[virtual-machine] Use external IP for egress traffic for PortList method too #1349
Conversation
WalkthroughBumps chart versions for tenant, virtual-machine, and vm-instance; trims historical entries and adds new HEADs in packages/apps/versions_map; tenant NetworkPolicy endpointSelector tightened to a label expression; virtual-machine and vm-instance templates add CiliumNetworkPolicy resources and always set Service wholeIP annotation; VM templates add a deny-external annotation; adds migration script to patch appVersion and set cluster version. Changes
Sequence Diagram(s)sequenceDiagram
autonumber
actor User
participant LB as Service (LoadBalancer)
participant VM as VM Pod
participant CIL as Cilium (NetworkPolicy)
participant CL as Cluster
participant EXT as External World
User->>LB: Connect to LB IP / port
LB->>VM: Forward traffic
Note over CIL: Ingress rules applied\n(fromCluster / fromWorld)\nOptional toPorts when PortList
CIL-->>VM: Allow or deny ingress
VM->>EXT: Egress traffic
Note over CIL: Egress to World allowed
CIL-->>EXT: Permit egress if matched
Note over VM,CIL: Tenant policy selects pods only if\nlabel policy.cozystack.io/allow-external-communication != "false"
Estimated code review effort🎯 4 (Complex) | ⏱️ ~45 minutes Possibly related PRs
Suggested reviewers
Poem
Tip 🔌 Remote MCP (Model Context Protocol) integration is now available!Pro plan users can now connect to remote MCP servers from the Integrations page. Connect with popular remote MCPs such as Notion and Linear to add more context to your reviews and chats. ✨ Finishing Touches🧪 Generate unit tests
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. 🪧 TipsChatThere are 3 ways to chat with CodeRabbit:
SupportNeed help? Create a ticket on our support page for assistance with any issues or questions. CodeRabbit Commands (Invoked using PR/Issue comments)Type Other keywords and placeholders
CodeRabbit Configuration File (
|
There was a problem hiding this comment.
Actionable comments posted: 4
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (1)
packages/apps/vm-instance/templates/vm.yaml (1)
28-33: Annotation won’t be matched by LabelSelector; use a label instead.Cilium/Kubernetes LabelSelectors do not match annotations. Your tenant NetworkPolicy uses endpointSelector with matchExpressions on policy.cozystack.io/allow-external-communication, so this must be a pod label, not an annotation. Move the key under template.metadata.labels (and remove from annotations) to make the policy effective.
Apply:
- annotations: - policy.cozystack.io/allow-external-communication: "false" - kubevirt.io/allow-pod-bridge-network-live-migration: "true" + annotations: + kubevirt.io/allow-pod-bridge-network-live-migration: "true" labels: + policy.cozystack.io/allow-external-communication: "false" {{- include "virtual-machine.labels" . | nindent 8 }}
🧹 Nitpick comments (1)
packages/apps/vm-instance/templates/vm.yaml (1)
28-33: Consider making the external-communication toggle configurable.Hard-coding "false" may surprise users. Expose a value (e.g., .Values.policy.allowExternalCommunication defaulting to "false") and template it here and in related charts for consistency.
📜 Review details
Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro
💡 Knowledge Base configuration:
- MCP integration is disabled by default for public repositories
- Jira integration is disabled by default for public repositories
- Linear integration is disabled by default for public repositories
You can enable these sources in your CodeRabbit configuration.
📒 Files selected for processing (9)
packages/apps/tenant/Chart.yaml(1 hunks)packages/apps/tenant/templates/networkpolicy.yaml(1 hunks)packages/apps/versions_map(3 hunks)packages/apps/virtual-machine/Chart.yaml(1 hunks)packages/apps/virtual-machine/templates/service.yaml(2 hunks)packages/apps/virtual-machine/templates/vm.yaml(1 hunks)packages/apps/vm-instance/Chart.yaml(1 hunks)packages/apps/vm-instance/templates/service.yaml(2 hunks)packages/apps/vm-instance/templates/vm.yaml(1 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
- GitHub Check: Build
🔇 Additional comments (10)
packages/apps/tenant/Chart.yaml (1)
7-7: Version bump looks correct.Chart version increment to 1.13.0 aligns with related changes in this PR.
packages/apps/vm-instance/Chart.yaml (2)
20-20: Chart version bump is fine.0.12.0 reflects template changes in this PR.
26-26: App version bump is consistent.appVersion 0.12.0 matches chart versioning.
packages/apps/virtual-machine/Chart.yaml (2)
20-20: Version bump acknowledged.0.14.0 aligns with behavior changes (egress policy/CNP additions).
26-26: App version bump OK.appVersion tracks chart version.
packages/apps/versions_map (3)
194-196: VM chart mapping updates look consistent.0.13.0 pinned to 9c1563a and new 0.14.0 HEAD added. Matches Chart.yaml changes.
217-218: vm-instance mapping updates are consistent.0.11.0 pinned; 0.12.0 HEAD added. Matches Chart.yaml.
171-173: Approve: Chart.yaml version matches versions_map
tenant chart version 1.13.0 in packages/apps/tenant/Chart.yaml aligns with the entries in versions_map (tenant 1.12.0 & 1.13.0) — ready to merge.packages/apps/virtual-machine/templates/service.yaml (1)
14-16: LGTM: safer boolean parsing.The extra parentheses around
fromYamlare correct and improve readability.packages/apps/vm-instance/templates/service.yaml (1)
14-16: LGTM: clearer conditional.Parenthesized
fromYamlusage is correct.
| endpointSelector: | ||
| matchExpressions: | ||
| - key: policy.cozystack.io/allow-external-communication | ||
| operator: NotIn | ||
| values: ["false"] |
There was a problem hiding this comment.
Annotation vs label mismatch: pods won’t be excluded as intended.
endpointSelector.matchExpressions matches labels, but VMs set policy.cozystack.io/allow-external-communication: "false" as an annotation (see vm.yaml). With NotIn ["false"], pods without this label are still selected, so the “false” annotation has no effect. Either move this key to a pod label in VM templates (preferred) or switch selector to something that matches annotations (Cilium generally matches labels).
Additionally, consider least-privilege semantics: use In ["true"] to require explicit opt-in instead of implicitly allowing unlabeled pods.
Apply along with the vm.yaml change below.
🤖 Prompt for AI Agents
In packages/apps/tenant/templates/networkpolicy.yaml around lines 23 to 27, the
endpointSelector is matching labels but the VM/VM template currently sets
policy.cozystack.io/allow-external-communication as an annotation, so the
selector never excludes those VMs; update the VM template (vm.yaml) to set
policy.cozystack.io/allow-external-communication as a pod/VM label (preferred)
and keep the endpointSelector.matchExpressions as-is, OR if you cannot change
vm.yaml, replace the selector logic to a mechanism that matches annotations
(noting Cilium generally matches labels) to ensure the “false” value takes
effect; additionally change the selector semantics to require explicit opt-in
(e.g., use In ["true"]) so unlabeled pods are denied by default; apply this
change together with the vm.yaml update.
| apiVersion: cilium.io/v2 | ||
| kind: CiliumNetworkPolicy | ||
| metadata: | ||
| name: {{ include "virtual-machine.fullname" . }} | ||
| spec: | ||
| endpointSelector: | ||
| matchLabels: | ||
| {{- include "virtual-machine.selectorLabels" . | nindent 6 }} | ||
| ingress: | ||
| - fromEntities: | ||
| - cluster | ||
| - fromEntities: | ||
| - world | ||
| {{- if eq .Values.externalMethod "PortList" }} | ||
| toPorts: | ||
| - ports: | ||
| {{- range .Values.externalPorts }} | ||
| - port: {{ quote . }} | ||
| {{- end }} | ||
| {{- end }} | ||
| egress: | ||
| - toEntities: | ||
| - world |
There was a problem hiding this comment.
🛠️ Refactor suggestion
Guard against empty PortList and optionally restrict egress ports too.
- If
externalMethod == "PortList"but.Values.externalPortsis empty, this renderstoPorts:with no entries (invalid CNP). Add a length check. - Consider mirroring the same port restriction on egress to avoid unexpected outbound ports when using PortList.
Apply this diff:
- fromEntities:
- world
- {{- if eq .Values.externalMethod "PortList" }}
+ {{- if and (eq .Values.externalMethod "PortList") (gt (len .Values.externalPorts) 0) }}
toPorts:
- ports:
{{- range .Values.externalPorts }}
- port: {{ quote . }}
{{- end }}
{{- end }}
egress:
- toEntities:
- world
+ {{- if and (eq .Values.externalMethod "PortList") (gt (len .Values.externalPorts) 0) }}
+ toPorts:
+ - ports:
+ {{- range .Values.externalPorts }}
+ - port: {{ quote . }}
+ {{- end }}
+ {{- end }}📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| apiVersion: cilium.io/v2 | |
| kind: CiliumNetworkPolicy | |
| metadata: | |
| name: {{ include "virtual-machine.fullname" . }} | |
| spec: | |
| endpointSelector: | |
| matchLabels: | |
| {{- include "virtual-machine.selectorLabels" . | nindent 6 }} | |
| ingress: | |
| - fromEntities: | |
| - cluster | |
| - fromEntities: | |
| - world | |
| {{- if eq .Values.externalMethod "PortList" }} | |
| toPorts: | |
| - ports: | |
| {{- range .Values.externalPorts }} | |
| - port: {{ quote . }} | |
| {{- end }} | |
| {{- end }} | |
| egress: | |
| - toEntities: | |
| - world | |
| apiVersion: cilium.io/v2 | |
| kind: CiliumNetworkPolicy | |
| metadata: | |
| name: {{ include "virtual-machine.fullname" . }} | |
| spec: | |
| endpointSelector: | |
| matchLabels: | |
| {{- include "virtual-machine.selectorLabels" . | nindent 6 }} | |
| ingress: | |
| - fromEntities: | |
| - cluster | |
| - fromEntities: | |
| - world | |
| {{- if and (eq .Values.externalMethod "PortList") (gt (len .Values.externalPorts) 0) }} | |
| toPorts: | |
| - ports: | |
| {{- range .Values.externalPorts }} | |
| - port: {{ quote . }} | |
| {{- end }} | |
| {{- end }} | |
| egress: | |
| - toEntities: | |
| - world | |
| {{- if and (eq .Values.externalMethod "PortList") (gt (len .Values.externalPorts) 0) }} | |
| toPorts: | |
| - ports: | |
| {{- range .Values.externalPorts }} | |
| - port: {{ quote . }} | |
| {{- end }} | |
| {{- end }} |
🤖 Prompt for AI Agents
In packages/apps/virtual-machine/templates/service.yaml around lines 31 to 53,
the CiliumNetworkPolicy renders an empty toPorts block when
.Values.externalMethod == "PortList" but .Values.externalPorts is empty and also
only applies ports to ingress; update the template to (1) guard the toPorts
section with a length check so it is emitted only when .Values.externalPorts |
len > 0 (avoiding an invalid empty toPorts), and (2) mirror the same guarded
toPorts block under egress so outbound traffic is restricted when using
PortList; ensure YAML indentation and templating whitespace are preserved.
| policy.cozystack.io/allow-external-communication: "false" | ||
| kubevirt.io/allow-pod-bridge-network-live-migration: "true" |
There was a problem hiding this comment.
Use a label (not an annotation) so the NetworkPolicy selector works.
Move policy.cozystack.io/allow-external-communication: "false" under labels (and remove it from annotations) to align with the selector in tenant NetworkPolicy.
Apply this diff:
annotations:
- policy.cozystack.io/allow-external-communication: "false"
kubevirt.io/allow-pod-bridge-network-live-migration: "true"
labels:
+ policy.cozystack.io/allow-external-communication: "false"
{{- include "virtual-machine.labels" . | nindent 8 }}Also applies to: 67-69
🤖 Prompt for AI Agents
In packages/apps/virtual-machine/templates/vm.yaml around lines 65-66 (and also
apply same change to lines 67-69), the key
policy.cozystack.io/allow-external-communication is placed under annotations but
the tenant NetworkPolicy selects on a label; move this key from annotations into
the metadata.labels section (remove it from annotations) and ensure its value
remains "false" so the NetworkPolicy selector will match correctly.
| apiVersion: cilium.io/v2 | ||
| kind: CiliumNetworkPolicy | ||
| metadata: | ||
| name: {{ include "virtual-machine.fullname" . }} | ||
| spec: | ||
| endpointSelector: | ||
| matchLabels: | ||
| {{- include "virtual-machine.selectorLabels" . | nindent 6 }} | ||
| ingress: | ||
| - fromEntities: | ||
| - cluster | ||
| - fromEntities: | ||
| - world | ||
| {{- if eq .Values.externalMethod "PortList" }} | ||
| toPorts: | ||
| - ports: | ||
| {{- range .Values.externalPorts }} | ||
| - port: {{ quote . }} | ||
| {{- end }} | ||
| {{- end }} | ||
| egress: | ||
| - toEntities: | ||
| - world |
There was a problem hiding this comment.
🛠️ Refactor suggestion
Same PortList robustness and egress tightening as VM service.
Prevent emitting an empty toPorts and (optionally) restrict egress ports when externalMethod == "PortList".
Apply this diff:
- fromEntities:
- world
- {{- if eq .Values.externalMethod "PortList" }}
+ {{- if and (eq .Values.externalMethod "PortList") (gt (len .Values.externalPorts) 0) }}
toPorts:
- ports:
- {{- range .Values.externalPorts }}
- - port: {{ quote . }}
- {{- end }}
+ {{- range .Values.externalPorts }}
+ - port: {{ quote . }}
+ {{- end }}
{{- end }}
egress:
- toEntities:
- world
+ {{- if and (eq .Values.externalMethod "PortList") (gt (len .Values.externalPorts) 0) }}
+ toPorts:
+ - ports:
+ {{- range .Values.externalPorts }}
+ - port: {{ quote . }}
+ {{- end }}
+ {{- end }}📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| apiVersion: cilium.io/v2 | |
| kind: CiliumNetworkPolicy | |
| metadata: | |
| name: {{ include "virtual-machine.fullname" . }} | |
| spec: | |
| endpointSelector: | |
| matchLabels: | |
| {{- include "virtual-machine.selectorLabels" . | nindent 6 }} | |
| ingress: | |
| - fromEntities: | |
| - cluster | |
| - fromEntities: | |
| - world | |
| {{- if eq .Values.externalMethod "PortList" }} | |
| toPorts: | |
| - ports: | |
| {{- range .Values.externalPorts }} | |
| - port: {{ quote . }} | |
| {{- end }} | |
| {{- end }} | |
| egress: | |
| - toEntities: | |
| - world | |
| apiVersion: cilium.io/v2 | |
| kind: CiliumNetworkPolicy | |
| metadata: | |
| name: {{ include "virtual-machine.fullname" . }} | |
| spec: | |
| endpointSelector: | |
| matchLabels: | |
| {{- include "virtual-machine.selectorLabels" . | nindent 6 }} | |
| ingress: | |
| - fromEntities: | |
| - cluster | |
| - fromEntities: | |
| - world | |
| {{- if and (eq .Values.externalMethod "PortList") (gt (len .Values.externalPorts) 0) }} | |
| toPorts: | |
| - ports: | |
| {{- range .Values.externalPorts }} | |
| - port: {{ quote . }} | |
| {{- end }} | |
| {{- end }} | |
| egress: | |
| - toEntities: | |
| - world | |
| {{- if and (eq .Values.externalMethod "PortList") (gt (len .Values.externalPorts) 0) }} | |
| toPorts: | |
| - ports: | |
| {{- range .Values.externalPorts }} | |
| - port: {{ quote . }} | |
| {{- end }} | |
| {{- end }} |
🤖 Prompt for AI Agents
In packages/apps/vm-instance/templates/service.yaml around lines 31 to 53, the
CiliumNetworkPolicy currently emits an empty toPorts block when
.Values.externalMethod == "PortList" and does not restrict egress ports; change
the conditional so toPorts is rendered only when .Values.externalMethod ==
"PortList" AND .Values.externalPorts is non-empty, and when using "PortList"
also add a matching egress toPorts section that enumerates the same
.Values.externalPorts to tighten egress; implement this by wrapping the toPorts
block in an additional if (len .Values.externalPorts | gt 0) and adding a
corresponding egress toPorts with the same port range under the egress stanza
when .Values.externalMethod == "PortList".
8656222 to
cc0a6db
Compare
…hod too Signed-off-by: Andrei Kvapil <kvapss@gmail.com>
There was a problem hiding this comment.
Actionable comments posted: 6
📜 Review details
Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro
💡 Knowledge Base configuration:
- MCP integration is disabled by default for public repositories
- Jira integration is disabled by default for public repositories
- Linear integration is disabled by default for public repositories
You can enable these sources in your CodeRabbit configuration.
📒 Files selected for processing (10)
packages/apps/tenant/Chart.yaml(1 hunks)packages/apps/tenant/templates/networkpolicy.yaml(1 hunks)packages/apps/versions_map(1 hunks)packages/apps/virtual-machine/Chart.yaml(1 hunks)packages/apps/virtual-machine/templates/service.yaml(2 hunks)packages/apps/virtual-machine/templates/vm.yaml(1 hunks)packages/apps/vm-instance/Chart.yaml(1 hunks)packages/apps/vm-instance/templates/service.yaml(2 hunks)packages/apps/vm-instance/templates/vm.yaml(1 hunks)scripts/migrations/18(1 hunks)
🚧 Files skipped from review as they are similar to previous changes (8)
- packages/apps/virtual-machine/templates/vm.yaml
- packages/apps/virtual-machine/Chart.yaml
- packages/apps/vm-instance/Chart.yaml
- packages/apps/tenant/Chart.yaml
- packages/apps/tenant/templates/networkpolicy.yaml
- packages/apps/vm-instance/templates/service.yaml
- packages/apps/virtual-machine/templates/service.yaml
- packages/apps/vm-instance/templates/vm.yaml
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
- GitHub Check: Build
🔇 Additional comments (1)
packages/apps/versions_map (1)
167-167: LGTM: tenant HEAD updated to 1.13.0Matches the migration target for tenants.
| virtual-machine 0.12.3 c02a3818 | ||
| virtual-machine 0.13.0 HEAD | ||
| tenant 1.13.0 HEAD | ||
| virtual-machine 0.14.0 HEAD |
There was a problem hiding this comment.
💡 Verification agent
🧩 Analysis chain
HEADs here imply 0.14.0 (virtual-machine) and 0.12.0 (vm-instance); migration currently patches 1.x
Keep HEAD markers and migration in sync. Either adjust the migration to 0.14.0/0.12.0 (recommended) or change these HEAD lines accordingly.
Run to confirm consistency across map, charts, and migration:
Also applies to: 175-175
🏁 Script executed:
#!/bin/sh
set -eu
echo "versions_map:"
rg -n '^(virtual-machine|vm-instance)\s' packages/apps/versions_map
echo
echo "Chart.yaml versions:"
rg -nH '^(version|appVersion):' packages/apps/virtual-machine/Chart.yaml packages/apps/vm-instance/Chart.yaml
echo
echo "Migration appVersion literals:"
rg -n "appVersion" scripts/migrations/18Length of output: 1047
Sync migration appVersion values with HEAD markers: In scripts/migrations/18 update the appVersion literals for virtualmachines from 1.14.0→0.14.0 and for vminstances from 1.12.0→0.12.0 to match the HEAD entries in packages/apps/versions_map.
🤖 Prompt for AI Agents
In scripts/migrations/18 around where appVersion literals are defined (update
the two entries referenced by packages/apps/versions_map line 168), change the
appVersion for the virtualmachines migration from "1.14.0" to "0.14.0" and
change the appVersion for the vminstances migration from "1.12.0" to "0.12.0" so
they match the HEAD markers in packages/apps/versions_map; locate the two
appVersion string literals in that migration file and replace them with the new
values, run tests or lint to ensure no formatting issues.
| #!/bin/sh | ||
| # Migration 18 --> 19 | ||
|
|
There was a problem hiding this comment.
🛠️ Refactor suggestion
Enable strict mode and preflight kubectl
Fail fast on unset vars and missing kubectl. Avoid pipefail since /bin/sh may not support it.
Apply this diff:
#!/bin/sh
+# Fail fast on errors and unset variables
+set -eu
+
+# Ensure kubectl is available
+command -v kubectl >/dev/null 2>&1 || {
+ echo "kubectl is required for migrations" >&2
+ exit 1
+}📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| #!/bin/sh | |
| # Migration 18 --> 19 | |
| #!/bin/sh | |
| # Migration 18 --> 19 | |
| # Fail fast on errors and unset variables | |
| set -eu | |
| # Ensure kubectl is available | |
| command -v kubectl >/dev/null 2>&1 || { | |
| echo "kubectl is required for migrations" >&2 | |
| exit 1 | |
| } |
🤖 Prompt for AI Agents
In scripts/migrations/18 around lines 1 to 3, enable strict mode and add a
preflight check for kubectl: add a shell strictness setting (use set -eu to fail
on errors and unset variables but do not add pipefail), then verify kubectl is
available (use command -v kubectl >/dev/null 2>&1 and exit with a clear error
message if missing) so the script fails fast on unset vars and missing kubectl
while remaining /bin/sh compatible.
| kubectl get tenants.apps.cozystack.io -A --no-headers --output=custom-columns='NAMESPACE:.metadata.namespace,NAME:.metadata.name' | while read NAMESPACE NAME; do | ||
| kubectl patch tenants.apps.cozystack.io -n "$NAMESPACE" "$NAME" --type merge -p '{"appVersion":"1.13.0"}' | ||
| done |
There was a problem hiding this comment.
🛠️ Refactor suggestion
Avoid “No resources found” being parsed as NAMESPACE/NAME; use jsonpath and read -r
With -o custom-columns, kubectl may print “No resources found”, which this loop will read as tokens and attempt to patch invalid objects. Use jsonpath to emit nothing on empty sets and read -r to avoid backslash mangling. Also fail fast if a patch errors.
Apply this diff:
-kubectl get tenants.apps.cozystack.io -A --no-headers --output=custom-columns='NAMESPACE:.metadata.namespace,NAME:.metadata.name' | while read NAMESPACE NAME; do
- kubectl patch tenants.apps.cozystack.io -n "$NAMESPACE" "$NAME" --type merge -p '{"appVersion":"1.13.0"}'
+kubectl get tenants.apps.cozystack.io -A -o jsonpath='{range .items[*]}{.metadata.namespace}{"\t"}{.metadata.name}{"\n"}{end}' \
+| while IFS=$'\t' read -r NAMESPACE NAME; do
+ kubectl patch tenants.apps.cozystack.io -n "$NAMESPACE" "$NAME" --type merge -p '{"appVersion":"1.13.0"}' || exit 1📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| kubectl get tenants.apps.cozystack.io -A --no-headers --output=custom-columns='NAMESPACE:.metadata.namespace,NAME:.metadata.name' | while read NAMESPACE NAME; do | |
| kubectl patch tenants.apps.cozystack.io -n "$NAMESPACE" "$NAME" --type merge -p '{"appVersion":"1.13.0"}' | |
| done | |
| kubectl get tenants.apps.cozystack.io -A -o jsonpath='{range .items[*]}{.metadata.namespace}{"\t"}{.metadata.name}{"\n"}{end}' \ | |
| | while IFS=$'\t' read -r NAMESPACE NAME; do | |
| kubectl patch tenants.apps.cozystack.io -n "$NAMESPACE" "$NAME" --type merge -p '{"appVersion":"1.13.0"}' || exit 1 | |
| done |
🤖 Prompt for AI Agents
In scripts/migrations/18 around lines 5 to 7, the kubectl loop can consume the
literal "No resources found" and mis-parse output; change the kubectl output to
use -o jsonpath to emit only namespace/name pairs (and nothing when empty), pipe
into while read -r to avoid backslash mangling, and ensure the script fails fast
on any patch error (e.g., check kubectl patch exit status or set -e) so a failed
patch aborts the migration; also skip iterations when either NAMESPACE or NAME
is empty.
| kubectl get virtualmachines.apps.cozystack.io -A --no-headers --output=custom-columns='NAMESPACE:.metadata.namespace,NAME:.metadata.name' | while read NAMESPACE NAME; do | ||
| kubectl patch virtualmachines.apps.cozystack.io -n "$NAMESPACE" "$NAME" --type merge -p '{"appVersion":"1.14.0"}' | ||
| done |
There was a problem hiding this comment.
🛠️ Refactor suggestion
Make the virtual-machine loop robust like tenants
Mirror the jsonpath + read -r pattern and fail fast on errors.
Apply this diff:
-kubectl get virtualmachines.apps.cozystack.io -A --no-headers --output=custom-columns='NAMESPACE:.metadata.namespace,NAME:.metadata.name' | while read NAMESPACE NAME; do
- kubectl patch virtualmachines.apps.cozystack.io -n "$NAMESPACE" "$NAME" --type merge -p '{"appVersion":"0.14.0"}'
+kubectl get virtualmachines.apps.cozystack.io -A -o jsonpath='{range .items[*]}{.metadata.namespace}{"\t"}{.metadata.name}{"\n"}{end}' \
+| while IFS=$'\t' read -r NAMESPACE NAME; do
+ kubectl patch virtualmachines.apps.cozystack.io -n "$NAMESPACE" "$NAME" --type merge -p '{"appVersion":"0.14.0"}' || exit 1Committable suggestion skipped: line range outside the PR's diff.
🤖 Prompt for AI Agents
In scripts/migrations/18 around lines 10 to 12, the virtualmachines loop uses a
simple kubectl get piped into while read which is brittle; update it to mirror
the tenants pattern by using kubectl get with a jsonpath that emits namespace
and name per line, read each line with IFS= read -r NAMESPACE NAME (or use read
-r -d '' if tenants uses NUL), and ensure the script fails fast by enabling set
-euo pipefail (or explicitly check and exit on kubectl/patch errors). Replace
the current pipe-while with the jsonpath + read -r pattern and add fail-fast
behavior so any kubectl failure aborts the migration.
💡 Verification agent
🧩 Analysis chain
Fix appVersion mismatches for virtual-machine and vm-instance
versions_map declares virtual-machine 0.14.0 and vm-instance 0.12.0 as HEAD, but this script patches 1.14.0 and 1.12.0 respectively. This likely breaks version gating and rollback logic. Align the migration to 0.x series.
Apply this diff:
-kubectl get virtualmachines.apps.cozystack.io -A --no-headers --output=custom-columns='NAMESPACE:.metadata.namespace,NAME:.metadata.name' | while read NAMESPACE NAME; do
- kubectl patch virtualmachines.apps.cozystack.io -n "$NAMESPACE" "$NAME" --type merge -p '{"appVersion":"1.14.0"}'
+kubectl get virtualmachines.apps.cozystack.io -A --no-headers --output=custom-columns='NAMESPACE:.metadata.namespace,NAME:.metadata.name' | while read NAMESPACE NAME; do
+ kubectl patch virtualmachines.apps.cozystack.io -n "$NAMESPACE" "$NAME" --type merge -p '{"appVersion":"0.14.0"}'
done
-kubectl get vminstances.apps.cozystack.io -A --no-headers --output=custom-columns='NAMESPACE:.metadata.namespace,NAME:.metadata.name' | while read NAMESPACE NAME; do
- kubectl patch vminstances.apps.cozystack.io -n "$NAMESPACE" "$NAME" --type merge -p '{"appVersion":"1.12.0"}'
+kubectl get vminstances.apps.cozystack.io -A --no-headers --output=custom-columns='NAMESPACE:.metadata.namespace,NAME:.metadata.name' | while read NAMESPACE NAME; do
+ kubectl patch vminstances.apps.cozystack.io -n "$NAMESPACE" "$NAME" --type merge -p '{"appVersion":"0.12.0"}'
doneRun to double-check chart versions and migration values:
Also applies to: 13-15
🏁 Script executed:
#!/bin/sh
set -eu
# Show chart versions
rg -nH '^(version|appVersion):' packages/apps/virtual-machine/Chart.yaml packages/apps/vm-instance/Chart.yaml packages/apps/tenant/Chart.yaml
# Show versions_map HEADs
rg -n '^(virtual-machine|vm-instance|tenant)\s' packages/apps/versions_map
# Show migration appVersion literals
rg -n "appVersion" scripts/migrations/18Length of output: 986
🏁 Script executed:
#!/bin/sh
set -eu
echo "Listing all migration scripts:"
ls scripts/migrations
echo "Inspecting appVersion literals in migrations 13-15:"
rg -n "appVersion" scripts/migrations/1[3-5]Length of output: 617
Fix appVersion in scripts/migrations/18 for virtual-machine and vm-instance
packages/apps/virtual-machine/Chart.yaml defines appVersion 0.14.0 and vm-instance defines 0.12.0, but migrations/18 erroneously patches "1.14.0" and "1.12.0". Update those two literals to match the 0.x series:
scripts/migrations/18
- kubectl patch virtualmachines.apps.cozystack.io … -p '{"appVersion":"1.14.0"}'
+ kubectl patch virtualmachines.apps.cozystack.io … -p '{"appVersion":"0.14.0"}'
…
- kubectl patch vminstances.apps.cozystack.io … -p '{"appVersion":"1.12.0"}'
+ kubectl patch vminstances.apps.cozystack.io … -p '{"appVersion":"0.12.0"}'(The tenant patch at "1.13.0" is correct.)
🤖 Prompt for AI Agents
In scripts/migrations/18 around lines 10 to 12, the migration patches use
incorrect appVersion literals "1.14.0" and "1.12.0"; change those two
occurrences to the correct 0.x values used by the charts — replace "1.14.0" with
"0.14.0" for virtual-machine and replace "1.12.0" with "0.12.0" for vm-instance
so the patch uses the correct appVersion strings.
| kubectl get vminstances.apps.cozystack.io -A --no-headers --output=custom-columns='NAMESPACE:.metadata.namespace,NAME:.metadata.name' | while read NAMESPACE NAME; do | ||
| kubectl patch vminstances.apps.cozystack.io -n "$NAMESPACE" "$NAME" --type merge -p '{"appVersion":"1.12.0"}' | ||
| done |
There was a problem hiding this comment.
🛠️ Refactor suggestion
Make the vm-instance loop robust like tenants
Same jsonpath + read -r pattern and early exit on patch failure.
Apply this diff:
-kubectl get vminstances.apps.cozystack.io -A --no-headers --output=custom-columns='NAMESPACE:.metadata.namespace,NAME:.metadata.name' | while read NAMESPACE NAME; do
- kubectl patch vminstances.apps.cozystack.io -n "$NAMESPACE" "$NAME" --type merge -p '{"appVersion":"0.12.0"}'
+kubectl get vminstances.apps.cozystack.io -A -o jsonpath='{range .items[*]}{.metadata.namespace}{"\t"}{.metadata.name}{"\n"}{end}' \
+| while IFS=$'\t' read -r NAMESPACE NAME; do
+ kubectl patch vminstances.apps.cozystack.io -n "$NAMESPACE" "$NAME" --type merge -p '{"appVersion":"0.12.0"}' || exit 1Committable suggestion skipped: line range outside the PR's diff.
🤖 Prompt for AI Agents
In scripts/migrations/18 around lines 13 to 15, the vm-instance loop should be
made robust like the tenants loop: replace the get command output with a
jsonpath that emits "namespace name" pairs (e.g. kubectl get ... -A -o
jsonpath='{range .items[*]}{.metadata.namespace}{"
"}{.metadata.name}{"\n"}{end}') piped into while read -r NAMESPACE NAME; do ...;
done, and inside the loop check the kubectl patch exit status and exit the
script with a non-zero code if the patch fails (e.g. if ! kubectl patch ...;
then echo "patch failed for $NAMESPACE/$NAME" >&2; exit 1; fi).
Signed-off-by: Andrei Kvapil kvapss@gmail.com
What this PR does
Release note
Summary by CodeRabbit
New Features
Chores