
Prepare release v0.19.0 #500

Merged: kvaps merged 1 commit into main from release-0.19.0 on Dec 4, 2024

Conversation

kvaps (Member) commented Dec 3, 2024

Summary by CodeRabbit

Release Notes

  • New Features
    • Updated container images for various components to their latest versions, enhancing performance and security.
  • Bug Fixes
    • Addressed potential issues by upgrading image tags and digests for components such as CozyStack, ClickHouse, PostgreSQL, and others.
  • Documentation
    • Updated values.yaml configurations for multiple packages to reflect the latest image versions and digests.

These updates ensure improved functionality and reliability across the application.

@dosubot dosubot bot added the size:M This PR changes 30-99 lines, ignoring generated files. label Dec 3, 2024
coderabbitai bot (Contributor) commented Dec 3, 2024

Warning

Rate limit exceeded

@kvaps has exceeded the limit for the number of commits or files that can be reviewed per hour. Please wait 4 minutes and 57 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

📥 Commits

Reviewing files that changed from the base of the PR and between 9fce455 and b213992.

Walkthrough

The pull request updates several Docker image references and tags across various components in the CozyStack application. Key changes include updating the container images for cozystack, darkhttpd, clickhouse-backup, postgres-backup, and others to their latest versions. This includes modifications to SHA256 digests to reflect the new images. The changes are primarily focused on ensuring that the application uses the most recent versions of its dependencies without altering any underlying logic or control flow.

Changes

File Path Change Summary
manifests/cozystack-installer.yaml Updated cozystack and darkhttpd images from v0.18.0 to v0.19.0.
packages/apps/clickhouse/images/clickhouse-backup.tag Updated image tag from 0.6.0 to 0.6.1, changed SHA256 digest.
packages/apps/ferretdb/images/postgres-backup.tag Updated SHA256 digest for postgres-backup image.
packages/apps/http-cache/images/nginx-cache.tag Updated SHA256 digest for nginx-cache image.
packages/apps/kubernetes/images/cluster-autoscaler.tag Updated SHA256 digest for cluster-autoscaler image.
packages/apps/kubernetes/images/kubevirt-cloud-provider.tag Updated SHA256 digest for kubevirt-cloud-provider image.
packages/apps/kubernetes/images/kubevirt-csi-driver.tag Updated SHA256 digest for kubevirt-csi-driver image.
packages/apps/kubernetes/images/ubuntu-container-disk.tag Updated SHA256 digest for ubuntu-container-disk image.
packages/apps/mysql/images/mariadb-backup.tag Updated SHA256 digest for mariadb-backup image.
packages/apps/postgres/images/postgres-backup.tag Updated SHA256 digest for postgres-backup image.
packages/core/installer/values.yaml Updated cozystack image version from v0.18.0 to v0.19.0, changed SHA256 digest.
packages/core/testing/values.yaml Updated e2e-sandbox image version from v0.18.0 to v0.19.0.
packages/system/bucket/images/s3manager.tag Updated SHA256 digest for s3manager image.
packages/system/cilium/values.yaml Updated Cilium image tag from 1.16.3 to 1.16.4, changed SHA256 digest.
packages/system/cozystack-api/values.yaml Updated cozystackAPI image from latest to v0.19.0, changed SHA256 digest.
packages/system/dashboard/values.yaml Updated dashboard and kubeappsapis image tags from v0.18.0 to v0.19.0, changed SHA256 digests.
packages/system/kamaji/values.yaml Updated image tag from v0.18.0 to v0.19.0, changed SHA256 digest.
packages/system/kubeovn/values.yaml Updated kubeovn image tag with a new SHA256 digest.

Possibly related PRs

Suggested labels

size:L, enhancement, documentation

Suggested reviewers

  • themoriarti

🐰 In the code, we hop and play,
New images here, hip-hip-hooray!
From v0.18 to v0.19,
CozyStack's fresh and oh so fine!
With every tag, our project grows,
A happy dance, as progress flows! 🐇✨



coderabbitai bot (Contributor) left a comment

Actionable comments posted: 0

🧹 Outside diff range and nitpick comments (1)
manifests/cozystack-installer.yaml (1)

Line range hint 71-104: Security Review: Deployment uses privileged configurations

While not changed in this PR, it's worth noting that this deployment uses sensitive configurations:

  1. hostNetwork: true - Provides direct access to host network
  2. cluster-admin role binding - Grants full cluster access

These configurations are likely required for the installer's functionality but should be documented and reviewed periodically.

Consider:

  1. Adding comments explaining why these privileged settings are necessary
  2. Documenting security implications in the deployment guide
  3. Implementing additional security controls if possible
📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL

📥 Commits

Reviewing files that changed from the base of the PR and between ba42118 and 61dfeaa.

📒 Files selected for processing (18)
  • manifests/cozystack-installer.yaml (2 hunks)
  • packages/apps/clickhouse/images/clickhouse-backup.tag (1 hunks)
  • packages/apps/ferretdb/images/postgres-backup.tag (1 hunks)
  • packages/apps/http-cache/images/nginx-cache.tag (1 hunks)
  • packages/apps/kubernetes/images/cluster-autoscaler.tag (1 hunks)
  • packages/apps/kubernetes/images/kubevirt-cloud-provider.tag (1 hunks)
  • packages/apps/kubernetes/images/kubevirt-csi-driver.tag (1 hunks)
  • packages/apps/kubernetes/images/ubuntu-container-disk.tag (1 hunks)
  • packages/apps/mysql/images/mariadb-backup.tag (1 hunks)
  • packages/apps/postgres/images/postgres-backup.tag (1 hunks)
  • packages/core/installer/values.yaml (1 hunks)
  • packages/core/testing/values.yaml (1 hunks)
  • packages/system/bucket/images/s3manager.tag (1 hunks)
  • packages/system/cilium/values.yaml (1 hunks)
  • packages/system/cozystack-api/values.yaml (1 hunks)
  • packages/system/dashboard/values.yaml (1 hunks)
  • packages/system/kamaji/values.yaml (1 hunks)
  • packages/system/kubeovn/values.yaml (1 hunks)
✅ Files skipped from review due to trivial changes (14)
  • packages/apps/clickhouse/images/clickhouse-backup.tag
  • packages/core/testing/values.yaml
  • packages/apps/http-cache/images/nginx-cache.tag
  • packages/system/bucket/images/s3manager.tag
  • packages/apps/kubernetes/images/kubevirt-csi-driver.tag
  • packages/apps/kubernetes/images/kubevirt-cloud-provider.tag
  • packages/system/kubeovn/values.yaml
  • packages/apps/ferretdb/images/postgres-backup.tag
  • packages/apps/postgres/images/postgres-backup.tag
  • packages/apps/kubernetes/images/ubuntu-container-disk.tag
  • packages/system/kamaji/values.yaml
  • packages/apps/mysql/images/mariadb-backup.tag
  • packages/core/installer/values.yaml
  • packages/apps/kubernetes/images/cluster-autoscaler.tag
🔇 Additional comments (4)
packages/system/cozystack-api/values.yaml (1)

2-2: LGTM! Good practice moving from 'latest' to specific version.

The change from using the 'latest' tag to a specific version 'v0.19.0' improves deployment stability and reproducibility. The SHA256 digest ensures image integrity.

packages/system/cilium/values.yaml (1)

15-16: Verify Cilium 1.16.4 release notes and compatibility.

The patch version upgrade from 1.16.3 to 1.16.4 should be reviewed for:

  • Any breaking changes
  • Security fixes that might need additional configuration
✅ Verification successful

Cilium 1.16.4 upgrade includes important security fix and bug fixes

This version includes a security advisory (GHSA-xg58-75qf-9r67) and multiple bug fixes that improve stability. Key changes:

  • Security fix for a reported vulnerability
  • Fixed potential deadlock with DNS interception
  • Fixed packet drops for pod-to-pod connections with IPsec
  • Fixed performance regression with network policies in large clusters
  • Improved stability for Wireguard and BGP features

The upgrade is recommended as it addresses security and stability issues.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Check for Cilium release information and potential security advisories
gh api graphql -f query='
{
  repository(owner: "cilium", name: "cilium") {
    release(tagName: "v1.16.4") {
      description
      createdAt
    }
    vulnerabilityAlerts(first: 5, states: OPEN) {
      nodes {
        securityVulnerability {
          package { name }
          vulnerableVersionRange
          firstPatchedVersion { identifier }
        }
      }
    }
  }
}'

Length of output: 14685

packages/system/dashboard/values.yaml (1)

36-37: LGTM! Version consistency maintained across components.

Both dashboard and kubeappsapis components are consistently updated to v0.19.0, maintaining version parity. SHA256 digests are properly updated for both images.

Also applies to: 42-43

manifests/cozystack-installer.yaml (1)

71-71: LGTM: Version updates align with release v0.19.0

The container image versions have been consistently updated to v0.19.0 for both containers, which aligns with the release objectives.

Let's verify the image availability and digest:

Also applies to: 90-90

✅ Verification successful

Version v0.19.0 is consistently referenced across the codebase with verified digests

The version update to v0.19.0 is well-documented across multiple components in the codebase, with several images having specific SHA256 digests, indicating they have been properly built and published. The image references in cozystack-installer.yaml align with other components' versions, maintaining consistency throughout the release.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify if the new image exists and get its digest
gh api \
  -H "Accept: application/vnd.docker.distribution.manifest.v2+json" \
  /repos/aenix-io/cozystack/pkgs/container/cozystack%2Fcozystack/versions | \
  jq '.[] | select(.metadata.container.tags[] == "v0.19.0")'

Length of output: 408


Script:

#!/bin/bash
# Let's try a different approach to verify the image
# First, let's check if there are any other references to this version in the codebase
rg "v0.19.0" --type yaml

# Also check for any version-related changes in recent commits
git log -n 5 --oneline

Length of output: 952
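Two of the points in the review above, the move from 'latest' to a tag plus digest in cozystack-api's values.yaml and the hostNetwork/cluster-admin settings in cozystack-installer.yaml, are properties a manifest audit can check mechanically. The Go program below is an added example, not code from the cozystack repository or from CodeRabbit's output: it decodes a JSON array of Kubernetes objects (a constructed sample modelled on the installer, with a placeholder digest and illustrative ghcr.io paths), parses each image reference and reports unpinned images, hostNetwork pods and cluster-admin bindings. ParseImage, CheckImage, Audit and SampleManifests are names chosen for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

// Finding is one policy violation in a manifest object (Object is kind/name).
type Finding struct{ Object, Rule, Detail string }

var digestRe = regexp.MustCompile(`^sha256:[a-f0-9]{64}$`)

// ParseImage splits "name[:tag][@digest]". A ':' after the last '/' introduces
// the tag; a ':' before it belongs to a registry port (registry:5000/app).
func ParseImage(ref string) (name, tag, digest string) {
	name = ref
	if at := strings.Index(name, "@"); at >= 0 {
		digest, name = name[at+1:], name[:at]
	}
	if colon := strings.LastIndex(name, ":"); colon > strings.LastIndex(name, "/") {
		tag, name = name[colon+1:], name[:colon]
	}
	return name, tag, digest
}

// CheckImage returns why a reference fails the pinning policy (nil if it passes):
// a well-formed sha256 digest is required, and the tag must be explicit and not "latest".
func CheckImage(ref string) []string {
	_, tag, digest := ParseImage(ref)
	var reasons []string
	if tag == "" || tag == "latest" {
		reasons = append(reasons, fmt.Sprintf("mutable tag %q", tag))
	}
	switch {
	case digest == "":
		reasons = append(reasons, "not pinned by digest")
	case !digestRe.MatchString(digest):
		reasons = append(reasons, "malformed digest "+digest)
	}
	return reasons
}

// dig walks nested maps and returns nil as soon as a key is missing.
func dig(v any, path ...string) any {
	for _, k := range path {
		m, ok := v.(map[string]any)
		if !ok {
			return nil
		}
		v = m[k]
	}
	return v
}

// Audit decodes a JSON array of Kubernetes objects and reports cluster-admin
// bindings, hostNetwork pod templates and container images failing CheckImage.
func Audit(manifests []byte) ([]Finding, error) {
	var objs []map[string]any
	if err := json.Unmarshal(manifests, &objs); err != nil {
		return nil, err
	}
	var out []Finding
	for _, o := range objs {
		kind, _ := o["kind"].(string)
		name, _ := dig(o, "metadata", "name").(string)
		id := kind + "/" + name
		if role, _ := dig(o, "roleRef", "name").(string); kind == "ClusterRoleBinding" && role == "cluster-admin" {
			out = append(out, Finding{id, "cluster-admin-binding", "grants full cluster access"})
		}
		podSpec := dig(o, "spec", "template", "spec") // Deployment, DaemonSet, StatefulSet, Job
		if hn, _ := dig(podSpec, "hostNetwork").(bool); hn {
			out = append(out, Finding{id, "host-network", "pod shares the node network namespace"})
		}
		containers, _ := dig(podSpec, "containers").([]any)
		for _, c := range containers {
			img, _ := dig(c, "image").(string)
			for _, why := range CheckImage(img) {
				out = append(out, Finding{id, "unpinned-image", img + ": " + why})
			}
		}
	}
	return out, nil
}

// SampleManifests is constructed input modelled on the installer manifest; the
// digest is a placeholder, not a real image digest.
const SampleManifests = `[
 {"kind":"ClusterRoleBinding","metadata":{"name":"cozystack"},"roleRef":{"kind":"ClusterRole","name":"cluster-admin"}},
 {"kind":"Deployment","metadata":{"name":"cozystack"},"spec":{"template":{"spec":{"hostNetwork":true,"containers":[
  {"name":"cozystack","image":"ghcr.io/aenix-io/cozystack/cozystack:v0.19.0@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"},
  {"name":"darkhttpd","image":"ghcr.io/aenix-io/cozystack/darkhttpd:latest"}]}}}}]`

func main() {
	findings, _ := Audit([]byte(SampleManifests))
	for _, f := range findings {
		fmt.Printf("%-25s %-22s %s\n", f.Object, f.Rule, f.Detail)
	}
}
```

On the sample this reports the cluster-admin binding, the hostNetwork pod template and two reasons for the darkhttpd image (mutable tag, no digest), while the pinned cozystack image passes. Against a live cluster, `kubectl get deploy,clusterrolebinding -A -o json` returns a List whose `.items` is the array Audit expects; extending it to `initContainers` and bare Pod objects is a two-line change.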

themoriarti (Collaborator) left a comment

LGTM

@dosubot dosubot bot added the lgtm This PR has been approved by a maintainer label Dec 3, 2024
@dosubot dosubot bot added size:L This PR changes 100-499 lines, ignoring generated files. and removed size:M This PR changes 30-99 lines, ignoring generated files. labels Dec 3, 2024
coderabbitai bot (Contributor) left a comment

Actionable comments posted: 5

🧹 Outside diff range and nitpick comments (7)
hack/e2e.sh (2)

191-192: Consolidate EtcD Member Checks for Robustness

The current commands for checking etcd members use a combination of timeout and loops. This approach may cause unnecessary complexity and potential issues with signal handling. Consider consolidating these checks into a single, more efficient command.

Apply this diff to simplify the etcd readiness check:

-timeout 180 sh -c 'until timeout -s 9 2 talosctl etcd members -n 192.168.123.11,192.168.123.12,192.168.123.13 -e 192.168.123.10 2>&1; do sleep 1; done'
-timeout 60 sh -c 'while talosctl etcd members -n 192.168.123.11,192.168.123.12,192.168.123.13 -e 192.168.123.10 2>&1 | grep "rpc error"; do sleep 1; done'
+timeout 180 sh -c 'until talosctl etcd members -n 192.168.123.11 -e 192.168.123.10 >/dev/null 2>&1; do sleep 1; done'
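
Review bot: the `+` line probes 192.168.123.11 only and drops the inner `timeout -s 9 2`, so a single hung `talosctl` call can now block the loop for the full 180 s, and one member answering says nothing about the other two having joined; keep the per-call timeout and either pass all three `-n` addresses or check the member count in the output before the second `grep "rpc error"` loop is removed.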

This change waits for the etcd cluster to be ready by checking a single node and reduces complexity.


313-315: Consistent Formatting in JSON Patches

Ensure consistency in the JSON patch formatting for better readability and maintenance.

Apply this diff to adjust the indentation:

 kubectl patch -n tenant-root ingresses.apps.cozystack.io ingress --type=merge -p '{"spec":{
-  "dashboard": true
+    "dashboard": true
 }}'
packages/apps/tenant/templates/keycloakgroups.yaml (1)

53-53: Add Newline at End of File for POSIX Compliance

It's considered good practice to end files with a newline character. This can prevent issues with some tools that may not handle files without a terminating newline correctly.

Ensure there is a newline at the end of the file.

packages/apps/tenant/templates/kubeconfig.yaml (1)

21-21: Update Kubeconfig Server Address if API Server Endpoint Changes

The server address in the kubeconfig is set to use {{ $apiServerEndpoint }}. If the API server endpoint changes, ensure that the kubeconfig is regenerated or updated accordingly.

Consider automating the update of kubeconfig files when the API server endpoint changes to maintain seamless access for users.

packages/core/platform/bundles/paas-hosted.yaml (2)

2-10: Consider adding type validation for OIDC configuration

While the presence check for api-server-endpoint is good, consider validating that oidc-enabled is a valid boolean value to prevent runtime issues.

 {{- $oidcEnabled := index $cozyConfig.data "oidc-enabled" }}
+{{- if and $oidcEnabled (ne $oidcEnabled "true") (ne $oidcEnabled "false") }}
+{{- fail "ERROR oidc-enabled in cozystack ConfigMap must be 'true' or 'false'" }}
+{{- end }}
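
Review bot: the added guard stops typos but not the failure mode that matters here: `oidc-enabled` stays a string, and every `{{- if $oidcEnabled }}` further down is true for the literal "false" because Go templates treat any non-empty string as true. Normalise once after the check, e.g. `{{- $oidcEnabled = eq $oidcEnabled "true" }}`, so the later branches test a real boolean.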

Line range hint 166-184: Consider defining resource requirements for Keycloak components

The Keycloak-related releases should have resource requests and limits defined to ensure proper resource allocation and prevent resource starvation.

Consider adding resource configurations in the respective charts:

  • Memory and CPU limits/requests for Keycloak server
  • Resource constraints for the operator
  • Proper sizing based on expected load
packages/core/platform/bundles/paas-full.yaml (1)

Line range hint 270-288: Consider adding health check configurations

For better reliability and monitoring, consider adding readiness and liveness probe configurations for the Keycloak components.

Consider adding in the respective charts:

  • Readiness probes to ensure proper initialization
  • Liveness probes to detect and recover from failures
  • Startup probes for components with longer initialization times
📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL

📥 Commits

Reviewing files that changed from the base of the PR and between 61dfeaa and 80b95e9.

📒 Files selected for processing (27)
  • hack/e2e.sh (5 hunks)
  • manifests/cozystack-installer.yaml (2 hunks)
  • packages/apps/clickhouse/images/clickhouse-backup.tag (1 hunks)
  • packages/apps/ferretdb/images/postgres-backup.tag (1 hunks)
  • packages/apps/http-cache/images/nginx-cache.tag (1 hunks)
  • packages/apps/kubernetes/images/cluster-autoscaler.tag (1 hunks)
  • packages/apps/kubernetes/images/kubevirt-cloud-provider.tag (1 hunks)
  • packages/apps/kubernetes/images/kubevirt-csi-driver.tag (1 hunks)
  • packages/apps/kubernetes/images/ubuntu-container-disk.tag (1 hunks)
  • packages/apps/mysql/images/mariadb-backup.tag (1 hunks)
  • packages/apps/postgres/images/postgres-backup.tag (1 hunks)
  • packages/apps/tenant/templates/dashboard-resourcemap.yaml (1 hunks)
  • packages/apps/tenant/templates/keycloakgroups.yaml (2 hunks)
  • packages/apps/tenant/templates/kubeconfig.yaml (3 hunks)
  • packages/core/installer/values.yaml (1 hunks)
  • packages/core/platform/bundles/distro-full.yaml (0 hunks)
  • packages/core/platform/bundles/distro-hosted.yaml (0 hunks)
  • packages/core/platform/bundles/paas-full.yaml (4 hunks)
  • packages/core/platform/bundles/paas-hosted.yaml (3 hunks)
  • packages/core/testing/values.yaml (1 hunks)
  • packages/system/bucket/images/s3manager.tag (1 hunks)
  • packages/system/cilium/values.yaml (1 hunks)
  • packages/system/cozystack-api/values.yaml (1 hunks)
  • packages/system/dashboard/values.yaml (1 hunks)
  • packages/system/kamaji/values.yaml (1 hunks)
  • packages/system/keycloak-configure/templates/configure-kk.yaml (1 hunks)
  • packages/system/kubeovn/values.yaml (1 hunks)
💤 Files with no reviewable changes (2)
  • packages/core/platform/bundles/distro-full.yaml
  • packages/core/platform/bundles/distro-hosted.yaml
✅ Files skipped from review due to trivial changes (1)
  • packages/system/dashboard/values.yaml
🚧 Files skipped from review as they are similar to previous changes (17)
  • packages/apps/clickhouse/images/clickhouse-backup.tag
  • packages/apps/http-cache/images/nginx-cache.tag
  • packages/apps/kubernetes/images/kubevirt-csi-driver.tag
  • packages/system/kamaji/values.yaml
  • packages/system/kubeovn/values.yaml
  • packages/apps/kubernetes/images/kubevirt-cloud-provider.tag
  • packages/system/cozystack-api/values.yaml
  • packages/apps/kubernetes/images/cluster-autoscaler.tag
  • manifests/cozystack-installer.yaml
  • packages/apps/kubernetes/images/ubuntu-container-disk.tag
  • packages/system/bucket/images/s3manager.tag
  • packages/core/testing/values.yaml
  • packages/apps/postgres/images/postgres-backup.tag
  • packages/system/cilium/values.yaml
  • packages/apps/ferretdb/images/postgres-backup.tag
  • packages/apps/mysql/images/mariadb-backup.tag
  • packages/core/installer/values.yaml
🧰 Additional context used
🪛 yamllint (1.35.1)
packages/apps/tenant/templates/keycloakgroups.yaml

[error] 1-1: syntax error: expected the node content, but found '-'

(syntax)

packages/apps/tenant/templates/dashboard-resourcemap.yaml

[error] 4-4: syntax error: expected , but found ''

(syntax)

🔇 Additional comments (8)
hack/e2e.sh (2)

340-346: Ensure OIDC Components Are Properly Deployed

The script adds a section to test OIDC by patching the ConfigMap and waiting for Keycloak resources. Verify that all necessary components are correctly configured and deployed to enable OIDC functionality.

Run the following script to confirm the status of OIDC-related resources:

✅ Verification successful

OIDC Components Are Properly Configured

The verification confirms that the OIDC test in hack/e2e.sh is properly integrated with the required components:

  • The Keycloak components (keycloak, keycloak-operator, keycloak-configure) are defined in the platform bundles with correct dependencies
  • OIDC configuration is properly set up in the cluster with:
    • Correct issuer URL configuration
    • Required claims (username, groups)
    • Proper client configuration for both Kubernetes and Kubeapps
  • The test follows the correct deployment order by waiting for all required HelmReleases
🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify that Keycloak resources are ready for OIDC.

# Check the status of Keycloak HelmReleases
kubectl get hr -n cozy-keycloak keycloak keycloak-operator

# Validate that 'oidc-enabled' is set to 'true' in the ConfigMap
kubectl get cm cozystack -n cozy-system -o jsonpath='{.data.oidc-enabled}'

Length of output: 333


Script:

#!/bin/bash
# Let's verify the OIDC configuration in the codebase

# Check for OIDC-related configurations in Helm charts
fd . "charts/" --type f --exec grep -l "oidc" {} \;

# Look for OIDC-related configurations in the codebase
rg "oidc" -l

# Check for Keycloak-related configurations
fd . "charts/" --type f --exec grep -l "keycloak" {} \;

# Look for HelmRelease definitions for Keycloak
rg -l "kind:\s*HelmRelease.*name:\s*keycloak" 

Length of output: 1313


Script:

#!/bin/bash
# Let's check the specific OIDC and Keycloak configurations

# Check the e2e test script for OIDC test context
rg "oidc" -A 5 -B 5 hack/e2e.sh

# Look for Keycloak HelmRelease definitions in platform bundles
rg "keycloak" -A 5 -B 5 "packages/core/platform/bundles/paas-hosted.yaml" "packages/core/platform/bundles/paas-full.yaml"

# Check Keycloak configuration template
rg "keycloak" -A 5 -B 5 "packages/system/keycloak-configure/templates/configure-kk.yaml"

Length of output: 8382


213-214: Verify Hardcoded Configuration Values

The root-host and api-server-endpoint are hardcoded with example values. Ensure that these values are appropriate for your environment or consider making them configurable.

Run the following script to check for hardcoded values:

Ensure that these values are correctly set according to your deployment requirements.

packages/apps/tenant/templates/keycloakgroups.yaml (1)

1-1: ⚠️ Potential issue

Resolve YAML Syntax Error Due to Leading Dash

The static analysis tool reports a syntax error on line 1. This is likely due to an unexpected leading dash (-). Ensure that the Helm template directives are correctly formatted without introducing YAML syntax errors.

Apply this diff to fix the syntax error:

-{{- $cozyConfig := lookup "v1" "ConfigMap" "cozy-system" "cozystack" }}
+{{ $cozyConfig := lookup "v1" "ConfigMap" "cozy-system" "cozystack" }}
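
Review bot: dropping the `-` does not address the yamllint error and does change the output: `{{-` trims the whitespace before the directive so it leaves no blank line in the rendered manifest, while yamllint fails on `{{` itself because an unrendered Helm template is not YAML. Keep `{{-` and run yamllint on `helm template` output (or exclude `templates/`), which is also the fix for the error reported on dashboard-resourcemap.yaml line 4.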

Alternatively, ensure there is no extra dash in the Helm template directive.

Likely invalid or redundant comment.

🧰 Tools
🪛 yamllint (1.35.1)

[error] 1-1: syntax error: expected the node content, but found '-'

(syntax)

packages/apps/tenant/templates/kubeconfig.yaml (2)

45-45: Handle Absence of 'k8sClientSecret' Gracefully

The script checks for the existence of $k8sClientSecret. Ensure that if the secret is not present, the script handles it gracefully without causing errors.

Run the following script to check for the existence of the secret:

Ensure that the secret exists before proceeding.


6-6: Ensure 'api-server-endpoint' Is Defined in ConfigMap

The variable api-server-endpoint is used but may not be defined in the cozyConfig.data. Verify that it exists to prevent runtime errors.

Run the following script to check if api-server-endpoint is set:

Ensure that the output is not empty and contains a valid API server endpoint.

packages/system/keycloak-configure/templates/configure-kk.yaml (1)

84-84: Review Hardcoded 'webUrl' Value

The webUrl for the Keycloak client kubernetes has been changed to https://localhost:8000/oauth2/callback. Verify that this is the intended URL for OAuth2 callbacks and that it aligns with your deployment architecture.

If the application is not running on localhost:8000, consider updating the webUrl to reflect the correct callback URL.

packages/core/platform/bundles/paas-hosted.yaml (1)

156-164: Verify existence of kubeapps-auth-config ConfigMap when OIDC is enabled

When OIDC is enabled, the configuration depends on the kubeapps-auth-config ConfigMap, but its existence is not validated. This could lead to deployment failures.

packages/core/platform/bundles/paas-full.yaml (1)

226-234: ⚠️ Potential issue

Fix inconsistent dashboard dependencies

There's an inconsistency in the dashboard's dependencies:

  • Line 225 shows unconditional dependency on keycloak-configure
  • Lines 226-234 show conditional dependency based on $oidcEnabled

This could lead to deployment failures when OIDC is disabled.

- dependsOn: [cilium,kubeovn,keycloak-configure]
+ dependsOn: [cilium,kubeovn]
  {{- if $oidcEnabled }}
  dependsOn: [keycloak-configure]
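
Review bot: the suggested shape emits `dependsOn:` twice in the same mapping whenever `$oidcEnabled` is set (the `+` line and the one under `{{- if $oidcEnabled }}`); YAML parsers either reject the duplicate key or keep the last value, which would silently drop cilium and kubeovn. Render a single list, e.g. `dependsOn: [cilium,kubeovn{{ if eq $oidcEnabled "true" }},keycloak-configure{{ end }}]`; the `eq` also matters because `if $oidcEnabled` is true for the ConfigMap string "false".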

Likely invalid or redundant comment.
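The oidc-enabled validation and the dashboard dependsOn comment above share one root cause the review does not spell out: Helm renders charts with Go's text/template, where `if` on a string is true for any non-empty value, so the ConfigMap string "false" still takes the enabled branch. The program below is an added example, not code from the cozystack project, reproducing that behaviour beside the fix; NaiveTmpl, StrictTmpl, Render and ParseOIDCFlag are names chosen here, and the dependsOn line is modelled on the bundle hunk quoted in this review.

```go
package main

import (
	"bytes"
	"fmt"
	"text/template"
)

// Two renderings of the dashboard dependency list. NaiveTmpl branches on the raw
// ConfigMap string the way `{{- if $oidcEnabled }}` does; StrictTmpl compares it
// with "true". Both use Go's text/template, which is what Helm renders with.
const (
	NaiveTmpl  = `dependsOn: [cilium,kubeovn{{ if .OIDCEnabled }},keycloak-configure{{ end }}]`
	StrictTmpl = `dependsOn: [cilium,kubeovn{{ if eq .OIDCEnabled "true" }},keycloak-configure{{ end }}]`
)

// Render executes tmpl against data, standing in for the decoded ConfigMap data section.
func Render(tmpl string, data map[string]string) (string, error) {
	t, err := template.New("bundle").Parse(tmpl)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, data); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// ParseOIDCFlag turns the ConfigMap string into a boolean, accepting only the two
// spellings the review's validation allows; an absent key ("") means disabled.
func ParseOIDCFlag(raw string) (bool, error) {
	switch raw {
	case "true":
		return true, nil
	case "", "false":
		return false, nil
	}
	return false, fmt.Errorf("oidc-enabled must be \"true\" or \"false\", got %q", raw)
}

func main() {
	for _, v := range []string{"true", "false", ""} {
		data := map[string]string{"OIDCEnabled": v}
		naive, _ := Render(NaiveTmpl, data)
		strict, _ := Render(StrictTmpl, data)
		fmt.Printf("oidc-enabled=%q\n  naive:  %s\n  strict: %s\n", v, naive, strict)
	}
}
```

With oidc-enabled set to "false", the naive template still emits keycloak-configure as a dependency, which is exactly the deployment failure the dashboard comment worries about; the strict form and ParseOIDCFlag both treat only the string "true" as enabled.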

hack/e2e.sh Outdated
Comment on lines 127 to 132
apiServer:
extraArgs:
oidc-issuer-url: "https://keycloak.example.org/realms/cozy"
oidc-client-id: "kubernetes"
oidc-username-claim: "preferred_username"
oidc-groups-claim: "groups"
coderabbitai bot (Contributor):

🛠️ Refactor suggestion

Parameterize OIDC Configuration Values

The OIDC configuration parameters oidc-issuer-url, oidc-client-id, oidc-username-claim, and oidc-groups-claim are hardcoded with example values. To enhance flexibility and avoid potential errors, consider parameterizing these values or referencing them from a configuration file or environment variables.

Apply this diff to parameterize the OIDC configuration:

 apiServer:
   extraArgs:
-    oidc-issuer-url: "https://keycloak.example.org/realms/cozy"
-    oidc-client-id: "kubernetes"
-    oidc-username-claim: "preferred_username"
-    oidc-groups-claim: "groups"
+    oidc-issuer-url: "${OIDC_ISSUER_URL}"
+    oidc-client-id: "${OIDC_CLIENT_ID}"
+    oidc-username-claim: "${OIDC_USERNAME_CLAIM}"
+    oidc-groups-claim: "${OIDC_GROUPS_CLAIM}"
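
Review bot: the `${OIDC_*}` placeholders on the `+` lines expand to empty strings when unset, and an empty `oidc-issuer-url` is indistinguishable from the flag being absent, so the likely outcome is an api-server with OIDC quietly disabled rather than a visible failure; use `${OIDC_ISSUER_URL:?OIDC_ISSUER_URL is unset}` to fail fast, or `${OIDC_ISSUER_URL:-https://keycloak.example.org/realms/cozy}` to keep today's values as defaults, and the same for the other three. This also assumes the block sits in an unquoted heredoc; inside `<<'EOF'` the placeholders would be written out literally.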

Ensure that the corresponding environment variables are set before running the script.

Committable suggestion skipped: line range outside the PR's diff.

hack/e2e.sh Outdated
Comment on lines 299 to 305
kubectl patch -n tenant-root tenants.apps.cozystack.io root --type=merge -p '{"spec":{
"host": "example.org",
"ingress": true,
"monitoring": true,
"etcd": true,
"isolated": true
}}}'
}}'
coderabbitai bot (Contributor):

🛠️ Refactor suggestion

Parameterize Tenant Configuration Values

In the kubectl patch command, the host is set to "example.org". Consider parameterizing this value to make the script more adaptable to different environments.

Apply this diff to parameterize the host value:

 kubectl patch -n tenant-root tenants.apps.cozystack.io root --type=merge -p '{"spec":{
-  "host": "example.org",
+  "host": "'$HOST_DOMAIN'",
   "ingress": true,
   "monitoring": true,
   "etcd": true,
   "isolated": true
 }}'
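
Review bot: `'$HOST_DOMAIN'` on the `+` line closes and reopens the single quotes to splice the variable into the JSON literal, so any quote, brace or whitespace in the value breaks the patch and an unset variable yields `"host": ""`; build the payload with `jq -n --arg host "${HOST_DOMAIN:?}" '{spec:{host:$host,ingress:true,monitoring:true,etcd:true,isolated:true}}'` and pass it to `-p`, which escapes the value and aborts when the variable is missing.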

Remember to set the HOST_DOMAIN environment variable before running the script.

Committable suggestion skipped: line range outside the PR's diff.

packages/apps/tenant/templates/dashboard-resourcemap.yaml
Comment on lines 1 to 4
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ include "tenant.name" . }}-dashboard-resources
coderabbitai bot (Contributor):

⚠️ Potential issue

Correct Indentation in YAML File

There is a syntax error indicated by the static analysis tool due to improper indentation on line 4. Ensure that the name field is correctly indented under metadata.

Apply this diff to fix the indentation error:

 metadata:
- name: {{ include "tenant.name" . }}-dashboard-resources
+  name: {{ include "tenant.name" . }}-dashboard-resources
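
Review bot: the yamllint error on line 4 comes from the `{{ include ... }}` expression, not from indentation: yamllint reads `{{` as the start of a flow mapping, and an unrendered Helm template is not valid YAML, so re-indenting `name:` will not clear it (the flat indentation in the excerpt is most likely how the diff was rendered, not the file's). Lint the rendered chart instead (`helm template . | yamllint -`) or exclude `templates/` from yamllint.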

Committable suggestion skipped: line range outside the PR's diff.

🧰 Tools
🪛 yamllint (1.35.1)

[error] 4-4: syntax error: expected , but found ''

(syntax)

packages/system/keycloak-configure/templates/configure-kk.yaml
@@ -82,7 +81,7 @@ spec:
clientId: kubernetes
directAccess: true
public: false
webUrl: https://{{ $apiServerAdress }}/oauth2/callback
webUrl: https://localhost:8000/oauth2/callback
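
Review bot: with `public: false` kept three lines above and the redirect URI now `https://localhost:8000/oauth2/callback`, the kubernetes client remains a confidential client whose secret has to reach every workstation that runs the CLI login flow (kubeconfig.yaml in this PR already reads `$k8sClientSecret`); either document that this secret is effectively shared, or make the CLI client `public: true` with PKCE so no secret needs distributing.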
coderabbitai bot (Contributor):

⚠️ Potential issue

Ensure Consistent Use of Variables

The removal of the $apiServerAdress variable may affect other parts of the configuration if they rely on it. Ensure that all references to this variable are updated accordingly.

Search the codebase for any remaining references to $apiServerAdress:

#!/bin/bash
# Description: Find references to '$apiServerAdress' in the codebase.

rg '\$apiServerAdress' .

Update any occurrences to prevent undefined variable errors.

Comment on lines 1 to 10
{{- $cozyConfig := lookup "v1" "ConfigMap" "cozy-system" "cozystack" }}
{{- $oidcEnabled := index $cozyConfig.data "oidc-enabled" }}
{{- $host := index $cozyConfig.data "root-host" }}
{{- if not $host }}
{{- fail "ERROR need root-host in cozystack ConfigMap" }}
{{- end }}
{{- $apiServerEndpoint := index $cozyConfig.data "api-server-endpoint" }}
{{- if not $apiServerEndpoint }}
{{- fail "ERROR need api-server-endpoint in cozystack ConfigMap" }}
{{- end }}
coderabbitai bot (Contributor):

🛠️ Refactor suggestion

Consider extracting common configuration validation

The configuration validation logic is duplicated between paas-hosted.yaml and paas-full.yaml. Consider extracting this into a shared template to maintain DRY principles and ensure consistent validation across files.

Consider creating a shared template file (e.g., _helpers.tpl) with:

{{- define "cozystack.validateConfig" -}}
{{- /* Variables assigned inside a define are local to it: this helper only fails the
       render when a required key is missing; each bundle still has to look up
       $cozyConfig and $oidcEnabled itself after including it. */ -}}
{{- $cozyConfig := lookup "v1" "ConfigMap" "cozy-system" "cozystack" }}
{{- $host := index $cozyConfig.data "root-host" }}
{{- if not $host }}
{{- fail "ERROR need root-host in cozystack ConfigMap" }}
{{- end }}
{{- $apiServerEndpoint := index $cozyConfig.data "api-server-endpoint" }}
{{- if not $apiServerEndpoint }}
{{- fail "ERROR need api-server-endpoint in cozystack ConfigMap" }}
{{- end }}
{{- end -}}
🧰 Tools
🪛 yamllint (1.35.1)

[error] 1-1: syntax error: expected the node content, but found '-'

(syntax)

@dosubot dosubot bot added size:M This PR changes 30-99 lines, ignoring generated files. and removed size:L This PR changes 100-499 lines, ignoring generated files. labels Dec 4, 2024
@kvaps kvaps merged commit c62a83a into main Dec 4, 2024
1 of 2 checks passed
@kvaps kvaps deleted the release-0.19.0 branch December 4, 2024 20:05
klinch0 pushed a commit to klinch0/cozystack that referenced this pull request Dec 5, 2024
Labels: lgtm (This PR has been approved by a maintainer), size:M (This PR changes 30-99 lines, ignoring generated files.)