chainloop-dev
diff --git a/‎.claude/skills/upgrading-chart/SKILL.md‎
Lines changed: 132 additions & 0 deletions b/‎.claude/skills/upgrading-chart/SKILL.md‎
Lines changed: 132 additions & 0 deletions
diff --git a/‎.claude/skills/upgrading-chart/chart-upgrade-process.md‎
Lines changed: 148 additions & 0 deletions b/‎.claude/skills/upgrading-chart/chart-upgrade-process.md‎
Lines changed: 148 additions & 0 deletions
diff --git a/‎.claude/skills/upgrading-chart/files-modified.md‎
Lines changed: 68 additions & 0 deletions b/‎.claude/skills/upgrading-chart/files-modified.md‎
Lines changed: 68 additions & 0 deletions
@@ -0,0 +1,132 @@
+---
+name: upgrading-chart
+description: Upgrades Helm chart dependencies (PostgreSQL, Vault) in the Chainloop project, including vendorized charts, container images, and CI/CD workflows. Use when the user mentions upgrading Helm charts, Bitnami dependencies, PostgreSQL chart, or Vault chart. CRITICAL - Major version upgrades are FORBIDDEN and must be escalated.
+---
+
+# Upgrading Helm Chart Dependencies
+
+This skill automates the upgrade process for Helm chart dependencies in the Chainloop project. Supports PostgreSQL and Vault (both Bitnami charts).
+
+## CRITICAL RESTRICTIONS
+
+**Version Upgrade Rules**:
+- Patch upgrades (1.2.3 → 1.2.4): ALLOWED
+- Minor upgrades (1.2.x → 1.3.x): ALLOWED
+- Major upgrades (1.x.x → 2.x.x): **FORBIDDEN - STOP IMMEDIATELY**
+
+**MANDATORY**: If major version upgrade is detected, STOP the process and inform the user that manual review is required.
+
+## Upgrade Types
+
+The skill supports two upgrade types:
+
+1. **Specific Image Upgrade**: Update container image to specific version (chart unchanged)
+2. **Chart Minor Version Upgrade**: Update chart to latest minor version (may include image updates)
+
+**IMPORTANT**: Container images are ONLY updated as part of chart upgrades, never independently (unless Type 1).
+
+## Process
+
+### 1. Identify Upgrade Type
+
+Ask the user which type of upgrade they want:
+- Type 1: Specific image version upgrade
+- Type 2: Latest minor chart version upgrade
+
+Also ask which chart: `postgresql` or `vault`
+
+### 2. Pre-Upgrade Validation
+
+Check current state:
+```bash
+cat deployment/chainloop/charts/<chart-name>/Chart.yaml | grep "^version:"
+cat deployment/chainloop/charts/<chart-name>/Chart.yaml | grep "^appVersion:"
+```
+
+### 3. Version Compatibility Check
+
+For any version change, validate that major version remains the same:
+```bash
+CURRENT_MAJOR=$(echo "$CURRENT_VERSION" | cut -d. -f1)
+TARGET_MAJOR=$(echo "$TARGET_VERSION" | cut -d. -f1)
+
+if [ "$CURRENT_MAJOR" != "$TARGET_MAJOR" ]; then
+    echo "FORBIDDEN: Major version upgrade detected"
+    exit 1
+fi
+```
+
+If major version upgrade detected, STOP and escalate.
+
+## Type 1: Specific Image Upgrade
+
+See [image-upgrade-process.md](image-upgrade-process.md) for detailed steps.
+
+**Summary**:
+1. Locate target container image in [Bitnami Containers](https://github.com/bitnami/containers)
+2. Find commit with release message pattern
+3. Extract APP_VERSION from Dockerfile
+4. Update `deployment/charts/<chart-name>/Chart.yaml` appVersion
+5. Update `.github/workflows/build_external_container_images.yaml` commit hash
+
+## Type 2: Chart Minor Version Upgrade
+
+See [chart-upgrade-process.md](chart-upgrade-process.md) for detailed steps.
+
+**Summary**:
+1. Locate target chart version in [Bitnami Charts](https://github.com/bitnami/charts) CHANGELOG.md
+2. Validate minor version upgrade only
+3. Download and extract target chart
+4. Check for image changes (compare Chart.yaml)
+5. If images changed, update container image references
+6. Vendorize chart update (copy files)
+7. Update dependencies in correct order
+8. Update main chart dependency version
+9. Clean up temporary files
+
+## Verification
+
+After any upgrade type, run:
+```bash
+# Lint charts
+helm lint deployment/charts/<chart-name>
+helm lint deployment/chainloop
+
+# Template validation
+helm template deployment/charts/<chart-name>
+helm template deployment/chainloop
+
+# Local testing
+cd devel && docker compose up
+
+# Verify image consistency
+grep -r "appVersion\|image.*tag" deployment/charts/<chart-name>/
+```
+
+## Files Modified
+
+See [files-modified.md](files-modified.md) for complete list.
+
+## Troubleshooting
+
+Common issues:
+- **Image Version Mismatch**: Verify APP_VERSION matches Chart.yaml appVersion
+- **Build Failures**: Check commit reference in build workflow
+- **Dependency Conflicts**: Verify dependencies updated in correct order (vendorized first, then main chart)
+
+## Rollback
+
+If issues occur:
+```bash
+git checkout HEAD -- deployment/
+find deployment/ -name "Chart.lock" -delete
+cd deployment/chainloop && helm dependency build
+cd ../../devel && docker compose down && docker compose up
+```
+
+## Important Notes
+
+- Dex is self-managed and follows a separate process (not covered by this skill)
+- Always use commit hashes for reproducibility
+- Dependencies must be updated in correct order: vendorized chart first, then main chart
+- Container images are found in Bitnami Containers repo, charts in Bitnami Charts repo
@@ -0,0 +1,148 @@
+# Chart Minor Version Upgrade Process (Type 2)
+
+This process upgrades a Helm chart to the latest minor version, potentially including image updates.
+
+## Step 1: Locate Target Chart Version
+
+1. Navigate to [Bitnami Charts](https://github.com/bitnami/charts)
+2. Open `bitnami/<chart-name>/CHANGELOG.md`
+3. Find latest minor version (ensure no major version change)
+4. Note target chart version
+
+## Step 2: Version Validation
+
+**MANDATORY**: Verify minor upgrade only:
+```bash
+CURRENT_CHART_VERSION="<current>"
+TARGET_CHART_VERSION="<target>"
+
+CURRENT_MAJOR=$(echo "$CURRENT_CHART_VERSION" | cut -d. -f1)
+TARGET_MAJOR=$(echo "$TARGET_CHART_VERSION" | cut -d. -f1)
+
+if [ "$CURRENT_MAJOR" != "$TARGET_MAJOR" ]; then
+    echo "FORBIDDEN: Major version upgrade detected"
+    exit 1
+fi
+```
+
+## Step 3: Download and Extract Target Chart
+
+```bash
+# Pull chart to temporary location
+helm pull bitnami/<chart-name> --version <target-version> --untar --untardir /tmp
+
+# Examine structure
+ls -la /tmp/<chart-name>/
+```
+
+## Step 4: Check for Image Changes
+
+```bash
+# Compare current vs target chart
+diff deployment/charts/<chart-name>/Chart.yaml /tmp/<chart-name>/Chart.yaml
+
+# Look for changes in:
+# - appVersion field
+# - images section (if present)
+# - dependencies
+```
+
+## Step 5: Update Container Images (if changed)
+
+**Execute only if images changed in target chart**:
+
+1. **Locate new image versions**:
+   - Pattern format: `<app-version>-<distro>-<distro-version>-r<revision>`
+   - Example: `15.3.0-debian-12-r1`
+
+2. **Get APP_VERSION from Dockerfile**:
+   - Navigate to `bitnami/containers/<image>/<major-version>/<distro>-<version>/Dockerfile`
+   - Extract `APP_VERSION` environment variable
+
+3. **Update build configuration**:
+   ```bash
+   # Update commit hash in build workflow
+   vi .github/workflows/build_external_container_images.yaml
+   ```
+
+## Step 6: Vendorize Chart Update
+
+```bash
+# Replace vendorized chart with new version
+cp -r /tmp/<chart-name>/* deployment/charts/<chart-name>/
+
+# Update Chart.yaml if images changed
+vi deployment/charts/<chart-name>/Chart.yaml
+# Set appVersion to APP_VERSION from Bitnami Containers
+
+# Update values.yaml if needed
+# Replace docker.io/bitnami/* with Chainloop registry paths
+vi deployment/charts/<chart-name>/values.yaml
+```
+
+## Step 7: Update Dependencies (CRITICAL ORDER)
+
+**Dependencies must be updated in this specific order**:
+
+```bash
+# 1. Update vendorized chart dependencies FIRST
+cd deployment/charts/<chart-name>
+helm dependency update
+helm dependency build
+
+# 2. Update main chart dependency version
+cd ../../chainloop
+vi Chart.yaml  # Update dependency version to match vendorized chart
+
+# 3. Update main chart dependencies
+helm dependency update
+helm dependency build
+
+cd ../..
+```
+
+## Step 8: Clean Up
+
+```bash
+# Remove temporary files
+rm -rf /tmp/<chart-name>
+
+# Verify working directory
+git status
+```
+
+## Step 9: Verification
+
+```bash
+# Lint charts
+helm lint deployment/charts/<chart-name>
+helm lint deployment/chainloop
+
+# Template validation
+helm template deployment/charts/<chart-name>
+helm template deployment/chainloop
+
+# Local testing
+cd devel && docker compose up
+
+# Verify image consistency
+grep -r "appVersion\|image.*tag" deployment/charts/<chart-name>/
+grep -r "<chart-name>" .github/workflows/build_external_container_images.yaml
+```
+
+## Files Modified
+
+- `deployment/charts/<chart-name>/Chart.yaml` - Chart version and appVersion
+- `deployment/charts/<chart-name>/values.yaml` - Image references
+- `deployment/charts/<chart-name>/Chart.lock` - Dependency lock (regenerated)
+- `deployment/charts/<chart-name>/templates/*` - All chart templates (vendorized)
+- `deployment/chainloop/Chart.yaml` - Main chart dependency version
+- `deployment/chainloop/Chart.lock` - Main dependency lock (regenerated)
+- `.github/workflows/build_external_container_images.yaml` - Image build references (if images changed)
+
+## Important Notes
+
+- Always vendorize first, then update main chart dependencies
+- Chart.lock files are regenerated by `helm dependency build`
+- Image registry paths must use Chainloop registry (not docker.io/bitnami)
+- Commit hashes ensure reproducible builds
@@ -0,0 +1,68 @@
+# Files Modified During Chart Upgrades
+
+This reference lists all files that may be modified during Helm chart dependency upgrades.
+
+## Type 1: Specific Image Upgrade
+
+### Chart Files
+- `deployment/charts/<chart-name>/Chart.yaml` - appVersion only
+
+### CI/CD Configuration
+- `.github/workflows/build_external_container_images.yaml` - commit hash reference
+
+**Total files**: 2 files
+
+## Type 2: Chart Minor Version Upgrade
+
+### Vendorized Chart Files
+- `deployment/charts/<chart-name>/Chart.yaml` - Chart version and appVersion
+- `deployment/charts/<chart-name>/values.yaml` - Default configuration and image references
+- `deployment/charts/<chart-name>/Chart.lock` - Dependency lock file (regenerated)
+- `deployment/charts/<chart-name>/templates/*` - All Helm template files
+- `deployment/charts/<chart-name>/README.md` - Chart documentation
+- Other chart files as needed
+
+### Main Chart Files
+- `deployment/chainloop/Chart.yaml` - Dependency version reference
+- `deployment/chainloop/Chart.lock` - Main chart dependency lock (regenerated)
+
+### CI/CD Configuration (if images changed)
+- `.github/workflows/build_external_container_images.yaml` - Image build commit references
+
+**Total files**: Variable (all vendorized chart files + 2-3 main files)
+
+## Common Chart Names
+
+- `postgresql` - PostgreSQL database
+- `vault` - HashiCorp Vault for secrets
+
+## File Locations Summary
+
+```
+deployment/
+├── charts/
+│   ├── postgresql/          # Vendorized PostgreSQL chart
+│   │   ├── Chart.yaml       # Chart metadata
+│   │   ├── Chart.lock       # Dependencies (regenerated)
+│   │   ├── values.yaml      # Configuration
+│   │   └── templates/       # Helm templates
+│   └── vault/               # Vendorized Vault chart
+│       ├── Chart.yaml
+│       ├── Chart.lock
+│       ├── values.yaml
+│       └── templates/
+└── chainloop/               # Main Chainloop chart
+    ├── Chart.yaml           # Main chart with dependencies
+    └── Chart.lock           # Main dependencies (regenerated)
+
+.github/
+└── workflows/
+    └── build_external_container_images.yaml  # Image build config
+```
+
+## Key Points
+
+- `.lock` files are always regenerated by `helm dependency build`
+- Template files are completely replaced during vendorization
+- Image registry paths should reference Chainloop registry, not `docker.io/bitnami`
+- Build workflow only modified if container images change