From 211ed3818764dbae4b43bd78f3bebbad737318e2 Mon Sep 17 00:00:00 2001 From: Techassi Date: Fri, 10 Apr 2026 10:05:39 +0200 Subject: [PATCH 1/7] ci: Merge registry specific Helm values --- .github/workflows/build.yaml | 2 +- deploy/helm/airflow-operator/.helmignore | 4 ++++ deploy/helm/airflow-operator/values.yaml | 1 - deploy/helm/airflow-operator/values/oci.stackable.tech.yaml | 5 +++++ 4 files changed, 10 insertions(+), 2 deletions(-) create mode 100644 deploy/helm/airflow-operator/values/oci.stackable.tech.yaml diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index 1c735ffb..c38cc128 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -230,7 +230,7 @@ jobs: submodules: recursive - name: Package, Publish, and Sign Helm Chart - uses: stackabletech/actions/publish-helm-chart@9848c5593dff4793aacba240116a648c02f20fa4 # v0.13.1 + uses: stackabletech/actions/publish-helm-chart@38cb337cac05e42a76946963e78ab48bbbfa36a0 # unreleased with: chart-registry-uri: oci.stackable.tech chart-registry-username: robot$sdp-charts+github-action-build diff --git a/deploy/helm/airflow-operator/.helmignore b/deploy/helm/airflow-operator/.helmignore index fef44b7e..0f7e0c9a 100644 --- a/deploy/helm/airflow-operator/.helmignore +++ b/deploy/helm/airflow-operator/.helmignore @@ -6,6 +6,8 @@ # Patterns to ignore when building packages. # This supports shell glob matching, relative path matching, and # negation (prefixed with !). Only one pattern per line. +# Ignore the file itself +.helmignore .DS_Store # Common VCS dirs .git/ @@ -26,3 +28,5 @@ .idea/ *.tmproj .vscode/ +# Partial, unmerged, registry specific values files +values/ diff --git a/deploy/helm/airflow-operator/values.yaml b/deploy/helm/airflow-operator/values.yaml index 89b8a10d..194b3a73 100644 --- a/deploy/helm/airflow-operator/values.yaml +++ b/deploy/helm/airflow-operator/values.yaml 
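Review bot: The `publish-helm-chart` step in the `@@ -230,7 +230,7 @@` hunk is now pinned to `38cb337cac05e42a76946963e78ab48bbbfa36a0`, which the trailing comment labels `# unreleased`, so nothing on the line ties the SHA to a tag a reviewer can check. A full-length SHA pin is the right form, but GitHub resolves a SHA from anywhere in a repository's fork network. Confirm the commit is reachable from the default branch of `stackabletech/actions`, and move to a tagged release before this job runs with the chart registry credentials. PATCH 7/7 repeats the pattern for every `stackabletech/actions/*` step with `b4f7b1301d2e46e623cd04a22994a327470d4743 # unreleased`, and the same check applies there. The job body continues outside the hunk.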
@@ -1,7 +1,6 @@ # Default values for airflow-operator. --- image: - repository: oci.stackable.tech/sdp/airflow-operator pullPolicy: IfNotPresent pullSecrets: [] diff --git a/deploy/helm/airflow-operator/values/oci.stackable.tech.yaml b/deploy/helm/airflow-operator/values/oci.stackable.tech.yaml new file mode 100644 index 00000000..06f5dd12 --- /dev/null +++ b/deploy/helm/airflow-operator/values/oci.stackable.tech.yaml @@ -0,0 +1,5 @@ +--- +# Values overlay for chart packages published to oci.stackable.tech. +image: + registry: oci.stackable.tech + repository: sdp/airflow-operator From bb3ff8d8f242192e14ecf970515243bfb7b7887e Mon Sep 17 00:00:00 2001 From: Techassi Date: Fri, 10 Apr 2026 11:25:35 +0200 Subject: [PATCH 2/7] chore(helm): Add operator.image template helper --- deploy/helm/airflow-operator/templates/_helpers.tpl | 7 +++++++ deploy/helm/airflow-operator/templates/deployment.yaml | 4 ++-- 2 files changed, 9 insertions(+), 2 deletions(-) diff --git a/deploy/helm/airflow-operator/templates/_helpers.tpl b/deploy/helm/airflow-operator/templates/_helpers.tpl index 1096ffc6..80f2848b 100644 --- a/deploy/helm/airflow-operator/templates/_helpers.tpl +++ b/deploy/helm/airflow-operator/templates/_helpers.tpl @@ -77,3 +77,10 @@ Labels for Kubernetes objects created by helm test {{- define "operator.testLabels" -}} helm.sh/test: {{ include "operator.chart" . }} {{- end }} + +{{/* +Build the full container image reference. +*/}} +{{- define "operator.image" -}} +{{- printf "%s/%s:%s" .Values.image.registry .Values.image.repository (.Values.image.tag | default .Chart.AppVersion) -}} +{{- end }} diff --git a/deploy/helm/airflow-operator/templates/deployment.yaml b/deploy/helm/airflow-operator/templates/deployment.yaml index 0f4d902e..39e01667 100644 --- a/deploy/helm/airflow-operator/templates/deployment.yaml +++ b/deploy/helm/airflow-operator/templates/deployment.yaml 
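Review bot: `operator.image` in the `_helpers.tpl` hunk formats `.Values.image.registry` and `.Values.image.repository` without checking that either is set. This series removes `image.repository` from the default `values.yaml` and defines `image.registry` only in the `values/` overlays. If the chart is rendered without an overlay merged in, `printf` would presumably emit `%!s(<nil>)` placeholders, and the Deployment would carry an unusable image reference instead of failing at render time. Wrapping both arguments in `required`, e.g. `(required "image.registry must be set" .Values.image.registry)`, turns the missing overlay into an explicit render error.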
@@ -15,7 +15,7 @@ spec: template: metadata: annotations: - internal.stackable.tech/image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" + internal.stackable.tech/image: {{ include "operator.image" . }} checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} {{- with .Values.podAnnotations }} {{- toYaml . | nindent 8 }} @@ -37,7 +37,7 @@ spec: - name: {{ include "operator.appname" . }} securityContext: {{- toYaml .Values.securityContext | nindent 12 }} - image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" + image: {{ include "operator.image" . }} imagePullPolicy: {{ .Values.image.pullPolicy }} resources: {{- toYaml .Values.resources | nindent 12 }} From 6c2685daf9d9a0fa41417ad22ef18671c9f4298b Mon Sep 17 00:00:00 2001 From: Techassi Date: Fri, 10 Apr 2026 11:28:50 +0200 Subject: [PATCH 3/7] feat(helm): Set image registry and repository env vars on Deployment --- Tiltfile | 20 +++++++++++-------- .../templates/deployment.yaml | 9 +++++++++ 2 files changed, 21 insertions(+), 8 deletions(-) diff --git a/Tiltfile b/Tiltfile index 53c3a8e4..d3ff819f 100644 --- a/Tiltfile +++ b/Tiltfile 
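Review bot: Both `deployment.yaml` hunks drop the double quotes that previously wrapped the image reference, so `internal.stackable.tech/image:` and `image:` now receive a bare template expansion. The rendered text is parsed as YAML only after templating and annotation values must be strings, so keep the quoting: `image: {{ include "operator.image" . | quote }}`, and the same for the annotation. The `IMAGE_REGISTRY_URI` and `IMAGE_REPOSITORY` `value:` lines added to this file in PATCH 3/7 are unquoted in the same way and should get `| quote` too.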
@@ -1,16 +1,18 @@ -# If tilt_options.json exists read it and load the default_registry value from it +# Load the metadata first, so that we immediately get access to the operator name +meta = read_json('nix/meta.json') +operator_name = meta['operator']['name'] + +# If tilt_options.json exists read it and load the default_registry and default_repository value from it settings = read_json('tilt_options.json', default={}) -registry = settings.get('default_registry', 'oci.stackable.tech/sandbox') +registry = settings.get('default_registry', 'oci.stackable.tech') +repository = settings.get('default_repository', 'sandbox' + '/' + operator_name) # Configure default registry either read from config file above, or with default value of "oci.stackable.tech/sandbox" default_registry(registry) -meta = read_json('nix/meta.json') -operator_name = meta['operator']['name'] - custom_build( - registry + '/' + operator_name, - 'make regenerate-nix && nix-build . -A docker --argstr dockerName "${EXPECTED_REGISTRY}/' + operator_name + '" && ./result/load-image | docker load', + registry + '/' + repository, + 'make regenerate-nix && nix-build . -A docker --argstr dockerName "${EXPECTED_REGISTRY}/' + repository + '" && ./result/load-image | docker load', deps=['rust', 'Cargo.toml', 'Cargo.lock', 'default.nix', "nix", 'build.rs', 'vendor'], ignore=['*.~undo-tree~'], # ignore=['result*', 'Cargo.nix', 'target', *.yaml], 
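Review bot: The comment kept above `default_registry(registry)` still says the default value is "oci.stackable.tech/sandbox". The default is now `'oci.stackable.tech'`, and the `sandbox/<operator name>` part has moved into `repository`. Update it to something like `# Configure the default registry, read from tilt_options.json or defaulting to "oci.stackable.tech"`, so a reader is not misled about where local builds are tagged. The `custom_build(...)` call continues outside the hunk.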
@@ -28,13 +30,15 @@ k8s_kind('DaemonSet', image_json_path='{.spec.template.metadata.annotations.inte # supported by helm(set). helm_values = settings.get('helm_values', None) -helm_override_image_repository = 'image.repository=' + registry + '/' + operator_name +helm_override_image_registry = 'image.registry=' + registry +helm_override_image_repository = 'image.repository=' + repository k8s_yaml(helm( 'deploy/helm/' + operator_name, name=operator_name, namespace="stackable-operators", set=[ + helm_override_image_registry, helm_override_image_repository, ], values=helm_values, diff --git a/deploy/helm/airflow-operator/templates/deployment.yaml b/deploy/helm/airflow-operator/templates/deployment.yaml index 39e01667..5d42cffc 100644 --- a/deploy/helm/airflow-operator/templates/deployment.yaml +++ b/deploy/helm/airflow-operator/templates/deployment.yaml @@ -70,6 +70,15 @@ spec: - name: OPERATOR_SERVICE_NAME value: {{ include "operator.fullname" . }} + # The URI of the image registry, like "oci.stackable.tech". Used to derive product image + # name. + - name: IMAGE_REGISTRY_URI + value: {{ .Values.image.registry }} + + # The image repository, like "sdp/airflow-operator" + - name: IMAGE_REPOSITORY + value: {{ .Values.image.repository }} + # Operators need to know the node name they are running on, to e.g. discover the # Kubernetes domain name from the kubelet API. - name: KUBERNETES_NODE_NAME From afff8c9e380b7bc3639beab6b8e172032d5e4a93 Mon Sep 17 00:00:00 2001 From: Techassi Date: Fri, 10 Apr 2026 11:29:25 +0200 Subject: [PATCH 4/7] chore(helm): Add helm-install command to Makefile --- Makefile | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/Makefile b/Makefile index 32f2bcad..6a0a9ff3 100644 --- a/Makefile +++ b/Makefile 
@@ -76,3 +76,9 @@ run-dev: check-nix check-kubernetes stop-dev: check-nix check-kubernetes nix run --extra-experimental-features "nix-command flakes" -f. tilt -- down + +helm-install: + helm install \ + --values deploy/helm/airflow-operator/values.yaml \ + --values deploy/helm/airflow-operator/values/$(OCI_REGISTRY_HOSTNAME).yaml \ + airflow-operator deploy/helm/airflow-operator From 115294487dca50f3bb8a6663c6baf7e2d6417bdc Mon Sep 17 00:00:00 2001 From: Techassi Date: Fri, 10 Apr 2026 12:51:46 +0200 Subject: [PATCH 5/7] ci: Also publish to quay.io --- .github/workflows/build.yaml | 46 ++++++++++++++++++++++++++++++++---- 1 file changed, 42 insertions(+), 4 deletions(-) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index c38cc128..3d07c43a 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -173,7 +173,7 @@ jobs: build-arguments: VERSION=${{ steps.version.outputs.OPERATOR_VERSION }} container-file: docker/Dockerfile - - name: Publish Container Image + - name: Publish Container Image (oci.stackable.tech) if: ${{ !github.event.pull_request.head.repo.fork }} uses: stackabletech/actions/publish-image@9848c5593dff4793aacba240116a648c02f20fa4 # v0.13.1 with: 
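Review bot: `helm-install` expands `$(OCI_REGISTRY_HOSTNAME)` into the overlay path, and the hunk does not show that variable being defined. If it is unset, the second `--values` argument becomes `deploy/helm/airflow-operator/values/.yaml` and the install fails with a file error that hides the real cause. Give it a default near the top of the Makefile, `OCI_REGISTRY_HOSTNAME ?= oci.stackable.tech`, or fail early with a clear message. The variable also selects which registry the operator image is pulled from, so a one-line comment on the target saying so would help.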
@@ -184,6 +184,17 @@ jobs: image-manifest-tag: ${{ steps.build.outputs.image-manifest-tag }} source-image-uri: ${{ steps.build.outputs.image-manifest-uri }} + - name: Publish Container Image (quay.io) + if: ${{ !github.event.pull_request.head.repo.fork }} + uses: stackabletech/actions/publish-image@9848c5593dff4793aacba240116a648c02f20fa4 # v0.13.1 + with: + image-registry-uri: quay.io + image-registry-username: stackable+robot_sdp_test_github_action_build + image-registry-password: ${{ secrets.QUAY_ROBOT_SDP_TEST_GITHUB_ACTION_BUILD_SECRET }} + image-repository: stackable/sdp-test/${{ env.OPERATOR_NAME }} + image-manifest-tag: ${{ steps.build.outputs.image-manifest-tag }} + source-image-uri: ${{ steps.build.outputs.image-manifest-uri }} + publish-index-manifest: name: Publish/Sign ${{ needs.build-container-image.outputs.operator-version }} Index if: | @@ -202,7 +213,7 @@ jobs: with: persist-credentials: false - - name: Publish and Sign Image Index + - name: Publish and Sign Image Index (oci.stackable.tech) uses: stackabletech/actions/publish-image-index-manifest@9848c5593dff4793aacba240116a648c02f20fa4 # v0.13.1 with: image-registry-uri: oci.stackable.tech @@ -211,6 +222,15 @@ jobs: image-repository: sdp/${{ env.OPERATOR_NAME }} image-index-manifest-tag: ${{ needs.build-container-image.outputs.operator-version }} + - name: Publish and Sign Image Index (quay.io) + uses: stackabletech/actions/publish-image-index-manifest@9848c5593dff4793aacba240116a648c02f20fa4 # v0.13.1 + with: + image-registry-uri: quay.io + image-registry-username: stackable+robot_sdp_test_github_action_build + image-registry-password: ${{ secrets.QUAY_ROBOT_SDP_TEST_GITHUB_ACTION_BUILD_SECRET }} + image-repository: stackable/sdp-test/${{ env.OPERATOR_NAME }} + image-index-manifest-tag: ${{ needs.build-container-image.outputs.operator-version }} + publish-helm-chart: name: Package/Publish ${{ needs.build-container-image.outputs.operator-version }} Helm Chart if: | 
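Review bot: The quay.io push added in the `@@ -184,6 +184,17 @@` hunk runs as a second step in the same job as the oci.stackable.tech push. A quay.io failure (an outage or an expired robot token) therefore fails the job after the first registry has already received the image. From the visible lines, the index-manifest job consumes `needs.build-container-image` outputs and, per its step names, also does the signing. The already-pushed image would then presumably be left without an index or signature. Consider splitting the publish and sign chain per registry, for example a matrix over the registry, so each registry succeeds or fails on its own. The job definitions continue outside the hunks.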
@@ -229,7 +249,7 @@ jobs: persist-credentials: false submodules: recursive - - name: Package, Publish, and Sign Helm Chart + - name: Package, Publish, and Sign Helm Chart (oci.stackable.tech) uses: stackabletech/actions/publish-helm-chart@38cb337cac05e42a76946963e78ab48bbbfa36a0 # unreleased with: chart-registry-uri: oci.stackable.tech @@ -241,6 +261,18 @@ jobs: app-version: ${{ needs.build-container-image.outputs.operator-version }} publish-and-sign: ${{ !github.event.pull_request.head.repo.fork }} + - name: Package, Publish, and Sign Helm Chart (quay.io) + uses: stackabletech/actions/publish-helm-chart@38cb337cac05e42a76946963e78ab48bbbfa36a0 # unreleased + with: + chart-registry-uri: quay.io + chart-registry-username: stackable+robot_sdp_charts_test_github_action_build + chart-registry-password: ${{ secrets.QUAY_ROBOT_SDP_CHARTS_TEST_GITHUB_ACTION_BUILD_SECRET }} + chart-repository: stackable/sdp-charts-test + chart-directory: deploy/helm/${{ env.OPERATOR_NAME }} + chart-version: ${{ needs.build-container-image.outputs.operator-version }} + app-version: ${{ needs.build-container-image.outputs.operator-version }} + publish-and-sign: ${{ !github.event.pull_request.head.repo.fork }} + openshift-preflight-check: name: Run OpenShift Preflight Check for ${{ needs.build-container-image.outputs.operator-version }}-${{ matrix.arch }} if: | 
@@ -259,12 +291,18 @@ jobs: - arm64 runs-on: ubuntu-latest steps: - - name: Run OpenShift Preflight Check + - name: Run OpenShift Preflight Check (oci.stackable.tech) uses: stackabletech/actions/run-openshift-preflight@9848c5593dff4793aacba240116a648c02f20fa4 # v0.13.1 with: image-index-uri: oci.stackable.tech/sdp/${{ env.OPERATOR_NAME }}:${{ needs.build-container-image.outputs.operator-version }} image-architecture: ${{ matrix.arch }} + - name: Run OpenShift Preflight Check (quay.io) + uses: stackabletech/actions/run-openshift-preflight@9848c5593dff4793aacba240116a648c02f20fa4 # v0.13.1 + with: + image-index-uri: quay.io/stackable/sdp-test/${{ env.OPERATOR_NAME }}:${{ needs.build-container-image.outputs.operator-version }} + image-architecture: ${{ matrix.arch }} + # This job is a required check in GitHub Settings for this repository. # It saves us having to list many required jobs, or work around dynamically # named jobs (since there is no concept of required settings). From 2a9b0253e0efbf6c079a48d1a5dabd7452feeef0 Mon Sep 17 00:00:00 2001 From: Techassi Date: Fri, 10 Apr 2026 12:52:45 +0200 Subject: [PATCH 6/7] chore(helm): Add quay.io specific values file --- deploy/helm/airflow-operator/values/quay.io.yaml | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 deploy/helm/airflow-operator/values/quay.io.yaml diff --git a/deploy/helm/airflow-operator/values/quay.io.yaml b/deploy/helm/airflow-operator/values/quay.io.yaml new file mode 100644 index 00000000..2288c22f --- /dev/null +++ b/deploy/helm/airflow-operator/values/quay.io.yaml @@ -0,0 +1,5 @@ +--- +# Values overlay for chart packages published to quay.io. +image: + registry: quay.io + repository: stackable/sdp-test/airflow-operator From 0ae63ae12bbda2d4468ca5500946a01c71a62530 Mon Sep 17 00:00:00 2001 
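Review bot: `repository: stackable/sdp-test/airflow-operator` in the new `values/quay.io.yaml` duplicates the `image-repository: stackable/sdp-test/${{ env.OPERATOR_NAME }}` string from the workflow steps in PATCH 5/7, and nothing ties the two together. If the CI target later moves off the `sdp-test` namespace, which reads like a test location, the chart published to quay.io would keep pointing installs at the old repository. Add a comment in the overlay naming what it must match, e.g. `# Must match image-repository of the quay.io publish steps in .github/workflows/build.yaml`. Also confirm the namespace before a release is cut from this workflow.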
From: Techassi Date: Fri, 10 Apr 2026 15:11:59 +0200 Subject: [PATCH 7/7] ci: Use newer action versions --- .github/workflows/build.yaml | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index 3d07c43a..53250d29 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -48,7 +48,7 @@ jobs: - name: Check for changed files id: check - uses: stackabletech/actions/detect-changes@9848c5593dff4793aacba240116a648c02f20fa4 # v0.13.1 + uses: stackabletech/actions/detect-changes@b4f7b1301d2e46e623cd04a22994a327470d4743 # unreleased with: patterns: | - '.github/workflows/build.yaml' @@ -166,7 +166,7 @@ jobs: - name: Build Container Image id: build - uses: stackabletech/actions/build-container-image@9848c5593dff4793aacba240116a648c02f20fa4 # v0.13.1 + uses: stackabletech/actions/build-container-image@b4f7b1301d2e46e623cd04a22994a327470d4743 # unreleased with: image-name: ${{ env.OPERATOR_NAME }} image-index-manifest-tag: ${{ steps.version.outputs.OPERATOR_VERSION }} @@ -175,7 +175,7 @@ jobs: - name: Publish Container Image (oci.stackable.tech) if: ${{ !github.event.pull_request.head.repo.fork }} - uses: stackabletech/actions/publish-image@9848c5593dff4793aacba240116a648c02f20fa4 # v0.13.1 + uses: stackabletech/actions/publish-image@b4f7b1301d2e46e623cd04a22994a327470d4743 # unreleased with: image-registry-uri: oci.stackable.tech image-registry-username: robot$sdp+github-action-build @@ -186,7 +186,7 @@ jobs: - name: Publish Container Image (quay.io) if: ${{ !github.event.pull_request.head.repo.fork }} - uses: stackabletech/actions/publish-image@9848c5593dff4793aacba240116a648c02f20fa4 # v0.13.1 + uses: stackabletech/actions/publish-image@b4f7b1301d2e46e623cd04a22994a327470d4743 # unreleased with: image-registry-uri: quay.io image-registry-username: stackable+robot_sdp_test_github_action_build 
@@ -214,7 +214,7 @@ jobs: persist-credentials: false - name: Publish and Sign Image Index (oci.stackable.tech) - uses: stackabletech/actions/publish-image-index-manifest@9848c5593dff4793aacba240116a648c02f20fa4 # v0.13.1 + uses: stackabletech/actions/publish-image-index-manifest@b4f7b1301d2e46e623cd04a22994a327470d4743 # unreleased with: image-registry-uri: oci.stackable.tech image-registry-username: robot$sdp+github-action-build @@ -223,7 +223,7 @@ jobs: image-index-manifest-tag: ${{ needs.build-container-image.outputs.operator-version }} - name: Publish and Sign Image Index (quay.io) - uses: stackabletech/actions/publish-image-index-manifest@9848c5593dff4793aacba240116a648c02f20fa4 # v0.13.1 + uses: stackabletech/actions/publish-image-index-manifest@b4f7b1301d2e46e623cd04a22994a327470d4743 # unreleased with: image-registry-uri: quay.io image-registry-username: stackable+robot_sdp_test_github_action_build @@ -250,7 +250,7 @@ jobs: submodules: recursive - name: Package, Publish, and Sign Helm Chart (oci.stackable.tech) - uses: stackabletech/actions/publish-helm-chart@38cb337cac05e42a76946963e78ab48bbbfa36a0 # unreleased + uses: stackabletech/actions/publish-helm-chart@b4f7b1301d2e46e623cd04a22994a327470d4743 # unreleased with: chart-registry-uri: oci.stackable.tech chart-registry-username: robot$sdp-charts+github-action-build @@ -262,7 +262,7 @@ jobs: publish-and-sign: ${{ !github.event.pull_request.head.repo.fork }} - name: Package, Publish, and Sign Helm Chart (quay.io) - uses: stackabletech/actions/publish-helm-chart@38cb337cac05e42a76946963e78ab48bbbfa36a0 # unreleased + uses: stackabletech/actions/publish-helm-chart@b4f7b1301d2e46e623cd04a22994a327470d4743 # unreleased with: chart-registry-uri: quay.io chart-registry-username: stackable+robot_sdp_charts_test_github_action_build 
@@ -292,13 +292,13 @@ jobs: runs-on: ubuntu-latest steps: - name: Run OpenShift Preflight Check (oci.stackable.tech) - uses: stackabletech/actions/run-openshift-preflight@9848c5593dff4793aacba240116a648c02f20fa4 # v0.13.1 + uses: stackabletech/actions/run-openshift-preflight@b4f7b1301d2e46e623cd04a22994a327470d4743 # unreleased with: image-index-uri: oci.stackable.tech/sdp/${{ env.OPERATOR_NAME }}:${{ needs.build-container-image.outputs.operator-version }} image-architecture: ${{ matrix.arch }} - name: Run OpenShift Preflight Check (quay.io) - uses: stackabletech/actions/run-openshift-preflight@9848c5593dff4793aacba240116a648c02f20fa4 # v0.13.1 + uses: stackabletech/actions/run-openshift-preflight@b4f7b1301d2e46e623cd04a22994a327470d4743 # unreleased with: image-index-uri: quay.io/stackable/sdp-test/${{ env.OPERATOR_NAME }}:${{ needs.build-container-image.outputs.operator-version }} image-architecture: ${{ matrix.arch }} @@ -338,7 +338,7 @@ jobs: persist-credentials: false - name: Send Notification - uses: stackabletech/actions/send-slack-notification@9848c5593dff4793aacba240116a648c02f20fa4 # v0.13.1 + uses: stackabletech/actions/send-slack-notification@b4f7b1301d2e46e623cd04a22994a327470d4743 # unreleased with: publish-helm-chart-result: ${{ needs.publish-helm-chart.result }} publish-manifests-result: ${{ needs.publish-index-manifest.result }}