Skip to content

Commit 15a15c5

Browse files
committed
fix(orchestrator): use versioned name for the DB creation Job to avoid immutable upgrade errors (#427)
The `<release>-create-sonataflow-database` Job uses a fixed name across chart versions. When a field in the rendered pod spec changes between versions (e.g. the pinned PostgreSQL image digest), an in-place `helm upgrade` of an Orchestrator-enabled release tries to patch the Job's immutable `spec.template` and fails: Job.batch "<release>-create-sonataflow-database" is invalid: spec.template: ... field is immutable Use a versioned name `<release>-create-sf-db-<chart-version>` so each chart version gets a distinct Job (recreated instead of patched). This is the minimal part of #407 needed to fix the upgrade; the fail-hard / configurable backoffLimit changes (RHDHBUGS-2577) are intentionally left out of the 1.10 line. Fixes RHDHBUGS-3325. Targets 1.10.1. Signed-off-by: Gustavo Lira <guga.java@gmail.com> Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com> Signed-off-by: Lucas <lyoon@redhat.com>
1 parent e767157 commit 15a15c5

10 files changed

Lines changed: 21 additions & 20 deletions

File tree

.github/actions/test-charts/action.yml

Lines changed: 0 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -166,8 +166,6 @@ runs:
166166
"--set route.enabled=false"
167167
"--set upstream.ingress.enabled=true"
168168
"--set global.host=rhdh.127.0.0.1.sslip.io"
169-
"--set upstream.backstage.podSecurityContext.runAsUser=1001"
170-
"--set upstream.backstage.podSecurityContext.runAsGroup=1001"
171169
"--set upstream.backstage.podSecurityContext.fsGroup=1001"
172170
)
173171
if [[ -n "$INPUT_EXTRA_HELM_ARGS" ]]; then

.pre-commit-config.yaml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -16,7 +16,7 @@ repos:
1616
- id: helm-dependency-update
1717
name: helm-dependency-update
1818
entry: helm dependency update charts/backstage/vendor/backstage/charts/backstage
19-
language: unsupported
19+
language: system
2020
pass_filenames: false
2121
files: charts/backstage/vendor/backstage/charts/backstage/Chart\.(ya?ml|lock)$
2222
- id: jsonschema-dereference

charts/backstage/Chart.yaml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -47,4 +47,4 @@ sources: []
4747
# Versions are expected to follow Semantic Versioning (https://semver.org/)
4848
# Note that when this chart is published to https://github.com/openshift-helm-charts/charts
4949
# it will follow the RHDH versioning 1.y.z
50-
version: 5.12.4
50+
version: 5.12.5

charts/backstage/README.md

Lines changed: 4 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -1,7 +1,7 @@
11

22
# RHDH Backstage Helm Chart for OpenShift
33

4-
![Version: 5.12.4](https://img.shields.io/badge/Version-5.12.4-informational?style=flat-square)
4+
![Version: 5.12.5](https://img.shields.io/badge/Version-5.12.5-informational?style=flat-square)
55
![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
66

77
A Helm chart for deploying Red Hat Developer Hub, which is a Red Hat supported version of Backstage.
@@ -21,15 +21,15 @@ For the **Generally Available** version of this chart, see:
2121

2222
| Name | Email | Url |
2323
| ---- | ------ | --- |
24-
| Red Hat | | <https://redhat.com> |
24+
| Red Hat | | https://redhat.com |
2525

2626
## TL;DR
2727

2828
```console
2929
helm repo add bitnami https://charts.bitnami.com/bitnami
3030
helm repo add redhat-developer https://redhat-developer.github.io/rhdh-chart
3131

32-
helm install my-backstage redhat-developer/backstage --version 5.12.4
32+
helm install my-backstage redhat-developer/backstage --version 5.12.5
3333
```
3434

3535
## Introduction
@@ -156,7 +156,7 @@ Kubernetes: `>= 1.27.0-0`
156156

157157
| Repository | Name | Version |
158158
|------------|------|---------|
159-
| file://./vendor/backstage/charts/backstage/ | upstream(backstage) | 2.7.0 |
159+
| file://./vendor/backstage/charts/backstage/ | backstage | 2.7.0 |
160160
| https://charts.bitnami.com/bitnami | common | 2.39.0 |
161161

162162
## Values

charts/backstage/values.schema.json

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -185,7 +185,7 @@
185185
"enabled": true,
186186
"initContainer": {
187187
"args": [
188-
"mkdir -p /tmp/data && echo 'Copying Lightspeed RAG data...' && cp -r /rag/vector_db /rag-content/ && cp -r /rag/embeddings_model /rag-content/ && echo 'Copy complete.'"
188+
"mkdir -p /tmp/data && echo 'Copying Lightspeed RAG data...' && cp -r --no-preserve=mode,ownership /rag/vector_db /rag-content/ && cp -r --no-preserve=mode,ownership /rag/embeddings_model /rag-content/ && mkdir -p /rag-content/vector_db/notebooks && chmod -R a+rwX /rag-content/embeddings_model && echo 'Copy complete.'"
189189
],
190190
"command": [
191191
"sh",

charts/backstage/values.yaml

Lines changed: 4 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -135,8 +135,10 @@ global:
135135
- >-
136136
mkdir -p /tmp/data &&
137137
echo 'Copying Lightspeed RAG data...' &&
138-
cp -r /rag/vector_db /rag-content/ &&
139-
cp -r /rag/embeddings_model /rag-content/ &&
138+
cp -r --no-preserve=mode,ownership /rag/vector_db /rag-content/ &&
139+
cp -r --no-preserve=mode,ownership /rag/embeddings_model /rag-content/ &&
140+
mkdir -p /rag-content/vector_db/notebooks &&
141+
chmod -R a+rwX /rag-content/embeddings_model &&
140142
echo 'Copy complete.'
141143
env: []
142144
# -- Resource requests/limits for the Lightspeed RAG bootstrap init container.

charts/must-gather/README.md

Lines changed: 7 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -12,7 +12,7 @@ A Helm chart for running the RHDH Must-Gather diagnostic tool on Kubernetes
1212

1313
| Name | Email | Url |
1414
| ---- | ------ | --- |
15-
| Red Hat | | <https://redhat.com> |
15+
| Red Hat | | https://redhat.com |
1616

1717
## Source Code
1818

@@ -108,7 +108,7 @@ The command removes all the Kubernetes resources associated with the chart and d
108108
| Key | Description | Type | Default |
109109
|-----|-------------|------|---------|
110110
| affinity | Affinity rules for pod scheduling | object | `{}` |
111-
| dataHolder | Runs alongside the gather container and stays alive so you can exec in and retrieve the output. | object | `{"resources":{"limits":{"cpu":"100m","ephemeral-storage":"64Mi","memory":"128Mi"},"requests":{"cpu":"50m","ephemeral-storage":"32Mi","memory":"64Mi"}}}` |
111+
| dataHolder | Data holder container configuration -- Runs alongside the gather container and stays alive so you can exec in and retrieve the output. | object | `{"resources":{"limits":{"cpu":"100m","ephemeral-storage":"64Mi","memory":"128Mi"},"requests":{"cpu":"50m","ephemeral-storage":"32Mi","memory":"64Mi"}}}` |
112112
| dataHolder.resources | Resource requests and limits for the data-holder container | object | `{"limits":{"cpu":"100m","ephemeral-storage":"64Mi","memory":"128Mi"},"requests":{"cpu":"50m","ephemeral-storage":"32Mi","memory":"64Mi"}}` |
113113
| fullnameOverride | | string | `""` |
114114
| gather | Gather script configuration | object | `{"clusterInfo":false,"cmdTimeout":"30","extraArgs":[],"extraEnvVars":[],"heapDump":{"bufferSize":"","enabled":false,"instances":"","method":"","remoteDir":"","timeout":""},"logLevel":"info","namespaces":[],"since":"","sinceTime":"","withHelm":true,"withIngress":true,"withNamespaceInspect":true,"withOperator":true,"withOrchestrator":true,"withPlatform":true,"withRoute":true,"withSecrets":false}` |
@@ -123,7 +123,7 @@ The command removes all the Kubernetes resources associated with the chart and d
123123
| gather.heapDump.remoteDir | Directory in container where heap dumps are written for SIGUSR2 method. Must be writable inside the gather container. | string | `""` |
124124
| gather.heapDump.timeout | Timeout in seconds for heap dump collection | string | `""` |
125125
| gather.logLevel | Log level: info, INFO, debug, DEBUG, trace, TRACE | string | `"info"` |
126-
| gather.namespaces | Example: ["rhdh-prod", "rhdh-staging"] | list | `[]` |
126+
| gather.namespaces | Limit collection to specific namespaces (only effective when rbac.scope is "cluster"). -- Ignored when rbac.scope is "namespace" (collection is restricted to the release namespace). -- Example: ["rhdh-prod", "rhdh-staging"] | list | `[]` |
127127
| gather.since | Relative time for log collection (e.g., "2h", "30m") | string | `""` |
128128
| gather.sinceTime | Absolute timestamp for log collection (RFC3339 format) | string | `""` |
129129
| gather.withOperator | Collection features (enabled by default; set to false to skip) | bool | `true` |
@@ -143,20 +143,21 @@ The command removes all the Kubernetes resources associated with the chart and d
143143
| podSecurityContext | Pod security context | object | `{"runAsNonRoot":true,"seccompProfile":{"type":"RuntimeDefault"}}` |
144144
| rbac | RBAC configuration | object | `{"create":true,"rules":{"backstages":true,"ingresses":true,"knative":true,"olm":true,"platform":true,"routes":true,"sonataflow":true},"scope":"cluster"}` |
145145
| rbac.create | Create RBAC resources (Role/ClusterRole and bindings) | bool | `true` |
146-
| rbac.rules | a rule here does not require disabling the corresponding gather.with* flag. | object | `{"backstages":true,"ingresses":true,"knative":true,"olm":true,"platform":true,"routes":true,"sonataflow":true}` |
146+
| rbac.rules | Control which API-group rules are included in the Role/ClusterRole. -- Disable a rule if the installing user cannot grant those permissions -- (Kubernetes requires you to already hold any permission you grant). -- The gather script handles missing permissions gracefully, so disabling -- a rule here does not require disabling the corresponding gather.with* flag. | object | `{"backstages":true,"ingresses":true,"knative":true,"olm":true,"platform":true,"routes":true,"sonataflow":true}` |
147147
| rbac.rules.backstages | rhdh.redhat.com — Backstage custom resources | bool | `true` |
148148
| rbac.rules.ingresses | networking.k8s.io — Ingresses, NetworkPolicies | bool | `true` |
149149
| rbac.rules.knative | operator.knative.dev, operator.serverless.openshift.io — Knative/Serverless | bool | `true` |
150150
| rbac.rules.olm | operators.coreos.com — OLM resources (subscriptions, CSVs, etc.) | bool | `true` |
151151
| rbac.rules.platform | config.openshift.io — ClusterVersions, Infrastructures (cluster scope only) | bool | `true` |
152152
| rbac.rules.routes | route.openshift.io — OpenShift Routes | bool | `true` |
153153
| rbac.rules.sonataflow | sonataflow.org — SonataFlow custom resources | bool | `true` |
154+
| rbac.scope | Scope of the RBAC role: "cluster" creates a ClusterRole with cluster-wide read access; -- "namespace" creates a namespace-scoped Role limited to the release namespace only -- (gather.namespaces is ignored; collection is restricted to the release namespace) | string | `"cluster"` |
154155
| resources | Resource requests and limits for the gather container | object | `{"limits":{"cpu":"500m","ephemeral-storage":"128Mi","memory":"512Mi"},"requests":{"cpu":"100m","ephemeral-storage":"64Mi","memory":"128Mi"}}` |
155156
| securityContext | Container security context | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]}}` |
156157
| serviceAccount | Service account configuration | object | `{"annotations":{},"name":"","tokenExpirationSeconds":3600}` |
157158
| serviceAccount.annotations | Annotations to add to the service account | object | `{}` |
158-
| serviceAccount.name | If not set, a name is generated using the fullname template. | string | `""` |
159-
| serviceAccount.tokenExpirationSeconds | into the gather init container (minimum 600). | int | `3600` |
159+
| serviceAccount.name | The name of the service account to use. -- If not set, a name is generated using the fullname template. | string | `""` |
160+
| serviceAccount.tokenExpirationSeconds | Expiration (in seconds) for the bound service account token projected -- into the gather init container (minimum 600). | int | `3600` |
160161
| strategy | Deployment strategy | object | `{"type":"Recreate"}` |
161162
| test | Helm test configuration | object | `{"enabled":true,"image":{"digest":"","pullPolicy":"","registry":"docker.io","repository":"bitnami/kubectl","tag":"latest"}}` |
162163
| test.enabled | Enable the Helm test | bool | `true` |

charts/orchestrator-infra/README.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -10,7 +10,7 @@ Helm chart to deploy the Orchestrator solution's required infrastructure suite o
1010

1111
| Name | Email | Url |
1212
| ---- | ------ | --- |
13-
| Red Hat Developer Hub Team | | <https://github.com/redhat-developer/rhdh-chart> |
13+
| Red Hat Developer Hub Team | | https://github.com/redhat-developer/rhdh-chart |
1414

1515
## Source Code
1616

charts/orchestrator-software-templates-infra/README.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -10,7 +10,7 @@ A Helm chart to install Openshift GitOps and Openshift Pipelines, which are requ
1010

1111
| Name | Email | Url |
1212
| ---- | ------ | --- |
13-
| Red Hat Developer Hub Team | | <https://github.com/redhat-developer/rhdh-chart> |
13+
| Red Hat Developer Hub Team | | https://github.com/redhat-developer/rhdh-chart |
1414

1515
## Source Code
1616

charts/orchestrator-software-templates/README.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -10,7 +10,7 @@ This Helm chart deploys the Orchestrator Software Templates for Red Hat Develope
1010

1111
| Name | Email | Url |
1212
| ---- | ------ | --- |
13-
| Red Hat Developer Hub Team | | <https://github.com/redhat-developer/rhdh-chart> |
13+
| Red Hat Developer Hub Team | | https://github.com/redhat-developer/rhdh-chart |
1414

1515
## Source Code
1616

0 commit comments

Comments
 (0)