From 5ad0b6cbd67f2354baa537ed2a343a1841e7a1f2 Mon Sep 17 00:00:00 2001
From: Palash Goel
Date: Thu, 13 Nov 2025 06:28:14 +0000
Subject: [PATCH 1/5] changes for onprem upgrade rke2
---
 on-prem-installers/mage/upgrade.go | 19 ++++++++++++++++---
 1 file changed, 16 insertions(+), 3 deletions(-)
diff --git a/on-prem-installers/mage/upgrade.go b/on-prem-installers/mage/upgrade.go
index 42fc421ba..6168ae132 100644
--- a/on-prem-installers/mage/upgrade.go
+++ b/on-prem-installers/mage/upgrade.go
@@ -63,8 +63,15 @@ func (Upgrade) rke2Cluster() error {
 1.27 needs to be installed first.
 TODO: Add logic to determine version hops dynamically instead of hardcoding them.
 NOTE: EMF v3.0.0 uses "v1.30.10+rke2r1"
+ NOTE: Upgrading from 1.30.10 to 1.34.1 requires intermediate versions: 1.30 → 1.31 → 1.32 → 1.33 → 1.34
 */
- for i, rke2UpgradeVersion := range []string{"v1.30.10+rke2r1", "v1.30.14+rke2r2"} {
+ for i, rke2UpgradeVersion := range []string{
+ "v1.30.14+rke2r2", // Patch update within 1.30
+ "v1.31.13+rke2r1", // Upgrade to 1.31
+ "v1.32.9+rke2r1", // Upgrade to 1.32
+ "v1.33.5+rke2r1", // Upgrade to 1.33
+ "v1.34.1+rke2r1", // Final target version
+ } {
 // Set version in upgrade Plan and render template.
 tmpl, err := template.ParseFiles(filepath.Join("rke2", "upgrade-plan.tmpl"))
 if err != nil {
@@ -99,8 +106,14 @@ func (Upgrade) rke2Cluster() error {
 return err
 }
- if i == 0 {
- fmt.Printf("RKE2 upgraded to intermediate version %s, starting another upgrade...\n", rke2UpgradeVersion)
+ if i < len([]string{
+ "v1.30.14+rke2r2",
+ "v1.31.13+rke2r1",
+ "v1.32.9+rke2r1",
+ "v1.33.5+rke2r1",
+ "v1.34.1+rke2r1",
+ })-1 {
+ fmt.Printf("RKE2 upgraded to intermediate version %s, starting next upgrade...\n", rke2UpgradeVersion)
 }
 }
From f1286e019ddcfd0fb2e00ff02535d21aec8ee4da Mon Sep 17 00:00:00 2001
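Review bot: The version chain is written out twice, once in the `range` literal of the first hunk and again inside `len([]string{...})-1` in the second hunk, so a later edit to one copy can leave the "intermediate version" check out of step with the versions that are actually applied. Declaring the slice once above the loop, `rke2UpgradeVersions := []string{...}`, and testing `if i < len(rke2UpgradeVersions)-1 {` keeps the two in agreement and avoids building a throwaway slice on every iteration. The block comment could also state that each entry moves by at most one minor version, since that constraint is what fixes the order of the list. `rke2Cluster` starts and ends outside both hunks.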
From: PalashGoelIntel
Date: Thu, 13 Nov 2025 13:44:01 +0530
Subject: [PATCH 2/5] Update values.yaml
---
 on-prem-installers/assets/gitea/values.yaml | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/on-prem-installers/assets/gitea/values.yaml b/on-prem-installers/assets/gitea/values.yaml
index 2ed168eeb..856660fb7 100644
--- a/on-prem-installers/assets/gitea/values.yaml
+++ b/on-prem-installers/assets/gitea/values.yaml
@@ -2,6 +2,7 @@
 #
 # SPDX-License-Identifier: Apache-2.0
+
 redis-cluster:
 enabled: false
 postgresql:
@@ -161,3 +162,9 @@ containerSecurityContext:
 seccompProfile:
 type: RuntimeDefault
 runAsNonRoot: true
+
+# Use Recreate strategy to avoid queue lock issues when upgrading
+# Gitea uses LevelDB for internal queues (/data/queues/) which can only be accessed by one pod at a time
+deployment:
+ strategy:
+ type: Recreate
From 95f47c0c44248b2af2018aab3cb29190afa5f52c Mon Sep 17 00:00:00 2001
From: Palash Goel
Date: Thu, 13 Nov 2025 08:23:55 +0000
Subject: [PATCH 3/5] lint go issue
---
 on-prem-installers/mage/upgrade.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/on-prem-installers/mage/upgrade.go b/on-prem-installers/mage/upgrade.go
index 6168ae132..9a01cd11d 100644
--- a/on-prem-installers/mage/upgrade.go
+++ b/on-prem-installers/mage/upgrade.go
@@ -67,7 +67,7 @@ func (Upgrade) rke2Cluster() error {
 */
 for i, rke2UpgradeVersion := range []string{
 "v1.30.14+rke2r2", // Patch update within 1.30
- "v1.31.13+rke2r1", // Upgrade to 1.31
+ "v1.31.13+rke2r1", // Upgrade to 1.31
 "v1.32.9+rke2r1", // Upgrade to 1.32
 "v1.33.5+rke2r1", // Upgrade to 1.33
 "v1.34.1+rke2r1", // Final target version
From 244264ff1b4f7b601d812c6eb8fb28be0877d4a2 Mon Sep 17 00:00:00 2001
From: Palash Goel
Date: Fri, 14 Nov 2025 13:02:34 +0000
Subject: [PATCH 4/5] changes for postgres
---
 on-prem-installers/onprem/onprem_upgrade.sh | 4 +++-
 on-prem-installers/onprem/upgrade_postgres.sh | 24 ++++++++++++++-----
 2 files changed, 21 insertions(+), 7 deletions(-)
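Review bot: In the second values.yaml hunk of PATCH 2/5, `strategy.type: Recreate` prevents old and new pods from overlapping during a rollout, but it does not limit how many replicas start together, so the single-writer assumption in the comment holds only while the chart runs one Gitea replica. The replica setting is not visible in this hunk; if it is fixed elsewhere in the file, the comment should tie the two together, for example `# Requires replicaCount: 1; Recreate only prevents old/new overlap, and Gitea is unavailable while the pod restarts`. Stating the downtime in the comment also tells operators that anything depending on Gitea has to tolerate the gap during an upgrade.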
diff --git a/on-prem-installers/onprem/onprem_upgrade.sh b/on-prem-installers/onprem/onprem_upgrade.sh
index 2b1fe1e8b..e4aa6463c 100755
--- a/on-prem-installers/onprem/onprem_upgrade.sh
+++ b/on-prem-installers/onprem/onprem_upgrade.sh
@@ -803,13 +803,15 @@ sleep 10
 # Restore secret after app delete but before postgress restored
 yq e 'del(.metadata.labels, .metadata.annotations, .metadata.uid, .metadata.creationTimestamp)' postgres_secret.yaml | kubectl apply -f -
+sleep 30
 # Wait until PostgreSQL pod is running (Re-sync)
 start_time=$(date +%s)
 timeout=300 # 5 minutes in seconds
 set +e
 while true; do
 echo "Checking PostgreSQL pod status..."
- podname=$(kubectl get pods -n orch-database -l app.kubernetes.io/name=postgresql -o jsonpath='{.items[0].metadata.name}')
+ # CloudNativePG uses cnpg.io/cluster label instead of app.kubernetes.io/name
+ podname=$(kubectl get pods -n orch-database -l cnpg.io/cluster=postgresql-cluster,cnpg.io/instanceRole=primary -o jsonpath='{.items[0].metadata.name}')
 pod_status=$(kubectl get pods -n orch-database "$podname" -o jsonpath='{.status.phase}')
 if [[ "$pod_status" == "Running" ]]; then
 echo "PostgreSQL pod is Running."
diff --git a/on-prem-installers/onprem/upgrade_postgres.sh b/on-prem-installers/onprem/upgrade_postgres.sh
index e7e4f269f..a2f1e275b 100755
--- a/on-prem-installers/onprem/upgrade_postgres.sh
+++ b/on-prem-installers/onprem/upgrade_postgres.sh
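Review bot: The added `sleep 30` in onprem_upgrade.sh is a fixed delay with no comment saying what it waits for, and the polling loop directly below already waits for the pod, so it is unclear why both are needed. If the delay exists so the loop does not match a pod that is about to be replaced, say so on the line, e.g. `sleep 30  # let the operator replace the old primary before polling`, or poll for that condition instead. In the new lookup, `items[0]` yields nothing until a pod carries `cnpg.io/instanceRole=primary`, so `"$podname"` can be empty on early iterations, and the loop tolerates that only because `set +e` is in effect. The loop body continues outside the hunk.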
@@ -75,13 +75,25 @@ delete_postgres() {
 kubectl delete secret --ignore-not-found=true -n $postgres_namespace postgresql
 }
+get_postgres_pod() {
+ kubectl get pods -n orch-database -l cnpg.io/cluster=postgresql-cluster,cnpg.io/instanceRole=primary -o jsonpath='{.items[0].metadata.name}' 2>/dev/null || echo "postgresql-0"
+}
+
 restore_postgres() {
- kubectl exec -n $postgres_namespace $podname -- /bin/bash -c "$(typeset -f disable_security); disable_security"
- remote_backup_path="/tmp/${postgres_namespace}_${podname}_backup.sql"
- kubectl cp "$local_backup_path" "$postgres_namespace/$podname:$remote_backup_path"
+ podname=$(get_postgres_pod)
+ # kubectl exec -n $postgres_namespace $podname -- /bin/bash -c "$(typeset -f disable_security); disable_security"
+ remote_backup_path="/var/lib/postgresql/data/${postgres_namespace}_${podname}_backup.sql"
+
+ kubectl cp "$local_backup_path" "$postgres_namespace/$podname:$remote_backup_path" -c postgres
 echo "Restoring backup databases from pod $podname in namespace $postgres_namespace..."
- kubectl exec -n $postgres_namespace $podname -- /bin/bash -c "psql -U $POSTGRES_USERNAME < $remote_backup_path "
- kubectl exec -n $postgres_namespace $podname -- /bin/bash -c "$(typeset -f enable_security); enable_security"
-}
+ # Get postgres password from secret
+ PGPASSWORD=$(kubectl get secret -n $postgres_namespace postgresql -o jsonpath='{.data.postgres-password}' | base64 -d)
+
+ # CloudNativePG doesn't need security disable/enable, just use credentials
+ # Use the remote backup file that was copied to the pod
+ kubectl exec -n $postgres_namespace $podname -c postgres -- env PGPASSWORD="$PGPASSWORD" psql -U $POSTGRES_USERNAME -f "$remote_backup_path"
+
+ echo "Restore completed successfully."
+}
\ No newline at end of file
From 4e5d65b8ab0477f517a03d23329ef6060dd329de Mon Sep 17 00:00:00 2001
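Review bot: In `restore_postgres` the password read from the `postgresql` secret is passed as an `env PGPASSWORD=...` argument to `kubectl exec`, so it is visible in process listings on the host and in the pod and may be recorded with the exec request in API-server audit logs; sending it on stdin avoids that. The dump is copied to `/var/lib/postgresql/data/`, which looks like the database volume, and is never removed, so a plaintext copy of the databases outlives the restore. "Restore completed successfully." is printed without checking the exec status, and psql itself exits 0 after failed statements unless `-v ON_ERROR_STOP=1` is set (usable only if the dump is expected to replay without errors). `get_postgres_pod` hard-codes `orch-database` instead of `$postgres_namespace` and hides a failed lookup behind the `postgresql-0` fallback. The fence sketches these changes; the exec line as rewritten in PATCH 5/5 is affected the same way.

```shell
get_postgres_pod() {
    # No fallback name: an empty result tells the caller that no primary was found.
    kubectl get pods -n "$postgres_namespace" -l cnpg.io/cluster=postgresql-cluster,cnpg.io/instanceRole=primary -o jsonpath='{.items[0].metadata.name}'
}

restore_postgres() {
    podname=$(get_postgres_pod)
    if [ -z "$podname" ]; then
        echo "No primary PostgreSQL pod found in namespace $postgres_namespace." >&2
        return 1
    fi
    # … unchanged: remote_backup_path, kubectl cp of the dump, PGPASSWORD read from the secret …

    # printf is a shell builtin, so the password goes down the pipe and never into an argument list.
    restore_rc=0
    printf '%s\n' "$PGPASSWORD" | kubectl exec -i -n "$postgres_namespace" "$podname" -c postgres -- \
        sh -c 'IFS= read -r PGPASSWORD && export PGPASSWORD && exec psql -U "$1" -f "$2"' \
        sh "$POSTGRES_USERNAME" "$remote_backup_path" || restore_rc=$?

    # Remove the dump from the pod whether or not the restore worked.
    kubectl exec -n "$postgres_namespace" "$podname" -c postgres -- rm -f "$remote_backup_path"

    if [ "$restore_rc" -ne 0 ]; then
        echo "Restore failed with status $restore_rc." >&2
        return "$restore_rc"
    fi
    echo "Restore completed successfully."
}
```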
From: PalashGoelIntel
Date: Fri, 14 Nov 2025 19:05:23 +0530
Subject: [PATCH 5/5] Update upgrade_postgres.sh fixed lint issue
---
 on-prem-installers/onprem/upgrade_postgres.sh | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/on-prem-installers/onprem/upgrade_postgres.sh b/on-prem-installers/onprem/upgrade_postgres.sh
index a2f1e275b..3fef82a10 100755
--- a/on-prem-installers/onprem/upgrade_postgres.sh
+++ b/on-prem-installers/onprem/upgrade_postgres.sh
@@ -93,7 +93,7 @@ restore_postgres() {
 # CloudNativePG doesn't need security disable/enable, just use credentials
 # Use the remote backup file that was copied to the pod
- kubectl exec -n $postgres_namespace $podname -c postgres -- env PGPASSWORD="$PGPASSWORD" psql -U $POSTGRES_USERNAME -f "$remote_backup_path"
+ kubectl exec -n $postgres_namespace "$podname" -c postgres -- env PGPASSWORD="$PGPASSWORD" psql -U $POSTGRES_USERNAME -f "$remote_backup_path"
 echo "Restore completed successfully."
-}
\ No newline at end of file
+}