docs: add docs around versioning, and bump versions

Author: lockwobr

.gitlab-ci.yml

@@ -228,3 +228,65 @@ create-agent-json:
   artifacts:
     paths:
       - artifacts.json
+
+create-chart-json:
+  rules:
+    - if: '$CI_COMMIT_TAG =~ /^chart\/v\d+\.\d+\.\d+$/'
+  needs: 
+    - job: bootstrap
+      artifacts: true
+  script:
+    - |
+      cat > artifacts.json << EOF
+      {
+        "skyhook": {
+          "source": {
+            "org": "${NGC_PRIVATE_ORG}",
+            "team": "skyhook"
+          },
+          "target": {
+            "org": "nvidia",
+            "team": "skyhook"
+          },
+          "artifacts": [
+            {
+              "name": "chart",
+              "version": "${CI_COMMIT_TAG#chart/}",
+              "type": "chart"
+            }
+          ],
+          "nspect_id": "${OPERATOR_NSPECT_ID}"
+        }
+      }
+      EOF
+  artifacts:
+    paths:
+      - artifacts.json
+
+publish-chart:
+  stage: deploy
+  rules: 
+    ## on commit to main publish a chart to our dev registry
+    - if: $CI_COMMIT_REF_NAME == $CI_DEFAULT_BRANCH
+      needs: [bootstrap]
+      variables:
+        ENV: dev
+        VERSION: $CI_COMMIT_SHORT_SHA
+        REGISTRY: swgpu-baseos
+        URL: helm.ngc.nvidia.com/nvidian/swgpu-baseos
+    ## on tag publish a chart to the prod staging registry
+    - if: '$CI_COMMIT_TAG =~ /^chart\/v\d+\.\d+\.\d+$/'
+      needs: [bootstrap]
+      variables:
+        ENV: prod
+        REGISTRY: staging
+        URL: helm.ngc.nvidia.com/staging
+  variables:
+    USERNAME: "$$oauthtoken"
+    PASSWORD: ${NVCR_REGISTRY_PASSWORD}
+    ARGS: ""
+  script:
+    - if [ "${ENV}" == "dev" ]; then ARGS="--version $(date +%Y.%m.%d)-${CI_COMMIT_SHORT_SHA}"; fi
+    - /workspace/bin/helm repo add ${REGISTRY} https://${URL} --username="${USERNAME}" --password=${PASSWORD}
+    - /workspace/bin/helm package chart ${ARGS}
+    - /workspace/bin/helm cm-push $(ls skyhook-operator-*.tgz) ${REGISTRY}

README.md

@@ -125,6 +125,8 @@ The stages are applied in this order:
 **Semantic versioning is strictly enforced in the operator** in order to support upgrade and uninstall. Semantic versioning allows the 
 operator to know which way the package is going while also enforcing best versioning practices.
 
+**For detailed information about our versioning strategy, git tagging conventions, and component release process, see [docs/versioning.md](docs/versioning.md) and [docs/release-process.md](docs/release-process.md).**
+
 ## Packages
 Part of how the operator works is the [skyhook-agent](agent/README.md). Packages have to be created in way so the operator knows how to use them. This is where the agent comes into play, more on that later. A package is a container that meets these requirements:
 

chart/Chart.yaml

@@ -13,11 +13,11 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.7.0
+version: v0.8.0
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "0.7.0"
+appVersion: v0.8.0
 ## TODO: not sure how we want to manage this version
 #kubeVersion: ">=1.28.0"

chart/README.md

@@ -28,6 +28,10 @@ Settings | Description | Default |
 | controllerManager.manager.env.logLevel | Log level for the operator controller. If you want more or less logs, change this value to "debug" or "error". | "info" |
 | controllerManager.manager.env.reapplyOnReboot | Reapply the packages on reboot. This is useful for systems that are read-only. | "false" |
 | controllerManager.manager.env.runtimeRequiredTaint | This feature assumes nodes are added to the cluster with `--register-with-taints` kubelet flag. This taint is assume to be all new nodes, and skyhook pods will tolerate this taint, and remove it one the nodes packages are complete. | skyhook.nvidia.com=runtime-required:NoSchedule | 
+| controllerManager.manager.image.repository | Where to get the image from | "ghcr.io/nvidia/skyhook/operator" |
+| controllerManager.manager.image.tag | what version of the operator to run | defaults to appVersion |
+| controllerManager.manager.agent.repository | Where to get the image from | "ghcr.io/nvidia/skyhook/agent" |
+| controllerManager.manager.agent.tag | what version of the agent to run | defaults to the current latest, but is not latest example v6.1.5 |
 | imagePullSecret | the secret used to pull the operator controller image, agent image, and package images. | node-init-secret |
 | estimatedPackageCount | estimated number of packages to be installed on the cluster, this is used to calculate the resources for the operator controller. | 1 |
 | estimatedNodeCount | estimated number of nodes in the cluster, this is used to calculate the resources for the operator controller | 1 |
@@ -38,4 +42,12 @@ Settings | Description | Default |
 - **CRD**: This project currently has one CRD and its not managed the ["recommended" way](https://helm.sh/docs/chart_best_practices/custom_resource_definitions/). Its part of the templates. Meaning it will be updated with the `helm upgrade`. We decided it was better do it this way for this project. Doing it either way has consequences and this route has worked well for upgrades so far our deployments.
 
 ### Resource Management
-Skyhook uses Kubernetes LimitRange to set default CPU/memory requests/limits for all containers in the namespace. You can override these per-package in your Skyhook CR. Strict validation is enforced. See [../docs/resource_management.md](../docs/resource_management.md) for details and examples.
+Skyhook uses Kubernetes LimitRange to set default CPU/memory requests/limits for all containers in the namespace. You can override these per-package in your Skyhook CR. Strict validation is enforced. See [../docs/resource_management.md](../docs/resource_management.md) for details and examples.
+
+## Versioning
+
+This Helm chart follows independent versioning from the operator and agent components. The chart's `appVersion` field specifies the recommended stable operator version that provides a good default for installations. See [../docs/versioning.md](../docs/versioning.md) for more details on versioning.
+
+### Chart Version vs App Version
+- **Chart version** (`version` in Chart.yaml): Tracks changes to chart templates, values, and configuration (NOTE: agent version in set in the values.)
+- **App version** (`appVersion` in Chart.yaml): Recommended stable operator version for this chart release

chart/templates/deployment.yaml

@@ -76,11 +76,10 @@ spec:
         - name: PAUSE_IMAGE
           value: {{ quote .Values.controllerManager.manager.env.pauseImage }}
         - name: AGENT_IMAGE
-          value: {{ quote .Values.controllerManager.manager.env.agentImage }}
+          value: {{ .Values.controllerManager.manager.agent.repository }}:{{ .Values.controllerManager.manager.agent.tag}}
         - name: KUBERNETES_CLUSTER_DOMAIN
           value: {{ quote .Values.kubernetesClusterDomain }}
-        image: {{ .Values.controllerManager.manager.image.repository }}:{{ .Values.controllerManager.manager.image.tag
-          | default .Chart.AppVersion }}
+        image: {{ .Values.controllerManager.manager.image.repository }}:{{ .Values.controllerManager.manager.image.tag | default .Chart.AppVersion }}
         livenessProbe:
           httpGet:
             path: /healthz

chart/values.yaml

@@ -60,11 +60,14 @@ controllerManager:
       runtimeRequiredTaint: skyhook.nvidia.com=runtime-required:NoSchedule
       ## puaseImage: is the image used for the pause container in the operator controller.
       pauseImage: registry.k8s.io/pause:3.10
-      ## agentImage: is the image used for the agent container. This image is the default for this install, but can be overridden in the CR at package level.
-      agentImage: ghcr.io/nvidia/skyhook/agent:latest
     image:
       repository: ghcr.io/nvidia/skyhook/operator
-      tag: latest
+      tag: "" ## if omitted, default to the chart appVersion
+    ## agentImage: is the image used for the agent container. This image is the default for this install, but can be overridden in the CR at package level.
+    agent:
+      repository: ghcr.io/nvidia/skyhook/agent
+      tag: "v6.1.5"
+
     # resources: If this is defined it will override the default calculation for resources
     # from estimatedNodeCount and estimatedPackageCount. The below values are
     # what will be calculated until nodes > 1000 and packages 1-2 or nodes > 500 and packages >= 4

docs/release-process.md

@@ -0,0 +1,89 @@
+# Skyhook Release Process
+
+Step-by-step process for releasing Skyhook components (operator, agent, chart).
+
+## Release Workflow
+
+### Operator Release
+
+```bash
+# 1. Test thoroughly, merge all PRs to main
+# 2. Tag and push
+git checkout main && git pull origin main
+git tag operator/v1.2.3
+git push origin operator/v1.2.3
+```
+
+**Automated:** Tests → Multi-platform build → Publish to ghcr.io + nvcr.io → Attestations
+
+### Agent Release
+
+```bash
+# 1. Test agent compatibility, merge all PRs to main  
+# 2. Tag and push
+git checkout main && git pull origin main
+git tag agent/v1.2.3
+git push origin agent/v1.2.3
+```
+
+**Automated:** Tests → Multi-platform build → Publish to ghcr.io + nvcr.io
+
+### Chart Release
+
+```bash
+# 1. Update Chart.yaml versions
+# chart/Chart.yaml
+version: v1.2.3        # Chart version
+appVersion: v0.8.0     # Recommended operator version
+
+# 2. Create PR and merge
+git checkout -b release/chart-v1.2.3
+git add chart/Chart.yaml
+git commit -m "chart: bump version to v1.2.3"
+git push origin release/chart-v1.2.3
+# Review and merge PR
+
+# 3. Tag after merge
+git checkout main && git pull origin main
+git tag chart/v1.2.3
+git push origin chart/v1.2.3
+```
+
+**Automated:** Package Helm chart → Publish to chart repository (when implemented)
+
+## Release Checklist
+
+**Before tagging:**
+- [ ] All PRs merged to main
+- [ ] For charts: Chart.yaml updated and merged
+- [ ] Tests passing
+- [ ] Documentation updated
+
+**After tagging:**
+- [ ] CI/CD pipeline completes
+- [ ] Images published successfully
+- [ ] Test deployment with new version
+
+## Common Commands
+
+```bash
+# Check current tags
+git tag -l 'operator/v*' --sort=-v:refname | head -5
+git tag -l 'agent/v*' --sort=-v:refname | head -5  
+git tag -l 'chart/v*' --sort=-v:refname | head -5
+
+# See what will be included in tag
+git log --oneline $(git tag -l 'operator/v*' --sort=-v:refname | head -1)..HEAD
+
+# Delete tag if needed (before CI runs)
+git tag -d operator/v1.2.3
+git push origin :refs/tags/operator/v1.2.3
+```
+
+## Rollback
+
+For problematic releases:
+1. Tag new patch release with fixes
+2. For critical issues: Update chart `appVersion` to previous stable version
+
+See [versioning.md](versioning.md) for version strategy details. 

docs/versioning.md

@@ -0,0 +1,74 @@
+# Skyhook Versioning Strategy
+
+Skyhook uses independent versioning for three components, all following [Semantic Versioning](https://semver.org/):
+
+1. **Operator** - Kubernetes operator that manages Skyhook resources
+2. **Agent** - Container that executes package operations on nodes  
+3. **Chart** - Helm chart for deploying the operator
+   1. NOTE: the versioning of the chat also includes versioning of the expected agent version. 
+   2. NOTE: If changing either the operator or agent this will generally include a chart release too.
+
+## Git Tagging Convention
+
+```bash
+operator/v{version}    # Operator releases
+agent/v{version}       # Agent releases  
+chart/v{version}       # Chart releases
+```
+
+## Component Versioning
+
+### Operator & Agent
+- **Independent versioning** with their own release cycles
+- **Semantic versioning**: MAJOR.MINOR.PATCH
+- **Compatibility**: Maintained through well-defined interfaces
+
+### Helm Chart  
+- **Independent from operator/agent** (starting at v0.8.0 these will start to diverge in version number)
+- **Chart version** (`version`): Tracks chart template/config changes
+- **App version** (`appVersion`): Recommended stable operator version
+
+## Chart Behavior
+
+### Chart.yaml
+example:
+```yaml
+version: v1.0.0        # Chart version (independent)
+appVersion: v0.7.0   # Recommended operator version
+```
+
+### Image Tag Defaults
+```yaml
+# values.yaml
+image:
+  tag: ""  # Empty = defaults to Chart.AppVersion
+
+# Template renders as:
+image: "ghcr.io/nvidia/skyhook/operator:0.7.0"
+```
+
+## Quick Reference
+
+```bash
+# Check deployed versions
+kubectl get deployment -n skyhook -o jsonpath='{.items[0].spec.template.spec.containers[0].image}'
+helm list -n skyhook
+
+# Override operator version
+helm install skyhook ./chart --set controllerManager.manager.image.tag="0.8.0"
+```
+
+## Release Process
+
+For step-by-step instructions on how to release components, see [release-process.md](release-process.md).
+
+**CI/CD triggers on git tags:**
+- `operator/vx.y.z` → publishes operator image
+- `agent/vx.y.z` → publishes agent image  
+- `chart/vx.y.z` → publishes helm chart
+
+**Chart versioning:**
+- **PATCH**: Bug fixes, docs
+- **MINOR**: New features, config options  
+- **MAJOR**: Breaking changes to chart, or compatibility with agent or operator.
+