Conversation


@kvaps kvaps commented Nov 28, 2025

This PR adds a version management system for Kubernetes that automatically fetches and updates supported versions based on kamaji.

Changes

  • Added hack/update-versions.sh script to fetch and update Kubernetes versions
  • Updated files/versions.yaml with version mappings
  • Updated values.yaml with version enum and parameter
  • Updated Makefile to include version update workflow
  • Added hack directory to .helmignore

Features

  • Automatically fetches Kubernetes version from kamaji repository
  • Gets latest patch version for the supported minor version
  • Queries container registry for available versions
  • Updates version enum in values.yaml using reliable awk-based approach
  • Updates KUBERNETES_VERSION in Makefile
  • Maintains version mappings in versions.yaml

Workflow

  • Reads kamaji version from Dockerfile
  • Fetches Kubernetes version from kamaji's kubeadm_version.go
  • Finds latest patch version for that minor version
  • Includes supported version + 5 previous minor versions
  • Updates all configuration files automatically

Summary by CodeRabbit

  • New Features

    • Kubernetes version parameter now uses an enum constraint to limit selection to supported versions (v1.33, v1.32, v1.31, v1.30, v1.29, v1.28).
  • Documentation

    • Simplified Kubernetes version field description for clarity.
  • Chores

    • Updated Kubernetes patch version mappings (v1.32→v1.32.10, v1.31→v1.31.14).
    • Relaxed add-on schema validation requirements.


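The selection step of the workflow described above, as an added example that is not the PR's hack/update-versions.sh: it takes a constructed list of registry tags and a constructed kamaji-supported version, drops pre-release tags and anything newer than the supported version, keeps the highest patch of each minor, limits the result to the supported minor plus five earlier ones, and renders the `vX.Y: "vX.Y.Z"` mapping that files/versions.yaml holds. The real script obtains these inputs with curl and skopeo; the function names, the sample tags and the `SAMPLE_SUPPORTED` value are mine.

```shell
#!/usr/bin/env bash
# Added example (not the PR's hack/update-versions.sh): the offline selection
# step of the version-update workflow. Inputs are constructed samples; the real
# script obtains them from kamaji's kubeadm_version.go (curl) and the container
# registry (skopeo).
set -eu

# Constructed sample: kube-apiserver tags as a registry listing might return them,
# deliberately unsorted, with a pre-release and a minor newer than kamaji supports.
SAMPLE_TAGS='v1.32.9
v1.27.16
v1.28.14
v1.28.15
v1.29.15
v1.29.14
v1.30.13
v1.30.14
v1.31.14
v1.31.13
v1.32.10
v1.33.1
v1.33.2
v1.34.0
v1.33.0-rc.1'

# Constructed sample: the version kamaji's kubeadm_version.go would report.
SAMPLE_SUPPORTED='v1.33.2'

# True when $1 <= $2 in version order. Identical inputs compare equal, so
# head prints $1 and the equality case needs no separate test.
version_le() {
  [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$1" ]
}

# Read tags on stdin; print "vX.Y vX.Y.Z" lines, newest minor first, keeping the
# highest patch of each minor that is not newer than $1, for at most $2 minors
# (default 6: the supported minor plus five previous ones).
select_versions() {
  local supported="$1" window="${2:-6}" tag
  grep -E '^v[0-9]+\.[0-9]+\.[0-9]+$' \
    | while IFS= read -r tag; do
        if version_le "$tag" "$supported"; then printf '%s\n' "$tag"; fi
      done \
    | sort -V -r \
    | awk -F. -v n="$window" '
        { minor = $1 "." $2 }
        !seen[minor]++ && kept++ < n { print minor, $0 }'
}

# Render the mapping in the shape files/versions.yaml uses.
render_versions_yaml() {
  awk '{ printf "%s: \"%s\"\n", $1, $2 }'
}

main() {
  printf '%s\n' "$SAMPLE_TAGS" | select_versions "$SAMPLE_SUPPORTED" | render_versions_yaml
}
main
```

Filtering by `version_le` before picking the highest patch per minor is what keeps a registry that already carries a newer minor (v1.34.0 in the sample) from leaking into the enum ahead of what kamaji supports.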
@dosubot dosubot bot added the size:L label (This PR changes 100-499 lines, ignoring generated files) Nov 28, 2025

coderabbitai bot commented Nov 28, 2025

Walkthrough

This PR introduces a new bash script that dynamically orchestrates Kubernetes version mappings and schema updates by extracting Kamaji version references and retrieving corresponding kube-apiserver tags. It replaces the previous inline yq-based approach with a dedicated build-time tool, updates version references and documentation, and relaxes OpenAPI schema validation constraints.

Changes

Cohort / File(s) / Summary

  • Workflow versioning: .github/workflows/pre-commit.yml
    Updates cozyvalues-gen version from v1.0.5 to v1.0.6 in install step
  • Build configuration: packages/apps/kubernetes/.helmignore, packages/apps/kubernetes/Makefile
    Adds "/hack" to helm ignore list; introduces new update target that runs hack/update-versions.sh followed by make generate; removes yq-based schema update from generate target
  • Documentation & schema: packages/apps/kubernetes/README.md, packages/apps/kubernetes/values.schema.json
    Updates version field description to "Kubernetes major.minor version to deploy"; reorders enum from ascending to descending; escapes placeholder brackets in host description
  • Version management: packages/apps/kubernetes/files/versions.yaml, packages/apps/kubernetes/values.yaml
    Rewrites version mappings (v1.32: 6→10, v1.31: 10→14); replaces string type with Version enum in values.yaml with explicit enum declaration
  • Version orchestration script: packages/apps/kubernetes/hack/update-versions.sh
    New bash script that extracts Kamaji version, retrieves kube-apiserver tags, determines latest patch per major.minor, constructs versions.yaml, updates values.yaml enum, and modifies Makefile KUBERNETES_VERSION
  • CRD relaxation: packages/system/cozystack-resource-definitions/cozyrds/kubernetes.yaml
    Removes required field constraints from addon sections in OpenAPI schema, making all previously required fields optional

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

  • New script complexity: hack/update-versions.sh contains multi-step orchestration with external API calls, error handling, and file modifications—requires careful verification of logic flow, tool dependencies (skopeo, jq), and data parsing correctness
  • Cross-file coordination: Version updates must align consistently across versions.yaml, values.yaml, values.schema.json, README.md, and Makefile; enum ordering change (ascending→descending) should be verified against all consumers
  • Build workflow changes: Removal of yq-based schema generation and introduction of new update target; verify that the new script produces identical schema structures or document any behavioral changes
  • Schema relaxation impact: OpenAPI validation loosening in kubernetes.yaml CRD requires confirmation that this doesn't introduce unintended optional fields or validation gaps

Suggested reviewers

  • lllamnyp
  • nbykov0

Poem

🐰 A rabbit hops through versions new,

Scripts that fetch what Kamaji knew,

Enums ordered, schemas tight,

Kube versions updated right!

Build and generate with care—hop! 🎉

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)
  • Description Check: Passed. Check skipped - CodeRabbit's high-level summary is enabled.
  • Title check: Passed. The title accurately describes the main change: adding a version management system with automated version updates for Kubernetes, which is reflected across multiple files (new update script, version mappings, enum configuration, and Makefile workflow).
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

@gemini-code-assist

Summary of Changes

Hello @kvaps, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request implements a comprehensive version management system for both Kubernetes and PostgreSQL applications. The core purpose is to automate the process of identifying, tracking, and updating supported application versions, thereby reducing manual maintenance overhead and ensuring that deployments consistently use the latest stable patch releases. This system integrates external sources like kamaji and container registries to keep version information current across various configuration files.

Highlights

  • Automated Version Management: Introduced a new system to automatically fetch and update supported Kubernetes and PostgreSQL versions.
  • Kubernetes Version Sync: Kubernetes versions are now automatically fetched from the kamaji repository, ensuring alignment with its supported versions.
  • PostgreSQL Version Discovery: PostgreSQL versions are dynamically determined by querying the cloudnative-pg container registry and its GitHub README.
  • Configuration Updates: versions.yaml, values.yaml, and Makefile are automatically updated with the latest version information.
  • New Update Scripts: Dedicated hack/update-versions.sh scripts have been added for both Kubernetes and PostgreSQL to manage this automation.

@kvaps kvaps force-pushed the kubernetes-versions branch from d491c43 to c9bf7ca on November 28, 2025 19:13
@dosubot dosubot bot added the enhancement label (New feature or request) Nov 28, 2025
@kvaps kvaps force-pushed the kubernetes-versions branch from c9bf7ca to 2cc4c9f on November 28, 2025 19:14

@gemini-code-assist gemini-code-assist bot left a comment


Code Review

This pull request introduces an automated version management system for both Kubernetes and PostgreSQL, which is a great enhancement for maintainability. The changes include new update-versions.sh scripts that fetch the latest supported versions and update the corresponding Helm chart values, schemas, and version mappings.

My review focuses on the robustness and maintainability of these new scripts. I've identified a few areas where the scripts rely on brittle scraping of web content, which could lead to failures if the source format changes. I've also suggested a simplification for a complex piece of logic in the Kubernetes version update script to improve its readability.

Overall, this is a valuable addition. Addressing the feedback will help make the new automation more resilient.

@kvaps kvaps force-pushed the kubernetes-versions branch from 2cc4c9f to c3a1db5 on November 28, 2025 19:15
…ates

Signed-off-by: Andrei Kvapil <kvapss@gmail.com>
@kvaps kvaps force-pushed the kubernetes-versions branch from c3a1db5 to 06a25c1 on December 1, 2025 22:55

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

🧹 Nitpick comments (4)
packages/apps/kubernetes/hack/update-versions.sh (4)

26-50: Version extraction logic is solid.

File existence checks and validation of extracted values are appropriate. However, the curl command on line 43 lacks retry logic for transient network failures. Consider adding a retry loop or using curl's built-in --retry flag.

KUBERNETES_VERSION_FROM_KAMAJI=$(curl -sSL --retry 3 --retry-delay 1 "https://raw.githubusercontent.com/clastix/kamaji/${KAMAJI_VERSION}/internal/upgrade/kubeadm_version.go" | grep "KubeadmVersion" | sed -E 's/.*KubeadmVersion = "([^"]+)".*/\1/')

52-86: Version filtering is well-implemented but could use edge-case clarity.

The version sorting and filtering logic is correct. However, the comparison approach (lines 74, 114) is verbose. The construct:

if [ "$(printf '%s\n%s\n' "$tag" "$KUBERNETES_VERSION_FROM_KAMAJI" | sort -V | head -1)" = "$tag" ] || [ "$tag" = "$KUBERNETES_VERSION_FROM_KAMAJI" ]; then

can be simplified. Additionally, the skopeo call (line 61) has no retry mechanism for transient registry failures.


171-172: Use mapfile for more robust array assignment.

The current approach with command substitution can have word-splitting issues. Shellcheck (SC2207) flags this pattern. Use mapfile or read -a for cleaner, safer array population.

-IFS=$'\n' VERSIONS=($(printf '%s\n' "${VERSIONS[@]}" | sort -V -r))
-unset IFS
+mapfile -t VERSIONS < <(printf '%s\n' "${VERSIONS[@]}" | sort -V -r)
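Review bot: `mapfile -t` is the right replacement, but with nounset enabled, as this script does, the `"${VERSIONS[@]}"` expansion on the right-hand side aborts on bash older than 4.4 when the array is empty (for example when the registry query returned nothing); guard it with a `[ "${#VERSIONS[@]}" -gt 0 ]` check, or write the expansion as `${VERSIONS[@]+"${VERSIONS[@]}"}`, so an empty result produces an explicit error rather than an unbound-variable crash.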

202-237: Fragile awk state machine for values.yaml updates.

The awk-based section replacement (lines 208–223) relies on implicit state tracking and assumes the old section follows a specific pattern. This is brittle:

  • If spacing or comments between ## @enum {string} Version and version: change, the logic fails.
  • The state machine deletes everything after the enum line until it sees version:, which could inadvertently remove content.

Consider a more explicit approach:

  1. Extract the section to be replaced using awk with explicit bounds.
  2. Validate the section exists and has the expected structure.
  3. Replace it with the new section.

This is a recommended refactor if maintainability is a concern, but the current approach works if the file format is strictly controlled.

📜 Review details

📥 Commits

Reviewing files that changed from the base of the PR and between 13e0501 and 06a25c1.

📒 Files selected for processing (9)
  • .github/workflows/pre-commit.yml (1 hunks)
  • packages/apps/kubernetes/.helmignore (1 hunks)
  • packages/apps/kubernetes/Makefile (1 hunks)
  • packages/apps/kubernetes/README.md (1 hunks)
  • packages/apps/kubernetes/files/versions.yaml (1 hunks)
  • packages/apps/kubernetes/hack/update-versions.sh (1 hunks)
  • packages/apps/kubernetes/values.schema.json (2 hunks)
  • packages/apps/kubernetes/values.yaml (1 hunks)
  • packages/system/cozystack-resource-definitions/cozyrds/kubernetes.yaml (1 hunks)
🧰 Additional context used
🧠 Learnings (4)
📚 Learning: 2025-07-14T16:23:12.803Z
Learnt from: NickVolynkin
Repo: cozystack/cozystack PR: 1196
File: packages/apps/http-cache/Makefile:24-27
Timestamp: 2025-07-14T16:23:12.803Z
Learning: In the cozystack repository, the `readme-generator` tool removes enum contents from values.schema.json files during its operation. Therefore, when using readme-generator in Makefiles, any enum values need to be injected back into the schema using yq commands after readme-generator has run, not before.

Applied to files:

  • packages/apps/kubernetes/Makefile
📚 Learning: 2025-11-28T21:26:10.771Z
Learnt from: kvaps
Repo: cozystack/cozystack PR: 1671
File: packages/apps/postgres/files/versions.yaml:1-6
Timestamp: 2025-11-28T21:26:10.771Z
Learning: In packages/apps/postgres/files/versions.yaml, the version mappings are sourced from the CloudNativePG container registry (ghcr.io/cloudnative-pg/postgresql), not from PostgreSQL project releases. The versions should reflect what's actually published in the CloudNativePG registry, which is automatically fetched by the hack/update-versions.sh script.

Applied to files:

  • packages/apps/kubernetes/hack/update-versions.sh
  • packages/apps/kubernetes/files/versions.yaml
📚 Learning: 2025-07-11T06:11:25.438Z
Learnt from: lllamnyp
Repo: cozystack/cozystack PR: 1130
File: hack/e2e-apps/kubernetes.bats:101-101
Timestamp: 2025-07-11T06:11:25.438Z
Learning: In cozystack, the plural form for the Kubernetes custom resource is `kuberneteses.apps.cozystack.io`, not `kubernetes.apps.cozystack.io`. This is defined in the API schema even though it's not grammatically perfect.

Applied to files:

  • packages/system/cozystack-resource-definitions/cozyrds/kubernetes.yaml
📚 Learning: 2025-11-27T11:21:45.808Z
Learnt from: CR
Repo: cozystack/cozystack PR: 0
File: AGENTS.md:0-0
Timestamp: 2025-11-27T11:21:45.808Z
Learning: Applies to **/Chart.yaml : Use Helm Charts with the umbrella pattern and vendor upstream charts in `charts/` directory

Applied to files:

  • packages/system/cozystack-resource-definitions/cozyrds/kubernetes.yaml
🧬 Code graph analysis (3)
packages/apps/kubernetes/hack/update-versions.sh (2)
hack/e2e-apps/run-kubernetes.sh (1)
  • run_kubernetes_test (1-137)
scripts/installer.sh (1)
  • run_migrations (8-20)
packages/apps/kubernetes/values.yaml (1)
pkg/cmd/server/start.go (1)
  • AppsVersionToKubeVersion (290-302)
packages/system/cozystack-resource-definitions/cozyrds/kubernetes.yaml (1)
pkg/cmd/server/openapi.go (1)
  • sanitizeForV2 (286-331)
🪛 Shellcheck (0.11.0)
packages/apps/kubernetes/hack/update-versions.sh

[warning] 129-129: TOTAL_LINES appears unused. Verify use (or export if used externally).

(SC2034)


[warning] 171-171: Prefer mapfile or read -a to split command output (or quote to avoid splitting).

(SC2207)


[warning] 188-188: Use single quotes, otherwise this expands now rather than when signalled.

(SC2064)


[warning] 188-188: Use single quotes, otherwise this expands now rather than when signalled.

(SC2064)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: Build
🔇 Additional comments (13)
packages/apps/kubernetes/.helmignore (1)

4-4: LGTM! Appropriately excludes build tooling from Helm chart packaging.

packages/apps/kubernetes/README.md (1)

107-107: LGTM! Updated description appropriately reflects the enum-based version parameter approach.

packages/apps/kubernetes/files/versions.yaml (1)

2-6: Verify Kubernetes patch version availability in registry. The updated patch versions (v1.32.10, v1.31.14, v1.30.14, v1.29.15, v1.28.15) should be confirmed as available in the container registry used by the project. Per learnings from similar version management in other apps, these versions are auto-fetched by hack/update-versions.sh.

packages/apps/kubernetes/values.schema.json (1)

495-495: LGTM! Schema updates are well-coordinated:

  • Host description properly escaped for JSON safety.
  • Version enum reordered from ascending to descending (latest first), which improves UX in UI dropdowns.
  • Description aligns with values.yaml and README documentation.

Enum ordering change is a minor UX improvement for the deployment UI.

Also applies to: 618-627

packages/apps/kubernetes/values.yaml (1)

49-59: LGTM! Version enum properly defined and integrated:

  • Enum annotation format (@enum, @value) is correct for cozyvalues-gen documentation generation.
  • Type reference {Version} correctly links parameter to enum definition.
  • Default remains v1.33 as expected.
  • Enum values (v1.33 → v1.28) in descending order, consistent with schema.json.

Per the Makefile workflow, hack/update-versions.sh will maintain this enum during version updates.

packages/apps/kubernetes/Makefile (1)

11-13: Critical: hack/update-versions.sh script implementation not provided for review. The new update target depends on this script, but it was not included in the files for review. Per the PR objectives, this script should:

  • Read kamaji version from its Dockerfile
  • Extract Kubernetes version from kamaji's kubeadm_version.go
  • Update KUBERNETES_VERSION, versions.yaml, and values.yaml

Please verify the script implementation is included in your PR and functions correctly.

packages/system/cozystack-resource-definitions/cozyrds/kubernetes.yaml (1)

11-11: Verify OpenAPI schema validation changes against controller implementations. The review flags removal of required constraints from addon and controlPlane fields in the Kubernetes schema. Without access to the repository, I cannot confirm: (1) whether required fields were actually removed, (2) whether downstream controllers (Kamaji, etcd, KubeVirt operators) gracefully handle missing configurations, or (3) whether existing tests cover optional field scenarios. Confirm these details before merging.

packages/apps/kubernetes/hack/update-versions.sh (6)

1-12: Good defensive setup with proper error handling.

The script correctly sets up strict error handling (errexit, nounset, pipefail) and establishes clear file paths for all artifacts.


14-24: Solid prerequisite validation.

Tool checks for skopeo and jq are appropriately placed early with clear error messages.


188-188: Trap command uses double quotes; verify this is intentional.

Shellcheck (SC2064) flags the trap on line 188. Double quotes cause $TEMP_FILE and $TEMP_VERSIONS to expand immediately when the trap is set, not when executed. This is likely correct (since the variables are already defined), but consider single quotes if future code changes cause confusion:

# Current (double quotes—expands at trap set time):
trap "rm -f $TEMP_FILE $TEMP_VERSIONS" EXIT

# Alternative (single quotes—expands at trap execution time):
trap 'rm -f "$TEMP_FILE" "$TEMP_VERSIONS"' EXIT

The current approach is fine and common in shell scripts.


245-259: Makefile update logic is clean.

The awk-based update for KUBERNETES_VERSION is straightforward and correct. The conditional check before updating is appropriate.


129-129: Remove unused variable TOTAL_LINES.

TOTAL_LINES is assigned on line 129 but is never referenced elsewhere in the file.

-TOTAL_LINES=$(wc -l < "$TEMP_VERSIONS" | tr -d ' ')
 START_POS=$((SUPPORTED_POS - 5))
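Review bot: Dropping TOTAL_LINES is fine, but the surviving context line `START_POS=$((SUPPORTED_POS - 5))` goes to zero or negative whenever fewer than five minors precede the supported one in the sorted tag list; clamp it (`[ "$START_POS" -lt 1 ] && START_POS=1`) before it is used as a line offset, otherwise the window silently selects the wrong lines.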

176-184: Critical: Script generates invalid YAML format.

The script at lines 176-184 outputs invalid YAML. The current format produces unstructured quoted lines that yq cannot parse as a valid YAML object:

"v1.31": "v1.31.4"
"v1.32": "v1.32.1"

Remove outer quotes from keys to generate valid block-style YAML:

 {
     for ver in "${VERSIONS[@]}"; do
-        echo "\"${ver}\": \"${VERSION_MAP[$ver]}\""
+        echo "${ver}: \"${VERSION_MAP[$ver]}\""
     done
 } > "$VERSIONS_FILE"
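Review bot: The "invalid YAML" claim does not hold for the visible output: `"v1.31": "v1.31.4"` is a valid block-mapping entry, because a double-quoted scalar is an allowed mapping key, and yq parses it to the same map as the unquoted form `v1.31: "v1.31.4"`. The suggested `-`/`+` change is therefore cosmetic rather than a fix; if stable output is the goal, keep one style and have the script validate the generated file by parsing it (for example `yq -e '.' "$VERSIONS_FILE" >/dev/null`) before it overwrites the committed versions.yaml.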

This produces valid YAML that downstream consumers like yq can parse correctly.

⛔ Skipped due to learnings
Learnt from: NickVolynkin
Repo: cozystack/cozystack PR: 1117
File: packages/apps/mysql/Makefile:8-8
Timestamp: 2025-06-26T04:29:24.830Z
Learning: The cozystack project uses yq v4+ on their CI runner, so yq v4 syntax (-o json --indent 4) is compatible and version checks are not needed.

- name: Install generate
run: |
curl -sSL https://github.com/cozystack/cozyvalues-gen/releases/download/v1.0.5/cozyvalues-gen-linux-amd64.tar.gz | tar -xzvf- -C /usr/local/bin/ cozyvalues-gen
curl -sSL https://github.com/cozystack/cozyvalues-gen/releases/download/v1.0.6/cozyvalues-gen-linux-amd64.tar.gz | tar -xzvf- -C /usr/local/bin/ cozyvalues-gen
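Review bot: The install step pipes an unverified archive straight into /usr/local/bin: `curl -sSL .../releases/download/v1.0.6/cozyvalues-gen-linux-amd64.tar.gz | tar -xzvf- -C /usr/local/bin/` executes whatever the URL serves on the CI runner with no integrity check. Download to a file, compare it against a checksum recorded in the workflow (`sha256sum -c`), and only then extract, so a replaced or tampered release asset fails the job instead of running. Separately, the bump from v1.0.5 to v1.0.6 is questioned in the comment below; confirm the tag exists before merging.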


⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🌐 Web query:

cozyvalues-gen v1.0.6 release GitHub cozystack

💡 Result:

I couldn't find a v1.0.6 release. The cozyvalues-gen GitHub Releases list shows up to v1.0.4 (released 29 Oct 2025); the module page on pkg.go.dev also lists v1.0.1 as a published version and points to the GitHub repo. [1][2]

Sources:

  • GitHub Releases — cozystack/cozyvalues‑gen (Releases page showing v1.0.4 as latest). [1]
  • pkg.go.dev — github.com/cozystack/cozyvalues‑gen (module documentation). [2]

The cozyvalues-gen version v1.0.6 does not exist and will cause the workflow to fail. The latest available release is v1.0.4 (Oct 29, 2025). Update line 31 to use a valid version or confirm the intended version bump.

🤖 Prompt for AI Agents
.github/workflows/pre-commit.yml line 31: the workflow downloads cozyvalues-gen
v1.0.6 which does not exist and will break CI; update the curl URL to a valid
release (for example replace v1.0.6 with the latest available tag v1.0.4) or
change it to the intended release you want to use, and verify the asset name
(cozyvalues-gen-linux-amd64.tar.gz) and binary path remain correct.

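The bounded, validated section replacement that the nitpick on lines 202-237 of the script recommends, as an added example that is not code from the PR: it locates the run of `## @value` lines directly after the `## @enum {string} Version` marker with explicit line bounds, refuses to proceed if the marker is missing or duplicated or no value lines follow it, rewrites only that run, and checks that the file's existing `version:` default is still one of the new values. The values.yaml below is a constructed sample in the cozyvalues-gen annotation style the thread mentions; the exact marker line and the `## @value` form are assumptions, as are the function names.

```shell
#!/usr/bin/env bash
# Added example, not code from the PR: the bounded, validated replacement of the
# Version enum in values.yaml that the review suggests instead of an implicit
# awk state machine. The values.yaml below is a constructed sample in the
# cozyvalues-gen annotation style the thread mentions; the exact marker line
# and the "## @value" form are assumptions.
set -eu

SAMPLE_VALUES='## @section Common parameters

## @enum {string} Version
## @value v1.32
## @value v1.31
## @param version {Version} Kubernetes major.minor version to deploy
version: v1.32

## @param host Hostname
host: ""'

ENUM_MARKER='## @enum {string} Version'

# Print "FIRST LAST": the line numbers of the run of "## @value" lines directly
# after the enum marker. Fail (exit 1, message on stderr) when the marker is
# missing or duplicated, or when no value lines follow it, so nothing outside
# that run can ever be touched.
locate_value_run() {
  awk -v marker="$ENUM_MARKER" '
    $0 == marker { if (s) { err = "duplicate enum marker"; exit } s = NR; next }
    s && !e { if ($0 ~ /^## @value /) { last = NR; next } e = NR }
    END {
      if (!err && !s) err = "enum marker not found"
      if (!err && !last) err = "no ## @value lines after enum marker"
      if (err) { print err > "/dev/stderr"; exit 1 }
      print s + 1, last
    }'
}

# Rewrite the value run of $1 to list the remaining arguments (newest first) and
# print the result. Refuses to proceed when the file's current `version:`
# default is not among the new values, so the regenerated file cannot
# contradict its own schema.
replace_enum_values() {
  local file="$1"; shift
  local bounds first last current
  bounds=$(locate_value_run < "$file") || return 1
  first=${bounds% *}
  last=${bounds#* }
  current=$(awk '/^version:/ { gsub(/"/, "", $2); print $2; exit }' "$file")
  case " $* " in
    *" $current "*) ;;
    *) echo "current default '$current' is not in the new enum: $*" >&2; return 1 ;;
  esac
  awk -v first="$first" -v last="$last" -v vals="$*" '
    NR == first { n = split(vals, v, " "); for (i = 1; i <= n; i++) print "## @value " v[i] }
    NR >= first && NR <= last { next }
    { print }' "$file"
}

main() {
  local tmp
  tmp=$(mktemp)
  printf '%s\n' "$SAMPLE_VALUES" > "$tmp"
  replace_enum_values "$tmp" v1.33 v1.32 v1.31
  rm -f "$tmp"
}
main
```

Because the bounds are computed and checked before any line is rewritten, a stray comment or an extra blank line between the marker and the `version:` key cannot cause content to be deleted; the script fails loudly instead, which is the property the nitpick is asking for.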
@dosubot dosubot bot added the lgtm label (This PR has been approved by a maintainer) Dec 5, 2025
@kvaps kvaps merged commit d0bfb6e into cozystack:main Dec 5, 2025
22 checks passed

Labels

enhancement New feature or request lgtm This PR has been approved by a maintainer size:L This PR changes 100-499 lines, ignoring generated files.
