codefresh-io · mikhail-klimko · May 20, 2025 · May 20, 2025 · May 20, 2025 · May 21, 2025
diff --git a/codefresh/.ci/values/defaults-hpa.yaml b/codefresh/.ci/values/defaults-hpa.yaml
@@ -75,3 +75,7 @@ argo-platform:
   promotion-orchestrator:
     hpa:
       enabled: true
+
+mongodb:
+  migration:
+    enabled: true
diff --git a/codefresh/Chart.lock b/codefresh/Chart.lock
@@ -64,58 +64,58 @@ dependencies:
   version: 1.14.22
 - name: cfapi
   repository: oci://quay.io/codefresh/charts
-  version: 21.279.2
+  version: 21.279.3
 - name: cfapi
   repository: oci://quay.io/codefresh/charts
-  version: 21.279.2
+  version: 21.279.3
 - name: cfapi
   repository: oci://quay.io/codefresh/charts
-  version: 21.279.2
+  version: 21.279.3
 - name: cfapi
   repository: oci://quay.io/codefresh/charts
-  version: 21.279.2
+  version: 21.279.3
 - name: cfapi
   repository: oci://quay.io/codefresh/charts
-  version: 21.279.2
+  version: 21.279.3
 - name: cfapi
   repository: oci://quay.io/codefresh/charts
-  version: 21.279.2
+  version: 21.279.3
 - name: cfapi
   repository: oci://quay.io/codefresh/charts
-  version: 21.279.2
+  version: 21.279.3
 - name: cfapi
   repository: oci://quay.io/codefresh/charts
-  version: 21.279.2
+  version: 21.279.3
 - name: cfapi
   repository: oci://quay.io/codefresh/charts
-  version: 21.279.2
+  version: 21.279.3
 - name: cfapi
   repository: oci://quay.io/codefresh/charts
-  version: 21.279.2
+  version: 21.279.3
 - name: cfapi
   repository: oci://quay.io/codefresh/charts
-  version: 21.279.2
+  version: 21.279.3
 - name: cfapi
   repository: oci://quay.io/codefresh/charts
-  version: 21.279.2
+  version: 21.279.3
 - name: cfapi
   repository: oci://quay.io/codefresh/charts
-  version: 21.279.2
+  version: 21.279.3
 - name: cfapi
   repository: oci://quay.io/codefresh/charts
-  version: 21.279.2
+  version: 21.279.3
 - name: cfapi
   repository: oci://quay.io/codefresh/charts
-  version: 21.279.2
+  version: 21.279.3
 - name: cfapi
   repository: oci://quay.io/codefresh/charts
-  version: 21.279.2
+  version: 21.279.3
 - name: cfapi
   repository: oci://quay.io/codefresh/charts
-  version: 21.279.2
+  version: 21.279.3
 - name: cfapi
   repository: oci://quay.io/codefresh/charts
-  version: 21.279.2
+  version: 21.279.3
 - name: cfui
   repository: oci://quay.io/codefresh/charts
   version: 14.98.27
@@ -148,7 +148,7 @@ dependencies:
   version: 0.49.87
 - name: argo-platform
   repository: oci://quay.io/codefresh/charts
-  version: 1.3506.0
+  version: 1.3524.0-onprem-ae70d8a
 - name: argo-hub-platform
   repository: oci://quay.io/codefresh/charts
   version: 0.1.23
@@ -167,5 +167,5 @@ dependencies:
 - name: salesforce-reporter
   repository: oci://quay.io/codefresh/charts
   version: 1.30.11
-digest: sha256:814b879b8e7b0b276c66b821c69c2c22febbbec4a30fed89117d50530ae0ea5e
-generated: "2025-05-19T23:11:03.858637+03:00"
+digest: sha256:d49010d196b95521e9581721db1bacb30eaaae0a5a435e7f5fd753aa156330f2
+generated: "2025-05-23T18:48:21.901565+03:00"
diff --git a/codefresh/Chart.yaml b/codefresh/Chart.yaml
@@ -1,7 +1,7 @@
 apiVersion: v2
 description: Helm Chart for Codefresh On-Prem
 name: codefresh
-version: 2.8.0-rc.1
+version: 2.8.0-rc.2
 keywords:
   - codefresh
 home: https://codefresh.io/
@@ -15,11 +15,13 @@ appVersion: 2.7.0
 annotations:
   artifacthub.io/prerelease: "true"
   artifacthub.io/alternativeName: "codefresh-onprem"
-  artifacthub.io/containsSecurityUpdates: "true"
+  # artifacthub.io/containsSecurityUpdates: "true"
   # supported kinds are added, changed, deprecated, removed, fixed and security.
   artifacthub.io/changes: |
-    - kind: changed
-      description: "Initial 2.8.0 release"
+    - kind: fixed
+      description: "Fixed dependencies version"
+    - kind: added
+      description: "Added ability to assign admin/platform permissions for user for specified group during sync"
 dependencies:
   - name: cf-common
     repository: oci://quay.io/codefresh/charts
@@ -97,7 +99,7 @@ dependencies:
     repository: oci://quay.io/codefresh/charts
     condition: context-manager.enabled
   - name: pipeline-manager
-    version: "~1.139.0"
+    version: "~3.139.0"
     repository: oci://quay.io/codefresh/charts
     condition: pipeline-manager.enabled
   - name: gitops-dashboard-manager
@@ -211,7 +213,7 @@ dependencies:
     repository: oci://quay.io/codefresh/charts
     condition: cf-broadcaster.enabled
   - name: helm-repo-manager
-    version: "~0.21.0"
+    version: "*"
     repository: oci://quay.io/codefresh/charts
     condition: helm-repo-manager.enabled
   - name: hermes
@@ -237,7 +239,7 @@ dependencies:
     repository: oci://quay.io/codefresh/charts
     condition: argo-platform.enabled
   - name: argo-platform
-    version: "~1.3507.0"
+    version: "1.3524.0-onprem-ae70d8a"
     repository: oci://quay.io/codefresh/charts
     condition: argo-platform.enabled
   - name: argo-hub-platform

diff --git a/codefresh/README.md b/codefresh/README.md
@@ -1,6 +1,6 @@
 ## Codefresh On-Premises
 
-![Version: 2.8.0](https://img.shields.io/badge/Version-2.8.0-informational?style=flat-square) ![AppVersion: 2.7.0](https://img.shields.io/badge/AppVersion-2.7.0-informational?style=flat-square)
+![Version: 2.8.0-rc.2](https://img.shields.io/badge/Version-2.8.0--rc.2-informational?style=flat-square) ![AppVersion: 2.7.0](https://img.shields.io/badge/AppVersion-2.7.0-informational?style=flat-square)
 
 Helm chart for deploying [Codefresh On-Premises](https://codefresh.io/docs/docs/getting-started/intro-to-codefresh/) to Kubernetes.
 
@@ -67,7 +67,7 @@ Helm chart for deploying [Codefresh On-Premises](https://codefresh.io/docs/docs/
 - GCR Service Account JSON `sa.json` (provided by Codefresh, contact [email protected])
 - Firebase [Realtime Database URL](https://firebase.google.com/docs/database/web/start#create_a_database) with [legacy token](https://firebase.google.com/docs/database/rest/auth#legacy_tokens). See [Firebase Configuration](#firebase-configuration)
 - Valid TLS certificates for Ingress
-- When [external](#external-postgressql) PostgreSQL is used, `pg_cron` and `pg_partman` extensions **must be enabled** for [analytics](https://codefresh.io/docs/docs/dashboards/home-dashboard/#pipelines-dashboard) to work (see [AWS RDS example](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/PostgreSQL_pg_cron.html#PostgreSQL_pg_cron.enable))
+- When [external](#external-postgressql) PostgreSQL is used, `pg_cron` and `pg_partman` extensions **must be enabled** for [analytics](https://codefresh.io/docs/docs/dashboards/home-dashboard/#pipelines-dashboard) to work (see [AWS RDS example](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/PostgreSQL_pg_cron.html#PostgreSQL_pg_cron.enable)). The `pg_cron` extension should be the 1.4 version or higher for Azure Postgres DB.
 
 ## Get Repo Info
 
@@ -1202,7 +1202,7 @@ cfapi:
 ### Projects pipelines limit
 
 ```yaml
-cfapi:
+pipeline-manager:
   env:
     # Determines project's pipelines limit (default: 500)
     PROJECT_PIPELINES_LIMIT: 500
@@ -2032,7 +2032,7 @@ cfapi:
 
 #### Auto-index creation in MongoDB
 
-[Auto-index creation in MongoDB](#enabling-auto-index-creation)
+[Auto-index creation in MongoDB](#auto-index-creation-in-mongodb)
 
 #### ⚠️ New indexes in MongoDB
 
@@ -2092,7 +2092,7 @@ Default MongoDB image is changed from 6.x to 7.x.
 
 If you run external MongoDB (i.e. [Atlas](https://cloud.mongodb.com)), it is **required** to upgrade it to 7.x after upgrading Codefresh On-Prem to 2.8.x.
 
-For backward compatibility (in case you need to rollback to 6.x), you can set [`featureCompatibilityVersion`](https://www.mongodb.com/docs/v6.0/reference/command/setFeatureCompatibilityVersion/) to `6.0` in your values file.
+- **Before the upgrade**, for backward compatibility (in case you need to rollback to 6.x), you should set [`featureCompatibilityVersion`](https://www.mongodb.com/docs/v6.0/reference/command/setFeatureCompatibilityVersion/) to `6.0` in your values file.
 
 ```yaml
 mongodb:
@@ -2101,38 +2101,177 @@ mongodb:
     featureCompatibilityVersion: "6.0"
 ```
 
+- Perform Codefresh On-Prem upgrade to 2.8.x. Make sure all systems are up and running.
+
+- **After the upgrade**, if all system are stable, you need to set `featureCompatibilityVersion` to `7.0` in your values file and re-deploy the chart.
+
+```yaml
+mongodb:
+  migration:
+    enabled: true
+    featureCompatibilityVersion: "7.0"
+```
+
+⚠️ ⚠️ ⚠️ If FCV (FeatureCompatibilityVersion) is managed by MongoDB itself (i.e. Atlas), you can disable it completely (that is default value in Helm chart)
+
+```yaml
+mongodb:
+  migration:
+    enabled: false
+```
+
+#### ⚠️ New indexes in MongoDB
+
+If you maintain indexes manually (i.e. [Auto-index creation](#enabling-auto-index-creation) is off) you must create the following indexes **before** the upgrade:
+
+- [Database: `codefresh`, collection: `users`, index: `account_1__id_1`](https://github.com/codefresh-io/codefresh-onprem-helm/tree/release-2.8/indexes/codefresh/users.json#L2-L9)
+- [Database: `codefresh`, collection: `users`, index: `role_1_account_1__id_1`](https://github.com/codefresh-io/codefresh-onprem-helm/tree/release-2.8/indexes/codefresh/users.json#L10-L17)
+
 ### PostgreSQL update
 
 Default PostgreSQL image is changed from 13.x to 17.x
 
 If you run external PostgreSQL, follow the [official instructions](https://www.postgresql.org/docs/17/upgrading.html) to upgrade to 17.x.
 
-⚠️ ⚠️ ⚠️ If you run built-in PostgreSQL `bitnami/postgresql` subchart, direct upgrade is not supported. You need to backup your data, delete the old PostgreSQL StatefulSet with PVCs and restore the data into a new PostgreSQL StatefulSet.
+⚠️ ⚠️ ⚠️ If you run built-in PostgreSQL `bitnami/postgresql` subchart, direct upgrade is not supported due to **incompatible breaking changes** in the database files. You will see the following error in the logs:
+```
+postgresql 17:36:28.41 INFO  ==> ** Starting PostgreSQL **
+2025-05-21 17:36:28.432 GMT [1] FATAL:  database files are incompatible with server
+2025-05-21 17:36:28.432 GMT [1] DETAIL:  The data directory was initialized by PostgreSQL version 13, which is not compatible with this version 17.2.
+```
+You need to backup your data, delete the old PostgreSQL StatefulSet with PVCs and restore the data into a new PostgreSQL StatefulSet.
+
+- **Before the upgrade**, backup your data on a separate PVC
+
+- Create PVC with the same or bigger size as your current PostgreSQL PVC:
+
+```yaml
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: postgresql-dump
+spec:
+  storageClassName: <STORAGE_CLASS>
+  resources:
+    requests:
+      storage: <PVC_SIZE>
+  volumeMode: Filesystem
+  accessModes:
+    - ReadWriteOnce
+```
+
+- Create a job to dump the data from the old PostgreSQL StatefulSet into the new PVC:
+
+```yaml
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: postgresql-dump
+spec:
+  ttlSecondsAfterFinished: 300
+  template:
+    spec:
+      containers:
+      - name: postgresql-dump
+        image: quay.io/codefresh/postgresql:17
+        resources:
+          requests:
+            memory: "128Mi"
+            cpu: "100m"
+          limits:
+            memory: "1Gi"
+            cpu: "1"
+        env:
+          - name: PGUSER
+            value: "<POSTGRES_USER>"
+          - name: PGPASSWORD
+            value: "<POSTGRES_PASSWORD>"
+          - name: PGHOST
+            value: "<POSTGRES_HOST>"
+          - name: PGPORT
+            value: "<POSTGRES_PORT>"
+        command:
+          - "/bin/bash"
+          - "-c"
+          - |
+            pg_dumpall --verbose > /opt/postgresql-dump/dump.sql
+        volumeMounts:
+          - name: postgresql-dump
+            mountPath: /opt/postgresql-dump
+      securityContext:
+        runAsUser: 0
+        fsGroup: 0
+      volumes:
+        - name: postgresql-dump
+          persistentVolumeClaim:
+            claimName: postgresql-dump
+      restartPolicy: Never
+```
+
+- Delete old PostgreSQL StatefulSet and PVC
 
 ```console
-PGUSER=postgres
-PGHOST=cf-postgresql
-PGPORT=5432
-PGPASSWORD=postgres
-BACKUP_DIR=/tmp/pg_backup
-BACKUP_SQL=backup.sql
-TIMESTAMP=$(date +%Y%m%d%H%M%S)
-NAMESPACE=codefresh
-
-# Backup PostgreSQL data
-pg_dumpall --verbose > "$BACKUP_DIR/$BACKUP_SQL.$TIMESTAMP" 2>> "$LOG_FILE"
-
-# Delete old PostgreSQL StatefulSet
 STS_NAME=$(kubectl get sts -n $NAMESPACE -l app.kubernetes.io/instance=$RELEASE_NAME -l app.kubernetes.io/name=postgresql -o jsonpath='{.items[0].metadata.name}')
 PVC_NAME=$(kubectl get pvc -n $NAMESPACE -l app.kubernetes.io/instance=$RELEASE_NAME -l app.kubernetes.io/name=postgresql -o jsonpath='{.items[0].metadata.name}')
 
 kubectl delete sts $STS_NAME -n $NAMESPACE
 kubectl delete pvc $PVC_NAME -n $NAMESPACE
+```
 
-# Perform Codefresh On-Prem upgrade to 2.8.x
+- Peform the upgrade to 2.8.x with PostgreSQL seed job enabled to re-create users and databases
 
-# Restore PostgreSQL data
-psql -U -f "$BACKUP_DIR/$BACKUP_SQL.$TIMESTAMP" >> "$LOG_FILE" 2>&1
+```yaml
+seed:
+  postgresSeedJob:
+    enabled: true
+```
+
+- Create a job to restore the data from the new PVC into the new PostgreSQL StatefulSet:
+
+```yaml
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: postgresql-restore
+spec:
+  ttlSecondsAfterFinished: 300
+  template:
+    spec:
+      containers:
+      - name: postgresql-restore
+        image: quay.io/codefresh/postgresql:17
+        resources:
+          requests:
+            memory: "128Mi"
+            cpu: "100m"
+          limits:
+            memory: "1Gi"
+            cpu: "1"
+        env:
+          - name: PGUSER
+            value: "<POSTGRES_USER>"
+          - name: PGPASSWORD
+            value: "<POSTGRES_PASSWORD>"
+          - name: PGHOST
+            value: "<POSTGRES_HOST>"
+          - name: PGPORT
+            value: "<POSTGRES_PORT>"
+        command:
+          - "/bin/bash"
+          - "-c"
+          - |
+            psql -f /opt/postgresql-dump/dump.sql
+        volumeMounts:
+          - name: postgresql-dump
+            mountPath: /opt/postgresql-dump
+      securityContext:
+        runAsUser: 0
+        fsGroup: 0
+      volumes:
+        - name: postgresql-dump
+          persistentVolumeClaim:
+            claimName: postgresql-dump
+      restartPolicy: Never
 ```
 
 ### RabbitMQ update