Signed-off-by: Bonusree <bonusree@appscode.com>
| GitGuardian id | GitGuardian status | Secret | Commit | Filename | |
|---|---|---|---|---|---|
| 34433002 | Triggered | Generic CLI Secret | ec54da8 | docs/guides/percona-xtradb/initialization/script_source.md | View secret |
| 34433003 | Triggered | Generic CLI Secret | ec54da8 | docs/guides/clickhouse/initialization/script_source.md | View secret |
| 34433003 | Triggered | Generic CLI Secret | ec54da8 | docs/guides/clickhouse/initialization/script_source.md | View secret |
🛠 Guidelines to remediate hardcoded secrets
- Understand the implications of revoking this secret by investigating where it is used in your code.
- Replace and store your secrets safely. Learn here the best practices.
- Revoke and rotate these secrets.
- If possible, rewrite git history. Rewriting git history is not a trivial act. You might completely break other contributing developers' workflow and you risk accidentally deleting legitimate data.
To avoid such incidents in the future consider
- following these best practices for managing and storing secrets including API keys and other credentials
- install secret detection on pre-commit to catch secret before it leaves your machine and ease remediation.
🦉 GitGuardian detects secrets in your source code to help developers and security teams secure the modern development process. You are seeing this because you or someone else with access to this repository has authorized GitGuardian to scan your pull request.
Important: Review skipped. Draft detected.
📝 Walkthrough
This PR adds new documentation guides for initializing databases using Script Source backed by Kubernetes ConfigMaps, covering ClickHouse, PerconaXtraDB, PgBouncer, ProxySQL, and RabbitMQ. It also includes a new ClickHouse example manifest and a minor command update in the existing Postgres initialization guide.
Changes: Script Source Initialization Documentation
Estimated code review effort: 2 (Simple) | ~15 minutes
🚥 Pre-merge checks: ✅ Passed checks (5 passed)
Actionable comments posted: 3
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@docs/guides/clickhouse/initialization/script_source.md`:
- Around line 89-91: The `kubectl create -f` example in the `script-clickhouse`
initialization docs points to the wrong manifest filename and will 404. Update
the URL in the command to match the actual added manifest name used by this
guide, keeping the `script_clickhouse` example consistent with the generated
file path so the CR creation step works.
- Around line 228-245: The ClickHouse walkthrough in the initialization script
source is exposing a concrete auth secret and then reusing it in the example
client commands. Update the section around the password retrieval and the
`kubectl exec ... clickhouse-client` examples to use a placeholder or shell
variable instead of embedding the actual value, and keep the secret retrieval
command as the only way to obtain it.
In `@docs/guides/rabbitmq/initialization/script_source.md`:
- Around line 113-125: The RabbitMQ initialization example is exposing a
concrete password value in the walkthrough. Update the password example in the
script_source.md guide so it uses a placeholder instead of a reusable-looking
secret, keeping the command and context intact while removing the generated
credential-like value. Use the existing Username/Password example block to
locate the change.
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro Plus
Run ID: 69f85a73-87b8-48eb-8690-2f58710c8ff7
📒 Files selected for processing (11)
- docs/examples/clickhouse/initialization/script_clickhouse.yaml
- docs/guides/clickhouse/initialization/_index.md
- docs/guides/clickhouse/initialization/script_source.md
- docs/guides/percona-xtradb/initialization/_index.md
- docs/guides/percona-xtradb/initialization/script_source.md
- docs/guides/pgbouncer/initialization/script_source.md
- docs/guides/postgres/initialization/script_source.md
- docs/guides/proxysql/initialization/_index.md
- docs/guides/proxysql/initialization/script_source.md
- docs/guides/rabbitmq/initialization/_index.md
- docs/guides/rabbitmq/initialization/script_source.md
| ```bash | ||
| $ kubectl create -f https://github.com/kubedb/docs/raw/{{< param "info.version" >}}/docs/examples/clickhouse/initialization/script-clickhouse.yaml | ||
| clickhouse.kubedb.com/script-clickhouse created |
🎯 Functional Correctness | 🟠 Major | ⚡ Quick win
Fix the example manifest path.
The kubectl create -f command points at script-clickhouse.yaml, but the file added in this PR is script_clickhouse.yaml. That URL will 404 and blocks the tutorial at the CR creation step.
🐛 Proposed fix
- $ kubectl create -f https://github.com/kubedb/docs/raw/{{< param "info.version" >}}/docs/examples/clickhouse/initialization/script-clickhouse.yaml
+ $ kubectl create -f https://github.com/kubedb/docs/raw/{{< param "info.version" >}}/docs/examples/clickhouse/initialization/script_clickhouse.yaml
📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| ```bash | |
| $ kubectl create -f https://github.com/kubedb/docs/raw/{{< param "info.version" >}}/docs/examples/clickhouse/initialization/script-clickhouse.yaml | |
| clickhouse.kubedb.com/script-clickhouse created |
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@docs/guides/clickhouse/initialization/script_source.md` around lines 89 - 91,
The `kubectl create -f` example in the `script-clickhouse` initialization docs
points to the wrong manifest filename and will 404. Update the URL in the
command to match the actual added manifest name used by this guide, keeping the
`script_clickhouse` example consistent with the generated file path so the CR
creation step works.
| - Password: Run the following command to get the *password*: | ||
|
|
||
| ```bash | ||
| $ kubectl get secret -n demo script-clickhouse-auth -o jsonpath='{.data.password}' | base64 -d | ||
| NkBpF0IQRCZ2isMb | ||
| ``` | ||
|
|
||
| Now, connect to ClickHouse using the `clickhouse-client` and run the following query to confirm initialization: | ||
|
|
||
| ```bash | ||
| $ kubectl exec -it -n demo script-clickhouse-0 -- clickhouse-client --user=admin --password=NkBpF0IQRCZ2isMb --query "SHOW TABLES FROM init_script" | ||
| kubedb_table | ||
| ``` | ||
|
|
||
| You can also verify that the table was populated correctly: | ||
|
|
||
| ```bash | ||
| $ kubectl exec -it -n demo script-clickhouse-0 -- clickhouse-client --user=admin --password=NkBpF0IQRCZ2isMb --query "SELECT * FROM init_script.kubedb_table" |
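Review bot: Both `kubectl exec` lines in this hunk pass the credential inline as `--password=NkBpF0IQRCZ2isMb`, so a reader who follows the guide will type their own decoded password into the command and leave it in shell history. Suggest having the retrieval step assign the decoded value to a shell variable instead of printing it, and referencing that variable in both `clickhouse-client` calls, which keeps the literal out of the guide and out of what the reader types. Note that the value still reaches `clickhouse-client` as a command-line argument either way, so the guide should not present this as hiding it from the process list.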
🔒 Security & Privacy | 🟠 Major | ⚡ Quick win
Redact the auth secret from the walkthrough.
The example publishes a concrete password and reuses it in the clickhouse-client command. Replace it with a placeholder or shell variable so the docs don’t embed credential-like values.
🛡️ Proposed fix
- NkBpF0IQRCZ2isMb
+ <password>
...
- $ kubectl exec -it -n demo script-clickhouse-0 -- clickhouse-client --user=admin --password=NkBpF0IQRCZ2isMb --query "SHOW TABLES FROM init_script"
+ $ kubectl exec -it -n demo script-clickhouse-0 -- clickhouse-client --user=admin --password="$PASSWORD" --query "SHOW TABLES FROM init_script"
📝 Committable suggestion
| - Password: Run the following command to get the *password*: | |
| ```bash | |
| $ kubectl get secret -n demo script-clickhouse-auth -o jsonpath='{.data.password}' | base64 -d | |
| NkBpF0IQRCZ2isMb | |
| ``` | |
| Now, connect to ClickHouse using the `clickhouse-client` and run the following query to confirm initialization: | |
| ```bash | |
| $ kubectl exec -it -n demo script-clickhouse-0 -- clickhouse-client --user=admin --password=NkBpF0IQRCZ2isMb --query "SHOW TABLES FROM init_script" | |
| kubedb_table | |
| ``` | |
| You can also verify that the table was populated correctly: | |
| ```bash | |
| $ kubectl exec -it -n demo script-clickhouse-0 -- clickhouse-client --user=admin --password=NkBpF0IQRCZ2isMb --query "SELECT * FROM init_script.kubedb_table" | |
| - Password: Run the following command to get the *password*: |
🧰 Tools
🪛 Betterleaks (1.6.0)
[high] 238-238: Detected a Generic API Key, potentially exposing access to various services and sensitive operations.
(generic-api-key)
[high] 245-245: Detected a Generic API Key, potentially exposing access to various services and sensitive operations.
(generic-api-key)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@docs/guides/clickhouse/initialization/script_source.md` around lines 228 -
245, The ClickHouse walkthrough in the initialization script source is exposing
a concrete auth secret and then reusing it in the example client commands.
Update the section around the password retrieval and the `kubectl exec ...
clickhouse-client` examples to use a placeholder or shell variable instead of
embedding the actual value, and keep the secret retrieval command as the only
way to obtain it.
Source: Linters/SAST tools
| - Username: Run the following command to get the *username*: | ||
|
|
||
| ```bash | ||
| $ kubectl get secret -n demo script-rabbitmq-auth -o jsonpath='{.data.username}' | base64 -d | ||
| admin | ||
| ``` | ||
|
|
||
| - Password: Run the following command to get the *password*: | ||
|
|
||
| ```bash | ||
| $ kubectl get secret -n demo script-rabbitmq-auth -o jsonpath='{.data.password}' | base64 -d | ||
| S3cur3P@ssw0rd | ||
| ``` |
🔒 Security & Privacy | 🟠 Major | ⚡ Quick win
Redact the generated password in the example.
The doc prints a concrete password value and makes it look reusable. Replace it with a placeholder so the walkthrough doesn’t publish credential-like data.
🛡️ Proposed fix
- S3cur3P@ssw0rd
+ <password>
📝 Committable suggestion
| - Username: Run the following command to get the *username*: | |
| ```bash | |
| $ kubectl get secret -n demo script-rabbitmq-auth -o jsonpath='{.data.username}' | base64 -d | |
| admin | |
| ``` | |
| - Password: Run the following command to get the *password*: | |
| ```bash | |
| $ kubectl get secret -n demo script-rabbitmq-auth -o jsonpath='{.data.password}' | base64 -d | |
| S3cur3P@ssw0rd | |
| ``` | |
| - Username: Run the following command to get the *username*: |
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@docs/guides/rabbitmq/initialization/script_source.md` around lines 113 - 125,
The RabbitMQ initialization example is exposing a concrete password value in the
walkthrough. Update the password example in the script_source.md guide so it
uses a placeholder instead of a reusable-looking secret, keeping the command and
context intact while removing the generated credential-like value. Use the
existing Username/Password example block to locate the change.
Signed-off-by: Bonusree <bonusree@appscode.com>
Visit the preview URL for this PR (updated for commit 1d6f6aa): https://kubedb-v2-hugo--pr949-init-8hej03nl.web.app (expires Wed, 08 Jul 2026 12:49:40 GMT) 🔥 via Firebase Hosting GitHub Action 🌎 Sign: 0f29ae8ae0bd54a99bf2b223b6833be47acd5943 |
Summary by CodeRabbit