v0.9.0: Update to FeatBit v5.2.0 with Database Migration Scripts (#65)

This pull request upgrades the FeatBit Helm chart and related Kubernetes manifests to version 0.9.0, with a corresponding application update to v5.2.0. It introduces new database migration scripts for both PostgreSQL and MongoDB, updates documentation to clarify upgrade and dependency procedures, and ensures all image tags are aligned with the new release. The most significant changes are grouped below.

Release and Version Updates

Bumped Helm chart version to 0.9.0 and application version to 5.2.0 in Chart.yaml, values.yaml, and all example deployment files to ensure consistency across environments.
Database Migration Scripts (exernal databases excluded)

Added new migration scripts for PostgreSQL (06_v5.2.0.sql) and MongoDB (05_v5.2.0.js) to support schema changes required for v5.2.0, including new columns, default values, and updated policies/permissions for feature flags and environments.
Documentation Improvements

Updated README.md to clarify upgrade procedures, emphasizing manual execution of migration scripts before upgrading, and added a dedicated "Migration and Upgrades" section.
Revised dependency notice and recommendations for production environments, highlighting Bitnami image deprecation and the need for external managed services.
Policy and Permissions Enhancements (via migrations)

Migration scripts update organization, policy, and access token documents/tables to improve feature flag management, environment access, and default policy behaviors for both "Administrator" and "Developer" roles.

Author: cosmic-flood

AGENTS.md

@@ -107,7 +107,7 @@ charts/featbit/
   image:
     registry: docker.io
     repository: featbit/<service>
-    tag: "5.1.4"
+    tag: "5.2.0"
 
   service:
     type: ClusterIP
@@ -229,4 +229,4 @@ Create in `examples/standard/` or `examples/pro/`:
 
 - Main repository: https://github.com/featbit/featbit
 - Chart repository: https://github.com/featbit/featbit-charts
-- Current version: 0.8.0 (App: 5.1.4)
+- Current version: 0.9.0 (App: 5.2.0)

README.md

@@ -7,33 +7,6 @@ This Helm chart bootstraps a [FeatBit](https://github.com/featbit/featbit) insta
 * Kubernetes >=1.23
 * Helm >= 3.7.0
 
-## ⚠️ Dependencies Notice
-
-🚨 **CRITICAL: Bitnami Image Repository Changes (Effective August 2025)**
-
-This chart includes the following infrastructure dependencies which are **strictly for testing and development purposes**:
-
-- **PostgreSQL**: Default primary database *(⚠️ bitnami legacy images only, no update)*
-- **MongoDB**: Alternative primary database
-- **Redis**: Required caching layer *(⚠️ bitnami legacy images only, no update)*
-- **Kafka**: Optional messaging system *(⚠️ bitnami legacy images only, no updates)*
-- **ClickHouse**: Optional analytics database *(⚠️ bitnami legacy images only, no updates)*
-
-**For local testing/development**, we provide example configurations in [`charts/featbit/examples/standard/`](./charts/featbit/examples/standard/) that use specific container images:
-- [`featbit-standard-local-pg.yaml`](./charts/featbit/examples/standard/featbit-standard-local-pg.yaml) - PostgreSQL + Redis configuration for local Docker Desktop Kubernetes
-- [`featbit-standard-local-mongo.yaml`](./charts/featbit/examples/standard/featbit-standard-local-mongo.yaml) - MongoDB + Redis configuration for local Docker Desktop Kubernetes
-
-These examples leverage the default image configurations in `values.yaml`, which specify tested and compatible versions for local development environments.
-
-
-**For production environments**, we HIGHLY recommend that you use external managed services (your own included):
-
-- **PostgreSQL/MongoDB**: Configure `externalPostgresql` or `externalMongodb` with managed database services (Azure Database for PostgreSQL, AWS RDS, Google Cloud SQL, etc.)
-- **Redis**: Configure `externalRedis` with managed Redis services (Azure Cache for Redis, AWS ElastiCache, Google Cloud Memorystore, etc.)
-- **Kafka**: Configure `externalKafka` with managed Kafka services (Confluent Cloud, AWS MSK, Azure Event Hubs, etc.)
-- **ClickHouse**:  Configure `externalClickhouse` with managed ClickHouse services (ClickHouse Cloud, Altinity.Cloud, etc.)
-
-
 ## Usage 
 
 [Helm](https://helm.sh) must be installed to use the charts.  Please refer to
@@ -73,6 +46,30 @@ Helm's [documentation](https://helm.sh/docs)
 
 Note that if your device is based on the arm64 architecture, please use version 0.2.1 and above.
 
+## Migration and Upgrades
+
+🔄 **Starting from Helm Chart v0.9.0 (FeatBit v5.2.0)**
+
+Each release includes migration scripts in the [`migration/`](./migration/) folder. **Database migrations are NOT executed automatically by Helm** - they must be reviewed and executed manually by your DBA or database team before upgrading.
+
+**For external databases**: Always check `migration/RELEASE-v{version}.md` for required database schema changes before running `helm upgrade`.
+
+## ⚠️ Dependencies Notice
+
+🚨 **CRITICAL: Bitnami Image Repository Changes (Effective August 2025)**
+
+This chart includes infrastructure dependencies (PostgreSQL/MongoDB, Redis, Kafka, ClickHouse) which are **strictly for testing and development purposes** using bitnami legacy images with no updates.
+
+**For local testing/development**, use the provided example configurations:
+- [`featbit-standard-local-pg.yaml`](./charts/featbit/examples/standard/featbit-standard-local-pg.yaml) - PostgreSQL + Redis configuration for local Docker Desktop Kubernetes
+- [`featbit-standard-local-mongo.yaml`](./charts/featbit/examples/standard/featbit-standard-local-mongo.yaml) - MongoDB + Redis configuration for local Docker Desktop Kubernetes
+
+**For production environments**, we HIGHLY recommend external managed services:
+- **PostgreSQL/MongoDB**: Configure `externalPostgresql` or `externalMongodb` with managed database services (Azure Database for PostgreSQL, AWS RDS, Google Cloud SQL, etc.)
+- **Redis**: Configure `externalRedis` with managed Redis services (Azure Cache for Redis, AWS ElastiCache, Google Cloud Memorystore, etc.)
+- **Kafka**: Configure `externalKafka` with managed Kafka services (Confluent Cloud, AWS MSK, Azure Event Hubs, etc.)
+- **ClickHouse**: Configure `externalClickhouse` with managed ClickHouse services (ClickHouse Cloud, Altinity.Cloud, etc.)
+
 ## Expose self-hosted deployment
 
 To use FeatBit, three services must be exposed from the internal network of Kubernetes:

charts/featbit/Chart.yaml

@@ -15,13 +15,13 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.8.4
+version: 0.9.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "5.1.4"
+appVersion: "5.2.0"
 
 kubeVersion: ">=1.23-0"
 

charts/featbit/examples/aks/featbit-aks-values.yaml

@@ -16,7 +16,7 @@ ui:
   image:
     registry: docker.io
     repository: featbit/featbit-ui
-    tag: "5.1.4"
+    tag: "5.2.0"
     pullPolicy: IfNotPresent
 
   podSecurityContext:
@@ -65,7 +65,7 @@ api:
   image:
     registry: docker.io
     repository: featbit/featbit-api-server
-    tag: "5.1.4"
+    tag: "5.2.0"
     pullPolicy: IfNotPresent
 
   podSecurityContext:
@@ -133,7 +133,7 @@ els:
   image:
     registry: docker.io
     repository: featbit/featbit-evaluation-server
-    tag: "5.1.4"
+    tag: "5.2.0"
     pullPolicy: IfNotPresent
 
   podSecurityContext:
@@ -202,7 +202,7 @@ das:
   image:
     registry: docker.io
     repository: featbit/featbit-data-analytics-server
-    tag: "5.1.4"
+    tag: "5.2.0"
     pullPolicy: IfNotPresent
 
   podSecurityContext:

charts/featbit/examples/standard/featbit-aks-via-ingress-frontdoor.yaml

@@ -24,7 +24,7 @@ ui:
   image:
     registry: docker.io
     repository: featbit/featbit-ui
-    tag: "5.1.4"
+    tag: "5.2.0"
     pullPolicy: IfNotPresent
 
   service:
@@ -59,7 +59,7 @@ api:
   image:
     registry: docker.io
     repository: featbit/featbit-api-server
-    tag: "5.1.4"
+    tag: "5.2.0"
     pullPolicy: IfNotPresent
 
   service:
@@ -94,7 +94,7 @@ els:
   image:
     registry: docker.io
     repository: featbit/featbit-evaluation-server
-    tag: "5.1.4"
+    tag: "5.2.0"
     pullPolicy: IfNotPresent
 
   service:
@@ -129,7 +129,7 @@ da-server:
   image:
     registry: docker.io
     repository: featbit/featbit-data-analytics-server
-    tag: "5.1.4"
+    tag: "5.2.0"
     pullPolicy: IfNotPresent
 
   service:

charts/featbit/templates/mongodb-init-scripts-configmap.yaml

@@ -375,4 +375,151 @@ data:
     if (bulkOps.length > 0) {
         db.RelayProxies.bulkWrite(bulkOps, { ordered: false });
     }
+  05_v5.2.0.js: |-
+    const dbName = "{{ $db }}";
+    print('use', dbName, 'database')
+    db = db.getSiblingDB(dbName)
+
+    // https://github.com/featbit/featbit/pull/802
+
+    db.Segments.updateMany(
+        { tags: { $exists: false } },
+        { $set: { tags: [] } }
+    );
+
+    // https://github.com/featbit/featbit/pull/811
+
+    db.Organizations.updateMany(
+        {},
+        {
+            $set: {
+                "settings.flagSortedBy": "created_at"
+            }
+        }
+    );
+
+    db.Policies.updateOne(
+        {
+            type: "SysManaged",
+            name: "Administrator"
+        },
+        {
+            $push: {
+                "statements.$[org].actions": {
+                    $each: ["UpdateOrgSortFlagsBy"],
+                    $position: 0
+                }
+            }
+        },
+        {
+            arrayFilters: [
+                { "org.resourceType": "organization" }
+            ]
+        }
+    );
+
+    // https://github.com/featbit/featbit/pull/821
+
+    db.Policies.updateMany(
+        {
+            "statements.resourceType": "flag",
+            "statements.actions": "ManageFeatureFlag"
+        },
+        {
+            $set: {
+                "statements.$[stmt].actions": ["*"]
+            }
+        },
+        {
+            arrayFilters: [
+                {
+                    "stmt.resourceType": "flag",
+                    "stmt.actions": "ManageFeatureFlag"
+                }
+            ]
+        }
+    )
+
+    db.AccessTokens.updateMany(
+        {
+            "permissions.resourceType": "flag",
+            "permissions.actions": "ManageFeatureFlag"
+        },
+        {
+            $set: {
+                "permissions.$[perm].actions": ["*"]
+            }
+        },
+        {
+            arrayFilters: [
+                {
+                    "perm.resourceType": "flag",
+                    "perm.actions": "ManageFeatureFlag"
+                }
+            ]
+        }
+    );
+
+    // update built-in 'Administrator' and 'Developer' policies
+
+    // add access to envs for 'Developer' policy
+    db.Policies.updateOne(
+        {
+            organizationId: { $eq: null },
+            type: "SysManaged",
+            name: "Developer",
+            "statements.resourceType": { $ne: "env" }
+        },
+        {
+            $push: {
+                statements: {
+                    id: UUID().toString().split('"')[1],
+                    resourceType: "env",
+                    effect: "allow",
+                    actions: ["CanAccessEnv"],
+                    resources: ["project/*:env/*"]
+                }
+            }
+        }
+    );
+
+    // add access to envs for 'Administrator' policy
+    db.Policies.updateOne(
+        {
+            organizationId: { $eq: null },
+            type: "SysManaged",
+            name: "Administrator"
+        },
+        {
+            $set: {
+                "statements.$[stmt].actions": ["CanAccessEnv", "DeleteEnv", "UpdateEnvSettings", "CreateEnvSecret", "DeleteEnvSecret", "UpdateEnvSecret"]
+            }
+        },
+        {
+            arrayFilters: [
+                { "stmt.resourceType": "env" }
+            ]
+        }
+    );
+
+    // add full access to feature flags
+    db.Policies.updateMany(
+        {
+            organizationId: { $eq: null },
+            type: "SysManaged",
+            name: { $in: ["Administrator", "Developer"] },
+            "statements.resourceType": { $ne: "flag" }
+        },
+        {
+            $push: {
+                statements: {
+                    id: UUID(),
+                    resourceType: "flag",
+                    effect: "allow",
+                    actions: ["*"],
+                    resources: ["project/*:env/*:flag/*"]
+                }
+            }
+        }
+    );
     {{- end -}}