feat(ci): Refine release process and improve deployment configuration

This commit introduces a number of improvements to the CI/CD pipeline and the operator's deployment configuration.

Key changes include:
- Upgrading the Go version to 1.24 in the CI workflows.
- Enhancing the release process with better version calculation and tag handling.
- Renaming RBAC resources for clarity and consistency.
- Adding support for custom webhook certificates, allowing for more flexible deployments.
- Updating kustomize configurations to enable webhooks and cert-manager.

Author: chideat

.github/workflows/branch-pipeline.yaml

@@ -14,7 +14,7 @@ jobs:
     - name: Set up Go
       uses: actions/setup-go@v5
       with:
-        go-version: '1.23'
+        go-version: '1.24'
 
     - name: Check out code
       uses: actions/checkout@v5
@@ -41,11 +41,13 @@ jobs:
     steps:
     - name: Check out code
       uses: actions/checkout@v5
+      with:
+        fetch-depth: 0
 
-    - name: Check for [skip ci] in commit messages or PR title
+    - name: Check for [skip ci] in commit message
       id: check_skip_ci
       run: |
-        if [[ "${{ github.event.head_commit.message }}" =~ \[skip\ ci\] ]] || [[ "${{ github.event.pull_request.title }}" =~ \[skip\ ci\] ]]; then
+        if [[ "${{ github.event.head_commit.message }}" =~ \[skip\ ci\] ]]; then
           echo "CI skip detected, exiting."
           exit 0
         fi
@@ -59,18 +61,20 @@ jobs:
           BRANCH_NAME="${GITHUB_REF#refs/heads/}"
           VERSION="${BRANCH_NAME#release-}"
           TS=$(date '+%m%d%H%M')
-          LARGEST_TAG=$(git tag --merged $BRANCH_NAME --sort=-v:refname | grep $VERSION | head -n 1)
+          # Get the latest tag matching the release version, looking at all tags now
+          LARGEST_TAG=$(git tag --sort=-v:refname | grep "^v${VERSION}\\.$" | head -n 1)
           if [ -z "$LARGEST_TAG" ]; then
             # No existing tag found, use version from branch name with .0 patch version
             TAG_NAME="v${VERSION}.0-rc.${TS}.${GITHUB_SHA::7}"
           else
-            # Extract and increment patch version from existing tag
+            # Extract and increment patch version from existing tag.
+            # This regex handles both final tags (v1.2.3) and pre-release tags (v1.2.3-rc1)
             if [[ $LARGEST_TAG =~ ^v?([0-9]+)\.([0-9]+)\.([0-9]+) ]]; then
               MAJOR=${BASH_REMATCH[1]}
               MINOR=${BASH_REMATCH[2]}
               PATCH=${BASH_REMATCH[3]}
               NEW_PATCH=$((PATCH + 1))
-              TAG_NAME="v${MAJOR}.${MINOR}.${NEW_PATCH}-rc.${ts}.${GITHUB_SHA::7}"
+              TAG_NAME="v${MAJOR}.${MINOR}.${NEW_PATCH}-rc.${TS}.${GITHUB_SHA::7}"
             else
               # Fallback if tag format is unexpected
               TAG_NAME="${LARGEST_TAG}-rc.${TS}.${GITHUB_SHA::7}"

.github/workflows/pr-pipeline.yaml

@@ -13,7 +13,7 @@ jobs:
     - name: Set up Go
       uses: actions/setup-go@v5
       with:
-        go-version: '1.23'
+        go-version: '1.24'
 
     - name: Check out code
       uses: actions/checkout@v5
@@ -42,12 +42,53 @@ jobs:
     steps:
     - name: Check out code
       uses: actions/checkout@v5
+      with:
+        fetch-depth: 0
 
     - name: Read version from file
       id: get_version
       run: |
-        ls -la
-        echo "VERSION=$(cat version)" >> $GITHUB_ENV
+        # 1. Fetch all tags
+        git fetch --tags --force
+        
+        # 2. Get the latest tag name
+        latest_tag=$(git tag --sort=-v:refname | head -n 1)
+        
+        # 3. Handle case where no tags exist
+        if [ -z "$latest_tag" ]; then
+          new_tag="v0.1.0"
+        else
+          echo "Latest tag found: $latest_tag"
+          
+          # 4. Remove 'v' prefix for processing
+          if [[ $latest_tag == v* ]]; then
+            prefix="v"
+            version="${latest_tag#v}"
+          else
+            prefix=""
+            version="$latest_tag"
+          fi
+          
+          # 5. Split version into parts
+          IFS='.' read -r major minor patch <<< "$version"
+          
+          # ----------------------------------------------------------- #
+          # NEW: Default missing minor/patch versions to 0 for robustness
+          minor=${minor:-0}
+          patch=${patch:-0}
+          # ----------------------------------------------------------- #
+          
+          # 6. Increment the patch version
+          patch=$((patch + 1))
+          
+          # 7. Assemble the new tag
+          new_tag="${prefix}${major}.${minor}.${patch}"
+        fi
+
+        echo "Calculated new tag: $new_tag"
+        
+        # 8. Set the new tag as a GitHub Action output
+        echo "VERSION=$new_tag" >> "$GITHUB_ENV"
 
     - name: Get branch name
       id: get_branch
@@ -58,7 +99,7 @@ jobs:
           BRANCH_NAME=${GITHUB_REF#refs/heads/}
         fi
         # Replace special characters with hyphens, remove trailing hyphens, and convert to lowercase
-        SANITIZED_BRANCH_NAME=$(echo "$BRANCH_NAME" | tr -cs '[:alnum:]' '-' | sed 's/-*$//' | tr '[:upper:]' '[:lower:]')
+        SANITIZED_BRANCH_NAME=$(echo "$BRANCH_NAME" | tr -cs '[:alnum:]' '-' | sed 's/[-_]//g' | tr '[:upper:]' '[:lower:]')
         echo "BRANCH_NAME=$SANITIZED_BRANCH_NAME" >> $GITHUB_ENV
 
     - name: Get short commit SHA
@@ -87,6 +128,6 @@ jobs:
         file: ./Dockerfile
         context: .
         push: true
-        tags: ghcr.io/${{ github.repository }}:${{ env.VERSION }}-${{ env.BRANCH_NAME }}-${{ env.COMMIT_SHA }}
+        tags: ghcr.io/${{ github.repository }}:${{ env.VERSION }}-${{ env.BRANCH_NAME }}.g${{ env.COMMIT_SHA }}
         platforms: linux/amd64,linux/arm64
-
+linux/arm64

.github/workflows/release-pipeline.yaml

@@ -3,21 +3,19 @@ name: release-pipeline
 on:
   push:
     tags:
-      - '*'
+      - 'v*'
 
 jobs:
   build:
     name: Build and push Docker image
     runs-on: ubuntu-latest
+    env:
+      RELEASE_VERSION: ${{ github.ref_name }}
+
     steps:
     - name: Check out code
       uses: actions/checkout@v5
 
-    - name: Get the current tag
-      run: |
-        TAG=$(git describe --tags --abbrev=0)
-        echo "TAG=$TAG" >> $GITHUB_ENV
-
     - name: Set up QEMU
       uses: docker/setup-qemu-action@v3
 
@@ -47,6 +45,6 @@ jobs:
         context: .
         push: true
         tags: |
-          ${{ vars.DOCKER_USERNAME }}/valkey-operator:${{ env.TAG }}
-          ghcr.io/alauda/valkey-operator:${{ env.TAG }}
+          ${{ vars.DOCKER_USERNAME }}/valkey-operator:${{ env.RELEASE_VERSION }}
+          ghcr.io/${{ github.repository_owner }}/valkey-operator:${{ env.RELEASE_VERSION }}
         platforms: linux/amd64,linux/arm64

Makefile

@@ -105,7 +105,7 @@ help: ## Display this help.
 
 .PHONY: manifests
 manifests: controller-gen ## Generate WebhookConfiguration, ClusterRole and CustomResourceDefinition objects.
-	$(CONTROLLER_GEN) rbac:roleName=manager-role crd webhook paths="./..." output:crd:artifacts:config=config/crd/bases
+	$(CONTROLLER_GEN) rbac:roleName=valkey-operator-manager-role crd webhook paths="./..." output:crd:artifacts:config=config/crd/bases
 
 .PHONY: generate
 generate: controller-gen ## Generate code containing DeepCopy, DeepCopyInto, and DeepCopyObject method implementations.

cmd/main.go

@@ -81,6 +81,7 @@ func init() {
 
 func main() {
 	var metricsAddr string
+	var webhookCertPath, webhookCertName, webhookCertKey string
 	var enableLeaderElection bool
 	var probeAddr string
 	var secureMetrics bool
@@ -94,6 +95,9 @@ func main() {
 			"Enabling this will ensure there is only one active controller manager.")
 	flag.BoolVar(&secureMetrics, "metrics-secure", true,
 		"If set, the metrics endpoint is served securely via HTTPS. Use --metrics-secure=false to use HTTP instead.")
+	flag.StringVar(&webhookCertPath, "webhook-cert-path", "", "The directory that contains the webhook certificate.")
+	flag.StringVar(&webhookCertName, "webhook-cert-name", "tls.crt", "The name of the webhook certificate file.")
+	flag.StringVar(&webhookCertKey, "webhook-cert-key", "tls.key", "The name of the webhook key file.")
 	flag.BoolVar(&enableHTTP2, "enable-http2", false,
 		"If set, HTTP/2 will be enabled for the metrics and webhook servers")
 	opts := zap.Options{
@@ -120,10 +124,22 @@ func main() {
 	if !enableHTTP2 {
 		tlsOpts = append(tlsOpts, disableHTTP2)
 	}
+	// Initial webhook TLS options
+	webhookTLSOpts := tlsOpts
+	webhookServerOptions := webhook.Options{
+		TLSOpts: webhookTLSOpts,
+	}
 
-	webhookServer := webhook.NewServer(webhook.Options{
-		TLSOpts: tlsOpts,
-	})
+	if len(webhookCertPath) > 0 {
+		setupLog.Info("Initializing webhook certificate watcher using provided certificates",
+			"webhook-cert-path", webhookCertPath, "webhook-cert-name", webhookCertName, "webhook-cert-key", webhookCertKey)
+
+		webhookServerOptions.CertDir = webhookCertPath
+		webhookServerOptions.CertName = webhookCertName
+		webhookServerOptions.KeyName = webhookCertKey
+	}
+
+	webhookServer := webhook.NewServer(webhookServerOptions)
 
 	// Metrics endpoint is enabled in 'config/default/kustomization.yaml'. The Metrics options configure the server.
 	// More info:

config/crd/kustomization.yaml

@@ -16,15 +16,15 @@ resources:
 
 # [CERTMANAGER] To enable cert-manager, uncomment all the sections with [CERTMANAGER] prefix.
 # patches here are for enabling the CA injection for each CRD
-#- path: patches/cainjection_in_failovers.yaml
-#- path: patches/cainjection_in_clusters.yaml
-#- path: patches/cainjection_in_sentinels.yaml
-#- path: patches/cainjection_in_rds_valkeys.yaml
-#- path: patches/cainjection_in_users.yaml
+# - path: patches/cainjection_in_failovers.yaml
+# - path: patches/cainjection_in_clusters.yaml
+# - path: patches/cainjection_in_sentinels.yaml
+# - path: patches/cainjection_in_rds_valkeys.yaml
+# - path: patches/cainjection_in_users.yaml
 # +kubebuilder:scaffold:crdkustomizecainjectionpatch
 
 # [WEBHOOK] To enable webhook, uncomment the following section
 # the following config is for teaching kustomize how to do kustomization for CRDs.
 
 #configurations:
-#- kustomizeconfig.yaml
+# - kustomizeconfig.yaml