[Tools] Improve setup_local_ce.py script RC versions support and image tag selection

[adamdelman]

Description

Refactors and hardens the local CE installer to improve version discovery, default image selection, and operational robustness. The script now uses semver for GitHub tag ordering (with optional RC support), prefers chart-pinned image tags by default, exposes explicit CLI switches for version policy, and strengthens Helm/Kubernetes flows and debug output.

---

Changes

Version discovery and policy

• Added semver-based parsing and ordering for tags, including normalization of prerelease labels (rc38 → rc.38) to ensure correct comparisons.
• Introduced VersionSource and GitHubApiPath enums and centralized GitHub access in _github_get_json(...) with optional token auth.
• New resolvers:
  • resolve_from_releases(...) – highest semantic release (optionally includes prereleases).
  • resolve_from_tags(...) – tag-based fallback.
  • choose_first_matching_version(...) – stable-only vs. stable+RC enforcement.
• Extended get_latest_valid_version(...) with:
  • allow_dev_versions: bool – enables RC selection.
  • version_source: "auto" | "release" | "tag" – controls and orders source preference.

Chart defaults vs. “latest”

• Added _read_chart_image_versions(...) to read MLRun/Nuclio tags from chart values (cleaning leading v and architecture suffices).
• Chart-pinned tags are now preferred by default; GitHub lookup is optional via flag.
• setup_ce(...) / install_ce(...) now auto-resolve missing CE/MLRun/Nuclio versions using chart values or GitHub, respecting --dev-versions.

CLI and UX

• New flags:
  • --dev-versions – allow RC tags.
  • --use-latest-versions – ignore chart tags and query GitHub.
• Migrated all paths to pathlib.Path and strengthened typing across helpers.
• Improved debug logging and docstrings for echo_color(...), run_command(...), and related helpers.

Command execution, Helm, and Kubernetes

• run_command(...) now:
  • Auto-adds --debug to Helm commands when debug mode is on.
  • Prints combined stdout+stderr under [COMMAND OUTPUT] on failures before raising/warning.
• Improved Helm robustness:
  • Defensive repo handling in ensure_helm_repo(...) and update_helm_repos(...).
  • Debug-aware helm status during ingress setup.
• Namespace and /etc/hosts safety:
  • clear_namespaces(...) skips missing namespaces instead of erroring.
  • /etc/hosts updates now back up the file and apply changes via a temp file swap.

Image upgrade flow

• upgrade_images(...):

  • Reads chart defaults first when use_chart_versions=True.
  • Falls back to GitHub when chart values are missing or --use-latest-versions is set.
  • Removes leading v from MLRun/Jupyter tags before applying chart values.
  • Only sets Helm image keys when values exist (avoids overriding chart defaults).
  • Rebuilds dependencies before applying upgrades.

• install_ce(...) orchestrates the entire workflow with the new version-policy logic and improved logging.

---

Testing

• Verified namespace clearing skips non-existent namespaces safely.
• Confirmed prerelease ordering (1.10.0-rc38 > 1.9.2) when --dev-versions is used.
• Default install uses chart-pinned MLRun/Nuclio tags.
• --use-latest-versions correctly pulls versions from GitHub with fallback logic.
• Failure paths surface combined command output via [COMMAND OUTPUT].

---

Breaking Changes

• None intended; version selection may behave more strictly or more predictably depending on tag formats.

https://iguazio.atlassian.net/browse/ML-11621

[liranbg]

why

[liranbg]

Suggested change

	# For jupyter and log-collector images, drop a leading 'v' if provided
	# For mlrun images, drop a leading 'v' if provided

[liranbg]

use namedtuple, it would be better

[liranbg]

what do you max on? the major? if all versions are [(1,1,0), (1,2,0)] how will it take the second item?

[liranbg]

I dont understand the definition of "latest valid"). I think we need to condition these 2 flows into

1. by default, get the latest GA versions and use them
2. if provided with --devel or so flag, take latest-greatest RC available

[liranbg]

still relevant - https://github.com/mlrun/mlrun/pull/8802/files#r2476835951

[liranbg]

why do you need to get all_releases and not get the release marked as latest?

[adamdelman]

/releases/latest only returns the most recent stable release and skips RCs or newer tags, so we fetch all releases to pick the true latest by semver.