add services to dashboard

[klinch0]

Summary by CodeRabbit

• New Features

  • Introduced new Kubernetes Roles for managing access control to dashboard resources in the Redis, Kafka, and NATS applications.

• Version Updates

  • Updated Redis application version from 0.3.0 to 0.3.1.
  • Updated ClickHouse application version from 0.6.0 to 0.6.1.
  • Updated Kafka application version from 0.3.0 to 0.3.1.
  • Updated NATS application version from 0.3.0 to 0.3.1.
  • Revised versioning for multiple packages, indicating specific commit references.

[coderabbitai]

Walkthrough

The changes in this pull request involve updates to the Redis, ClickHouse, Kafka, and NATS applications, primarily focusing on version increments and the introduction of new Kubernetes Role resources. The Chart.yaml files for Redis, ClickHouse, Kafka, and NATS have had their version fields updated, while the appVersion fields remain unchanged. Additionally, new Role resources have been added in the dashboard-resourcemap.yaml files for both Redis and Kafka, and modifications were made to the Role definitions in the ClickHouse and NATS templates.

Changes

File	Change Summary
packages/apps/redis/Chart.yaml	Version updated from 0.3.0 to 0.3.1.
packages/apps/redis/templates/dashboard-resourcemap.yaml	New Role named {{ .Release.Name }}-dashboard-resources added with permissions for specific actions on resources.
packages/apps/versions_map	Redis package version updated from 0.3.0 HEAD to 0.3.0 c07c4bbd and new version 0.3.1 HEAD introduced.
packages/apps/clickhouse/Chart.yaml	Version updated from 0.6.0 to 0.6.1.
packages/apps/clickhouse/templates/dashboard-resourcemap.yaml	Resource name updated from chi-clickhouse-test-clickhouse-0-0 to chendpoint-{{ .Release.Name }}.
packages/apps/kafka/Chart.yaml	Version updated from 0.3.0 to 0.3.1.
packages/apps/kafka/templates/dashboard-resourcemap.yaml	New Role named {{ .Release.Name }}-dashboard-resources added with permissions for specific actions on resources.
packages/apps/nats/Chart.yaml	Version updated from 0.3.0 to 0.3.1.
packages/apps/nats/templates/nats.yaml	Updated password generation logic and Secret creation referencing new variable $passwords.
packages/apps/nats/templates/resourcemap.yaml	New rule added to Role for services with access permissions defined.

Possibly related PRs

• Add passwords generation to FerretDB #329: This PR updates the version in the Chart.yaml file for FerretDB, similar to the version update in the Chart.yaml for Redis in the main PR.
• add password for nats #477: This PR updates the version in the Chart.yaml file for NATS, which also reflects a version increment like the one in the main PR for Redis.

Suggested labels

size:L, lgtm

Suggested reviewers

• kvaps

Poem

In the garden of code, where changes bloom,
A new version hops, dispelling the gloom.
Roles are crafted, permissions in sight,
Redis now dances, oh what a delight!
With each little update, our project takes flight. 🐇✨

---

Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media?

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 1

🧹 Outside diff range and nitpick comments (1)

packages/apps/redis/templates/dashboard-resourcemap.yaml (1)

10-14: Document the purpose of each service.

Consider adding comments to explain the purpose of each service pattern:

• rfs-: Redis Fast Storage?
• rfrm-: Redis Fast Resource Manager?
• rfrs-: Redis Fast Resource Service?
• -external-lb: External Load Balancer

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL

📥 Commits

Reviewing files that changed from the base of the PR and between bdc7a92 and e5f3f62.

📒 Files selected for processing (3)

• packages/apps/redis/Chart.yaml (1 hunks)
• packages/apps/redis/templates/dashboard-resourcemap.yaml (1 hunks)
• packages/apps/versions_map (1 hunks)

✅ Files skipped from review due to trivial changes (1)

• packages/apps/redis/Chart.yaml

🧰 Additional context used

🪛 yamllint

packages/apps/redis/templates/dashboard-resourcemap.yaml

[error] 4-4: syntax error: expected , but found ''

(syntax)

🔇 Additional comments (2)

packages/apps/redis/templates/dashboard-resourcemap.yaml (1)

1-15: LGTM! Role follows security best practices.

The Role configuration follows the principle of least privilege by:

• Granting only read-only permissions (get, list, watch)
• Explicitly listing the target services
• Scoping permissions to specific service names

🧰 Tools

🪛 yamllint

[error] 4-4: syntax error: expected , but found ''

(syntax)

packages/apps/versions_map (1)

73-74: LGTM! Verify commit reference exists.

The version mapping changes look good:

• Pinning v0.3.0 to a specific commit improves stability
• Adding v0.4.0 aligns with the Chart.yaml version increment

Let's verify the commit reference exists:

[coderabbitai]

💡 Codebase verification

Services referenced in Role may be missing from the cluster configuration

Based on the verification results:

• Only the {{ .Release.Name }}-external-lb service is defined in the templates
• The services with prefixes rfs-, rfrm-, and rfrs- are not found in any service definitions within the Redis app templates
• These missing services are only referenced in the dashboard resource map

This suggests that the Role is trying to grant access to services that don't exist in the current configuration, which could lead to RBAC issues.

🔗 Analysis chain

Verify the existence of referenced services.

Let's ensure that all the services referenced in the Role actually exist in the cluster configuration.

---

Let me gather more information to check for potential StatefulSet or other resources that might be creating these services.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Search for service definitions in the repository
# Expected: Find template definitions for all services referenced in the Role

echo "Searching for service definitions..."
rg -t yaml --glob 'packages/apps/redis/**/*.yaml' -A 5 'kind:\s+Service'

echo "Searching for specific service names..."
for prefix in "rfs-" "rfrm-" "rfrs-" "-external-lb"; do
  echo "Looking for services with prefix: $prefix"
  rg -t yaml --glob 'packages/apps/redis/**/*.yaml' "name:\s+.*${prefix}"
done

Length of output: 2096

---

Script:

#!/bin/bash
# Search for StatefulSet and other potential resources that might be creating these services
echo "Searching for StatefulSet definitions..."
rg -t yaml --glob 'packages/apps/redis/**/*.yaml' -A 10 'kind:\s+StatefulSet'

echo "Searching for any references to the service prefixes in other resources..."
rg -t yaml --glob 'packages/apps/redis/**/*.yaml' 'rfs-|rfrm-|rfrs-'

Length of output: 657

[coderabbitai]

Actionable comments posted: 0

🧹 Outside diff range and nitpick comments (2)

packages/apps/redis/templates/dashboard-resourcemap.yaml (1)

1-15: LGTM - Role follows security best practices

The Role configuration demonstrates good security practices:

• Follows principle of least privilege with read-only operations
• Explicitly enumerates allowed services instead of using wildcards
• Properly scoped to specific apiGroups and resources

Consider documenting the purpose of each service in a comment to help future maintainers understand the access requirements.

🧰 Tools

🪛 yamllint

[error] 4-4: syntax error: expected , but found ''

(syntax)

packages/apps/kafka/templates/dashboard-resourcemap.yaml (1)

6-12: Consider documenting the purpose of service access permissions.

While the permissions are correctly configured, adding comments to explain why the dashboard needs access to the Kafka bootstrap service would improve maintainability.

 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   name: {{ .Release.Name }}-dashboard-resources
 rules:
+# Allow dashboard to discover Kafka bootstrap service endpoints
 - apiGroups:
   - ""
   resources:
   - services

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL

📥 Commits

Reviewing files that changed from the base of the PR and between e5f3f62 and c16b72a.

📒 Files selected for processing (10)

• packages/apps/clickhouse/Chart.yaml (1 hunks)
• packages/apps/clickhouse/templates/dashboard-resourcemap.yaml (1 hunks)
• packages/apps/kafka/Chart.yaml (1 hunks)
• packages/apps/kafka/templates/dashboard-resourcemap.yaml (1 hunks)
• packages/apps/nats/Chart.yaml (1 hunks)
• packages/apps/nats/templates/nats.yaml (1 hunks)
• packages/apps/nats/templates/resourcemap.yaml (1 hunks)
• packages/apps/redis/Chart.yaml (1 hunks)
• packages/apps/redis/templates/dashboard-resourcemap.yaml (1 hunks)
• packages/apps/versions_map (4 hunks)

✅ Files skipped from review due to trivial changes (3)

• packages/apps/clickhouse/Chart.yaml
• packages/apps/kafka/Chart.yaml
• packages/apps/nats/Chart.yaml

🚧 Files skipped from review as they are similar to previous changes (2)

• packages/apps/redis/Chart.yaml
• packages/apps/versions_map

🧰 Additional context used

🪛 yamllint

packages/apps/kafka/templates/dashboard-resourcemap.yaml

[error] 4-4: syntax error: expected , but found ''

(syntax)

packages/apps/redis/templates/dashboard-resourcemap.yaml

[error] 4-4: syntax error: expected , but found ''

(syntax)

🔇 Additional comments (7)

packages/apps/clickhouse/templates/dashboard-resourcemap.yaml (1)

11-11: LGTM! Good improvement in templating.

The change from a hardcoded service name to a dynamic chendpoint-{{ .Release.Name }} pattern follows Kubernetes best practices for templating and multi-tenant scenarios.

Let's verify that the new service naming pattern matches the actual services:

✅ Verification successful

Service naming pattern is correctly aligned

The verification confirms that:

• The new chendpoint- pattern is defined in clickhouse.yaml under serviceTemplates with generateName: chendpoint-{chi}
• The old chi-clickhouse pattern is not referenced anywhere in the templates
• The service naming is consistently templated using the release name

This change is safe and properly implemented across the ClickHouse templates.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify that services follow the new naming pattern

# Check if there are any existing services with the old pattern
rg -l 'chi-clickhouse-.*-clickhouse-\d+-\d+' --type yaml

# Check if the new service naming pattern is consistently used
rg -l 'chendpoint-' --type yaml

# Look for service name definitions in ClickHouse templates
fd -e yaml -e tpl . packages/apps/clickhouse/templates/ --exec grep -l 'name:'

Length of output: 558

---

Script:

#!/bin/bash
# Let's check the service name definition in clickhouse.yaml and verify the pattern
cat packages/apps/clickhouse/templates/clickhouse.yaml | grep -A 5 'name:'

# Also check if there are any other references to the old pattern in the templates
rg 'chi-clickhouse' packages/apps/clickhouse/templates/

Length of output: 1655

packages/apps/redis/templates/dashboard-resourcemap.yaml (1)

10-14: Services referenced in Role may be missing from the cluster configuration

The previous review identified that several services referenced in this Role are not defined in the Redis app templates:

• Services with prefixes rfs-, rfrm-, and rfrs- are not found
• Only the {{ .Release.Name }}-external-lb service appears to be defined

This could lead to RBAC issues as the Role is granting access to potentially non-existent services.

packages/apps/nats/templates/resourcemap.yaml (1)

6-12: LGTM! The RBAC rule follows security best practices.

The new rule for services access is well-structured with:

• Proper scoping to specific service name
• Read-only permissions following principle of least privilege
• Consistent pattern with existing secret access rule

Let's verify similar implementations across other services mentioned in the summary:

✅ Verification successful

RBAC implementation is consistent across services

The verification confirms that the RBAC implementation for service access is consistent across all applications. The new rule in NATS follows the same pattern found in other services:

• All services use read-only verbs (get, list, watch)
• Each rule is properly scoped to specific service names using Release.Name
• The API group is correctly specified as "" for core resources
• Similar structure combining both service and secret access rules

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify consistent RBAC implementation across Redis, ClickHouse, and Kafka apps

# Check for similar service access rules in other apps
echo "Checking service access rules in other apps..."
for app in redis clickhouse kafka; do
  echo "=== Checking $app ==="
  fd "resourcemap.yaml" "packages/apps/$app" --exec rg -A 5 "apiGroups.*services"
done

Length of output: 627

---

Script:

#!/bin/bash
# Let's first check if these files exist and then examine their content
echo "=== Checking existence of resourcemap.yaml files ==="
fd "resourcemap.yaml" "packages/apps/"

echo -e "\n=== Examining content of found files ==="
fd "resourcemap.yaml" "packages/apps/" --exec cat {}

Length of output: 5707

packages/apps/kafka/templates/dashboard-resourcemap.yaml (2)

1-5: LGTM! Role definition follows security best practices.

The Role is properly scoped to specific resources and follows the principle of least privilege.

🧰 Tools

🪛 yamllint

[error] 4-4: syntax error: expected , but found ''

(syntax)

---

13-19: Verify if additional permissions are needed for Redis integration.

Since this PR aims to add Redis services to the dashboard, we should verify if similar permissions will be needed for Redis-related resources.

✅ Verification successful

No additional secret permissions needed for Redis integration

The Redis dashboard resource map (packages/apps/redis/templates/dashboard-resourcemap.yaml) already contains the necessary RBAC permissions, which only require access to services. Unlike Kafka, Redis doesn't require access to additional secrets for dashboard operations, as verified by examining both the Redis CRD and dashboard resource definitions.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Check if similar RBAC patterns exist in other dashboard resource files
# and if Redis requires additional permissions

# Look for similar dashboard resource files
echo "Searching for other dashboard resource files..."
fd --type f "dashboard-resourcemap.yaml"

# Check for Redis-related resources that might need dashboard access
echo "Checking for Redis-related resources..."
fd --type f "\.yaml$" --exec grep -l "kind: Redis" {}

Length of output: 1214

---

Script:

#!/bin/bash
# Let's check the Redis dashboard resource map for any specific permissions
echo "Checking Redis dashboard resource map permissions..."
cat packages/apps/redis/templates/dashboard-resourcemap.yaml

# Let's also check the Redis operator CRD to understand what resources might need access
echo -e "\nChecking Redis CRD definition..."
cat packages/system/redis-operator/charts/redis-operator/crds/databases.spotahome.com_redisfailovers.yaml | grep -A 5 "kind:"

# Check Redis templates for any secret usage patterns
echo -e "\nChecking Redis templates for secret patterns..."
cat packages/apps/redis/templates/redisfailover.yaml | grep -A 5 "secret"

Length of output: 5261

packages/apps/nats/templates/nats.yaml (2)

Line range hint 1-11: LGTM! Robust password management implementation.

The password management logic is well-implemented with proper handling of both predefined and random passwords. The use of a local dictionary ensures consistent password references throughout the template.

---

Line range hint 43-51: Verify the accounts configuration impact.

The condition for merging NATS accounts now checks the length of $passwords instead of .Values.passwords. While this is more accurate, we should verify that this change doesn't affect existing NATS clusters during upgrades.

✅ Verification successful

Let me analyze the findings and generate additional verification scripts to better understand the NATS configuration structure and potential upgrade impacts.

This will help us understand:

1. How $passwords is used throughout the NATS configuration
2. Any documented version changes or upgrade notes
3. Other account configurations that might be impacted by this change

---

Let me generate one final verification script to understand how $passwords is defined and used in the template context.

This will help us understand the template context and password handling, which is crucial for determining if this is a breaking change.

---

Based on the analysis of the scripts' output, I can now generate the final response:

The NATS account configuration change is safe for upgrades

The change from .Values.passwords to $passwords is a local template variable refactoring that doesn't affect the underlying account configuration structure. The search results show:

1. No other NATS templates depend on this account configuration
2. The account structure in nats.yaml remains consistent with a single account "A" containing users
3. No breaking changes or upgrade notes related to NATS account configuration

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Check for potential breaking changes in NATS account configuration

# Look for any existing account configurations in other NATS-related files
rg -A 5 "accounts:|users:" --type yaml

# Check for any upgrade-related documentation or notes
fd -e md -e txt | xargs rg -i "nats.*upgrade|breaking.*change"

Length of output: 13498

---

Script:

#!/bin/bash
# Check for NATS configuration patterns and helm chart versioning

# Look for any NATS configuration templates and their usage of passwords/accounts
rg -A 10 "\$passwords" packages/apps/nats/

# Check for any helm chart version changes or upgrade notes
fd "Chart.yaml|CHANGELOG.md|README.md" packages/apps/nats/ | xargs rg -i "version|upgrade|breaking"

# Look for any other NATS account configurations that might be affected
rg -A 5 "accounts:|merge:" packages/apps/nats/

Length of output: 1881

---

Script:

#!/bin/bash
# Check for password variable definition and usage in templates

# Look for password variable definition and template context
rg -B 10 -A 5 "\{\{- \$passwords :=" packages/apps/nats/
rg -B 5 -A 5 "\.Values\.passwords" packages/apps/nats/

# Check for any template helpers or functions that might process passwords
fd "_helpers.tpl" packages/apps/nats/ | xargs rg "password"

Length of output: 102006

[kvaps]

Awesome, LGTM!