
Dockerfile and Trivy files #12

Open
meenakshiraw wants to merge 1 commit into iemafzalhassan:main from meenakshiraw:meenakshi

Conversation


@meenakshiraw meenakshiraw commented Aug 3, 2025

my pull request

Summary by CodeRabbit

  • New Features

    • Added Kubernetes configuration files for backend secrets, frontend NGINX config, and Kind cluster setup.
    • Introduced Trivy vulnerability scan reports for backend and frontend components.
  • Bug Fixes

    • Updated container images, environment variables, and resource limits in Kubernetes deployments for improved compatibility and security.
  • Refactor

    • Simplified and clarified Dockerfiles for backend and frontend services.
    • Streamlined docker-compose configuration with unified network, updated container names, and environment variable management.
  • Documentation

    • Major improvements to Kubernetes deployment README for clearer setup and cleanup instructions.
  • Chores

    • Updated base images and cleaned up configuration files for consistency and maintainability.
  • Revert

    • Removed obsolete Kubernetes secret and healthcheck configurations.


coderabbitai bot commented Aug 3, 2025

Walkthrough

This update introduces and revises Dockerfiles for backend and frontend services, refactors the docker-compose setup, and extensively restructures Kubernetes manifests and documentation. Key changes include new and updated container images, environment variable handling, health checks, resource requests, and secret/configmap management. Additional configuration files and vulnerability scan reports were also added.

Changes

| Cohort / File(s) | Change Summary |
| --- | --- |
| Backend Docker Containerization: `backend/Dockerfile` | Updated to use Node.js 20-alpine for build and a distroless Node.js 20 runtime. Refined dependency installation, removed health checks, switched entrypoint to `node src/index.js`, and adjusted comments. |
| Frontend Docker Containerization: `frontend/Dockerfile`, `frontend/nginx.conf` | Refactored Dockerfile for clarity, switched Nginx base image, adjusted file copy order, and removed health checks. Nginx config updated to use only `index.html` and changed backend proxy target to `backend`. |
| Multi-stage Node.js Dockerfile: `Dockerfile` | Introduced a new multi-stage Dockerfile for a Node.js app using Node 20 Alpine, separating dependency installation and runtime stages, and exposing port 5001. |
| Docker Compose Configuration: `docker-compose.yml` | Updated version, simplified service definitions, unified network, adjusted port mappings, renamed containers and volumes, and removed explicit environment variables and health checks. |
| Frontend Development Config: `frontend/vite.config.js` | Added explicit server configuration: host 0.0.0.0, port 5173, and strict port binding. |
| Kubernetes Documentation: `k8s/README.md` | Extensively revised for clarity, added step-by-step instructions, improved structure, and updated command references and verification steps. |
| Kubernetes Backend Deployment: `k8s/backend-deployment.yaml`, `k8s/backend-service.yaml`, `k8s/backend-secrets.yaml` | Changed backend image and imagePullPolicy, updated environment variables and secret references, added resource requests/limits, switched service to NodePort, and introduced a new backend secret manifest. |
| Kubernetes Frontend Deployment: `k8s/frontend-deployment.yaml`, `k8s/frontend-service.yaml`, `k8s/frontend-configmap.yaml` | Updated frontend image, added env vars, probes, and resource limits; mounted a new nginx configmap; reformatted service manifest and added explicit protocol. |
| Kubernetes MongoDB Deployment: `k8s/mongodb-deployment.yaml`, `k8s/mongodb-service.yaml`, `k8s/mongo-pvc.yaml` | Changed MongoDB image and credentials, added explicit storage class to PVC, and specified protocol in service. |
| Kubernetes Kind Cluster Config: `k8s/kind-config.yaml` | Added new Kind cluster config with port mappings for external access. |
| Kubernetes Secret Removal: `k8s/jwt-secret.yaml` | Deleted old JWT secret manifest. |
| Trivy Vulnerability Reports: `trivy-backend-summary.txt`, `trivy-frontend-summary.txt` | Added new vulnerability scan reports for backend (Debian) and frontend (Alpine), listing detected vulnerabilities and warnings. |

Sequence Diagram(s)

sequenceDiagram
    participant User
    participant Nginx (Frontend)
    participant Backend
    participant MongoDB

    User->>Nginx (Frontend): HTTP GET /
    Nginx (Frontend)->>Nginx (Frontend): Serve index.html

    User->>Nginx (Frontend): HTTP API /api/...
    Nginx (Frontend)->>Backend: Proxy /api/...
    Backend->>MongoDB: Query/Update Data
    MongoDB-->>Backend: Response
    Backend-->>Nginx (Frontend): API Response
    Nginx (Frontend)-->>User: API Response

    User->>Nginx (Frontend): WebSocket /socket.io/
    Nginx (Frontend)->>Backend: Proxy WebSocket /socket.io/
    Backend-->>Nginx (Frontend): WebSocket Data
    Nginx (Frontend)-->>User: WebSocket Data

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐇
In the warren of YAML, Docker, and code,
I hopped through configs, lightening the load.
Secrets now safer, images up to date,
Compose and clusters coordinate.
With Trivy’s keen nose, vulnerabilities found—
Now our stacks are secure, containers sound.
Let’s nibble some carrots and ship this round!
🥕


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 5

🔭 Outside diff range comments (1)
frontend/nginx.conf (1)

15-21: Avoid double-prefixing paths when proxying /api/*

With location /api/ { … proxy_pass http://backend:5001/api/; } Nginx drops the matched prefix (/api/) before appending the remainder of the URI.
e.g. /api/users → http://backend:5001/api/ (note no users).
If the backend expects the full path you probably want:

-    proxy_pass http://backend:5001/api/;
+    proxy_pass http://backend:5001;

(or use rewrite/proxy_pass with the $request_uri).
Same applies to the Socket.IO block below.

🧹 Nitpick comments (19)
k8s/mongodb-service.yaml (1)

9-12: Consider adding a port name for discoverability

Explicitly declaring protocol: TCP is fine, but a named port (e.g. name: mongo) helps other resources (ingress, probes) reference the service port symbolically and improves readability.

 ports:
-  - protocol: TCP
+  - name: mongo
+    protocol: TCP
     port: 27017
     targetPort: 27017
k8s/backend-secrets.yaml (1)

7-8: Missing trailing newline

YAML-lint flags the lack of a terminating newline. Add one to satisfy linters and POSIX text file conventions.

trivy-backend-summary.txt (1)

1-33: Generated scan output clutters the repository

The Trivy summary contains ANSI color codes and will drift as base images update. Prefer storing reports in CI artifacts or publishing them to a security dashboard instead of committing them to Git.

k8s/mongo-pvc.yaml (1)

11-12: Add newline at EOF to satisfy linters

Same YAML-lint warning as for the secret file. Append a trailing newline.

k8s/mongodb-deployment.yaml (1)

18-18: Pin image by digest for reproducible deploys

Using a mutable tag (iemafzal/mongodb:v1) risks silent upgrades. Pin to a SHA-256 digest or automate image signing to guarantee identical bits across clusters.

trivy-frontend-summary.txt (1)

1-12: Committing scanner output bloats the repo

Log artifacts (trivy-*.txt) are better kept in CI artifacts or releases, not under version control, to avoid noise and future merge conflicts. Consider adding them to .gitignore.

frontend/vite.config.js (1)

6-11: Fix indentation for the server block to avoid noisy diffs later
server is aligned at the first column while plugins is indented two spaces. Keeping properties at a consistent indentation level improves readability and prevents accidental merge conflicts.

-  plugins: [react()],
-server: {
+  plugins: [react()],
+  server: {
     host: '0.0.0.0',
     port: 5173,
     strictPort: true,
   },
k8s/frontend-deployment.yaml (3)

16-51: Add a pod-level securityContext to satisfy CKV_K8S_20 / 23
Running NGINX as root inside the pod is unnecessary. A minimal non-root context eliminates both “allowPrivilegeEscalation” and “run as root” findings flagged by Checkov.

 spec:
   containers:
   - name: frontend
@@
     resources:
       requests:
         memory: "128Mi"
         cpu: "100m"
+  securityContext:
+    runAsNonRoot: true
+    runAsUser: 101 # nginx
+    allowPrivilegeEscalation: false

41-44: YAML indentation off by two spaces
Lines 41-44 are indented 10 spaces but should be 8 under volumeMounts:. This currently passes kubectl but will break yamllint and some CI steps.

-          - name: nginx-config
-            mountPath: /etc/nginx/conf.d/default.conf
-            subPath: nginx.conf
+        - name: nginx-config
+          mountPath: /etc/nginx/conf.d/default.conf
+          subPath: nginx.conf

51-54: Final newline & indentation
Insert a terminating newline and fix the 2-space over-indent so yamllint passes.

-        - name: nginx-config
-          configMap:
-            name: nginx-config
+      volumes:
+        - name: nginx-config
+          configMap:
+            name: nginx-config
+
k8s/backend-deployment.yaml (1)

34-40: Add trailing newline & non-root securityContext
Same linter and security findings as the frontend manifest. Append a newline and optionally add:

      securityContext:
        runAsNonRoot: true
        allowPrivilegeEscalation: false
k8s/frontend-configmap.yaml (3)

10-18: Remove trailing whitespace to satisfy YAML linting
Several lines within the server block carry superfluous spaces at EOL (e.g., Lines 11, 14, 18). They do not alter behaviour but break yamllint and other CI hooks.

-        server_name localhost;␠
+        server_name localhost;

(repeat for the remaining lines)


27-39: Add final newline & clean trailing blanks
The file ends on Line 39 without a newline and still contains a trailing space. Most SCM / CI systems flag this; kube-apiserver accepts it, but formatting hygiene is cheap.

-    }␠
+    }
+

19-37: Consider explicit timeouts & header hardening for WebSocket traffic
The two proxy locations omit proxy_read_timeout, which defaults to 60 s in NGINX. Chat/WebSocket sessions will break after a minute of inactivity. In addition, forwarding X-Forwarded-* headers in both /api/ and /socket.io/ keeps logs consistent.

            proxy_set_header X-Forwarded-Host $host;
+           proxy_read_timeout 3600s;
frontend/Dockerfile (1)

12-25: Ship smaller image by switching to distroless or nginx-alpine-slim
nginx:alpine is ~20 MB larger than nginx:alpine-perl or gcr.io/distroless/nginx. Consider a slimmer base to cut attack surface and pull times.

k8s/README.md (2)

99-109: Branch checkout should precede cd k8s
You cd into k8s then switch branches, which works but is non-intuitive and breaks if the directory is absent on the other branch. Swap the commands or drop the cd.

-git clone https://github.com/iemafzalhassan/full-stack_chatApp.git
-cd full-stack_chatApp/k8s
-git checkout DevOps
+git clone https://github.com/iemafzalhassan/full-stack_chatApp.git
+cd full-stack_chatApp
+git checkout DevOps
+cd k8s

236-245: Heading punctuation and bare URL violate markdown-lint
Line 120 ends in : and Line 218 contains a bare URL. While harmless for GitHub render, they trip markdownlint. Quick fix:

-### 1. Create Kind Cluster:
+### 1. Create Kind Cluster
...
-The application is exposed through NodePort services:
-http://localhost:8080
+The application is exposed through NodePort services at  
+[http://localhost:8080](http://localhost:8080)
docker-compose.yml (2)

20-24: env_file path couples compose file to project layout
./backend/.env forces consumers to keep the same directory structure. You can instead mount the env file via a relative path (env_file: backend/.env) or use a shared .env at repo root.


31-34: Extraneous blank line & trailing spaces
Line 33 contains trailing spaces and a stray blank line, failing yamllint.

-      - "8081:80"␠
-  
+      - "8081:80"
📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between f3d38e3 and d183874.

📒 Files selected for processing (20)
  • Dockerfile (1 hunks)
  • backend/Dockerfile (1 hunks)
  • docker-compose.yml (1 hunks)
  • frontend/Dockerfile (1 hunks)
  • frontend/nginx.conf (4 hunks)
  • frontend/vite.config.js (1 hunks)
  • k8s/README.md (4 hunks)
  • k8s/backend-deployment.yaml (1 hunks)
  • k8s/backend-secrets.yaml (1 hunks)
  • k8s/backend-service.yaml (1 hunks)
  • k8s/frontend-configmap.yaml (1 hunks)
  • k8s/frontend-deployment.yaml (1 hunks)
  • k8s/frontend-service.yaml (1 hunks)
  • k8s/jwt-secret.yaml (0 hunks)
  • k8s/kind-config.yaml (1 hunks)
  • k8s/mongo-pvc.yaml (1 hunks)
  • k8s/mongodb-deployment.yaml (1 hunks)
  • k8s/mongodb-service.yaml (1 hunks)
  • trivy-backend-summary.txt (1 hunks)
  • trivy-frontend-summary.txt (1 hunks)
💤 Files with no reviewable changes (1)
  • k8s/jwt-secret.yaml
🧰 Additional context used
🪛 YAMLlint (1.37.1)
k8s/mongo-pvc.yaml

[error] 12-12: no new line character at the end of file

(new-line-at-end-of-file)

k8s/backend-secrets.yaml

[error] 8-8: no new line character at the end of file

(new-line-at-end-of-file)

k8s/backend-deployment.yaml

[error] 40-40: no new line character at the end of file

(new-line-at-end-of-file)

k8s/frontend-deployment.yaml

[warning] 41-41: wrong indentation: expected 8 but found 10

(indentation)


[warning] 52-52: wrong indentation: expected 6 but found 8

(indentation)


[error] 54-54: no new line character at the end of file

(new-line-at-end-of-file)

k8s/frontend-configmap.yaml

[error] 11-11: trailing spaces

(trailing-spaces)


[error] 14-14: trailing spaces

(trailing-spaces)


[error] 18-18: trailing spaces

(trailing-spaces)


[error] 27-27: trailing spaces

(trailing-spaces)


[error] 39-39: no new line character at the end of file

(new-line-at-end-of-file)


[error] 39-39: trailing spaces

(trailing-spaces)

docker-compose.yml

[error] 33-33: trailing spaces

(trailing-spaces)

🪛 Checkov (3.2.334)
k8s/backend-deployment.yaml

[MEDIUM] 1-40: Containers should not run with allowPrivilegeEscalation

(CKV_K8S_20)


[MEDIUM] 1-40: Minimize the admission of root containers

(CKV_K8S_23)


[MEDIUM] 24-25: Basic Auth Credentials

(CKV_SECRET_4)

k8s/frontend-deployment.yaml

[MEDIUM] 1-54: Containers should not run with allowPrivilegeEscalation

(CKV_K8S_20)


[MEDIUM] 1-54: Minimize the admission of root containers

(CKV_K8S_23)

🪛 markdownlint-cli2 (0.17.2)
k8s/README.md

120-120: Trailing punctuation in heading
Punctuation: ':'

(MD026, no-trailing-punctuation)


218-218: Bare URL used

(MD034, no-bare-urls)

🔇 Additional comments (9)
k8s/kind-config.yaml (1)

7-10: NodePort ↔ hostPort mapping mismatch in the docs

You expose container port 30080 as host 8080. In the README you instruct users to access the frontend via NodePort 8080, which is the host port, not the NodePort inside the cluster (30080). Please clarify the wording (or align the port numbers) to avoid confusion.

frontend/nginx.conf (2)

24-34: Replicate the path-preservation fix for WebSocket traffic

If you adjust the /api/ proxy rule, mirror the change here to keep behaviour consistent:

-    proxy_pass http://backend:5001/socket.io/;
+    proxy_pass http://backend:5001;

The backend’s Socket.IO handler will still receive the correct /socket.io/* path.


6-6: Dropping index.htm is fine but consider legacy clients

Most modern SPAs only emit index.html, so this is safe. If you served pre-compressed assets (e.g., index.html.gz) or older tooling that produced index.htm, make sure nothing breaks.

k8s/frontend-service.yaml (1)

2-15: Service definition looks correct

Selector, port 80 exposure and NodePort 30080 are valid and within the 30000-32767 range. No functional concerns.

k8s/backend-service.yaml (1)

4-14: NodePort exposure acknowledged

Port 30501 is inside the allowed range and matches the container port 5001. Ensure firewall rules/open ports on cluster nodes if you expect external traffic.

backend/Dockerfile (1)

28-31: Confirm distroless entrypoint expectation
The base image gcr.io/distroless/nodejs20 already defines
ENTRYPOINT ["node"]
so your CMD ["src/index.js"] will be invoked as
node src/index.js

Please ensure that, after the build, /app/src/index.js actually exists in the image (matching your WORKDIR). You can manually verify this in your local environment by running:

docker build -f backend/Dockerfile -t backend-test .
docker run --rm backend-test --version    # should print the Node version
# or inspect the image config:
docker inspect backend-test --format='{{json .Config}}'

Confirm that the Node version prints successfully (proving the ENTRYPOINT and CMD were applied) and that the path is correct.

frontend/Dockerfile (1)

6-10: Leverage Docker cache: isolate dependency install from source copy
Copying the full source before npm ci invalidates the cache on every change. Swap the two COPY instructions:

-COPY package*.json ./
-RUN npm ci
-
-COPY . .
+COPY package*.json ./
+RUN npm ci
+COPY . .


k8s/README.md (1)

120-129: Relative path in kind create cluster is wrong after cd k8s
From inside k8s/, --config k8s/kind-config.yaml resolves to k8s/k8s/... and fails. Use --config kind-config.yaml or run the command from repo root.

docker-compose.yml (1)

5-11: Mongo runs without root credentials – confirm application expectations
Environment variables for MONGO_INITDB_ROOT_USERNAME/PASSWORD were removed. If the backend expects authentication, the app will fail at startup. Either re-add the env vars or update backend connection string.

Comment on lines +16 to +33
FROM node:20-alpine AS runner

WORKDIR /app

# Set NODE_ENV to production
ENV NODE_ENV=production

# Copy node_modules from deps stage
COPY --from=deps /app/node_modules ./node_modules

# Copy entire source code (since we're not using `dist`)
COPY . .

# Expose port (change if your app uses a different one)
EXPOSE 5001

# Start the app
CMD ["node", "index.js"]
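Review bot: `COPY . .` in the runner stage copies the entire build context into the final image, so without a `.dockerignore` a local `.env` (this PR's docker-compose.yml expects one at `./backend/.env`), `node_modules`, `.git` and the committed Trivy reports all ship inside the image; add a `.dockerignore` or copy only the source directories the app needs. The stage also keeps the image's default root user, which is the point the comment below raises.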

🛠️ Refactor suggestion

Run as non-root to reduce container attack surface
The final image still runs as root (default UID 0). Adding a non-privileged user is a low-effort hardening win and eliminates several security scanner findings.

 FROM node:20-alpine AS runner
+RUN addgroup -S app && adduser -S app -G app
 WORKDIR /app
 ENV NODE_ENV=production
 ...
 EXPOSE 5001
-CMD ["node", "index.js"]
+USER app
+CMD ["node", "index.js"]
🤖 Prompt for AI Agents
In Dockerfile lines 16 to 33, the container runs as root by default, which
increases security risks. To fix this, create a non-root user and group in the
Dockerfile, change ownership of the /app directory to this user, and switch to
this user before the CMD instruction. This ensures the container runs with
limited privileges, reducing the attack surface.

Comment on lines +24 to +27
value: "mongodb://root:admin@mongodb:27017/chatApp?authSource=admin"
- name: PORT
value: "5001"
- name: NODE_ENV
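Review bot: moving `MONGODB_URI` into a Secret only helps if that Secret is not itself committed in clear. This same PR adds `k8s/backend-secrets.yaml` with a plaintext `stringData` value, so a `mongodb-credentials` Secret created the same way would leave `root:admin` readable in the repository. Create it out of band (`kubectl create secret` or an external secrets operator) and keep the credentials in the URI in sync with `MONGO_INITDB_ROOT_USERNAME`/`MONGO_INITDB_ROOT_PASSWORD` in k8s/mongodb-deployment.yaml, which this PR also changes.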

⚠️ Potential issue

Plaintext Mongo credentials – move to a Secret immediately
root:admin is hard-coded in the MONGODB_URI. Anyone with read access to the manifest can extract DB creds.

-        - name: MONGODB_URI
-          value: "mongodb://root:admin@mongodb:27017/chatApp?authSource=admin"
+        - name: MONGODB_URI
+          valueFrom:
+            secretKeyRef:
+              name: mongodb-credentials
+              key: uri

Create the mongodb-credentials Secret with the base64-encoded URI before applying the deployment.

🧰 Tools
🪛 Checkov (3.2.334)

[MEDIUM] 24-25: Basic Auth Credentials

(CKV_SECRET_4)

🤖 Prompt for AI Agents
In k8s/backend-deployment.yaml around lines 24 to 27, the MongoDB URI contains
hard-coded plaintext credentials which is a security risk. Remove the URI from
the deployment manifest and instead create a Kubernetes Secret named
mongodb-credentials containing the base64-encoded MongoDB URI. Then, update the
deployment to reference this Secret as an environment variable to securely
inject the credentials at runtime.

Comment on lines +1 to +8
apiVersion: v1
kind: Secret
metadata:
name: backend-secrets
namespace: chat-app
type: Opaque
stringData:
jwt-secret: "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJPbmxpbmUgSldUIEJ1aWxkZXIiLCJpYXQiOjE3MzQ3MjA5MzAsImV4cCI6MTc2NjI1NjkzMCwiYXVkIjoidHJhaW53aXRoc2h1YmhhbS5jb20iLCJzdWIiOiJqcm9ja2V0QGV4YW1wbGUuY29tIiwiR2l2ZW5OYW1lIjoiQWZ6YWwiLCJTdXJuYW1lIjoiUm9ja2V0IiwiRW1haWwiOiJqcm9ja2V0QGV4YW1wbGUuY29tIiwiUm9sZSI6WyJEZXZPcHMiLCJQcm9qZWN0IEFkbWluaXN0cmF0b3IiXX0.ehelBbUU2IFJ8M5xzQL_UFatMxCMSojAOqWQaZQgrwk" No newline at end of file
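Review bot: the `jwt-secret` value is itself a JWT (its first segment, `eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9`, is base64 for `{"typ":"JWT","alg":"HS256"}`), not a random signing key. If the backend uses this string as its HS256 key, the key's strength is whatever entropy that token happens to contain, and it is now public in the repository. When rotating, as the comment on this file asks, generate a fresh key from a CSPRNG (32 bytes or more) and deliver it outside version control rather than re-committing a new `stringData` literal.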

⚠️ Potential issue

Plain-text JWT secret committed to VCS

The secret value is stored in-clear under stringData. Anyone with repo access (or any public fork) can read and misuse the JWT signing key.

Recommended actions:

- stringData:
-   jwt-secret: "<actual-secret>"
+ # Option 1 – use SealedSecrets / External Secrets and commit the sealed object
+ # Option 2 – remove the secret from VCS and load it at runtime (kubectl create secret ...).

At minimum rotate the leaked key before deployment.


🧰 Tools
🪛 YAMLlint (1.37.1)

[error] 8-8: no new line character at the end of file

(new-line-at-end-of-file)

🤖 Prompt for AI Agents
In k8s/backend-secrets.yaml lines 1 to 8, the JWT secret is stored as plain text
under stringData, exposing it to anyone with repository access. To fix this,
remove the plain-text JWT secret from the file and instead use a secure secret
management solution or environment variables to inject the secret at deployment
time. Also, ensure to rotate the leaked JWT key before deploying to prevent
misuse.

Comment on lines +6 to +12
extraPortMappings:
- containerPort: 30080
hostPort: 8080
- containerPort: 30501
hostPort: 5001
- containerPort: 27017
hostPort: 27017
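Review bot: beyond the collision risk, the `containerPort: 27017` mapping only has an effect if something on the Kind node actually listens on 27017; a NodePort must lie in 30000-32767, so unless the mongodb Service is changed to a NodePort in that range this entry is dead configuration, and if it is meant to expose the database to the developer's machine it deserves a README note plus `listenAddress: 127.0.0.1`, given that the root credentials are hard-coded elsewhere in this PR. The same `listenAddress` restriction is worth applying to the 5001 and 8080 mappings so a development cluster is not reachable from the LAN by default.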

🛠️ Refactor suggestion

Host-port 27017 may clash with a locally-running MongoDB instance

Binding the host port 27017 to the Kind node means any MongoDB already running on the developer machine will fail to start (or the cluster will fail to start on a busy port). If local collisions are likely, consider mapping to an alternate host port (e.g. 27018) and documenting that in the README.

🤖 Prompt for AI Agents
In k8s/kind-config.yaml around lines 6 to 12, the hostPort 27017 is mapped
directly, which can conflict with a local MongoDB instance. Change the hostPort
from 27017 to an alternate port like 27018 to avoid collisions, and update the
README to document this new port mapping for clarity.

Comment on lines 22 to +25
- name: MONGO_INITDB_ROOT_USERNAME
value: mongoadmin
value: root
- name: MONGO_INITDB_ROOT_PASSWORD
value: secret
value: admin
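Review bot: the rendered hunk changes the root credentials from `mongoadmin`/`secret` to `root`/`admin`, the same literals hard-coded into `MONGODB_URI` in k8s/backend-deployment.yaml, so the two manifests must now be edited together and both pairs are guessable defaults. Generate the password, put username and password in one Secret, and have both the MongoDB container (via `envFrom.secretRef`, as suggested below) and the backend URI read from that Secret so a single rotation covers both deployments.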

⚠️ Potential issue

Hard-coded root credentials leak secrets

MONGO_INITDB_ROOT_USERNAME/PASSWORD are committed in plain text. Store them in a Secret and reference via valueFrom.secretKeyRef to avoid accidental disclosure and allow rotation.

-        env:
-        - name: MONGO_INITDB_ROOT_USERNAME
-          value: root
-        - name: MONGO_INITDB_ROOT_PASSWORD
-          value: admin
+        envFrom:
+        - secretRef:
+            name: mongodb-root-credentials
🤖 Prompt for AI Agents
In k8s/mongodb-deployment.yaml around lines 22 to 25, the root username and
password are hard-coded as plain text, which risks secret leakage. Replace these
values by creating a Kubernetes Secret resource containing the credentials, then
reference them in the deployment using valueFrom.secretKeyRef to securely inject
the secrets and enable easier rotation.
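Added example, not part of the PR or of CodeRabbit's review: a small policy check in the spirit of the Checkov rules cited above (CKV_K8S_20, CKV_K8S_23, CKV_SECRET_4), run over Deployment manifests already parsed into dicts, the shape `yaml.safe_load` returns. The sample manifests are constructed to mirror the backend and MongoDB deployments discussed in the comments on k8s/backend-deployment.yaml and k8s/mongodb-deployment.yaml, plus a hardened variant using `envFrom.secretRef`; the Secret names come from the review, while the env-name regex and the finding codes are assumptions of this example.

```python
import re
from urllib.parse import urlsplit

# Env var names that should come from valueFrom.secretKeyRef, never a literal
# value; anything shaped like scheme://... is checked for user:pass@ as well.
SECRET_NAME_RE = re.compile(r"PASSWORD|PASSWD|SECRET|TOKEN|API_?KEY|PRIVATE_KEY", re.I)
URI_RE = re.compile(r"^[a-z][a-z0-9+.-]*://", re.I)


def uri_embeds_credentials(value):
    """True if value is a URI whose authority carries user:pass@ (root:admin@...)."""
    if not isinstance(value, str) or not URI_RE.match(value):
        return False
    parts = urlsplit(value)
    return bool(parts.username or parts.password)


def _is_non_root(pod_sc, ctr_sc):
    """CKV_K8S_23 spirit: runAsNonRoot, or a non-zero runAsUser, at either level."""
    for sc in (ctr_sc, pod_sc):
        if sc.get("runAsNonRoot") is True:
            return True
        if isinstance(sc.get("runAsUser"), int) and sc["runAsUser"] > 0:
            return True
    return False


def audit_deployment(manifest):
    """Return (container, subject, code) findings for one parsed Deployment."""
    findings = []
    pod_spec = manifest["spec"]["template"]["spec"]
    pod_sc = pod_spec.get("securityContext", {})
    for ctr in pod_spec.get("containers", []):
        name = ctr["name"]
        for env in ctr.get("env", []):
            if "value" not in env:  # valueFrom.secretKeyRef / configMapKeyRef are fine
                continue
            if SECRET_NAME_RE.search(env["name"]):
                findings.append((name, env["name"], "PLAINTEXT_SECRET_ENV"))
            if uri_embeds_credentials(env["value"]):
                findings.append((name, env["name"], "CREDENTIALS_IN_URI"))
        ctr_sc = ctr.get("securityContext", {})
        if not _is_non_root(pod_sc, ctr_sc):
            findings.append((name, "securityContext", "ROOT_CONTAINER"))
        # allowPrivilegeEscalation is a container-level field only (CKV_K8S_20).
        if ctr_sc.get("allowPrivilegeEscalation") is not False:
            findings.append((name, "securityContext", "PRIVILEGE_ESCALATION_ALLOWED"))
    return findings


def _deployment(name, pod_spec):
    """Wrap a pod spec in a minimal Deployment skeleton (constructed sample)."""
    return {"apiVersion": "apps/v1", "kind": "Deployment",
            "metadata": {"name": name, "namespace": "chat-app"},
            "spec": {"template": {"spec": pod_spec}}}


# Constructed to mirror the backend and MongoDB deployments under review.
BACKEND = _deployment("backend", {"containers": [{
    "name": "backend",
    "env": [
        {"name": "MONGODB_URI",
         "value": "mongodb://root:admin@mongodb:27017/chatApp?authSource=admin"},
        {"name": "PORT", "value": "5001"},
        {"name": "NODE_ENV", "value": "production"},
        {"name": "JWT_SECRET", "valueFrom": {"secretKeyRef": {
            "name": "backend-secrets", "key": "jwt-secret"}}},
    ]}]})

MONGODB = _deployment("mongodb", {"containers": [{
    "name": "mongodb",
    "env": [{"name": "MONGO_INITDB_ROOT_USERNAME", "value": "root"},
            {"name": "MONGO_INITDB_ROOT_PASSWORD", "value": "admin"}]}]})

# The shape the review asks for: credentials via envFrom.secretRef, a non-root
# pod, and no privilege escalation on the container.
HARDENED_MONGODB = _deployment("mongodb", {
    "securityContext": {"runAsNonRoot": True},
    "containers": [{
        "name": "mongodb",
        "envFrom": [{"secretRef": {"name": "mongodb-root-credentials"}}],
        "securityContext": {"allowPrivilegeEscalation": False}}]})

if __name__ == "__main__":
    for label, m in (("backend", BACKEND), ("mongodb", MONGODB),
                     ("mongodb-hardened", HARDENED_MONGODB)):
        for ctr, subject, code in audit_deployment(m) or [(None, None, "OK")]:
            print(f"{label:17s} {ctr or '-':9s} {subject or '-':14s} {code}")
```

Run as a script it prints one line per finding; in CI the same `audit_deployment` can be applied to every Deployment a `yaml.safe_load_all` pass yields from `k8s/`, failing the build when the list is non-empty.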
