Skip to content

fix: replace bitnami commercial images with free official images #2477

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
moabu merged 1 commit into from
Nov 27, 2025
Merged

fix: replace bitnami commercial images with free official images #2477

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
70 changes: 70 additions & 0 deletions automation/mysql.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,70 @@
apiVersion: v1
kind: Secret
metadata:
name: mysql-secret
namespace: gluu
type: Opaque
stringData:
root-password: Test1234#
Copy link
Contributor

@coderabbitai coderabbitai bot Nov 26, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

Hardcoded credentials pose security risk — consider parameterization.

The root password "Test1234#" is hardcoded in the YAML manifest. For production use, this should be externalized via environment variables or sealed secrets.

For demo/test purposes, consider adding a comment warning users to change this value before production deployment.

Also applies to: 8-8

🤖 Prompt for AI Agents 
In automation/mysql.yaml around line 8, the root password is hardcoded as
"Test1234#" which is a security risk; replace the literal with a reference to an
external secret or environment variable (e.g., point to a Kubernetes Secret or
use an env var like MYSQL_ROOT_PASSWORD) and update the manifest to read from
that secret, or document using a sealed secret for production; if you must keep
a default for demos/tests add a clear comment above this line warning users to
change it before production and include instructions in README on how to
create/populate the external secret.

---
apiVersion: v1
kind: Service
metadata:
name: mysql
namespace: gluu
spec:
ports:
- port: 3306
selector:
app: mysql
clusterIP: None
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: mysql
namespace: gluu
spec:
selector:
matchLabels:
app: mysql
strategy:
type: Recreate
template:
metadata:
labels:
app: mysql
spec:
containers:
- image: mysql:8.0
name: mysql
env:
- name: MYSQL_ROOT_PASSWORD
valueFrom:
secretKeyRef:
name: mysql-secret
key: root-password
- name: MYSQL_DATABASE
value: gluu
ports:
- containerPort: 3306
name: mysql
volumeMounts:
- name: mysql-persistent-storage
mountPath: /var/lib/mysql
volumes:
- name: mysql-persistent-storage
persistentVolumeClaim:
claimName: mysql-pv-claim
---
Comment on lines +22 to +59
Copy link
Contributor

@coderabbitai coderabbitai bot Nov 26, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

Script executed:

#!/bin/bash
# Check if the file exists and view its content
if [ -f "automation/mysql.yaml" ]; then
  echo "=== File found ===" 
  wc -l automation/mysql.yaml
  echo ""
  echo "=== Content ===" 
  cat -n automation/mysql.yaml
else
  echo "File not found at automation/mysql.yaml"
  # Try to locate it
  find . -name "mysql.yaml" -type f 2>/dev/null | head -20
fi

Repository: GluuFederation/flex

<shell_result>
Repository: GluuFederation/flex
Exit code: 0

stdout:

=== File found ===
70 automation/mysql.yaml

=== Content ===
     1	apiVersion: v1
     2	kind: Secret
     3	metadata:
     4	  name: mysql-secret
     5	  namespace: gluu
     6	type: Opaque
     7	stringData:
     8	  root-password: Test1234#
     9	---
    10	apiVersion: v1
    11	kind: Service
    12	metadata:
    13	  name: mysql
    14	  namespace: gluu
    15	spec:
    16	  ports:
    17	  - port: 3306
    18	  selector:
    19	    app: mysql
    20	  clusterIP: None
    21	---
    22	apiVersion: apps/v1
    23	kind: Deployment
    24	metadata:
    25	  name: mysql
    26	  namespace: gluu
    27	spec:
    28	  selector:
    29	    matchLabels:
    30	      app: mysql
    31	  strategy:
    32	    type: Recreate
    33	  template:
    34	    metadata:
    35	      labels:
    36	        app: mysql
    37	    spec:
    38	      containers:
    39	      - image: mysql:8.0
    40	        name: mysql
    41	        env:
    42	        - name: MYSQL_ROOT_PASSWORD
    43	          valueFrom:
    44	            secretKeyRef:
    45	              name: mysql-secret
    46	              key: root-password
    47	        - name: MYSQL_DATABASE
    48	          value: gluu
    49	        ports:
    50	        - containerPort: 3306
    51	          name: mysql
    52	        volumeMounts:
    53	        - name: mysql-persistent-storage
    54	          mountPath: /var/lib/mysql
    55	      volumes:
    56	      - name: mysql-persistent-storage
    57	        persistentVolumeClaim:
    58	          claimName: mysql-pv-claim
    59	---
    60	apiVersion: v1
    61	kind: PersistentVolumeClaim
    62	metadata:
    63	  name: mysql-pv-claim
    64	  namespace: gluu
    65	spec:
    66	  accessModes:
    67	    - ReadWriteOnce
    68	  resources:
    69	    requests:
    70	      storage: 5Gi

</shell_result>

CKV_K8S_35 Checkov security check MySQL secrets

<web_search_result>
Summary

  • CKV_K8S_35 enforces the recommendation to avoid exposing secrets as environment variables (e.g., MYSQL_ROOT_PASSWORD via env / envFrom) and instead mount Kubernetes Secrets as files (volumes) so secrets are less likely to leak in logs, process listings or debugging output. [1][2]

Why it matters for MySQL

  • The official MySQL image and many apps default to env vars (MYSQL_ROOT_PASSWORD, etc.), which triggers CKV_K8S_35. To satisfy the check you must stop injecting the secret via container env and supply it from a mounted secret file (or another file-based mechanism) and adapt startup/init logic accordingly. [1][2]

Simple remediation options

  1. Mount the Secret as a volume and read it from a file (example):
    apiVersion: v1
    kind: Pod
    metadata:
    name: mysql
    spec:
    containers:
  • name: mysql
    image: mysql:8
    volumeMounts:
    • name: mysql-secret-vol
      mountPath: /etc/secrets
      readOnly: true
      volumes:
  • name: mysql-secret-vol
    secret:
    secretName: mysql-secret
    (then change your init/startup to read credentials from /etc/secrets/ instead of env). [1][3]
  1. Use init scripts or docker-entrypoint-initdb.d mounted from the Secret (for the MySQL image) so MySQL is initialized using file-based credentials rather than env vars. This keeps the secret in a file inside the container filesystem. [2][5]

Notes

  • If you cannot change the application immediately, you can suppress the Checkov rule per-project (annotations or checkov:skip), but this is a temporary workaround — prefer remediating. [3]

References

  • Check explanation / remediation guidance (industry/CIS guidance) on preferring file-mounted secrets. [1][2]
  • Checkov docs for skipping/suppressing rules (if needed). [3]

Would you like a ready-to-apply Deployment manifest that shows mounting a MySQL secret and an example init script that reads the password from a file?
</web_search_result>

All security hardening recommendations are valid and well-founded.

The review accurately identifies five production readiness gaps in the MySQL Deployment:

  1. Security context – Required to prevent privilege escalation and enforce non-root execution.
  2. Resource constraints – Necessary to prevent resource exhaustion and ensure cluster stability.
  3. Health checks – Improves pod lifecycle reliability and orchestration.
  4. Image digest – Ensures reproducible deployments instead of relying on mutable tags.
  5. Credential handling – The current use of secretKeyRef in environment variables triggers CKV_K8S_35. Per Checkov and security best practices, secrets should be mounted as volumes and read from files, not injected as env vars, to reduce exposure in logs and process listings.

The file confirms the Deployment lacks all five hardening measures. The example improvements are accurate and applicable. The characterization as acceptable for demo/test but requiring hardening for production is appropriate.

🧰 Tools
🪛 Checkov (3.2.334)

[medium] 22-59: Containers should not run with allowPrivilegeEscalation

(CKV_K8S_20)

[low] 22-59: CPU limits should be set

(CKV_K8S_11)

[low] 22-59: CPU requests should be set

(CKV_K8S_10)

[low] 22-59: Apply security context to your containers

(CKV_K8S_30)

[low] 22-59: Minimize the admission of containers with the NET_RAW capability

(CKV_K8S_28)

[low] 22-59: Image should use digest

(CKV_K8S_43)

[low] 22-59: Image Pull Policy should be Always

(CKV_K8S_15)

[low] 22-59: Liveness Probe Should be Configured

(CKV_K8S_8)

[low] 22-59: Memory limits should be set

(CKV_K8S_13)

[low] 22-59: Memory requests should be set

(CKV_K8S_12)

[low] 22-59: Minimize the admission of containers with capabilities assigned

(CKV_K8S_37)

[low] 22-59: Apply security context to your pods and containers

(CKV_K8S_29)

[low] 22-59: Use read-only filesystem for containers where possible

(CKV_K8S_22)

[low] 22-59: Readiness Probe Should be Configured

(CKV_K8S_9)

[medium] 22-59: Minimize the admission of root containers

(CKV_K8S_23)

[low] 22-59: Containers should run as a high UID to avoid host conflict

(CKV_K8S_40)

[low] 22-59: Ensure that the seccomp profile is set to docker/default or runtime/default

(CKV_K8S_31)

[low] 22-59: Prefer using secrets as files over secrets as environment variables

(CKV_K8S_35)

[low] 22-59: Ensure that Service Account Tokens are only mounted where necessary

(CKV_K8S_38)

🤖 Prompt for AI Agents 
In automation/mysql.yaml around lines 22 to 59, the Deployment is missing
production hardening: add a pod/container securityContext (e.g., runAsNonRoot:
true, runAsUser with non-root UID, and allowPrivilegeEscalation: false) to
prevent privileged execution; add resource requests and limits for cpu/memory on
the container to avoid resource exhaustion; add livenessProbe and readinessProbe
(tcpSocket or exec against mysql socket/health endpoint) so Kubernetes can
manage pod lifecycle; pin the image to an immutable digest (replace mysql:8.0
with mysql@sha256:... or a specific digest) to ensure reproducible images; and
stop injecting the root password via env var-secretKeyRef — mount the Kubernetes
Secret as a volume and read the password from a file (or use projected secret)
so credentials are not exposed in process envs or logs. Ensure these changes are
applied within the same pod template and that any necessary user/permission
adjustments are made to allow MySQL to read the mounted secret file.

apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: mysql-pv-claim
namespace: gluu
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 5Gi
72 changes: 72 additions & 0 deletions automation/pgsql.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,72 @@
apiVersion: v1
kind: Secret
metadata:
name: postgresql-secret
namespace: gluu
type: Opaque
stringData:
postgresql-password: Test1234#
Copy link
Contributor

@coderabbitai coderabbitai bot Nov 26, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

Hardcoded credentials pose security risk — consider parameterization.

The password "Test1234#" is hardcoded in the YAML manifest. For production use, externalize via environment variables or sealed secrets. Add a warning comment for demo/test users to change before production.

Also applies to: 8-8

🤖 Prompt for AI Agents 
In automation/pgsql.yaml around line 8, the postgresql-password is hardcoded as
"Test1234#" which is a security risk; replace this literal with a reference to
an external secret (e.g., a Kubernetes Secret, sealed secret, or an environment
variable/SecretRef) and update the manifest to read the password from that
secret, ensuring the value is not checked into source control; additionally add
a clear comment in the file warning that the current value is only for demo/test
and must be replaced with a secure secret in production.

---
apiVersion: v1
kind: Service
metadata:
name: postgresql
namespace: gluu
spec:
ports:
- port: 5432
selector:
app: postgresql
clusterIP: None
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: postgresql
namespace: gluu
spec:
selector:
matchLabels:
app: postgresql
strategy:
type: Recreate
template:
metadata:
labels:
app: postgresql
spec:
containers:
- image: postgres:16
name: postgresql
env:
- name: POSTGRES_PASSWORD
valueFrom:
secretKeyRef:
name: postgresql-secret
key: postgresql-password
- name: POSTGRES_DB
value: gluu
- name: PGDATA
value: /var/lib/postgresql/data/pgdata
ports:
- containerPort: 5432
name: postgresql
volumeMounts:
- name: postgresql-persistent-storage
mountPath: /var/lib/postgresql/data
volumes:
- name: postgresql-persistent-storage
persistentVolumeClaim:
claimName: postgresql-pv-claim
---
Comment on lines +22 to +61
Copy link
Contributor

@coderabbitai coderabbitai bot Nov 26, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

Script executed:

# First, let's look at the structure and find the relevant files
fd -e yaml . automation/ 2>/dev/null | head -20

Repository: GluuFederation/flex

<shell_result>
Repository: GluuFederation/flex
Exit code: 0

stdout:

automation/janssen_helm_chart/non_janssen.yaml
automation/mysql.yaml
automation/pgsql.yaml
automation/rancher-partner-charts/package.yaml
automation/rancher-partner-charts/questions.yaml

</shell_result>

Script executed:

# Read the PostgreSQL manifest
cat -n automation/pgsql.yaml

Repository: GluuFederation/flex

<shell_result>
Repository: GluuFederation/flex
Exit code: 0

stdout:

     1	apiVersion: v1
     2	kind: Secret
     3	metadata:
     4	  name: postgresql-secret
     5	  namespace: gluu
     6	type: Opaque
     7	stringData:
     8	  postgresql-password: Test1234#
     9	---
    10	apiVersion: v1
    11	kind: Service
    12	metadata:
    13	  name: postgresql
    14	  namespace: gluu
    15	spec:
    16	  ports:
    17	  - port: 5432
    18	  selector:
    19	    app: postgresql
    20	  clusterIP: None
    21	---
    22	apiVersion: apps/v1
    23	kind: Deployment
    24	metadata:
    25	  name: postgresql
    26	  namespace: gluu
    27	spec:
    28	  selector:
    29	    matchLabels:
    30	      app: postgresql
    31	  strategy:
    32	    type: Recreate
    33	  template:
    34	    metadata:
    35	      labels:
    36	        app: postgresql
    37	    spec:
    38	      containers:
    39	      - image: postgres:16
    40	        name: postgresql
    41	        env:
    42	        - name: POSTGRES_PASSWORD
    43	          valueFrom:
    44	            secretKeyRef:
    45	              name: postgresql-secret
    46	              key: postgresql-password
    47	        - name: POSTGRES_DB
    48	          value: gluu
    49	        - name: PGDATA
    50	          value: /var/lib/postgresql/data/pgdata
    51	        ports:
    52	        - containerPort: 5432
    53	          name: postgresql
    54	        volumeMounts:
    55	        - name: postgresql-persistent-storage
    56	          mountPath: /var/lib/postgresql/data
    57	      volumes:
    58	      - name: postgresql-persistent-storage
    59	        persistentVolumeClaim:
    60	          claimName: postgresql-pv-claim
    61	---
    62	apiVersion: v1
    63	kind: PersistentVolumeClaim
    64	metadata:
    65	  name: postgresql-pv-claim
    66	  namespace: gluu
    67	spec:
    68	  accessModes:
    69	    - ReadWriteOnce
    70	  resources:
    71	    requests:
    72	      storage: 5Gi

</shell_result>

Script executed:

# Read the MySQL manifest for comparison
cat -n automation/mysql.yaml

Repository: GluuFederation/flex

<shell_result>
Repository: GluuFederation/flex
Exit code: 0

stdout:

     1	apiVersion: v1
     2	kind: Secret
     3	metadata:
     4	  name: mysql-secret
     5	  namespace: gluu
     6	type: Opaque
     7	stringData:
     8	  root-password: Test1234#
     9	---
    10	apiVersion: v1
    11	kind: Service
    12	metadata:
    13	  name: mysql
    14	  namespace: gluu
    15	spec:
    16	  ports:
    17	  - port: 3306
    18	  selector:
    19	    app: mysql
    20	  clusterIP: None
    21	---
    22	apiVersion: apps/v1
    23	kind: Deployment
    24	metadata:
    25	  name: mysql
    26	  namespace: gluu
    27	spec:
    28	  selector:
    29	    matchLabels:
    30	      app: mysql
    31	  strategy:
    32	    type: Recreate
    33	  template:
    34	    metadata:
    35	      labels:
    36	        app: mysql
    37	    spec:
    38	      containers:
    39	      - image: mysql:8.0
    40	        name: mysql
    41	        env:
    42	        - name: MYSQL_ROOT_PASSWORD
    43	          valueFrom:
    44	            secretKeyRef:
    45	              name: mysql-secret
    46	              key: root-password
    47	        - name: MYSQL_DATABASE
    48	          value: gluu
    49	        ports:
    50	        - containerPort: 3306
    51	          name: mysql
    52	        volumeMounts:
    53	        - name: mysql-persistent-storage
    54	          mountPath: /var/lib/mysql
    55	      volumes:
    56	      - name: mysql-persistent-storage
    57	        persistentVolumeClaim:
    58	          claimName: mysql-pv-claim
    59	---
    60	apiVersion: v1
    61	kind: PersistentVolumeClaim
    62	metadata:
    63	  name: mysql-pv-claim
    64	  namespace: gluu
    65	spec:
    66	  accessModes:
    67	    - ReadWriteOnce
    68	  resources:
    69	    requests:
    70	      storage: 5Gi

</shell_result>

All suggested improvements are valid and confirmed missing from the PostgreSQL deployment manifest.

The review comment is accurate. Both the PostgreSQL and MySQL manifests in automation/ lack the five critical security and operational hardening measures:

  1. Security context — Neither deployment defines securityContext for pod or container level
  2. Resource constraints — No requests or limits for CPU/memory are defined
  3. Health checks — No livenessProbe or readinessProbe configured
  4. Image digest — Both use mutable tags (postgres:16, mysql:8.0)
  5. Credential handling — Secrets are injected via environment variables; volume mounts are the more secure alternative

The manifests are structured identically and demonstrate identical gaps, confirming the comparison to automation/mysql.yaml is valid. These are standard Kubernetes hardening practices recommended for production deployments. The current state is appropriate for demo/test purposes but does require the suggested improvements before production use.

🧰 Tools
🪛 Checkov (3.2.334)

[medium] 22-61: Containers should not run with allowPrivilegeEscalation

(CKV_K8S_20)

[low] 22-61: CPU limits should be set

(CKV_K8S_11)

[low] 22-61: CPU requests should be set

(CKV_K8S_10)

[low] 22-61: Apply security context to your containers

(CKV_K8S_30)

[low] 22-61: Minimize the admission of containers with the NET_RAW capability

(CKV_K8S_28)

[low] 22-61: Image should use digest

(CKV_K8S_43)

[low] 22-61: Image Pull Policy should be Always

(CKV_K8S_15)

[low] 22-61: Liveness Probe Should be Configured

(CKV_K8S_8)

[low] 22-61: Memory limits should be set

(CKV_K8S_13)

[low] 22-61: Memory requests should be set

(CKV_K8S_12)

[low] 22-61: Minimize the admission of containers with capabilities assigned

(CKV_K8S_37)

[low] 22-61: Apply security context to your pods and containers

(CKV_K8S_29)

[low] 22-61: Use read-only filesystem for containers where possible

(CKV_K8S_22)

[low] 22-61: Readiness Probe Should be Configured

(CKV_K8S_9)

[medium] 22-61: Minimize the admission of root containers

(CKV_K8S_23)

[low] 22-61: Containers should run as a high UID to avoid host conflict

(CKV_K8S_40)

[low] 22-61: Ensure that the seccomp profile is set to docker/default or runtime/default

(CKV_K8S_31)

[low] 22-61: Prefer using secrets as files over secrets as environment variables

(CKV_K8S_35)

[low] 22-61: Ensure that Service Account Tokens are only mounted where necessary

(CKV_K8S_38)

apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: postgresql-pv-claim
namespace: gluu
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 5Gi
17 changes: 7 additions & 10 deletions automation/startflexdemo.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -62,10 +62,9 @@ if [[ $INSTALL_ISTIO == "true" ]]; then
cd ..
fi

PERSISTENCE_TYPE="sql"
if [[ $GLUU_PERSISTENCE == "MYSQL" ]]; then
sudo microk8s.kubectl get po --kubeconfig="$KUBECONFIG"
sudo helm install my-release --set auth.rootPassword=Test1234#,auth.database=gluu -n gluu oci://registry-1.docker.io/bitnamicharts/mysql --kubeconfig="$KUBECONFIG"
sudo wget https://raw.githubusercontent.com/GluuFederation/flex/nightly/automation/mysql.yaml
sudo microk8s.kubectl apply -f mysql.yaml --kubeconfig="$KUBECONFIG"
cat << EOF > override.yaml
config:
countryCode: US
Expand All @@ -76,15 +75,14 @@ config:
cnSqlDbName: gluu
cnSqlDbPort: 3306
cnSqlDbDialect: mysql
cnSqlDbHost: my-release-mysql.gluu.svc
cnSqlDbHost: mysql.gluu.svc
cnSqlDbUser: root
cnSqlDbTimezone: UTC
cnSqldbUserPassword: Test1234#
EOF
fi
if [[ $GLUU_PERSISTENCE == "PGSQL" ]]; then
sudo microk8s.kubectl get po --kubeconfig="$KUBECONFIG"
sudo helm install my-release --set auth.postgresPassword=Test1234#,auth.database=gluu -n gluu oci://registry-1.docker.io/bitnamicharts/postgresql --kubeconfig="$KUBECONFIG"
else
sudo wget https://raw.githubusercontent.com/GluuFederation/flex/nightly/automation/pgsql.yaml
sudo microk8s.kubectl apply -f pgsql.yaml --kubeconfig="$KUBECONFIG"
cat << EOF > override.yaml
config:
countryCode: US
Expand All @@ -95,7 +93,7 @@ config:
cnSqlDbName: gluu
cnSqlDbPort: 5432
cnSqlDbDialect: pgsql
cnSqlDbHost: my-release-postgresql.gluu.svc
cnSqlDbHost: postgresql.gluu.svc
cnSqlDbUser: postgres
cnSqlDbTimezone: UTC
cnSqldbUserPassword: Test1234#
Expand All @@ -108,7 +106,6 @@ global:
testEnviroment: true
istio:
enable: $INSTALL_ISTIO
cnPersistenceType: $PERSISTENCE_TYPE
admin-ui:
ingress:
adminUiEnabled: true
Expand Down
36 changes: 10 additions & 26 deletions docs/admin/recipes/getting-started-rancher.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -167,18 +167,12 @@ kubectl get secret cn -o json -n <namespace>
To install a quick setup with `PostgreSQL` as the backend, you need to provide the connection parameters of a fresh setup.
For a test setup, you can follow the below instructions:

- `Apps` --> `Charts` and search for `Postgres`.
- Click on `Install` on the right side of the window.
- Create a new namespace called `postgres` and hit `Next`.
- You should be on the `Edit YAML` page. Modify the below keys as desired. These values will be inputted in the installation of `Gluu Flex`

| Key |
|-----------------|
| `auth.database` |
| `auth.username` |
| `auth.password` |

- Click `Install` at the bottom right of the page.
- Open a kubectl shell from the top right navigation menu `>_`.
Copy link
Contributor

@coderabbitai coderabbitai bot Nov 26, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟡 Minor

Fix markdown formatting issues from linter.

Three formatting issues were flagged by markdownlint:

  • Line 170: Trailing spaces detected
  • Line 172: Fenced code block needs blank line above it
  • Line 186: Fenced code block needs blank line above it

Apply this diff to fix formatting:

    To install a quick setup with `PostgreSQL` as the backend, you need to provide the connection parameters of a fresh setup. 
    For a test setup, you can follow the below instructions:
~
-    - Open a kubectl shell from the top right navigation menu `>_`. 
+    - Open a kubectl shell from the top right navigation menu `>_`.
    - Run:
+
        ```bash
         wget https://raw.githubusercontent.com/GluuFederation/flex/nightly/automation/pgsql.yaml 
         kubectl apply -f pgsql.yaml #adjust values as preferred

And for MySQL:

     To install a quick setup with `MySQL` as the backend, you need to provide the connection parameters of a fresh setup. 
     For a test setup, you can follow the below instructions:
~
     - Open a kubectl shell from the top right navigation menu `>_`. 
     - Run:
+
         ```bash
         wget https://raw.githubusercontent.com/GluuFederation/flex/nightly/automation/mysql.yaml 
         kubectl apply -f mysql.yaml #adjust values as preferred

Also applies to: 172-172, 186-186

🧰 Tools
🪛 markdownlint-cli2 (0.18.1)

170-170: Trailing spaces
Expected: 0 or 2; Actual: 1

(MD009, no-trailing-spaces)

🤖 Prompt for AI Agents 
In docs/admin/recipes/getting-started-rancher.md around lines 170, 172, and 186,
fix the markdownlint issues by removing trailing spaces at line 170, and
ensuring there is a blank line immediately above each fenced code block at lines
172 and 186 (insert a single empty line before each ```bash fence); also verify
the fenced blocks are properly opened and closed with backticks and that the
wget/kubectl lines are inside those fenced blocks.

- Run:
```bash
wget https://raw.githubusercontent.com/GluuFederation/flex/nightly/automation/pgsql.yaml
kubectl apply -f pgsql.yaml #adjust values as preferred
```
Comment on lines +170 to +175
Copy link
Contributor

@coderabbitai coderabbitai bot Nov 26, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

Script executed:

#!/bin/bash
# Verify YAML file accessibility and check their structure
echo "=== Checking PostgreSQL YAML accessibility ==="
if curl -s -o /dev/null -w "%{http_code}" https://raw.githubusercontent.com/GluuFederation/flex/nightly/automation/pgsql.yaml; then
  echo " (HTTP status code above)"
fi

echo -e "\n=== Checking MySQL YAML accessibility ==="
if curl -s -o /dev/null -w "%{http_code}" https://raw.githubusercontent.com/GluuFederation/flex/nightly/automation/mysql.yaml; then
  echo " (HTTP status code above)"
fi

echo -e "\n=== PostgreSQL YAML content (first 40 lines) ==="
curl -s https://raw.githubusercontent.com/GluuFederation/flex/nightly/automation/pgsql.yaml | head -40

echo -e "\n=== MySQL YAML content (first 40 lines) ==="
curl -s https://raw.githubusercontent.com/GluuFederation/flex/nightly/automation/mysql.yaml | head -40

Repository: GluuFederation/flex

<shell_result>
Repository: GluuFederation/flex
Exit code: 0

stdout:

=== Checking PostgreSQL YAML accessibility ===
404 (HTTP status code above)

=== Checking MySQL YAML accessibility ===
404 (HTTP status code above)

=== PostgreSQL YAML content (first 40 lines) ===
404: Not Found
=== MySQL YAML content (first 40 lines) ===
404: Not Found

</shell_result>

Script executed:

#!/bin/bash
# Check if YAML files exist in the repository at different locations
echo "=== Checking for pgsql.yaml and mysql.yaml in GluuFederation/flex repository ==="

# Try to find files in different branches and paths using GitHub API
curl -s "https://api.github.com/search/code?q=repo:GluuFederation/flex+filename:pgsql.yaml" | python3 << 'EOF'
import json, sys
try:
    data = json.load(sys.stdin)
    if data.get('total_count', 0) > 0:
        print("PostgreSQL YAML files found:")
        for item in data.get('items', []):
            print(f"  - {item['path']} (branch: {item.get('repository', {}).get('default_branch', 'N/A')})")
    else:
        print("No pgsql.yaml files found in repository")
except:
    print("Error parsing response")
EOF

echo ""

curl -s "https://api.github.com/search/code?q=repo:GluuFederation/flex+filename:mysql.yaml" | python3 << 'EOF'
import json, sys
try:
    data = json.load(sys.stdin)
    if data.get('total_count', 0) > 0:
        print("MySQL YAML files found:")
        for item in data.get('items', []):
            print(f"  - {item['path']} (branch: {item.get('repository', {}).get('default_branch', 'N/A')})")
    else:
        print("No mysql.yaml files found in repository")
except:
    print("Error parsing response")
EOF

echo ""
echo "=== Checking automation directory in nightly branch ==="
curl -s "https://api.github.com/repos/GluuFederation/flex/contents/automation?ref=nightly" | python3 << 'EOF'
import json, sys
try:
    data = json.load(sys.stdin)
    if isinstance(data, list):
        print("Files in automation/ directory (nightly branch):")
        for item in data:
            print(f"  - {item['name']}")
    elif 'message' in data:
        print(f"Error: {data['message']}")
    else:
        print("Unexpected response format")
except Exception as e:
    print(f"Error: {e}")
EOF

Repository: GluuFederation/flex

<shell_result>
Repository: GluuFederation/flex
Exit code: 0

stdout:

=== Checking for pgsql.yaml and mysql.yaml in GluuFederation/flex repository ===
Error parsing response

Error parsing response

=== Checking automation directory in nightly branch ===
Error: Expecting value: line 1 column 1 (char 0)

</shell_result>

Script executed:

#!/bin/bash
# Direct check of the nightly branch contents
echo "=== Attempting to retrieve main branch automation directory ==="
curl -s -H "Accept: application/vnd.github.v3+json" \
  "https://api.github.com/repos/GluuFederation/flex/contents/automation" | head -100

echo ""
echo "=== Attempting to retrieve nightly branch automation directory ==="
curl -s -H "Accept: application/vnd.github.v3+json" \
  "https://api.github.com/repos/GluuFederation/flex/contents/automation?ref=nightly" | head -100

Repository: GluuFederation/flex

<shell_result>
Repository: GluuFederation/flex
Exit code: 0

stdout:

=== Attempting to retrieve main branch automation directory ===
[
  {
    "name": "auto_update_image_pr.py",
    "path": "automation/auto_update_image_pr.py",
    "sha": "1f8de3eb7bc3f98e26a162fc9450ed1fc76a3bad",
    "size": 1916,
    "url": "https://api.github.com/repos/GluuFederation/flex/contents/automation/auto_update_image_pr.py?ref=main",
    "html_url": "https://github.com/GluuFederation/flex/blob/main/automation/auto_update_image_pr.py",
    "git_url": "https://api.github.com/repos/GluuFederation/flex/git/blobs/1f8de3eb7bc3f98e26a162fc9450ed1fc76a3bad",
    "download_url": "https://raw.githubusercontent.com/GluuFederation/flex/main/automation/auto_update_image_pr.py",
    "type": "file",
    "_links": {
      "self": "https://api.github.com/repos/GluuFederation/flex/contents/automation/auto_update_image_pr.py?ref=main",
      "git": "https://api.github.com/repos/GluuFederation/flex/git/blobs/1f8de3eb7bc3f98e26a162fc9450ed1fc76a3bad",
      "html": "https://github.com/GluuFederation/flex/blob/main/automation/auto_update_image_pr.py"
    }
  },
  {
    "name": "common.py",
    "path": "automation/common.py",
    "sha": "abbe4787674e2ac1e92a08354a09b2776768d7ed",
    "size": 2077,
    "url": "https://api.github.com/repos/GluuFederation/flex/contents/automation/common.py?ref=main",
    "html_url": "https://github.com/GluuFederation/flex/blob/main/automation/common.py",
    "git_url": "https://api.github.com/repos/GluuFederation/flex/git/blobs/abbe4787674e2ac1e92a08354a09b2776768d7ed",
    "download_url": "https://raw.githubusercontent.com/GluuFederation/flex/main/automation/common.py",
    "type": "file",
    "_links": {
      "self": "https://api.github.com/repos/GluuFederation/flex/contents/automation/common.py?ref=main",
      "git": "https://api.github.com/repos/GluuFederation/flex/git/blobs/abbe4787674e2ac1e92a08354a09b2776768d7ed",
      "html": "https://github.com/GluuFederation/flex/blob/main/automation/common.py"
    }
  },
  {
    "name": "docs",
    "path": "automation/docs",
    "sha": "5b35490ccfef8783eeed9b32627d2b48d91a8039",
    "size": 0,
    "url": "https://api.github.com/repos/GluuFederation/flex/contents/automation/docs?ref=main",
    "html_url": "https://github.com/GluuFederation/flex/tree/main/automation/docs",
    "git_url": "https://api.github.com/repos/GluuFederation/flex/git/trees/5b35490ccfef8783eeed9b32627d2b48d91a8039",
    "download_url": null,
    "type": "dir",
    "_links": {
      "self": "https://api.github.com/repos/GluuFederation/flex/contents/automation/docs?ref=main",
      "git": "https://api.github.com/repos/GluuFederation/flex/git/trees/5b35490ccfef8783eeed9b32627d2b48d91a8039",
      "html": "https://github.com/GluuFederation/flex/tree/main/automation/docs"
    }
  },
  {
    "name": "github-labels",
    "path": "automation/github-labels",
    "sha": "38b7719aa45e97cd9323d397f5edbb714257aac9",
    "size": 0,
    "url": "https://api.github.com/repos/GluuFederation/flex/contents/automation/github-labels?ref=main",
    "html_url": "https://github.com/GluuFederation/flex/tree/main/automation/github-labels",
    "git_url": "https://api.github.com/repos/GluuFederation/flex/git/trees/38b7719aa45e97cd9323d397f5edbb714257aac9",
    "download_url": null,
    "type": "dir",
    "_links": {
      "self": "https://api.github.com/repos/GluuFederation/flex/contents/automation/github-labels?ref=main",
      "git": "https://api.github.com/repos/GluuFederation/flex/git/trees/38b7719aa45e97cd9323d397f5edbb714257aac9",
      "html": "https://github.com/GluuFederation/flex/tree/main/automation/github-labels"
    }
  },
  {
    "name": "janssen_helm_chart",
    "path": "automation/janssen_helm_chart",
    "sha": "cdfeead3b4b79a156ba585c3334b95ec267d4e8d",
    "size": 0,
    "url": "https://api.github.com/repos/GluuFederation/flex/contents/automation/janssen_helm_chart?ref=main",
    "html_url": "https://github.com/GluuFederation/flex/tree/main/automation/janssen_helm_chart",
    "git_url": "https://api.github.com/repos/GluuFederation/flex/git/trees/cdfeead3b4b79a156ba585c3334b95ec267d4e8d",
    "download_url": null,
    "type": "dir",
    "_links": {
      "self": "https://api.github.com/repos/GluuFederation/flex/contents/automation/janssen_helm_chart?ref=main",
      "git": "https://api.github.com/repos/GluuFederation/flex/git/trees/cdfeead3b4b79a156ba585c3334b95ec267d4e8d",
      "html": "https://github.com/GluuFederation/flex/tree/main/automation/janssen_helm_chart"
    }
  },
  {
    "name": "markdown",
    "path": "automation/markdown",
    "sha": "86b70f1bbbaf5b2116a201e80ca1eebde3e9b16d",
    "size": 0,
    "url": "https://api.github.com/repos/GluuFederation/flex/contents/automation/markdown?ref=main",
    "html_url": "https://github.com/GluuFederation/flex/tree/main/automation/markdown",
    "git_url": "https://api.github.com/repos/GluuFederation/flex/git/trees/86b70f1bbbaf5b2116a201e80ca1eebde3e9b16d",
    "download_url": null,
    "type": "dir",
    "_links": {
      "self": "https://api.github.com/repos/GluuFederation/flex/contents/automation/markdown?ref=main",
      "git": "https://api.github.com/repos/GluuFederation/flex/git/trees/86b70f1bbbaf5b2116a201e80ca1eebde3e9b16d",
      "html": "https://github.com/GluuFederation/flex/tree/main/automation/markdown"
    }
  },
  {
    "name": "packaging",
    "path": "automation/packaging",

=== Attempting to retrieve nightly branch automation directory ===
[
  {
    "name": "auto_update_image_pr.py",
    "path": "automation/auto_update_image_pr.py",
    "sha": "1f8de3eb7bc3f98e26a162fc9450ed1fc76a3bad",
    "size": 1916,
    "url": "https://api.github.com/repos/GluuFederation/flex/contents/automation/auto_update_image_pr.py?ref=nightly",
    "html_url": "https://github.com/GluuFederation/flex/blob/nightly/automation/auto_update_image_pr.py",
    "git_url": "https://api.github.com/repos/GluuFederation/flex/git/blobs/1f8de3eb7bc3f98e26a162fc9450ed1fc76a3bad",
    "download_url": "https://raw.githubusercontent.com/GluuFederation/flex/nightly/automation/auto_update_image_pr.py",
    "type": "file",
    "_links": {
      "self": "https://api.github.com/repos/GluuFederation/flex/contents/automation/auto_update_image_pr.py?ref=nightly",
      "git": "https://api.github.com/repos/GluuFederation/flex/git/blobs/1f8de3eb7bc3f98e26a162fc9450ed1fc76a3bad",
      "html": "https://github.com/GluuFederation/flex/blob/nightly/automation/auto_update_image_pr.py"
    }
  },
  {
    "name": "common.py",
    "path": "automation/common.py",
    "sha": "abbe4787674e2ac1e92a08354a09b2776768d7ed",
    "size": 2077,
    "url": "https://api.github.com/repos/GluuFederation/flex/contents/automation/common.py?ref=nightly",
    "html_url": "https://github.com/GluuFederation/flex/blob/nightly/automation/common.py",
    "git_url": "https://api.github.com/repos/GluuFederation/flex/git/blobs/abbe4787674e2ac1e92a08354a09b2776768d7ed",
    "download_url": "https://raw.githubusercontent.com/GluuFederation/flex/nightly/automation/common.py",
    "type": "file",
    "_links": {
      "self": "https://api.github.com/repos/GluuFederation/flex/contents/automation/common.py?ref=nightly",
      "git": "https://api.github.com/repos/GluuFederation/flex/git/blobs/abbe4787674e2ac1e92a08354a09b2776768d7ed",
      "html": "https://github.com/GluuFederation/flex/blob/nightly/automation/common.py"
    }
  },
  {
    "name": "docs",
    "path": "automation/docs",
    "sha": "5b35490ccfef8783eeed9b32627d2b48d91a8039",
    "size": 0,
    "url": "https://api.github.com/repos/GluuFederation/flex/contents/automation/docs?ref=nightly",
    "html_url": "https://github.com/GluuFederation/flex/tree/nightly/automation/docs",
    "git_url": "https://api.github.com/repos/GluuFederation/flex/git/trees/5b35490ccfef8783eeed9b32627d2b48d91a8039",
    "download_url": null,
    "type": "dir",
    "_links": {
      "self": "https://api.github.com/repos/GluuFederation/flex/contents/automation/docs?ref=nightly",
      "git": "https://api.github.com/repos/GluuFederation/flex/git/trees/5b35490ccfef8783eeed9b32627d2b48d91a8039",
      "html": "https://github.com/GluuFederation/flex/tree/nightly/automation/docs"
    }
  },
  {
    "name": "github-labels",
    "path": "automation/github-labels",
    "sha": "38b7719aa45e97cd9323d397f5edbb714257aac9",
    "size": 0,
    "url": "https://api.github.com/repos/GluuFederation/flex/contents/automation/github-labels?ref=nightly",
    "html_url": "https://github.com/GluuFederation/flex/tree/nightly/automation/github-labels",
    "git_url": "https://api.github.com/repos/GluuFederation/flex/git/trees/38b7719aa45e97cd9323d397f5edbb714257aac9",
    "download_url": null,
    "type": "dir",
    "_links": {
      "self": "https://api.github.com/repos/GluuFederation/flex/contents/automation/github-labels?ref=nightly",
      "git": "https://api.github.com/repos/GluuFederation/flex/git/trees/38b7719aa45e97cd9323d397f5edbb714257aac9",
      "html": "https://github.com/GluuFederation/flex/tree/nightly/automation/github-labels"
    }
  },
  {
    "name": "janssen_helm_chart",
    "path": "automation/janssen_helm_chart",
    "sha": "cdfeead3b4b79a156ba585c3334b95ec267d4e8d",
    "size": 0,
    "url": "https://api.github.com/repos/GluuFederation/flex/contents/automation/janssen_helm_chart?ref=nightly",
    "html_url": "https://github.com/GluuFederation/flex/tree/nightly/automation/janssen_helm_chart",
    "git_url": "https://api.github.com/repos/GluuFederation/flex/git/trees/cdfeead3b4b79a156ba585c3334b95ec267d4e8d",
    "download_url": null,
    "type": "dir",
    "_links": {
      "self": "https://api.github.com/repos/GluuFederation/flex/contents/automation/janssen_helm_chart?ref=nightly",
      "git": "https://api.github.com/repos/GluuFederation/flex/git/trees/cdfeead3b4b79a156ba585c3334b95ec267d4e8d",
      "html": "https://github.com/GluuFederation/flex/tree/nightly/automation/janssen_helm_chart"
    }
  },
  {
    "name": "markdown",
    "path": "automation/markdown",
    "sha": "86b70f1bbbaf5b2116a201e80ca1eebde3e9b16d",
    "size": 0,
    "url": "https://api.github.com/repos/GluuFederation/flex/contents/automation/markdown?ref=nightly",
    "html_url": "https://github.com/GluuFederation/flex/tree/nightly/automation/markdown",
    "git_url": "https://api.github.com/repos/GluuFederation/flex/git/trees/86b70f1bbbaf5b2116a201e80ca1eebde3e9b16d",
    "download_url": null,
    "type": "dir",
    "_links": {
      "self": "https://api.github.com/repos/GluuFederation/flex/contents/automation/markdown?ref=nightly",
      "git": "https://api.github.com/repos/GluuFederation/flex/git/trees/86b70f1bbbaf5b2116a201e80ca1eebde3e9b16d",
      "html": "https://github.com/GluuFederation/flex/tree/nightly/automation/markdown"
    }
  },
  {
    "name": "packaging",
    "path": "automation/packaging",

</shell_result>

The verification has confirmed the critical issue. The pgsql.yaml and mysql.yaml files do not exist in the automation/ directory—both URLs return HTTP 404 errors. The directory listing shows only Python scripts and subdirectories, no YAML files.

YAML files referenced in wget commands do not exist and will cause failures.

Both URLs return HTTP 404:

  • https://raw.githubusercontent.com/GluuFederation/flex/nightly/automation/pgsql.yaml → Not found
  • https://raw.githubusercontent.com/GluuFederation/flex/nightly/automation/mysql.yaml → Not found

Users following lines 170-175 will fail at the wget step. Either:

  1. The YAML files need to be created and committed to the automation/ directory, or
  2. The documentation must reference the correct location/branch where these manifests exist

Additionally, the instruction "adjust values as preferred" remains vague without examples of which configuration parameters (credentials, database name, storage class, resource limits) require customization.

🧰 Tools
🪛 markdownlint-cli2 (0.18.1)

170-170: Trailing spaces
Expected: 0 or 2; Actual: 1

(MD009, no-trailing-spaces)

172-172: Fenced code blocks should be surrounded by blank lines

(MD031, blanks-around-fences)

🤖 Prompt for AI Agents 
In docs/admin/recipes/getting-started-rancher.md around lines 170 to 175, the
wget references to
https://raw.githubusercontent.com/GluuFederation/flex/nightly/automation/pgsql.yaml
(and similarly mysql.yaml) point to non-existent files and will 404; either add
the missing YAML manifests into the automation/ directory in the repo (commit
pgsql.yaml and mysql.yaml with the expected deployment/service/volume specs) or
update the documentation to point to the correct existing manifest URLs/branch;
also replace the vague "adjust values as preferred" with a short list of
concrete configurable fields (e.g., credentials, database name, storageClass,
resource requests/limits) and an example or link to the manifest sections users
should edit.


### Install MySQL database
!!! Note
Expand All @@ -189,21 +183,11 @@ kubectl get secret cn -o json -n <namespace>

- Open a kubectl shell from the top right navigation menu `>_`.
- Run:
```bash
wget https://raw.githubusercontent.com/GluuFederation/flex/nightly/automation/mysql.yaml
kubectl apply -f mysql.yaml #adjust values as preferred
```
helm repo add bitnami https://charts.bitnami.com/bitnami
helm repo update
kubectl create ns gluu #Create gluu namespace
```
- Pass in a custom password for the database. Here we used `Test1234#`. The admin user will be left as `root`. Notice we are installing in the `gluu` namespace. Run

```
helm install my-release --set auth.rootPassword=Test1234#,auth.database=jans bitnami/mysql -n gluu
```

### Successful Installation
After the installation is successful, you should have a `Statefulset` active in the rancher UI as shown in the screenshot below.

<img width="1504" alt="Screenshot 2022-07-05 at 14 54 26" src="https://user-images.githubusercontent.com/17182751/177326700-9215436c-f1c2-467f-94ff-601ff7fbdbfb.png">


2. Install [Nginx-Ingress](https://github.com/kubernetes/ingress-nginx), if you are not using Istio ingress
Expand All @@ -227,7 +211,7 @@ kubectl get secret cn -o json -n <namespace>
- Change the namespace from `default` to `gluu`, then click on `Next`.
- Scroll through the sections to get familiar with the options. For minimal setup follow with the next instructions.
- Add `License SSA`. Before initiating the setup, please obtain an [SSA](https://docs.gluu.org/vreplace-flex-version/install/agama/prerequisites/#obtaining-an-ssa) for Flex trial, after which you will issued a JWT.
- Click on the `Persistence` section. Change `SQL database host uri` to `postgresql.postgres.svc.cluster.local` in the case of `PostgreSQL` or `my-release-mysql.gluu.svc.cluster.local` in the case of `MySQL`. Also set `SQL database username`,`SQL password`, and `SQL database name` to the values you used during the database installation.
- Click on the `Persistence` section. Change `SQL database host uri` to `postgresql.gluu.svc` in the case of `PostgreSQL` or `mysql.gluu.svc` in the case of `MySQL`. Also set `SQL database username`,`SQL password`, and `SQL database name` to the values you used during the database installation.
Copy link
Contributor

@coderabbitai coderabbitai bot Nov 26, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick | 🔵 Trivial

🧩 Analysis chain

Script executed:

#!/bin/bash
# Find pgsql.yaml and mysql.yaml files
find . -type f \( -name "pgsql.yaml" -o -name "mysql.yaml" \) | head -20

Repository: GluuFederation/flex

<shell_result>
Repository: GluuFederation/flex
Exit code: 0

stdout:

./automation/mysql.yaml
./automation/pgsql.yaml

</shell_result>

Script executed:

#!/bin/bash
# Read the mysql.yaml file to check service definition
echo "=== mysql.yaml ===" 
cat ./automation/mysql.yaml

Repository: GluuFederation/flex

<shell_result>
Repository: GluuFederation/flex
Exit code: 0

stdout:

=== mysql.yaml ===
apiVersion: v1
kind: Secret
metadata:
  name: mysql-secret
  namespace: gluu
type: Opaque
stringData:
  root-password: Test1234#
---
apiVersion: v1
kind: Service
metadata:
  name: mysql
  namespace: gluu
spec:
  ports:
  - port: 3306
  selector:
    app: mysql
  clusterIP: None
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: mysql
  namespace: gluu
spec:
  selector:
    matchLabels:
      app: mysql
  strategy:
    type: Recreate
  template:
    metadata:
      labels:
        app: mysql
    spec:
      containers:
      - image: mysql:8.0
        name: mysql
        env:
        - name: MYSQL_ROOT_PASSWORD
          valueFrom:
            secretKeyRef:
              name: mysql-secret
              key: root-password
        - name: MYSQL_DATABASE
          value: gluu
        ports:
        - containerPort: 3306
          name: mysql
        volumeMounts:
        - name: mysql-persistent-storage
          mountPath: /var/lib/mysql
      volumes:
      - name: mysql-persistent-storage
        persistentVolumeClaim:
          claimName: mysql-pv-claim
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: mysql-pv-claim
  namespace: gluu
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 5Gi

</shell_result>

Script executed:

#!/bin/bash
# Read the pgsql.yaml file to check service definition
echo "=== pgsql.yaml ===" 
cat ./automation/pgsql.yaml

Repository: GluuFederation/flex

<shell_result>
Repository: GluuFederation/flex
Exit code: 0

stdout:

=== pgsql.yaml ===
apiVersion: v1
kind: Secret
metadata:
  name: postgresql-secret
  namespace: gluu
type: Opaque
stringData:
  postgresql-password: Test1234#
---
apiVersion: v1
kind: Service
metadata:
  name: postgresql
  namespace: gluu
spec:
  ports:
  - port: 5432
  selector:
    app: postgresql
  clusterIP: None
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: postgresql
  namespace: gluu
spec:
  selector:
    matchLabels:
      app: postgresql
  strategy:
    type: Recreate
  template:
    metadata:
      labels:
        app: postgresql
    spec:
      containers:
      - image: postgres:16
        name: postgresql
        env:
        - name: POSTGRES_PASSWORD
          valueFrom:
            secretKeyRef:
              name: postgresql-secret
              key: postgresql-password
        - name: POSTGRES_DB
          value: gluu
        - name: PGDATA
          value: /var/lib/postgresql/data/pgdata
        ports:
        - containerPort: 5432
          name: postgresql
        volumeMounts:
        - name: postgresql-persistent-storage
          mountPath: /var/lib/postgresql/data
      volumes:
      - name: postgresql-persistent-storage
        persistentVolumeClaim:
          claimName: postgresql-pv-claim
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: postgresql-pv-claim
  namespace: gluu
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 5Gi

</shell_result>

Based on my verification of the deployment manifests, I can now provide the rewritten review comment:

Hostname verification confirms values are correct; consider adding verification step for user clarity.

Line 214 references postgresql.gluu.svc and mysql.gluu.svc, which correctly match the service definitions in pgsql.yaml and mysql.yaml (both services are deployed in the gluu namespace). However, the instruction could be clearer for users unfamiliar with Kubernetes DNS conventions.

Consider adding a verification step:

Change `SQL database host uri` to `postgresql.gluu.svc` (for PostgreSQL) or `mysql.gluu.svc` (for MySQL).

To verify the service names after deployment, run:
kubectl get svc -n gluu
🤖 Prompt for AI Agents 
docs/admin/recipes/getting-started-rancher.md around line 214: the instructions
list the correct hostnames `postgresql.gluu.svc` and `mysql.gluu.svc` but lack a
verification step for users unfamiliar with Kubernetes DNS; update the sentence
to first instruct users to set `SQL database host uri` to `postgresql.gluu.svc`
(PostgreSQL) or `mysql.gluu.svc` (MySQL) and then add a short verification
command suggestion such as running `kubectl get svc -n gluu` to confirm the
service names are present in the `gluu` namespace.

- To enable Casa and the Admin UI, navigate to the `Optional Services` section and check the `Enable casa` and `boolean flag to enable admin UI` boxes. You can also enable different services like `Client API` and `Jackrabbit`.
- Click on the section named `Ingress` and enable all the endpoints. You might add LB IP or address if you don't have `FQDN` for `Gluu`.
- To pass your `FQDN` or `Domain` that is intended to serve the Gluu Flex IDP, head to the `Configuration` section:
Expand Down
3 changes: 2 additions & 1 deletion docs/includes/cn-system-requirements.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -21,5 +21,6 @@ Use the listing below for a detailed estimation of the minimum required resource
| link | 0.5 | 1GB | N/A | 64 Bit | No |
| saml | 0.5 | 1GB | N/A | 64 Bit | No |
| kc-scheduler - job| 0.3 | 0.3GB | N/A | 64 Bit | No |
| cleanup - job | 0.3 | 0.3GB | N/A | 64 Bit | Yes |

Releases of images are in style 1.0.0-beta.0, 1.0.0-0
Releases of images are in style 0.0.0-nightly or x.y-z-1
31 changes: 11 additions & 20 deletions docs/install/helm-install/amazon-eks.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -68,8 +68,6 @@ tags:
Add the following yaml snippet to your `override.yaml` file:

```yaml
global:
isFqdnRegistered: false
config:
configmap:
lbAddr: http:// #Add LB address from previous command
Expand All @@ -81,7 +79,6 @@ tags:

```yaml
global:
isFqdnRegistered: true
fqdn: demoexample.gluu.org #CHANGE-THIS to the FQDN used for Gluu
config:
configmap:
Expand All @@ -102,24 +99,22 @@ tags:

In a production environment, a production grade PostgreSQL server should be used such as `Amazon RDS`

For testing purposes, you can deploy it on the EKS cluster using the following command:
For testing purposes, you can deploy it on the EKS cluster using the following commands:

```
helm install my-release --set auth.postgresPassword=Test1234#,auth.database=gluu -n gluu oci://registry-1.docker.io/bitnamicharts/postgresql
```bash
wget https://raw.githubusercontent.com/GluuFederation/flex/vreplace-flex-version/automation/pgsql.yaml
kubectl apply -f pgsql.yaml
```

Add the following yaml snippet to your `override.yaml` file:

```yaml

global:
cnPersistenceType: sql
config:
configmap:
cnSqlDbName: gluu
cnSqlDbPort: 5432
cnSqlDbDialect: pgsql
cnSqlDbHost: my-release-postgresql.gluu.svc
cnSqlDbHost: postgresql.gluu.svc
cnSqlDbUser: postgres
cnSqlDbTimezone: UTC
cnSqldbUserPassword: Test1234#
Expand All @@ -129,24 +124,22 @@ tags:

In a production environment, a production grade MySQL server should be used such as `Amazon RDS`

For testing purposes, you can deploy it on the EKS cluster using the following command:
For testing purposes, you can deploy it on the EKS cluster using the following commands:

```
helm install my-release --set auth.rootPassword=Test1234#,auth.database=gluu -n gluu oci://registry-1.docker.io/bitnamicharts/mysql
```bash
wget https://raw.githubusercontent.com/GluuFederation/flex/vreplace-flex-version/automation/mysql.yaml
kubectl apply -f mysql.yaml
```

Add the following yaml snippet to your `override.yaml` file:

```yaml

global:
cnPersistenceType: sql
config:
configmap:
cnSqlDbName: gluu
cnSqlDbPort: 3306
cnSqlDbDialect: mysql
cnSqlDbHost: my-release-mysql.gluu.svc
cnSqlDbHost: mysql.gluu.svc
cnSqlDbUser: root
cnSqlDbTimezone: UTC
cnSqldbUserPassword: Test1234#
Expand All @@ -156,8 +149,6 @@ tags:

```yaml
global:
cnPersistenceType: sql
isFqdnRegistered: true
fqdn: demoexample.gluu.org #CHANGE-THIS to the FQDN used for Gluu
nginx-ingress:
ingress:
Expand All @@ -174,7 +165,7 @@ tags:
cnSqlDbName: gluu
cnSqlDbPort: 3306
cnSqlDbDialect: mysql
cnSqlDbHost: my-release-mysql.gluu.svc
cnSqlDbHost: mysql.gluu.svc
cnSqlDbUser: root
cnSqlDbTimezone: UTC
cnSqldbUserPassword: Test1234#
Expand Down
Loading