[system] Pin PostgreSQL 17.7-standard-trixie for system databases#2363
[system] Pin PostgreSQL 17.7-standard-trixie for system databases#2363IvanHunters wants to merge 3 commits intomainfrom
Conversation
…databases Partially reverts #2304 by removing explicit imageName specification from system database manifests (Harbor, Keycloak, Grafana, Alerta, SeaweedFS). This allows CNPG operator to manage PostgreSQL versions according to operator defaults and ClusterImageCatalog configuration. Signed-off-by: IvanHunters <[email protected]>
This change pins the PostgreSQL image to version 17.7-standard-trixie for all system databases (keycloak-db, harbor-db, grafana-db, alerta-db, seaweedfs-db) to ensure consistency and use the Debian Trixie base image. Changes: - Updated database templates for system components to use ghcr.io/cloudnative-pg/postgresql:17.7-standard-trixie - Replaced migration 37 with a script that updates existing CNPG clusters to use the new image version - Migration safely identifies system databases by checking for the absence of the apps.cozystack.io/application.name label to avoid touching user-created Postgres applications Signed-off-by: IvanHunters <[email protected]>
📝 WalkthroughWalkthroughUpdates PostgreSQL CNPG cluster image tag from Changes
Estimated code review effort🎯 2 (Simple) | ⏱️ ~10 minutes Poem
🚥 Pre-merge checks | ✅ 3✅ Passed checks (3 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
Signed-off-by: IvanHunters <[email protected]>
There was a problem hiding this comment.
Code Review
This pull request updates the PostgreSQL image for system databases (Keycloak, Harbor, Grafana, Alerta, and SeaweedFS) to 17.7-standard-trixie across Helm templates and introduces a migration script to update existing clusters. Several issues were identified in the migration script: a versioning regression that might cause the migration to be skipped on some systems, the use of the pipefail bashism in a script with a /bin/sh shebang, and potential failures in identifying Harbor databases if a fullnameOverride is used. Additionally, the script's efficiency could be improved by reducing the number of kubectl calls within the loop.
| kubectl create configmap -n cozy-system cozystack-version \ | ||
| --from-literal=version=38 --dry-run=client -o yaml | kubectl apply -f- |
There was a problem hiding this comment.
The migration versioning appears to be regressing. The previous version of this file (Migration 37) moved the system to version 38. This updated version moves it to 37. Any system that has already applied the previous version of migration 37 will have its cozystack-version set to 38, causing the migration runner to skip this updated script. To ensure this migration runs on all existing installations, it should be assigned a higher version number (e.g., 38 or 39) and update the ConfigMap accordingly.
| # NOTE: This migration ONLY updates system CNPG Cluster resources (clusters.postgresql.cnpg.io), | ||
| # NOT user-created Postgres applications (postgreses.apps.cozystack.io). | ||
|
|
||
| set -euo pipefail |
There was a problem hiding this comment.
The set -o pipefail option is a bashism and is not supported by all POSIX-compliant shells, such as dash (the default /bin/sh on many Debian-based systems). Since the shebang is #!/bin/sh, this may cause the script to fail with an Illegal option -o pipefail error. Consider changing the shebang to #!/bin/bash or removing pipefail if POSIX compatibility is required.
| TARGET_IMAGE="ghcr.io/cloudnative-pg/postgresql:17.7-standard-trixie" | ||
|
|
||
| # Database names to update (can be in any namespace) | ||
| DB_NAMES="keycloak-db harbor-db grafana-db alerta-db seaweedfs-db" |
There was a problem hiding this comment.
The migration script uses a hardcoded list of database names. For Harbor, the database name is defined in the Helm template as {{ .Values.harbor.fullnameOverride }}-db. If a user has configured a fullnameOverride, this migration script will fail to identify and update the Harbor database. Consider using a more flexible matching pattern or checking for specific labels if available.
| APP_LABEL=$(kubectl get clusters.postgresql.cnpg.io -n "$NAMESPACE" "$CLUSTER_NAME" \ | ||
| -o jsonpath='{.metadata.labels.apps\.cozystack\.io/application\.name}' 2>/dev/null || echo "") | ||
| if [ -n "$APP_LABEL" ]; then | ||
| continue | ||
| fi | ||
|
|
||
| # Check if cluster name matches one of our target databases | ||
| MATCH=false | ||
| for db_name in $DB_NAMES; do | ||
| if [ "$CLUSTER_NAME" = "$db_name" ]; then | ||
| MATCH=true | ||
| break | ||
| fi | ||
| done | ||
|
|
||
| if [ "$MATCH" = false ]; then | ||
| continue | ||
| fi | ||
|
|
||
| # Get current imageName | ||
| CURRENT_IMAGE=$(kubectl get clusters.postgresql.cnpg.io -n "$NAMESPACE" "$CLUSTER_NAME" \ | ||
| -o jsonpath='{.spec.imageName}' 2>/dev/null || echo "") |
There was a problem hiding this comment.
Performing multiple kubectl get calls (lines 32 and 52) inside a loop for every cluster is inefficient and can significantly slow down the migration process as the number of clusters grows. It also increases the load on the Kubernetes API server. It is recommended to fetch all required fields (namespace, name, labels, and imageName) in a single kubectl get call using a more comprehensive jsonpath or by processing the JSON output.
There was a problem hiding this comment.
Actionable comments posted: 2
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@packages/core/platform/images/migrations/migrations/37`:
- Around line 16-18: The migration currently matches databases by name via the
DB_NAMES variable which can patch non-system clusters or miss Harbor (whose name
is rendered from .Values.harbor.fullnameOverride); update the migration to
restrict to system-owned resources by adding a stable selector (e.g., a label
like app.kubernetes.io/part-of=system or a dedicated system-owned label) and use
that selector when listing/patching CNPG clusters instead of name-only matching,
and also include logic to resolve Harbor's actual rendered name from
packages/system/harbor/templates/database.yaml (fullnameOverride) or match it by
the same system selector; modify the code that references DB_NAMES to combine
name AND label selection (or namespace filter) so only system databases are
patched.
In `@packages/core/platform/values.yaml`:
- Line 9: The targetVersion bump to 38 means the deployment will still run the
old migrations because migrations.image is pinned to the previous digest; build
a new platform-migrations image that includes the new /migrations/38 script,
push it, and update the migrations.image reference in values.yaml to the new tag
or digest so the job executes the newly added migration rather than the old
/migrations/37 content.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro
Run ID: 76525bde-2263-41f2-b96e-22f5a42c6a67
📒 Files selected for processing (7)
packages/core/platform/images/migrations/migrations/37packages/core/platform/values.yamlpackages/system/harbor/templates/database.yamlpackages/system/keycloak/templates/db.yamlpackages/system/monitoring/templates/alerta/alerta-db.yamlpackages/system/monitoring/templates/grafana/db.yamlpackages/system/seaweedfs/templates/database.yaml
| # Database names to update (can be in any namespace) | ||
| DB_NAMES="keycloak-db harbor-db grafana-db alerta-db seaweedfs-db" | ||
|
|
There was a problem hiding this comment.
Use a system-owned selector instead of name-only matching.
This still does not isolate “system databases”: any unlabeled CNPG cluster in any namespace named keycloak-db, grafana-db, alerta-db, or seaweedfs-db will be patched. Harbor can also be missed, because Line 5 of packages/system/harbor/templates/database.yaml renders the name from .Values.harbor.fullnameOverride, not a literal harbor-db. Please filter on a stable system-owned namespace/label before patching; otherwise a false match or miss will be locked in when this migration advances the version.
Also applies to: 22-49
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In `@packages/core/platform/images/migrations/migrations/37` around lines 16 - 18,
The migration currently matches databases by name via the DB_NAMES variable
which can patch non-system clusters or miss Harbor (whose name is rendered from
.Values.harbor.fullnameOverride); update the migration to restrict to
system-owned resources by adding a stable selector (e.g., a label like
app.kubernetes.io/part-of=system or a dedicated system-owned label) and use that
selector when listing/patching CNPG clusters instead of name-only matching, and
also include logic to resolve Harbor's actual rendered name from
packages/system/harbor/templates/database.yaml (fullnameOverride) or match it by
the same system selector; modify the code that references DB_NAMES to combine
name AND label selection (or namespace filter) so only system databases are
patched.
| enabled: false | ||
| image: ghcr.io/cozystack/cozystack/platform-migrations:v1.2.1@sha256:e8fcf006a4451fc0e961455e9b27a61b7103ee49b1a81fe5e4662ffed093fad6 | ||
| targetVersion: 37 | ||
| targetVersion: 38 |
There was a problem hiding this comment.
Publish a new platform-migrations image with this target bump.
Line 9 makes the hook run migration 37, but migrations.image is still pinned to the existing digest on Line 8. The job will therefore execute the old /migrations/37 contents instead of the script added in this PR. Please build and reference a new image tag/digest in the same change.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In `@packages/core/platform/values.yaml` at line 9, The targetVersion bump to 38
means the deployment will still run the old migrations because migrations.image
is pinned to the previous digest; build a new platform-migrations image that
includes the new /migrations/38 script, push it, and update the migrations.image
reference in values.yaml to the new tag or digest so the job executes the newly
added migration rather than the old /migrations/37 content.
|
#2364 done here |
What this PR does
This PR pins the PostgreSQL image version to 17.7-standard-trixie for all system databases (keycloak-db, harbor-db, grafana-db, alerta-db, seaweedfs-db). The change ensures consistency and uses the Debian Trixie base image across all system components.
Key changes:
imageName: ghcr.io/cloudnative-pg/postgresql:17.7-standard-trixieapps.cozystack.io/application.namelabel to avoid touching user-created Postgres applicationsRelease note
```release-note
[system] Pin PostgreSQL 17.7-standard-trixie image for system databases (keycloak, harbor, grafana, alerta, seaweedfs)
```
Summary by CodeRabbit
standard-trixievariant across Harbor, Keycloak, Grafana, Alerta, and SeaweedFS components with automatic migration handling.