ASM-17946: fix cache pod security context and null volumes rendering

[Alex-Souslik]

What

Three bugs fixed in charts/akeyless-gateway/templates/akeyless-cache/cache.yaml:

1. Cache pod missing fsGroup → Redis permission denied on /data
Added a dedicated pod-level securityContext for the cache pod, driven by the new globalConfig.clusterCache.securityContext value (defaults to fsGroup: 1000). Without this, Redis (GID 1000) cannot write to a PVC-mounted /data directory, causing a crash loop.

2. Cache container security context inherited from gateway
The Redis container was using gateway.deployment.containerSecurityContext — the gateway's own setting. Replaced with a new independent globalConfig.clusterCache.containerSecurityContext value. This also prevents a conflict with ASM-17923 (readOnlyRootFilesystem on the gateway): setting that on the gateway will no longer silently propagate to Redis.

3. Empty volumes/volumeMounts blocks rendered as null
When persistence is disabled, TLS is off, and no extra volumes are set, both blocks were emitted with no content (volumes: null), producing an invalid pod spec. Wrapped both blocks in {{- if or ... }} guards.

Values added

globalConfig:
  clusterCache:
    securityContext:       # pod-level; defaults to fsGroup: 1000
      fsGroup: 1000
    containerSecurityContext: {}  # container-level; empty by default

Chart version

1.20.1 → 1.20.2

Summary by CodeRabbit

• Chores

  • Bumped Helm chart version to 2.0.8
  • Added pod-level and container-level securityContext settings for the cache
  • Improved conditional handling for optional features (persistence, TLS, custom volume mounts/volumes)
  • Ignored local Claude settings file (.claude/settings.local.json)

• Documentation

  • Added repository guide for Helm chart usage, layout, commands, chart versioning rules, and CI/release workflows

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔄 Running review...

📝 Walkthrough

Walkthrough

Adds pod and container securityContext for the cache Deployment, consolidates volumeMounts/volumes conditionals to render when persistence OR TLS OR extra volumes are present, bumps akeyless-gateway chart version to 2.0.8, and adds CLAUDE.md plus a .gitignore entry.

Changes

Cache Security Context and Configuration

Layer / File(s)	Summary
Values Schema charts/akeyless-gateway/values.yaml	Adds globalConfig.clusterCache.securityContext with fsGroup: 1000 and a containerSecurityContext object.
Security Context Implementation charts/akeyless-gateway/templates/akeyless-cache/cache.yaml	Renders pod-level spec.template.spec.securityContext from globalConfig.clusterCache.securityContext and container-level containers[].securityContext from globalConfig.clusterCache.containerSecurityContext.
Volume Conditional Refinement charts/akeyless-gateway/templates/akeyless-cache/cache.yaml	Consolidates volumeMounts and volumes so they emit only when persistence OR TLS OR extra volumes/mounts are configured.
Chart Version charts/akeyless-gateway/Chart.yaml	Chart version updated to 2.0.8.
Docs / Repo Config CLAUDE.md, .gitignore	Adds repository guidance CLAUDE.md and ignores .claude/settings.local.json in .gitignore (duplicate entry present).

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Suggested reviewers

• omriezra

Poem

🐰 A hop, a patch, a chart bumped neat,
Pod and container contexts find their seat,
Volumes only mount when options align,
Docs and ignores added — tidy and fine,
The helm hops onward, version now 2.0.8.

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title directly and specifically describes the main changes: fixing cache pod security context configuration and preventing null volumes rendering in the Helm chart template.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch ASM-17946

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

charts/akeyless-gateway/templates/akeyless-cache/cache.yaml (1)

147-173: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Validate extraVolumesMounts has matching extraVolumes.

Line 147 can render volumeMounts from extraVolumesMounts while Line 160 may still omit volumes if extraVolumes is empty. That yields mounts referencing non-existent volumes.

Suggested guard

+      {{- if and .Values.globalConfig.clusterCache.extraVolumesMounts (not .Values.globalConfig.clusterCache.extraVolumes) }}
+      {{- fail "globalConfig.clusterCache.extraVolumesMounts requires globalConfig.clusterCache.extraVolumes" }}
+      {{- end }}
       {{- if or .Values.globalConfig.clusterCache.persistence.enabled (eq "true" (include "akeyless-gateway.clusterCache.enableTls" . )) .Values.globalConfig.clusterCache.extraVolumesMounts }}
       volumeMounts:

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@charts/akeyless-gateway/templates/akeyless-cache/cache.yaml` around lines 147
- 173, The template can render
.Values.globalConfig.clusterCache.extraVolumesMounts into volumeMounts while not
rendering corresponding .Values.globalConfig.clusterCache.extraVolumes into
volumes, creating mounts that reference missing volumes; update the conditional
logic so the volumes: block is rendered whenever extraVolumesMounts is present
(e.g. extend the existing or condition that controls the volumes block to
include .Values.globalConfig.clusterCache.extraVolumesMounts) or alternatively
wrap the extraVolumesMounts rendering inside a guard that only emits mounts when
.Values.globalConfig.clusterCache.extraVolumes is non-empty; refer to the
symbols .Values.globalConfig.clusterCache.extraVolumesMounts and
.Values.globalConfig.clusterCache.extraVolumes and the volume/volumeMounts
template sections to locate where to apply the guard.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Outside diff comments:
In `@charts/akeyless-gateway/templates/akeyless-cache/cache.yaml`:
- Around line 147-173: The template can render
.Values.globalConfig.clusterCache.extraVolumesMounts into volumeMounts while not
rendering corresponding .Values.globalConfig.clusterCache.extraVolumes into
volumes, creating mounts that reference missing volumes; update the conditional
logic so the volumes: block is rendered whenever extraVolumesMounts is present
(e.g. extend the existing or condition that controls the volumes block to
include .Values.globalConfig.clusterCache.extraVolumesMounts) or alternatively
wrap the extraVolumesMounts rendering inside a guard that only emits mounts when
.Values.globalConfig.clusterCache.extraVolumes is non-empty; refer to the
symbols .Values.globalConfig.clusterCache.extraVolumesMounts and
.Values.globalConfig.clusterCache.extraVolumes and the volume/volumeMounts
template sections to locate where to apply the guard.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: db0286f1-64a3-4bd1-a7f2-21ca6d0173f1

📥 Commits

Reviewing files that changed from the base of the PR and between 5902934 and b9d64d2.

📒 Files selected for processing (3)

• charts/akeyless-gateway/Chart.yaml
• charts/akeyless-gateway/templates/akeyless-cache/cache.yaml
• charts/akeyless-gateway/values.yaml

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@charts/akeyless-gateway/values.yaml`:
- Around line 128-133: The fsGroup in the securityContext is set incorrectly to
the redis user's UID (999); change securityContext.fsGroup to 1000 to match the
redis group GID used by the official redis:8.2.5-alpine image, and update the
surrounding inline comment to state that 1000 is the GID of the redis group (not
the user UID) so the PVC will be chown'ed correctly and writable when
persistence.enabled=true.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: a9414407-dd31-4307-937d-d66520ea5fc8

📥 Commits

Reviewing files that changed from the base of the PR and between bc546a4 and 4618850.

📒 Files selected for processing (5)

• .gitignore
• CLAUDE.md
• charts/akeyless-gateway/Chart.yaml
• charts/akeyless-gateway/templates/akeyless-cache/cache.yaml
• charts/akeyless-gateway/values.yaml

✅ Files skipped from review due to trivial changes (2)

• .gitignore
• charts/akeyless-gateway/Chart.yaml