From 1fcc72f8b92b57b692851eec74e608270cfddf92 Mon Sep 17 00:00:00 2001
From: Julio Caicedo
Date: Sun, 15 Feb 2026 00:16:17 -0500
Subject: [PATCH] Thanks for providing the detailed commit instructions. However, I notice that the diff shows **unstaged changes**, but you've asked me to generate a commit message based on **staged changes**. The diff header shows:

### Full Diff of Unstaged Changes (2 selected files)

**Important**: Commit messages should be generated from **staged** changes (files added with `git add`). Unstaged changes are work-in-progress modifications that haven't been marked for commit yet.

If you intended to commit these changes, please:
1. Stage them first: `git add README.md values.yaml`
2. Then I can generate an appropriate commit message

---

That said, if these changes **are** what you want to commit, here's the conventional commit message:

docs: add image versioning strategy and Chainguard usage explanation

Add comprehensive documentation explaining why the chart uses Chainguard's 'latest' tag and the automated version tracking strategy. This addresses potential confusion about production version pinning.

Changes:
- Add "Image Versioning Strategy" section to README with rationale for using 'latest' tag and Chainguard images
- Document automated weekly version updates via GitHub Actions
- Provide alternative configuration for production version pinning
- Add Auto-Update and Chainguard badges to README header
- Include inline comments in values.yaml explaining image tag strategy
- Add table of contents entry for new documentation section
---
 .github/WORKFLOWS.md                        | 130 ++++++++++++++++++
 .github/workflows/update-valkey-version.yml | 144 ++++++++++++++++++++
 CHANGELOG.md                                |  41 ++++++
 README.md                                   |  32 +++++
 values.yaml                                 |  16 ++-
 5 files changed, 361 insertions(+), 2 deletions(-)
 create mode 100644 .github/WORKFLOWS.md
 create mode 100644 .github/workflows/update-valkey-version.yml
 create mode 100644 CHANGELOG.md
diff --git a/.github/WORKFLOWS.md b/.github/WORKFLOWS.md new file mode 100644 index 0000000..3efa125 --- /dev/null +++ b/.github/WORKFLOWS.md 
@@ -0,0 +1,130 @@ +# GitHub Workflows Documentation + +This document describes the automated workflows used in this repository. + +## 📋 Available Workflows + +### 1. CI Workflow (`ci.yml`) +**Trigger**: Push and Pull Requests + +Validates the Helm chart on every code change: +- Lints the chart using `helm lint` +- Runs chart testing with `ct lint` +- Validates template rendering +- Ensures chart quality and best practices + +### 2. Release Workflow (`release.yml`) +**Trigger**: Push to `main` branch (when Chart.yaml version changes) + +Automates chart releases: +- Creates GitHub releases +- Signs the chart with GPG +- Publishes to GitHub Pages (Helm repository) +- Updates Artifact Hub + +### 3. Auto-Update Valkey Version (`update-valkey-version.yml`) +**Trigger**: +- Weekly schedule (Mondays at 9:00 AM UTC) +- Manual dispatch + +Automatically keeps Valkey version up-to-date: + +#### How It Works + +```mermaid +graph TD + A[Scheduled: Every Monday] --> B[Pull cgr.dev/chainguard/valkey:latest] + C[Manual Trigger] --> B + B --> D[Detect Valkey version] + D --> E{Version changed?} + E -->|No| F[✓ No action needed] + E -->|Yes| G[Update Chart.yaml appVersion] + G --> H[Bump chart patch version] + H --> I[Update CHANGELOG.md] + I --> J[Create Pull Request] + J --> K[Review & Merge] + K --> L[Release workflow triggers] +``` + +#### What It Does + +1. **Version Detection** + - Pulls the latest Chainguard Valkey image + - Runs `valkey-server --version` to detect the exact version + - Compares with current `appVersion` in `Chart.yaml` + +2. **If Version Changed** + - Updates `appVersion` in `Chart.yaml` to the new version + - Bumps the chart patch version (e.g., `0.2.0` → `0.2.1`) + - Adds entry to `CHANGELOG.md` with the version change + - Creates a pull request with all changes + +3. 
**Pull Request Contents** + - Clear title: `chore: update Valkey to version X.Y.Z` + - Detailed body with old → new version info + - Labeled as `automated`, `version-update`, `dependencies` + - Ready for review and merge + +4. **After Merge** + - Release workflow automatically triggers + - New chart version is published + - Users get the updated version + +#### Manual Trigger + +You can manually trigger the workflow from GitHub: + +1. Go to **Actions** tab +2. Select **Update Valkey Version** workflow +3. Click **Run workflow** +4. Select branch (usually `main`) + +This is useful when you want to check for updates immediately instead of waiting for the weekly schedule. + +#### Why This Approach? + +**Benefits:** +- ✅ Chart stays current with latest Valkey releases +- ✅ Security updates are tracked and applied quickly +- ✅ Full transparency via pull requests +- ✅ Human review before changes are published +- ✅ Automatic changelog maintenance + +**Trade-offs:** +- ⚠️ Chainguard free tier only provides `latest` tag +- ⚠️ Updates are reactive (weekly check) not instant +- ⚠️ Requires manual PR merge (by design, for safety) + +## 🔧 Maintenance + +### Adjusting Update Frequency + +Edit the cron schedule in `update-valkey-version.yml`: + +```yaml +schedule: + - cron: '0 9 * * 1' # Every Monday at 9:00 AM UTC +``` + +Common schedules: +- Daily: `'0 9 * * *'` +- Twice a week: `'0 9 * * 1,4'` (Monday and Thursday) +- Monthly: `'0 9 1 * *'` (First day of month) + +### Troubleshooting + +**If version detection fails:** +1. Check Docker pull permissions for Chainguard registry +2. Verify the `--version` command output format hasn't changed +3. Review workflow logs in Actions tab + +**If PRs aren't being created:** +1. Ensure GitHub Actions has write permissions +2. Check if there's already an open PR for version update +3. 
Verify the comparison logic in the workflow + +## 📚 References + +- [Chainguard Images](https://www.chainguard.dev/chainguard-images) +- [Helm Chart Best Practices](https://helm.sh/docs/chart_best_practices/) +- [GitHub Actions Documentation](https://docs.github.com/en/actions) diff --git a/.github/workflows/update-valkey-version.yml b/.github/workflows/update-valkey-version.yml new file mode 100644 index 0000000..05d997a --- /dev/null +++ b/.github/workflows/update-valkey-version.yml 
@@ -0,0 +1,144 @@ +name: Update Valkey Version + +on: + schedule: + # Runs every Monday at 9:00 AM UTC + - cron: '0 9 * * 1' + workflow_dispatch: # Allows manual trigger + +permissions: + contents: write + pull-requests: write + +jobs: + check-and-update: + runs-on: ubuntu-latest + steps: + - name: Checkout repository + uses: actions/checkout@v4 + with: + fetch-depth: 0 + + - name: Get Valkey version from Chainguard image + id: get-version + run: | + # Pull the latest Chainguard Valkey image + docker pull cgr.dev/chainguard/valkey:latest + + # Get Valkey version from the container + # Using sed for better compatibility (works on both Linux and macOS) + VERSION=$(docker run --rm cgr.dev/chainguard/valkey:latest --version | sed -n 's/.*v=\([0-9]*\.[0-9]*\.[0-9]*\).*/\1/p') + + if [ -z "$VERSION" ]; then + echo "Failed to detect Valkey version" + exit 1 + fi + + echo "detected_version=$VERSION" >> $GITHUB_OUTPUT + echo "Detected Valkey version: $VERSION" + + - name: Get current appVersion from Chart.yaml + id: current-version + run: | + CURRENT=$(grep '^appVersion:' Chart.yaml | awk '{print $2}' | tr -d '"') + echo "current_version=$CURRENT" >> $GITHUB_OUTPUT + echo "Current appVersion: $CURRENT" + + - name: Compare versions + id: compare + run: | + DETECTED="${{ steps.get-version.outputs.detected_version }}" + CURRENT="${{ steps.current-version.outputs.current_version }}" + + if [ "$DETECTED" != "$CURRENT" ]; then + echo "needs_update=true" >> $GITHUB_OUTPUT + echo "Version mismatch detected: $CURRENT -> $DETECTED" + else + echo "needs_update=false" >> $GITHUB_OUTPUT + echo "Version is up to date: $CURRENT" + fi + + - name: Update Chart.yaml + if: steps.compare.outputs.needs_update == 'true' + run: | + NEW_VERSION="${{ steps.get-version.outputs.detected_version }}" + + # Update appVersion in Chart.yaml + sed -i "s/^appVersion: .*/appVersion: \"$NEW_VERSION\"/" Chart.yaml + + # Bump patch version of chart + CHART_VERSION=$(grep '^version:' Chart.yaml | awk '{print 
$2}') + # Simple patch bump (you might want to use semver tool for production) + NEW_CHART_VERSION=$(echo $CHART_VERSION | awk -F. '{$NF = $NF + 1;} 1' | sed 's/ /./g') + sed -i "s/^version: .*/version: $NEW_CHART_VERSION/" Chart.yaml + + echo "Updated appVersion to $NEW_VERSION" + echo "Updated chart version to $NEW_CHART_VERSION" + + - name: Update CHANGELOG + if: steps.compare.outputs.needs_update == 'true' + run: | + NEW_VERSION="${{ steps.get-version.outputs.detected_version }}" + CHART_VERSION=$(grep '^version:' Chart.yaml | awk '{print $2}') + DATE=$(date +%Y-%m-%d) + + # Create or update CHANGELOG + if [ ! -f CHANGELOG.md ]; then + echo "# Changelog" > CHANGELOG.md + echo "" >> CHANGELOG.md + fi + + # Add new entry + sed -i "3i\\ +## [$CHART_VERSION] - $DATE\n\\ +\n\\ +### Changed\n\\ +- Updated Valkey to version $NEW_VERSION (from Chainguard latest image)\n" CHANGELOG.md + + - name: Create Pull Request + if: steps.compare.outputs.needs_update == 'true' + uses: peter-evans/create-pull-request@v6 + with: + token: ${{ secrets.GITHUB_TOKEN }} + commit-message: | + chore: update Valkey to version ${{ steps.get-version.outputs.detected_version }} + + - Updated appVersion from ${{ steps.current-version.outputs.current_version }} to ${{ steps.get-version.outputs.detected_version }} + - Automatically detected from cgr.dev/chainguard/valkey:latest + + Co-Authored-By: github-actions[bot] + branch: auto-update-valkey-${{ steps.get-version.outputs.detected_version }} + delete-branch: true + title: "chore: update Valkey to version ${{ steps.get-version.outputs.detected_version }}" + body: | + ## 🤖 Automated Valkey Version Update + + This PR was automatically created by the version checker workflow. 
+ + ### Changes + - **Valkey version**: `${{ steps.current-version.outputs.current_version }}` → `${{ steps.get-version.outputs.detected_version }}` + - **Source**: Detected from `cgr.dev/chainguard/valkey:latest` + - **Chart version**: Bumped patch version + + ### Verification + The version was detected by pulling the latest Chainguard Valkey image and running `--version`. + + ### Next Steps + - Review the changes + - Merge to trigger a new chart release + - The release workflow will automatically publish to GitHub Pages + + --- + 🔄 This check runs weekly on Mondays at 9:00 AM UTC + labels: | + automated + version-update + dependencies + + - name: Summary + run: | + if [ "${{ steps.compare.outputs.needs_update }}" == "true" ]; then + echo "✅ Version update PR created: ${{ steps.current-version.outputs.current_version }} → ${{ steps.get-version.outputs.detected_version }}" + else + echo "✅ No update needed. Current version ${{ steps.current-version.outputs.current_version }} is up to date." + fi diff --git a/CHANGELOG.md b/CHANGELOG.md new file mode 100644 index 0000000..d1d995d --- /dev/null +++ b/CHANGELOG.md 
@@ -0,0 +1,41 @@ +# Changelog + +All notable changes to this project will be documented in this file. + +The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), +and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). + +## [0.2.0] - 2025-02-14 + +### Changed +- Switch to Chainguard zero-CVE images for enhanced security (valkey, kubectl, wolfi-base) +- Update container user from 999 to 65532 (Chainguard default) +- Simplify health check scripts for distroless compatibility +- Update pre-upgrade hook to work without shell + +### Added +- Automated version checking workflow (runs weekly) +- Documentation for image versioning strategy +- CHANGELOG.md for tracking releases + +### Security +- Migration to Chainguard images with zero known CVEs +- Enhanced security with distroless base images + +## [0.1.0] - 2024 + +### Added +- Initial release of Valkey Helm Chart +- Standalone mode support +- Sentinel mode for high availability +- Authentication and security features +- Persistence configuration +- Prometheus metrics exporter +- TLS support +- Pre-upgrade hooks for zero-downtime migrations +- Network policies and RBAC +- Comprehensive documentation + +--- + +**Note**: Starting from v0.2.0, this chart uses `cgr.dev/chainguard/valkey:latest` and the `appVersion` is automatically updated weekly via GitHub Actions when new Valkey versions are released. diff --git a/README.md b/README.md index f321eee..9ed6428 100644 --- a/README.md +++ b/README.md 
@@ -3,6 +3,8 @@ [![Artifact Hub](https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/valkey-redis)](https://artifacthub.io/packages/helm/valkey-redis/valkey) [![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://opensource.org/licenses/Apache-2.0) [![Helm](https://img.shields.io/badge/Helm-3.x-blue)](https://helm.sh) +[![Auto-Update](https://img.shields.io/badge/Auto--Update-Weekly-green)](https://github.com/start-codex/valkey-helm-chart/actions/workflows/update-valkey-version.yml) +[![Chainguard](https://img.shields.io/badge/Images-Chainguard%20%7C%20Zero%20CVE-brightgreen)](https://www.chainguard.dev/)

Valkey Logo @@ -14,6 +16,7 @@ Helm chart for deploying [Valkey](https://valkey.io/) on Kubernetes. Valkey is a - [Features](#features) - [Requirements](#requirements) +- [Image Versioning Strategy](#image-versioning-strategy) - [Quick Start](#quick-start) - [Architectures](#architectures) - [Configuration](#configuration) @@ -46,6 +49,35 @@ Helm chart for deploying [Valkey](https://valkey.io/) on Kubernetes. Valkey is a | Kubernetes | >= 1.23 | | Helm | >= 3.8 | +## Image Versioning Strategy + +This chart uses **Chainguard's zero-CVE Valkey images** for enhanced security. + +### Why `latest` tag? + +- **Free tier limitation**: Chainguard's free tier only provides the `latest` tag +- **Automatic updates**: Using `latest` ensures you always get the most recent security patches +- **Zero CVEs**: Chainguard images are rebuilt continuously to maintain zero known vulnerabilities + +### Version tracking + +- **appVersion in Chart.yaml**: Reflects the current Valkey version available in `cgr.dev/chainguard/valkey:latest` +- **Automated updates**: A GitHub Action checks weekly for version updates and creates PRs automatically +- **Transparency**: Every version change is tracked via pull requests and changelog entries + +### For production use + +If you require **version pinning** for production: + +```yaml +# Override with a specific version (requires Chainguard Pro or alternative registry) +image: + repository: valkey/valkey # Official Valkey images + tag: "9.0.0" # Specific version tag +``` + +> **Note**: Using `latest` provides continuous security updates but means deployments may pull different versions over time. For strict reproducibility, consider using image digests or switching to a registry that provides versioned tags. + ## Quick Start ```bash diff --git a/values.yaml b/values.yaml index bd44e09..aea11bc 100644 --- a/values.yaml +++ b/values.yaml 
@@ -13,10 +13,20 @@ clusterDomain: cluster.local # Valkey image configuration # Using Chainguard images for zero CVE security +# +# Why 'latest' tag? +# - Chainguard free tier only provides 'latest' tag +# - Ensures automatic security updates and zero known CVEs +# - appVersion in Chart.yaml tracks the actual version (auto-updated weekly) +# +# For production with version pinning, override with: +# image: +# repository: valkey/valkey # Official Valkey registry +# tag: "9.0.0" # Specific version image: registry: cgr.dev repository: chainguard/valkey - tag: "latest" + tag: "latest" # Auto-updated by Chainguard, version tracked in Chart.yaml appVersion pullPolicy: IfNotPresent # Common configuration @@ -130,10 +140,12 @@ sentinel: failoverTimeout: 180000 parallelSyncs: 1 + # Sentinel uses the same Chainguard Valkey image (includes sentinel binary) + # See main image configuration above for versioning strategy image: registry: cgr.dev repository: chainguard/valkey - tag: "latest" + tag: "latest" # Matches main Valkey image tag pullPolicy: IfNotPresent serviceAccount:
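Review bot: in the `.github/WORKFLOWS.md` hunk, the "Benefits" bullet `Security updates are tracked and applied quickly` and the "After Merge" step `Users get the updated version` overstate what the workflow does: it only rewrites `appVersion`, the chart `version` and `CHANGELOG.md`. Which image a pod actually runs is decided by the `latest` tag and the `pullPolicy` in values.yaml, not by the chart release, so a reader could conclude that merging the PR is what ships the fix. Suggest wording along the lines of "the chart's recorded appVersion is kept in sync with the image" and a pointer to the pull-policy caveat. Under "Troubleshooting", `Check Docker pull permissions for Chainguard registry` would be clearer as "confirm the anonymous pull of `cgr.dev/chainguard/valkey:latest` still succeeds from the runner", since the workflow in this same patch performs no registry login.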
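Review bot: in the `update-valkey-version.yml` hunk, the "Update CHANGELOG" step inserts the new entry with `sed -i "3i\\ ...` at line 3, which is only correct for the two-line file the step creates when `CHANGELOG.md` is absent; for the `CHANGELOG.md` added in this same patch, line 3 is `All notable changes to this project will be documented in this file.`, so every automated entry would land above the preamble and the Keep a Changelog / SemVer links. Insert before the first line matching `^## \[` instead (an awk pass that prints the entry on the first match is simpler than computing a line number). Three further points on the same hunk: the PR is created with `secrets.GITHUB_TOKEN`, and GitHub does not start `on: pull_request` workflows for events created with that token, so the CI workflow described in WORKFLOWS.md will not run on these PRs unless a PAT or GitHub App token is supplied to `create-pull-request`; the step pulls an unpinned `latest` but records only the parsed version string, so capture the resolved digest as well (`docker inspect --format '{{index .RepoDigests 0}}' cgr.dev/chainguard/valkey:latest`) and put it in the PR body, which gives reviewers something verifiable to compare against; and `version:` is read with `grep '^version:' Chart.yaml | awk '{print $2}'` without the `tr -d '"'` that the `appVersion:` read uses, so a quoted version in Chart.yaml would be bumped to `"0.2.1` with a stray quote. Minor: `Co-Authored-By: github-actions[bot]` lacks the `Name <email>` form git expects for trailers, and for a job with `contents: write` it would be usual to pin `peter-evans/create-pull-request@v6` to a commit SHA.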
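Review bot: in the `CHANGELOG.md` hunk, `## [0.2.0] - 2025-02-14` is dated a year before this commit (Sun, 15 Feb 2026); please check whether 2026-02-14 was intended. `## [0.1.0] - 2024` should carry a full `YYYY-MM-DD` date to follow the Keep a Changelog format the file declares in its header. Also, the layout chosen here (title, preamble, then `## [x.y.z]` sections) has to agree with the line-3 insertion the automated workflow performs; as written, automated entries would be placed above the preamble.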
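Review bot: in the first `README.md` hunk, the `Auto-Update` badge is a static shields.io badge (`badge/Auto--Update-Weekly-green`) that links to the workflow but renders "Weekly" regardless of whether the last run succeeded, so a broken version-detection step stays invisible. GitHub serves a live status badge at `https://github.com/start-codex/valkey-helm-chart/actions/workflows/update-valkey-version.yml/badge.svg`; using that would surface failures. The `Images | Zero CVE` badge is likewise a static assertion rather than the output of a scan, which is worth stating in the README text so readers do not take it as a continuously verified result.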
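Review bot: in the third `README.md` hunk ("Image Versioning Strategy"), the production override example sets `repository: valkey/valkey` and `tag: "9.0.0"` but leaves `image.registry` at its values.yaml default of `cgr.dev`, so, assuming the chart composes `registry/repository:tag` as the values layout suggests, the rendered reference becomes `cgr.dev/valkey/valkey:9.0.0`, which is not where the official images live. Add `registry: docker.io` to the snippet (the same snippet is repeated in the values.yaml comment and needs the same fix). The bullet `Using latest ensures you always get the most recent security patches` is only true with `pullPolicy: Always`; values.yaml sets `IfNotPresent`, so this sentence should either be qualified or the default changed. The closing note recommends "image digests" for reproducibility, but nothing in the chart shown here exposes a digest field; if `image.digest` (or equivalent) exists, document how to set it, otherwise say that digest pinning requires editing the template.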
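Review bot: in the first `values.yaml` hunk, `tag: "latest"` is combined with `pullPolicy: IfNotPresent`, which contradicts the new comment `Ensures automatic security updates and zero known CVEs`: with `IfNotPresent` the kubelet reuses any image already on the node that carries the `latest` tag, so nodes that pulled the image once keep running the old build until the image is evicted, and a rolling restart does not help on those nodes. Either set `pullPolicy: Always` whenever the tag is `latest` (the security argument in the comment depends on it) or prefer digest pinning, and make the comment state which of the two the chart relies on. The new comment `Auto-updated by Chainguard, version tracked in Chart.yaml appVersion` should also say that `appVersion` records the version observed at the last weekly check, not necessarily the version a given pod is running.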
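Review bot: in the second `values.yaml` hunk, the comment `Matches main Valkey image tag` describes a convention rather than a link: `sentinel.image` is an independent block, so the production-pinning override documented for `image:` leaves sentinel on `cgr.dev/chainguard/valkey:latest` with `pullPolicy: IfNotPresent` unless `sentinel.image` is overridden as well. Either state in this comment (and in the README override example) that both blocks must be overridden together, or have the template fall back to the main `image` values when `sentinel.image` is not set, so that the two cannot silently diverge.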