Fixes and improvements for .NET, Spring Boot and Postgrest templates #71
…ate code in operator causing syntax error during compile. Add missing java test image for the test run
…ent name value in postgres template
- fix(cue): truncate app name to 32 chars in migrate PipelineRun name to prevent exceeding Kubernetes 63-char resource name limit
- fix(cue): replace hardcoded 'api-db-secret' with dynamic databaseSecretRef in db-migrate TriggerTemplate
- fix(cue): correct migration-source path from 'db/migration' to 'db/migrations'
- fix(operator): derive db secret name from app.Name if not explicitly set
- fix(postgrest-template): use values.name for component name instead of 'api'
- fix(postgrest-template): add missing Backstage CI/CD and Kubernetes annotations
- fix(postgrest-template): mask JWT secret input with ui:widget password
- fix(catalog): remove hardcoded gitea repo-url from dotnet and spring-boot templates
DatabaseSecretRef field in HeliosApp types and CRD schema
… in. change jwtSecret widget from password to secret
nghiaz160904 left a comment:
Postgrest: Confirmed functional tests pass successfully.
Pull request overview
This PR addresses several end-to-end failures in the PostgREST scaffolding template and Tekton db-migrate trigger flow by making resource naming and references dynamic (app-specific), fixing migration path handling, and improving Backstage discovery annotations.
Changes:
- Truncates Tekton PipelineRun names to avoid exceeding Kubernetes name limits, and fixes db-migrate params (dynamic DB secret ref + db/migrations path).
- Fixes PostgREST GitOps component naming and adds Backstage Tekton/Kubernetes annotations needed for Portal discovery.
- Updates operator-side Tekton mapping defaults and standardizes Postgres DB type usage; adjusts related tests and local dev setup tasks.
Reviewed changes
Copilot reviewed 18 out of 19 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
| cue/definitions/tekton/triggers/github-push.cue | Truncates generated PipelineRun names for push/migrate TriggerTemplates. |
| cue/definitions/tekton/triggers/db-migrate-trigger.cue | Truncates PipelineRun name; uses dynamic databaseSecretRef; fixes migration source path. |
| apps/portal/examples/spring-boot-template/template.yaml | Sets a Gradle test image for pipeline execution. |
| apps/portal/examples/spring-boot-template/content/source/catalog-info.yaml | Removes hardcoded local Gitea repo URL annotation. |
| apps/portal/examples/postgrest-template/template.yaml | Adds JWT secret constraints/masking and changes how JWT secret is passed to templates. |
| apps/portal/examples/postgrest-template/content/source/catalog-info.yaml | Adds Backstage TechDocs/Kubernetes/Tekton annotations for Portal tabs. |
| apps/portal/examples/postgrest-template/content/gitops/helios-app.yaml | Uses dynamic component name instead of hardcoded api. |
| apps/portal/examples/dotnet-template/content/source/catalog-info.yaml | Removes hardcoded local Gitea repo URL annotation. |
| apps/portal/examples/dotnet-template/content/README.md | Adds template README describing scaffolded .NET project contents. |
| apps/operator/internal/cue/tekton_test.go | Updates expected rendered Tekton resource counts/kinds after pipeline/trigger changes. |
| apps/operator/internal/controller/tekton/pipelinerun.go | Adjusts PipelineRun generation logic (per diff). |
| apps/operator/internal/controller/tekton/mapper.go | Defaults DatabaseSecretRef to {appName}-db-secret when unset. |
| apps/operator/internal/controller/database/resources_test.go | Updates expected Postgres URI format to include sslmode=disable. |
| apps/operator/internal/controller/database/resources.go | Replaces hardcoded "postgres" string usage with dbTypePostgres constant. |
| apps/operator/internal/controller/database/reconciler.go | Uses dbTypePostgres constant for DB-type checks. |
| apps/operator/internal/controller/database/injection.go | Introduces dbTypePostgres constant and uses it in DB URL template selection. |
| apps/operator/config/crd/bases/app.helios.io_heliosapps.yaml | Adds CRD schema field docs for databaseSecretRef. |
| apps/operator/api/v1alpha1/heliosapp_types.go | Updates DatabaseSecretRef docs and removes hardcoded kubebuilder default. |
| Taskfile.yml | Adds CoreDNS patch task and disables Valkey in local Gitea Helm install. |
| description: "PostgREST API: ${{ parameters.name }}" | ||
| image: index.docker.io/${{ parameters.dockerOrg }}/${{ parameters.repoName }} | ||
| apiSchema: ${{ parameters.apiSchema }} | ||
| jwtSecret: ${{ parameters.jwtSecret }} | ||
| jwtSecret: ${{ secrets.jwtSecret }} | ||
| jwtRole: ${{ parameters.jwtRole }} |
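Review bot: On the `jwtSecret: ${{ secrets.jwtSecret }}` line, the Backstage scaffolder fills the `secrets` context from form fields declared with `ui:field: Secret`, so this reference depends on the `jwtSecret` parameter being declared that way in the same template.yaml. The hunk does not show the parameter definition; please confirm the two match, and add a short comment beside this line saying where the value comes from.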
${{ secrets.jwtSecret }} is unlikely to resolve here: the portal scaffolder config only defines environment secrets like GITEA_TOKEN, so this will render an empty JWT secret (or fail templating). Use the user input (parameters.jwtSecret) and rely on ui:field: Secret/password masking to avoid leaking it in the UI/logs.
| databaseVersion: ${{ parameters.databaseConfig.version or '16' }} | ||
| apiSchema: ${{ parameters.apiSchema }} | ||
| jwtSecret: ${{ parameters.jwtSecret }} | ||
| jwtSecret: ${{ secrets.jwtSecret }} | ||
| jwtRole: ${{ parameters.jwtRole }} |
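Review bot: The `jwtSecret:` value here is handed over as an ordinary template value next to `databaseVersion` and `apiSchema`, so whatever it resolves to is written verbatim into the rendered files. If those files are committed to the GitOps repository, the JWT signing secret ends up in Git history; consider having the manifest reference a Kubernetes Secret by name and creating that Secret outside the template output.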
Same issue as earlier: ${{ secrets.jwtSecret }} is not provided by the scaffolder execution context (only configured env secrets like GITEA_TOKEN exist), so this will not propagate the JWT secret into the rendered GitOps manifests. Reference the parameter value instead.
| backstage.io/techdocs-ref: dir:. | ||
| backstage.io/kubernetes-id: ${{ values.name }} | ||
| backstage.io/kubernetes-label-selector: app.kubernetes.io/name=${{ values.name }} | ||
| backstage.io/kubernetes-namespace: default |
backstage.io/kubernetes-namespace is hardcoded to default, but this template lets the user choose a namespace (parameters.namespace). This will break Kubernetes/CI-CD tab discovery when deploying outside default; consider templating this annotation (e.g. via values.namespace) and passing the namespace into the source fetch:template values.
| backstage.io/kubernetes-namespace: default | |
| backstage.io/kubernetes-namespace: ${{ values.namespace }} |
| params: [ | ||
| {name: "app-repo-url", value: "$(tt.params.git-repo-url)"}, | ||
| {name: "app-repo-revision", value: "$(tt.params.git-revision)"}, | ||
| {name: "db-secret-name", value: "api-db-secret"}, | ||
| {name: "migration-source", value: "db/migration"}, | ||
| {name: "db-secret-name", value: _bp.databaseSecretRef}, | ||
| {name: "migration-source", value: "db/migrations"}, | ||
| {name: "namespace", value: _bp.namespace}, | ||
| ] |
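Review bot: `_bp.databaseSecretRef` on the `db-secret-name` line has no fallback visible in this hunk, while the per-file summary places the `{appName}-db-secret` default in mapper.go. Rendering this CUE with the field unset would leave the param without a concrete value; consider a CUE default or a constraint on the blueprint field so the problem is caught at render time rather than when the PipelineRun starts.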
The trigger now sets migration-source to db/migrations, but several file comments still refer to db/migration (singular) and the listener section says it filters by db/migration. Please update the comments/docs in this file to reflect the current behavior (and/or explicitly call out that the CEL filter supports both paths).
| dbName: "testdb", | ||
| port: 5432, | ||
| expected: "postgres://user:pass@::1:5432/testdb", | ||
| expected: "postgres://user:pass@::1:5432/testdb?sslmode=disable", |
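Review bot: The updated `expected:` line locks `sslmode=disable` into the generated URI, which means the connection to Postgres is unencrypted and the server certificate is never checked. If that is intended only for the in-cluster development database, make the mode an input of `formatPostgresURI` and add a test case for a stricter value such as `require` or `verify-full`.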
The IPv6 test case (and current formatPostgresURI behavior) produces postgres://...@::1:5432/..., which is not a valid URI because IPv6 hosts must be wrapped in brackets ([::1]). Consider updating formatPostgresURI to bracket IPv6 literals and adjust this expectation accordingly.
| expected: "postgres://user:pass@::1:5432/testdb?sslmode=disable", | |
| expected: "postgres://user:pass@[::1]:5432/testdb?sslmode=disable", |
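The bracketing rule from the review comment above, as an added Go example (not the operator's `formatPostgresURI`, whose body is not shown on this page). The hypothetical `buildPostgresURI` lets `net.JoinHostPort` bracket IPv6 literals and `url.UserPassword` escape reserved characters in credentials; the `sslMode` parameter and the sample values are assumptions.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
	"strconv"
)

// buildPostgresURI is a hypothetical helper, not the project's function.
// Building the URI through net/url avoids the two defects string
// concatenation invites: unbracketed IPv6 hosts and unescaped credentials.
func buildPostgresURI(user, pass, host string, port int, dbName, sslMode string) string {
	u := url.URL{
		Scheme: "postgres",
		// Escapes '@', '/', ':' and '?' inside the username and password.
		User: url.UserPassword(user, pass),
		// Wraps the host in [] when it contains a colon (IPv6 literal).
		Host: net.JoinHostPort(host, strconv.Itoa(port)),
		Path: "/" + dbName,
	}
	// sslMode is an explicit input (assumption) instead of a fixed "disable".
	if sslMode != "" {
		q := url.Values{}
		q.Set("sslmode", sslMode)
		u.RawQuery = q.Encode()
	}
	return u.String()
}

func main() {
	// Constructed sample inputs.
	fmt.Println(buildPostgresURI("user", "pass", "::1", 5432, "testdb", "disable"))
	fmt.Println(buildPostgresURI("user", "p@ss/w:rd", "db.internal", 5432, "testdb", "verify-full"))
}
```
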
b6faeb3 into features/sprint4-backend-templates-db-injection
Description
This PR fixes several bugs discovered during end-to-end testing of the PostgREST scaffolding template and the db-migrate Tekton trigger pipeline.

Root causes found:
- api, causing the Helios Operator to provision secrets and statefulsets under the wrong name (e.g., api-db-secret instead of test-postgres-app-v8-db-secret). This broke the Portal's database and CI/CD tab discovery entirely.
- db-migrate CUE trigger had three bugs: the generated PipelineRun name could exceed Kubernetes' 63-character limit for long app names (causing silent webhook failures), the DB secret reference was hardcoded to api-db-secret, and the migration file path was db/migration (singular) instead of db/migrations (plural) which is what the template scaffolds.
- catalog-info.yaml was missing required Backstage annotations (tekton.dev/ci-cd, backstage.io/kubernetes-label-selector, backstage.io/kubernetes-namespace) needed for the CI/CD and Kubernetes tabs to function in the portal.

Type of change
Checklist
Files changed:
- cue/definitions/tekton/triggers/db-migrate-trigger.cue: databaseSecretRef; fix path to db/migrations
- apps/operator/internal/controller/tekton/mapper.go: DatabaseSecretRef dynamically from app.Name instead of hardcoded fallback
- apps/portal/examples/postgrest-template/content/gitops/helios-app.yaml: ${{ values.name }} for component name instead of static api
- apps/portal/examples/postgrest-template/content/source/catalog-info.yaml
- apps/portal/examples/postgrest-template/template.yaml: ui:widget: password
- apps/portal/examples/{dotnet,spring-boot}-template/content/source/catalog-info.yaml

Tested with:
- test-postgres-app — ArgoCD sync ✅, database provisioned ✅, portal database tab ✅, portal CI/CD tab ✅, db-migrate webhook trigger ✅
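An added Go example, not code from this PR, of the name-length fix described above. It goes one step beyond plain truncation: a long app name is cut to the 32-character budget with a short hash of the full name appended, so two apps sharing a long prefix do not collide. `boundedPrefix`, `pipelineRunName` and the name layout are assumptions.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

const (
	maxAppLen  = 32 // app-name budget stated in the PR
	maxNameLen = 63 // Kubernetes limit cited in the PR
)

// boundedPrefix (hypothetical) returns short names unchanged. Longer names are
// cut so that head + "-" + 6 hex digits of SHA-256(full name) fits maxAppLen.
// Assumes ASCII DNS-label input, so byte slicing is safe.
func boundedPrefix(app string) string {
	if len(app) <= maxAppLen {
		return app
	}
	sum := sha256.Sum256([]byte(app))
	tag := hex.EncodeToString(sum[:])[:6]
	// Trim separators left at the cut so the name never contains "--".
	head := strings.TrimRight(app[:maxAppLen-len(tag)-1], "-.")
	return head + "-" + tag
}

// pipelineRunName joins prefix, kind and run id (assumed layout) and rejects
// an over-long result instead of letting the API server drop it silently.
func pipelineRunName(app, kind, runID string) (string, error) {
	name := boundedPrefix(app) + "-" + kind + "-" + runID
	if len(name) > maxNameLen {
		return "", fmt.Errorf("name %q is %d chars, limit is %d", name, len(name), maxNameLen)
	}
	return name, nil
}

func main() {
	// Constructed sample app names sharing a long common prefix.
	for _, app := range []string{
		"test-postgres-app-v8",
		"payments-reconciliation-service-staging-eu",
		"payments-reconciliation-service-staging-us",
	} {
		fmt.Println(pipelineRunName(app, "migrate", "x7k2p"))
	}
}
```
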