fix: replace bitnami commercial images with free official images #2477
Signed-off-by: Amro Misbah <amromisba7@gmail.com>
📝 Walkthrough

The changes replace Helm-based MySQL and PostgreSQL deployments (using private Bitnami images) with direct Kubernetes manifests applied via kubectl. New YAML files define database secrets, services, deployments, and PVCs. Automation scripts and documentation are updated to use the new kubectl deployment approach and reflect new service hostnames.
Sequence Diagram(s)

```mermaid
sequenceDiagram
    participant User
    participant Old as Old Flow<br/>(Helm)
    participant New as New Flow<br/>(kubectl)
    participant K8s as Kubernetes Cluster
    rect rgb(220, 240, 255)
        Note over User,K8s: Database Deployment Transition
    end
    rect rgb(240, 220, 255)
        Note over Old: Previous: Helm-based approach
        User->>Old: helm install bitnami/mysql
        Note over Old: Attempts private image pull
        Old->>K8s: ❌ Image pull failure
    end
    rect rgb(220, 255, 220)
        Note over New: Current: kubectl manifest approach
        User->>New: wget mysql.yaml
        User->>New: kubectl apply -f mysql.yaml
        New->>K8s: Create Secret (credentials)
        New->>K8s: Create Service (mysql.gluu.svc)
        New->>K8s: Create Deployment (MySQL 8.0)
        New->>K8s: Create PVC (mysql-pv-claim)
        New->>K8s: ✓ Resources deployed
    end
```
Estimated code review effort: 🎯 3 (Moderate) | ⏱️ ~25 minutes
Actionable comments posted: 7
📜 Review details
Configuration used: CodeRabbit UI
Review profile: ASSERTIVE
Plan: Pro
📒 Files selected for processing (9)
- automation/mysql.yaml (1 hunks)
- automation/pgsql.yaml (1 hunks)
- automation/startflexdemo.sh (3 hunks)
- docs/admin/recipes/getting-started-rancher.md (3 hunks)
- docs/includes/cn-system-requirements.md (1 hunks)
- docs/install/helm-install/amazon-eks.md (3 hunks)
- docs/install/helm-install/google-gke.md (3 hunks)
- docs/install/helm-install/local.md (1 hunks)
- docs/install/helm-install/microsoft-azure.md (3 hunks)
🧰 Additional context used
🪛 Checkov (3.2.334)
automation/pgsql.yaml
[medium] 22-61: Containers should not run with allowPrivilegeEscalation
(CKV_K8S_20)
[low] 22-61: CPU limits should be set
(CKV_K8S_11)
[low] 22-61: CPU requests should be set
(CKV_K8S_10)
[low] 22-61: Apply security context to your containers
(CKV_K8S_30)
[low] 22-61: Minimize the admission of containers with the NET_RAW capability
(CKV_K8S_28)
[low] 22-61: Image should use digest
(CKV_K8S_43)
[low] 22-61: Image Pull Policy should be Always
(CKV_K8S_15)
[low] 22-61: Liveness Probe Should be Configured
(CKV_K8S_8)
[low] 22-61: Memory limits should be set
(CKV_K8S_13)
[low] 22-61: Memory requests should be set
(CKV_K8S_12)
[low] 22-61: Minimize the admission of containers with capabilities assigned
(CKV_K8S_37)
[low] 22-61: Apply security context to your pods and containers
(CKV_K8S_29)
[low] 22-61: Use read-only filesystem for containers where possible
(CKV_K8S_22)
[low] 22-61: Readiness Probe Should be Configured
(CKV_K8S_9)
[medium] 22-61: Minimize the admission of root containers
(CKV_K8S_23)
[low] 22-61: Containers should run as a high UID to avoid host conflict
(CKV_K8S_40)
[low] 22-61: Ensure that the seccomp profile is set to docker/default or runtime/default
(CKV_K8S_31)
[low] 22-61: Prefer using secrets as files over secrets as environment variables
(CKV_K8S_35)
[low] 22-61: Ensure that Service Account Tokens are only mounted where necessary
(CKV_K8S_38)
automation/mysql.yaml
[medium] 22-59: Containers should not run with allowPrivilegeEscalation
(CKV_K8S_20)
[low] 22-59: CPU limits should be set
(CKV_K8S_11)
[low] 22-59: CPU requests should be set
(CKV_K8S_10)
[low] 22-59: Apply security context to your containers
(CKV_K8S_30)
[low] 22-59: Minimize the admission of containers with the NET_RAW capability
(CKV_K8S_28)
[low] 22-59: Image should use digest
(CKV_K8S_43)
[low] 22-59: Image Pull Policy should be Always
(CKV_K8S_15)
[low] 22-59: Liveness Probe Should be Configured
(CKV_K8S_8)
[low] 22-59: Memory limits should be set
(CKV_K8S_13)
[low] 22-59: Memory requests should be set
(CKV_K8S_12)
[low] 22-59: Minimize the admission of containers with capabilities assigned
(CKV_K8S_37)
[low] 22-59: Apply security context to your pods and containers
(CKV_K8S_29)
[low] 22-59: Use read-only filesystem for containers where possible
(CKV_K8S_22)
[low] 22-59: Readiness Probe Should be Configured
(CKV_K8S_9)
[medium] 22-59: Minimize the admission of root containers
(CKV_K8S_23)
[low] 22-59: Containers should run as a high UID to avoid host conflict
(CKV_K8S_40)
[low] 22-59: Ensure that the seccomp profile is set to docker/default or runtime/default
(CKV_K8S_31)
[low] 22-59: Prefer using secrets as files over secrets as environment variables
(CKV_K8S_35)
[low] 22-59: Ensure that Service Account Tokens are only mounted where necessary
(CKV_K8S_38)
🪛 markdownlint-cli2 (0.18.1)
docs/install/helm-install/google-gke.md
104-104: Trailing spaces
Expected: 0 or 2; Actual: 8
(MD009, no-trailing-spaces)
129-129: Trailing spaces
Expected: 0 or 2; Actual: 8
(MD009, no-trailing-spaces)
130-130: Trailing spaces
Expected: 0 or 2; Actual: 8
(MD009, no-trailing-spaces)
docs/includes/cn-system-requirements.md
25-25: Trailing spaces
Expected: 0 or 2; Actual: 4
(MD009, no-trailing-spaces)
docs/admin/recipes/getting-started-rancher.md
170-170: Trailing spaces
Expected: 0 or 2; Actual: 1
(MD009, no-trailing-spaces)
172-172: Fenced code blocks should be surrounded by blank lines
(MD031, blanks-around-fences)
186-186: Fenced code blocks should be surrounded by blank lines
(MD031, blanks-around-fences)
🔇 Additional comments (7)
docs/includes/cn-system-requirements.md (1)

24-26: Fix trailing whitespace on Line 24.

Line 24 contains 4 trailing spaces instead of the allowed 0 or 2. Apply this diff:

```diff
-| cleanup - job | 0.3 | 0.3GB | N/A | 64 Bit | Yes |    
+| cleanup - job | 0.3 | 0.3GB | N/A | 64 Bit | Yes |
```

The substantive changes (new cleanup-job row and updated image release style) look correct.

docs/install/helm-install/local.md (1)

34-49: Installation approach and prerequisites look good.

The shift to a script-based deployment (wget + execution) aligns well with the PR's move away from helm-based provisioning. The simplified prerequisite line (generic Ubuntu VM) provides better forward compatibility.

docs/install/helm-install/google-gke.md (2)

96-100: Service hostname updates are consistent with new Kubernetes manifests.

The changes correctly reference the new service names (postgresql.gluu.svc, mysql.gluu.svc) that match the headless services defined in automation/pgsql.yaml and automation/mysql.yaml. The wget + kubectl apply pattern aligns well with the new deployment approach.

Also applies to: 121-125, 136-136, 162-162

104-104: Fix trailing whitespace.

Lines 104, 129, and 130 contain trailing spaces. Per markdownlint (MD009), these should be removed. Apply these diffs:

```diff
 Add the following yaml snippet to your `override.yaml` file:
-        
+
 ```yaml
 config:
```

```diff
 Add the following yaml snippet to your `override.yaml` file:
-        
+
 ```yaml
```

```diff
-```yaml        
+```yaml
```

Also applies to: 129-130

automation/startflexdemo.sh (1)

65-101: Main automation script correctly implements new kubectl-based deployment.

The script properly downloads automation/mysql.yaml and automation/pgsql.yaml, applies them via kubectl, and updates service hostnames to the new names (mysql.gluu.svc, postgresql.gluu.svc). The control flow correctly handles both MYSQL and PGSQL persistence options.

Ensure that the version placeholders (nightly, vreplace-flex-version) are correctly substituted in the actual deployment flow.

docs/install/helm-install/amazon-eks.md (1)

96-142: Provider documentation updates are consistent and correct.

The Amazon EKS documentation properly reflects the new kubectl-based deployment approach with updated service hostnames (postgresql.gluu.svc, mysql.gluu.svc) consistent with other provider guides and the new Kubernetes manifests.

docs/install/helm-install/microsoft-azure.md (1)

100-167: Microsoft Azure documentation updates are consistent with other providers.

The Azure AKS documentation correctly implements the new kubectl-based deployment pattern with consistent service hostnames (postgresql.gluu.svc, mysql.gluu.svc). All three cloud providers (GKE, EKS, AKS) now follow the same unified approach.
| namespace: gluu | ||
| type: Opaque | ||
| stringData: | ||
| root-password: Test1234# |
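Review bot: every object in this manifest is placed in `namespace: gluu`, but nothing in the file creates that namespace, so `kubectl apply -f mysql.yaml` on a fresh cluster fails with a namespace-not-found error unless the namespace already exists; either prepend a `Namespace` object to the file or state the prerequisite in the docs right before the `kubectl apply` step. The `stringData` literal is also the value that lands in git history, so even for the demo path the safer default is to leave the Secret object out of the committed manifest and create it out of band (for example `kubectl -n gluu create secret generic mysql-secret --from-literal=root-password=...`), which is the direction the existing comment on this hunk already points.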
Hardcoded credentials pose security risk — consider parameterization.
The root password "Test1234#" is hardcoded in the YAML manifest. For production use, this should be externalized via environment variables or sealed secrets.
For demo/test purposes, consider adding a comment warning users to change this value before production deployment.
Also applies to: 8-8
🤖 Prompt for AI Agents
In automation/mysql.yaml around line 8, the root password is hardcoded as
"Test1234#" which is a security risk; replace the literal with a reference to an
external secret or environment variable (e.g., point to a Kubernetes Secret or
use an env var like MYSQL_ROOT_PASSWORD) and update the manifest to read from
that secret, or document using a sealed secret for production; if you must keep
a default for demos/tests add a clear comment above this line warning users to
change it before production and include instructions in README on how to
create/populate the external secret.
| apiVersion: apps/v1 | ||
| kind: Deployment | ||
| metadata: | ||
| name: mysql | ||
| namespace: gluu | ||
| spec: | ||
| selector: | ||
| matchLabels: | ||
| app: mysql | ||
| strategy: | ||
| type: Recreate | ||
| template: | ||
| metadata: | ||
| labels: | ||
| app: mysql | ||
| spec: | ||
| containers: | ||
| - image: mysql:8.0 | ||
| name: mysql | ||
| env: | ||
| - name: MYSQL_ROOT_PASSWORD | ||
| valueFrom: | ||
| secretKeyRef: | ||
| name: mysql-secret | ||
| key: root-password | ||
| - name: MYSQL_DATABASE | ||
| value: gluu | ||
| ports: | ||
| - containerPort: 3306 | ||
| name: mysql | ||
| volumeMounts: | ||
| - name: mysql-persistent-storage | ||
| mountPath: /var/lib/mysql | ||
| volumes: | ||
| - name: mysql-persistent-storage | ||
| persistentVolumeClaim: | ||
| claimName: mysql-pv-claim | ||
| --- |
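Review bot: the only database account this pod template provisions is root: `MYSQL_ROOT_PASSWORD` sets its password and `MYSQL_DATABASE` creates the `gluu` schema, but no `MYSQL_USER`/`MYSQL_PASSWORD` pair is given, so whatever connects to `mysql.gluu.svc` does so as root. Add a second key to `mysql-secret` and inject it as `MYSQL_USER` and `MYSQL_PASSWORD` (the official image grants that user privileges on the `MYSQL_DATABASE` schema only), and point the Flex configuration at that account, so a leaked application credential does not hand over the whole server.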
🧩 Analysis chain
Script executed:
```bash
#!/bin/bash
# Check if the file exists and view its content
if [ -f "automation/mysql.yaml" ]; then
    echo "=== File found ==="
    wc -l automation/mysql.yaml
    echo ""
    echo "=== Content ==="
    cat -n automation/mysql.yaml
else
    echo "File not found at automation/mysql.yaml"
    # Try to locate it
    find . -name "mysql.yaml" -type f 2>/dev/null | head -20
fi
```

Repository: GluuFederation/flex
<shell_result>
Repository: GluuFederation/flex
Exit code: 0
stdout:
=== File found ===
70 automation/mysql.yaml
=== Content ===
1 apiVersion: v1
2 kind: Secret
3 metadata:
4 name: mysql-secret
5 namespace: gluu
6 type: Opaque
7 stringData:
8 root-password: Test1234#
9 ---
10 apiVersion: v1
11 kind: Service
12 metadata:
13 name: mysql
14 namespace: gluu
15 spec:
16 ports:
17 - port: 3306
18 selector:
19 app: mysql
20 clusterIP: None
21 ---
22 apiVersion: apps/v1
23 kind: Deployment
24 metadata:
25 name: mysql
26 namespace: gluu
27 spec:
28 selector:
29 matchLabels:
30 app: mysql
31 strategy:
32 type: Recreate
33 template:
34 metadata:
35 labels:
36 app: mysql
37 spec:
38 containers:
39 - image: mysql:8.0
40 name: mysql
41 env:
42 - name: MYSQL_ROOT_PASSWORD
43 valueFrom:
44 secretKeyRef:
45 name: mysql-secret
46 key: root-password
47 - name: MYSQL_DATABASE
48 value: gluu
49 ports:
50 - containerPort: 3306
51 name: mysql
52 volumeMounts:
53 - name: mysql-persistent-storage
54 mountPath: /var/lib/mysql
55 volumes:
56 - name: mysql-persistent-storage
57 persistentVolumeClaim:
58 claimName: mysql-pv-claim
59 ---
60 apiVersion: v1
61 kind: PersistentVolumeClaim
62 metadata:
63 name: mysql-pv-claim
64 namespace: gluu
65 spec:
66 accessModes:
67 - ReadWriteOnce
68 resources:
69 requests:
70 storage: 5Gi
</shell_result>
CKV_K8S_35 Checkov security check MySQL secrets
<web_search_result>
Summary
- CKV_K8S_35 enforces the recommendation to avoid exposing secrets as environment variables (e.g., MYSQL_ROOT_PASSWORD via env / envFrom) and instead mount Kubernetes Secrets as files (volumes) so secrets are less likely to leak in logs, process listings or debugging output. [1][2]
Why it matters for MySQL
- The official MySQL image and many apps default to env vars (MYSQL_ROOT_PASSWORD, etc.), which triggers CKV_K8S_35. To satisfy the check you must stop injecting the secret via container env and supply it from a mounted secret file (or another file-based mechanism) and adapt startup/init logic accordingly. [1][2]
Simple remediation options
- Mount the Secret as a volume and read it from a file (example):
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: mysql
spec:
  containers:
  - name: mysql
    image: mysql:8
    volumeMounts:
    - name: mysql-secret-vol
      mountPath: /etc/secrets
      readOnly: true
  volumes:
  - name: mysql-secret-vol
    secret:
      secretName: mysql-secret
```
(then change your init/startup to read credentials from /etc/secrets/ instead of env). [1][3]
- Use init scripts or docker-entrypoint-initdb.d mounted from the Secret (for the MySQL image) so MySQL is initialized using file-based credentials rather than env vars. This keeps the secret in a file inside the container filesystem. [2][5]
Notes
- If you cannot change the application immediately, you can suppress the Checkov rule per-project (annotations or checkov:skip), but this is a temporary workaround — prefer remediating. [3]
References
- Check explanation / remediation guidance (industry/CIS guidance) on preferring file-mounted secrets. [1][2]
- Checkov docs for skipping/suppressing rules (if needed). [3]
Would you like a ready-to-apply Deployment manifest that shows mounting a MySQL secret and an example init script that reads the password from a file?
</web_search_result>
All security hardening recommendations are valid and well-founded.
The review accurately identifies five production readiness gaps in the MySQL Deployment:

- Security context – Required to prevent privilege escalation and enforce non-root execution.
- Resource constraints – Necessary to prevent resource exhaustion and ensure cluster stability.
- Health checks – Improves pod lifecycle reliability and orchestration.
- Image digest – Ensures reproducible deployments instead of relying on mutable tags.
- Credential handling – The current use of `secretKeyRef` in environment variables triggers CKV_K8S_35. Per Checkov and security best practices, secrets should be mounted as volumes and read from files, not injected as env vars, to reduce exposure in logs and process listings.
The file confirms the Deployment lacks all five hardening measures. The example improvements are accurate and applicable. The characterization as acceptable for demo/test but requiring hardening for production is appropriate.
🤖 Prompt for AI Agents
In automation/mysql.yaml around lines 22 to 59, the Deployment is missing
production hardening: add a pod/container securityContext (e.g., runAsNonRoot:
true, runAsUser with non-root UID, and allowPrivilegeEscalation: false) to
prevent privileged execution; add resource requests and limits for cpu/memory on
the container to avoid resource exhaustion; add livenessProbe and readinessProbe
(tcpSocket or exec against mysql socket/health endpoint) so Kubernetes can
manage pod lifecycle; pin the image to an immutable digest (replace mysql:8.0
with mysql@sha256:... or a specific digest) to ensure reproducible images; and
stop injecting the root password via env var-secretKeyRef — mount the Kubernetes
Secret as a volume and read the password from a file (or use projected secret)
so credentials are not exposed in process envs or logs. Ensure these changes are
applied within the same pod template and that any necessary user/permission
adjustments are made to allow MySQL to read the mounted secret file.
| namespace: gluu | ||
| type: Opaque | ||
| stringData: | ||
| postgresql-password: Test1234# |
Hardcoded credentials pose security risk — consider parameterization.
The password "Test1234#" is hardcoded in the YAML manifest. For production use, externalize via environment variables or sealed secrets. Add a warning comment for demo/test users to change before production.
Also applies to: 8-8
🤖 Prompt for AI Agents
In automation/pgsql.yaml around line 8, the postgresql-password is hardcoded as
"Test1234#" which is a security risk; replace this literal with a reference to
an external secret (e.g., a Kubernetes Secret, sealed secret, or an environment
variable/SecretRef) and update the manifest to read the password from that
secret, ensuring the value is not checked into source control; additionally add
a clear comment in the file warning that the current value is only for demo/test
and must be replaced with a secure secret in production.
| apiVersion: apps/v1 | ||
| kind: Deployment | ||
| metadata: | ||
| name: postgresql | ||
| namespace: gluu | ||
| spec: | ||
| selector: | ||
| matchLabels: | ||
| app: postgresql | ||
| strategy: | ||
| type: Recreate | ||
| template: | ||
| metadata: | ||
| labels: | ||
| app: postgresql | ||
| spec: | ||
| containers: | ||
| - image: postgres:16 | ||
| name: postgresql | ||
| env: | ||
| - name: POSTGRES_PASSWORD | ||
| valueFrom: | ||
| secretKeyRef: | ||
| name: postgresql-secret | ||
| key: postgresql-password | ||
| - name: POSTGRES_DB | ||
| value: gluu | ||
| - name: PGDATA | ||
| value: /var/lib/postgresql/data/pgdata | ||
| ports: | ||
| - containerPort: 5432 | ||
| name: postgresql | ||
| volumeMounts: | ||
| - name: postgresql-persistent-storage | ||
| mountPath: /var/lib/postgresql/data | ||
| volumes: | ||
| - name: postgresql-persistent-storage | ||
| persistentVolumeClaim: | ||
| claimName: postgresql-pv-claim | ||
| --- |
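Review bot: same least-privilege gap as the MySQL template: `POSTGRES_PASSWORD` is the password of the `postgres` superuser (no `POSTGRES_USER` is set, so the superuser keeps that name) and `POSTGRES_DB` only creates the `gluu` database, so the application ends up connecting as a superuser. The official image has no environment variable for a restricted role, so add a small SQL init script mounted under `/docker-entrypoint-initdb.d/` that creates a role owning `gluu`, and reference that role from the Flex configuration. Setting `PGDATA` to a subdirectory of the mount is right and should stay; it keeps `initdb` from refusing a volume root that already holds `lost+found`.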
🧩 Analysis chain
Script executed:
```bash
# First, let's look at the structure and find the relevant files
fd -e yaml . automation/ 2>/dev/null | head -20
```

Repository: GluuFederation/flex
<shell_result>
Repository: GluuFederation/flex
Exit code: 0
stdout:
automation/janssen_helm_chart/non_janssen.yaml
automation/mysql.yaml
automation/pgsql.yaml
automation/rancher-partner-charts/package.yaml
automation/rancher-partner-charts/questions.yaml
</shell_result>
Script executed:
```bash
# Read the PostgreSQL manifest
cat -n automation/pgsql.yaml
```

Repository: GluuFederation/flex
<shell_result>
Repository: GluuFederation/flex
Exit code: 0
stdout:
1 apiVersion: v1
2 kind: Secret
3 metadata:
4 name: postgresql-secret
5 namespace: gluu
6 type: Opaque
7 stringData:
8 postgresql-password: Test1234#
9 ---
10 apiVersion: v1
11 kind: Service
12 metadata:
13 name: postgresql
14 namespace: gluu
15 spec:
16 ports:
17 - port: 5432
18 selector:
19 app: postgresql
20 clusterIP: None
21 ---
22 apiVersion: apps/v1
23 kind: Deployment
24 metadata:
25 name: postgresql
26 namespace: gluu
27 spec:
28 selector:
29 matchLabels:
30 app: postgresql
31 strategy:
32 type: Recreate
33 template:
34 metadata:
35 labels:
36 app: postgresql
37 spec:
38 containers:
39 - image: postgres:16
40 name: postgresql
41 env:
42 - name: POSTGRES_PASSWORD
43 valueFrom:
44 secretKeyRef:
45 name: postgresql-secret
46 key: postgresql-password
47 - name: POSTGRES_DB
48 value: gluu
49 - name: PGDATA
50 value: /var/lib/postgresql/data/pgdata
51 ports:
52 - containerPort: 5432
53 name: postgresql
54 volumeMounts:
55 - name: postgresql-persistent-storage
56 mountPath: /var/lib/postgresql/data
57 volumes:
58 - name: postgresql-persistent-storage
59 persistentVolumeClaim:
60 claimName: postgresql-pv-claim
61 ---
62 apiVersion: v1
63 kind: PersistentVolumeClaim
64 metadata:
65 name: postgresql-pv-claim
66 namespace: gluu
67 spec:
68 accessModes:
69 - ReadWriteOnce
70 resources:
71 requests:
72 storage: 5Gi
</shell_result>
Script executed:
```bash
# Read the MySQL manifest for comparison
cat -n automation/mysql.yaml
```

Repository: GluuFederation/flex
<shell_result>
Repository: GluuFederation/flex
Exit code: 0
stdout:
1 apiVersion: v1
2 kind: Secret
3 metadata:
4 name: mysql-secret
5 namespace: gluu
6 type: Opaque
7 stringData:
8 root-password: Test1234#
9 ---
10 apiVersion: v1
11 kind: Service
12 metadata:
13 name: mysql
14 namespace: gluu
15 spec:
16 ports:
17 - port: 3306
18 selector:
19 app: mysql
20 clusterIP: None
21 ---
22 apiVersion: apps/v1
23 kind: Deployment
24 metadata:
25 name: mysql
26 namespace: gluu
27 spec:
28 selector:
29 matchLabels:
30 app: mysql
31 strategy:
32 type: Recreate
33 template:
34 metadata:
35 labels:
36 app: mysql
37 spec:
38 containers:
39 - image: mysql:8.0
40 name: mysql
41 env:
42 - name: MYSQL_ROOT_PASSWORD
43 valueFrom:
44 secretKeyRef:
45 name: mysql-secret
46 key: root-password
47 - name: MYSQL_DATABASE
48 value: gluu
49 ports:
50 - containerPort: 3306
51 name: mysql
52 volumeMounts:
53 - name: mysql-persistent-storage
54 mountPath: /var/lib/mysql
55 volumes:
56 - name: mysql-persistent-storage
57 persistentVolumeClaim:
58 claimName: mysql-pv-claim
59 ---
60 apiVersion: v1
61 kind: PersistentVolumeClaim
62 metadata:
63 name: mysql-pv-claim
64 namespace: gluu
65 spec:
66 accessModes:
67 - ReadWriteOnce
68 resources:
69 requests:
70 storage: 5Gi
</shell_result>
All suggested improvements are valid and confirmed missing from the PostgreSQL deployment manifest.
The review comment is accurate. Both the PostgreSQL and MySQL manifests in automation/ lack the five critical security and operational hardening measures:

- Security context — Neither deployment defines `securityContext` at pod or container level
- Resource constraints — No `requests` or `limits` for CPU/memory are defined
- Health checks — No `livenessProbe` or `readinessProbe` configured
- Image digest — Both use mutable tags (`postgres:16`, `mysql:8.0`)
- Credential handling — Secrets are injected via environment variables; volume mounts are the more secure alternative
The manifests are structured identically and demonstrate identical gaps, confirming the comparison to automation/mysql.yaml is valid. These are standard Kubernetes hardening practices recommended for production deployments. The current state is appropriate for demo/test purposes but does require the suggested improvements before production use.
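The five hardening measures this comment and the MySQL comment above call for (security context, resource constraints, probes, digest pinning, file-based secret), applied to the `mysql` Deployment object from `automation/mysql.yaml`, as an added example that is not part of this PR or of the Flex project. It keeps the `mysql-secret` Secret and `mysql-pv-claim` PVC from the manifest unchanged. Assumptions: the digest is a placeholder to be resolved against the registry (for example with `crane digest mysql:8.0`) before applying; the resource figures are illustrative demo sizing; uid 999 is the `mysql` user the official image ships with; `MYSQL_ROOT_PASSWORD_FILE` is the official image's documented file-based alternative to `MYSQL_ROOT_PASSWORD`, which is what clears CKV_K8S_35 without the custom init script the web search result above suggests. Whether `readOnlyRootFilesystem` holds for a given 8.0 point release depends on the entrypoint writing only to the paths mounted below, so test it against the pinned digest.

```yaml
# Hardened replacement for the Deployment object in automation/mysql.yaml
# (added example, not the project's manifest). Checkov IDs in the comments
# are the findings listed on this PR. Secret and PVC names are unchanged.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: mysql
  namespace: gluu
spec:
  selector:
    matchLabels:
      app: mysql
  strategy:
    type: Recreate              # one ReadWriteOnce PVC: never run two mysqld against it
  template:
    metadata:
      labels:
        app: mysql
    spec:
      automountServiceAccountToken: false   # CKV_K8S_38: mysqld never talks to the API server
      securityContext:
        runAsNonRoot: true                  # CKV_K8S_23
        runAsUser: 999                      # 'mysql' user of the official image (CKV_K8S_40 still wants >10000)
        runAsGroup: 999
        fsGroup: 999                        # makes the PVC and the secret volume readable/writable for gid 999
        seccompProfile:
          type: RuntimeDefault              # CKV_K8S_31
      containers:
      - name: mysql
        # CKV_K8S_43: pin to a digest. Placeholder: resolve with `crane digest mysql:8.0` before applying.
        image: mysql:8.0@sha256:REPLACE_WITH_RESOLVED_DIGEST
        imagePullPolicy: Always             # CKV_K8S_15
        securityContext:
          allowPrivilegeEscalation: false   # CKV_K8S_20
          readOnlyRootFilesystem: true      # CKV_K8S_22; writable paths are emptyDirs below
          capabilities:
            drop: ["ALL"]                   # CKV_K8S_28 / CKV_K8S_37
        env:
        # CKV_K8S_35: the image's *_FILE variant reads the password from the mounted
        # Secret instead of exposing it in the container environment.
        - name: MYSQL_ROOT_PASSWORD_FILE
          value: /etc/mysql-secret/root-password
        - name: MYSQL_DATABASE
          value: gluu
        ports:
        - containerPort: 3306
          name: mysql
        resources:                          # CKV_K8S_10-13; illustrative demo sizing
          requests:
            cpu: 250m
            memory: 512Mi
          limits:
            cpu: "1"
            memory: 1Gi
        livenessProbe:                      # CKV_K8S_8
          tcpSocket:
            port: mysql
          initialDelaySeconds: 30
          periodSeconds: 10
        readinessProbe:                     # CKV_K8S_9: `mysqladmin ping` exits 0 whenever the server
          exec:                             # answers, even with access denied, so no credential is needed
            command: ["mysqladmin", "ping", "-h", "127.0.0.1"]
          initialDelaySeconds: 10
          periodSeconds: 5
        volumeMounts:
        - name: mysql-persistent-storage
          mountPath: /var/lib/mysql
        - name: mysql-secret
          mountPath: /etc/mysql-secret
          readOnly: true
        - name: run                         # socket and pid file
          mountPath: /var/run/mysqld
        - name: tmp
          mountPath: /tmp
      volumes:
      - name: mysql-persistent-storage
        persistentVolumeClaim:
          claimName: mysql-pv-claim
      - name: mysql-secret
        secret:
          secretName: mysql-secret
          defaultMode: 0440                 # group-readable for gid 999 via fsGroup, not world-readable
      - name: run
        emptyDir: {}
      - name: tmp
        emptyDir: {}
```

Swap this in for the Deployment object in the file and `kubectl apply` as before. CKV_K8S_40 will keep flagging uid 999 as low; raising it means re-owning the image's directories, which is not worth it for the demo path. The same shape carries over to `automation/pgsql.yaml`: the official postgres image also runs as uid 999, reads `POSTGRES_PASSWORD_FILE`, and needs `/var/run/postgresql` writable. To take the literal password out of the repository entirely, drop the Secret object from the manifest and create it out of band, for example `kubectl -n gluu create secret generic mysql-secret --from-literal=root-password="$(openssl rand -base64 24)"`, or with a sealed secret as the review suggests.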
| | `auth.password` | | ||
|
|
||
| - Click `Install` at the bottom right of the page. | ||
| - Open a kubectl shell from the top right navigation menu `>_`. |
Fix markdown formatting issues from linter.

Three formatting issues were flagged by markdownlint:
- Line 170: Trailing spaces detected
- Line 172: Fenced code block needs blank line above it
- Line 186: Fenced code block needs blank line above it

Apply this diff to fix formatting:

```diff
 To install a quick setup with `PostgreSQL` as the backend, you need to provide the connection parameters of a fresh setup.
 For a test setup, you can follow the below instructions:
-- Open a kubectl shell from the top right navigation menu `>_`. 
+- Open a kubectl shell from the top right navigation menu `>_`.
 - Run:
+
 ```bash
 wget https://raw.githubusercontent.com/GluuFederation/flex/nightly/automation/pgsql.yaml
 kubectl apply -f pgsql.yaml #adjust values as preferred
```

And for MySQL:

```diff
 To install a quick setup with `MySQL` as the backend, you need to provide the connection parameters of a fresh setup.
 For a test setup, you can follow the below instructions:
 - Open a kubectl shell from the top right navigation menu `>_`.
 - Run:
+
 ```bash
 wget https://raw.githubusercontent.com/GluuFederation/flex/nightly/automation/mysql.yaml
 kubectl apply -f mysql.yaml #adjust values as preferred
```

Also applies to: 172-172, 186-186
🤖 Prompt for AI Agents
In docs/admin/recipes/getting-started-rancher.md around lines 170, 172, and 186,
fix the markdownlint issues by removing trailing spaces at line 170, and
ensuring there is a blank line immediately above each fenced code block at lines
172 and 186 (insert a single empty line before each ```bash fence); also verify
the fenced blocks are properly opened and closed with backticks and that the
wget/kubectl lines are inside those fenced blocks.
| - Open a kubectl shell from the top right navigation menu `>_`. | ||
| - Run: | ||
| ```bash | ||
| wget https://raw.githubusercontent.com/GluuFederation/flex/nightly/automation/pgsql.yaml | ||
| kubectl apply -f pgsql.yaml #adjust values as preferred | ||
| ``` |
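Review bot: the `wget` line fetches `automation/pgsql.yaml` from the `nightly` branch, a URL that returned 404 in the accessibility check of the analysis chain below because the file only exists on that branch once this PR is merged, and it is unpinned, so whatever that branch holds at read time is what `kubectl apply` sends to the cluster. Consider pointing the docs at a tagged release or a commit for the versioned pages and telling readers to open the downloaded file before applying it, since it ships a default credential that has to be changed.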
🧩 Analysis chain
Script executed:
```bash
#!/bin/bash
# Verify YAML file accessibility and check their structure
echo "=== Checking PostgreSQL YAML accessibility ==="
if curl -s -o /dev/null -w "%{http_code}" https://raw.githubusercontent.com/GluuFederation/flex/nightly/automation/pgsql.yaml; then
    echo " (HTTP status code above)"
fi
echo -e "\n=== Checking MySQL YAML accessibility ==="
if curl -s -o /dev/null -w "%{http_code}" https://raw.githubusercontent.com/GluuFederation/flex/nightly/automation/mysql.yaml; then
    echo " (HTTP status code above)"
fi
echo -e "\n=== PostgreSQL YAML content (first 40 lines) ==="
curl -s https://raw.githubusercontent.com/GluuFederation/flex/nightly/automation/pgsql.yaml | head -40
echo -e "\n=== MySQL YAML content (first 40 lines) ==="
curl -s https://raw.githubusercontent.com/GluuFederation/flex/nightly/automation/mysql.yaml | head -40
```

Repository: GluuFederation/flex
<shell_result>
Repository: GluuFederation/flex
Exit code: 0
stdout:
=== Checking PostgreSQL YAML accessibility ===
404 (HTTP status code above)
=== Checking MySQL YAML accessibility ===
404 (HTTP status code above)
=== PostgreSQL YAML content (first 40 lines) ===
404: Not Found
=== MySQL YAML content (first 40 lines) ===
404: Not Found
</shell_result>
Script executed:
```bash
#!/bin/bash
# Check if YAML files exist in the repository at different locations
echo "=== Checking for pgsql.yaml and mysql.yaml in GluuFederation/flex repository ==="
# Try to find files in different branches and paths using GitHub API
curl -s "https://api.github.com/search/code?q=repo:GluuFederation/flex+filename:pgsql.yaml" | python3 << 'EOF'
import json, sys
try:
    data = json.load(sys.stdin)
    if data.get('total_count', 0) > 0:
        print("PostgreSQL YAML files found:")
        for item in data.get('items', []):
            print(f"  - {item['path']} (branch: {item.get('repository', {}).get('default_branch', 'N/A')})")
    else:
        print("No pgsql.yaml files found in repository")
except:
    print("Error parsing response")
EOF
echo ""
curl -s "https://api.github.com/search/code?q=repo:GluuFederation/flex+filename:mysql.yaml" | python3 << 'EOF'
import json, sys
try:
    data = json.load(sys.stdin)
    if data.get('total_count', 0) > 0:
        print("MySQL YAML files found:")
        for item in data.get('items', []):
            print(f"  - {item['path']} (branch: {item.get('repository', {}).get('default_branch', 'N/A')})")
    else:
        print("No mysql.yaml files found in repository")
except:
    print("Error parsing response")
EOF
echo ""
echo "=== Checking automation directory in nightly branch ==="
curl -s "https://api.github.com/repos/GluuFederation/flex/contents/automation?ref=nightly" | python3 << 'EOF'
import json, sys
try:
    data = json.load(sys.stdin)
    if isinstance(data, list):
        print("Files in automation/ directory (nightly branch):")
        for item in data:
            print(f"  - {item['name']}")
    elif 'message' in data:
        print(f"Error: {data['message']}")
    else:
        print("Unexpected response format")
except Exception as e:
    print(f"Error: {e}")
EOF
```

Repository: GluuFederation/flex
<shell_result>
Repository: GluuFederation/flex
Exit code: 0
stdout:
=== Checking for pgsql.yaml and mysql.yaml in GluuFederation/flex repository ===
Error parsing response
Error parsing response
=== Checking automation directory in nightly branch ===
Error: Expecting value: line 1 column 1 (char 0)
</shell_result>
Script executed:
#!/bin/bash
# Direct check of the nightly branch contents
echo "=== Attempting to retrieve main branch automation directory ==="
curl -s -H "Accept: application/vnd.github.v3+json" \
  "https://api.github.com/repos/GluuFederation/flex/contents/automation" | head -100
echo ""
echo "=== Attempting to retrieve nightly branch automation directory ==="
curl -s -H "Accept: application/vnd.github.v3+json" \
  "https://api.github.com/repos/GluuFederation/flex/contents/automation?ref=nightly" | head -100
Repository: GluuFederation/flex
<shell_result>
Repository: GluuFederation/flex
Exit code: 0
stdout:
=== Attempting to retrieve main branch automation directory ===
[
{
"name": "auto_update_image_pr.py",
"path": "automation/auto_update_image_pr.py",
"sha": "1f8de3eb7bc3f98e26a162fc9450ed1fc76a3bad",
"size": 1916,
"url": "https://api.github.com/repos/GluuFederation/flex/contents/automation/auto_update_image_pr.py?ref=main",
"html_url": "https://github.com/GluuFederation/flex/blob/main/automation/auto_update_image_pr.py",
"git_url": "https://api.github.com/repos/GluuFederation/flex/git/blobs/1f8de3eb7bc3f98e26a162fc9450ed1fc76a3bad",
"download_url": "https://raw.githubusercontent.com/GluuFederation/flex/main/automation/auto_update_image_pr.py",
"type": "file",
"_links": {
"self": "https://api.github.com/repos/GluuFederation/flex/contents/automation/auto_update_image_pr.py?ref=main",
"git": "https://api.github.com/repos/GluuFederation/flex/git/blobs/1f8de3eb7bc3f98e26a162fc9450ed1fc76a3bad",
"html": "https://github.com/GluuFederation/flex/blob/main/automation/auto_update_image_pr.py"
}
},
{
"name": "common.py",
"path": "automation/common.py",
"sha": "abbe4787674e2ac1e92a08354a09b2776768d7ed",
"size": 2077,
"url": "https://api.github.com/repos/GluuFederation/flex/contents/automation/common.py?ref=main",
"html_url": "https://github.com/GluuFederation/flex/blob/main/automation/common.py",
"git_url": "https://api.github.com/repos/GluuFederation/flex/git/blobs/abbe4787674e2ac1e92a08354a09b2776768d7ed",
"download_url": "https://raw.githubusercontent.com/GluuFederation/flex/main/automation/common.py",
"type": "file",
"_links": {
"self": "https://api.github.com/repos/GluuFederation/flex/contents/automation/common.py?ref=main",
"git": "https://api.github.com/repos/GluuFederation/flex/git/blobs/abbe4787674e2ac1e92a08354a09b2776768d7ed",
"html": "https://github.com/GluuFederation/flex/blob/main/automation/common.py"
}
},
{
"name": "docs",
"path": "automation/docs",
"sha": "5b35490ccfef8783eeed9b32627d2b48d91a8039",
"size": 0,
"url": "https://api.github.com/repos/GluuFederation/flex/contents/automation/docs?ref=main",
"html_url": "https://github.com/GluuFederation/flex/tree/main/automation/docs",
"git_url": "https://api.github.com/repos/GluuFederation/flex/git/trees/5b35490ccfef8783eeed9b32627d2b48d91a8039",
"download_url": null,
"type": "dir",
"_links": {
"self": "https://api.github.com/repos/GluuFederation/flex/contents/automation/docs?ref=main",
"git": "https://api.github.com/repos/GluuFederation/flex/git/trees/5b35490ccfef8783eeed9b32627d2b48d91a8039",
"html": "https://github.com/GluuFederation/flex/tree/main/automation/docs"
}
},
{
"name": "github-labels",
"path": "automation/github-labels",
"sha": "38b7719aa45e97cd9323d397f5edbb714257aac9",
"size": 0,
"url": "https://api.github.com/repos/GluuFederation/flex/contents/automation/github-labels?ref=main",
"html_url": "https://github.com/GluuFederation/flex/tree/main/automation/github-labels",
"git_url": "https://api.github.com/repos/GluuFederation/flex/git/trees/38b7719aa45e97cd9323d397f5edbb714257aac9",
"download_url": null,
"type": "dir",
"_links": {
"self": "https://api.github.com/repos/GluuFederation/flex/contents/automation/github-labels?ref=main",
"git": "https://api.github.com/repos/GluuFederation/flex/git/trees/38b7719aa45e97cd9323d397f5edbb714257aac9",
"html": "https://github.com/GluuFederation/flex/tree/main/automation/github-labels"
}
},
{
"name": "janssen_helm_chart",
"path": "automation/janssen_helm_chart",
"sha": "cdfeead3b4b79a156ba585c3334b95ec267d4e8d",
"size": 0,
"url": "https://api.github.com/repos/GluuFederation/flex/contents/automation/janssen_helm_chart?ref=main",
"html_url": "https://github.com/GluuFederation/flex/tree/main/automation/janssen_helm_chart",
"git_url": "https://api.github.com/repos/GluuFederation/flex/git/trees/cdfeead3b4b79a156ba585c3334b95ec267d4e8d",
"download_url": null,
"type": "dir",
"_links": {
"self": "https://api.github.com/repos/GluuFederation/flex/contents/automation/janssen_helm_chart?ref=main",
"git": "https://api.github.com/repos/GluuFederation/flex/git/trees/cdfeead3b4b79a156ba585c3334b95ec267d4e8d",
"html": "https://github.com/GluuFederation/flex/tree/main/automation/janssen_helm_chart"
}
},
{
"name": "markdown",
"path": "automation/markdown",
"sha": "86b70f1bbbaf5b2116a201e80ca1eebde3e9b16d",
"size": 0,
"url": "https://api.github.com/repos/GluuFederation/flex/contents/automation/markdown?ref=main",
"html_url": "https://github.com/GluuFederation/flex/tree/main/automation/markdown",
"git_url": "https://api.github.com/repos/GluuFederation/flex/git/trees/86b70f1bbbaf5b2116a201e80ca1eebde3e9b16d",
"download_url": null,
"type": "dir",
"_links": {
"self": "https://api.github.com/repos/GluuFederation/flex/contents/automation/markdown?ref=main",
"git": "https://api.github.com/repos/GluuFederation/flex/git/trees/86b70f1bbbaf5b2116a201e80ca1eebde3e9b16d",
"html": "https://github.com/GluuFederation/flex/tree/main/automation/markdown"
}
},
{
"name": "packaging",
"path": "automation/packaging",
=== Attempting to retrieve nightly branch automation directory ===
[
{
"name": "auto_update_image_pr.py",
"path": "automation/auto_update_image_pr.py",
"sha": "1f8de3eb7bc3f98e26a162fc9450ed1fc76a3bad",
"size": 1916,
"url": "https://api.github.com/repos/GluuFederation/flex/contents/automation/auto_update_image_pr.py?ref=nightly",
"html_url": "https://github.com/GluuFederation/flex/blob/nightly/automation/auto_update_image_pr.py",
"git_url": "https://api.github.com/repos/GluuFederation/flex/git/blobs/1f8de3eb7bc3f98e26a162fc9450ed1fc76a3bad",
"download_url": "https://raw.githubusercontent.com/GluuFederation/flex/nightly/automation/auto_update_image_pr.py",
"type": "file",
"_links": {
"self": "https://api.github.com/repos/GluuFederation/flex/contents/automation/auto_update_image_pr.py?ref=nightly",
"git": "https://api.github.com/repos/GluuFederation/flex/git/blobs/1f8de3eb7bc3f98e26a162fc9450ed1fc76a3bad",
"html": "https://github.com/GluuFederation/flex/blob/nightly/automation/auto_update_image_pr.py"
}
},
{
"name": "common.py",
"path": "automation/common.py",
"sha": "abbe4787674e2ac1e92a08354a09b2776768d7ed",
"size": 2077,
"url": "https://api.github.com/repos/GluuFederation/flex/contents/automation/common.py?ref=nightly",
"html_url": "https://github.com/GluuFederation/flex/blob/nightly/automation/common.py",
"git_url": "https://api.github.com/repos/GluuFederation/flex/git/blobs/abbe4787674e2ac1e92a08354a09b2776768d7ed",
"download_url": "https://raw.githubusercontent.com/GluuFederation/flex/nightly/automation/common.py",
"type": "file",
"_links": {
"self": "https://api.github.com/repos/GluuFederation/flex/contents/automation/common.py?ref=nightly",
"git": "https://api.github.com/repos/GluuFederation/flex/git/blobs/abbe4787674e2ac1e92a08354a09b2776768d7ed",
"html": "https://github.com/GluuFederation/flex/blob/nightly/automation/common.py"
}
},
{
"name": "docs",
"path": "automation/docs",
"sha": "5b35490ccfef8783eeed9b32627d2b48d91a8039",
"size": 0,
"url": "https://api.github.com/repos/GluuFederation/flex/contents/automation/docs?ref=nightly",
"html_url": "https://github.com/GluuFederation/flex/tree/nightly/automation/docs",
"git_url": "https://api.github.com/repos/GluuFederation/flex/git/trees/5b35490ccfef8783eeed9b32627d2b48d91a8039",
"download_url": null,
"type": "dir",
"_links": {
"self": "https://api.github.com/repos/GluuFederation/flex/contents/automation/docs?ref=nightly",
"git": "https://api.github.com/repos/GluuFederation/flex/git/trees/5b35490ccfef8783eeed9b32627d2b48d91a8039",
"html": "https://github.com/GluuFederation/flex/tree/nightly/automation/docs"
}
},
{
"name": "github-labels",
"path": "automation/github-labels",
"sha": "38b7719aa45e97cd9323d397f5edbb714257aac9",
"size": 0,
"url": "https://api.github.com/repos/GluuFederation/flex/contents/automation/github-labels?ref=nightly",
"html_url": "https://github.com/GluuFederation/flex/tree/nightly/automation/github-labels",
"git_url": "https://api.github.com/repos/GluuFederation/flex/git/trees/38b7719aa45e97cd9323d397f5edbb714257aac9",
"download_url": null,
"type": "dir",
"_links": {
"self": "https://api.github.com/repos/GluuFederation/flex/contents/automation/github-labels?ref=nightly",
"git": "https://api.github.com/repos/GluuFederation/flex/git/trees/38b7719aa45e97cd9323d397f5edbb714257aac9",
"html": "https://github.com/GluuFederation/flex/tree/nightly/automation/github-labels"
}
},
{
"name": "janssen_helm_chart",
"path": "automation/janssen_helm_chart",
"sha": "cdfeead3b4b79a156ba585c3334b95ec267d4e8d",
"size": 0,
"url": "https://api.github.com/repos/GluuFederation/flex/contents/automation/janssen_helm_chart?ref=nightly",
"html_url": "https://github.com/GluuFederation/flex/tree/nightly/automation/janssen_helm_chart",
"git_url": "https://api.github.com/repos/GluuFederation/flex/git/trees/cdfeead3b4b79a156ba585c3334b95ec267d4e8d",
"download_url": null,
"type": "dir",
"_links": {
"self": "https://api.github.com/repos/GluuFederation/flex/contents/automation/janssen_helm_chart?ref=nightly",
"git": "https://api.github.com/repos/GluuFederation/flex/git/trees/cdfeead3b4b79a156ba585c3334b95ec267d4e8d",
"html": "https://github.com/GluuFederation/flex/tree/nightly/automation/janssen_helm_chart"
}
},
{
"name": "markdown",
"path": "automation/markdown",
"sha": "86b70f1bbbaf5b2116a201e80ca1eebde3e9b16d",
"size": 0,
"url": "https://api.github.com/repos/GluuFederation/flex/contents/automation/markdown?ref=nightly",
"html_url": "https://github.com/GluuFederation/flex/tree/nightly/automation/markdown",
"git_url": "https://api.github.com/repos/GluuFederation/flex/git/trees/86b70f1bbbaf5b2116a201e80ca1eebde3e9b16d",
"download_url": null,
"type": "dir",
"_links": {
"self": "https://api.github.com/repos/GluuFederation/flex/contents/automation/markdown?ref=nightly",
"git": "https://api.github.com/repos/GluuFederation/flex/git/trees/86b70f1bbbaf5b2116a201e80ca1eebde3e9b16d",
"html": "https://github.com/GluuFederation/flex/tree/nightly/automation/markdown"
}
},
{
"name": "packaging",
"path": "automation/packaging",
</shell_result>
The verification has confirmed the critical issue. The pgsql.yaml and mysql.yaml files do not exist in the automation/ directory—both URLs return HTTP 404 errors. The directory listing shows only Python scripts and subdirectories, no YAML files.
YAML files referenced in wget commands do not exist and will cause failures.
Both URLs return HTTP 404:
- https://raw.githubusercontent.com/GluuFederation/flex/nightly/automation/pgsql.yaml → Not found
- https://raw.githubusercontent.com/GluuFederation/flex/nightly/automation/mysql.yaml → Not found
Users following lines 170-175 will fail at the wget step. Either:
- The YAML files need to be created and committed to the `automation/` directory, or
- The documentation must reference the correct location/branch where these manifests exist
Additionally, the instruction "adjust values as preferred" remains vague without examples of which configuration parameters (credentials, database name, storage class, resource limits) require customization.
🧰 Tools
🪛 markdownlint-cli2 (0.18.1)
170-170: Trailing spaces
Expected: 0 or 2; Actual: 1
(MD009, no-trailing-spaces)
172-172: Fenced code blocks should be surrounded by blank lines
(MD031, blanks-around-fences)
🤖 Prompt for AI Agents
In docs/admin/recipes/getting-started-rancher.md around lines 170 to 175, the
wget references to
https://raw.githubusercontent.com/GluuFederation/flex/nightly/automation/pgsql.yaml
(and similarly mysql.yaml) point to non-existent files and will 404; either add
the missing YAML manifests into the automation/ directory in the repo (commit
pgsql.yaml and mysql.yaml with the expected deployment/service/volume specs) or
update the documentation to point to the correct existing manifest URLs/branch;
also replace the vague "adjust values as preferred" with a short list of
concrete configurable fields (e.g., credentials, database name, storageClass,
resource requests/limits) and an example or link to the manifest sections users
should edit.
| - Scroll through the sections to get familiar with the options. For minimal setup follow with the next instructions. | ||
| - Add `License SSA`. Before initiating the setup, please obtain an [SSA](https://docs.gluu.org/vreplace-flex-version/install/agama/prerequisites/#obtaining-an-ssa) for Flex trial, after which you will issued a JWT. | ||
| - Click on the `Persistence` section. Change `SQL database host uri` to `postgresql.postgres.svc.cluster.local` in the case of `PostgreSQL` or `my-release-mysql.gluu.svc.cluster.local` in the case of `MySQL`. Also set `SQL database username`,`SQL password`, and `SQL database name` to the values you used during the database installation. | ||
| - Click on the `Persistence` section. Change `SQL database host uri` to `postgresql.gluu.svc` in the case of `PostgreSQL` or `mysql.gluu.svc` in the case of `MySQL`. Also set `SQL database username`,`SQL password`, and `SQL database name` to the values you used during the database installation. |
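Review bot: the added line tells readers to set `SQL database username` and `SQL password` to "the values you used during the database installation", but the manifests this PR introduces set no username at all and ship a fixed placeholder password (`root-password: Test1234#` in mysql.yaml, `postgresql-password: Test1234#` in pgsql.yaml), so a reader who followed the wget/kubectl steps verbatim has nothing to recall and ends up with a known password on the database. Name the accounts explicitly in this line (`root`, since the MySQL container only receives `MYSQL_ROOT_PASSWORD`; `postgres`, since the PostgreSQL container only receives `POSTGRES_PASSWORD`) and add a sentence telling readers to replace the placeholder in the Secret before `kubectl apply`. The shortened hostnames `postgresql.gluu.svc` and `mysql.gluu.svc` do match the Service names and the `gluu` namespace in both manifests; the fully qualified form the removed line used (`mysql.gluu.svc.cluster.local`) is still the safer value for pods whose resolver search list is not the cluster default.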
🧹 Nitpick | 🔵 Trivial
🧩 Analysis chain
Script executed:
#!/bin/bash
# Find pgsql.yaml and mysql.yaml files
find . -type f \( -name "pgsql.yaml" -o -name "mysql.yaml" \) | head -20
Repository: GluuFederation/flex
<shell_result>
Repository: GluuFederation/flex
Exit code: 0
stdout:
./automation/mysql.yaml
./automation/pgsql.yaml
</shell_result>
Script executed:
#!/bin/bash
# Read the mysql.yaml file to check service definition
echo "=== mysql.yaml ==="
cat ./automation/mysql.yaml
Repository: GluuFederation/flex
<shell_result>
Repository: GluuFederation/flex
Exit code: 0
stdout:
=== mysql.yaml ===
apiVersion: v1
kind: Secret
metadata:
  name: mysql-secret
  namespace: gluu
type: Opaque
stringData:
  root-password: Test1234#
---
apiVersion: v1
kind: Service
metadata:
  name: mysql
  namespace: gluu
spec:
  ports:
    - port: 3306
  selector:
    app: mysql
  clusterIP: None
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: mysql
  namespace: gluu
spec:
  selector:
    matchLabels:
      app: mysql
  strategy:
    type: Recreate
  template:
    metadata:
      labels:
        app: mysql
    spec:
      containers:
        - image: mysql:8.0
          name: mysql
          env:
            - name: MYSQL_ROOT_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: mysql-secret
                  key: root-password
            - name: MYSQL_DATABASE
              value: gluu
          ports:
            - containerPort: 3306
              name: mysql
          volumeMounts:
            - name: mysql-persistent-storage
              mountPath: /var/lib/mysql
      volumes:
        - name: mysql-persistent-storage
          persistentVolumeClaim:
            claimName: mysql-pv-claim
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: mysql-pv-claim
  namespace: gluu
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 5Gi
</shell_result>
Script executed:
#!/bin/bash
# Read the pgsql.yaml file to check service definition
echo "=== pgsql.yaml ==="
cat ./automation/pgsql.yaml
Repository: GluuFederation/flex
<shell_result>
Repository: GluuFederation/flex
Exit code: 0
stdout:
=== pgsql.yaml ===
apiVersion: v1
kind: Secret
metadata:
  name: postgresql-secret
  namespace: gluu
type: Opaque
stringData:
  postgresql-password: Test1234#
---
apiVersion: v1
kind: Service
metadata:
  name: postgresql
  namespace: gluu
spec:
  ports:
    - port: 5432
  selector:
    app: postgresql
  clusterIP: None
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: postgresql
  namespace: gluu
spec:
  selector:
    matchLabels:
      app: postgresql
  strategy:
    type: Recreate
  template:
    metadata:
      labels:
        app: postgresql
    spec:
      containers:
        - image: postgres:16
          name: postgresql
          env:
            - name: POSTGRES_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: postgresql-secret
                  key: postgresql-password
            - name: POSTGRES_DB
              value: gluu
            - name: PGDATA
              value: /var/lib/postgresql/data/pgdata
          ports:
            - containerPort: 5432
              name: postgresql
          volumeMounts:
            - name: postgresql-persistent-storage
              mountPath: /var/lib/postgresql/data
      volumes:
        - name: postgresql-persistent-storage
          persistentVolumeClaim:
            claimName: postgresql-pv-claim
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: postgresql-pv-claim
  namespace: gluu
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 5Gi
</shell_result>
Based on my verification of the deployment manifests, I can now provide the rewritten review comment:
Hostname verification confirms values are correct; consider adding verification step for user clarity.
Line 214 references postgresql.gluu.svc and mysql.gluu.svc, which correctly match the service definitions in pgsql.yaml and mysql.yaml (both services are deployed in the gluu namespace). However, the instruction could be clearer for users unfamiliar with Kubernetes DNS conventions.
Consider adding a verification step:
Change `SQL database host uri` to `postgresql.gluu.svc` (for PostgreSQL) or `mysql.gluu.svc` (for MySQL).
To verify the service names after deployment, run:
kubectl get svc -n gluu
🤖 Prompt for AI Agents
docs/admin/recipes/getting-started-rancher.md around line 214: the instructions
list the correct hostnames `postgresql.gluu.svc` and `mysql.gluu.svc` but lack a
verification step for users unfamiliar with Kubernetes DNS; update the sentence
to first instruct users to set `SQL database host uri` to `postgresql.gluu.svc`
(PostgreSQL) or `mysql.gluu.svc` (MySQL) and then add a short verification
command suggestion such as running `kubectl get svc -n gluu` to confirm the
service names are present in the `gluu` namespace.
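Both manifests printed in the review above commit a Secret whose password is the literal `Test1234#`, and `kubectl apply -f mysql.yaml` as documented will put exactly that value into the cluster. The script below is an added example written for this review; it is not part of the PR or the Flex project. It drops the `Secret` document from the downloaded manifest, creates a Secret of the same name and key from a locally generated random value, applies the remaining Service, Deployment and PVC unchanged, and prints how to read the password back for the Rancher `SQL password` field. The function names (`strip_kinds`, `deploy_db`, `demo_strip`), the assumption that the `gluu` namespace is the target (as in the manifests), and the constructed three-document sample used by `demo_strip` are mine; `kubectl` and `openssl` are assumed to be on PATH.

```shell
#!/bin/sh
# Added example (not from the PR or the Flex project): apply
# automation/mysql.yaml or automation/pgsql.yaml without the placeholder
# password carried in the committed Secret (stringData: ... Test1234#).
# Assumes kubectl points at the target cluster and openssl is installed.
set -eu

# strip_kinds FILE KIND[,KIND...]
# Print FILE with every YAML document whose top-level `kind:` is listed removed.
# Documents are delimited by a line containing only `---`, as in the manifests
# shown in this review. Pure text processing; no cluster access needed.
strip_kinds() {
  _skip=",$2,"; _doc=""; _kind=""; _first=1
  while IFS= read -r _line || [ -n "$_line" ]; do
    if [ "$_line" = "---" ]; then
      _emit_doc
      continue
    fi
    case "$_line" in
      kind:*) _kind=$(printf '%s' "${_line#kind:}" | tr -d ' \t') ;;
    esac
    _doc="$_doc$_line
"
  done < "$1"
  _emit_doc
}

# Helper for strip_kinds: print the buffered document unless its kind is skipped.
_emit_doc() {
  if [ -n "$_doc" ]; then
    case "$_skip" in
      *",$_kind,"*) ;;                       # dropped (e.g. the committed Secret)
      *) [ "$_first" -eq 1 ] || printf -- '---\n'
         printf '%s' "$_doc"; _first=0 ;;
    esac
  fi
  _doc=""; _kind=""
}

# deploy_db MANIFEST SECRET_NAME SECRET_KEY DEPLOYMENT
#   deploy_db mysql.yaml mysql-secret root-password mysql
#   deploy_db pgsql.yaml postgresql-secret postgresql-password postgresql
# SECRET_NAME and SECRET_KEY must match the Deployment's secretKeyRef.
deploy_db() {
  _manifest=$1; _secret=$2; _key=$3; _deploy=$4
  _pw=$(openssl rand -base64 24)
  kubectl get namespace gluu >/dev/null 2>&1 || kubectl create namespace gluu
  # Secret is generated client-side and applied; the random value never touches disk.
  kubectl create secret generic "$_secret" -n gluu \
    --from-literal="$_key=$_pw" --dry-run=client -o yaml | kubectl apply -f -
  # Apply everything except the manifest's own Secret, so the placeholder
  # password cannot overwrite the one just created.
  strip_kinds "$_manifest" Secret | kubectl apply -f -
  kubectl -n gluu rollout status "deployment/$_deploy"
  kubectl -n gluu get svc "$_deploy"
  echo "Password for the Rancher 'SQL password' field:"
  echo "  kubectl -n gluu get secret $_secret -o jsonpath='{.data.$_key}' | base64 -d"
}

# demo_strip: run strip_kinds on a constructed three-document sample that
# mirrors the shape of the PR's mysql.yaml (constructed input, not the real file).
demo_strip() {
  _tmp=$(mktemp)
  printf '%s\n' \
    'apiVersion: v1' 'kind: Secret' 'metadata:' '  name: mysql-secret' \
    'stringData:' '  root-password: Test1234#' '---' \
    'apiVersion: v1' 'kind: Service' 'metadata:' '  name: mysql' '---' \
    'apiVersion: apps/v1' 'kind: Deployment' 'metadata:' '  name: mysql' > "$_tmp"
  strip_kinds "$_tmp" Secret
  rm -f "$_tmp"
}

if [ "${1:-}" = "--apply" ]; then
  deploy_db "$2" "$3" "$4" "$5"
else
  demo_strip   # offline: shows the sample with its Secret document removed
fi
```

Run it with no arguments to see the stripping on the constructed sample; run `sh deploy.sh --apply mysql.yaml mysql-secret root-password mysql` (or the pgsql equivalents) against a real cluster. The usernames to enter in Rancher remain `root` for MySQL and `postgres` for PostgreSQL, since the manifests set no other account.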
closes #2469