Take main's simplified approach for all conflicts:
- No run-migrations init container (entrypoint.sh handles migrations)
- No additionalEnv / server.env pass-through — just extraEnv array
- No disableDbMigrations flag
- Clean indentation throughout
Made-with: Cursor
- Add DISABLE_DB_MIGRATIONS to server.env reserved key list so users
cannot accidentally override it via server.env pass-through
- Fix worker template missing {{- dash on storageEnv rendering,
consistent with server template
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Cherry-pick from HuppertzL's PR #18157 (388be20):
- Add pvc-redis-internal.yaml so persistence.enabled actually works
- Set DISABLE_DB_MIGRATIONS=true in server container env (migrations
run in the init container, not on every server restart)
- Fix PVC guard to also check persistence.enabled (bug in original)
- Add trailing newline to PVC template
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Prevents a user-supplied server.env.REDIS_PASSWORD from overriding the
explicitly configured Redis password from redis.external.* settings.
Kubernetes uses the last-defined value for duplicate env vars, so without
this guard the user value would win and break Redis auth.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Remove server.additionalEnv injection from ensure-database-exists init
container (copilot/cubic): that container only runs psql commands and
only needs PGPASSWORD + APP_PASSWORD; injecting arbitrary server env
vars there is unnecessary and allows user-supplied keys to shadow
secret-backed credentials (e.g. PGPASSWORD override breaking bootstrap)
- Quote "${PG_DATABASE_URL}" in has_schema psql invocation (copilot):
prevents word-splitting if the URL contains spaces or shell-sensitive
characters (unlikely but correct defensive practice)
- Add missing trailing newline to deployment-server.yaml (POSIX)
- Fix test description: "yarn database migrate" → "yarn database:migrate:prod"
- Fix values.yaml comment: Set to "true" → Set to true (boolean, not string)
- 64/64 helm unittest pass
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
P0 — migration regression (found by greptile, cubic):
yarn database:migrate:prod was inside `if [ "$has_schema" = "f" ]`,
meaning on every helm upgrade of an existing deployment the core schema
already exists, the block is skipped, and pending migrations are never
applied. Moved yarn database:migrate:prod outside the conditional;
only tsx ./scripts/setup-db.ts remains gated on the schema check.
P2 — cosmetic/test fixes:
- Remove duplicate tmp/ entry in .gitignore (added twice via stash conflict)
- Fix run-migrations init container $img assignment indentation (16→8sp)
- Fix storageEnv nindent rendering: change ` {{ nindent }}` to
` {{- nindent }}` to avoid orphaned 14-space line in manifest
- Replace brittle env[0] index assertions in server_url_test.yaml and
env_mapping_test.yaml with JSONPath name filters
(spec.template.spec.containers[0].env[?(@.name=="X")])
- Add missing worker-side negative Redis test: verify REDIS_PASSWORD is
not injected into worker when using internal Redis (server had this,
worker did not)
- 64/64 helm unittest suites pass (11 suites)
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Add redis_auth_test.yaml: covers REDIS_PASSWORD injection from external
secret (secretKeyRef), plaintext password, and absence when using
internal Redis — validates HuppertzL's redis external secret feature
- Add env_mapping_test: disableDbMigrations defaults to false in init
container, server extraEnv with valueFrom on server pod, non-reserved
env pass-through with realistic email SMTP example
- Update schema_permissions_test: match new migration script command
(yarn database:migrate:prod) from improved init container
- 63/63 helm unittest suites pass (11 test suites)
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Cherry-picked from PR #18157 (HuppertzL/twenty improve-helm-chart):
- Redis external secret support (secretName/passwordKey)
- Improved migration init container: checks schema existence before
running, runs tsx setup-db.ts + yarn database:migrate:prod, flushes
cache and runs upgrade command post-migration
- additionalEnv map for server and worker
Built on top of and extending PR #18157:
- Fix volumes indentation in deployment-redis-internal.yaml (was nested
inside containers spec instead of pod spec — would cause mount failures)
- Fix indentation issues introduced by cherry-picked commits
- Add server.env pass-through: arbitrary keys in server.env are injected
into the server pod, filtered against reserved keys already rendered
by the template (SERVER_URL, PG_DATABASE_URL, REDIS_URL, etc.)
- Add server.extraEnv and worker.extraEnv arrays supporting both plain
value and valueFrom (secretKeyRef, configMapKeyRef, etc.) — supersedes
the simpler additionalEnv map for secret references
- Add server.disableDbMigrations (bool, default false) that injects
DISABLE_DB_MIGRATIONS into the run-migrations init container
- Add JSON schema validation for extraEnv (oneOf: value|valueFrom)
and disableDbMigrations
- Add helm unit tests (tests/env_mapping_test.yaml) for env pass-through,
extraEnv value, extraEnv valueFrom, and disableDbMigrations
- Update schema_permissions_test to match new migration script command
- Gitignore tmp/ directory
- 55/55 helm unittest suites pass
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Blocking a user prevents them from interacting with repositories, such as opening or commenting on pull requests or issues. Learn more about blocking a user.