Dp 1289

[pwildber]

Summary

• Added support for Jeff on-prem setup via one-click installation
• Extended the upgrade process to optionally install Jeff during upgrades
• Integrated custom registry configuration options
• Refactored compose file handling to use templates
• Updated Podman secrets handling to ensure compatibility with Jeff containers

---

Key Changes

Compose File Management

• Migrated to template-based compose files
  • Templates are copied and rendered at runtime into untracked files
• This avoids issues where:
  • git pull causes merge conflicts
  • Updated compose definitions overwrite or delete local changes
• Previously, compose files were tracked and modified in-place, leading to drift and conflicts

Podman Secrets Handling

• Secrets remain GPG-encrypted at rest
• Changed runtime handling:
  • Before: decrypted into /run/secrets, then loaded into environment variables by containers
  • Now: injected directly as environment variables
• This change resolves an issue where:
  • Jeff-related containers read /run/secrets automatically
  • They encountered encrypted values and could not decrypt them

---

Testing

Comprehensive testing was performed across all supported combinations:

Ubuntu / Docker

Fresh Install

• No Jeff, default registry
• No Jeff, custom registry
• Jeff installed, default registry
• Jeff installed, custom registry

Upgrade

• No Jeff, default registry
• No Jeff, custom registry
• Jeff installed, default registry
• Jeff installed, custom registry

---

RHEL / Podman

Fresh Install

• No Jeff, default registry
• No Jeff, custom registry
• Jeff installed, default registry
• Jeff installed, custom registry

Upgrade

• No Jeff, default registry
• No Jeff, custom registry
• Jeff installed, default registry
• Jeff installed, custom registry

---

Rollback & Upgrade Improvements

• Implemented pre-upgrade backup of the IriusRisk service
• Added restore mechanism of the service during rollback
• Verified rollback behaviour across all scenarios above

[jsanchezIR]

Are we trying a docker/podman login before install (ensure) the packages then here? (if Custom registry)

I may be wrong but seems we are calling prompt_registry_settings before install the packages at one-click.sh

[pwildber]

Correct. I changed it so that you set a custom registry once and it used for all images, given that if our clients aren't allowed to use public repositories and must use an internal one, they aren't going to select yes on using the default public postgres image repository. That being the case, we need to log in to said registry immediately so that if the client chooses to install postgres on the same server, it can be pulled from the custom registry, and if they choose to set up Jeff, they can pull the redis image from their own registry.

[pwildber]

Oh hang on I may have misread you, let me check something.

[pwildber]

I've moved the registry prompt and update_compose_image_placeholders call to after dependencies are installed and before we set up Postgres. Quick test with docker, working correctly.

[jsanchezIR]

One more thing, just to be sure before approval

Do we need to define COMPOSE_OVERRIDE here before the first compose down?

Great work as always, every time I get more vertigo with this repo :)

[pwildber]

Good catch, I had to move it around to accommodate Jeff but missed this. It still worked as the down command evaulates to just docker-compose down. I've pushed a commit to compute the pre-rollback down command and then the post rollback/file restoration down command, and tested with docker.