Skip to content

feat(upgrade): accurate version detection + changelog + impact table + confirm#457

Closed
pallakatos wants to merge 2 commits into
mainfrom
feat/upgrade-version-detect-changelog-impact
Closed

feat(upgrade): accurate version detection + changelog + impact table + confirm#457
pallakatos wants to merge 2 commits into
mainfrom
feat/upgrade-version-detect-changelog-impact

Conversation

@pallakatos

Copy link
Copy Markdown
Collaborator

Summary

Addresses real kars upgrade feedback from a cluster deployed before the karsRelease stamp existed (it showed Current: v0.1.0 and started immediately with no preview).

1. Accurate current-version detection

Was falling back to the chart's static appVersionv0.1.0 on any older cluster. Now resolves the real version, most-reliable first:

  1. the karsRelease Helm value stamped by a prior kars upgrade;
  2. image-digest match — read the controller pod's running image digest and match it against the digests of recent published kars-controller release tags (since az acr import preserves content-addressed digests, ACR == GHCR);
  3. static appVersion as last resort.

2. Changelog summary

Before the confirm, prints the annotated tag messages (the real feature changelog) for the versions between current and target — e.g.:

  v0.1.18
     Bound CRD watch timeout (200s < Azure LB 240s idle) across all 11 reconcilers…
  v0.1.17
     • kars up: discover + set up BYO Foundry project…
     • NEW kars upgrade: failsafe upgrade…

3. Impact table (the new ask)

Reads the live cluster and shows what will be rolling-restarted before the confirm:

  ── Impact — workloads that will be restarted ──
  TYPE        NAMESPACE           NAME             READY  IMAGE
  controller  kars-system         kars-controller  0/2    kars-controller:latest
  sandbox     kars-testkarsfinal  testkarsfinal    0/1    openclaw-sandbox:latest

  2 workload(s) will be rolling-restarted (1 controller + 1 sandbox(es)).

4. Y/N confirmation

Interactive prompt before any write; auto-proceeds under --yes / non-TTY. --dry-run shows changelog + impact + plan and exits.

Safety

All additions are read-only (kubectl get, public GitHub + GHCR APIs) with graceful fallback; the upgrade write path is unchanged, and a human confirm now gates it. Security audit: docs/internal/security-audits/2026-06-26-upgrade-version-changelog-impact.md (2 sign-offs).

Verification

  • tsc + oxlint clean, 843 tests (new releasesBetween cases).
  • Validated live against kars-aks: digest helpers collect 5 manifest digests/tag; releasesBetween("v0.1.15","v0.1.18") → v0.1.16/17/18; changelog renders real bullets from tag messages; impact table renders; --dry-run shows everything with no changes.

…+ confirm

Addresses real `kars upgrade` feedback on a cluster deployed before the
karsRelease stamp existed.

- Current-version detection: was falling back to the chart's static appVersion
  (showed v0.1.0 on any older cluster). Now resolves the real version, most-
  reliable first: (1) the karsRelease Helm value stamped by a prior upgrade,
  (2) IMAGE-DIGEST MATCH — read the controller pod's running image digest and
  match it against recent published kars-controller release digests (az acr
  import preserves content-addressed digests, so ACR==GHCR), (3) static
  appVersion as last resort.
- Changelog summary: prints the annotated tag messages (the real feature
  changelog) for the versions between current and target, before the confirm.
- Impact table: reads the live cluster (controller + all sandbox Deployments
  across namespaces) and shows what will be rolling-restarted — namespace,
  readiness, running image — the blast radius — before the confirm.
- Y/N confirmation before any write (auto-proceeds under --yes / non-TTY).
  --dry-run shows changelog + impact + plan and exits.

All additions are read-only (kubectl get, public GitHub + GHCR APIs) with
graceful fallback; the upgrade write path is unchanged.

Security audit: docs/internal/security-audits/2026-06-26-upgrade-version-changelog-impact.md (2 sign-offs).
Verification: tsc + oxlint clean, 843 tests; validated live against kars-aks
(digest match, changelog from tag messages, impact table render, dry-run).

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@github-actions

Copy link
Copy Markdown

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Scanned Files

None

…luster)

Real-world failure: a `kars upgrade` on a cluster whose nodes were all NotReady
(AKS reported Running, but every node had shutdown/unreachable/cilium-agent-not-
ready taints) ground through a 5.5-min image import and then timed out on the
8-min `helm upgrade --wait` (controller stuck 1/2, 2nd replica unschedulable),
ending in a messy `--atomic` rollback that also errored.

Add a pre-flight gate: before importing images or touching Helm, check node
readiness via `kubectl get nodes`. If ALL nodes are NotReady, abort in ~2s with
actionable guidance (check nodes / `az aks start` / describe nodes) instead of
~13 minutes of doomed work. Partial readiness is allowed but surfaced.

Verification: tsc + oxlint clean, 843 tests; proven live against the degraded
kars-aks cluster — now fails fast with a clear message and makes no changes.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@pallakatos

Copy link
Copy Markdown
Collaborator Author

Superseded by #479. This PR was branched at v0.1.18 — before the #473 kars upgrade repair (rollback, value preservation, health gating, honest version detection) landed — so it's now CONFLICTING, and merging it directly would revert that repair. #479 re-lands only the net-new, non-conflicting features (changelog summary, impact table, Y/N confirm, pre-flight node gate, and the image-digest version fallback) rebased on current main, with the write path left byte-for-byte unchanged and the audit doc in the tracked docs/security-audits/ folder. Closing in favour of #479.

@pallakatos pallakatos closed this Jun 29, 2026
pallakatos added a commit that referenced this pull request Jun 29, 2026
…t (additive, #457) (#479)

Re-lands the additive, non-conflicting parts of the stale PR #457 on top of the
current v0.1.21 hardened `kars upgrade` flow — WITHOUT touching the repaired
write path (image import → atomic Helm upgrade → mesh-first rolling restart →
health-gated success → --atomic/rollback is byte-for-byte unchanged).

New, all read-only:
- Changelog summary before the confirm: annotated tag messages for the releases
  between current and target (fetchRecentReleases/releasesBetween/fetchTagMessage
  + summarizeChangelog).
- Impact table: reads the live cluster and lists the controller + sandboxes that
  will be rolling-restarted, with readiness and running image.
- Y/N confirmation before any write; auto-proceeds under --yes or non-TTY stdin
  (existing automation unaffected).
- Pre-flight node-readiness gate: hard-blocks (no changes) only when EVERY node
  is NotReady, where the upgrade would otherwise time out + roll back.
- Version-detection fallback: when the controller runs :latest with no
  karsRelease stamp, match the running image digest to published release digests
  to recover the real "Current:" version. Inserted ONLY as a new fallback step —
  never overrides the existing image-tag or stamped-value detection.

Supersedes #457 (which was branched at v0.1.18, before the #473 upgrade repair,
and is now CONFLICTING; merging it directly would revert the repair). This brings
in just its net-new features rebased on current main, with the security-audit doc
in the tracked docs/security-audits/ folder.

Tests: release.test.ts +6 (releasesBetween x3, summarizeChangelog x3). CLI
typecheck + oxlint (0 errors) + build clean; vitest 888 pass / 2 skipped.

Co-authored-by: Pal Lakatos-Toth <pallakatos@github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant