Skip to content

fix(deps): Update third-party container images to latest stable versions (resolves #2046).#2050

Draft
junhaoliao wants to merge 11 commits intoy-scope:mainfrom
junhaoliao:upgrade-3rd-party
Draft

fix(deps): Update third-party container images to latest stable versions (resolves #2046).#2050
junhaoliao wants to merge 11 commits intoy-scope:mainfrom
junhaoliao:upgrade-3rd-party

Conversation

@junhaoliao
Copy link
Copy Markdown
Member

@junhaoliao junhaoliao commented Feb 27, 2026

Description

Update all third-party container images used in the Helm chart, Docker Compose, and the Python
controller to their latest stable versions. Pin bitnami/kubectl:latest to a specific version for
reproducibility.

Image Before After Notes
MariaDB mariadb:10-jammy mariadb:10.11.16 Latest 10.x LTS patch. 11.4 was considered but drops mysqladmin (used by health checks), so staying on 10.x per issue guidance.
MySQL mysql:8.0.23 mysql:8.0.45 Latest 8.0.x patch
MongoDB mongo:7.0.1 mongo:8.0.19 Latest stable 8.0.x patch
RabbitMQ rabbitmq:3.9.8 rabbitmq:4.2.4 3.x is EOL; latest stable 4.x patch
Redis redis:7.2.4 redis:7.4.8 Latest 7.x patch
kubectl bitnami/kubectl:latest bitnami/kubectl:1.31 Pinned to minor version; :latest is non-deterministic

Updated in three locations:

  1. Helm chart templates (tools/deployment/package-helm/templates/): database-statefulset.yaml,
    results-cache-statefulset.yaml, queue-statefulset.yaml, redis-statefulset.yaml,
    _helpers.tpl
  2. Docker Compose (tools/deployment/package/docker-compose-all.yaml)
  3. Python controller (components/clp-package-utils/clp_package_utils/controller.py): sets
    CLP_DB_CONTAINER_IMAGE_REF used by the Docker Compose database service

Checklist

  • The PR satisfies the contribution guidelines.
  • This is a breaking change and that has been indicated in the PR title, OR this isn't a
    breaking change.
  • Necessary docs have been updated, OR no docs need to be updated.

Validation performed

1. Build the CLP package

Task: Build the CLP package (including the Docker image) with the updated image references.

Command:

task package

Output (last lines):

task: [package] rsync --archive "tools/deployment/package/" "/home/junhao/workspace/clp/build/clp-package"
task: [package] rsync --archive "/home/junhao/workspace/clp/build/clp-package-image.id" "/home/junhao/workspace/clp/build/clp-package"
task: [package] echo '0.9.1-dev' > '/home/junhao/workspace/clp/build/clp-package/VERSION'

2. Start CLP and verify all services are healthy with updated images

Task: Start CLP via Docker Compose and confirm all third-party services pull the correct updated
images and pass their health checks.

Commands:

cd build/clp-package
./sbin/start-clp.sh

Output (last line):

2026-02-27T08:46:05.353 INFO [controller] Started CLP.

Verification — running container images and health status:

docker ps --format 'table {{.Image}}\t{{.Status}}' --filter "name=clp-package-0d63"
IMAGE              STATUS
mariadb:10.11.16   Up About a minute (healthy)
rabbitmq:4.2.4     Up About a minute (healthy)
redis:7.4.8        Up About a minute (healthy)
mongo:8.0.19       Up About a minute (healthy)

Explanation: All four updated third-party images are running and report (healthy). The
mysqladmin ping, rabbitmq-diagnostics check_running, redis-cli PING, and mongosh ping
health checks all pass with the new versions.

3. Run a compression job

Task: Verify end-to-end compression pipeline (database, queue, Redis, MongoDB all participate).

Command:

./sbin/compress.sh --unstructured ~/samples/hive-24hr/

Output:

2026-02-27T08:46:24.372 INFO [compress] Compression job 2 submitted.
2026-02-27T08:46:40.917 INFO [compress] Compressed 472.83MB into 4.30MB (110.07x). Speed: 40.14MB/s.

Explanation: Compression completed successfully. The full pipeline — job submission via MariaDB,
task dispatch via RabbitMQ, result tracking via Redis, and metadata storage via MongoDB — functions
correctly with the updated images.

3. Run a compression job

Task: Verify end-to-end compression pipeline (database, queue, Redis, MongoDB all participate).

Command:

./sbin/compress.sh --unstructured ~/samples/hive-24hr/

Output:

2026-02-27T08:46:24.372 INFO [compress] Compression job 2 submitted.
2026-02-27T08:46:40.917 INFO [compress] Compressed 472.83MB into 4.30MB (110.07x). Speed: 40.14MB/s.

Explanation: Compression completed successfully. The full pipeline — job submission via MariaDB,
task dispatch via RabbitMQ, result tracking via Redis, and metadata storage via MongoDB — functions
correctly with the updated images.

4. Run a search query

Task: Verify the search pipeline (query scheduler, query worker, Redis, MongoDB) works with the
updated images.

Commands:

./sbin/search.sh --count '*'
./sbin/search.sh --count '*STARTUP*'

Output:

tags: [] count: 600962
tags: [] count: 29

Explanation: Both wildcard and filtered searches return results from the archives compressed in
step 3. The query pipeline — job dispatch via RabbitMQ, task coordination via Redis, and result
storage via MongoDB — functions correctly with the updated images.

5. Verify Helm template rendering (MariaDB default)

Task: Confirm the Helm chart renders the correct updated image references.

Command:

helm template test tools/deployment/package-helm | grep -E "image:" | sort -u

Output:

          image: >-
          image: "bitnami/kubectl:1.31"
          image: "ghcr.io/y-scope/clp/clp-package:main"
          image: "mongo:8.0.19"
          image: "rabbitmq:4.2.4"
          image: "redis:7.4.8"

The image: >- multiline entry resolves to mariadb:10.11.16:

helm template test tools/deployment/package-helm | grep -A2 "image: >-"
          image: >-
              mariadb:10.11.16
          imagePullPolicy: "Always"

6. Verify Helm template rendering (MySQL conditional)

Task: Confirm the MySQL path in database-statefulset.yaml renders the updated MySQL version.

Command:

helm template test tools/deployment/package-helm --set clpConfig.database.type=mysql | grep -A2 "image: >-"

Output:

          image: >-
              mysql:8.0.45
          imagePullPolicy: "Always"

Explanation: Both the MariaDB (default) and MySQL conditional paths render the correct updated
image tags.

Summary by CodeRabbit

  • Chores
    • Updated infrastructure container images for database, queue, cache and datastore components to newer stable releases for improved security and compatibility.
    • Upgraded the init/tooling image used during startup to a specific newer minor release to stabilise startup tooling.
    • Bumped the package Helm chart version to the next development release.

@junhaoliao junhaoliao requested a review from a team as a code owner February 27, 2026 12:57
@coderabbitai
Copy link
Copy Markdown
Contributor

coderabbitai Bot commented Feb 27, 2026

Important

Review skipped

Draft detected.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: d6413623-10c3-4539-b628-cf4be47cb7d0

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

  • 🔍 Trigger review

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

  • ▶️ Resume reviews
  • 🔍 Trigger review

Walkthrough

Updated container image tags and a Helm chart version across deployment manifests and a controller default: MySQL, MariaDB, RabbitMQ, Redis, MongoDB, and bitnami/kubectl image tags were changed.

Changes

Cohort / File(s) Summary
Controller configuration
components/clp-package-utils/clp_package_utils/controller.py
Default database bundling images updated: MySQL mysql:8.0.23mysql:8.0.45, MariaDB mariadb:10-jammymariadb:10.11.16.
Helm template helpers
tools/deployment/package-helm/templates/_helpers.tpl
Pinned initContainer image: bitnami/kubectl:latestbitnami/kubectl:1.31.
Helm database StatefulSet
tools/deployment/package-helm/templates/database-statefulset.yaml
StatefulSet database images updated: MySQL 8.0.238.0.45, MariaDB 10-jammy10.11.16.
Helm service StatefulSets
tools/deployment/package-helm/templates/queue-statefulset.yaml, tools/deployment/package-helm/templates/redis-statefulset.yaml, tools/deployment/package-helm/templates/results-cache-statefulset.yaml
Updated images: RabbitMQ rabbitmq:3.9.8rabbitmq:4.2.4, Redis redis:7.2.4redis:7.4.8, MongoDB mongo:7.0.1mongo:8.0.19.
Docker Compose
tools/deployment/package/docker-compose-all.yaml
Service images aligned with templates: MariaDB 10-jammy10.11.16, RabbitMQ 3.9.84.2.4, Redis 7.2.47.4.8, MongoDB 7.0.18.0.19.
Chart metadata
tools/deployment/package-helm/Chart.yaml
Chart version bumped from 0.2.1-dev.50.2.1-dev.6.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related issues

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately describes the main change: updating third-party container images to newer stable versions across multiple files and components.
Docstring Coverage ✅ Passed Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

Copy link
Copy Markdown
Contributor

@coderabbitai coderabbitai Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@tools/deployment/package-helm/templates/_helpers.tpl`:
- Line 370: The Helm template currently pins a non-existent image tag
("bitnami/kubectl:1.31"); update the image reference in the _helpers.tpl
template to a valid tag or digest (e.g., "bitnami/kubectl:latest" or a specific
SHA256 digest) so pods can be created successfully—replace image:
"bitnami/kubectl:1.31" with the chosen valid tag/digest and, if reproducibility
is required, prefer pinning the SHA256 digest instead of :latest.

In `@tools/deployment/package-helm/templates/queue-statefulset.yaml`:
- Line 24: Update the deployment test plan for the RabbitMQ image change to
"rabbitmq:4.2.4": verify there are no classic mirrored queues (or migrate to
quorum queues) by inspecting cluster/queue configuration, run the health check
`rabbitmq-diagnostics check_running` after startup, perform smoke tests with the
project's Celery version (Celery 5.6.2+)—start workers, publish and consume
messages, and exercise typical task payloads to detect AMQP frame negotiation
issues related to the increased default initial_frame_max (8192); if you hit
frame errors, either adjust RabbitMQ's initial_frame_max or configure
Celery/clients accordingly or revert the image until compatibility is confirmed.

ℹ️ Review info

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 44de3d4 and 41355ca.

📒 Files selected for processing (8)
  • components/clp-package-utils/clp_package_utils/controller.py
  • tools/deployment/package-helm/Chart.yaml
  • tools/deployment/package-helm/templates/_helpers.tpl
  • tools/deployment/package-helm/templates/database-statefulset.yaml
  • tools/deployment/package-helm/templates/queue-statefulset.yaml
  • tools/deployment/package-helm/templates/redis-statefulset.yaml
  • tools/deployment/package-helm/templates/results-cache-statefulset.yaml
  • tools/deployment/package/docker-compose-all.yaml

containers:
- name: "queue"
image: "rabbitmq:3.9.8"
image: "rabbitmq:4.2.4"
Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🌐 Web query:

RabbitMQ 4.0 4.2 breaking changes migration guide

💡 Result:

RabbitMQ 4.0 (from 3.13.x): key breaking changes + what to do

  • Classic (mirrored) queue HA is removed in 4.0 → migrate to Quorum Queues or Streams (classic queues remain, but non-replicated). Plan a migration (often blue/green) and remove mirroring policies/args. [1]
  • If you enabled Khepri on RabbitMQ 3.13.x, you cannot in-place upgrade to 4.x (you must migrate/blue-green to a fresh 4.x cluster). [2]
  • Quorum queue behavior change (4.0): default delivery limit is now 20 → validate any workloads that rely on repeated redeliveries/retries. [3]
  • Upgrade prerequisites: ensure required/stable feature flags are enabled before upgrading, and follow supported upgrade paths (e.g., 3.13.x → 4.0.x is supported). [2]
  • Erlang/OTP compatibility: RabbitMQ 4.0.x requires Erlang/OTP ≥ 26.2 (and supports 27.x). [4]

RabbitMQ 4.2 (from 4.0/4.1 or 3.13): breaking changes to check

From the 4.2 release notes / compatibility notes:

  • AMQP 1.0 durability default: if a sending client omits the AMQP 1.0 header section, RabbitMQ 4.2 assumes durable=false (per spec). AMQP 1.0 publishers should explicitly set durable=true when they need durable messages. [5]
  • AMQP 0.9.1 Direct Reply-To + mandatory: publishing replies with mandatory=true to amq.rabbitmq.reply-to.* is treated as “routed” (no basic.return just because the requester is gone). If you relied on basic.return for RPC failure detection, adjust client logic. [5]
  • Config cleanup: very rarely used *.cacerts settings were removed from rabbitmq.conf (not cacertfile). Remove/replace if present. [5]
  • Erlang/OTP note for 4.2.x: still min Erlang/OTP 26.2, supports 27.x; Erlang 28 has caveats (notably with Khepri upgrades). [4]

Practical migration checklist (4.0 → 4.2, or 3.13 → 4.2)

  1. Inventory deprecated/removed features (especially mirrored classic queues) and migrate to quorum queues/streams. [1]
  2. If on 3.13 + Khepri enabled, plan blue/green migration, not in-place upgrade. [2]
  3. Confirm feature flags state and supported upgrade path for your current version. [2]
  4. Validate Erlang/OTP version meets the target series requirements. [4]
  5. If you use AMQP 1.0 or Direct Reply-To RPC, regression-test the 4.2 behavior changes above. [5]

Sources: What’s New in RabbitMQ 4.0 (mirroring removed) [1]; RabbitMQ 4.x upgrade guide (paths, feature flags, Khepri caveat) [2]; RabbitMQ blog on quorum queues in 4.0 (delivery limit default 20) [3]; Erlang/RabbitMQ compatibility matrix [4]; RabbitMQ 4.2.0 release notes / breaking changes section [5].


🌐 Web query:

Celery RabbitMQ 4.x compatibility support

💡 Result:

Celery 4.x uses the AMQP 0-9-1 client stack (via Kombu/py-amqp), so it’s generally compatible with RabbitMQ 4.x as a broker because RabbitMQ 4.x continues to support AMQP 0-9-1 (and also adds native AMQP 1.0 support, which Celery 4.x does not use) [3][4].

The main RabbitMQ 4.x compatibility pitfall to watch is frame-size/handshake changes in RabbitMQ 4.1+:

  • RabbitMQ’s pre-auth “initial frame max” is 8192 bytes by default in 4.x (initial_frame_max) [2].
  • RabbitMQ 4.1 notes that clients that override frame_max must use ≥ 8192, and some older clients with low defaults needed upgrades [1]. (If your Celery/Kombu/py-amqp stack is old or pinned, this is where issues can surface.)

Practical guidance:

  • If you can, upgrade Celery (4.x is tied to very old Python versions) [4].
  • If you must stay on Celery 4.x, ensure your Kombu/py-amqp dependencies aren’t extremely old, and smoke-test worker connection + publish/consume against your exact RabbitMQ 4.x version (especially 4.1+), watching for handshake/frame negotiation errors [1][2].

🏁 Script executed:

# Check if there are any queue configurations or celery-related settings in the codebase
fd -e yaml -e yml -e py | head -20 | xargs rg -l "celery|queue|mirroring" 2>/dev/null | head -20

Repository: y-scope/clp

Length of output: 173


🏁 Script executed:

# Search for any explicit queue configuration in helm templates
fd -e yaml -e yml . tools/deployment/package-helm/templates/ | xargs rg -i "queue|mirror|policy" 2>/dev/null

Repository: y-scope/clp

Length of output: 5426


🏁 Script executed:

# Read the queue-statefulset.yaml to see full configuration
cat -n tools/deployment/package-helm/templates/queue-statefulset.yaml | head -80

Repository: y-scope/clp

Length of output: 2061


🏁 Script executed:

# Search for celery and kombu versions in requirements/setup files
fd -e txt -e py -e yaml . | xargs rg -i "celery|kombu|py.amqp" 2>/dev/null | grep -i "version\|=="

Repository: y-scope/clp

Length of output: 219


🏁 Script executed:

# Check queue configuration and health check details
cat -n tools/deployment/package-helm/templates/queue-statefulset.yaml | tail -50

Repository: y-scope/clp

Length of output: 2006


🏁 Script executed:

# Search for celery version specifications in requirements files
fd -e txt -e cfg -e toml . | xargs rg "celery" -A 2 -B 2 2>/dev/null | head -40

Repository: y-scope/clp

Length of output: 385


🏁 Script executed:

# Look for Python requirements or setup.py to find exact versions
fd -type f \( -name "requirements*.txt" -o -name "setup.py" -o -name "pyproject.toml" -o -name "Pipfile" \)

Repository: y-scope/clp

Length of output: 225


🏁 Script executed:

# Find requirements files
find . -name "requirements*.txt" -o -name "setup.py" -o -name "pyproject.toml" -o -name "Pipfile" 2>/dev/null | head -20

Repository: y-scope/clp

Length of output: 410


🏁 Script executed:

# Check if there are any queue/mirroring policies in helm values or configuration
fd -e yaml -e yml . tools/deployment/package-helm/ | xargs rg -i "policy|mirroring|mirror" 2>/dev/null

Repository: y-scope/clp

Length of output: 2433


🌐 Web query:

rabbitmq-diagnostics check_running command RabbitMQ 4.x compatibility

💡 Result:

Yes—rabbitmq-diagnostics check_running is supported in RabbitMQ 4.x (it’s documented in the RabbitMQ 4.0 rabbitmq-diagnostics man page and referenced in the 4.1 monitoring/health-check guidance). It is therefore compatible to use as a health check with RabbitMQ 4.x. [1], [2]

What it does in 4.x:

  • Fails (non‑zero exit code) if the RabbitMQ application is not running on the target node (e.g., if it was stopped via rabbitmqctl stop_app, or is paused/stopped). [1], [2]
  • Common usage:
    • rabbitmq-diagnostics check_running [1]
    • Quiet mode for probes: rabbitmq-diagnostics -q check_running [2]
    • Often paired with alarms check (recommended “stage 3” style check):
      rabbitmq-diagnostics -q check_running && rabbitmq-diagnostics -q check_local_alarms [2]

Sources:
[1] RabbitMQ 4.0 rabbitmq-diagnostics(8) man page (check_running)
[2] RabbitMQ 4.1 Monitoring guide (node health checks using check_running)


Test Celery 5.x with RabbitMQ 4.2.4 before deployment.

While upgrading from RabbitMQ 3.9.8 to 4.2.4, note that RabbitMQ 4.0 removed classic queue mirroring (requiring migration to quorum queues if used). However, no mirroring configuration is evident in this deployment. The health check command rabbitmq-diagnostics check_running is compatible with RabbitMQ 4.x.

Celery 5.6.2+ (as specified in the codebase) is compatible with RabbitMQ 4.x over AMQP 0-9-1. However, RabbitMQ 4.1+ changed the default initial_frame_max to 8192 bytes. Perform smoke testing (connect workers, publish/consume messages) to ensure no frame negotiation issues arise.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@tools/deployment/package-helm/templates/queue-statefulset.yaml` at line 24,
Update the deployment test plan for the RabbitMQ image change to
"rabbitmq:4.2.4": verify there are no classic mirrored queues (or migrate to
quorum queues) by inspecting cluster/queue configuration, run the health check
`rabbitmq-diagnostics check_running` after startup, perform smoke tests with the
project's Celery version (Celery 5.6.2+)—start workers, publish and consume
messages, and exercise typical task payloads to detect AMQP frame negotiation
issues related to the increased default initial_frame_max (8192); if you hit
frame errors, either adjust RabbitMQ's initial_frame_max or configure
Celery/clients accordingly or revert the image until compatibility is confirmed.

@junhaoliao junhaoliao requested a review from hoophalab March 2, 2026 15:48
hoophalab
hoophalab previously approved these changes Mar 2, 2026
Copy link
Copy Markdown
Contributor

@hoophalab hoophalab left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, though I cannot 100% sure there won't be issues in some edge cases.

Validations: compressed and searched logs in webui. This should involve all updated components.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

probably need to bump helm version

@hoophalab hoophalab dismissed their stale review March 2, 2026 23:19

helm version

@junhaoliao junhaoliao requested a review from hoophalab March 3, 2026 08:11
hoophalab
hoophalab previously approved these changes Mar 5, 2026
@junhaoliao junhaoliao added this to the March 2026 milestone Mar 7, 2026
Copy link
Copy Markdown
Contributor

@coderabbitai coderabbitai Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@tools/deployment/package-helm/templates/_helpers.tpl`:
- Line 385: The image reference currently pins to a mutable minor tag ("image:
\"bitnami/kubectl:1.31\""); replace it with the resolved immutable digest form
(e.g. "bitnami/kubectl:1.31@sha256:<digest>") to ensure reproducible
deployments. Resolve the digest in CI or locally (e.g. docker inspect or skopeo
inspect docker://bitnami/kubectl:1.31) and update the image string in the
template to include the `@sha256` digest.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 463b8ae9-c0ba-4383-8035-3bdf74b7450c

📥 Commits

Reviewing files that changed from the base of the PR and between 823c212 and 083b2f4.

📒 Files selected for processing (4)
  • components/clp-package-utils/clp_package_utils/controller.py
  • tools/deployment/package-helm/Chart.yaml
  • tools/deployment/package-helm/templates/_helpers.tpl
  • tools/deployment/package/docker-compose-all.yaml

Comment thread tools/deployment/package-helm/templates/_helpers.tpl Outdated
@junhaoliao junhaoliao modified the milestones: March 2026, Mid-April 2026 Apr 1, 2026
hoophalab
hoophalab previously approved these changes Apr 6, 2026
@junhaoliao junhaoliao marked this pull request as draft April 8, 2026 14:26
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants