Skip to content

test(8.9): honor RDBMS_POSTGRESQL_USERNAME for the role in postgresql-cluster fixture#6310

Open
eamonnmoloney wants to merge 1 commit into
mainfrom
fix-pg-fixture-username-89
Open

test(8.9): honor RDBMS_POSTGRESQL_USERNAME for the role in postgresql-cluster fixture#6310
eamonnmoloney wants to merge 1 commit into
mainfrom
fix-pg-fixture-username-89

Conversation

@eamonnmoloney

@eamonnmoloney eamonnmoloney commented Jun 3, 2026

Copy link
Copy Markdown
Contributor

Which problem does the PR fix?

Backport of #6293 to the 8.9 chart. A manual deploy-camunda run of an 8.9 RDBMS scenario fails with password authentication failed for user "..." unless RDBMS_POSTGRESQL_USERNAME happens to be exactly app.

What's in this PR?

The 8.9 postgresql-cluster CNPG fixture hardcoded the managed login role to app, while the connection Secret, the psql-create-db job (--username=$RDBMS_POSTGRESQL_USERNAME), and rdbms.yaml (username: ${RDBMS_POSTGRESQL_USERNAME}) all use the variable. They only agree when the variable is literally app.

This derives the managed role name from $RDBMS_POSTGRESQL_USERNAME. The role is a superuser, so it accesses the default app database regardless of name. When the variable is app the fixture renders byte-identical to before, so CI is unchanged.

8.9 differs from 8.10: it creates databases via the psql-create-db job (not postInitSQL), so there's no CREATE DATABASE ... OWNER clause to update — only the managed role name.

Validation: envsubst render with =app (identical to before) and =camunda (role consistently camunda); go test ./matrix/... passes. Not GKE-validated for non-app values (no standing local 8.9 RDBMS deploy), but mirrors the GKE-validated 8.10 fix (#6293) and is a no-op when the var is app as CI uses.

Checklist

Please make sure to follow our Contributing Guide.

Before opening the PR:

  • In the repo's root dir, run make go.update-golden-only.
  • There is no other open pull request for the same update/change.
  • Tests for charts are added (if needed).
  • In-repo documentation are updated (if needed).

After opening the PR:

  • Did you sign our CLA (Contributor License Agreement)? It will show once you open the PR.
  • Did all checks/tests pass in the PR?

@github-actions github-actions Bot added the version/8.9 Camunda applications/cycle version label Jun 3, 2026
@eamonnmoloney @claude
test(8.9): honor RDBMS_POSTGRESQL_USERNAME for the role in postgresql…
d60439d 
…-cluster fixture

Backport of the 8.10 fix (#6293). The 8.9 postgresql-cluster CNPG fixture
hardcoded the managed login role to `app`, while the connection Secret, the
psql-create-db job (--username=$RDBMS_POSTGRESQL_USERNAME) and rdbms.yaml
(username: ${RDBMS_POSTGRESQL_USERNAME}) all use the variable. They only agree
when the var is literally `app`, so a manual deploy-camunda run with any other
value failed with 'password authentication failed for user ...'.

Derive the managed role name from $RDBMS_POSTGRESQL_USERNAME. The role is a
superuser, so it can access the default `app` database regardless of name. When
the var is `app` this renders byte-identical to before, so CI is unchanged.
(8.9 creates databases via the psql-create-db job rather than postInitSQL, so
unlike 8.10 there is no CREATE DATABASE owner clause to update.)

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@eamonnmoloney eamonnmoloney marked this pull request as ready for review June 9, 2026 09:41
@eamonnmoloney eamonnmoloney force-pushed the fix-pg-fixture-username-89 branch from 6c652c5 to d60439d Compare June 9, 2026 09:41
@eamonnmoloney eamonnmoloney requested a review from a team as a code owner June 9, 2026 09:42
@eamonnmoloney eamonnmoloney requested review from Copilot and hisImminence and removed request for a team June 9, 2026 09:42
Copilot AI reviewed Jun 9, 2026
View reviewed changes

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Backports the 8.10 fix for postgresql-cluster CNPG test fixtures to the 8.9 chart so RDBMS scenarios remain self-consistent when RDBMS_POSTGRESQL_USERNAME is not app, preventing JDBC authentication failures during manual deploy-camunda runs.

Changes:

  • Update the CNPG managed role name in the 8.9 postgresql-cluster fixture to derive from $RDBMS_POSTGRESQL_USERNAME instead of hardcoding app.
  • Add inline rationale explaining why the role must track the JDBC username used by the chart and DB-creation job.

Comment thread charts/camunda-platform-8.9/test/integration/scenarios/common/resources/postgresql-cluster.yaml
Comment on lines +22 to +23
# "password authentication failed for user ...". In CI the var is `app`, so
# this renders identically.
Comment thread charts/camunda-platform-8.9/test/integration/scenarios/common/resources/postgresql-cluster.yaml
managed:
roles:
- name: app
- name: $RDBMS_POSTGRESQL_USERNAME
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@hisImminence hisImminence Awaiting requested review from hisImminence hisImminence is a code owner automatically assigned from camunda/distribution

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

version/8.9 Camunda applications/cycle version

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@eamonnmoloney