Skip to content

chore(base-cluster/dependencies)!: update helm release velero to v11 - abandoned #1827

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
renovate wants to merge 3 commits into
base: main
Choose a base branch
from
Open

chore(base-cluster/dependencies)!: update helm release velero to v11 - abandoned #1827

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
5bee063
chore(base-cluster/dependencies)!: update helm release velero to v11
renovate[bot] Feb 9, 2026
2d30d63
chore(base-cluster/velero)!: update velero, checks and documentation
tasches Feb 9, 2026
0ca4cb9
fix(docs): change path description to correct value
tasches Apr 29, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 5 additions & 0 deletions charts/base-cluster/README.md.gotmpl
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -434,4 +434,9 @@ of `.monitoring.tracing.ingester.<field>`

- This release disables the trivy-operator by default.
To continue using the operator set `.monitoring.securityScanning.enabled` to `true`.

- This release upgrades velero to the latest version. In that the uploader type changed from restic to kopia and restic
repositories are no longer supported. For the upgrade you have to create a new bucket and configure it as new
`backup.provider.velero.defaultLocation`. Please also delete all old restic repositories.

{{ .Files.Get "values.md" }}
17 changes: 16 additions & 1 deletion charts/base-cluster/templates/backup/velero/velero.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,4 +1,9 @@
{{- if (.Values.backup.provider).velero }}
{{- range $index, $repo := (lookup "velero.io/v1" "BackupRepository" "backup" "").items}}
Copy link
Copy Markdown
Member

@cwrau cwrau Apr 29, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You don't need the index

{{- if eq $repo.spec.repositoryType "restic" }}
{{- fail (printf "The Backuprepository '%s' is of unsupported type restic" $repo.metadata.name) }}
Copy link
Copy Markdown
Member

@cwrau cwrau Apr 29, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Aren't they namespaced? If yes you should also print out the namespace

{{- end }}
{{- end }}
Comment on lines +2 to +6
Copy link
Copy Markdown

@coderabbitai coderabbitai Bot Apr 29, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

# First, let's examine the actual file to see the code at lines 2-6
cat -n charts/base-cluster/templates/backup/velero/velero.yaml | head -20

Repository: teutonet/teutonet-helm-charts

Length of output: 963

🏁 Script executed:

# Also check if there's context around this - let's see a wider range
wc -l charts/base-cluster/templates/backup/velero/velero.yaml

Repository: teutonet/teutonet-helm-charts

Length of output: 133

🏁 Script executed:

# Search for similar lookup() patterns in the repository to see how they're handled
rg "lookup\s*\(" charts/ -A 2 -B 1 | head -100

Repository: teutonet/teutonet-helm-charts

Length of output: 55

🌐 Web query:

Helm template lookup function null empty handling .items

💡 Result:

In Helm templates, the lookup function returns an empty map/dict {} when no matching resources are found in the cluster (or during helm template/--dry-run without cluster access). This empty map does not have an .items field. Accessing .items on an empty lookup result causes a "nil pointer" or similar template error because .items is nil/undefined. To safely handle this: 1. Check if lookup returned a non-empty result before accessing .items: {{- $lookupResult := lookup "v1" "Service" "mynamespace" "" }} {{- if $lookupResult }} {{- range $service := $lookupResult.items }} # process $service {{- end }} {{- end }} 2. For list lookups (empty name ""), check length: {{- if eq (len (lookup "v1" "Service" "mynamespace" "")) 0 }} # No services found {{- else }} # Services exist {{- end }} The official Helm docs confirm: "When lookup returns a list of objects, it is possible to access the object list via the items field" but "When no object is found, an empty value is returned." The Go template source code explicitly returns map[string]interface{}{} (empty map) on not found, enabling if not (lookup ...) checks. Always wrap .items access in if $lookupResult to avoid errors.

Citations:

🏁 Script executed:

# Check if there's any error handling or similar patterns in the templates
rg "if.*lookup\|if.*\$" charts/base-cluster/templates/ -A 2 -B 1 | head -50

Repository: teutonet/teutonet-helm-charts

Length of output: 55

🏁 Script executed:

# Look for any Helm documentation or comments about lookup in the codebase
rg -i "lookup.*backuprepository\|backuprepository.*lookup" charts/

Repository: teutonet/teutonet-helm-charts

Length of output: 55

🏁 Script executed:

# Check the git history to understand when this was added and why
git log --oneline -n 20 -- charts/base-cluster/templates/backup/velero/velero.yaml

Repository: teutonet/teutonet-helm-charts

Length of output: 150

🏁 Script executed:

# Let's check the full context of how this template is used - are BackupRepositories always present?
cat -n charts/base-cluster/templates/backup/velero/velero.yaml | sed -n '1,30p'

Repository: teutonet/teutonet-helm-charts

Length of output: 1212

🏁 Script executed:

# Check if there's any documentation or values file that explains the expected state
find charts/base-cluster -name "*.md" -o -name "*values*" | xargs rg -l "BackupRepository\|velero" 2>/dev/null

Repository: teutonet/teutonet-helm-charts

Length of output: 57

🏁 Script executed:

# Check the values defaults
fd "values" charts/base-cluster/ --type f | head -5

Repository: teutonet/teutonet-helm-charts

Length of output: 307

🏁 Script executed:

# Check if there's documentation about the velero setup and expected state
cat -n charts/base-cluster/templates/backup/velero/README.md 2>/dev/null || echo "No README found"

Repository: teutonet/teutonet-helm-charts

Length of output: 89

🏁 Script executed:

# Look at the chart's values.yaml to understand defaults
cat charts/base-cluster/values.yaml | grep -A 20 "backup:" | head -30

Repository: teutonet/teutonet-helm-charts

Length of output: 881

🏁 Script executed:

# Verify if this pattern is consistently an issue - check when lookup is used without guarding
rg "lookup.*\(" charts/ -A 1 | grep -E "lookup|\.items" | head -20

Repository: teutonet/teutonet-helm-charts

Length of output: 851

Guard the lookup result before accessing .items.

The lookup() function returns an empty map when the BackupRepository resource is not found (e.g., during initial deployment or when running helm template/dry-run without cluster access). Accessing .items on this empty result causes template rendering to fail. The condition wrapping this block checks only if Velero is enabled, not whether BackupRepository resources exist.

🔧 Proposed fix 
 {{- if (.Values.backup.provider).velero }}
-{{- range $index, $repo := (lookup "velero.io/v1" "BackupRepository" "backup" "").items}}
-  {{- if eq $repo.spec.repositoryType "restic" }}
-    {{- fail (printf "The Backuprepository '%s' is of unsupported type restic" $repo.metadata.name) }}
-  {{- end }}
-{{- end }}
+{{- $repos := lookup "velero.io/v1" "BackupRepository" "backup" "" -}}
+{{- if $repos }}
+{{- range $repo := $repos.items }}
+  {{- if eq $repo.spec.repositoryType "restic" }}
+    {{- fail (printf "The BackupRepository '%s' is of unsupported type restic" $repo.metadata.name) }}
+  {{- end }}
+{{- end }}
+{{- end }}
 apiVersion: helm.toolkit.fluxcd.io/v2
🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In `@charts/base-cluster/templates/backup/velero/velero.yaml` around lines 2 - 6,
The template unconditionally accesses (lookup ...).items which fails when lookup
returns an empty map; guard that access by first capturing the lookup result and
checking it has items before ranging. For example, assign the lookup to a
variable (e.g., $repos := lookup "velero.io/v1" "BackupRepository" "backup" "")
and then wrap the range in a guard like {{- with $repos.items }} ... {{- end }}
(or check that $repos and $repos.items are non-empty) before iterating and
inspecting repo.spec.repositoryType and calling fail/printf with
repo.metadata.name.

apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
Expand Down Expand Up @@ -51,6 +56,16 @@ spec:
allowPrivilegeEscalation: false
seccompProfile:
type: RuntimeDefault
extraVolumeMounts:
- mountPath: /udmrepo
Copy link
Copy Markdown
Member

@cwrau cwrau Apr 29, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why udm?

name: udmrepo
- mountPath: /.cache
name: cache
extraVolumes:
- emptyDir: {}
name: udmrepo
- emptyDir: {}
name: cache
resources: {{- include "common.resources" .Values.backup | nindent 6 }}
priorityClassName: system-cluster-critical
deployNodeAgent: true # enable FSB
Expand Down Expand Up @@ -88,7 +103,7 @@ spec:
{{- end }}
{{- end }}
volumeSnapshotLocation: []
uploaderType: restic
uploaderType: kopia
metrics:
serviceMonitor:
additionalLabels:
Expand Down
8 changes: 8 additions & 0 deletions charts/base-cluster/templates/kyverno/policies/kyverno-base-policies/kyverno-policies.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -36,6 +36,7 @@ spec:
{{- $syncEtcdSecret := dict "resources" (dict "namespaces" (list "monitoring") "kinds" (list "Pod") "names" (list "sync-etcd-secret-*")) -}}
{{- $nodeExporter := dict "resources" (dict "namespaces" (list "monitoring") "kinds" (list "Pod") "names" (list "kube-prometheus-stack-prometheus-node-exporter-*")) -}}
{{- $nfsServerProvisioner := dict "resources" (dict "namespaces" (list "nfs-server-provisioner") "kinds" (list "Pod") "names" (list "nfs-server-provisioner-0")) -}}
{{- $velero := dict "resources" (dict "namespaces" (list "backup") "kinds" (list "Pod" "Deployment") "names" (list "node-agent-*" "velero-*" "backup-*")) -}}

{{- $disallowHostPath := list -}}
{{- $runAsNonRoot := list -}}
Expand All @@ -49,6 +50,13 @@ spec:
{{- $disallowHostPath = append $disallowHostPath $alloy -}}
{{- $runAsNonRoot = append $runAsNonRoot $alloy -}}
{{- end -}}
{{- if (.Values.backup.provider).velero -}}
{{- $disallowHostPath = append $disallowHostPath $velero -}}
{{- $disallowCapabilities = append $disallowCapabilities $velero -}}
{{- $restrictSeccomp = append $restrictSeccomp $velero -}}
{{- $disallowPrivilegeEscalation = append $disallowPrivilegeEscalation $velero -}}
{{- $runAsNonRoot = append $runAsNonRoot $velero -}}
{{- end -}}
{{- if .Values.monitoring.prometheus.enabled -}}
{{- $disallowHostPath = append $disallowHostPath $syncEtcdSecret -}}
{{- $disallowHostPath = append $disallowHostPath $nodeExporter -}}
Expand Down
2 changes: 1 addition & 1 deletion charts/base-cluster/values.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -210,7 +210,7 @@ global:
vmware:
url: https://vmware-tanzu.github.io/helm-charts
charts:
velero: 7.2.2
velero: 11.3.2
Copy link
Copy Markdown
Member

@cwrau cwrau Apr 29, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Wasn't there 12 already released?

condition: '{{ ne (.Values.backup.provider).velero nil }}'
twin:
url: https://twin.github.io/helm-charts
Expand Down
Loading