modified k8s manifests for minikube compatibility and project needs

[abhay41]

Summary

Replaced the original Kubernetes manifests designed for Kind with updated versions compatible with Minikube and tailored to my project setup.

Changes Made

• Removed Kind-specific K8s configuration files
• Added:
  • Deployments for frontend, backend, and MongoDB
  • Services for internal and external access
  • Ingress configuration
  • Namespace: chat-app

Why This Change?

The previous manifests were well-structured but tailored for the Kind cluster setup. I adapted the configuration to run smoothly on Minikube, ensuring compatibility with my development environment and project architecture.

Notes

• Make sure ingress-nginx controller is installed in Minikube before applying ingress.yaml.
• These changes are specific to my use case but might be helpful to others using Minikube.

Summary by CodeRabbit

• New Features
  • Introduced Kubernetes Ingress for HTTP routing to frontend and backend services.
  • Added new Kubernetes manifests for backend, frontend, and MongoDB deployments, as well as persistent volume and secret resources.
• Bug Fixes
  • Updated service definitions to use internal ClusterIP instead of NodePort, improving security and cluster integration.
• Refactor
  • Renamed and restructured several Kubernetes resources for consistency (e.g., MongoDB service and PVC).
  • Removed unused or redundant configuration files and documentation.
• Chores
  • Improved YAML formatting and removed obsolete files for a cleaner deployment setup.

[vercel]

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name	Status	Preview	Comments	Updated (UTC)
full-stack-chat-app	✅ Ready (Inspect)	Visit Preview	💬 Add feedback	Aug 2, 2025 10:37pm

[coderabbitai]

Walkthrough

This change restructures the Kubernetes deployment for a chat application. It removes several old YAML manifests, replacing them with updated deployment, service, ingress, persistent volume, and secret definitions. The new configuration standardizes naming, updates images, modifies service exposure (removing NodePort), introduces an Ingress resource, and revises persistent storage for MongoDB.

Changes

Cohort / File(s)	Change Summary
Documentation Removal k8s/README.md	Deleted the comprehensive deployment guide for Kubernetes and Docker Compose.
Backend Deployment Update k8s/backend-deployment.yaml, k8s/backend-deployment.yml	Removed old backend deployment manifest; added new deployment with updated image, environment variables, and secret reference.
Backend Secrets Update k8s/backend-secrets.yaml, k8s/secrets.yml	Removed old backend JWT secret; added new secret manifest with base64-encoded JWT.
Backend Service Update k8s/backend-service.yml	Changed backend service from NodePort to default ClusterIP by removing nodePort and type.
Frontend Deployment Update k8s/frontend-deployment.yaml, k8s/frontend-deployment.yml	Removed old frontend deployment (with NGINX config and probes); added new deployment using updated image and simplified configuration.
Frontend Service Update k8s/frontend-service.yml	Changed frontend service from NodePort to ClusterIP by removing protocol, nodePort, and type.
Frontend ConfigMap Removal k8s/frontend-configmap.yaml	Removed ConfigMap for NGINX frontend configuration.
Ingress Addition k8s/ingress.yml	Added new Ingress resource for routing / to frontend and /api to backend.
MongoDB Deployment Update k8s/mongodb-deployment.yaml, k8s/mongodb-deployment.yml	Removed old MongoDB deployment; added new deployment using official image, updated PVC reference, and environment variables.
MongoDB Storage Update k8s/mongodb-pv.yml, k8s/mongodb-pvc.yml	Added new PersistentVolume; updated PersistentVolumeClaim name, size (1Gi→5Gi), and removed storageClassName.
MongoDB Service Update k8s/mongodb-service.yml	Changed service name from mongodb to mongodb-service and removed explicit type.
Kind Cluster Config Removal k8s/kind-config.yaml	Deleted Kind cluster configuration YAML.
Namespace Formatting k8s/namespace.yml	Adjusted indentation for the name field; no semantic change.

Sequence Diagram(s)

sequenceDiagram
    participant User
    participant Ingress
    participant Frontend Service
    participant Backend Service
    participant MongoDB Service

    User->>Ingress: HTTP request /
    Ingress->>Frontend Service: Forward to frontend (port 80)
    Frontend Service->>Frontend Pod: Serve static content

    User->>Ingress: HTTP request /api
    Ingress->>Backend Service: Forward to backend (port 5001)
    Backend Service->>Backend Pod: Handle API logic
    Backend Pod->>MongoDB Service: Query database
    MongoDB Service->>MongoDB Pod: Access data

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~15–20 minutes

Poem

Hopping through YAML, I see
Services clustered, as neat as can be.
Ingress now leads the way,
Secrets are tucked, PVs here to stay.
Old docs and configs, we bid you adieu—
The chat app hops forward, shiny and new!
🐰✨

Note

⚡️ Unit Test Generation is now available in beta!

Learn more here, or try it out under "Finishing Touches" below.

✨ Finishing Touches

🧪 Generate unit tests

• Create PR with unit tests
• Post copyable unit tests in a comment

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Explain this complex logic.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai explain this code block.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and explain its main purpose.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR.
• @coderabbitai generate sequence diagram to generate a sequence diagram of the changes in this PR.
• @coderabbitai generate unit tests to generate unit tests for this PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 9

🔭 Outside diff range comments (1)

k8s/secrets.yml (1)

1-9: Do not commit real secrets & remove trailing whitespace

1. The base-64 value appears to be an actual JWT secret. Storing secrets in the repo is a security risk – switch to:
   • kubectl create secret … --from-literal,
   • a SealedSecret, or
   • an External Secrets operator.
2. YAMLlint flagged the trailing space at Line 8.

-  jwt: N2MxZjBkYmIyOGMxOGE5MmI4ODdiNGU0MTI3MGY1NmY= 
+  jwt: <base64-encoded-placeholder>

At minimum replace the value with a placeholder before merging.

🧹 Nitpick comments (9)

k8s/namespace.yml (1)

4-4: Nit: align indentation for consistency

Line 4 uses a single leading space while the file (and all other manifests) use two. YAML tolerates this, but it stands out when grepping manifests.

- name: chat-app
+  name: chat-app

k8s/mongodb-service.yml (1)

12-12: Add a final newline to satisfy linters

YAMLlint warns about the missing newline at EOF.

-      targetPort: 27017
+      targetPort: 27017
+

k8s/frontend-service.yml (1)

3-11: Clean up trailing spaces & double-check Service exposure strategy

• Lines 3, 10 & 11 have trailing whitespace – YAMLlint errors.
• Service switched from NodePort to implicit ClusterIP. That’s fine as long as the new Ingress is enabled in Minikube (minikube addons enable ingress).

-metadata: 
+metadata:
...
-    - port: 80      
-      targetPort: 80 
+    - port: 80
+      targetPort: 80

k8s/backend-service.yml (2)

3-3: Trailing whitespace breaks some linters/CI pipelines

Remove the two trailing spaces after metadata:.

-metadata: 
+metadata:

---

6-13: Be explicit about the Service type for future maintainability

The manifest relies on the implicit default (ClusterIP).
Being explicit avoids confusion when port-exposure requirements change:

 spec:
+  type: ClusterIP        # explicit – ingress handles external traffic
   selector:
     app: backend
   ports:
     - protocol: TCP
       port: 5001       # Port exposed inside the cluster
       targetPort: 5001 # Matches container port

k8s/frontend-deployment.yml (1)

16-21: Add basic pod security context

Same as the MongoDB deployment, restrict privilege escalation:

    spec:
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 1001
       containers:

k8s/backend-deployment.yml (3)

19-19: Avoid latest – pin the backend image to an explicit version tag.
latest breaks reproducibility and can silently pull incompatible images in CI / prod. Publish a semver tag (e.g. 1.3.0) and reference that instead.

-          image: abhay41/chatapp-backend:latest
+          image: abhay41/chatapp-backend:1.3.0   # ← example pin

---

17-21: Add liveness & readiness probes and resource requests/limits for production resilience.
Without probes Kubernetes cannot detect hung processes, and missing resources hinder scheduling & autoscaling.

Example snippet to append under the container:

          resources:
            requests:
              cpu: "100m"
              memory: "128Mi"
            limits:
              cpu: "500m"
              memory: "256Mi"

          readinessProbe:
            httpGet:
              path: /api/health
              port: 5001
            initialDelaySeconds: 5
            periodSeconds: 10

          livenessProbe:
            httpGet:
              path: /api/health
              port: 5001
            initialDelaySeconds: 15
            periodSeconds: 20

---

33-33: Terminate file with a trailing newline.
yaml-lint fails (new-line-at-end-of-file). Add a \n after the last line to keep tooling happy.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between f3d38e3 and 6f7d638.

📒 Files selected for processing (18)

• k8s/README.md (0 hunks)
• k8s/backend-deployment.yaml (0 hunks)
• k8s/backend-deployment.yml (1 hunks)
• k8s/backend-secrets.yaml (0 hunks)
• k8s/backend-service.yml (1 hunks)
• k8s/frontend-configmap.yaml (0 hunks)
• k8s/frontend-deployment.yaml (0 hunks)
• k8s/frontend-deployment.yml (1 hunks)
• k8s/frontend-service.yml (1 hunks)
• k8s/ingress.yml (1 hunks)
• k8s/kind-config.yaml (0 hunks)
• k8s/mongodb-deployment.yaml (0 hunks)
• k8s/mongodb-deployment.yml (1 hunks)
• k8s/mongodb-pv.yml (1 hunks)
• k8s/mongodb-pvc.yml (1 hunks)
• k8s/mongodb-service.yml (1 hunks)
• k8s/namespace.yml (1 hunks)
• k8s/secrets.yml (1 hunks)

💤 Files with no reviewable changes (7)

• k8s/kind-config.yaml
• k8s/backend-deployment.yaml
• k8s/backend-secrets.yaml
• k8s/mongodb-deployment.yaml
• k8s/frontend-configmap.yaml
• k8s/README.md
• k8s/frontend-deployment.yaml

🧰 Additional context used

🪛 YAMLlint (1.37.1)

k8s/frontend-service.yml

[error] 3-3: trailing spaces

(trailing-spaces)

---

[error] 10-10: trailing spaces

(trailing-spaces)

---

[error] 11-11: trailing spaces

(trailing-spaces)

k8s/backend-service.yml

[error] 3-3: trailing spaces

(trailing-spaces)

k8s/mongodb-service.yml

[error] 12-12: no new line character at the end of file

(new-line-at-end-of-file)

k8s/secrets.yml

[error] 8-8: trailing spaces

(trailing-spaces)

k8s/backend-deployment.yml

[error] 33-33: no new line character at the end of file

(new-line-at-end-of-file)

🪛 Checkov (3.2.334)

k8s/mongodb-deployment.yml

[MEDIUM] 1-33: Containers should not run with allowPrivilegeEscalation

(CKV_K8S_20)

---

[MEDIUM] 1-33: Minimize the admission of root containers

(CKV_K8S_23)

k8s/backend-deployment.yml

[MEDIUM] 1-33: Containers should not run with allowPrivilegeEscalation

(CKV_K8S_20)

---

[MEDIUM] 1-33: Minimize the admission of root containers

(CKV_K8S_23)

---

[MEDIUM] 26-27: Basic Auth Credentials

(CKV_SECRET_4)

k8s/frontend-deployment.yml

[MEDIUM] 1-21: Containers should not run with allowPrivilegeEscalation

(CKV_K8S_20)

---

[MEDIUM] 1-21: Minimize the admission of root containers

(CKV_K8S_23)

[coderabbitai]

🛠️ Refactor suggestion

Add a securityContext to drop root privileges and disallow privilege escalation.
Static analysis (CKV_K8S_20 / 23) flags the container as running as root. Harden it:

       containers:
         - name: chat-backend
           image: abhay41/chatapp-backend:latest
+          securityContext:
+            runAsUser: 1000
+            runAsNonRoot: true
+            allowPrivilegeEscalation: false
           ports:
             - containerPort: 5001

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	containers:
	- name: chat-backend
	image: abhay41/chatapp-backend:latest
	ports:
	- containerPort: 5001
	containers:
	- name: chat-backend
	image: abhay41/chatapp-backend:latest
	securityContext:
	runAsUser: 1000
	runAsNonRoot: true
	allowPrivilegeEscalation: false
	ports:
	- containerPort: 5001

🤖 Prompt for AI Agents

In k8s/backend-deployment.yml around lines 17 to 21, the container definition
lacks a securityContext to prevent running as root and disallow privilege
escalation. Add a securityContext section under the container spec with
runAsNonRoot set to true, runAsUser set to a non-root user ID (e.g., 1000), and
allowPrivilegeEscalation set to false to harden the container's security
posture.

[coderabbitai]

⚠️ Potential issue

Hard-coded DB credentials leak secrets – move the entire URI to a Secret.
Shipping root:admin in plain text violates basic 12-factor & K8s security guidelines and is caught by CKV_SECRET_4. Mount the connection string via valueFrom.secretKeyRef (or split user/pass into two keys) and delete the literal.

-            - name: MONGODB_URI
-              value: "mongodb://root:admin@mongodb-service:27017/chatApp?authSource=admin&retryWrites=true&w=majority"
+            - name: MONGODB_URI
+              valueFrom:
+                secretKeyRef:
+                  name: chatapp-secrets
+                  key: mongodb-uri

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	- name: MONGODB_URI
	value: "mongodb://root:admin@mongodb-service:27017/chatApp?authSource=admin&retryWrites=true&w=majority"
	- name: MONGODB_URI
	valueFrom:
	secretKeyRef:
	name: chatapp-secrets
	key: mongodb-uri

🤖 Prompt for AI Agents

In k8s/backend-deployment.yml at lines 25 to 26, the MongoDB URI with hard-coded
credentials is exposed as plain text. To fix this, remove the literal URI from
the value field and instead reference it securely using valueFrom.secretKeyRef,
pointing to a Kubernetes Secret that stores the connection string. Create or
update the Secret to hold the URI or separate user and password keys, then mount
these securely in the deployment manifest.

[coderabbitai]

🛠️ Refactor suggestion

Unpinned image and missing health probes

1. Pin the image tag (chatapp-frontend:v1.0.0) to ensure reproducible deploys.
2. Add readiness & liveness probes so the ingress doesn’t route to an unhealthy pod.

-          image: abhay41/chatapp-frontend:latest
+          image: abhay41/chatapp-frontend:v1.0.0
+          readinessProbe:
+            httpGet:
+              path: /
+              port: 80
+            initialDelaySeconds: 5
+            periodSeconds: 10
+          livenessProbe:
+            httpGet:
+              path: /
+              port: 80
+            initialDelaySeconds: 15
+            periodSeconds: 20

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	image: abhay41/chatapp-frontend:latest
	ports:
	- containerPort: 80
	image: abhay41/chatapp-frontend:v1.0.0
	readinessProbe:
	httpGet:
	path: /
	port: 80
	initialDelaySeconds: 5
	periodSeconds: 10
	livenessProbe:
	httpGet:
	path: /
	port: 80
	initialDelaySeconds: 15
	periodSeconds: 20
	ports:
	- containerPort: 80

🧰 Tools

🪛 Checkov (3.2.334)

[MEDIUM] 1-21: Containers should not run with allowPrivilegeEscalation

(CKV_K8S_20)

---

[MEDIUM] 1-21: Minimize the admission of root containers

(CKV_K8S_23)

🤖 Prompt for AI Agents

In k8s/frontend-deployment.yml around lines 19 to 21, the container image tag is
unpinned and health probes are missing. Update the image tag from "latest" to a
fixed version like "v1.0.0" to ensure consistent deployments. Add both
readinessProbe and livenessProbe configurations under the container spec to
enable Kubernetes to check pod health and prevent routing traffic to unhealthy
pods.

[coderabbitai]

⚠️ Potential issue

rewrite-target: / masks path information – likely breaks /api routing

With the global rewrite every request ends up at /, so
/api/auth/login → backend request / (path stripped).
If the backend expects the /api prefix, remove the annotation or use regex-based rewrites:

 metadata:
   name: chatapp-ingress
   namespace: chat-app
   annotations:
-    nginx.ingress.kubernetes.io/rewrite-target: /
+    nginx.ingress.kubernetes.io/use-regex: "true"
+    nginx.ingress.kubernetes.io/rewrite-target: /$2

and change the path rules:

-  - path: /api
+  - path: /api(/|$)(.*)

Additionally, set the ingress class for Minikube NGINX:

  annotations:
    ingressClassName: nginx

🤖 Prompt for AI Agents

In k8s/ingress.yml around lines 6 to 7, the annotation
'nginx.ingress.kubernetes.io/rewrite-target: /' causes all paths to be rewritten
to '/', stripping path information and breaking routes like '/api/auth/login'.
To fix this, remove this annotation or replace it with a regex-based rewrite
that preserves the path prefix as needed. Also, update the path rules to match
the regex accordingly. Additionally, add the annotation 'ingressClassName:
nginx' to specify the ingress class for Minikube NGINX.

[coderabbitai]

🛠️ Refactor suggestion

Harden the pod – disallow privilege escalation & run as non-root

Add a simple securityContext block:

     spec:
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 999
+        fsGroup: 999
       containers:

This addresses CKV_K8S_20 / 23 and improves baseline security.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	containers:
	- name: chatapp-mongodb
	image: mongo:latest
	ports:
	- containerPort: 27017
	env:
	- name: MONGO_INITDB_ROOT_USERNAME
	value: root
	- name: MONGO_INITDB_ROOT_PASSWORD
	value: admin
	volumeMounts:
	- name: mongodb-storage
	mountPath: /data/db
	volumes:
	spec:
	securityContext:
	runAsNonRoot: true
	runAsUser: 999
	fsGroup: 999
	containers:
	- name: chatapp-mongodb
	image: mongo:latest
	ports:
	- containerPort: 27017
	env:
	- name: MONGO_INITDB_ROOT_USERNAME
	value: root
	- name: MONGO_INITDB_ROOT_PASSWORD
	value: admin
	volumeMounts:
	- name: mongodb-storage
	mountPath: /data/db
	volumes:

🤖 Prompt for AI Agents

In k8s/mongodb-deployment.yml around lines 17 to 30, the container lacks a
securityContext to prevent privilege escalation and to run as a non-root user.
Add a securityContext block under the container definition with runAsNonRoot set
to true and allowPrivilegeEscalation set to false to harden the pod and improve
security compliance.

[coderabbitai]

🛠️ Refactor suggestion

Pin the MongoDB image tag to avoid accidental major upgrades

mongo:latest can introduce breaking changes without notice. Pin to a known-good version (e.g. 6.0.11) and enable predictable roll-outs.

-          image: mongo:latest
+          image: mongo:6.0.11

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	- name: chatapp-mongodb
	image: mongo:latest
	ports:
	- containerPort: 27017
	- name: chatapp-mongodb
	image: mongo:6.0.11
	ports:
	- containerPort: 27017

🤖 Prompt for AI Agents

In k8s/mongodb-deployment.yml around lines 18 to 21, the MongoDB image tag is
set to 'latest', which risks unintentional major upgrades. Change the image tag
from 'mongo:latest' to a specific version like 'mongo:6.0.11' to ensure stable
and predictable deployments.

[coderabbitai]

⚠️ Potential issue

Root credentials are hard-coded in plain text – move them to a Secret

Exposing DB passwords in the manifest risks leaking in VCS/history.
Create a Secret and reference it via valueFrom.secretKeyRef:

-          env:
-            - name: MONGO_INITDB_ROOT_USERNAME
-              value: root
-            - name: MONGO_INITDB_ROOT_PASSWORD
-              value: admin
+          env:
+            - name: MONGO_INITDB_ROOT_USERNAME
+              valueFrom:
+                secretKeyRef:
+                  name: mongodb-auth
+                  key: username
+            - name: MONGO_INITDB_ROOT_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: mongodb-auth
+                  key: password

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	env:
	- name: MONGO_INITDB_ROOT_USERNAME
	value: root
	- name: MONGO_INITDB_ROOT_PASSWORD
	value: admin
	env:
	- name: MONGO_INITDB_ROOT_USERNAME
	valueFrom:
	secretKeyRef:
	name: mongodb-auth
	key: username
	- name: MONGO_INITDB_ROOT_PASSWORD
	valueFrom:
	secretKeyRef:
	name: mongodb-auth
	key: password

🤖 Prompt for AI Agents

In k8s/mongodb-deployment.yml around lines 22 to 26, the MongoDB root username
and password are hard-coded as plain text environment variables, which is
insecure. Create a Kubernetes Secret resource to store these credentials
securely, then update the deployment manifest to reference the Secret using
valueFrom.secretKeyRef for both MONGO_INITDB_ROOT_USERNAME and
MONGO_INITDB_ROOT_PASSWORD environment variables.

[coderabbitai]

💡 Verification agent

❓ Verification inconclusive

Add storageClassName & reclaim policy to make the PV bindable and durable

With a hostPath PV Minikube will happily mount /data, but the PV currently:

• Has no storageClassName – if the PVC specifies anything (even the default standard) this PV will never bind.
• Falls back to the default Delete reclaim policy – data will be wiped on PVC deletion, which is rarely what you want for a database.

A minimal hard-coded class plus Retain is usually safer for local dev:

 spec:
+  storageClassName: manual       # PVC must use the same value (or leave it empty)
+  persistentVolumeReclaimPolicy: Retain
   capacity:
     storage: 5Gi
   accessModes:
     - ReadWriteOnce
   hostPath:
     path: /data

---

Add storageClassName & persistentVolumeReclaimPolicy for reliable binding and data retention

The PV defined in k8s/mongodb-pv.yml currently:

• Lacks a storageClassName – it will only bind to a PVC that omits any class (defaults to an empty string), so most PVCs (e.g. using the “standard” class) won’t ever bind.
• Defaults to a Delete reclaim policy – data is discarded when the PVC is removed.

To ensure local-dev durability and explicit binding, update lines 5–11 as follows:

 spec:
+  storageClassName: manual                  # PVC must use the same class (or leave it unset)
+  persistentVolumeReclaimPolicy: Retain     # retain data on PVC deletion
   capacity:
     storage: 5Gi
   accessModes:
     - ReadWriteOnce
   hostPath:
     path: /data

Tagging this as a required change to prevent binding failures and accidental data loss.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	spec:
	capacity:
	storage: 5Gi
	accessModes:
	- ReadWriteOnce
	hostPath:
	path: /data
	spec:
	storageClassName: manual # PVC must use the same class (or leave it unset)
	persistentVolumeReclaimPolicy: Retain # retain data on PVC deletion
	capacity:
	storage: 5Gi
	accessModes:
	- ReadWriteOnce
	hostPath:
	path: /data

🤖 Prompt for AI Agents

In k8s/mongodb-pv.yml around lines 5 to 11, add the field storageClassName with
a specific value to ensure the PV binds correctly to PVCs using that class, and
set persistentVolumeReclaimPolicy to Retain to prevent data loss when the PVC is
deleted. Update the spec section to include these two fields explicitly for
reliable binding and data retention.

[coderabbitai]

⚠️ Potential issue

PVC may fail to bind to the static PV – storageClassName must be set/empty-stringed

Because a default StorageClass usually exists on Minikube, omitting storageClassName on the PVC will trigger dynamic provisioning instead of binding to your static mongodb-pv.
Either add the same storageClass used on the PV or explicitly bind to the “no-class” PV by setting an empty string:

 spec:
+  storageClassName: ""   # ensures the claim binds to mongodb-pv (no SC)
   accessModes:
     - ReadWriteOnce
   resources:
     requests:
       storage: 5Gi

Also applies to: 11-11

🤖 Prompt for AI Agents

In k8s/mongodb-pvc.yml around lines 4 to 5 and 11 to 11, the
PersistentVolumeClaim lacks the storageClassName field, which can cause it to
dynamically provision storage instead of binding to the intended static
PersistentVolume. To fix this, explicitly set the storageClassName in the PVC to
match the storageClassName of the static PV or set it to an empty string ("") to
bind to a PV without a storage class.