Upgrade the integrated PostgreSQL from version 15 to 16.
Users who are updating from the previous version of the chart need to follow the upgrade process as outlined in the logs of the PostgreSQL pod. That means `helm upgrade`, configuring the `upstream.postgresql.extraEnvVars` key to include `POSTGRESQL_UPGRADE="copy"`. The complete configuration of the key would look like this (it needs to contain the config of `POSTGRESQL_ADMIN_PASSWORD` to avoid having `extraEnvVars` overridden without it):
How to test changes / Special notes to the reviewer
Checklist
For each Chart updated, version bumped in the corresponding Chart.yaml according to Semantic Versioning.
For each Chart updated, variables are documented in the values.yaml and added to the corresponding README.md. The pre-commit utility can be used to generate the necessary content. Use pre-commit run -a to apply changes. The pre-commit Workflow will do this automatically for you if needed.
JSON Schema template updated and re-generated the raw schema via the pre-commit hook.
Tests pass using the Chart Testing tool and the ct lint command.
Helm Chart values updated to use a PostgreSQL 16 container image.
Non-compliant requirements:
Existing deployments continue to work (backward compatibility).
Requires further human verification:
Update the RHDH Helm Chart configuration/values to deploy PostgreSQL 16 for the integrated database.
New Helm deployments create a PostgreSQL 16 database by default.
Configuration changes documented in the PR.
⏱️ Estimated effort to review: 2 🔵🔵⚪⚪⚪
🔒 Security concerns
Supply chain / non-deterministic image versioning: Using tag: latest for the database image can unintentionally pull newer images over time, which increases the risk of deploying unreviewed image changes (including potential vulnerabilities or breaking changes). Consider pinning a specific version tag or digest.
The ticket context calls out using the latest Red Hat supported PostgreSQL image/version, but the chart is updated to quay.io/fedora/postgresql-16. Please verify this is the intended, supported image source for RHDH (and aligns with the stated “Red Hat supported PostgreSQL 16 container image availability” dependency) rather than a community Fedora image.
PostgreSQL is configured with tag: latest, which can introduce non-deterministic upgrades and break reproducibility/backward compatibility expectations. Consider pinning to a specific PostgreSQL 16 image tag (or digest) and documenting the upgrade path accordingly.
The chart now defaults to quay.io/fedora/postgresql-16:latest, but other existing deployment manifests in the wider ecosystem still reference quay.io/fedora/postgresql-15:latest. Validate that all supported installation paths (Helm chart vs. any operator-provisioned DB or test manifests) are updated/compatible, otherwise users may end up with mismatched PostgreSQL versions depending on how they deploy. (Ref 2, Ref 4)
Reference reasoning: The reference YAML manifests consistently pin the PostgreSQL container image to major version 15, indicating an established baseline across deployment/test configurations. Changing only the chart default to major version 16 risks diverging from those established manifests unless the related configs are updated or compatibility is explicitly ensured.
Why: The suggestion correctly identifies that using the latest tag for the PostgreSQL image can cause unpredictable deployments and recommends pinning to a specific version, which is a critical best practice for stability and reproducibility.
I'm not entirely sure how much we want to describe the upgrade process in the documentation and in the release notes. My impression is that it's clear from the pod logs of the PostgreSQL pod. Maybe just to mention that an upgrade of the PostgreSQL database is needed?
Yeah, to fix the CI failures (upgrade checks by default), I think we would need to bump it to 6.0.0: #299 (comment)
Which kinda makes sense from a user's perspective as this seems like a breaking change requiring manual intervention.
Update Helm Chart values to use a PostgreSQL 16 container image for the integrated database
Ensure new Helm deployments create PostgreSQL 16 database by default
Document configuration changes in the PR
Non-compliant requirements:
Ensure existing deployments continue to work (backward compatibility)
Requires further human verification:
Ensure existing deployments continue to work (backward compatibility)
⏱️ Estimated effort to review: 2 🔵🔵⚪⚪⚪
🔒 Security concerns
Supply chain / unpinned image: tag: latest for the PostgreSQL image can pull unexpected newer builds over time, reducing reproducibility and increasing the risk of inadvertently consuming a compromised or incompatible image version. Pin to a specific version tag (and ideally an image digest) to mitigate this.
The integrated PostgreSQL image was switched from 15 to 16, but the diff does not include any chart-level migration/upgrade automation or guardrails (e.g., notes, hooks, conditional logic). Existing installs may require manual steps and could fail or have data/collation upgrade requirements; validate that upgrade paths are handled or clearly surfaced to users via chart docs/templates.
The PostgreSQL image uses tag: latest, which makes deployments non-reproducible and can cause unexpected upgrades. Consider pinning to an explicit Postgres 16 image tag (and ideally digest) aligned with the supported Red Hat image policy for this chart.
Why: This is a valuable suggestion as using the latest tag is a bad practice that can lead to unpredictable deployments and potential breaking changes. Pinning to a specific version is crucial for stability.
Medium
Show image tag pinning in example
Update the helm install example in the README to show how to pin the PostgreSQL image version using --set postgresql.image.tag=.
Why: This suggestion improves the user-facing documentation by demonstrating a best practice (pinning the image version) in the installation example, which helps users adopt a more stable configuration.
Low
Add image pull policy
Add an explicit imagePullPolicy: IfNotPresent to the PostgreSQL image configuration to make the image pulling behavior explicit and stable.
Why: This is a good practice for explicitness, but its impact is minor. If the image tag is changed from latest (as suggested elsewhere), the default pullPolicy becomes IfNotPresent anyway, making this change less critical.
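An added example, not part of the PR or of the review above: a Python check that walks Helm values, flags image blocks that float on `latest`, and reports the pull policy Kubernetes would default to for each. The `registry`/`repository`/`tag`/`digest`/`pullPolicy` key layout, the sample values, the `example-tag` tag and the all-zero digest are assumptions constructed for illustration.

```python
"""Audit Helm values for image references that are not pinned (added example)."""

FLOATING_TAGS = ("", "latest")

def effective_pull_policy(image):
    """Pull policy Kubernetes applies when none is set explicitly."""
    if image.get("pullPolicy"):
        return image["pullPolicy"]
    if image.get("digest"):
        return "IfNotPresent"          # digest references default to IfNotPresent
    tag = image.get("tag") or ""
    return "Always" if tag in FLOATING_TAGS else "IfNotPresent"

def audit_images(values, path=""):
    """Return (path, status, pull_policy) for every image block in nested values."""
    findings = []
    for key, node in values.items():
        here = f"{path}.{key}" if path else key
        if not isinstance(node, dict):
            continue
        if key == "image" and "repository" in node:
            tag = node.get("tag") or ""
            digest = node.get("digest") or ""
            if digest.startswith("sha256:"):
                status = "digest-pinned"   # immutable reference
            elif tag in FLOATING_TAGS:
                status = "floating"        # resolves to whatever was pushed last
            else:
                status = "tag-only"        # fixed name, but a tag can be re-pushed
            findings.append((here, status, effective_pull_policy(node)))
        else:
            findings.extend(audit_images(node, here))
    return findings

# Constructed sample values (assumed key layout; tag and digest are placeholders).
SAMPLE_VALUES = {
    "upstream": {"postgresql": {"image": {
        "registry": "quay.io", "repository": "fedora/postgresql-16", "tag": "latest"}}},
    "pinned_variant": {"postgresql": {"image": {
        "registry": "quay.io", "repository": "fedora/postgresql-16",
        "tag": "example-tag", "digest": "sha256:" + "0" * 64}}},
}

if __name__ == "__main__":
    for path, status, policy in audit_images(SAMPLE_VALUES):
        print(f"{path}: {status} (effective pull policy: {policy})")
```

Run against the rendered or merged values in CI, a non-empty list of `floating` findings is a reasonable condition for failing the build.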
Description of the change
Upgrade the integrated PostgreSQL from version 15 to 16.
Users who are updating from the previous version of the chart need to follow the upgrade process as outlined in the logs of the PostgreSQL pod. That means `helm upgrade`, configuring the `upstream.postgresql.extraEnvVars` key to include `POSTGRESQL_UPGRADE="copy"`. The complete configuration of the key would look like this (it needs to contain the config of `POSTGRESQL_ADMIN_PASSWORD` to avoid having `extraEnvVars` overridden without it):
After that, perform `helm upgrade` again, removing the `POSTGRESQL_UPGRADE` variable for continued regular use.
After that, a refresh of PostgreSQL collation versions is required (outlined in the PostgreSQL pod logs). This can be done, for example, like this: https://github.com/redhat-developer/rhdh/pull/3949/files#diff-5700e984b56368043ef9a0c1ab37e906444544c1fb8e47beb8189366fa0602c9R1054-R1110
The complete upgrade was tested in redhat-developer/rhdh#3949