[CRDB-51639]: Add v2 chart packaging and multi-registry publishing, publish self-signer image to DockerHub.#617
Pull request overview
Extends the build/release tooling to package and publish “v2” Helm charts (operator + cockroachdb from cockroachdb-parent/charts/) to a /v2/ Helm repo path and to OCI registries, and adds DockerHub publishing for the self-signer image.
Changes:
- Add `build/v2-charts` and `release/v2` flows, including v2 chart packaging and `/v2/index.yaml` generation/merge.
- Extend release publishing to upload v2 artifacts to GCS and push chart packages as OCI artifacts to GAR and DockerHub.
- Publish the self-signer image to DockerHub in GitHub Actions in addition to GCR.
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| Makefile | Adds v2 build/release targets; adds DockerHub self-signer push target and shared tag variable. |
| build/teamcity-make-and-publish-charts-release.sh | Runs both legacy and v2 build+release steps in TeamCity. |
| build/release.sh | Splits legacy vs v2 release logic; adds OCI pushes to GAR and DockerHub. |
| build/make.sh | Adds v2 chart packaging, version-exists checks, and v2 index generation. |
| .github/workflows/build.yaml | Adds DockerHub login and push steps for self-signer image. |
```bash
push_oci_gar() {
  local gar_registry="${OCI_GAR_REGISTRY:-us-docker.pkg.dev/releases-prod/self-hosted/charts}"
  local gar_host="${gar_registry%%/*}"

  echo "Authenticating with GAR for OCI push (${gar_host})..."
  gcloud auth print-access-token | helm registry login "${gar_host}" --username oauth2accesstoken --password-stdin

  echo "Pushing charts to OCI registry: ${gar_registry}"
  for chart_pkg in build/artifacts/v2/*.tgz; do
    echo "  Pushing ${chart_pkg}..."
    helm push "${chart_pkg}" "oci://${gar_registry}" || {
      echo "  Warning: OCI push to GAR failed for ${chart_pkg}. The charts repository in GAR may need to be created."
```
release.sh now calls helm registry login / helm push, but the script does not ensure Helm is installed or on PATH (unlike build/make.sh, which installs Helm into ./bin). In TeamCity, build/make.sh runs in a separate process so its exported PATH won’t persist for build/release.sh, which can cause the v2 release to fail with helm: command not found. Consider invoking ./bin/helm explicitly (if present) or adding a small Helm installation/validation step in release.sh before OCI pushes.
```bash
  echo "Pushing charts to OCI registry: ${gar_registry}"
  for chart_pkg in build/artifacts/v2/*.tgz; do
    echo "  Pushing ${chart_pkg}..."
    helm push "${chart_pkg}" "oci://${gar_registry}" || {
      echo "  Warning: OCI push to GAR failed for ${chart_pkg}. The charts repository in GAR may need to be created."
      echo "  Expected path: oci://${gar_registry}"
    }
  done
}
```
Both OCI push loops swallow helm push failures (they only print a warning and continue). This means the release job can succeed even when charts are not actually published to the OCI registries, which contradicts the PR’s intent to publish to GAR/DockerHub. Consider failing the script on push errors (or making the behavior explicitly configurable via an env var).
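The two review points above (helm not guaranteed on PATH in release.sh, and push failures being swallowed) can be addressed in one push helper. The following is an added example, not code from the PR or the cockroachdb/helm-charts repository: it resolves helm from `./bin/helm` first (where build/make.sh installs it) and otherwise from PATH, counts failed pushes, and returns non-zero unless the caller explicitly opts into the lenient behaviour with an environment variable. The names `HELM`, `OCI_PUSH_ALLOW_FAILURE`, `resolve_helm` and `push_oci_charts` are this example's own, not the repository's.

```shell
# Added example (not the PR's code). Assumed names: HELM, OCI_PUSH_ALLOW_FAILURE,
# resolve_helm, push_oci_charts.

# resolve_helm: print the helm binary to use. Prefer the copy build/make.sh
# installs in ./bin, fall back to PATH, fail early if neither exists.
resolve_helm() {
  if [ -x ./bin/helm ]; then
    echo ./bin/helm
  elif command -v helm >/dev/null 2>&1; then
    command -v helm
  else
    echo "error: helm not found in ./bin or on PATH" >&2
    return 1
  fi
}

# push_oci_charts <registry path> <chart dir>
# Pushes every *.tgz in <chart dir> to oci://<registry path>.
# Returns 0 only if at least one chart was found and every push succeeded.
# Returns 1 if no packages were found or any push failed, except that
# OCI_PUSH_ALLOW_FAILURE=true turns push failures into warnings (the PR's
# current behaviour, here made an explicit opt-in).
push_oci_charts() {
  local registry="$1" chart_dir="$2"
  local helm_bin pushed=0 failures=0 chart_pkg
  helm_bin="${HELM:-$(resolve_helm)}" || return 1

  for chart_pkg in "${chart_dir}"/*.tgz; do
    [ -e "${chart_pkg}" ] || continue   # unexpanded glob: directory is empty
    echo "  Pushing ${chart_pkg} to oci://${registry}..."
    if "${helm_bin}" push "${chart_pkg}" "oci://${registry}"; then
      pushed=$((pushed + 1))
    else
      echo "  error: push failed for ${chart_pkg} (does oci://${registry} exist?)" >&2
      failures=$((failures + 1))
    fi
  done

  if [ "${pushed}" -eq 0 ] && [ "${failures}" -eq 0 ]; then
    echo "error: no chart packages found in ${chart_dir}" >&2
    return 1
  fi
  if [ "${failures}" -gt 0 ]; then
    if [ "${OCI_PUSH_ALLOW_FAILURE:-false}" = "true" ]; then
      echo "warning: ${failures} push(es) failed; continuing because OCI_PUSH_ALLOW_FAILURE=true" >&2
      return 0
    fi
    echo "error: ${failures} of $((pushed + failures)) chart pushes failed" >&2
    return 1
  fi
  return 0
}

# Usage from a release script (GAR shown; the DockerHub path is the same call
# with a different registry):
#   push_oci_charts "${OCI_GAR_REGISTRY:-us-docker.pkg.dev/releases-prod/self-hosted/charts}" build/artifacts/v2
```

Because the function's exit status is the release's signal, a TeamCity step that runs under `set -e` (or checks `$?`) now fails when a chart was not published, and the empty-directory case is reported instead of looping zero times silently. Setting `HELM` lets the same function be pointed at any helm binary, which is also how the example is tested.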
```yaml
        if: ${{ secrets.DOCKERHUB_USERNAME != '' }}
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}

      - name: Push Self-signer to DockerHub
        if: ${{ secrets.DOCKERHUB_USERNAME != '' }}
```
The DockerHub login/push steps are gated only on DOCKERHUB_USERNAME being non-empty, but they also require DOCKERHUB_TOKEN. If the token secret is missing/empty, the workflow will attempt to login and fail. Update the if: condition to require both secrets (and optionally check both in one place to avoid duplication).
Suggested change:

```diff
-        if: ${{ secrets.DOCKERHUB_USERNAME != '' }}
+        if: ${{ secrets.DOCKERHUB_USERNAME != '' && secrets.DOCKERHUB_TOKEN != '' }}
         uses: docker/login-action@v3
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
       - name: Push Self-signer to DockerHub
-        if: ${{ secrets.DOCKERHUB_USERNAME != '' }}
+        if: ${{ secrets.DOCKERHUB_USERNAME != '' && secrets.DOCKERHUB_TOKEN != '' }}
```
```bash
# v2_chart_version_exists checks if a specific chart version already exists
# in the v2 Helm repository.
v2_chart_version_exists() {
  local chart_name="$1"
  local chart_dir="$2"

  if [ "$is_prod" = true ] && ! chart_version_exists; then
    echo "Skipping build: chart version already present in production."
    exit 0
  fi
  helm repo add cockroachdb-v2 "https://${charts_hostname}/v2" --force-update 2>/dev/null || true
  helm repo update cockroachdb-v2 2>/dev/null || true

  local existing_version
  existing_version=$(grep 'version:' "${chart_dir}/Chart.yaml" | awk '{print $2}')
  # Use --devel to also match prerelease versions (e.g., 26.1.2-preview).
  if helm search repo "cockroachdb-v2/${chart_name}" --devel --version "$existing_version" 2>/dev/null | grep -q "$existing_version"; then
    echo "Chart ${chart_name} version $existing_version already exists in v2 repository."
    return 0
  fi
  return 1
}
```
chart_version_exists and the new v2_chart_version_exists use opposite success semantics (legacy returns non-zero when the version exists, v2 returns zero when the version exists). This inconsistency is easy to misuse and can lead to incorrect skip logic later. Consider aligning the return codes or renaming one of the functions to reflect its actual truthiness.
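One way to give the v2 check a single, documented truthiness, as an added example that is not code from the PR or the cockroachdb/helm-charts repository. Instead of `helm search repo` it reads a local copy of the v2 `index.yaml` (which the PR's make.sh generates and merges), so it runs offline; it returns 0 when the version is already published, 1 when it is not, and 2 when the answer could not be determined (missing index or missing `version:` in Chart.yaml), so a failed lookup can never be mistaken for "not published" the way the `|| true` on `helm repo add`/`helm repo update` allows. It also compares versions exactly rather than with a substring `grep`, so `26.1.2` does not match `26.1.20` or `26.1.2-preview`. The function names (`chart_version_from_dir`, `index_versions`, `v2_chart_version_exists`, `should_build_chart`, `make_demo_index`) and the sample index are this example's own.

```shell
# Added example (not the PR's code). Assumed names: chart_version_from_dir,
# index_versions, v2_chart_version_exists, should_build_chart, make_demo_index.

# chart_version_from_dir <chart dir>: print the `version:` value of Chart.yaml
# (quotes stripped). Exit 2 if Chart.yaml is unreadable.
chart_version_from_dir() {
  local chart_yaml="$1/Chart.yaml"
  [ -r "$chart_yaml" ] || return 2
  awk '$1 == "version:" { v = $2; gsub(/"/, "", v); print v; exit }' "$chart_yaml"
}

# index_versions <index.yaml> <chart name>: print every published version of
# <chart name> listed under `entries:` in a Helm repo index, one per line.
index_versions() {
  local index_file="$1" chart="$2"
  [ -r "$index_file" ] || return 2
  awk -v chart="$chart" '
    /^entries:/                        { in_entries = 1; next }
    in_entries && /^  [^ -]/ && /:$/   { cur = $1; sub(/:$/, "", cur); next }
    in_entries && cur == chart {
      line = $0
      sub(/^ *- */, "", line); sub(/^ */, "", line)
      if (line ~ /^version: /) { sub(/^version: */, "", line); gsub(/"/, "", line); print line }
    }' "$index_file"
}

# v2_chart_version_exists <index.yaml> <chart name> <chart dir>
# 0: this chart version is already in the index, 1: it is not, 2: lookup failed.
v2_chart_version_exists() {
  local index_file="$1" chart="$2" chart_dir="$3" version
  [ -r "$index_file" ] || return 2
  version=$(chart_version_from_dir "$chart_dir") || return 2
  [ -n "$version" ] || return 2
  # -F -x: fixed-string, whole-line match, so 26.1.2 never matches 26.1.20.
  if index_versions "$index_file" "$chart" | grep -Fxq -- "$version"; then
    return 0
  fi
  return 1
}

# should_build_chart <index.yaml> <chart name> <chart dir>
# Prints "skip" (already published) or "build"; returns 1 if the lookup failed,
# so a caller under `set -e` aborts instead of guessing.
should_build_chart() {
  if v2_chart_version_exists "$@"; then
    echo skip
  elif [ $? -eq 1 ]; then
    echo build
  else
    echo "error: could not determine whether $2 is already published" >&2
    return 1
  fi
}

# make_demo_index <dir>: write a constructed v2 index.yaml plus two chart
# directories. Sample data for this example only, not a real published index.
make_demo_index() {
  local dir="$1"
  mkdir -p "$dir/operator" "$dir/cockroachdb"
  cat > "$dir/index.yaml" <<'EOF'
apiVersion: v1
entries:
  cockroachdb:
  - apiVersion: v2
    name: cockroachdb
    version: 26.1.2-preview
  - apiVersion: v2
    name: cockroachdb
    version: 26.1.20
  operator:
  - apiVersion: v2
    name: operator
    version: "2.1.0"
EOF
  printf 'apiVersion: v2\nname: cockroachdb\nversion: 26.1.2\n' > "$dir/cockroachdb/Chart.yaml"
  printf 'apiVersion: v2\nname: operator\nversion: "2.1.0"\n' > "$dir/operator/Chart.yaml"
}

# Usage (constructed data): cockroachdb 26.1.2 is absent even though 26.1.20 and
# 26.1.2-preview are published, so it prints "build"; operator 2.1.0 prints "skip".
#   d=$(mktemp -d); make_demo_index "$d"
#   should_build_chart "$d/index.yaml" cockroachdb "$d/cockroachdb"
#   should_build_chart "$d/index.yaml" operator "$d/operator"
```

With this shape the caller reads `if v2_chart_version_exists ...; then skip; fi`, matching the function's name, and the three-way exit status keeps "the repo was unreachable" distinct from "the version is new", which is the difference between a transient GCS error aborting the release and it silently overwriting a published chart.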
This commit extends the build and release pipeline to package and publish the operator and cockroachdb charts from `cockroachdb-parent/charts/` to the existing prod GCS bucket (in the /v2/ path), Google Artifact Registry, and DockerHub as OCI artifacts.
This commit adds the `build-and-push/self-signer-dockerhub` Makefile target and extends the build.yaml workflow to push the `cockroach-self-signer-cert` image to DockerHub alongside GCR. DockerHub steps are gated on the DOCKERHUB_USERNAME secret.
e049c05 to f00c322
This PR extends the build and release pipeline to package and publish the latest operator and cockroachdb charts from `cockroachdb-parent/charts/` to the existing prod GCS bucket (in the /v2/ path), Google Artifact Registry, and DockerHub as OCI artifacts. The changes also include publishing the self-signer image to DockerHub in addition to the existing GCR artifact.