Guidance for working with updatecli pipelines in this repository. For general Helm chart work, see CLAUDE.md and AGENTS.md.
Updatecli automates Docker image tag updates across Helm chart values files. It watches quay.io/stackstate/* images for new release tags and writes the latest tag into the appropriate values.yaml keys.
updatecli/
├── updatecli.d/
│ ├── update-docker-images/
│ │ ├── update.yaml # Main pipeline: sources + targets for 21 images
│ │ └── README.md
│ └── finalize-docker-images/
│ └── update.yaml # Post-update: bump agent chart version, create MR
├── values.d/
│ ├── values.yaml # SCM + registry config (templated into pipelines)
│ └── values-local.yaml # Local dev override (sets clone directory)
└── updatecli-image-mapping.md # Reference table: image -> values file key(s)
There are two pipelines that run sequentially in CI:
- Pipeline ID:
docker-images - Contains 21
sources(one per Docker image) and 21targets(the values keys to update). - All targets are chained via
dependsonso they execute sequentially. This is intentional: split pipelines ran in parallel and only the last write survived because they all modify the same values file. - Almost all targets write to
stable/suse-observability/values.yaml. Two exceptions write tostable/suse-observability-agent/values.yaml(containerToolsSuseObservabilityAgent,kubernetesRbacAgentSuseObservabilityAgent). - Some images update multiple keys (use
keys:list instead ofkey:).
- Shares the same
pipelineid: docker-imagesso it operates on the same working branch (updatecli-docker-images-master). - If
stable/suse-observability-agent/values.yamlchanged vs master, runsscripts/bump-chart-version/bump_chart_version.py suse-observability-agentto bump the agent chart version. - Creates a GitLab merge request titled
[master] Bump helm chart docker images.
Three jobs in the update stage, triggered only when $RUN_UPDATECLI is set:
update_helm_chart_docker_images # runs update-docker-images pipeline
-> finalize_helm_chart_docker_images # runs finalize-docker-images pipeline
-> open_updatecli_docker_images_mr # ensures MR exists via .gitlab/open_updatecli_mr.sh
Every source is a dockerimage kind pulling from quay.io/stackstate/<name> with architecture: linux/amd64.
Images use a small set of tag formats. Keep the source entry in
updatecli/updatecli.d/update-docker-images/update.yaml close to the image it
tracks, and keep the reference table in
updatecli-image-mapping.md.
processAgentHash and agentHash are shell sources that resolve the latest
commit hash of stackstate-process-agent / stackstate-agent and use it as the
image tag. Because a fresh commit may not have its image built/pushed yet, each
source verifies the consumed image(s) exist with skopeo inspect before bumping:
processAgentHash→quay.io/stackstate/stackstate-k8s-process-agent:<hash>agentHash→quay.io/stackstate/stackstate-k8s-agent:<hash>andquay.io/stackstate/stackstate-k8s-cluster-agent:<hash>
If every consumed image exists, the source emits the new hash and the tag is
bumped. If any is still missing, the source instead re-emits the current tag
(read from stable/suse-observability-agent/values.yaml via scmid: default, so
it reads the same checkout the targets diff against). Re-emitting the current
value produces no diff — so no bump happens until the build lands — while keeping
the source successful. This matters because the sources live in the single shared
docker-images manifest: a source that failed (non-zero exit) would red-fail
the whole pipeline and block every unrelated image bump, whereas a missing build
should only hold back the agent tags.
Targets are yaml kind with scmid: default. Key fields:
sourceid- links to the source providing the tag valuedependson-["target#previousTarget"]to enforce sequential executionspec.file- the values file to updatespec.keyorspec.keys- JSONPath(s) to the image tag field(s)
- container-tools: Updates 5 keys across 3 targets (suse-observability, victoria-metrics backup cron, suse-observability-agent). Matches only standard
maintags;1.8.6_dev-*tags are CI/dev images and must not be used in customer-runtime chart defaults. - kubernetes-rbac-agent (suse-observability target): May need to be temporarily disabled if the tag key doesn't exist on master yet (updatecli clones from remote).
Pipeline YAML files use Go templates referencing values from values.d/values.yaml:
{{ .scm.owner }},{{ .scm.repository }},{{ .scm.branch }}- GitLab project coordinates{{ env .scm.userEnv }},{{ requiredEnv .scm.tokenEnv }}- credentials from environment{{ .scm.directory }}- optional clone directory (only set for local testing)
- Add a source entry in
update-docker-images/update.yamlwith the image name,tagfilter, andversionfiltermatching the image's tag format (see table above). - Add a target entry with:
sourceidpointing to the new sourcedependsonpointing to the last target in the chain (currentlyzookeeper)spec.fileandspec.key/spec.keysfor the values file location(s)
- Update the
dependsonso the new target becomes the last in the chain (or insert it alphabetically and fix the chain). - Update
updatecli-image-mapping.mdwith the new image's mapping. - If the target writes to
stable/suse-observability-agent/values.yaml, the finalize pipeline will automatically bump the agent chart version.
- Remove the source and target entries from
update-docker-images/update.yaml. - Fix the
dependsonchain so the target before and after the removed one are linked. - Update
updatecli-image-mapping.md.
Dry-run without committing or pushing (requires GITLAB_TOKEN in .env):
source .env
docker run --rm --network host -v $(pwd):/workspace:z -w /workspace -e GITLAB_TOKEN \
quay.io/stackstate/container-tools:1.8.6_dev-fa52bb17-main-4 \
updatecli diff \
-c updatecli/updatecli.d/update-docker-images/ \
-v updatecli/values.d/values.yamlTo apply locally and inspect changes (writes to updatecli-work/ subdirectory):
source .env
docker run --rm --network host -v $(pwd):/workspace:z -w /workspace -e GITLAB_TOKEN \
quay.io/stackstate/container-tools:1.8.6_dev-fa52bb17-main-4 \
updatecli apply --commit=false --push=false --clean=false \
-c updatecli/updatecli.d/update-docker-images/ \
-v updatecli/values.d/values.yaml -v updatecli/values.d/values-local.yamlWarning: Never set scm.directory to /workspace in local values - updatecli may clear it before cloning.
scripts/bump-chart-version/bump_chart_version.py- Bumps a chart's version and cascades to all dependents via the reverse dependency graph. Called by the finalize pipeline for agent chart changes. Also useful standalone:python3 scripts/bump-chart-version/bump_chart_version.py common # patch bump python3 scripts/bump-chart-version/bump_chart_version.py -t minor elasticsearch python3 scripts/bump-chart-version/bump_chart_version.py -d -v common # dry run python3 scripts/bump-chart-version/bump_chart_version.py --check common # validate deps
.gitlab/open_updatecli_mr.sh- Ensures a GitLab merge request exists for the updatecli branch. Idempotent (skips if MR already open).
| Variable | Purpose |
|---|---|
GITLAB_TOKEN |
GitLab API token (required) |
UPDATE_CLI_USER |
Git committer name |
UPDATE_CLI_EMAIL |
Git committer email |
UPDATE_CLI_PGP_KEY |
GPG signing key |
UPDATE_CLI_PGP_PASSPHRASE |
GPG key passphrase |
REGISTRY_USER |
quay.io registry username |
REGISTRY_PASSWORD |
quay.io registry password |