Fix tf-state-backup CronJob — replace dead bitnami/kubectl image #51

Closed
opened 2026-03-14 18:16:22 +00:00 by forgejo_admin · 0 comments

Lineage

bug-tf-state-backup-image-dead — relates to plan-pal-e-platform → Phase 6.1 (state backup)

Repo

forgejo_admin/pal-e-platform

User Story

As a platform operator
I want the tf-state-backup CronJob to use a working container image
So that daily Terraform state backups resume and data loss risk is eliminated

Context

Bitnami removed all Docker Hub images (same pattern that broke Keycloak). The bitnami/kubectl:1.31 image used by the tf-state-backup CronJob no longer exists. Pods fail with ImagePullBackOff. No state backups have run since the CronJob was deployed.

The fix is to switch to alpine:3.20 and download the kubectl binary alongside the existing mc (MinIO client) download in the init script. This avoids future Bitnami disappearances and keeps the image small.

File Targets

Files the agent should modify:

  • terraform/main.tf (~line 1704) — CronJob container image + command/args

Files the agent should NOT touch:

  • .woodpecker.yaml — CI pipeline, no changes needed
  • salt/ — not relevant to this fix

Acceptance Criteria

  • CronJob image changed from bitnami/kubectl:1.31 to alpine:3.20
  • Shell changed from /bin/bash to /bin/sh (alpine uses ash, not bash)
  • kubectl binary downloaded via curl alongside existing mc download
  • All bare kubectl calls replaced with /tmp/kubectl
  • tofu validate passes
  • tofu fmt produces no changes

Test Expectations

  • tofu validate passes
  • tofu fmt check produces no diff
  • After apply: kubectl create job --from=cronjob/tf-state-backup test-backup -n tofu-state creates a pod that completes successfully
  • Backup files appear in MinIO tf-state-backups bucket

Constraints

  • Use alpine:3.20 (pinned version, not :latest)
  • Download kubectl v1.31.4 from official dl.k8s.io URL
  • Keep the existing mc download pattern (curl to /tmp)
  • set -euo pipefail works in BusyBox ash (alpine's shell)

Checklist

  • PR opened
  • tofu validate passes
  • tofu fmt clean
  • No unrelated changes
  • Closes this issue

Related

  • bug-tf-state-backup-image-dead — pal-e-docs bug note
  • PR #39 — original state backup implementation
  • plan-pal-e-platform — Platform Hardening plan
forgejo_admin 2026-03-14 18:21:34 +00:00
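
Added example, not part of this issue or the repository's code: the constraints above download kubectl v1.31.4 from dl.k8s.io into /tmp, and this sketch checks the binary against a SHA-256 digest before it is installed. Assumptions: the function names are hypothetical, the architecture is amd64 (the issue does not state it), and curl has been installed first, since the alpine:3.20 base image does not ship it.

```shell
# Added example: checksum-verified kubectl download, written for POSIX sh / BusyBox ash.
KUBECTL_VERSION="v1.31.4"   # version named in the issue's constraints
KUBECTL_ARCH="amd64"        # assumption: node architecture is not stated in the issue
KUBECTL_URL="https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/${KUBECTL_ARCH}/kubectl"

# verify_sha256 FILE EXPECTED_HEX
# Returns 0 on match, 1 on mismatch, 2 if EXPECTED_HEX is not a SHA-256 digest.
verify_sha256() {
  file=$1
  # Normalise: lowercase hex, strip whitespace such as a trailing newline.
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f' | tr -d ' \n\r\t')
  case "$expected" in
    ""|*[!0-9a-f]*) return 2 ;;
  esac
  [ "${#expected}" -eq 64 ] || return 2
  actual=$(sha256sum "$file" 2>/dev/null | cut -d' ' -f1)
  [ "$actual" = "$expected" ]
}

# fetch_verified URL DEST [PINNED_SHA256]
# Downloads to DEST.part and moves it into place only after the digest matches.
# Without PINNED_SHA256 the digest is read from URL.sha256 (same origin), which
# catches truncation and corruption; a pinned digest also catches a changed upstream.
fetch_verified() {
  url=$1
  dest=$2
  pinned=${3:-}
  tmp="$dest.part"
  curl -fsSL -o "$tmp" "$url" || { rm -f "$tmp"; return 1; }
  if [ -n "$pinned" ]; then
    sum=$pinned
  else
    sum=$(curl -fsSL "$url.sha256") || { rm -f "$tmp"; return 1; }
  fi
  if verify_sha256 "$tmp" "$sum"; then
    chmod 0755 "$tmp" && mv "$tmp" "$dest"
  else
    echo "checksum check failed for $url, refusing to install" >&2
    rm -f "$tmp"
    return 1
  fi
}
```

In the init script this would be called as `fetch_verified "$KUBECTL_URL" /tmp/kubectl`, optionally with a digest pinned in the Terraform configuration as the third argument. A failed check returns non-zero, so under `set -e` the backup job stops instead of running an unverified binary.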