db-operator · allanger · Jan 16, 2026 · Jan 16, 2026 · Jan 16, 2026 · Jan 16, 2026
diff --git a/.github/workflows/helm-workflow.yaml b/.github/workflows/helm-workflow.yaml
@@ -7,37 +7,37 @@ on:
     branches:
       - main
 env:
-  HELM_VERSION: v3.19.0
-  HELMFILE_VERSION: v1.1.2
-  PYTHON_VERSION: 3.13
+  HELM_VERSION: v4.0.5
+  HELMFILE_VERSION: v1.2.3
+  PYTHON_VERSION: 3.14
 jobs:
   lint:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v6
         with:
           fetch-depth: 0
       - name: Set up Go
-        uses: actions/setup-go@v3
+        uses: actions/setup-go@v6
       - name: Set up Helm
         uses: azure/setup-helm@v4.3.0
         with:
           version: ${{ env.HELM_VERSION }}
-      - uses: actions/setup-python@v4
+      - uses: actions/setup-python@v6
         with:
           python-version: ${{ env.PYTHON_VERSION }}
           check-latest: true
       - name: Set up chart-testing
-        uses: helm/chart-testing-action@v2.6.0
+        uses: helm/chart-testing-action@v2.8.0
       - name: Run chart-testing (lint)
         run: ct lint --target-branch main --validate-maintainers=false
   test-values:
     needs: lint
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v6
       - name: Run the test
         run: |
           cd charts/db-operator
@@ -48,27 +48,27 @@ jobs:
     strategy:
       matrix:
         k8s_version:
-          - v1.30.13
-          - v1.31.9
-          - v1.32.5
-          - v1.33.1
+          - v1.35.0
+          - v1.34.3
+          - v1.33.7
+          - v1.32.11
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v6
         with:
           fetch-depth: 0
       - name: Set up Go
-        uses: actions/setup-go@v3
+        uses: actions/setup-go@v6
       - name: Set up Helm
-        uses: azure/setup-helm@v3
+        uses: azure/setup-helm@v4.3.0
         with:
           version: ${{ env.HELM_VERSION }}
-      - uses: actions/setup-python@v4
+      - uses: actions/setup-python@v6
         with:
           python-version: ${{ env.PYTHON_VERSION }}
           check-latest: true
       - name: Set up chart-testing
-        uses: helm/chart-testing-action@v2.6.1
+        uses: helm/chart-testing-action@v2.8.0
       # It's not used anymore, but it's a small step, maybe we'll need it in the future, so let it be here
       - name: Run chart-testing (list-changed)
         id: list-changed
@@ -89,25 +89,24 @@ jobs:
             - role: worker
           EOF
       - name: Create kind cluster
-        uses: helm/kind-action@v1.7.0
+        uses: helm/kind-action@v1.13.0
         with:
           node_image: kindest/node:${{ matrix.k8s_version }}
           config: ./kind-config.yaml
 
-      - uses: helmfile/helmfile-action@v1.0.0
+      - uses: helmfile/helmfile-action@v2.1.0
         with:
           helmfile-version: ${{ env.HELMFILE_VERSION }}
           helm-version: ${{ env.HELM_VERSION }}
-          helm-plugins: >
-            https://github.com/databus23/helm-diff, https://github.com/jkroepke/helm-secrets
+          helmfile-auto-init: true
           helmfile-args: sync --wait
 
       - name: Test the db-operator chart install
         run: |
           ct install --target-branch main --charts ./charts/db-operator
           helmfile destroy
 
-      - uses: helmfile/helmfile-action@v1.0.0
+      - uses: helmfile/helmfile-action@v2.1.0
         with:
           helmfile-version: ${{ env.HELMFILE_VERSION }}
           helm-version: ${{ env.HELM_VERSION }}
@@ -118,7 +117,7 @@ jobs:
           ct install --target-branch main --charts ./charts/db-operator --upgrade
           helmfile destroy
 
-      - uses: helmfile/helmfile-action@v1.0.0
+      - uses: helmfile/helmfile-action@v2.1.0
         with:
           helmfile-version: ${{ env.HELMFILE_VERSION }}
           helm-version: ${{ env.HELM_VERSION }}
@@ -129,7 +128,7 @@ jobs:
           ct install --target-branch main --charts ./charts/db-instances
           helmfile destroy
 
-      - uses: helmfile/helmfile-action@v1.0.0
+      - uses: helmfile/helmfile-action@v2.1.0
         with:
           helmfile-version: ${{ env.HELMFILE_VERSION }}
           helm-version: ${{ env.HELM_VERSION }}
@@ -145,18 +144,39 @@ jobs:
     if: github.ref == 'refs/heads/main'
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v6
         with:
           fetch-depth: 0
       - name: Configure Git
         run: |
           git config user.name "$GITHUB_ACTOR"
           git config user.email "$GITHUB_ACTOR@users.noreply.github.com"
       - name: Install Helm
-        uses: azure/setup-helm@v3
+        uses: azure/setup-helm@v4.3.0
         with:
           version: ${{ env.HELM_VERSION }}
+      - name: Push Helm chart to OCI compatible registry (Github)
+        run: |
+          export BRANCH=${GITHUB_HEAD_REF:-${GITHUB_REF#refs/heads/}}
+          export SHA="+$(git rev-parse --short HEAD)"
+          helm registry login ghcr.io \
+            --username ${{ github.actor }} \
+            --password ${{ github.token }}
+          for chart in $(find charts -maxdepth 1 -mindepth 1 -type d); do
+            if [ "${BRANCH}" != "main" ]; then
+              yq e -i ".version += env(SHA)" "$chart/Chart.yaml"
+            fi
+            helm dep build $chart
+            helm package $chart -d chart-packages;
+          done
+          charts=$(find chart-packages -maxdepth 1 -mindepth 1 -type f)
+          REGISTRY=$(echo oci://ghcr.io/${{ github.repository }} | tr '[:upper:]' '[:lower:]')
+          for chart in $charts; do
+            echo ${chart}
+            echo "${REGISTRY}"
+            helm push "${chart}" "${REGISTRY}"
+          done
       - name: Run chart-releaser
-        uses: helm/chart-releaser-action@v1.4.0
+        uses: helm/chart-releaser-action@v1.7.0
         env:
           CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
diff --git a/charts/db-operator/Chart.yaml b/charts/db-operator/Chart.yaml
@@ -1,7 +1,7 @@
 apiVersion: v2
 type: application
 name: db-operator
-version: 2.2.0
+version: 2.3.0
 
 # ---------------------------------------------------------------------------------
 # -- All supported k8s versions are in the test:

diff --git a/...templates/crds/kinda.rocks_databases.yaml → ...b-operator/crd/kinda.rocks_databases.yaml b/...templates/crds/kinda.rocks_databases.yaml → ...b-operator/crd/kinda.rocks_databases.yaml
@@ -1,36 +1,11 @@
-{{- if .Values.crds.install }}
 ---
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
     controller-gen.kubebuilder.io/version: v0.14.0
-    {{- if .Values.webhook.certificate.create }}
-    cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ .Values.webhook.certificate.name}}
-    {{ else }}
-    cert-manager.io/inject-ca-from-secret: {{ .Release.Namespace }}/{{ .Values.webhook.certificate.secretName}}
-    {{- end }}
-    {{- if .Values.crds.keep }}
-    helm.sh/resource-policy: keep
-    {{- end }}
-    {{- with .Values.crds.annotations }}
-    {{- toYaml . | nindent 4 }}
-    {{- end }}
   name: databases.kinda.rocks
 spec:
-  {{- if .Values.webhook.enabled }}
-  conversion:
-    strategy: Webhook
-    webhook:
-      clientConfig:
-        service:
-          namespace: {{ .Release.Namespace }}
-          name: {{ include "webhook.name" . }}
-          path: /convert
-      conversionReviewVersions:
-        - v1alpha1
-        - v1beta1
-  {{- end }}
   group: kinda.rocks
   names:
     kind: Database
@@ -567,4 +542,3 @@ spec:
     storage: true
     subresources:
       status: {}
-{{- end }}
diff --git a/...mplates/crds/kinda.rocks_dbinstances.yaml → ...operator/crd/kinda.rocks_dbinstances.yaml b/...mplates/crds/kinda.rocks_dbinstances.yaml → ...operator/crd/kinda.rocks_dbinstances.yaml
@@ -1,36 +1,11 @@
-{{- if .Values.crds.install }}
 ---
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
     controller-gen.kubebuilder.io/version: v0.14.0
-    {{- if .Values.webhook.certificate.create }}
-    cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ .Values.webhook.certificate.name}}
-    {{ else }}
-    cert-manager.io/inject-ca-from-secret: {{ .Release.Namespace }}/{{ .Values.webhook.certificate.secretName}}
-    {{- end }}
-    {{- if .Values.crds.keep }}
-    helm.sh/resource-policy: keep
-    {{- end }}
-    {{- with .Values.crds.annotations }}
-    {{- toYaml . | nindent 4 }}
-    {{- end }}
   name: dbinstances.kinda.rocks
 spec:
-  {{- if .Values.webhook.enabled }}
-  conversion:
-    strategy: Webhook
-    webhook:
-      clientConfig:
-        service:
-          namespace: {{ .Release.Namespace }}
-          name: {{ include "webhook.name" . }}
-          path: /convert
-      conversionReviewVersions:
-        - v1alpha1
-        - v1beta1
-  {{- end }}
   group: kinda.rocks
   names:
     kind: DbInstance
@@ -443,4 +418,3 @@ spec:
     storage: true
     subresources:
       status: {}
-{{- end }}
diff --git a/...or/templates/crds/kinda.rocks_dbuser.yaml → .../db-operator/crd/kinda.rocks_dbusers.yaml b/...or/templates/crds/kinda.rocks_dbuser.yaml → .../db-operator/crd/kinda.rocks_dbusers.yaml
@@ -1,21 +1,9 @@
-{{- if .Values.crds.install }}
 ---
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
     controller-gen.kubebuilder.io/version: v0.14.0
-    {{- if .Values.webhook.certificate.create }}
-    cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ .Values.webhook.certificate.name}}
-    {{ else }}
-    cert-manager.io/inject-ca-from-secret: {{ .Release.Namespace }}/{{ .Values.webhook.certificate.secretName}}
-    {{- end }}
-    {{- if .Values.crds.keep }}
-    helm.sh/resource-policy: keep
-    {{- end }}
-    {{- with .Values.crds.annotations }}
-    {{- toYaml . | nindent 4 }}
-    {{- end }}
   name: dbusers.kinda.rocks
 spec:
   group: kinda.rocks
@@ -186,4 +174,3 @@ spec:
     storage: true
     subresources:
       status: {}
-{{- end }}
diff --git a/charts/db-operator/templates/crds.yaml b/charts/db-operator/templates/crds.yaml
@@ -0,0 +1,54 @@
+{{- if .Values.crds.install }}
+{{- $manifests := dict }}
+{{- range $path, $index :=  .Files.Glob  "crd/*" }}
+  {{- $file := $.Files.Get $path }}
+  {{- $_ := set $manifests ($index | toString ) $file }}
+{{- end }}
+{{- range $_, $file := $manifests }}
+---
+{{- $manifest := $file | fromYaml }}
+apiVersion: {{ get $manifest "apiVersion" }}
+kind: {{ get $manifest "kind" }}
+{{- $metadata := get $manifest "metadata" }}
+metadata:
+  name: {{ get $metadata "name" }}
+  {{- with $.Values.labels }}
+  labels:
+    {{- . | toYaml | nindent 4 }}
+  {{- end }}
+  {{- $crdAnnotations := get $metadata "annotations" }}
+  {{- $annotations :=  merge $crdAnnotations $.Values.annotations }}
+  annotations:
+    {{- $annotations | toYaml | nindent 4 }}
+    {{- if $.Values.webhook.certificate.create }}
+    cert-manager.io/inject-ca-from: {{ $.Release.Namespace }}/{{ $.Values.webhook.certificate.name}}
+    {{ else }}
+    cert-manager.io/inject-ca-from-secret: {{ $.Release.Namespace }}/{{ $.Values.webhook.certificate.secretName}}
+    {{- end }}
+    {{- if $.Values.crds.keep }}
+    helm.sh/resource-policy: keep
+    {{- end }}
+spec:
+{{- if (or 
+    (eq $manifest.metadata.name "databases.kinda.rocks") 
+    (eq $manifest.metadata.name "dbinstances.kinda.rocks") 
+  )
+}}
+{{- if $.Values.webhook.enabled }}
+  conversion:
+    strategy: Webhook
+    webhook:
+      clientConfig:
+        service:
+          namespace: {{ $.Release.Namespace }}
+          name: {{ include "webhook.name" . }}
+          path: /convert
+      conversionReviewVersions:
+        - v1alpha1
+        - v1beta1
+{{- end }}
+{{- end }}
+{{ get $manifest "spec" | toYaml | indent 2 }}
+{{- end }}
+
+{{- end }}
diff --git a/helmfile.yaml.gotmpl b/helmfile.yaml.gotmpl
@@ -5,17 +5,19 @@ environments:
 ---
 repositories:
   - name: jetstack
-    url: https://charts.jetstack.io
+    url: quay.io/jetstack/charts
+    oci: true
   - name: bitnami
     url: https://charts.bitnami.com/bitnami
   - name: prometheus-community
-    url: https://prometheus-community.github.io/helm-charts
+    url: ghcr.io/prometheus-community/charts
+    oci: true
 
 releases:
   - name: cert-manager
     chart: jetstack/cert-manager
     namespace: cert-manager
-    version: v1.16.1
+    version: v1.19.2
     createNamespace: true
     values:
       - crds:
@@ -46,7 +48,7 @@ releases:
 
   - name: prometheus-stack
     namespace: monitoring
-    version: 65.3.2
+    version: 80.14.4
     createNamespace: true
     disableValidation: true
     disableOpenAPIValidation: true
@@ -57,16 +59,10 @@ releases:
       - prometheus:
           prometheusSpec:
             enableAdminAPI: true
-            podMonitorNamespaceSelector:
-              any: true
             podMonitorSelector: {}
             podMonitorSelectorNilUsesHelmValues: false
-            ruleNamespaceSelector:
-              any: true
             ruleSelector: {}
             ruleSelectorNilUsesHelmValues: false
-            serviceMonitorNamespaceSelector:
-              any: true
             serviceMonitorSelector: {}
             serviceMonitorSelectorNilUsesHelmValues: false