mongodb: vendor chart via git subtree (alternative to #2420)

.github/copilot-instructions.md

@@ -26,7 +26,7 @@ When reviewing a PR, analyze changes against the following. Post inline comments
 | **Version coherence** | Bumps to `VERSION` / `deps.yaml` / `solution/zenkoversion.yaml` should stay mutually consistent. Feature flags or capabilities added in `zenkoversion.yaml` must correspond to service versions that actually support them. |
 | **Dockerfiles** (`solution/kafka/`, `solution/kafka-connect/`...) | Base images pinned by tag or digest, no secrets baked in, no unnecessary `COPY . .`, reasonable layer count, user is non-root where possible. |
 | **Helm charts & K8s manifests** (`solution-base/mongodb/charts/`, `monitoring/`) | Resource requests/limits set, label selectors match, no hard-coded namespaces, `securityContext` present, ServiceAccount scoping minimal. Any breaking chart-value renames documented in an upgrade note. |
-| **Chart upgrade path** (`solution-base/mongodb/patches/`, `how_to_upgrade.md`) | If chart version or MongoDB version changes, upgrade notes are updated and patches still apply cleanly. |
+| **Chart upgrade path** (`solution-base/mongodb/Makefile`, `how_to_upgrade.md`) | If chart version or MongoDB version changes, upgrade notes are updated and the `git subtree merge --squash` produced by `make vendor-sync` resolves cleanly against our local commits. |
 | **TypeScript tests** (`tests/functional/ctst/`, `tests/workflows/`) | Proper `async`/`await`, no swallowed promise rejections, Cucumber step definitions register correctly, no accidental `.only` / `.skip`, correct use of World context in ctst. |
 | **Python tests** (`tests/zenko_tests/`) | No bare `except:`, specific exception types, consistency with existing style, `requirements.txt` kept in sync. |
 | **CI workflows** (`.github/workflows/`) | Actions pinned (tag or SHA), secrets not echoed to logs, `permissions:` block scoped minimally, reusable-workflow inputs/secrets wired correctly, runner labels valid for Scality infra. |

.github/workflows/end2end.yaml

@@ -188,27 +188,6 @@ jobs:
           password: ${{ secrets.ARTIFACTS_PASSWORD }}
           source: /tmp/artifacts
         if: always()
-
-  check-mongo-patches:
-    runs-on: ubuntu-24.04
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v6
-      - name: fetch mongo charts
-        run: make fetch-mongodb-sharded
-        working-directory: ./solution-base/mongodb
-      - name: apply patches to charts
-        run: make patch
-        working-directory: ./solution-base/mongodb
-      - name: compare with upstream charts and fail if diff exists
-        run: |
-          if [ -n "$(git status --porcelain)" ]; then
-            echo "Differences found between committed patches and applied patches:"
-            git diff
-            exit 1
-          else
-            echo "No differences found. All patches match their committed versions."
-          fi
 
   build-doc:
     runs-on: ubuntu-22.04

solution-base/mongodb/Makefile

@@ -1,23 +1,49 @@
-ROOT_DIR:=$(shell dirname $(realpath $(lastword $(MAKEFILE_LIST))))
-CHART_DIR:="${ROOT_DIR}/charts"
+BITNAMI_REMOTE := bitnami-charts
+BITNAMI_REPO   := https://github.com/bitnami/charts.git
 
-CHART_REPO:="https://charts.bitnami.com/bitnami"
-CHART_MONGO_SHARDED_VERSION:="9.4.4"
+CHART         := mongodb-sharded
+CHART_VERSION := 9.4.4
+CHART_REF     := $(CHART)/$(CHART_VERSION)
 
-PATCH_DIR:="${ROOT_DIR}/patches"
-PATCH_FILES:=$(shell ls -d ${PATCH_DIR}/*)
-HELM=helm
+# Repo-relative path of the vendored chart (needed by `git subtree`).
+REPO_CHART_PREFIX  := solution-base/mongodb/charts/$(CHART)
+# Path relative to this Makefile's directory (where `helm` runs).
+LOCAL_CHART_PREFIX := charts/$(CHART)
 
-.PHONY: fetch patch
+VENDOR_BRANCH := vendor/$(CHART_REF)
 
-fetch-mongodb-sharded:
-	@rm -rf ${CHART_DIR}
-	@${HELM} fetch mongodb-sharded \
-		--repo ${CHART_REPO} \
-		--version ${CHART_MONGO_SHARDED_VERSION} \
-		--untar \
-		--untardir ${CHART_DIR}
+HELM := helm
 
-patch:
-	@git apply --check ${PATCH_FILES}
-	@git apply ${PATCH_FILES}
+.PHONY: create-remote fetch-remote update-vendor-branch vendor-sync deps
+
+create-remote:
+	@git remote get-url $(BITNAMI_REMOTE) >/dev/null 2>&1 || \
+		git remote add $(BITNAMI_REMOTE) $(BITNAMI_REPO)
+
+# Fetch full main + the target chart tag so `git subtree split` can synthesize
+# the chart's history. `--no-tags` avoids importing bitnami/charts' ~1000 tags
+# (one per chart-version bump across every chart) into the Zenko repo.
+fetch-remote: create-remote
+	git fetch --no-tags $(BITNAMI_REMOTE) main
+	git fetch --no-tags $(BITNAMI_REMOTE) refs/tags/$(CHART_REF):refs/tags/$(CHART_REF)
+
+update-vendor-branch: fetch-remote
+	-git branch -D $(VENDOR_BRANCH)
+	git subtree split --prefix=bitnami/$(CHART) $(CHART_REF) -b $(VENDOR_BRANCH)
+
+# Maintainer-only: bump CHART_VERSION above, then `make vendor-sync` to merge
+# upstream into our prefix. Resolves merge conflicts against our local commits
+# the same way any git merge does.
+vendor-sync: update-vendor-branch
+	git subtree merge --prefix=$(REPO_CHART_PREFIX) $(VENDOR_BRANCH) --squash
+	@$(MAKE) deps
+
+# Resolve and extract the `bitnami/common` library chart so it appears as a
+# subdirectory (required by `solution-base/build.sh`'s `helm template`).
+deps:
+	@$(HELM) dependency build $(LOCAL_CHART_PREFIX)
+	@cd $(LOCAL_CHART_PREFIX)/charts && \
+		for tgz in *.tgz; do \
+			[ -f "$$tgz" ] || continue; \
+			tar xzf "$$tgz" && rm "$$tgz"; \
+		done