feat: update images in values for bitnami helm charts

[miklosbarabas]

Summary by CodeRabbit

• New Features

  • Configurable image registry/repository overrides for ClickHouse, PostgreSQL, MinIO, and Redis (defaults to docker.io/bitnamilegacy).

• Documentation

  • Helm chart README updated to document the new image override options and defaults.

• Chores

  • Minor formatting cleanup in build scripts (no functional change).
  • CI workflow adjusted so deployment steps run for pull-request triggers and skip automated release branches.

Checklist

• I have discussed my proposed changes in an issue and have received approval to proceed.
• I have followed the coding standards of the project.
• Tests or benchmarks have been added or updated.
• Documentation has been updated on https://github.com/wundergraph/cosmo-docs.
• I have read the Contributors Guide.

[coderabbitai]

Walkthrough

Adds image.registry and image.repository overrides for clickhouse, postgresql, minio, and redis in Helm values and documents them in the chart README; changes two CI workflow step conditions to run on pull requests (with release-please-- exclusion); and adds a trailing newline to a Makefile (no functional change).

Changes

Cohort / File(s)	Summary of diff
Helm values: image overrides helm/cosmo/values.yaml	Adds image.registry: docker.io and image.repository: bitnamilegacy/<component> entries for clickhouse, postgresql, minio, and redis in both Keycloak-related and top-level Cosmo sections.
Helm docs: values table updates helm/cosmo/README.md	Documents new image.registry and image.repository keys for clickhouse, minio, postgresql, and redis (additive entries only).
CI workflow: trigger condition change .github/workflows/helm-deployment.yaml	Changes step gating for "start minikube" and "Deploy to minikube" from github.event_name == 'push' with ref-based filter to github.event_name == 'pull_request' with head_ref-based filter; retains release-please-- exclusion.
Makefile formatting helm/Makefile	Adds a trailing newline at EOF only; no changes to commands or logic.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• chore: update bitnami image refs #2171 — Updates container image references to the bitnamilegacy namespace (directly related to the Helm image overrides in this PR).

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

CodeRabbit Commands (Invoked using PR/Issue comments)

Type @coderabbitai help to get the list of available commands.

Other keywords and placeholders

• Add @coderabbitai ignore or @coderabbit ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Status, Documentation and Community

• Visit our Status Page to check the current availability of CodeRabbit.
• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (4)

helm/Makefile (4)

47-47: Optionally parameterize namespace and paths for repeatability.
Hard-coding the realm path and omitting namespace can lead to accidental creation in the wrong namespace.

Apply this diff to the recipe:

-update-kc-realm:
-	kubectl create configmap realm --from-file=realm.json=../docker/keycloak/realm.json --dry-run=client -o yaml > realm-config-map.yaml
+update-kc-realm:
+	kubectl -n $(NAMESPACE) create configmap $(KC_REALM_CM_NAME) --from-file=realm.json=$(KC_REALM_FILE) --dry-run=client -o yaml > $(KC_REALM_OUTPUT)

Add these defaults near the top of the file (outside this hunk):

# Defaults (override via env or make vars)
NAMESPACE ?= default
KC_REALM_CM_NAME ?= realm
KC_REALM_FILE ?= ../docker/keycloak/realm.json
KC_REALM_OUTPUT ?= realm-config-map.yaml

---

9-10: Duplicate delete target defined twice.
GNU Make warns on duplicate recipes; keep a single definition.

Apply this diff to remove the duplicate:

-40
-delete:
-41
-	kapp delete -a cosmo
+40
+# (deleted duplicate delete target)

Also applies to: 40-41

---

1-1: Declare phony targets to avoid filename collisions.
Prevents targets like test, build, delete, etc., from being shadowed by files.

Add at the top:

+ .PHONY: test deploy delete publish-cosmo-chart publish-router-chart upload-artifacthub-manifest docs build docker-build-minikube update-kc-realm

---

5-7: Minor: drop unnecessary quotes around KAPP_ARGS.
Quotes become part of the value in Make; not needed here.

-KAPP_ARGS:="--logs-all"
+KAPP_ARGS := --logs-all

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

💡 Knowledge Base configuration:

• MCP integration is disabled by default for public repositories
• Jira integration is disabled by default for public repositories
• Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 6a9fee4 and 9a0be2e.

📒 Files selected for processing (1)

• helm/Makefile (1 hunks)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)

• GitHub Check: Analyze (javascript-typescript)
• GitHub Check: Analyze (go)

🔇 Additional comments (1)

helm/Makefile (1)

47-47: LGTM: no functional change in update-kc-realm recipe.
Command remains correct; trailing newline is harmless.

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (3)

.github/workflows/helm-deployment.yaml (3)

45-51: Re-gate minikube startup on safe PR contexts (non-fork, non-draft).

Unconditionally starting a cluster on every PR can be slow/flaky and executes repo-defined Make targets on untrusted forks. Recommend gating to same-repo, non-draft PRs.

Apply:

-#        if: github.event_name == 'push' && !startsWith(github.ref, 'refs/heads/release-please--')
+        if: ${{ !github.event.pull_request.head.repo.fork && !github.event.pull_request.draft }}

---

52-56: Re-gate deployment to minikube to avoid heavy work on forks/drafts.

Same concern as above; running make deploy on every PR (incl. forks) increases CI time and risk surface.

Apply:

-#        if: github.event_name == 'push' && !startsWith(github.ref, 'refs/heads/release-please--')
+        if: ${{ !github.event.pull_request.head.repo.fork && !github.event.pull_request.draft }}

---

2-7: Ensure this workflow runs when this file changes.

Currently it won’t trigger on edits to helm-deployment.yaml itself. Include the file in the path filter.

   pull_request:
     paths:
       - "helm/**/*"
       - ".github/workflows/helm-ci.yaml"
+      - ".github/workflows/helm-deployment.yaml"

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

💡 Knowledge Base configuration:

• MCP integration is disabled by default for public repositories
• Jira integration is disabled by default for public repositories
• Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between a29ae8d and 6588a76.

📒 Files selected for processing (2)

• .github/workflows/helm-deployment.yaml (1 hunks)
• helm/Makefile (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (1)

• helm/Makefile

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)

• GitHub Check: build_test
• GitHub Check: Analyze (go)
• GitHub Check: Analyze (javascript-typescript)

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (4)

helm/cosmo/values.yaml (4)

402-404: Bitnami legacy repo override is appropriate; also override auxiliary images and document the rationale.

Using docker.io/bitnamilegacy/* aligns with Bitnami’s Aug 28, 2025 catalog change; legacy is a stopgap with no updates. Please:

• Add a short comment explaining the temporary legacy switch.
• Override aux images to avoid mixed pulls (e.g., volumePermissions uses os-shell). (github.com)

Suggested change (add comments inline here):

 clickhouse:
-  image:
-    registry: docker.io
-    repository: bitnamilegacy/clickhouse
+  # Temporary: Bitnami moved legacy tags to docker.io/bitnamilegacy (Aug 28, 2025).
+  # TODO: migrate off legacy and pin tag/digest once plan is agreed.
+  image:
+    registry: docker.io
+    repository: bitnamilegacy/clickhouse

And add this block under clickhouse (outside the snippet above):

clickhouse:
  volumePermissions:
    image:
      registry: docker.io
      repository: bitnamilegacy/os-shell

Also consider pinning a tag or digest for reproducibility. (github.com)

Would you like a follow-up PR to audit and override all sub-images used by this chart version?

---

437-439: PostgreSQL: cover volumePermissions and (if enabled) metrics exporter images.

To prevent future ImagePullBackOff when those helpers are enabled, override their repos too. Newer Bitnami charts use os-shell for volumePermissions and postgres-exporter for metrics. (github.com)

Add under postgresql:

postgresql:
  volumePermissions:
    image:
      registry: docker.io
      repository: bitnamilegacy/os-shell
  metrics:
    image:
      registry: docker.io
      repository: bitnamilegacy/postgres-exporter

Also consider pinning tags/digests. (github.com)

If you share the exact bitnami chart versions in use, I can generate the precise set of image overrides.

---

469-471: MinIO: also override volumePermissions image when enabled.

Bitnami MinIO uses a volume-permissions init container; override it to legacy as well. (sir5kong.github.io)

Add under minio:

minio:
  volumePermissions:
    image:
      registry: docker.io
      repository: bitnamilegacy/bitnami-shell

Note: some charts have renamed this helper image to os-shell; verify the exact field in your chart version before merging. (github.com)

---

493-495: Redis: consider sentinel/metrics/volumePermissions overrides to avoid mixed sources.

If you ever enable these, set their repos to legacy too (examples below). (northflank.com)

Add under redis:

redis:
  volumePermissions:
    image:
      registry: docker.io
      repository: bitnamilegacy/os-shell
  sentinel:
    image:
      registry: docker.io
      repository: bitnamilegacy/redis-sentinel
  metrics:
    image:
      registry: docker.io
      repository: bitnamilegacy/redis-exporter

Also pin tags/digests where possible. (github.com)

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

💡 Knowledge Base configuration:

• MCP integration is disabled by default for public repositories
• Jira integration is disabled by default for public repositories
• Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 6588a76 and 3cf3a29.

📒 Files selected for processing (3)

• .github/workflows/helm-deployment.yaml (1 hunks)
• helm/Makefile (1 hunks)
• helm/cosmo/values.yaml (4 hunks)

✅ Files skipped from review due to trivial changes (1)

• helm/Makefile

🚧 Files skipped from review as they are similar to previous changes (1)

• .github/workflows/helm-deployment.yaml

🧰 Additional context used

🧠 Learnings (1)

📓 Common learnings

Learnt from: StarpTech
PR: wundergraph/cosmo#2142
File: helm/cosmo/Chart.yaml:0-0
Timestamp: 2025-08-15T10:21:45.838Z
Learning: In the WunderGraph Cosmo project, helm chart version upgrades and README badge synchronization are handled in separate helm release PRs, not in the initial version bump PRs.

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)

• GitHub Check: Analyze (javascript-typescript)
• GitHub Check: Analyze (go)
• GitHub Check: build_test

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (3)

.github/workflows/helm-deployment.yaml (3)

46-46: Redundant event_name guard.

The workflow only runs on pull_request, so checking github.event_name == 'pull_request' in-step is redundant. Keep only the release-please guard for clarity.

Suggested minimal change:

-        if: github.event_name == 'pull_request' && !startsWith(github.head_ref, 'release-please--')
+        if: !startsWith(github.head_ref, 'release-please--')

Also applies to: 53-53

---

18-18: Minikube + Helm deploy may exceed 8 minutes.

Starting Minikube and deploying charts often takes >8 minutes on ubuntu-latest. Consider bumping timeout-minutes to 15–20 to reduce flaky timeouts.

---

29-29: Pin actions to a commit SHA for supply-chain safety.

azure/setup-helm@v4, carvel-dev/setup-action@v2, and medyagh/setup-minikube@v0.0.18 should be pinned to immutable SHAs.

Example:

-        uses: azure/setup-helm@v4
+        uses: azure/setup-helm@<commit-sha>

-        uses: carvel-dev/setup-action@v2
+        uses: carvel-dev/setup-action@<commit-sha>

-        uses: medyagh/setup-minikube@v0.0.18
+        uses: medyagh/setup-minikube@<commit-sha>

Also applies to: 35-35, 48-48

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

💡 Knowledge Base configuration:

• MCP integration is disabled by default for public repositories
• Jira integration is disabled by default for public repositories
• Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 081ba64 and 3cbd300.

📒 Files selected for processing (4)

• .github/workflows/helm-deployment.yaml (1 hunks)
• helm/Makefile (1 hunks)
• helm/cosmo/README.md (4 hunks)
• helm/cosmo/values.yaml (4 hunks)

✅ Files skipped from review due to trivial changes (1)

• helm/cosmo/README.md

🚧 Files skipped from review as they are similar to previous changes (2)

• helm/cosmo/values.yaml
• helm/Makefile

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)

• GitHub Check: build_test
• GitHub Check: Analyze (go)
• GitHub Check: Analyze (javascript-typescript)

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (2)

.github/workflows/helm-deployment.yaml (2)

45-51: Release-please exclusion: fix looks good; drop redundant event check (optional).

Using github.head_ref correctly excludes release-please PRs. Since this workflow only runs on pull_request, the github.event_name guard is redundant.

Apply to simplify:

-        if: github.event_name == 'pull_request' && !startsWith(github.head_ref, 'release-please--')
+        if: "!startsWith(github.head_ref, 'release-please--')"

---

52-56: Same simplification for deploy step (optional).

Mirror the above to keep conditions consistent and minimal.

-        if: github.event_name == 'pull_request' && !startsWith(github.head_ref, 'release-please--')
+        if: "!startsWith(github.head_ref, 'release-please--')"

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

💡 Knowledge Base configuration:

• MCP integration is disabled by default for public repositories
• Jira integration is disabled by default for public repositories
• Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 3cbd300 and e7a10fd.

📒 Files selected for processing (4)

• .github/workflows/helm-deployment.yaml (1 hunks)
• helm/Makefile (1 hunks)
• helm/cosmo/README.md (4 hunks)
• helm/cosmo/values.yaml (4 hunks)

🚧 Files skipped from review as they are similar to previous changes (3)

• helm/Makefile
• helm/cosmo/README.md
• helm/cosmo/values.yaml

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)

• GitHub Check: build_test
• GitHub Check: Analyze (go)
• GitHub Check: Analyze (javascript-typescript)

[Noroth]

LGTM