..05d997a --- /dev/null +++ b/.github/workflows/update-valkey-version.yml 
@@ -0,0 +1,144 @@ +name: Update Valkey Version + +on: + schedule: + # Runs every Monday at 9:00 AM UTC + - cron: '0 9 * * 1' + workflow_dispatch: # Allows manual trigger + +permissions: + contents: write + pull-requests: write + +jobs: + check-and-update: + runs-on: ubuntu-latest + steps: + - name: Checkout repository + uses: actions/checkout@v4 + with: + fetch-depth: 0 + + - name: Get Valkey version from Chainguard image + id: get-version + run: | + # Pull the latest Chainguard Valkey image + docker pull cgr.dev/chainguard/valkey:latest + + # Get Valkey version from the container + # Using sed for better compatibility (works on both Linux and macOS) + VERSION=$(docker run --rm cgr.dev/chainguard/valkey:latest --version | sed -n 's/.*v=\([0-9]*\.[0-9]*\.[0-9]*\).*/\1/p') + + if [ -z "$VERSION" ]; then + echo "Failed to detect Valkey version" + exit 1 + fi + + echo "detected_version=$VERSION" >> $GITHUB_OUTPUT + echo "Detected Valkey version: $VERSION" + + - name: Get current appVersion from Chart.yaml + id: current-version + run: | + CURRENT=$(grep '^appVersion:' Chart.yaml | awk '{print $2}' | tr -d '"') + echo "current_version=$CURRENT" >> $GITHUB_OUTPUT + echo "Current appVersion: $CURRENT" + + - name: Compare versions + id: compare + run: | + DETECTED="${{ steps.get-version.outputs.detected_version }}" + CURRENT="${{ steps.current-version.outputs.current_version }}" + + if [ "$DETECTED" != "$CURRENT" ]; then + echo "needs_update=true" >> $GITHUB_OUTPUT + echo "Version mismatch detected: $CURRENT -> $DETECTED" + else + echo "needs_update=false" >> $GITHUB_OUTPUT + echo "Version is up to date: $CURRENT" + fi + + - name: Update Chart.yaml + if: steps.compare.outputs.needs_update == 'true' + run: | + NEW_VERSION="${{ steps.get-version.outputs.detected_version }}" + + # Update appVersion in Chart.yaml + sed -i "s/^appVersion: .*/appVersion: \"$NEW_VERSION\"/" Chart.yaml + + # Bump patch version of chart + CHART_VERSION=$(grep '^version:' Chart.yaml | awk '{print 
$2}') + # Simple patch bump (you might want to use semver tool for production) + NEW_CHART_VERSION=$(echo $CHART_VERSION | awk -F. '{$NF = $NF + 1;} 1' | sed 's/ /./g') + sed -i "s/^version: .*/version: $NEW_CHART_VERSION/" Chart.yaml + + echo "Updated appVersion to $NEW_VERSION" + echo "Updated chart version to $NEW_CHART_VERSION" + + - name: Update CHANGELOG + if: steps.compare.outputs.needs_update == 'true' + run: | + NEW_VERSION="${{ steps.get-version.outputs.detected_version }}" + CHART_VERSION=$(grep '^version:' Chart.yaml | awk '{print $2}') + DATE=$(date +%Y-%m-%d) + + # Create or update CHANGELOG + if [ ! -f CHANGELOG.md ]; then + echo "# Changelog" > CHANGELOG.md + echo "" >> CHANGELOG.md + fi + + # Add new entry + sed -i "3i\\ +## [$CHART_VERSION] - $DATE\n\\ +\n\\ +### Changed\n\\ +- Updated Valkey to version $NEW_VERSION (from Chainguard latest image)\n" CHANGELOG.md + + - name: Create Pull Request + if: steps.compare.outputs.needs_update == 'true' + uses: peter-evans/create-pull-request@v6 + with: + token: ${{ secrets.GITHUB_TOKEN }} + commit-message: | + chore: update Valkey to version ${{ steps.get-version.outputs.detected_version }} + + - Updated appVersion from ${{ steps.current-version.outputs.current_version }} to ${{ steps.get-version.outputs.detected_version }} + - Automatically detected from cgr.dev/chainguard/valkey:latest + + Co-Authored-By: github-actions[bot] + branch: auto-update-valkey-${{ steps.get-version.outputs.detected_version }} + delete-branch: true + title: "chore: update Valkey to version ${{ steps.get-version.outputs.detected_version }}" + body: | + ## 🤖 Automated Valkey Version Update + + This PR was automatically created by the version checker workflow. 
+ + ### Changes + - **Valkey version**: `${{ steps.current-version.outputs.current_version }}` → `${{ steps.get-version.outputs.detected_version }}` + - **Source**: Detected from `cgr.dev/chainguard/valkey:latest` + - **Chart version**: Bumped patch version + + ### Verification + The version was detected by pulling the latest Chainguard Valkey image and running `--version`. + + ### Next Steps + - Review the changes + - Merge to trigger a new chart release + - The release workflow will automatically publish to GitHub Pages + + --- + 🔄 This check runs weekly on Mondays at 9:00 AM UTC + labels: | + automated + version-update + dependencies + + - name: Summary + run: | + if [ "${{ steps.compare.outputs.needs_update }}" == "true" ]; then + echo "✅ Version update PR created: ${{ steps.current-version.outputs.current_version }} → ${{ steps.get-version.outputs.detected_version }}" + else + echo "✅ No update needed. Current version ${{ steps.current-version.outputs.current_version }} is up to date." + fi diff --git a/CHANGELOG.md b/CHANGELOG.md new file mode 100644 index 0000000..d1d995d --- /dev/null +++ b/CHANGELOG.md 
@@ -0,0 +1,41 @@ +# Changelog + +All notable changes to this project will be documented in this file. + +The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), +and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). + +## [0.2.0] - 2025-02-14 + +### Changed +- Switch to Chainguard zero-CVE images for enhanced security (valkey, kubectl, wolfi-base) +- Update container user from 999 to 65532 (Chainguard default) +- Simplify health check scripts for distroless compatibility +- Update pre-upgrade hook to work without shell + +### Added +- Automated version checking workflow (runs weekly) +- Documentation for image versioning strategy +- CHANGELOG.md for tracking releases + +### Security +- Migration to Chainguard images with zero known CVEs +- Enhanced security with distroless base images + +## [0.1.0] - 2024 + +### Added +- Initial release of Valkey Helm Chart +- Standalone mode support +- Sentinel mode for high availability +- Authentication and security features +- Persistence configuration +- Prometheus metrics exporter +- TLS support +- Pre-upgrade hooks for zero-downtime migrations +- Network policies and RBAC +- Comprehensive documentation + +--- + +**Note**: Starting from v0.2.0, this chart uses `cgr.dev/chainguard/valkey:latest` and the `appVersion` is automatically updated weekly via GitHub Actions when new Valkey versions are released. diff --git a/README.md b/README.md index f321eee..9ed6428 100644 --- a/README.md +++ b/README.md 
@@ -3,6 +3,8 @@ [![Artifact Hub](https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/valkey-redis)](https://artifacthub.io/packages/helm/valkey-redis/valkey) [![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://opensource.org/licenses/Apache-2.0) [![Helm](https://img.shields.io/badge/Helm-3.x-blue)](https://helm.sh) +[![Auto-Update](https://img.shields.io/badge/Auto--Update-Weekly-green)](https://github.com/start-codex/valkey-helm-chart/actions/workflows/update-valkey-version.yml) +[![Chainguard](https://img.shields.io/badge/Images-Chainguard%20%7C%20Zero%20CVE-brightgreen)](https://www.chainguard.dev/)

Valkey Logo @@ -14,6 +16,7 @@ Helm chart for deploying [Valkey](https://valkey.io/) on Kubernetes. Valkey is a - [Features](#features) - [Requirements](#requirements) +- [Image Versioning Strategy](#image-versioning-strategy) - [Quick Start](#quick-start) - [Architectures](#architectures) - [Configuration](#configuration) @@ -46,6 +49,35 @@ Helm chart for deploying [Valkey](https://valkey.io/) on Kubernetes. Valkey is a | Kubernetes | >= 1.23 | | Helm | >= 3.8 | +## Image Versioning Strategy + +This chart uses **Chainguard's zero-CVE Valkey images** for enhanced security. + +### Why `latest` tag? + +- **Free tier limitation**: Chainguard's free tier only provides the `latest` tag +- **Automatic updates**: Using `latest` ensures you always get the most recent security patches +- **Zero CVEs**: Chainguard images are rebuilt continuously to maintain zero known vulnerabilities + +### Version tracking + +- **appVersion in Chart.yaml**: Reflects the current Valkey version available in `cgr.dev/chainguard/valkey:latest` +- **Automated updates**: A GitHub Action checks weekly for version updates and creates PRs automatically +- **Transparency**: Every version change is tracked via pull requests and changelog entries + +### For production use + +If you require **version pinning** for production: + +```yaml +# Override with a specific version (requires Chainguard Pro or alternative registry) +image: + repository: valkey/valkey # Official Valkey images + tag: "9.0.0" # Specific version tag +``` + +> **Note**: Using `latest` provides continuous security updates but means deployments may pull different versions over time. For strict reproducibility, consider using image digests or switching to a registry that provides versioned tags. + ## Quick Start ```bash diff --git a/values.yaml b/values.yaml index bd44e09..aea11bc 100644 --- a/values.yaml +++ b/values.yaml 
@@ -13,10 +13,20 @@ clusterDomain: cluster.local # Valkey image configuration # Using Chainguard images for zero CVE security +# +# Why 'latest' tag? +# - Chainguard free tier only provides 'latest' tag +# - Ensures automatic security updates and zero known CVEs +# - appVersion in Chart.yaml tracks the actual version (auto-updated weekly) +# +# For production with version pinning, override with: +# image: +# repository: valkey/valkey # Official Valkey registry +# tag: "9.0.0" # Specific version image: registry: cgr.dev repository: chainguard/valkey - tag: "latest" + tag: "latest" # Auto-updated by Chainguard, version tracked in Chart.yaml appVersion pullPolicy: IfNotPresent # Common configuration @@ -130,10 +140,12 @@ sentinel: failoverTimeout: 180000 parallelSyncs: 1 + # Sentinel uses the same Chainguard Valkey image (includes sentinel binary) + # See main image configuration above for versioning strategy image: registry: cgr.dev repository: chainguard/valkey - tag: "latest" + tag: "latest" # Matches main Valkey image tag pullPolicy: IfNotPresent serviceAccount:
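Review bot: In the `.github/WORKFLOWS.md` hunk, the "Benefits" bullet "Security updates are tracked and applied quickly" overstates what this workflow does: the chart keeps pointing at `cgr.dev/chainguard/valkey:latest`, so clusters pick up whatever Chainguard publishes whether or not the PR is merged, and merging only rewrites `appVersion` and bumps the chart version. Say "tracked" and state plainly that the resulting release is a metadata-only bump. Two smaller mismatches with the workflow as written: the doc says detection "Runs `valkey-server --version`", while the workflow runs `docker run --rm cgr.dev/chainguard/valkey:latest --version` and relies on the image entrypoint being the server binary (worth noting under "If version detection fails"); and the Troubleshooting item "Ensure GitHub Actions has write permissions" should point at the `permissions:` block in `update-valkey-version.yml` rather than leaving the reader to guess where that is set.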
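Review bot: In the `update-valkey-version.yml` hunk, the "Update CHANGELOG" step's `sed -i "3i\ ..."` is a silent no-op on the path that just created the file: the `if [ ! -f CHANGELOG.md ]` branch writes two lines, so there is no line 3 for `3i` to insert before, and the step exits 0 with no entry added; on the `CHANGELOG.md` added in this same commit it lands the entry between `# Changelog` and the "All notable changes" paragraph rather than below the intro. Anchor on the first `## [` heading instead. Also in this hunk: the chart version is read with `grep '^version:' Chart.yaml | awk '{print $2}'` without the `tr -d '"'` applied to `appVersion`, so a quoted `version: "0.2.0"` produces a malformed bump; the comparison is a plain `!=`, so if `latest` ever moves backwards the job opens a downgrade PR and still bumps the chart (compare with `sort -V` and only update when the detected version is newer); `actions/checkout@v4` and `peter-evans/create-pull-request@v6` are mutable tags in a job granted `contents: write`, so pin them to commit SHAs; and because the PR is opened with `secrets.GITHUB_TOKEN`, GitHub will not run `ci.yml` on it, so the lint the docs promise on "every code change" never runs on these PRs unless a PAT or GitHub App token is used. The `sed -n 's/.*v=\([0-9]*\.[0-9]*\.[0-9]*\).*/\1/p'` capture does restrict the value to digits and dots before it is interpolated into later `run:` blocks, which is the right call; since the version comes from a mutable tag, also record the pulled image digest (for example via `docker inspect`) in the PR body so the reviewer can tie `appVersion` to an immutable artifact.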
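Review bot: In the `CHANGELOG.md` hunk, the `## [0.1.0] - 2024` entry has no full date, which the Keep a Changelog format the file cites calls for (YYYY-MM-DD); fill it in or mark it unknown. The "Security" entry "Migration to Chainguard images with zero known CVEs" describes the image at its build time, not the chart: since the chart references the mutable `latest` tag, this entry cannot say which image was verified, so consider recording the image digest next to the version in each automated entry.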
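Review bot: In the first `README.md` hunk, the "Images | Chainguard | Zero CVE" badge is a static shields.io label, not a scan result, so it will read "Zero CVE" regardless of the actual state of the image a user pulls; either link it to the Chainguard image page where the current scan status is shown or drop the "Zero CVE" wording from the badge text.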
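Review bot: In the "Image Versioning Strategy" hunk of `README.md`, the pinning example sets only `repository: valkey/valkey` and `tag: "9.0.0"`; with `values.yaml` defaulting `registry: cgr.dev`, that override resolves to `cgr.dev/valkey/valkey:9.0.0`, which is not the official image. Add `registry: docker.io` to the example. The bullet "Using `latest` ensures you always get the most recent security patches" is only true when the image is actually re-pulled; with the chart's `pullPolicy: IfNotPresent`, a node that already has `latest` cached keeps running the old build, so qualify this or point users at `pullPolicy: Always`. The closing note's advice to "consider using image digests" is not actionable as written, because the values shown expose only `registry`, `repository` and `tag`; if the chart supports a digest field, show it here, otherwise say how to pin by digest.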
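Review bot: In the first `values.yaml` hunk, `tag: "latest"` with `pullPolicy: IfNotPresent` contradicts the new comment "Ensures automatic security updates and zero known CVEs": the kubelet pulls only when the image is absent from the node, so nodes that already cached `latest` keep running the old build until it is evicted or the pod lands on a fresh node. Either set `pullPolicy: Always` for the `latest` tag or state in the comment that a rollout restart or image re-pull is needed to pick up a new build. The override comment has the same gap as the README example: `repository: valkey/valkey` and `tag: "9.0.0"` without `registry: docker.io` resolves against `cgr.dev`. The inline comment "Auto-updated by Chainguard, version tracked in Chart.yaml appVersion" should also say the tracking is weekly, so `appVersion` can lag the image by up to a week.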
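Review bot: In the second `values.yaml` hunk, the sentinel image has the same `tag: "latest"` with `pullPolicy: IfNotPresent` combination, so the caveat above applies here too; and because the sentinel and server blocks are two independent references to a mutable tag, sentinel and server pods scheduled on different nodes can end up running different builds. If both are meant to track the same image, as the comment "Matches main Valkey image tag" says, consider deriving the sentinel image from the main `image` block rather than repeating the values.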