fix(CI): Add job to update image tag in helm charts

Signed-off-by: Anurag Rajawat <anurag@accuknox.com>
5GSEC · Sep 26, 2024 · 823af57 · 823af57
1 parent 13df8f9
commit 823af57
Show file tree

Hide file tree

Showing 4 changed files with 55 additions and 5 deletions.
diff --git a/.github/workflows/pr-checks.yaml b/.github/workflows/pr-checks.yaml
@@ -172,6 +172,7 @@ jobs:
           working-directory: ./deployments/nimbus
           run: |
             helm upgrade --dependency-update --install nimbus-operator . -n nimbus --create-namespace \
+            --set image.tag=latest \
             --set image.pullPolicy=Never \
             --set autoDeploy.kubearmor=false \
             --set autoDeploy.kyverno=false \
@@ -232,6 +233,7 @@ jobs:
           working-directory: ./deployments/nimbus
           run: |
             helm upgrade --dependency-update --install nimbus-operator . -n nimbus --create-namespace \
+            --set image.tag=latest \
             --set image.pullPolicy=Never \
             --set autoDeploy.kubearmor=false \
             --set autoDeploy.kyverno=false \
@@ -245,7 +247,7 @@ jobs:
         - name: Install nimbus-netpol
           working-directory: deployments/nimbus-netpol/
           run: |
-            helm upgrade --install nimbus-netpol . -n nimbus --set image.pullPolicy=Never
+            helm upgrade --install nimbus-netpol . -n nimbus --set image.pullPolicy=Never --set image.tag=latest
 
         - name: Wait for nimbus-netpol to start
           run: |
@@ -255,7 +257,7 @@ jobs:
         - name: Install nimbus-kubearmor
           working-directory: deployments/nimbus-kubearmor/
           run: |
-            helm upgrade --dependency-update --install nimbus-kubearmor . -n nimbus --set image.pullPolicy=Never
+            helm upgrade --dependency-update --install nimbus-kubearmor . -n nimbus --set image.pullPolicy=Never --set image.tag=latest
 
         - name: Wait for nimbus-kubearmor to start
           run: |
@@ -265,7 +267,7 @@ jobs:
         - name: Install nimbus-kyverno
           working-directory: deployments/nimbus-kyverno/
           run: |
-            helm upgrade --dependency-update --install nimbus-kyverno . -n nimbus --set image.pullPolicy=Never
+            helm upgrade --dependency-update --install nimbus-kyverno . -n nimbus --set image.pullPolicy=Never --set image.tag=latest
 
         - name: Wait for nimbus-kyverno to start
           run: |

diff --git a/.github/workflows/stable-release.yaml b/.github/workflows/stable-release.yaml
@@ -3,7 +3,10 @@
 
 name: Stable release
 
-on: workflow_dispatch
+on:
+  create:
+    tags:
+      - "v*"
 
 permissions: read-all
 
@@ -33,8 +36,35 @@ jobs:
       NAME: ${{ matrix.adapters }}
     secrets: inherit
 
+  update-image-tags-in-helm-charts:
+    if: github.repository == '5GSEC/nimbus'
+    needs: [ release-nimbus-image, release-adapters-image ]
+    permissions:
+      contents: write
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout source code
+        uses: actions/checkout@v4
+
+      - name: Get tag
+        id: tag
+        run: |
+          if [ ${{ github.ref }} == "refs/heads/main" ]; then
+            echo "tag=latest" >> $GITHUB_OUTPUT
+          else
+            echo "tag=${GITHUB_REF#refs/*/}" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Update images tag
+        run: |
+          ./scripts/update-image-tag.sh ${{ steps.tag.outputs.tag }} 
+
+      - name: Commit changes
+        uses: stefanzweifel/git-auto-commit-action@v5
+
   release_helm_charts:
     if: github.repository == '5GSEC/nimbus'
+    needs: [ update-image-tags-in-helm-charts ]
     permissions:
       contents: write
     runs-on: ubuntu-latest

diff --git a/Makefile b/Makefile
@@ -100,7 +100,7 @@ lint-fix: golangci-lint ## Run golangci-lint linter and perform fixes
 ##@ Build
 
 .PHONY: build
-build: manifests generate fmt vet ## Build manager binary.
+build: fmt vet ## Build manager binary.
 	@go build -ldflags="-s" -o bin/"${BINARY_NAME}" ./cmd
 
 .PHONY: run

diff --git a/scripts/update-image-tag.sh b/scripts/update-image-tag.sh
@@ -0,0 +1,18 @@
+#!/usr/bin/env bash
+# SPDX-License-Identifier: Apache-2.0
+# Copyright 2023 Authors of Nimbus
+
+if ! command -v yq >/dev/null; then
+  echo "Installing yq..."
+  go install github.com/mikefarah/yq/v4@latest
+fi
+
+TAG=$1
+DEPLOYMENT_ROOT_DIR="deployments"
+DIRECTORIES=("${DEPLOYMENT_ROOT_DIR}/nimbus" "${DEPLOYMENT_ROOT_DIR}/nimbus-k8tls" \
+  "${DEPLOYMENT_ROOT_DIR}/nimbus-kubearmor" "${DEPLOYMENT_ROOT_DIR}/nimbus-kyverno" "${DEPLOYMENT_ROOT_DIR}/nimbus-netpol")
+
+echo "Updating tag to $TAG"
+for directory in "${DIRECTORIES[@]}"; do
+   yq -i ".image.tag = \"$TAG\"" "${directory}/values.yaml"
+done