When triggering an auto-deploy for Kubernetes, ONLY the image should be updated, nothing else

Problem Statement

In a recent demo, an upgrade of the image in use also included a change to the configuration of a deployment at the same time. This must not occur in the future. Ideally, configuration changes and image upgrades are separated into their own issues and pipelines so as to avoid mixing changes.

Utilize this issue to determine how we can minimally detect when changes other than image or chart upgrades are included. See if we can figure out how to block and stop a pipeline if such a change is detected.

Currently

We have a very basic design of asking the helm diff to be checked via a diff command that is run during auto-deployments:

However, it only looks to see if there is a MODIFY on target deployment objects. This is dangerous, as other configuration is also stored in Deployment objects (environment variables are a prime example). This leaves us vulnerable to potentially pushing a config change and an auto-deploy image change at the same time. Our current implementation is not granular enough to pick up on image-specific changes, which should be the only allowed change during auto-deployments.

Note that we have the Container Registry Migrations job that frequently shows up and Auto-Deploy jobs may remove that job. This should be considered okay.
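One way to make the check granular, as an added example (not k-ctl's code): compare the rendered objects before and after as JSON and fail on any changed field other than a container image. The `registry-migrations` Job name and the sample Deployment are assumptions constructed for the demo.

```python
import re
import sys

# Only these paths may change during an auto-deploy: container image fields.
ALLOWED = re.compile(r"^spec\.template\.spec\.(initContainers|containers)\[\d+\]\.image$")
# Assumed (placeholder) name of the migrations Job that auto-deploy may remove.
IGNORED_REMOVALS = {("Job", "registry-migrations")}
_MISSING = object()

def flatten(node, prefix=""):
    """Yield (dotted.path, scalar) for every leaf of a JSON object."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from flatten(value, f"{prefix}.{key}" if prefix else key)
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from flatten(value, f"{prefix}[{i}]")
    else:
        yield prefix, node

def index(objects):
    return {(o["kind"], o["metadata"]["name"]): dict(flatten(o)) for o in objects}

def disallowed_changes(before, after):
    """Compare two lists of rendered objects; return every change that is not an image bump."""
    old, new = index(before), index(after)
    findings = []
    for ident in sorted(old.keys() | new.keys()):
        if ident not in new:
            if ident not in IGNORED_REMOVALS:
                findings.append((ident, "<object>", "removed"))
        elif ident not in old:
            findings.append((ident, "<object>", "added"))
        else:
            a, b = old[ident], new[ident]
            findings += [(ident, p, "modified") for p in sorted(a.keys() | b.keys())
                         if a.get(p, _MISSING) != b.get(p, _MISSING) and not ALLOWED.match(p)]
    return findings

def sample(image, log_level):  # constructed Deployment for the demo
    container = {"name": "web", "image": image, "env": [{"name": "LOG_LEVEL", "value": log_level}]}
    return {"kind": "Deployment", "metadata": {"name": "web"},
            "spec": {"template": {"spec": {"containers": [container]}}}}

if __name__ == "__main__":
    bad = disallowed_changes([sample("app:1.0", "info")], [sample("app:1.1", "debug")])
    print("\n".join(f"{i[0]}/{i[1]}: {path} {what}" for i, path, what in bad))
    sys.exit(1 if bad else 0)  # a non-zero exit stops the pipeline job
```

Run stand-alone, the demo exits non-zero because the environment variable changed alongside the image; an image-only change exits 0.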

Milestones

  • Make k-ctl do the basic JSON-based object testing correctly
  • Identify what changes are required to enable us to test ahead of a deploy job (running a template command for example)
  • Identify a system which can perform the test for us
  • Implement
Edited by Siddharth Kannan