GKESRE-1438 Rebase fork on upstream: Bazel 9 + Go 1.26, GitHub App auth, optional namespace #13
Draft
rajatvig wants to merge 12 commits into
[docs] Fix broken links in README.md
* upgrade modules
* no vendor
* update tests
* update e2e
* go mod tidy
* bump go
* update k8s client
* canonical bcr name for rules_go and gazelle
* upgrade protobuf
* fix e2e
* cleanup
* upgrade k8s client
Signed-off-by: Vincent Composieux <vincent@composieux.fr>
…terci#63)
* fix: export RUNFILES_DIR for child bash scripts
Add RUNFILES_DIR=${RUNFILES} to async function so that child bash scripts (like .push scripts) can find runfiles.bash. Without this, child scripts fail with "runfiles.bash initializer cannot find bazel_tools/tools/bash/runfiles/runfiles.bash" error.
The issue occurs because:
- Parent scripts only export PYTHON_RUNFILES (Python-specific)
- Child bash scripts check RUNFILES_DIR environment variable
- Without RUNFILES_DIR, runfiles.bash initialization fails
* fix: export RUNFILES_DIR in k8s_gitops.sh.tpl for k8s_deploy
Add RUNFILES_DIR=${RUNFILES} to async function in k8s_gitops.sh.tpl. This template is used by k8s_deploy.apply (not k8s_test_namespace.sh.tpl which is for tests only).
* fix: export RUNFILES_DIR in kubectl.sh.tpl for k8s_deploy.apply
Add RUNFILES_DIR=${RUNFILES} to async function in kubectl.sh.tpl. This is the actual template used by the kubectl rule which generates the k8s_deploy.apply target.
Remove incompatible_use_toolchain_transition
- Bump Bazel to 9.1.1, rules_go to 0.61.1, gazelle to 0.51.3, aspect_bazel_lib to 2.21.1, rules_oci to 2.3.0
- Add rules_shell dependency and load sh_binary/sh_test from it where BUILD files relied on the native rules removed in Bazel 9, including the generated BUILD file of the downloaded kustomize repository
- Drop --noincompatible_sandbox_hermetic_tmp from .bazelrc (flag no longer exists in Bazel 9)
- Bump Go to 1.26 and upgrade all Go module dependencies (k8s.io 0.36.2, go-containerregistry 0.21.7, go-gitlab 0.115.0, ...)
- Regenerate it_manifest_filter golden files: apimachinery no longer serializes creationTimestamp: null
- Rename fasttemplate example funcs to satisfy the vet examples check (the Template type they referred to does not exist in this fork)
Signed-off-by: Rajat Vig <rvig@etsy.com>
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01Q72xp7ZYMA7UvaUEAkRP7F
Add a 'github_app' git server option to create_gitops_prs that authenticates with GitHub App credentials and creates the deployment commit and pull request entirely through the GitHub API, producing commits signed by the app.
- New gitops/git/github_app package: installation-token transport via bradleyfalzon/ghinstallation, CreatePR, and CreateCommit which uploads the modified files as a tree, commits it, and opens the PR. Configured with -github_app_id, -github_installation_id, -private_key, -github_app_repo_owner, -github_app_repo and optional -github_app_enterprise_host flags.
- create_gitops_prs: with -git_server github_app, collect the files modified by the gitops targets and commit them via the GitHub API to the -branch_name branch instead of pushing the local deployment branches. PR title/body fall back to Buildkite pipeline metadata when available.
- git: add Repo.GetModifiedFiles.
- Upgrade go-github from v32 to v88 (required by ghinstallation v2.19.0) and migrate to its options-based client API.
Signed-off-by: Rajat Vig <rvig@etsy.com>
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01Q72xp7ZYMA7UvaUEAkRP7F
Allow k8s_deploy to be used with manifests that carry their own
namespaces (including manifests spanning multiple namespaces) instead
of forcing a single namespace on every resource:
- namespace is no longer mandatory for gitops k8s_deploy; when unset,
the NAMESPACE template variable and kustomize namespace field are
simply omitted so resource namespaces are used as-is.
- New respect_resource_namespace option: when set together with a
namespace, kustomize uses a NamespaceTransformer with unsetOnly so
resources that already declare a namespace keep it, and .apply pipes
the manifests through the set_namespace tool instead of forcing the
rule namespace.
- New app_name attribute names the gitops output directory
({gitops_path}/{app_name}/{cluster}) since the namespace can no
longer be used as the directory name.
Signed-off-by: Rajat Vig <rvig@etsy.com>
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01Q72xp7ZYMA7UvaUEAkRP7F
Description
Rebuilds our fork on top of the latest upstream fasterci/rules_gitops (be83981, merge of upstream PR fasterci#65), keeping only the two Etsy-specific features we need as clean, individually upstreamable commits:
- (fd81871) — Bazel 9.1.1, Go 1.26.4, rules_go 0.61.1, gazelle 0.51.3, rules_shell loads for sh_binary/sh_test (removed as native rules in Bazel 9), drops the removed --noincompatible_sandbox_hermetic_tmp flag, and upgrades all Go module dependencies (k8s.io 0.36.x, protobuf 1.36.x, etc.).
- (922220b) — new git_server=github_app mode for create_gitops_prs: a gitops/git/github_app package that authenticates with GitHub App credentials (ghinstallation v2.19.0, go-github v88) and creates the deployment commit and PR entirely through the GitHub API, producing app-signed commits.
- respect_resource_namespace (7d12e9e) — namespace is no longer mandatory for gitops k8s_deploy; respect_resource_namespace uses an unsetOnly NamespaceTransformer and the set_namespace tool so manifests that declare their own namespaces (including multi-namespace deployments) keep them; new app_name attribute names the gitops output directory.

Because the branch restarts from upstream history, the diff against main is effectively a fork re-baseline: it also picks up everything upstream shipped since we forked (Bazel 8/9 support, bazel_flag, .diff target, RUNFILES_DIR fix, protobuf migration, vendoring removal).

Intentionally dropped from the old fork history (cherry-pick later if needed): the Buildkite-specific create_gitops_prs.tpl.sh branch-name hack (pass --branch_name/--git_server github_app via the rule's "${@}" passthrough instead), the Etsy-only attrs on create_gitops_prs, the push_oci external-image fix, and the fork CI workflow.
Related Issue
Internal fork maintenance — no upstream issue. (GKESRE-834 covers the original GitHub App signed-commits work being preserved here.)
Motivation and Context
Our fork had diverged from upstream and was missing fixes we need, most importantly Bazel 9 support. Rebuilding from upstream with the two Etsy features isolated as minimal-diff commits keeps the fork easy to maintain and positions each feature to be proposed upstream separately.
How Has This Been Tested?
- go build ./..., go vet ./gitops/..., and go test ./... pass at each commit (Go 1.26.4), including the new github_app package tests.
- .bzl/BUILD changes were ported from the etsy-upstream-rebase branch (previously exercised against Bazel 9) plus syntax checks; bazel build //... && bazel test //... with Bazel 9.1.1 still needs a run on a machine with Bazel — this is why the PR is a draft. The first Bazel run will also refresh MODULE.bazel.lock, which should be committed.
main.
Types of changes
Breaking relative to the old fork main: gitops output paths use {gitops_path}/{app_name}/{cluster} (default app_name = "myapp"), and the Buildkite tpl.sh hack is gone (flags must be passed to the rule instead). Breaking relative to upstream: none intended.
Checklist:
🤖 Generated with Claude Code
https://claude.ai/code/session_01Q72xp7ZYMA7UvaUEAkRP7F
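
The three namespace modes described in the commit message and PR description, modelled as an added Go example (not code from this PR or from rules_gitops) that lists which namespaces a deploy would touch under each mode. The function name, the JSON manifests and the team-a/team-b namespaces are constructed for illustration, and the model does not treat cluster-scoped kinds specially.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

type resource struct {
	Metadata struct {
		Namespace string `json:"namespace"`
	} `json:"metadata"`
}

// effectiveNamespaces returns the sorted set of namespaces a deploy touches:
//   ruleNS == ""         resource namespaces are used as-is
//   ruleNS set, !respect ruleNS is forced onto every resource
//   ruleNS set, respect  ruleNS only fills resources that declare none (unsetOnly)
func effectiveNamespaces(manifests []string, ruleNS string, respect bool) ([]string, error) {
	seen := map[string]bool{}
	for _, m := range manifests {
		var r resource
		if err := json.Unmarshal([]byte(m), &r); err != nil {
			return nil, fmt.Errorf("parse manifest: %w", err)
		}
		ns := r.Metadata.Namespace
		if ruleNS != "" && (!respect || ns == "") {
			ns = ruleNS
		}
		seen[ns] = true // "" means no namespace was set by manifest or rule
	}
	out := make([]string, 0, len(seen))
	for ns := range seen {
		out = append(out, ns)
	}
	sort.Strings(out)
	return out, nil
}

// Constructed sample manifests (JSON keeps the example stdlib-only).
var sample = []string{
	`{"kind":"Deployment","metadata":{"name":"web","namespace":"team-a"}}`,
	`{"kind":"ConfigMap","metadata":{"name":"cfg"}}`,
	`{"kind":"RoleBinding","metadata":{"name":"rb","namespace":"team-b"}}`,
}

func main() {
	got, err := effectiveNamespaces(sample, "team-a", true)
	fmt.Println(got, err)
}
```

With the rule namespace forced, the sample touches only team-a; with respect_resource_namespace semantics it also touches team-b, which is the set a reviewer would compare against what the target is expected to manage.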