feat: add release workflow for kustomize oci image #1379

Open
wants to merge 9 commits into
base: main

tjololo
Member

@tjololo tjololo commented Feb 28, 2025

chore: add release pipeline for dis-apim kustomize resources

Description

Enable cert-manager integration

As the operator has a DefaultingWebhook it relies on a certificate, we are installing cert-manager so we can leverage it to generate it for us

Release pipeline for kustomize

Pipeline for building and releasing kustomize resources for dis-apim in an oci image

Related Issue(s)

  • #{issue number}

Verification

  • Your code builds clean without any errors or warnings
  • Manual testing done (required)
  • Relevant automated test added (if you find this hard, leave it and we'll help out)
  • All tests run green

Documentation

  • User documentation is updated with a separate linked PR in altinn-studio-docs. (if applicable)

Summary by CodeRabbit

  • New Features
    • Rolled out an automated release pipeline that builds and publishes updated container images, ensuring that the latest changes and stable release versions are consistently available.
    • Streamlined both commit-driven updates and tagged release builds to enhance reliability and speed in delivering artifacts to users.

chore: add release pipeline for dis-apim kustomize resources
@tjololo tjololo requested a review from a team as a code owner February 28, 2025 07:30
Contributor

coderabbitai bot commented Feb 28, 2025

Important

Review skipped

Review was skipped as selected files did not have any reviewable changes.

💤 Files selected but had no reviewable changes (1)
  • .github/workflows/dis-apim-kustomize-release.yml

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

📝 Walkthrough

A new GitHub Actions workflow file named dis-apim-kustomize-release.yml has been added. This workflow automates the building of OCI artifacts for the Dis APIM Operator. It defines two jobs: the latest job, which runs on pushes to the main branch and pushes an artifact tagged as latest, and the release job, which is triggered by tags matching kustomize-dis-apim-* and pushes an artifact with the corresponding tag.

Changes

File(s) | Summary
.github/workflows/...kustomize-release.yml | Introduces a new GitHub Actions workflow with two jobs: latest (runs on main branch pushes, builds artifact tagged as latest) and release (runs on tag pushes, extracts and uses the tag for the artifact).

Sequence Diagram(s)

Latest Job Workflow

sequenceDiagram
    participant User as Committer
    participant GH as GitHub Actions
    participant Repo as Repository
    participant Flux as Flux Config
    participant Reg as Container Registry

    User->>GH: Push commit to main branch
    GH->>Repo: Checkout repository
    GH->>Flux: Configure Flux and set variables
    GH->>Reg: Login using GitHub Token
    GH->>Reg: Push artifact (tag: latest)

Release Job Workflow

sequenceDiagram
    participant Tagger as Tagger
    participant GH as GitHub Actions
    participant Repo as Repository
    participant Flux as Flux Config
    participant Reg as Container Registry

    Tagger->>GH: Push tag matching kustomize-dis-apim-*
    GH->>Repo: Checkout repository
    GH->>Flux: Configure Flux and set variables
    GH->>GH: Extract tag from reference
    GH->>Reg: Login using GitHub Token
    GH->>Reg: Push artifact (tag: extracted tag)

Suggested reviewers

  • khanrn
  • sduranc

Contributor

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 0

🧹 Nitpick comments (13)
services/dis-apim-operator/config/default/kustomization.yaml (4)

9-10: Remove trailing spaces.
A trailing space was detected on line 10. Please remove it to maintain a clean YAML file.


21-22: Review comment on commented block indentation.
Static analysis flagged indentation issues in the commented lines (e.g. lines 21–22). Although these are comments, consider cleaning up their indentation to improve readability.


50-112: Validate Certificate Replacement Configuration.
The replacements block for certificate injection into both Validating and Mutating webhook configurations is now active. Please double-check that the indices (e.g. use of index 0 and index 1) correctly map to the intended DNS names and injection targets, and that the Certificate resource named serving-cert exists and is referenced properly.


144-178: Review Service Replacement Configuration.
This block maps fields from the webhook-service to Certificate resources via two separate list items. Confirm that the service’s name and namespace fields are correctly being replaced—especially the use of delimiters and indices for extracting DNS names.

.github/workflows/dis-apim-kustomize-realease.yaml (9)

10-10: Remove trailing spaces.
A trailing space was detected at the end of line 10. Please remove it to maintain consistency and avoid linting errors.

🧰 Tools
🪛 YAMLlint (1.35.1)

[error] 10-10: trailing spaces

(trailing-spaces)


21-21: Fix job key indentation.
The latest: job (line 21) is indented with 4 spaces but should be indented with 2 spaces relative to its parent (jobs:). Adjusting this will align with GitHub Actions YAML style guidelines.

🧰 Tools
🪛 YAMLlint (1.35.1)

[warning] 21-21: wrong indentation: expected 2 but found 4

(indentation)


22-22: Adjust nested indentation in job configuration.
The nested keys under the latest: job (line 22) currently use 8 spaces where 6 are expected. Please update these indentations for consistency throughout the workflow file.

🧰 Tools
🪛 YAMLlint (1.35.1)

[warning] 22-22: wrong indentation: expected 6 but found 8

(indentation)


25-25: Fix defaults block indentation.
Within the latest: job, the run: key under defaults: (line 25) is indented with 12 spaces instead of the expected 10. Correcting this ensures clarity and YAML compliance.

🧰 Tools
🪛 YAMLlint (1.35.1)

[warning] 25-25: wrong indentation: expected 10 but found 12

(indentation)


26-26: Correct working-directory indentation.
The working-directory setting (line 26) is indented with 16 spaces, though 14 are expected. Please adjust this to maintain proper structure.

🧰 Tools
🪛 YAMLlint (1.35.1)

[warning] 26-26: wrong indentation: expected 14 but found 16

(indentation)


54-54: Correct indentation in release job.
For the release: job, the name: field on line 54 appears indented with 8 spaces instead of the expected 6. Please re-indent this section to meet YAML formatting standards.

🧰 Tools
🪛 YAMLlint (1.35.1)

[warning] 54-54: wrong indentation: expected 6 but found 8

(indentation)


57-57: Fix defaults block indentation in release job.
The defaults: block in the release job (line 57) is indented with 12 spaces rather than 10. Proper indentation is important to avoid YAML parsing issues.

🧰 Tools
🪛 YAMLlint (1.35.1)

[warning] 57-57: wrong indentation: expected 10 but found 12

(indentation)


58-58: Adjust working-directory indentation in release job.
The working-directory key under the release: job is indented with 16 spaces on line 58, but 14 spaces are expected. Please make the necessary adjustment.

🧰 Tools
🪛 YAMLlint (1.35.1)

[warning] 58-58: wrong indentation: expected 14 but found 16

(indentation)


86-86: Add newline at end of file.
The file is missing a newline character at the end. Kindly add one to comply with standard file formatting conventions.

🧰 Tools
🪛 YAMLlint (1.35.1)

[error] 86-86: no new line character at the end of file

(new-line-at-end-of-file)

📜 Review details

Configuration used: .coderabbit.yaml
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 19f9e32 and e13b03f.

📒 Files selected for processing (2)
  • .github/workflows/dis-apim-kustomize-realease.yaml (1 hunks)
  • services/dis-apim-operator/config/default/kustomization.yaml (3 hunks)
⏰ Context from checks skipped due to timeout of 90000ms (4)
  • GitHub Check: Run on Ubuntu
  • GitHub Check: Run on Ubuntu
  • GitHub Check: Analyze (javascript-typescript)
  • GitHub Check: Analyze (go)
🔇 Additional comments (1)
services/dis-apim-operator/config/default/kustomization.yaml (1)

24-25: Enable cert-manager resource.
The cert-manager resource (line 25) has now been uncommented. Please verify that the referenced cert-manager configuration is correct and that all related files (like certificate definitions) are aligned with this change.

- name: Setup vars
id: vars
run: |
tag=${GITHUB_REF/refs\/tags\/${{ env.ARTIFACT_NAME }}-/}
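Review bot: on the `tag=` line, `${GITHUB_REF/pattern/}` is a substitution that removes the first match anywhere in the ref and is what forces the `\/` escaping; prefix removal, `tag=${GITHUB_REF#refs/tags/${{ env.ARTIFACT_NAME }}-}`, strips only at the start of the string and needs no escapes. If the result is used as the artifact tag, the step should also fail when the remainder is empty or contains characters a registry will not accept in a tag.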
Contributor

Hmm, what are the \ used for here?
I thought it was to escape the forward slashes but then I noticed that some of them are not being escaped.

Member Author

@tjololo tjololo Feb 28, 2025

They are for escaping the forward slashes, but not the ones used by shell parameter expansion

example command to run:

export REF=refs/tags/prefix-1.0.0
echo ${REF/refs\/tags\/prefix-/}
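
The ref-to-tag step discussed in this thread, as an added example that is not part of the PR or the project's workflow: it uses POSIX prefix removal instead of pattern substitution and rejects anything that is not a valid OCI tag. The function name `extract_oci_tag`, the artifact name `kustomize-dis-apim` (taken from the tag pattern in the walkthrough) and the sample refs are assumptions.

```shell
#!/bin/sh
# Added example: derive an OCI tag from a Git ref and validate it.
# extract_oci_tag and the sample refs are constructed for illustration.

LC_ALL=C   # byte-wise character ranges in the case patterns below

# usage: extract_oci_tag <git-ref> <artifact-name>
# Prints the tag on stdout. Returns 1 if the ref is not a tag ref with the
# expected prefix, or if the remainder is not a valid OCI tag.
extract_oci_tag() {
    ref=$1
    prefix="refs/tags/$2-"

    # ${ref#...} strips only at the start of the string and needs no
    # escaping of "/". Quoting $prefix makes it a literal, not a glob.
    tag=${ref#"$prefix"}

    # Nothing stripped means the ref did not start with the prefix.
    [ "$tag" != "$ref" ] || return 1

    # OCI tag grammar: [A-Za-z0-9_][A-Za-z0-9._-]{0,127}
    [ "${#tag}" -le 128 ] || return 1
    case $tag in
        '' | [.-]* | *[!A-Za-z0-9._-]*) return 1 ;;
    esac

    printf '%s\n' "$tag"
}

# Constructed sample refs: a normal release, semver build metadata ("+" is
# legal in a Git tag but not in an OCI tag), and a branch ref.
for ref in refs/tags/kustomize-dis-apim-1.0.0 \
           'refs/tags/kustomize-dis-apim-1.0.0+build.5' \
           refs/heads/main; do
    if tag=$(extract_oci_tag "$ref" kustomize-dis-apim); then
        echo "$ref -> $tag"
    else
        echo "$ref -> rejected"
    fi
done
```
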

@monteiro-renato
Contributor

This feels like it should be two different PRs 😅

@tjololo
Member Author

tjololo commented Feb 28, 2025

This feels like it should be two different PRs 😅

Yeah 😅, I got lazy 🙈
I can split it up if you like

Contributor

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 5

🧹 Nitpick comments (3)
.github/workflows/dis-apim-kustomize-realease.yml (3)

35-38: Pin Flux Action Version for Stability
The workflow uses the Flux action with:

uses: fluxcd/flux2/action@3b42b200d376430f0e24d35f1a600447d92da531
with:
  version: latest

Using latest or a commit hash could lead to non-deterministic builds if upstream changes occur. It is recommended to pin the action to a specific, released version to ensure build reproducibility.


44-49: Use GitHub Context Variables for Revision Information (Latest Job)
The current script retrieves commit details using shell commands like git rev-parse --short HEAD and git branch --show-current. For better clarity and resilience (especially in detached HEAD states), consider using GitHub Actions’ built-in context variables such as ${{ github.sha }} for the commit hash and ${{ github.ref_name }} for the branch name.


78-83: Use GitHub Context Variables for Revision Information (Release Job)
In the release job, the script employs git commands (git rev-parse --short HEAD and git branch --show-current) to fetch revision details. For consistency and enhanced reliability—especially during tag events where branch information might not be available—consider using context variables like ${{ github.sha }} and ${{ github.ref_name }} provided by GitHub Actions.

📜 Review details

Configuration used: .coderabbit.yaml
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 1d2f4ff and f8c1f22.

📒 Files selected for processing (1)
  • .github/workflows/dis-apim-kustomize-realease.yml (1 hunks)
⏰ Context from checks skipped due to timeout of 90000ms (4)
  • GitHub Check: Run on Ubuntu
  • GitHub Check: Run on Ubuntu
  • GitHub Check: Analyze (javascript-typescript)
  • GitHub Check: Analyze (go)

@tjololo tjololo changed the title feat: enable certmanager for dis-apim-operator feat: add release workflow for kustomize oci image Mar 5, 2025
@tjololo
Member Author

tjololo commented Mar 5, 2025

Split the change into two PRs. kustomization changes are moved to #1392

echo ${{ secrets.GITHUB_TOKEN }} | docker login ghcr.io -u ${{ github.actor }} --password-stdin
container_registry=ghcr.io/${{ steps.vars.outputs.reponame }}
artifact_name=${{ env.ARTIFACT_NAME }}
flux push artifact oci://${container_registry}/${artifact_name}:$(git rev-parse --short HEAD) \
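Review bot: the `docker login` line expands `${{ secrets.GITHUB_TOKEN }}` and `${{ github.actor }}` straight into the script text, unquoted; pass them through the step's `env:` block and reference them as quoted shell variables, e.g. `printf '%s' "$GITHUB_TOKEN" | docker login ghcr.io -u "$ACTOR" --password-stdin` (variable names are placeholders), so the values are never parsed as shell. The same applies to `${{ steps.vars.outputs.reponame }}` on the next line, and `${container_registry}/${artifact_name}` in the `flux push` line should be double-quoted.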
Contributor

Not sure I follow what is happening here.
How are you planning to integrate with: https://github.com/Altinn/altinn-platform/blob/main/services/dis-apim-operator/Makefile#L131-L135?

Member Author

@tjololo tjololo Mar 5, 2025

I take all the kustomization and other files in the config folder and package them up in an OCI image that is pushed to ghcr.

Frankly I wasn't planning on implementing it. I plan to deploy this with flux Kustomization CRDs and that resource reads kustomization.yaml and creates the final result by itself. Then we aren't relying on having an extra step in this pipeline
