Source:
oceanid/sink/README.md| ✏️ Edit on GitHub
Annotations Sink
Image Versioning
All sink images are tagged with immutable git commit SHAs for deterministic deployments.
Image Tags
Images are built and pushed to GHCR with two tags:
- Immutable SHA tag:
ghcr.io/goldfish-inc/oceanid/annotations-sink:<commit-sha>(used for deployments) - Mutable main tag:
ghcr.io/goldfish-inc/oceanid/annotations-sink:main(for convenience)
Deployment Process
- Code changes: Push changes to
sink/directory onmainbranch - Build workflow: GitHub Actions automatically builds and pushes images with SHA tags
- ESC update: Deploy workflow updates Pulumi ESC config with new SHA-tagged image
- Manual deployment: Run
pulumi -C cluster uplocally to deploy new image
Current Deployed Image
# Check deployed image tag
KUBECONFIG=~/.kube/k3s-config.yaml kubectl get deploy annotations-sink -n apps -o jsonpath='{.spec.template.spec.containers[0].image}'
Rollback Procedure
To rollback to a previous version:
-
Find the git commit SHA you want to rollback to:
git log --oneline sink/ -
Update ESC config with the old SHA tag:
esc env set default/oceanid-cluster \
"pulumiConfig.oceanid-cluster:sinkImage" \
"ghcr.io/goldfish-inc/oceanid/annotations-sink:<old-commit-sha>" \
--plaintext -
Deploy the rollback:
cd cluster
pnpm build
pulumi up -
Verify rollback:
KUBECONFIG=~/.kube/k3s-config.yaml kubectl get pods -n apps -l app=annotations-sink
KUBECONFIG=~/.kube/k3s-config.yaml kubectl logs -n apps deployment/annotations-sink --tail=20
Troubleshooting
Image pull errors: Verify GHCR credentials are valid:
KUBECONFIG=~/.kube/k3s-config.yaml kubectl get secret ghcr-creds -n apps -o yaml
Pod not updating: Force restart deployment:
KUBECONFIG=~/.kube/k3s-config.yaml kubectl rollout restart deployment/annotations-sink -n apps
Check image history:
# List all sink images in GHCR
gh api /user/packages/container/oceanid%2Fannotations-sink/versions | jq -r '.[].metadata.container.tags[]' | sort