Skip to content

[MOSIP-44684] Fixed the issue related to pushing reports to MinIO#177

Open
abhishek8shankar wants to merge 2 commits into
mosip:developfrom
abhishek8shankar:MOSIP-44684
Open

[MOSIP-44684] Fixed the issue related to pushing reports to MinIO#177
abhishek8shankar wants to merge 2 commits into
mosip:developfrom
abhishek8shankar:MOSIP-44684

Conversation

@abhishek8shankar

@abhishek8shankar abhishek8shankar commented May 13, 2026

Copy link
Copy Markdown
Member

Summary by CodeRabbit

  • Chores
    • Improved installer: stricter error handling, empty-input exit, and enhanced prompts.
    • Stronger S3 onboarding validation for bucket, region, and endpoint inputs; retrieves required S3 credentials automatically.
    • Container build now verifies the storage client binary version during image creation.
    • Deployment process uses enhanced wait behavior for installs.
    • Default S3 secret cleared and onboarding module list updated (some modules added/removed).

Review Change Stack

Signed-off-by: Abhi <abhishek.shankarcs@gmail.com>
@coderabbitai

coderabbitai Bot commented May 13, 2026

Copy link
Copy Markdown

Walkthrough

Updates Dockerfile to verify MinIO mc during image build and reorders build arguments/ENTRYPOINT. Strengthens deploy/install.sh with strict bash options, non-empty and pattern validation for S3 inputs, retrieves S3 credentials from Kubernetes, and uses Helm --wait/--wait-for-jobs. Helm values remove a hardcoded S3 user-secret.

Changes

Dockerfile Container Image Build

Layer / File(s) Summary
MinIO mc binary installation and verification
Dockerfile
curl -fsSL downloads mc, chmod makes it executable, and mc --version verifies installation during image build.
Dockerfile structure reorganization
Dockerfile
Container user/group build arguments are repositioned alongside surrounding comments/blank lines, and ENTRYPOINT ["./entrypoint.sh"] is moved to a later line without content change.

S3 Onboarding Script and Configuration

Layer / File(s) Summary
Bash error handling and script initialization
deploy/install.sh
Script enables set -e and set -o (errexit, nounset, errtrace, pipefail) and invokes installing_onboarder.
User flag input validation
deploy/install.sh
Header normalized and explicit check exits when initial flag prompt input is empty; onboarding start adjusted for namespace/configmap deletion steps.
S3 parameter input validation
deploy/install.sh
Validates s3_bucket and s3_region against empty and whitelist patterns (no spaces/special chars) and requires non-empty s3_url, exiting on invalid input.
Kubernetes credential retrieval and Helm deployment
deploy/install.sh
Fetches s3-user-secret and s3-user-key from Kubernetes and passes host/region/bucket/user-key to Helm install with --wait and --wait-for-jobs, keeping ENABLE_INSECURE override.
Post-deployment messaging and confirmation
deploy/install.sh
Adjusts post-Helm messaging and GitHub README URL formatting, then prompts for confirmation and prints success vs pending messages per response.
Helm chart S3 secrets configuration
helm/partner-onboarder/values.yaml
onboarding.secrets.s3.s3-user-secret default changed from 'password' to '', enabling population from Kubernetes.

Deployment values update

Layer / File(s) Summary
Onboarding modules and variables
deploy/values.yaml
Removes mobileid and demo-oidc, adds mimoto, mock-rp-oidc, mimoto-oidc, signup-oidc (all enabled: false), and keeps onboarding.variables (push_reports_to_s3: true, mosipid: false) positioned after modules.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐇 In a burrow of code I hop with cheer,
I curl the bytes and chase each fear,
Secrets fetched from gardens green,
Helm plants seeds where pods convene,
Ship it snug — the onboarding's near! 🌱

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 inconclusive)

Check name Status Explanation Resolution
Title check ❓ Inconclusive The PR title references pushing reports to MinIO, but the changeset encompasses broader infrastructure changes including bash error handling, S3 input validation, and Helm configurations that extend beyond just MinIO report pushing. Clarify whether the title should reflect the broader scope of changes (error handling, S3 validation, Helm updates) or if it accurately represents the primary objective; consider if the title is too narrow for the actual changes made.
✅ Passed checks (4 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 5

🧹 Nitpick comments (2)
deploy/install.sh (2)

33-33: ⚡ Quick win

Use read -r to prevent backslash interpretation.

The read commands at lines 33, 53, 65, 72, and 107 should use the -r flag to prevent backslash sequences from being interpreted. Without -r, input containing backslashes will be mangled. While unlikely for the current use cases, using read -r is a shell scripting best practice.

🐚 Proposed fix
-  read -p "Is values.yaml for onboarder chart set correctly as part of Pre-requisites?(Y/n) " yn;
+  read -r -p "Is values.yaml for onboarder chart set correctly as part of Pre-requisites?(Y/n) " yn;
 
   if [ "$yn" = "Y" ]; then
 
     echo Istio label
     kubectl label ns $NS istio-injection=disabled --overwrite
 
     helm repo update
 
     echo Copy configmaps
     kubectl -n $NS --ignore-not-found=true delete cm s3
     kubectl -n $NS --ignore-not-found=true delete cm onboarder-namespace
 
     sed -i 's/\r$//' copy_cm.sh
     ./copy_cm.sh
 
     echo Copy secrets
     sed -i 's/\r$//' copy_secrets.sh
     ./copy_secrets.sh
 
-    read -p "Provide onboarder bucket name : " s3_bucket
+    read -r -p "Provide onboarder bucket name : " s3_bucket
 
     if [[ -z "$s3_bucket" ]]; then
       echo "s3_bucket not provided; EXITING;"
       exit 1
     fi
 
     if [[ $s3_bucket == *[' !@#$%^&*()+']* ]]; then
       echo "s3_bucket should not contain spaces / any special character; EXITING"
       exit 1
     fi
 
-    read -p "Provide onboarder s3 bucket region : " s3_region
+    read -r -p "Provide onboarder s3 bucket region : " s3_region
 
     if [[ $s3_region == *[' !@#$%^&*()+']* ]]; then
       echo "s3_region should not contain spaces / any special character; EXITING"
       exit 1
     fi
 
-    read -p "Provide S3 URL : " s3_url
+    read -r -p "Provide S3 URL : " s3_url
 
     if [[ -z "$s3_url" ]]; then
       echo "s3_url not provided; EXITING;"
       exit 1
     fi

...

     echo -e "\e[1mHave you completed the changes mentioned in the onboarding document? (y/n)\e[0m"
-    read answer
+    read -r answer

As per static analysis hints, Shellcheck flags these as SC2162.

Also applies to: 53-53, 65-65, 72-72, 107-107

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@deploy/install.sh` at line 33, The read prompts in deploy/install.sh are
missing the -r flag, so backslashes in user input could be interpreted; update
each interactive read invocation (the prompt lines using read like the one
asking "Is values.yaml for onboarder chart set correctly..." and the other read
calls at the same locations) to use read -r so input is read raw (e.g., change
read "..." to read -r "...") for all occurrences flagged (the read calls at the
lines corresponding to the prompts around the values.yaml check and the other
prompts referenced).

60-63: ⚡ Quick win

Consider more appropriate validation patterns for S3 parameters.

The current character validation pattern *[' !@#$%^&*()+']* has a few concerns:

  1. For s3_bucket: AWS S3 bucket names have specific rules (lowercase letters, numbers, hyphens, and periods only; 3-63 characters). The current pattern allows many characters that would fail S3 bucket creation.
  2. For s3_region: AWS regions follow a specific format (e.g., us-east-1). The current pattern rejects hyphens, which are required.
  3. Pattern inconsistency: The error message says "any special character" but only checks a subset.
💡 Proposed fix with more accurate validation
     if [[ -z "$s3_bucket" ]]; then
       echo "s3_bucket not provided; EXITING;"
       exit 1
     fi
 
-    if [[ $s3_bucket == *[' !@#$%^&*()+']* ]]; then
-      echo "s3_bucket should not contain spaces / any special character; EXITING"
+    if [[ ! "$s3_bucket" =~ ^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$ ]]; then
+      echo "s3_bucket must be 3-63 characters, lowercase letters, numbers, hyphens, and periods only; EXITING"
       exit 1
     fi
 
     read -p "Provide onboarder s3 bucket region : " s3_region
 
-    if [[ $s3_region == *[' !@#$%^&*()+']* ]]; then
-      echo "s3_region should not contain spaces / any special character; EXITING"
+    if [[ -n "$s3_region" && ! "$s3_region" =~ ^[a-z0-9-]+$ ]]; then
+      echo "s3_region should contain only lowercase letters, numbers, and hyphens; EXITING"
       exit 1
     fi

Note: If using MinIO or other S3-compatible storage with different naming rules, adjust the regex accordingly.

Also applies to: 67-70

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@deploy/install.sh` around lines 60 - 63, Replace the brittle glob check with
proper regex validation for S3 names: validate s3_bucket using a regex enforcing
S3 rules (3–63 chars, lowercase letters, numbers, hyphens and periods, cannot
start or end with a hyphen/period) and check length separately (refer to
variable s3_bucket), and validate s3_region with a region pattern like
^[a-z]{2}(-[a-z]+)*-\d+$ (refer to variable s3_region) so hyphens are allowed;
also update the echo messages to state the exact validation rule that failed;
apply the same corrected validation logic where s3_region/s3_bucket are
currently checked (the blocks around the existing checks).
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@deploy/install.sh`:
- Around line 65-70: The s3_region validation currently only checks for special
characters but not emptiness; update the install.sh validation for the variable
s3_region to include an empty-string check consistent with s3_bucket and s3_url
validations (or add a clear comment if empty is intentionally allowed). Locate
the prompt/read for s3_region and the following conditional that uses the
pattern check, then add the same empty-check logic used for s3_bucket/s3_url (or
annotate intent) so that s3_region cannot be blank unless explicitly permitted.
- Around line 79-81: The script fetches s3_user_secret and s3_user_key via
kubectl but does not validate them; update the install.sh after the kubectl
commands to check that both s3_user_secret and s3_user_key are non-empty (and
not null/unset) and if either is empty print a clear error mentioning the
missing variable and exit non-zero before running Helm, referencing the
variables s3_user_secret and s3_user_key and the kubectl retrieval commands so
the validation runs immediately after those lines.
- Around line 119-126: Move the error-handling flags (set -e, set -o errexit,
set -o nounset, set -o errtrace, set -o pipefail) to immediately after the
script shebang so they apply to the entire script execution, and remove the
duplicate block currently placed just before the call to installing_onboarder;
ensure the flags are placed before any namespace creation, prompts or
environment setup so functions like installing_onboarder and any earlier logic
run under the strict error semantics.
- Line 90: The unquoted use of the shell variable ENABLE_INSECURE can cause word
splitting/globbing (SC2086); update the invocation that currently uses
$ENABLE_INSECURE so the flag is safely quoted as "$ENABLE_INSECURE" or,
preferably, change the pattern to conditionally append the flag only when
ENABLE_INSECURE is non-empty (e.g., test -n "$ENABLE_INSECURE" and then include
the flag) so that the code that references ENABLE_INSECURE is robust against
multi-word values.

In `@Dockerfile`:
- Around line 16-18: Pin the MinIO mc binary to a specific release and verify
its SHA256 checksum before making it executable: replace the current curl of the
floating URL that downloads /bin/mc with two downloads (the specific RELEASE.*
mc binary and its corresponding .sha256sum), run sha256sum -c against the
downloaded checksum, then chmod +x /bin/mc and run mc --version; reference the
mc binary download and the checksum verification step so the Dockerfile uses a
fixed release and validates integrity.

---

Nitpick comments:
In `@deploy/install.sh`:
- Line 33: The read prompts in deploy/install.sh are missing the -r flag, so
backslashes in user input could be interpreted; update each interactive read
invocation (the prompt lines using read like the one asking "Is values.yaml for
onboarder chart set correctly..." and the other read calls at the same
locations) to use read -r so input is read raw (e.g., change read "..." to read
-r "...") for all occurrences flagged (the read calls at the lines corresponding
to the prompts around the values.yaml check and the other prompts referenced).
- Around line 60-63: Replace the brittle glob check with proper regex validation
for S3 names: validate s3_bucket using a regex enforcing S3 rules (3–63 chars,
lowercase letters, numbers, hyphens and periods, cannot start or end with a
hyphen/period) and check length separately (refer to variable s3_bucket), and
validate s3_region with a region pattern like ^[a-z]{2}(-[a-z]+)*-\d+$ (refer to
variable s3_region) so hyphens are allowed; also update the echo messages to
state the exact validation rule that failed; apply the same corrected validation
logic where s3_region/s3_bucket are currently checked (the blocks around the
existing checks).
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 0eb0260d-21aa-4124-853a-b51f76111521

📥 Commits

Reviewing files that changed from the base of the PR and between 8c50bcd and f895a87.

📒 Files selected for processing (3)
  • Dockerfile
  • deploy/install.sh
  • helm/partner-onboarder/values.yaml

Comment thread deploy/install.sh
Comment thread deploy/install.sh
Comment thread deploy/install.sh
Comment thread deploy/install.sh
Comment thread Dockerfile
Signed-off-by: Abhishek S <127825992+abhishek8shankar@users.noreply.github.com>

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@deploy/values.yaml`:
- Around line 11-26: Remove or guard all references to the deleted modules in
install/default.sh: delete the certificate upload block that targets "mobileid"
and remove the client ID extraction that looks for
"mpartner-default-demo-oidc-clientID" (or replace it with the current valid
client name if applicable); ensure any variables, conditional checks or function
calls tied to "mobileid" or "demo-oidc" are also removed or wrapped behind a
feature flag check so the script no longer assumes those modules exist during
onboarding.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 23966c40-3770-4acc-adbb-d2b52467b497

📥 Commits

Reviewing files that changed from the base of the PR and between f895a87 and 3cf13ba.

📒 Files selected for processing (1)
  • deploy/values.yaml

Comment thread deploy/values.yaml
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants