feat(postgres): hardcode PostgreSQL 17 for monitoring and add migration

[IvanHunters]

Summary

This PR ensures PostgreSQL version consistency across the platform by:

• Adding migration 37 to set version v17 for existing PostgreSQL resources
• Hardcoding PostgreSQL 17.7 image for monitoring databases (Grafana and Alerta)

Motivation

CloudNativePG operator defaults to PostgreSQL 18.3 when no explicit image is specified. However, monitoring queries are configured for PostgreSQL 17 features (pg_stat_checkpointer, updated pg_stat_bgwriter). This mismatch could cause issues with existing deployments.

Changes

• Migration 37: Backfills spec.version="v17" for all postgreses.apps.cozystack.io resources without a version set
• Monitoring databases: Explicitly set imageName: ghcr.io/cloudnative-pg/postgresql:17.7 for:
  • Grafana database
  • Alerta database

Testing

• Migration script tested on existing PostgreSQL resources
• Verified PostgreSQL 17.7 image is available
• Confirmed monitoring databases deploy with correct version

Summary by CodeRabbit

• Chores
  • Added an automated migration to backfill PostgreSQL version fields across existing resources.
  • Explicitly set PostgreSQL image to 17.7 for monitoring and system components: Alerta, Grafana, Harbor, Keycloak, and SeaweedFS.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: be9839c9-b77a-4fd4-ad6b-144d997baadd

📥 Commits

Reviewing files that changed from the base of the PR and between fd17144 and 620c8fb.

📒 Files selected for processing (3)

• packages/system/harbor/templates/database.yaml
• packages/system/keycloak/templates/db.yaml
• packages/system/seaweedfs/templates/database.yaml

✅ Files skipped from review due to trivial changes (3)

• packages/system/seaweedfs/templates/database.yaml
• packages/system/harbor/templates/database.yaml
• packages/system/keycloak/templates/db.yaml

---

📝 Walkthrough

Walkthrough

A new shell migration script is added to backfill spec.version for postgreses.apps.cozystack.io resources (defaulting to v17), conditionally skipping if the CRD is absent and stamping migration state via a cozystack-version ConfigMap. Several CNPG Cluster templates were updated to set spec.imageName: ghcr.io/cloudnative-pg/postgresql:17.7.

Changes

Cohort / File(s)	Summary
PostgreSQL Migration packages/core/platform/images/migrations/migrations/37	New executable shell migration that checks for the postgreses CRD, lists all postgreses resources, patches missing .spec.version to v17, logs skips/changes, and updates the cozystack-version ConfigMap to version=38.
Monitoring DB Clusters packages/system/monitoring/templates/alerta/alerta-db.yaml, packages/system/monitoring/templates/grafana/db.yaml	Added spec.imageName: ghcr.io/cloudnative-pg/postgresql:17.7 to CNPG Cluster manifests for alerta-db and grafana-db.
System DB Clusters packages/system/harbor/templates/database.yaml, packages/system/keycloak/templates/db.yaml, packages/system/seaweedfs/templates/database.yaml	Added spec.imageName: ghcr.io/cloudnative-pg/postgresql:17.7 to CNPG Cluster templates for harbor, keycloak, and seaweedfs databases.

Sequence Diagram

sequenceDiagram
    participant Migration as Migration Script (migrations/37)
    participant K8sAPI as Kubernetes API
    participant CRD as postgreses.apps.cozystack.io CRD
    participant Resources as postgreses Resources
    participant ConfigMap as cozystack-version ConfigMap

    Migration->>K8sAPI: Check if `postgreses` CRD exists
    alt CRD Not Found
        Migration->>ConfigMap: Apply/Update `cozystack-version` -> version=38 (cozy-system)
        Migration->>Migration: Exit successfully
    else CRD Exists
        Migration->>K8sAPI: List all `postgreses` across namespaces
        K8sAPI-->>Resources: Return resource list
        loop For each postgres resource
            Migration->>K8sAPI: Get `.spec.version`
            alt `.spec.version` non-empty
                Migration->>Migration: Log skip
            else `.spec.version` missing
                Migration->>K8sAPI: Patch `.spec.version` = v17
                Migration->>Migration: Log applied patch
            end
        end
        Migration->>ConfigMap: Apply/Update `cozystack-version` -> version=38 (cozy-system)
        Migration->>Migration: Complete
    end

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐇 I hopped through YAML, shell, and CRD,
I nudged each Postgres to v17 with glee,
A ConfigMap stamp, tidy and keen,
Images pinned, and migrations seen —
Thump-thump, the cluster hums in harmony!

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately summarizes the main changes: adding a PostgreSQL 17 migration and hardcoding PostgreSQL 17 for monitoring databases.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feat/postgres-v17-migration

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[gemini-code-assist]

Code Review

This pull request introduces a migration script to backfill the PostgreSQL version to v17 for existing resources and explicitly pins the PostgreSQL image to version 17.7 for Alerta and Grafana databases. The review feedback identifies critical inconsistencies in the migration versioning logic (where the script refers to version 38 despite being named 37) and a shell compatibility issue regarding the use of 'pipefail' in a POSIX sh script.

[coderabbitai]

🧹 Nitpick comments (1)

packages/core/platform/images/migrations/migrations/37 (1)

1-10: Shell compatibility: set -euo pipefail with #!/bin/sh is a bash extension, not POSIX-compliant.

This is not unique to migration 37. The entrypoint script (run-migrations.sh) and 19+ other migrations use the same #!/bin/sh + set -euo pipefail pattern. Migration 36 is exceptional in using only set -e. Since this pattern is established throughout the migration system and appears functional, consider this a consistency/hardening opportunity rather than a required fix.

Option 1 (preferred): Align with migration 36's conservative approach

• Change to set -eu for POSIX compliance with #!/bin/sh

Option 2: Use bash explicitly for migrations needing bash features

• Change shebang to #!/bin/bash (like migrations 28, 29, 30 do for complex logic)

For migration 37, the logic is simple and does not require pipefail. Aligning with migration 36 (set -eu) is recommended.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@packages/core/platform/images/migrations/migrations/37` around lines 1 - 10,
The script uses a non-POSIX combination (#!/bin/sh) together with `set -euo
pipefail`; update migration 37 to be POSIX-safe by replacing `set -euo pipefail`
with `set -eu` (aligning with migration 36) so the script remains compatible
with /bin/sh while keeping strict error handling; ensure the same change is
applied consistently to other migrations using the same pattern or alternatively
switch the shebang to `#!/bin/bash` if you intentionally need bash-only
features.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@packages/core/platform/images/migrations/migrations/37`:
- Around line 1-10: The script uses a non-POSIX combination (#!/bin/sh) together
with `set -euo pipefail`; update migration 37 to be POSIX-safe by replacing `set
-euo pipefail` with `set -eu` (aligning with migration 36) so the script remains
compatible with /bin/sh while keeping strict error handling; ensure the same
change is applied consistently to other migrations using the same pattern or
alternatively switch the shebang to `#!/bin/bash` if you intentionally need
bash-only features.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: a6d20069-f895-4c17-90ed-70b253e419dd

📥 Commits

Reviewing files that changed from the base of the PR and between 7b9f308 and fd17144.

📒 Files selected for processing (3)

• packages/core/platform/images/migrations/migrations/37
• packages/system/monitoring/templates/alerta/alerta-db.yaml
• packages/system/monitoring/templates/grafana/db.yaml

[github-actions]

Successfully created backport PR for release-1.2:

• [Backport release-1.2] feat(postgres): hardcode PostgreSQL 17 for monitoring and add migration #2309