Merged
57 commits
f69be3a
feat(portal): add .NET 10 Web API backstage template with postgres wi…
PhuocHoan Apr 12, 2026
4ea9c93
chore: update prereq scripts and operator test expectations
PhuocHoan Apr 12, 2026
95e1f1a
portal: refine template descriptions and local CORS origins
PhuocHoan Apr 12, 2026
7cf6573
Enhance database environment variable injection in Deployment (#67)
NgocAnhDo26 Apr 12, 2026
f67ca74
Users/hpn/implement postg rest auto api template (#65)
nghiaz160904 Apr 12, 2026
e7946e9
Upgrade dotnet template and postgres defaults to latest
PhuocHoan Apr 13, 2026
cf86730
Merge branch 'features/sprint4-backend-templates-db-injection' into u…
PhuocHoan Apr 13, 2026
fb2bfff
feat: add cross-platform support (Windows & Linux) for bootstrap proc…
PhamHoangKha1403 Apr 14, 2026
18cc2e1
Merge base branch and resolve template/setup conflicts
PhuocHoan Apr 15, 2026
2edfa6a
Update dotnet template to SDK 10.0.202 and add PR68 evidence guide
PhuocHoan Apr 15, 2026
1a68e88
Remove PR68 evidence guide from tracked files
PhuocHoan Apr 15, 2026
2f1779e
fix tekton and portal local dev integration
PhuocHoan Apr 15, 2026
8663db2
fix portal prettier formatting
PhuocHoan Apr 15, 2026
c53892c
feat(postgrest-template): Remove obsolete files and enhance template …
nghiaz160904 Apr 9, 2026
9a91d2e
feat(postgrest-template): Enhance PostgREST template with detailed RE…
nghiaz160904 Apr 9, 2026
3ce52d2
feat(postgrest-template): Remove obsolete GitOps files and update val…
nghiaz160904 Apr 12, 2026
b85b094
feat: Implement database migration trigger for PostgREST
nghiaz160904 Apr 12, 2026
1aedf76
temp: enhance PostgREST template with default values and new actions …
nghiaz160904 Apr 15, 2026
a0db3a4
Add initial migration
nghiaz160904 Apr 16, 2026
edd5a5a
feat: Enhance database migration support and improve webhook handling
nghiaz160904 Apr 16, 2026
ea40c07
chore: remove initial schema migration file
nghiaz160904 Apr 16, 2026
89ff59f
feat: Add database secret reference and validation for HeliosApp conf…
nghiaz160904 Apr 18, 2026
c30b5b9
Merge pull request #68 from helios-platform-team/users/hph/impl/templ…
NgocAnhDo26 Apr 18, 2026
8a5ef55
fix: Update secret validation to exclude database secrets due to auto…
nghiaz160904 Apr 19, 2026
37ac092
feat: Add database secret reference to WebhookIngress configuration
nghiaz160904 Apr 19, 2026
aa28e11
fix: Add databaseSecretRef to Tekton schema for improved secret manag…
nghiaz160904 Apr 19, 2026
b70dd0f
Merge pull request #70: branch 'bug/user/hpn/postgrest-template-fail…
VH3956 Apr 19, 2026
17539f6
setup hasura-graphql-template
VH3956 Apr 5, 2026
dfd936b
comment's review fix + change of workflow
VH3956 Apr 15, 2026
e0c011b
fix gitops namespace
VH3956 Apr 20, 2026
6ef3a7b
feat: Enhance Hasura GraphQL template with database secret reference …
nghiaz160904 Apr 20, 2026
25360f8
adding Docker workflow
VH3956 Apr 20, 2026
917bf8f
fix: Add new steps in taskfile to resolve startup problem, fix duplic…
hoangphuc841 Apr 21, 2026
eeba8db
fix: update application catalog metadata and fix an issue with compon…
hoangphuc841 Apr 21, 2026
7f837e9
fix: resolve db-migrate trigger and postgrest template issues
hoangphuc841 Apr 21, 2026
6cb1c63
- fix(crd): remove hardcoded 'api-db-secret' kubebuilder default from
hoangphuc841 Apr 21, 2026
2641c6a
update gitosPath + readme
VH3956 Apr 21, 2026
f6b8f1b
fix(test): updates tests for the recent changes
hoangphuc841 Apr 21, 2026
02e186d
chore: regenerate the crd from the go type annotations to match CI ch…
hoangphuc841 Apr 21, 2026
1c1fab8
fix(cue): replace unsafe [:32] string slice with safe conditional let…
hoangphuc841 Apr 21, 2026
7fd9b97
fix(template): updated jwt references after switching to secret field
hoangphuc841 Apr 21, 2026
6bdddb2
fix(lint): extract repeated postgres string into dbTypePostgres const…
hoangphuc841 Apr 21, 2026
1c8e862
fix(template): update jwtSecret description and enforce length constr…
nghiaz160904 Apr 21, 2026
aa57f62
fix: accessing DB url + add:database migration
VH3956 Apr 22, 2026
4c363f9
fix: using PGRST_DB_URI + update cue logic for kube secret injections
VH3956 Apr 28, 2026
be601cd
fix: update manifest namespace
VH3956 Apr 28, 2026
b6faeb3
Merge pull request #71 from helios-platform-team/user/nhphuc/test-and…
NgocAnhDo26 May 3, 2026
062708c
Merge branch 'features/sprint4-backend-templates-db-injection' into u…
nghiaz160904 May 15, 2026
dd7acd2
Merge pull request #64 from helios-platform-team/users/ndvh/impl/hasu…
nghiaz160904 May 15, 2026
9450115
feat: Implement automated database migration flow for PostgREST services
May 22, 2026
9afc93c
refactor: Simplify client calls in PreSyncReconciler methods
May 23, 2026
72724d2
Merge branch 'main' into users/hpn/refactorPostgREST-CI/CD-pipeline-w…
nghiaz160904 May 26, 2026
f03ab17
fix: Fixed according to CodeRabbit reviews.
May 26, 2026
c85adb1
fix: lint
May 26, 2026
ed8571e
feat: Add system secrets provisioning to DatabaseReconciler and updat…
May 27, 2026
05db557
refactor: Enhance error handling and improve annotations in PreSync a…
May 27, 2026
cd9514e
test: Add Docker credentials and GitOps bot secrets to unit tests
May 27, 2026
6 changes: 3 additions & 3 deletions apps/operator/config/crd/bases/app.helios.io_heliosapps.yaml
Expand Up @@ -101,9 +101,9 @@ spec:
description: ContextSubpath is the path where the Dockerfile is located
type: string
databaseSecretRef:
default: api-db-secret
description: DatabaseSecretRef is the name of the secret containing
database credentials for migrations
description: |-
DatabaseSecretRef is the name of the secret containing database credentials for migrations.
Defaults to {appName}-db-secret if not set.
type: string
description:
description: Description of the application
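Review bot: On `databaseSecretRef`, removing `default: api-db-secret` takes the defaulting out of the schema, so the new description's "Defaults to {appName}-db-secret if not set" is a promise the API server no longer enforces. Confirm that the operator resolves the empty value in exactly one place, so every consumer of the field arrives at the same secret name. Also decide what happens to existing HeliosApp objects: anything created under the old schema already has the literal `api-db-secret` persisted in its spec and will never fall through to the per-app default. A sentence in the description or in the upgrade notes covering that case would help.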
2 changes: 2 additions & 0 deletions apps/operator/config/manager/kustomization.yaml
Expand Up @@ -4,3 +4,5 @@ apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
images:
- name: controller
newName: controller
newTag: latest
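Review bot: The added `newName: controller` and `newTag: latest` under `images:` rename the image to itself and pin nothing, which is the shape `kustomize edit set image` leaves behind after a local run; if that is where they came from, drop both lines from the commit instead of versioning them. If the base is meant to carry an image reference, make it an immutable one (a release tag, or a `digest:` entry) so that the operator that gets deployed is the one that was reviewed. That matters more here because the same PR extends the operator's RBAC rule to `clusterroles` and `clusterrolebindings`.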
Comment on lines 5 to +8
⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Check whether there is a separate production overlay with a pinned version
fd -t f "kustomization" apps/operator/config/ --exec cat {} \; -exec echo "--- File: {}" \;

Repository: helios-platform-team/helios-platform

Length of output: 422


🏁 Script executed:

#!/bin/bash
set -euo pipefail

# 1) Find every use of newTag: latest in apps/operator/config
echo "== newTag: latest occurrences =="
rg -n --hidden --no-ignore -S "newTag:\s*latest" apps/operator/config || true

# 2) List every kustomization.yaml in apps/operator/config to see the overlay structure
echo
echo "== kustomization.yaml files =="
fd -t f "kustomization.yaml" apps/operator/config -x echo

# 3) Print the kustomization.yaml of the manager directory (where the snippet lives) for comparison
echo
echo "== manager/kustomization.yaml =="
if [ -f "apps/operator/config/manager/kustomization.yaml" ]; then
  nl -ba apps/operator/config/manager/kustomization.yaml | sed -n '1,120p'
else
  echo "File not found: apps/operator/config/manager/kustomization.yaml"
fi

Repository: helios-platform-team/helios-platform

Length of output: 747


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== manager/kustomization.yaml (with line numbers) =="
cat -n apps/operator/config/manager/kustomization.yaml | sed -n '1,200p'

echo
echo "== Search for prod/production overlays references =="
rg -n --hidden --no-ignore -S "(prod|production|staging|dev|development)" apps/operator/config || true

echo
echo "== Search where manager is included as resource/base =="
rg -n --hidden --no-ignore -S "manager" apps/operator/config/*/kustomization.yaml || true

Repository: helios-platform-team/helios-platform

Length of output: 6353


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== List kustomization.yaml under apps/operator/config (already known) =="
fd -t f "kustomization.yaml" apps/operator/config -x echo

echo
echo "== Show apps/operator/config/default/kustomization.yaml =="
cat -n apps/operator/config/default/kustomization.yaml | sed -n '1,240p'

echo
echo "== Search where apps/operator/config/default (or ../manager) is referenced outside config =="
rg -n --hidden --no-ignore -S "apps/operator/config/default|../manager|operator/config/default|operator/config/manager" apps || true

echo
echo "== Search for \"newTag: latest\" across repo =="
rg -n --hidden --no-ignore -S "newTag:\s*latest" . || true

Repository: helios-platform-team/helios-platform

Length of output: 11237


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== apps/operator/Makefile: tìm các đoạn set image controller=${IMG} =="
rg -n "set image controller=" apps/operator/Makefile

echo
echo "== Hiển thị quanh các dòng 150-240 =="
sed -n '140,240p' apps/operator/Makefile

echo
echo "== Hiển thị quanh các dòng 280-360 =="
sed -n '280,360p' apps/operator/Makefile

Repository: helios-platform-team/helios-platform

Length of output: 121


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== apps/operator/Makefile: tìm các đoạn set image controller=... =="
rg -n 'set image controller=' apps/operator/Makefile

echo
echo "== Hiển thị quanh các dòng 140-240 =="
sed -n '140,240p' apps/operator/Makefile

echo
echo "== Hiển thị quanh các dòng 280-360 =="
sed -n '280,360p' apps/operator/Makefile

Repository: helios-platform-team/helios-platform

Length of output: 7837


🏁 Script executed:

#!/bin/bash
set -euo pipefail

rg -n "^\s*IMG\s*(\?|:|\+=|=)" apps/operator/Makefile || true

echo
echo "== Show lines around any IMG definition =="
# print around likely IMG assignments
rg -n "IMG" apps/operator/Makefile | head -n 50

echo
echo "== Search for \"make deploy\" docs/usage mentioning IMG override =="
rg -n "make (deploy|install)|IMG=" apps/operator/README.md apps/operator/Makefile || true

Repository: helios-platform-team/helios-platform

Length of output: 3046


Pin the controller image tag instead of using latest

apps/operator/config/manager/kustomization.yaml currently sets:

images:
- name: controller
  newName: controller
  newTag: latest

In addition, apps/operator/Makefile has IMG ?= controller:latest, and make deploy/install runs kustomize edit set image controller=${IMG}, so if IMG is not passed the deployment will always use latest, which reduces reproducibility and makes rollback and debugging harder in production. Pin a specific version (or require IMG to be passed from CI) instead of defaulting to latest.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@apps/operator/config/manager/kustomization.yaml` around lines 5 - 8, Replace
the default "latest" image tag with a pinned tag and require/pass IMG from CI:
update the images entry in kustomization.yaml to use a specific version (not
"latest") for name: controller/newName: controller/newTag: <pin>, and change the
Makefile's IMG ?= controller:latest to either fail if IMG is unset or remove the
default (e.g., require IMG be provided by CI) so that the deploy path using
kustomize edit set image controller=${IMG} always receives an explicit,
reproducible tag; ensure any documentation/CI pipelines are updated to supply
the chosen IMG variable.
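
One way to enforce the finding above in CI, as an added example that is not part of this PR or of the CodeRabbit review: a shell function that fails when an `images:` entry in a kustomization.yaml carries no tag, the `latest` tag, and no digest. The function name and the flat block layout it parses (one `- name:` per entry, as in the snippet above) are assumptions.

```shell
#!/bin/sh
# Added example: CI guard against mutable image tags in a kustomization.yaml.
# Assumption: the images block uses the simple layout shown in the review
# comment (top-level "images:", one "- name:" per entry, fields indented).

# Prints one line per offending entry; returns 1 if any entry is not pinned.
check_pinned_images() {
  awk '
    # Judge the entry collected so far, then reset it.
    function flush() {
      if (name == "") return
      if (digest == "" && (tag == "" || tag == "latest")) {
        printf "%s: mutable or missing tag (%s)\n", name, (tag == "" ? "none" : tag)
        bad = 1
      }
      name = ""
    }
    /^images:/                 { in_images = 1; next }
    # Any other top-level key ends the images block.
    in_images && /^[^ -]/      { flush(); in_images = 0 }
    in_images && /^ *- *name:/ { flush(); name = $NF; tag = ""; digest = "" }
    in_images && /^ *newTag:/  { tag = $NF; gsub(/"/, "", tag) }
    # A digest is immutable, so it satisfies the check on its own.
    in_images && /^ *digest:/  { digest = $NF }
    END { flush(); exit bad + 0 }
  ' "$1"
}

# Stand-alone use: sh check.sh path/to/kustomization.yaml
if [ "$#" -gt 0 ]; then
  check_pinned_images "$1"
fi
```

Run against apps/operator/config/manager/kustomization.yaml as it stands in this PR, the check reports the `controller` entry and exits non-zero.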

2 changes: 2 additions & 0 deletions apps/operator/config/rbac/role.yaml
Expand Up @@ -70,6 +70,8 @@ rules:
- apiGroups:
- rbac.authorization.k8s.io
resources:
- clusterrolebindings
- clusterroles
- rolebindings
- roles
verbs:
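Review bot: Adding `clusterrolebindings` and `clusterroles` to the existing `rbac.authorization.k8s.io` rule gives them whatever verbs follow for `rolebindings` and `roles`, and that verb list is cut off below this hunk, so the diff does not show how much cluster-scoped RBAC write access the operator gains. Write access to ClusterRoleBindings turns a compromise of the operator's ServiceAccount into a cluster-wide problem, so put the two cluster-scoped resources in their own rule with only the verbs the controller needs, and confirm that `bind` and `escalate` are not among them. Where the object names are fixed, `resourceNames` can limit update and delete (it cannot constrain create). If this file is generated from kubebuilder markers, the marker is the place to make the change.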
88 changes: 57 additions & 31 deletions apps/operator/internal/controller/argocd/application.go
Expand Up @@ -8,13 +8,68 @@ import (
"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
)

// GenerateArgoApplication creates an ArgoCD Application manifest.
// GenerateArgoApplication creates an ArgoCD Application manifest with PreSync hooks
// if the HeliosApp has a database trait for automatic database migrations.
func GenerateArgoApplication(heliosApp *appv1alpha1.HeliosApp) (*unstructured.Unstructured, error) {
appName := heliosApp.Name + "-argocd"
targetNamespace := cmp.Or(heliosApp.Spec.ArgoCDNamespace, "argocd")
project := cmp.Or(heliosApp.Spec.ArgoCDProject, "default")
gitOpsBranch := cmp.Or(heliosApp.Spec.GitOpsBranch, "main")

spec := map[string]any{
"project": project,
"source": map[string]any{
"repoURL": shared.RewriteGiteaURL(heliosApp.Spec.GitOpsRepo),
"targetRevision": gitOpsBranch,
"path": heliosApp.Spec.GitOpsPath,
},
"destination": map[string]any{
"server": "https://kubernetes.default.svc",
"namespace": heliosApp.Namespace,
},
"syncPolicy": map[string]any{
"automated": map[string]any{
"prune": true,
"selfHeal": true,
},
"syncOptions": []any{
"CreateNamespace=true",
},
},
"ignoreDifferences": []any{
map[string]any{
"group": "apps",
"kind": "Deployment",
"jqPathExpressions": []any{
`.spec.template.spec.containers[].env[]? | select(.name | test("^DB_"))`,
},
},
},
}

// Add PreSync hook if database trait exists
if HasDatabaseTrait(heliosApp) {
spec["syncPolicy"] = map[string]any{
"automated": map[string]any{
"prune": true,
"selfHeal": true,
},
"syncOptions": []any{
"CreateNamespace=true",
},
}

// Add PreSync hook to application
// Note: PreSync Job is created and managed by PreSyncReconciler
// This is referenced via Job annotations, not stored in Application spec
syncPolicy := spec["syncPolicy"].(map[string]any)
syncPolicy["syncOptions"] = append(
syncPolicy["syncOptions"].([]any),
"SkipDryRunOnMissingResource=true",
)
spec["syncPolicy"] = syncPolicy
}
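Review bot: In the `HasDatabaseTrait` branch, the doc comment and both inline comments say a PreSync hook is added, but the only effect on the manifest is appending `SkipDryRunOnMissingResource=true` to `syncOptions`; reword them to say that, and keep the pointer to PreSyncReconciler. Setting the option under `syncPolicy.syncOptions` applies it to every resource in the Application, so together with `prune: true` and `selfHeal: true` any manifest of a not-yet-known kind in the GitOps path skips dry-run validation. If only one resource needs it, the `argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true` annotation on that resource is narrower. It would also help to state which kind is missing at sync time, since a Job is a built-in kind. The two unchecked type assertions are safe only while `spec` is built a few lines above; the comma-ok form would keep a later refactor from becoming a panic.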
Comment on lines +50 to +71

🧹 Nitpick | 🔵 Trivial | ⚡ Quick win

The code that adds SkipDryRunOnMissingResource is partly redundant.

Lines 52-60 reassign a syncPolicy map identical to the one already defined at lines 30-38. Just append the extra option to the existing syncOptions.

♻️ Suggested simplification
 	// Add PreSync hook if database trait exists
 	if HasDatabaseTrait(heliosApp) {
-		spec["syncPolicy"] = map[string]any{
-			"automated": map[string]any{
-				"prune":    true,
-				"selfHeal": true,
-			},
-			"syncOptions": []any{
-				"CreateNamespace=true",
-			},
-		}
-
-		// Add PreSync hook to application
-		// Note: PreSync Job is created and managed by PreSyncReconciler
-		// This is referenced via Job annotations, not stored in Application spec
-		syncPolicy := spec["syncPolicy"].(map[string]any)
-		syncPolicy["syncOptions"] = append(
-			syncPolicy["syncOptions"].([]any),
+		// Add SkipDryRunOnMissingResource for PreSync Job support
+		syncPolicy := spec["syncPolicy"].(map[string]any)
+		syncPolicy["syncOptions"] = append(
+			syncPolicy["syncOptions"].([]any),
 			"SkipDryRunOnMissingResource=true",
 		)
-		spec["syncPolicy"] = syncPolicy
 	}
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@apps/operator/internal/controller/argocd/application.go` around lines 50 -
71, The code redundantly recreates the syncPolicy map for
HasDatabaseTrait(heliosApp) then reassigns it; instead locate the existing
spec["syncPolicy"] (map[string]any) and simply append
"SkipDryRunOnMissingResource=true" to its "syncOptions" slice without rebuilding
the whole map — update the block around HasDatabaseTrait/heliosApp to fetch
spec["syncPolicy"].(map[string]any), append the option to
syncPolicy["syncOptions"].([]any), and leave spec["syncPolicy"] otherwise
unchanged.


app := map[string]any{
"apiVersion": "argoproj.io/v1alpha1",
"kind": "Application",
Expand All @@ -26,36 +81,7 @@ func GenerateArgoApplication(heliosApp *appv1alpha1.HeliosApp) (*unstructured.Un
"app.kubernetes.io/managed-by": "helios-operator",
},
},
"spec": map[string]any{
"project": project,
"source": map[string]any{
"repoURL": shared.RewriteGiteaURL(heliosApp.Spec.GitOpsRepo),
"targetRevision": gitOpsBranch,
"path": heliosApp.Spec.GitOpsPath,
},
"destination": map[string]any{
"server": "https://kubernetes.default.svc",
"namespace": heliosApp.Namespace,
},
"syncPolicy": map[string]any{
"automated": map[string]any{
"prune": true,
"selfHeal": true,
},
"syncOptions": []any{
"CreateNamespace=true",
},
},
"ignoreDifferences": []any{
map[string]any{
"group": "apps",
"kind": "Deployment",
"jqPathExpressions": []any{
`.spec.template.spec.containers[].env[]? | select(.name | test("^DB_"))`,
},
},
},
},
"spec": spec,
}

return &unstructured.Unstructured{Object: app}, nil