feat: Add optional DB secret volume mount in Helm Chart #260

Merged
lachen-nv merged 3 commits into NVIDIA:main from lachen-nv:feat/helm-secret
Mar 17, 2026

Conversation

@lachen-nv
Contributor

Description

Add secret-based DB password support to carbide-rest chart

  • Add optional secrets.dbCreds field to carbide-rest-api and carbide-rest-workflow sub-charts. When set, DB password is read from a mounted secret file instead of plaintext in ConfigMap, enabling secure deployment in production environments.
  • Bump chart version 0.1.2 → 0.1.3

Type of Change

  • Feature - New feature or functionality (feat:)
  • Fix - Bug fixes (fix:)
  • Chore - Modification or removal of existing functionality (chore:)
  • Refactor - Refactoring of existing functionality (refactor:)
  • Docs - Changes in documentation or OpenAPI schema (docs:)
  • CI - Changes in Github workflows. Requires additional scrutiny (ci:)
  • Version - Issuing a new release version (version:)

Services Affected

  • API - API models or endpoints updated
  • Workflow - Workflow service updated
  • DB - DB DAOs or migrations updated
  • Site Manager - Site Manager updated
  • Cert Manager - Cert Manager updated
  • Site Agent - Site Agent updated
  • RLA - RLA service updated
  • Powershelf Manager - Powershelf Manager updated
  • NVSwitch Manager - NVSwitch Manager updated

Related Issues (Optional)

Breaking Changes

  • This PR contains breaking changes

Testing

  • Unit tests added/updated
  • Integration tests added/updated
  • Manual testing performed
  • No testing required (docs, internal refactor, etc.)

Additional Notes

@copy-pr-bot

copy-pr-bot bot commented Mar 16, 2026

Auto-sync is disabled for draft pull requests in this repository. Workflows must be run manually.

Contributors can view more details about this message here.

@coderabbitai

coderabbitai bot commented Mar 16, 2026

📝 Walkthrough

Walkthrough

The PR updates Helm charts for the carbide-rest application to support database credentials via Kubernetes secrets. Changes include a chart version bump, conditional configuration handling in ConfigMap templates, volume mount additions in deployment manifests, new helper templates for credential secret management, and values.yaml additions to expose the secrets.dbCreds configuration option. When enabled, plaintext passwords are replaced with a passwordPath pointing to /var/secrets/db/password.

Changes

Chart Version Management
  helm/charts/carbide-rest/Chart.yaml
  Bumped chart version from 0.1.2 to 0.1.3.

Database Credentials Configuration Templates
  helm/charts/carbide-rest/charts/carbide-rest-api/templates/configmap.yaml
  helm/charts/carbide-rest/charts/carbide-rest-workflow/templates/configmap.yaml
  Added conditional blocks that, when secrets.dbCreds is set, create a modified config copy with db.passwordPath injected and db.password removed, then render it as YAML.

Database Credentials Volume Management
  helm/charts/carbide-rest/charts/carbide-rest-workflow/templates/_helpers.tpl
  Added two new helper templates: carbide-rest-workflow.dbCredsVolumeMount for a conditional volume mount at /var/secrets/db (readOnly), and carbide-rest-workflow.dbCredsVolume for a conditional secret-based volume sourcing the dbCreds secret with key mapping password → password.

Deployment Manifests with Credentials Mounting
  helm/charts/carbide-rest/charts/carbide-rest-api/templates/deployment.yaml
  helm/charts/carbide-rest/charts/carbide-rest-workflow/templates/deployment-cloud-worker.yaml
  helm/charts/carbide-rest/charts/carbide-rest-workflow/templates/deployment-site-worker.yaml
  Added conditional volume mounts and secret volumes for database credentials when secrets.dbCreds is enabled, using the helper templates for consistent configuration across deployments.

Values Configuration
  helm/charts/carbide-rest/charts/carbide-rest-api/values.yaml
  helm/charts/carbide-rest/charts/carbide-rest-workflow/values.yaml
  Added a new secrets.dbCreds field (empty string default) with documentation noting that the plaintext db.password is ignored when this secret reference is set.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~22 minutes

Poem

🐰 Hops through secrets with glee,
Passwords hidden where they should be,
No plaintext in sight, just volumes that mount,
Each template revised with conditional account! 🔐✨

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
  • Description check: ✅ Passed. The description clearly explains the feature, its purpose (secure production deployments), affected components, and the version bump, directly corresponding to the changeset.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Title check: ✅ Passed. The title accurately describes the main change: adding optional DB secret volume mount support to the Helm chart, which is the primary feature introduced across multiple template and values files.

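The mechanism the walkthrough describes, written out as one added example (not the chart's own templates): the values switch, the ConfigMap copy that swaps db.password for db.passwordPath, and the read-only secret mount, with the defaultMode hardening applied. The ConfigMap name, the `api` container name, the Secret name and uid/gid 1000 are assumptions; the Secret is assumed to already exist with a `password` key.

```yaml
# values.yaml (excerpt). An empty dbCreds keeps the plaintext behaviour.
secrets:
  dbCreds: ""            # name of an existing Secret with key "password" (assumed, e.g. carbide-db-creds)
config:
  db:
    name: forge
    user: forge
    password: forge      # ignored when secrets.dbCreds is set

# templates/configmap.yaml: replace the plaintext password with a passwordPath
apiVersion: v1
kind: ConfigMap
metadata:
  name: {{ .Release.Name }}-config      # ConfigMap name is an assumption
data:
  config.yaml: |
{{- if .Values.secrets.dbCreds }}
    {{- $config := deepCopy .Values.config }}
    {{- $_ := set $config.db "passwordPath" "/var/secrets/db/password" }}
    {{- $_ := unset $config.db "password" }}
    {{- toYaml $config | nindent 4 }}
{{- else }}
    {{- toYaml .Values.config | nindent 4 }}
{{- end }}

# templates/deployment.yaml (pod spec excerpt): read-only mount, owner-only file mode
spec:
  securityContext:
    runAsUser: 1000      # uid is an assumption
    fsGroup: 1000        # secret files are root-owned; fsGroup gives this group read access
  containers:
    - name: api
      volumeMounts:
{{- if .Values.secrets.dbCreds }}
        - name: db-creds
          mountPath: /var/secrets/db
          readOnly: true
{{- end }}
  volumes:
{{- if .Values.secrets.dbCreds }}
    - name: db-creds
      secret:
        secretName: {{ .Values.secrets.dbCreds }}
        defaultMode: 0400     # owner read-only; with fsGroup set the group also gets read
        items:
          - key: password
            path: password
{{- end }}
```

Without fsGroup (or runAsUser 0), a 0400 root-owned file is unreadable to a non-root container user, so the securityContext and defaultMode have to be set together.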

@lachen-nv
Contributor Author

/ok to test 6e2bef5

@github-actions

🔐 TruffleHog Secret Scan

No secrets or credentials found!

Your code has been scanned for 700+ types of secrets and credentials. All clear! 🎉

🔗 View scan details

🕐 Last updated: 2026-03-16 12:59:41 UTC | Commit: 6e2bef5

@github-actions

🛡️ Vulnerability Scan

🚨 Found 64 vulnerability(ies)
📊 vs main: 64 (no change)

Severity Breakdown:

  • 🔴 Critical/High: 64
  • 🟡 Medium: 0
  • 🔵 Low/Info: 0

🔗 View full details in Security tab

🕐 Last updated: 2026-03-16 12:59:53 UTC | Commit: 6e2bef5

@lachen-nv lachen-nv changed the title feat(helm): Add optional secret volume mount DB cred support to carbi… feat: Add optional secret volume mount DB cred support to carbi… Mar 16, 2026
@lachen-nv lachen-nv marked this pull request as ready for review March 16, 2026 13:22

@coderabbitai coderabbitai bot left a comment

🧹 Nitpick comments (2)
helm/charts/carbide-rest/charts/carbide-rest-api/templates/deployment.yaml (1)

91-96: Harden DB secret volume file permissions.

Consider setting defaultMode: 0400 on the secret volume at Line 91–96 to reduce in-container secret readability scope.

Proposed hardening patch
         - name: db-creds
           secret:
             secretName: {{ .Values.secrets.dbCreds }}
+            defaultMode: 0400
             items:
               - key: password
                 path: password
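Review bot: the added `defaultMode: 0400` leaves the projected file owner-read-only, and secret volume files are owned by root, so a container running as a non-root user cannot open /var/secrets/db/password unless the pod's securityContext also sets fsGroup (Kubernetes then grants that group read access) or the container runs as root; the suggestion should state that assumption or pair the change with fsGroup. It also only touches carbide-rest-api's deployment.yaml, while the workflow deployments take their volume from the carbide-rest-workflow.dbCredsVolume helper in _helpers.tpl, so the same defaultMode belongs in that helper to keep the three deployments consistent.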
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@helm/charts/carbide-rest/charts/carbide-rest-api/templates/deployment.yaml`
around lines 91 - 96, The secret volume mount defined under the secret block
that uses .Values.secrets.dbCreds (the secretName with items key: password path:
password) should set defaultMode: 0400 to restrict in-container file
permissions; update the secret section in the deployment template to add
defaultMode: 0400 (octal) alongside secretName and items so the rendered secret
file is readable only by the container owner.
helm/charts/carbide-rest/charts/carbide-rest-api/templates/configmap.yaml (1)

11-18: Consider extracting shared DB config-morph logic into a helper template.

Line 11–18 is correct, but this logic now exists in both API and workflow configmaps; centralizing it would reduce drift risk on future changes.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@helm/charts/carbide-rest/charts/carbide-rest-api/templates/configmap.yaml`
around lines 11 - 18, Duplicate DB config-morph logic (the deepCopy into
$config, setting $config.db "passwordPath" and unsetting $config.db "password"
using set/unset) appears in multiple configmap templates; extract this into a
reusable helper template (e.g., define a named template like "carbide.dbConfig"
in templates/_helpers.tpl) that accepts the chart context (or .Values.config and
.Values.secrets.dbCreds) and returns the transformed config YAML, then replace
the duplicated block in both carbide-rest-api and workflow configmap templates
with an include call to that helper (ensuring you preserve the conditional on
.Values.secrets.dbCreds and the use of toYaml | nindent 4 when rendering).
📥 Commits

Reviewing files that changed from the base of the PR and between 746492b and 6e2bef5.

📒 Files selected for processing (9)
  • helm/charts/carbide-rest/Chart.yaml
  • helm/charts/carbide-rest/charts/carbide-rest-api/templates/configmap.yaml
  • helm/charts/carbide-rest/charts/carbide-rest-api/templates/deployment.yaml
  • helm/charts/carbide-rest/charts/carbide-rest-api/values.yaml
  • helm/charts/carbide-rest/charts/carbide-rest-workflow/templates/_helpers.tpl
  • helm/charts/carbide-rest/charts/carbide-rest-workflow/templates/configmap.yaml
  • helm/charts/carbide-rest/charts/carbide-rest-workflow/templates/deployment-cloud-worker.yaml
  • helm/charts/carbide-rest/charts/carbide-rest-workflow/templates/deployment-site-worker.yaml
  • helm/charts/carbide-rest/charts/carbide-rest-workflow/values.yaml

@thossain-nv thossain-nv changed the title feat: Add optional secret volume mount DB cred support to carbi… feat: Add optional DB secret volume mount in Helm Mar 16, 2026
name: forge
user: forge
# -- Plain-text password. Ignored when secrets.dbCreds is set.
password: forge
Contributor

We should probably remove this altogether?

Contributor Author

thanks @thossain-nv , I will check the scope for this change and send another PR.

@lachen-nv lachen-nv changed the title feat: Add optional DB secret volume mount in Helm feat: Add optional DB secret volume mount in Helm Chart Mar 17, 2026
@lachen-nv lachen-nv merged commit bc56e32 into NVIDIA:main Mar 17, 2026
52 checks passed
@lachen-nv lachen-nv deleted the feat/helm-secret branch March 17, 2026 02:31