chore: align CI values with rhdh-chart 5.7.1

[zdrapela]

Summary

Auto-align rhdh CI values files with rhdh-chart 5.7.1.

.ci/pipelines/value_files/values_showcase.yaml

• upstream.backstage.image.pullPolicy: Always -> ``
• orchestrator.enabled: True -> False

.ci/pipelines/value_files/values_showcase-rbac.yaml

• upstream.backstage.image.pullPolicy: Always -> ``
• upstream.postgresql.enabled: False -> True
• orchestrator.enabled: True -> False

Structure Drift (needs manual review)

.ci/pipelines/value_files/values_showcase.yaml:

New chart sections:

• global.auth
• global.clusterRouterBase
• global.host
• upstream.metrics
• upstream.postgresql

.ci/pipelines/value_files/values_showcase-rbac.yaml:

Keys in CI not in chart:

• upstream.postgresql.auth.existingSecret

New chart sections:

• global.auth
• global.clusterRouterBase
• global.host
• upstream.ingress
• upstream.metrics
• upstream.service

---

Auto-generated by the RHDH Chart Version Aligner MCP tool.

[rhdh-qodo-merge]

Code Review by Qodo

🐞 Bugs (2) 📘 Rule violations (0) 📎 Requirement gaps (0)

1. RBAC YAML templates broken 🐞 Bug ≡ Correctness

Description

.ci/pipelines/value_files/values_showcase-rbac.yaml contains multiple unquoted {{ ... }}
template scalars (including multiline printf expressions), which will break YAML loading and
therefore CI’s yq merge and helm upgrade -f steps.

Code

.ci/pipelines/value_files/values_showcase-rbac.yaml[R444-457]

+        name: {{ printf "%s-dynamic-plugins" .Release.Name }}
+        optional: true
+    - name: dynamic-plugins-npmrc
+      secret:
+        defaultMode: 420
+        optional: true
+        secretName: {{ printf "%s-dynamic-plugins-npmrc" .Release.Name
+          }}
+    - name: dynamic-plugins-registry-auth
+      secret:
+        defaultMode: 416
+        optional: true
+        secretName: {{ printf "%s-dynamic-plugins-registry-auth" .Release.Name
+          }}

Relevance

⭐⭐⭐ High

Unquoted Helm templates in values YAML likely break yq/helm parsing; repo historically keeps them
quoted/escaped.

PR-#4153
PR-#4457
PR-#3108

ⓘ Recommendations generated based on similar findings in past PRs

Evidence

The RBAC values file has several fields where the YAML value starts with {{ (e.g.,
secretKeyRef.name, configMap.name, secret.secretName). CI merges these via yq eval-all, which
requires valid YAML. Existing cluster diff value files keep these template strings quoted,
indicating the expected format is a quoted YAML scalar.

.ci/pipelines/value_files/values_showcase-rbac.yaml[408-457]
.ci/pipelines/lib/helm.sh[30-63]
.ci/pipelines/utils.sh[578-612]
.ci/pipelines/value_files/diff-values_showcase-rbac_AKS.yaml[54-65]
.ci/pipelines/value_files/diff-values_showcase-rbac_AKS.yaml[112-127]

Agent prompt

The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

### Issue description
`values_showcase-rbac.yaml` has unquoted Helm template expressions (some split across lines) for fields like `secretKeyRef.name`, `configMap.name`, and `secret.secretName`. This is not safe YAML and will fail CI during `yq` merge or Helm install.

### Issue Context
CI uses `yq eval-all` to merge base and diff values and then runs `helm upgrade -f <merged.yaml>`.

### Fix Focus Areas
- .ci/pipelines/value_files/values_showcase-rbac.yaml[408-457]

### What to change
- Quote any value starting with `{{` (use the same style as the existing `diff-values_showcase-rbac_*.yaml` files).
- Avoid breaking template expressions across multiple lines; keep them on one line inside quotes.
 - Example: `name: '{{ printf "%s-dynamic-plugins" .Release.Name }}'`
 - Example: `secretName: '{{ printf "%s-dynamic-plugins-npmrc" .Release.Name }}'`

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

---

2. RBAC Postgres config mismatch 🐞 Bug ≡ Correctness

Description

RBAC values now enable upstream.postgresql.enabled: true while RBAC CI provisioning/configuration
is built around an external Crunchy Postgres and a postgres-cred secret containing POSTGRES_*
env-var keys; using that secret as postgresql.auth.existingSecret is incompatible and will break
RBAC deployments.

Code

.ci/pipelines/value_files/values_showcase-rbac.yaml[R478-482]

  postgresql:
-    enabled: false
+    enabled: true
    auth:
      existingSecret: postgres-cred
-
orchestrator:
-  plugins: [] # disable chart-based orchestrator plugins and define above for clarity (may need a new test config to cover helm chart plugins)
-  enabled: true

Relevance

⭐⭐⭐ High

RBAC pipeline historically provisions external Postgres via postgres-cred; enabling chart postgresql
with that secret mismatches expectations.

PR-#3213
PR-#3825
PR-#2463

ⓘ Recommendations generated based on similar findings in past PRs

Evidence

The RBAC deployment path explicitly provisions an external Postgres cluster and applies
postgres-cred into the RBAC namespace. The RBAC Backstage config references
${POSTGRES_HOST}/${POSTGRES_PORT}/${POSTGRES_USER}/${POSTGRES_PASSWORD}, matching the
postgres-cred secret keys. Enabling the chart’s upstream.postgresql while pointing
auth.existingSecret to that env-var secret is a configuration mismatch and will cause the chart
Postgres (and/or Backstage DB wiring) to fail or behave unexpectedly.

.ci/pipelines/value_files/values_showcase-rbac.yaml[361-482]
.ci/pipelines/utils.sh[578-612]
.ci/pipelines/utils.sh[202-295]
.ci/pipelines/resources/postgres-db/postgres-cred.yaml[1-12]

Agent prompt

The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

### Issue description
`values_showcase-rbac.yaml` enables the chart Postgres (`upstream.postgresql.enabled: true`) but CI’s RBAC deployment provisions and uses an external Crunchy Postgres, creating a `postgres-cred` secret with `POSTGRES_HOST/PORT/USER/PASSWORD` keys. That secret is not a Postgres-chart auth secret, so using it as `upstream.postgresql.auth.existingSecret` is incompatible.

### Issue Context
RBAC CI path calls `configure_external_postgres_db` and then installs the chart with `values_showcase-rbac.yaml`.

### Fix Focus Areas
- .ci/pipelines/value_files/values_showcase-rbac.yaml[478-482]
- .ci/pipelines/utils.sh[578-612]
- .ci/pipelines/utils.sh[202-295]
- .ci/pipelines/resources/postgres-db/postgres-cred.yaml[1-12]

### What to change
- Revert RBAC base values to keep external DB mode:
 - Set `upstream.postgresql.enabled: false` (or remove the key) in `values_showcase-rbac.yaml`.
- If the intention is to switch RBAC to chart-managed Postgres, then also update CI scripts and secrets to match the chart’s expected secret keys and stop provisioning external Crunchy Postgres (larger change).

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

---

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[rhdh-qodo-merge]

Review Summary by Qodo

Align CI values files with rhdh-chart 5.7.1

✨ Enhancement

Walkthroughs

Description

• Align CI values files with rhdh-chart 5.7.1
• Remove comments and simplify YAML formatting
• Change upstream.backstage.image.pullPolicy from Always to empty string
• Change orchestrator.enabled from true to false
• Change upstream.postgresql.enabled from false to true (rbac only)

Diagram

flowchart LR
  A["CI Values Files"] -->|"Remove comments"| B["Simplified YAML"]
  A -->|"Update image pullPolicy"| C["pullPolicy: empty"]
  A -->|"Disable orchestrator"| D["orchestrator.enabled: false"]
  A -->|"Enable PostgreSQL"| E["postgresql.enabled: true"]
  B --> F["Aligned with rhdh-chart 5.7.1"]
  C --> F
  D --> F
  E --> F

Loading

File Changes

1. .ci/pipelines/value_files/values_showcase-rbac.yaml ⚙️ Configuration changes +422/-479

Align rbac values with chart 5.7.1

• Removed extensive comments throughout the file for cleaner formatting
• Changed upstream.backstage.image.pullPolicy from Always to empty string
• Changed upstream.postgresql.enabled from false to true
• Changed orchestrator.enabled from true to false
• Reformatted YAML with consistent indentation and quote style
• Removed blank lines between configuration sections

.ci/pipelines/value_files/values_showcase-rbac.yaml

---

2. .ci/pipelines/value_files/values_showcase.yaml ⚙️ Configuration changes +378/-407

Align showcase values with chart 5.7.1

• Removed extensive comments throughout the file for cleaner formatting
• Changed upstream.backstage.image.pullPolicy from Always to empty string
• Changed orchestrator.enabled from true to false
• Reformatted YAML with consistent indentation and quote style
• Removed blank lines between configuration sections
• Simplified string quoting conventions

.ci/pipelines/value_files/values_showcase.yaml

---

[github-actions]

Image was built and published successfully. It is available at:

• quay.io/rhdh-community/rhdh:pr-4663
• quay.io/rhdh-community/rhdh:pr-4663-44d4d8c7