[NA]: Import Bitnami common helpers + automate chart version bump #7
Open
GuySaar8 wants to merge 2 commits into
Port the generically-useful helpers from the unmaintained Bitnami common library chart into templates/_imported_bitnami_common.tpl, renamed under the comet-common.* namespace: capabilities (kubeVersion + apiVersion resolvers), storage.class, ingress (backend/certManagerRequest), utils (fieldToEnvVar, getValueFromKey, getKeyFromList, secret.getvalue, checksumTemplate), secrets (name/key/lookup/exists/passwords.manage) and compatibility (OpenShift securityContext). Adds comet-common.names.namespace, which secrets/utils need. secrets.passwords.manage's Bitnami error/validation dependencies are ported in trimmed, de-Bitnamified form (generic message, no bitnami.com links, no subchart validation tree). Helpers this chart already provides (names, labels, images, tplvalues, affinities, size presets) and Bitnami image-catalog-specific helpers (errors.insecureImages, warnings) are intentionally not imported. README documents the new helper groups and Apache-2.0 attribution. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Move chart versioning into CI so it no longer has to be managed by hand in each PR (mirrors the comet-monitoring publish workflow).
- release.yaml: switch from push-to-main to workflow_dispatch with a 'bump' choice (patch/minor/major). A bump job computes the next SemVer, commits it back to the branch, then the existing OCI release job packages and publishes. workflow_dispatch (not push) is deliberate: a push-triggered job that commits a bump back to main would re-trigger itself in a loop.
- helm-oci-release.yaml: add an optional 'ref' input so the package step checks out the post-bump branch HEAD instead of the pre-bump triggering commit.
- Remove verify-chart-version.yaml and helm-verify-chart-version.yaml: they required Chart.yaml > latest release on every PR touching templates/**, which directly conflicts with machine-managed versioning (it would block every feature PR). With the version bumped automatically at release time, the PR gate is redundant.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
obezpalko
approved these changes
Jun 24, 2026
Summary
Two related changes:
- `common` helpers into this chart (Bitnami stopped maintaining the upstream library chart), renamed under the `comet-common.*` namespace.
- `comet-monitoring` publish workflow.

1. Imported helpers — `templates/_imported_bitnami_common.tpl`
Ported from the Apache-2.0 Bitnami `common` chart, renamed `common.*` → `comet-common.*`, adapted for this chart:
- `kubeVersion`, `apiVersions.has`, apiVersion resolvers for `policy`/`networkPolicy`/`job`/`cronjob`/`daemonset`/`deployment`/`statefulset`/`ingress`/`rbac`/`crd`/`apiService`/`hpa`/`vpa`, `psp.supported`, `admissionConfiguration.*`, `podSecurityConfiguration.apiVersion`, `supportsHelmVersion`
- `storage.class`
- `ingress.backend`, `ingress.certManagerRequest`
- `fieldToEnvVar`, `getValueFromKey`, `getKeyFromList`, `secret.getvalue`, `checksumTemplate`
- `secrets.name`, `secrets.key`, `secrets.lookup`, `secrets.exists`, `secrets.passwords.manage`
- `compatibility.isOpenshift`, `compatibility.renderSecurityContext`
- `names.namespace` (new — required by secrets/utils)

Adaptations
- `secrets.passwords.manage` originally depends on Bitnami's `common.validations.*` tree and `common.errors.upgrade.passwords.empty` (full of subchart-specific logic and `bitnami.com` doc links). Those are ported in trimmed, de-Bitnamified form: a generic upgrade-with-empty-password error, no external links, no subchart indirection.
- `errors.insecureImages`, `_warnings.tpl`).

README updated with a section documenting each new helper group + usage examples.

2. Release workflow — automated version bump
`release.yaml` now bumps the chart version in CI instead of relying on a manual `Chart.yaml` edit per PR.
- `main` → `workflow_dispatch` with a `bump` choice input (`patch`/`minor`/`major`, default `minor`).
- `bump` job computes the next SemVer, commits `Bump chart version to X.Y.Z` back to the branch, then the existing OCI release job packages and publishes to `oci://ghcr.io/comet-ml` and cuts the GitHub release.
- `workflow_dispatch` and not push: a push-triggered job that commits a version bump back to `main` would push a `Chart.yaml` change and re-trigger itself in an infinite loop. Manual dispatch avoids that. (This matches `comet-monitoring`, whose push trigger is likewise disabled in favor of dispatch.)
- `helm-oci-release.yaml` gains an optional `ref` input so the package step checks out the post-bump branch HEAD — without it, the reusable workflow's plain checkout would package the pre-bump commit and publish the old version.

Removed: `verify-chart-version.yaml` + `helm-verify-chart-version.yaml`
These workflows ran on every PR touching `Chart.yaml`/`templates/**`/`values*` and failed the PR unless `Chart.yaml` version was strictly greater than the latest release.

That gate made sense under manual versioning, but it directly conflicts with the new automated-bump model: now that the version is bumped by CI at release time, a feature PR's `Chart.yaml` legitimately equals the released version — so the check would block every feature PR and force exactly the manual bump we're trying to eliminate. The PR-time gate is now redundant, so both files are removed.

`Chart.yaml` is left at `0.2.0` (the current release); the first `workflow_dispatch` run will produce `0.3.0`.

Verification
- `helm lint` passes.
- `comet-common` renders every imported helper correctly (e.g. `deployment.apiVersion` → `apps/v1`, `storage.class` → `storageClassName: …`, ingress `backend` string → `name:` / int → `number:`, `fieldToEnvVar` `my-password` → `MY_PASSWORD`, `secrets.passwords.manage` → quoted base64, `renderSecurityContext` passthrough off-OpenShift).

Note for reviewers
The bump job's `git push` to `main` uses the default `GITHUB_TOKEN`. If `main` has branch protection requiring PRs/reviews, that push will be rejected — in which case we'll need a PAT (like `comet-monitoring`'s `GH_PAT_TO_ACCESS_GITHUB_API`) or a protection exception for the actions bot.

🤖 Generated with Claude Code
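
An added example, not part of this PR or the repository's workflow: a POSIX sh sketch of the SemVer computation the description attributes to the bump job, failing closed on anything other than a plain X.Y.Z version and an allow-listed bump kind before a CI job with push rights commits the result. The function names `next_version` and `bump_chart` and the `Chart.yaml` handling are assumptions.

```shell
#!/bin/sh
# Added example (not the PR's workflow code): strict SemVer bump for Chart.yaml.
# Function names and file handling are assumptions made for illustration.

# next_version CURRENT KIND: print the bumped X.Y.Z, or fail without output.
# The body runs in a subshell, so IFS and positional changes do not leak.
next_version() (
  current=$1 kind=$2
  # Digits and dots only: no pre-release tags, quotes, spaces or newlines.
  case "$current" in
    ''|*[!0-9.]*|*.) echo "not plain X.Y.Z: '$current'" >&2; exit 1 ;;
  esac
  IFS=.; set -- $current
  [ "$#" -eq 3 ] || { echo "not plain X.Y.Z: '$current'" >&2; exit 1; }
  for part in "$1" "$2" "$3"; do
    # Reject empty and zero-padded parts; shell arithmetic reads 010 as octal.
    case "$part" in
      0|[1-9]*) ;;
      *) echo "bad component in '$current'" >&2; exit 1 ;;
    esac
  done
  # Allow-list the bump kind instead of trusting the dispatch input.
  case "$kind" in
    major) echo "$(($1 + 1)).0.0" ;;
    minor) echo "$1.$(($2 + 1)).0" ;;
    patch) echo "$1.$2.$(($3 + 1))" ;;
    *) echo "unknown bump kind: '$kind'" >&2; exit 1 ;;
  esac
)

# bump_chart FILE KIND: rewrite the top-level version: line, print the new value.
bump_chart() (
  file=$1 kind=$2
  # Anchoring at column 0 skips the indented version: keys under dependencies.
  current=$(sed -n 's/^version:[[:space:]]*//p' "$file" | tr -d "\"' ")
  new=$(next_version "$current" "$kind") || exit 1
  tmp=$(mktemp "$file.XXXXXX") || exit 1
  # $new is digits and dots only, so it is safe inside the sed expression.
  sed "s/^version:.*/version: $new/" "$file" > "$tmp" && mv "$tmp" "$file" || exit 1
  echo "$new"
)

# Stand-alone use: sh bump.sh Chart.yaml minor
if [ "$#" -eq 2 ]; then bump_chart "$1" "$2"; fi
```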