Conversation
Signed-off-by: Ian Miller <milleryan2003@gmail.com>
Signed-off-by: Ian Miller <milleryan2003@gmail.com>
cwiklik
left a comment
There was a problem hiding this comment.
Review Summary
Well-motivated PR that eliminates a real divergence between main-branch builds (Dockerfile → /manager) and release builds (ko → /ko-app/cmd). Standardizing on Dockerfiles with proper Helm chart defaults fixes the clean helm install failure. The yq-based release packaging (commit 2) is safer than the original sed approach. E2E smoke test on main merges is a good addition. @Bobbins228's feedback has been addressed.
Areas reviewed: CI/GitHub Actions, Helm, Shell, Makefile, Docs, Security
Commits: 2 commits, all signed-off: ✅
CI status: all 14 checks passing ✅ (Build, E2E, Lint, DCO, CodeQL, Trivy, Hadolint, ShellCheck, YAML Lint, Action Pinning)
Highlights
- Smart default strategy:
latest+Alwaysfor dev, release workflow pins to semver +IfNotPresent— both paths consistent now yqwithstrenv()for YAML edits is much safer than sed — good iteration on @Bobbins228's feedback- E2E smoke test (Kind + cert-manager + clean
helm install+ rollout check) is a solid guard for main - Clean removal of ko entrypoint patch workaround from dev scripts
Minor note
Actions use version tags (@v4, @v6) rather than SHA pins. The repo's "Verify Action Pinning" check passes so this follows current policy — just noting that SHA pinning is a stronger supply-chain security practice for the future.
Summary
.goreleaser.yaml) and replace with unifiedrelease.ymlworkflow usingdocker/build-push-actiontag: __PLACEHOLDER__→latest,cmd: /ko-app/cmd→/manager,pullPolicy: IfNotPresent→Alwayskagenti-operatorandagentcard-signerimages via Dockerfiles on all triggers (main merges, tag pushes, manual dispatch)helm install)latesttag to default branch onlyko-local-buildMakefile target, renameKO_DOCKER_REPO→LOCAL_REGISTRYdocs/dev.mdto remove ko referencesWhy
CI had a divergence: main-branch merges built images with Dockerfiles (entrypoint
/manager), while release tags built with GoReleaser + ko (entrypoint/ko-app/cmd). The Helm chart hardcodedcmd: /ko-app/cmdandtag: __PLACEHOLDER__, so a cleanhelm installalways failed — either the tag didn't exist or the entrypoint didn't match.Two separate issues depending on which path you took:
Path 1: Install from source chart (helm install ./charts/kagenti-operator)
Path 2: Install from released chart (helm install oci://ghcr.io/...)
The core issue was: two different build tools producing images with different entrypoints, and a chart that couldn't work with both. I fixed it by standardizing everything on Dockerfiles + /manager.
Verification
helm install kagenti-operator ./charts/kagenti-operatorsucceeded/managermatches between Dockerfile and chart defaultsko-local-build,KO_DOCKER_REPO,/ko-app/cmd, or__PLACEHOLDER__in tracked filesTest plan
kagenti-operator:latestandagentcard-signer:latestexist on GHCR with/managerentrypointRelated issue(s)
[RHAIENG-3716]