Fix system postgresql images to 17.7-standard-trixie#2369
Fix system postgresql images to 17.7-standard-trixie#2369myasnikovdaniil merged 1 commit intorelease-1.2from
Conversation
Signed-off-by: Myasnikov Daniil <[email protected]> (cherry picked from commit a3f50ba)
|
Important Review skippedAuto reviews are disabled on base/target branches other than the default branch. Please check the settings in the CodeRabbit UI or the ⚙️ Run configurationConfiguration used: defaults Review profile: CHILL Plan: Pro Run ID: You can disable this status message by setting the Use the checkbox below for a quick retry:
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Code Review
This pull request updates the PostgreSQL migration script and system database Helm templates to pin images to the 17.7-standard-trixie version or append the -standard-trixie suffix to existing version tags. The review feedback identifies that the regular expression used for version matching is too restrictive, as it only matches tags with exactly two numeric components, and suggests a more inclusive pattern. Additionally, the use of the Helm lookup function is noted for its limitations during dry-runs, and it is suggested to centralize the repeated logic across the various database templates.
| # Any PG 17 image — force to the pinned 17.7-standard-trixie | ||
| PATCH_IMAGE="$TARGET_IMAGE" | ||
| echo "PATCH $NAMESPACE/$CLUSTER_NAME: PG 17 detected, $CURRENT_IMAGE -> $PATCH_IMAGE" | ||
| elif [[ "$CURRENT_IMAGE" =~ :[0-9]+\.[0-9]+$ ]]; then |
There was a problem hiding this comment.
The regular expression :[0-9]+\.[0-9]+$ is quite restrictive as it only matches tags with exactly two numeric components (e.g., :18.1). It will fail to match bare major versions (e.g., :18) or tags with three components (e.g., :18.1.2). Consider using a more inclusive regex to ensure all bare version tags are correctly identified and suffixed.
| elif [[ "$CURRENT_IMAGE" =~ :[0-9]+\.[0-9]+$ ]]; then | |
| elif [[ "$CURRENT_IMAGE" =~ :[0-9]+(\.[0-9]+)*$ ]]; then |
| {{- $existingCluster := lookup "postgresql.cnpg.io/v1" "Cluster" .Release.Namespace (printf "%s-db" .Values.harbor.fullnameOverride) }} | ||
| {{- $image := dig "spec" "imageName" "ghcr.io/cloudnative-pg/postgresql:17.7-standard-trixie" $existingCluster }} | ||
| imageName: {{ if regexMatch ":17\\." $image }}ghcr.io/cloudnative-pg/postgresql:17.7-standard-trixie{{ else if regexMatch ":[0-9]+\\.[0-9]+$" $image }}{{ printf "%s-standard-trixie" $image }}{{ else }}{{ $image }}{{ end }} |
There was a problem hiding this comment.
The lookup function is used here to determine the existing image. Note that lookup does not work during helm template or helm install --dry-run (it returns an empty map), which might lead to unexpected diffs in GitOps workflows as the template will fall back to the default image.
Additionally, the regex :[0-9]+\.[0-9]+$ only matches tags with exactly two numeric components. Consider using a more inclusive regex. This logic is repeated across multiple system database templates (Keycloak, Alerta, Grafana, SeaweedFS) and should ideally be centralized in a helper template.
{{- $existingCluster := lookup "postgresql.cnpg.io/v1" "Cluster" .Release.Namespace (printf "%s-db" .Values.harbor.fullnameOverride) }}
{{- $image := dig "spec" "imageName" "ghcr.io/cloudnative-pg/postgresql:17.7-standard-trixie" $existingCluster }}
imageName: {{ if regexMatch ":17\\." $image }}ghcr.io/cloudnative-pg/postgresql:17.7-standard-trixie{{ else if regexMatch ":[0-9]+(\\.[0-9]+)*$" $image }}{{ printf "%s-standard-trixie" $image }}{{ else }}{{ $image }}{{ end }}| imageName: ghcr.io/cloudnative-pg/postgresql:17.7 | ||
| {{- $existingCluster := lookup "postgresql.cnpg.io/v1" "Cluster" .Release.Namespace "keycloak-db" }} | ||
| {{- $image := dig "spec" "imageName" "ghcr.io/cloudnative-pg/postgresql:17.7-standard-trixie" $existingCluster }} | ||
| imageName: {{ if regexMatch ":17\\." $image }}ghcr.io/cloudnative-pg/postgresql:17.7-standard-trixie{{ else if regexMatch ":[0-9]+\\.[0-9]+$" $image }}{{ printf "%s-standard-trixie" $image }}{{ else }}{{ $image }}{{ end }} |
There was a problem hiding this comment.
The regex :[0-9]+\.[0-9]+$ only matches tags with exactly two numeric components. Consider using a more inclusive regex to handle tags like :18 or :18.1.2 correctly.
imageName: {{ if regexMatch ":17\\." $image }}ghcr.io/cloudnative-pg/postgresql:17.7-standard-trixie{{ else if regexMatch ":[0-9]+(\\.[0-9]+)*$" $image }}{{ printf "%s-standard-trixie" $image }}{{ else }}{{ $image }}{{ end }}| imageName: ghcr.io/cloudnative-pg/postgresql:17.7 | ||
| {{- $existingCluster := lookup "postgresql.cnpg.io/v1" "Cluster" .Release.Namespace "alerta-db" }} | ||
| {{- $image := dig "spec" "imageName" "ghcr.io/cloudnative-pg/postgresql:17.7-standard-trixie" $existingCluster }} | ||
| imageName: {{ if regexMatch ":17\\." $image }}ghcr.io/cloudnative-pg/postgresql:17.7-standard-trixie{{ else if regexMatch ":[0-9]+\\.[0-9]+$" $image }}{{ printf "%s-standard-trixie" $image }}{{ else }}{{ $image }}{{ end }} |
There was a problem hiding this comment.
The regex :[0-9]+\.[0-9]+$ only matches tags with exactly two numeric components. Consider using a more inclusive regex to handle tags like :18 or :18.1.2 correctly.
imageName: {{ if regexMatch ":17\\." $image }}ghcr.io/cloudnative-pg/postgresql:17.7-standard-trixie{{ else if regexMatch ":[0-9]+(\\.[0-9]+)*$" $image }}{{ printf "%s-standard-trixie" $image }}{{ else }}{{ $image }}{{ end }}| imageName: ghcr.io/cloudnative-pg/postgresql:17.7 | ||
| {{- $existingCluster := lookup "postgresql.cnpg.io/v1" "Cluster" .Release.Namespace "grafana-db" }} | ||
| {{- $image := dig "spec" "imageName" "ghcr.io/cloudnative-pg/postgresql:17.7-standard-trixie" $existingCluster }} | ||
| imageName: {{ if regexMatch ":17\\." $image }}ghcr.io/cloudnative-pg/postgresql:17.7-standard-trixie{{ else if regexMatch ":[0-9]+\\.[0-9]+$" $image }}{{ printf "%s-standard-trixie" $image }}{{ else }}{{ $image }}{{ end }} |
There was a problem hiding this comment.
The regex :[0-9]+\.[0-9]+$ only matches tags with exactly two numeric components. Consider using a more inclusive regex to handle tags like :18 or :18.1.2 correctly.
imageName: {{ if regexMatch ":17\\." $image }}ghcr.io/cloudnative-pg/postgresql:17.7-standard-trixie{{ else if regexMatch ":[0-9]+(\\.[0-9]+)*$" $image }}{{ printf "%s-standard-trixie" $image }}{{ else }}{{ $image }}{{ end }}| imageName: ghcr.io/cloudnative-pg/postgresql:17.7 | ||
| {{- $existingCluster := lookup "postgresql.cnpg.io/v1" "Cluster" .Release.Namespace "seaweedfs-db" }} | ||
| {{- $image := dig "spec" "imageName" "ghcr.io/cloudnative-pg/postgresql:17.7-standard-trixie" $existingCluster }} | ||
| imageName: {{ if regexMatch ":17\\." $image }}ghcr.io/cloudnative-pg/postgresql:17.7-standard-trixie{{ else if regexMatch ":[0-9]+\\.[0-9]+$" $image }}{{ printf "%s-standard-trixie" $image }}{{ else }}{{ $image }}{{ end }} |
There was a problem hiding this comment.
The regex :[0-9]+\.[0-9]+$ only matches tags with exactly two numeric components. Consider using a more inclusive regex to handle tags like :18 or :18.1.2 correctly.
imageName: {{ if regexMatch ":17\\." $image }}ghcr.io/cloudnative-pg/postgresql:17.7-standard-trixie{{ else if regexMatch ":[0-9]+(\\.[0-9]+)*$" $image }}{{ printf "%s-standard-trixie" $image }}{{ else }}{{ $image }}{{ end }}
lexfrei
left a comment
There was a problem hiding this comment.
LGTM. Verified the cherry-pick logic:
- The
lookup/digpattern across the 5 system database charts (keycloak, grafana, alerta, seaweedfs, harbor) correctly reads the currentimageNamefrom the live CNPG Cluster and defaults toghcr.io/cloudnative-pg/postgresql:17.7-standard-trixiewhen not set. - Migration script 37 patches all CNPG Clusters with
imageNamematching:17.to the pinned target, and thetargetVersionbump from 36 → 38 is consistent with the scripts shipped inplatform-migrations:v1.2.1. - Fix reaches clusters via Helm template reconciliation even on the existing migrations image.
Non-blocking notes for follow-up:
- The updated migration 37 script lives in the repo but is not yet baked into the
platform-migrations:v1.2.1container image. The Helm reconciliation delivers the fix either way, but the repo/image divergence is worth documenting. helm lookupis a no-op underhelm template/--dry-run, so diff previews always render the pinned default regardless of actual cluster state.- The
:17\.regex idempotently re-patches already-correct images; consider a guard to skip whenCURRENT_IMAGE == TARGET_IMAGEto reduce log noise.
## What this PR does Post-release cleanup of `docs/changelogs/v1.3.0.md` so the notes match what users actually experience in v1.3.0. No code changes. - **Rewrite the postgres major-features entry** so author (`@myasnikovdaniil`), PR (`#2369`), and description all line up with the `17.7-standard-trixie` pin + migration-37 `imageName` rewrite that actually shipped. The previous entry credited `#2304` with a description matching a superseded `spec.version=v17` backfill approach. - **Remove the duplicate `#2364` postgres bug-fix entry** — the same work is now folded into the single major-features entry above, with backport references to `#2309` (v1.2.1) and `#2364` (v1.2.2). - **Remove the `[linstor-gui] Restrict to cozystack-cluster-admin group` security entry.** The vulnerable state never shipped in a tagged release, so there is nothing user-facing to announce. The `cozystack-cluster-admin`-group restriction is already described in the linstor-gui Feature Highlights section as part of the feature's day-one shipping behavior. ### Release note ```release-note [] ``` <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Documentation** * Updated v1.3.0 changelog with clarified PostgreSQL system version pinning details and removed redundant entries for improved documentation clarity. <!-- end of auto-generated comment: release notes by coderabbit.ai -->
Post-release cleanup of docs/changelogs/v1.3.0.md so the notes match what users actually experience in the released v1.3.0: - Rewrite the postgres major-features entry so author (myasnikovdaniil), PR (cozystack#2369), and description all match the 17.7-standard-trixie pin + migration-37 imageName rewrite that actually shipped. The previous entry credited cozystack#2304 (superseded spec.version=v17 backfill approach). - Remove the duplicate cozystack#2364 postgres bug-fix entry; the same work is now folded into the single major-features entry above, with backport references to cozystack#2309 (v1.2.1) and cozystack#2364 (v1.2.2). - Remove the [linstor-gui] Restrict to cozystack-cluster-admin group security entry. The vulnerable state never shipped in a tagged release, so there is nothing user-facing to announce; the restriction is already described in the linstor-gui Feature Highlights section as part of the feature's day-one behavior. Signed-off-by: Myasnikov Daniil <[email protected]>
Post-release cleanup of docs/changelogs/v1.3.0.md so the notes match what users actually experience in the released v1.3.0: - Rewrite the postgres major-features entry so author (myasnikovdaniil), PR (#2369), and description all match the 17.7-standard-trixie pin + migration-37 imageName rewrite that actually shipped. The previous entry credited #2304 (superseded spec.version=v17 backfill approach). - Remove the duplicate #2364 postgres bug-fix entry; the same work is now folded into the single major-features entry above, with backport references to #2309 (v1.2.1) and #2364 (v1.2.2). - Remove the [linstor-gui] Restrict to cozystack-cluster-admin group security entry. The vulnerable state never shipped in a tagged release, so there is nothing user-facing to announce; the restriction is already described in the linstor-gui Feature Highlights section as part of the feature's day-one behavior. Signed-off-by: Myasnikov Daniil <[email protected]>
(cherry picked from commit a3f50ba)
What this PR does
Release note