initialization from script #949

Draft: Bonusree wants to merge 2 commits into master from init
Bonusree (Contributor) commented Jul 1, 2026

Summary by CodeRabbit

  • Documentation
    • Added new initialization guides for ClickHouse, PerconaXtraDB, PgBouncer, ProxySQL, and RabbitMQ.
    • Added matching guide index pages to the documentation navigation.
    • Expanded step-by-step examples showing how to initialize each product using ConfigMap-based scripts and verify the setup.
    • Updated Postgres initialization verification steps to use simpler secret lookup commands.

Signed-off-by: Bonusree <bonusree@appscode.com>
gitguardian Bot commented Jul 1, 2026

⚠️ GitGuardian has uncovered 3 secrets following the scan of your pull request.

Please consider investigating the findings and remediating the incidents. Failure to do so may lead to compromising the associated services or software components.

🔎 Detected hardcoded secrets in your pull request
| GitGuardian id | GitGuardian status | Secret | Commit | Filename |
|---|---|---|---|---|
| 34433002 | Triggered | Generic CLI Secret | ec54da8 | docs/guides/percona-xtradb/initialization/script_source.md |
| 34433003 | Triggered | Generic CLI Secret | ec54da8 | docs/guides/clickhouse/initialization/script_source.md |
| 34433003 | Triggered | Generic CLI Secret | ec54da8 | docs/guides/clickhouse/initialization/script_source.md |

🛠 Guidelines to remediate hardcoded secrets
  1. Understand the implications of revoking this secret by investigating where it is used in your code.
  2. Replace and store your secrets safely. Learn here the best practices.
  3. Revoke and rotate these secrets.
  4. If possible, rewrite git history. Rewriting git history is not a trivial act. You might completely break other contributing developers' workflow and you risk accidentally deleting legitimate data.

To avoid such incidents in the future consider


Bonusree marked this pull request as draft July 1, 2026 11:15

coderabbitai Bot commented Jul 1, 2026

Important

Review skipped

Draft detected.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

Walkthrough

This PR adds new documentation guides for initializing databases using Script Source backed by Kubernetes ConfigMaps, covering ClickHouse, PerconaXtraDB, PgBouncer, ProxySQL, and RabbitMQ. It also includes a new ClickHouse example manifest and a minor command update in the existing Postgres initialization guide.

Changes

Script Source Initialization Documentation

| Layer / File(s) | Summary |
|---|---|
| ClickHouse Script Source guide and example manifest: docs/examples/clickhouse/initialization/script_clickhouse.yaml, docs/guides/clickhouse/initialization/_index.md, docs/guides/clickhouse/initialization/script_source.md | Adds a ClickHouse manifest using ConfigMap-backed init scripts and a full guide covering setup, CR creation, verification via clickhouse-client, and cleanup. |
| PerconaXtraDB Script Source guide: docs/guides/percona-xtradb/initialization/_index.md, docs/guides/percona-xtradb/initialization/script_source.md | Adds an index page and a full guide for initializing PerconaXtraDB clusters using a ConfigMap init.sql script, including verification via MySQL queries and cleanup. |
| PgBouncer Script Source guide: docs/guides/pgbouncer/initialization/script_source.md | Adds a full guide for initializing PgBouncer with a ConfigMap-backed .sh script, including Postgres backend setup, pool verification via psql, and cleanup. |
| ProxySQL Script Source guide: docs/guides/proxysql/initialization/_index.md, docs/guides/proxysql/initialization/script_source.md | Adds an index page and a full guide for initializing ProxySQL using ConfigMap-backed SQL scripts against a MySQL Group Replication backend, including verification and cleanup. |
| RabbitMQ Script Source guide: docs/guides/rabbitmq/initialization/_index.md, docs/guides/rabbitmq/initialization/script_source.md | Adds an index page and a full guide for initializing RabbitMQ using a definitions.json ConfigMap, including rabbitmqctl verification and cleanup. |
| Postgres guide secret command update: docs/guides/postgres/initialization/script_source.md | Updates username/password retrieval commands in the verification steps to use kubectl get secret with simplified jsonpath accessors. |

Estimated code review effort: 2 (Simple) | ~15 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title matches the core change: adding documentation for initializing resources from scripts. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |

coderabbitai Bot left a comment

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@docs/guides/clickhouse/initialization/script_source.md`:
- Around line 89-91: The `kubectl create -f` example in the `script-clickhouse`
initialization docs points to the wrong manifest filename and will 404. Update
the URL in the command to match the actual added manifest name used by this
guide, keeping the `script_clickhouse` example consistent with the generated
file path so the CR creation step works.
- Around line 228-245: The ClickHouse walkthrough in the initialization script
source is exposing a concrete auth secret and then reusing it in the example
client commands. Update the section around the password retrieval and the
`kubectl exec ... clickhouse-client` examples to use a placeholder or shell
variable instead of embedding the actual value, and keep the secret retrieval
command as the only way to obtain it.

In `@docs/guides/rabbitmq/initialization/script_source.md`:
- Around line 113-125: The RabbitMQ initialization example is exposing a
concrete password value in the walkthrough. Update the password example in the
script_source.md guide so it uses a placeholder instead of a reusable-looking
secret, keeping the command and context intact while removing the generated
credential-like value. Use the existing Username/Password example block to
locate the change.
📥 Commits

Reviewing files that changed from the base of the PR and between 405b88b and ec54da8.

📒 Files selected for processing (11)
  • docs/examples/clickhouse/initialization/script_clickhouse.yaml
  • docs/guides/clickhouse/initialization/_index.md
  • docs/guides/clickhouse/initialization/script_source.md
  • docs/guides/percona-xtradb/initialization/_index.md
  • docs/guides/percona-xtradb/initialization/script_source.md
  • docs/guides/pgbouncer/initialization/script_source.md
  • docs/guides/postgres/initialization/script_source.md
  • docs/guides/proxysql/initialization/_index.md
  • docs/guides/proxysql/initialization/script_source.md
  • docs/guides/rabbitmq/initialization/_index.md
  • docs/guides/rabbitmq/initialization/script_source.md

Comment on lines +89 to +91
```bash
$ kubectl create -f https://github.com/kubedb/docs/raw/{{< param "info.version" >}}/docs/examples/clickhouse/initialization/script-clickhouse.yaml
clickhouse.kubedb.com/script-clickhouse created
```

🎯 Functional Correctness | 🟠 Major | ⚡ Quick win

Fix the example manifest path.

The kubectl create -f command points at script-clickhouse.yaml, but the file added in this PR is script_clickhouse.yaml. That URL will 404 and blocks the tutorial at the CR creation step.

🐛 Proposed fix
- $ kubectl create -f https://github.com/kubedb/docs/raw/{{< param "info.version" >}}/docs/examples/clickhouse/initialization/script-clickhouse.yaml
+ $ kubectl create -f https://github.com/kubedb/docs/raw/{{< param "info.version" >}}/docs/examples/clickhouse/initialization/script_clickhouse.yaml
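
Review bot: On the `+` line the URL now ends in `script_clickhouse.yaml` while the resource the same example creates is still named `script-clickhouse`, so the guide ends up with two spellings for one example. The underscore form matches the file listed under "Files selected for processing", so the fix works as written; renaming the manifest to the hyphenated form instead would keep the file name and the resource name consistent and leave the guide's URL untouched.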

Comment on lines +228 to +245
- Password: Run the following command to get the *password*:

```bash
$ kubectl get secret -n demo script-clickhouse-auth -o jsonpath='{.data.password}' | base64 -d
NkBpF0IQRCZ2isMb
```

Now, connect to ClickHouse using the `clickhouse-client` and run the following query to confirm initialization:

```bash
$ kubectl exec -it -n demo script-clickhouse-0 -- clickhouse-client --user=admin --password=NkBpF0IQRCZ2isMb --query "SHOW TABLES FROM init_script"
kubedb_table
```

You can also verify that the table was populated correctly:

```bash
$ kubectl exec -it -n demo script-clickhouse-0 -- clickhouse-client --user=admin --password=NkBpF0IQRCZ2isMb --query "SELECT * FROM init_script.kubedb_table"
```

🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

Redact the auth secret from the walkthrough.

The example publishes a concrete password and reuses it in the clickhouse-client command. Replace it with a placeholder or shell variable so the docs don’t embed credential-like values.

🛡️ Proposed fix
-  NkBpF0IQRCZ2isMb
+  <password>
...
- $ kubectl exec -it -n demo script-clickhouse-0 -- clickhouse-client --user=admin --password=NkBpF0IQRCZ2isMb --query "SHOW TABLES FROM init_script"
+ $ kubectl exec -it -n demo script-clickhouse-0 -- clickhouse-client --user=admin --password="$PASSWORD" --query "SHOW TABLES FROM init_script"
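
Review bot: The `+` line passes `--password="$PASSWORD"`, but nothing in the hunk assigns `PASSWORD`; the retrieval step above it still only prints the decoded value, so a reader who copies the commands in order runs the client with an empty variable. Have the retrieval step capture the value, for example `PASSWORD=$(kubectl get secret -n demo script-clickhouse-auth -o jsonpath='{.data.password}' | base64 -d)`, and apply the same substitution to the second `clickhouse-client` call in the commented range (`SELECT * FROM init_script.kubedb_table`), which the hunk elides with `...`.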
🧰 Tools
🪛 Betterleaks (1.6.0)

[high] 238-238: Detected a Generic API Key, potentially exposing access to various services and sensitive operations.

(generic-api-key)


[high] 245-245: Detected a Generic API Key, potentially exposing access to various services and sensitive operations.

(generic-api-key)

Source: Linters/SAST tools

Comment on lines +113 to +125
- Username: Run the following command to get the *username*:

```bash
$ kubectl get secret -n demo script-rabbitmq-auth -o jsonpath='{.data.username}' | base64 -d
admin
```

- Password: Run the following command to get the *password*:

```bash
$ kubectl get secret -n demo script-rabbitmq-auth -o jsonpath='{.data.password}' | base64 -d
S3cur3P@ssw0rd
```

🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

Redact the generated password in the example.

The doc prints a concrete password value and makes it look reusable. Replace it with a placeholder so the walkthrough doesn’t publish credential-like data.

🛡️ Proposed fix
-  S3cur3P@ssw0rd
+  <password>
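
Review bot: Redaction here is limited to the single printed output line under the password command. If the guide sets or repeats `S3cur3P@ssw0rd` anywhere else, such as in a manifest or a later command of the walkthrough, that occurrence needs the `<password>` placeholder too; a search of the file for the literal before merging settles it.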

Signed-off-by: Bonusree <bonusree@appscode.com>
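
Added example (not part of the PR, the guides, or any bot's review): a small documentation lint for the pattern the two secret findings above describe, where the decoded output of `kubectl get secret ... | base64 -d` is pasted into a guide and then reused in a later command. The sample document, its resource names and its secret value are constructed for illustration, and `find_leaks` and `redact` are hypothetical helper names.

```python
import re

FENCE = "`" * 3  # built indirectly so the sample can sit inside a fenced block

# Constructed sample shaped like the quoted walkthrough; names and secret are made up.
SAMPLE_DOC = f"""- Password: Run the following command to get the *password*:

{FENCE}bash
$ kubectl get secret -n demo example-auth -o jsonpath='{{.data.password}}' | base64 -d
ExAmPlE0nly0000
{FENCE}

{FENCE}bash
$ kubectl exec -it -n demo example-0 -- clickhouse-client --user=admin --password=ExAmPlE0nly0000 --query "SHOW TABLES FROM init_script"
kubedb_table
{FENCE}
"""

# A prompt line that decodes the password key of a Kubernetes Secret.
DECODE_CMD = re.compile(r"^\$ kubectl get secret\b.*\.data\.password.*\|\s*base64\s+(-d|--decode)\b")
PLACEHOLDER = re.compile(r"^<[^<>]+>$")


def find_leaks(doc):
    """Return (line_number, kind, value) for each pasted or reused secret."""
    lines = doc.splitlines()
    findings, values = [], []
    for i, line in enumerate(lines[:-1]):
        out = lines[i + 1].strip()
        if not DECODE_CMD.match(line.strip()):
            continue
        # The next line is pasted output unless the block ends or it is a placeholder.
        if out and not out.startswith((FENCE, "$")) and not PLACEHOLDER.match(out):
            findings.append((i + 2, "pasted-output", out))
            values.append(out)
    for n, line in enumerate(lines, start=1):
        for v in values:
            if v in line and line.strip() != v:
                findings.append((n, "reused-in-command", v))
    return findings


def redact(doc):
    """Swap pasted output for <password> and reuse for "$PASSWORD"."""
    lines = doc.splitlines()
    for n, kind, value in find_leaks(doc):
        repl = "<password>" if kind == "pasted-output" else '"$PASSWORD"'
        lines[n - 1] = lines[n - 1].replace(value, repl)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for finding in find_leaks(SAMPLE_DOC):
        print(finding)
```

Run over a docs tree in CI, a non-empty result from `find_leaks` is the signal to fail the build; `redact` mirrors the placeholder and shell-variable substitutions proposed in the review.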
github-actions Bot commented Jul 1, 2026

Visit the preview URL for this PR (updated for commit 1d6f6aa):

https://kubedb-v2-hugo--pr949-init-8hej03nl.web.app

(expires Wed, 08 Jul 2026 12:49:40 GMT)

🔥 via Firebase Hosting GitHub Action 🌎

Sign: 0f29ae8ae0bd54a99bf2b223b6833be47acd5943
