Skip to content

[MOSIP-43894, MOSIP-43640, MOSIP-44014, DSD-9381] Port release-1.3.x …#141

Open
ckm007 wants to merge 9 commits into
mosip:developfrom
ckm007:port/release-1.3.x-to-develop
Open

[MOSIP-43894, MOSIP-43640, MOSIP-44014, DSD-9381] Port release-1.3.x …#141
ckm007 wants to merge 9 commits into
mosip:developfrom
ckm007:port/release-1.3.x-to-develop

Conversation

@ckm007

@ckm007 ckm007 commented Jun 4, 2026

Copy link
Copy Markdown
Member

…improvements to develop

postgres-upgrade:

  • Dockerfile: add COPY for otp-manager and digital-card-service db_upgrade_scripts
  • repo-list.txt: fix resident -> resident-services, add digital-card-service and otp-manager
  • upgrade.csv: append 1.2.x -> 1.3.0 upgrade paths alongside existing 1.1.x -> 1.2.x paths

CI workflow:

  • push-trigger.yml: add MOSIP* branch trigger; add get-db-upgrade-scripts and build-upgrade-dockers jobs to build postgres-upgrade docker image on push

helm/postgres-upgrade:

  • postgres-upgrade-job.yaml: fix indentation and env var quoting (MOSIP-44014)
  • values.yaml: update image from mosipdev:release-1.2.0.1 to mosipqa:develop

deploy:

  • postgres-install.sh: add PostgreSQL image override, ISTIO_ADDONS_CHART_VERSION, switch istio-addons from local chart to mosip/istio-addons helm repo chart
  • postgres-istio-addons-values.yaml: new istio config for postgres
  • masterdata-loader/: new directory replacing flat copy-secrets-masterdata.sh and masterdata-install.sh; install.sh uses CHART_VERSION=0.0.1-develop and mosipDataGithubBranch=develop
  • postgres/ansible/: add ansible playbooks for VM-based postgres setup and cleanup
  • Remove deploy/chart/istio-addons/ (replaced by mosip/istio-addons helm repo chart)

Skipped: helm/postgres-init (develop uses generic template architecture from MOSIP-37808, incompatible with release-1.3.x per-DB template approach); helm chart versions kept as 0.0.1-develop; get_db_data.sh kept as-is (develop pulls all repos from develop branch via $1 parameter)

Summary by CodeRabbit

  • New Features

    • Added CI flows to package and build PostgreSQL upgrade artifacts and images; added automated PostgreSQL provisioning, cleanup, setup and inventory tooling.
  • Documentation

    • Added comprehensive PostgreSQL deployment/operational docs and Masterdata loader README; updated chart README content.
  • Bug Fixes

    • Fixed a conditional syntax error in a DB helper script.
  • Chores

    • Updated upgrade image references, added upgrade scripts, and removed obsolete Istio chart entries and ignore rules.

…improvements to develop

postgres-upgrade:
- Dockerfile: add COPY for otp-manager and digital-card-service db_upgrade_scripts
- repo-list.txt: fix resident -> resident-services, add digital-card-service and otp-manager
- upgrade.csv: append 1.2.x -> 1.3.0 upgrade paths alongside existing 1.1.x -> 1.2.x paths

CI workflow:
- push-trigger.yml: add MOSIP* branch trigger; add get-db-upgrade-scripts and
  build-upgrade-dockers jobs to build postgres-upgrade docker image on push

helm/postgres-upgrade:
- postgres-upgrade-job.yaml: fix indentation and env var quoting (MOSIP-44014)
- values.yaml: update image from mosipdev:release-1.2.0.1 to mosipqa:develop

deploy:
- postgres-install.sh: add PostgreSQL image override, ISTIO_ADDONS_CHART_VERSION,
  switch istio-addons from local chart to mosip/istio-addons helm repo chart
- postgres-istio-addons-values.yaml: new istio config for postgres
- masterdata-loader/: new directory replacing flat copy-secrets-masterdata.sh and
  masterdata-install.sh; install.sh uses CHART_VERSION=0.0.1-develop and
  mosipDataGithubBranch=develop
- postgres/ansible/: add ansible playbooks for VM-based postgres setup and cleanup
- Remove deploy/chart/istio-addons/ (replaced by mosip/istio-addons helm repo chart)

Skipped: helm/postgres-init (develop uses generic template architecture from
MOSIP-37808, incompatible with release-1.3.x per-DB template approach);
helm chart versions kept as 0.0.1-develop; get_db_data.sh kept as-is
(develop pulls all repos from develop branch via $1 parameter)

Signed-off-by: ckm007 <chandrakeshavmishra@gmail.com>
@coderabbitai

coderabbitai Bot commented Jun 4, 2026

Copy link
Copy Markdown

Review Change Stack

Warning

Review limit reached

@ckm007, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 38 minutes and 38 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 2a67df41-6a75-4696-a4c3-208485c59fa8

📥 Commits

Reviewing files that changed from the base of the PR and between bbe01da and c578474.

📒 Files selected for processing (2)
  • .github/workflows/push-trigger.yml
  • deploy/postgres-install.sh

Walkthrough

Adds postgres-upgrade CI artifact/build flow, Ansible-based PostgreSQL provisioning/cleanup tooling and inventory generation, updates Helm/istio install wiring, tweaks masterdata-loader scripts/docs, and includes related templates and Dockerfile adjustments.

Changes

PostgreSQL Infrastructure & Deployment

Layer / File(s) Summary
Postgres-upgrade Docker Build Pipeline
.github/workflows/push-trigger.yml, postgres-upgrade/repo-list.txt, postgres-upgrade/get_db_data.sh, postgres-upgrade/Dockerfile, helm/postgres-upgrade/values.yaml, helm/postgres-upgrade/templates/postgres-upgrade-job.yaml
GitHub Actions workflow adds postgres-upgrade CI path with artifact staging and reusable docker-build invocation; repo list expanded to service-specific entries; get_db_data.sh conditional fixed; Dockerfile copies additional service db upgrade dirs; Helm values/template adjusted and image defaults changed to QA registry.
Istio Helm Chart Refactoring
deploy/postgres-install.sh, deploy/postgres-istio-addons-values.yaml
Postgres install now sets ISTIO_ADDONS_CHART_VERSION and installs mosip/istio-addons with a dedicated values file instead of local chart + ConfigMap-based postgresHost override.
Interactive PostgreSQL Inventory Configuration
deploy/postgres/ansible/setup-vm-inventory.sh, deploy/postgres/ansible/hosts.ini
Interactive script collects VM/SSH/PostgreSQL configuration, generates hosts.ini with connection settings and group variables, and optionally validates connectivity.
PostgreSQL Provision & Configuration Playbook
deploy/postgres/ansible/postgresql-setup.yml
Core playbook handles encrypted password reuse/generation, storage formatting/mounting, OS-package installation, data migration, postgresql.conf/pg_hba.conf updates, credential verification, and emits Kubernetes Secret/ConfigMap YAML.
Playbook Runner & Status/Cleanup Tooling
deploy/postgres/ansible/run-postgresql-playbook.sh, deploy/postgres/ansible/check-postgresql-status.sh, deploy/postgres/ansible/cleanup-postgresql.sh, deploy/postgres/ansible/postgresql-cleanup.yml
Runner script validates prerequisites, manages secrets directory, parses CLI, and executes the playbook; status script aggregates remote health info; cleanup script and playbook provide interactive quick/safe/complete removal with optional backups and device wipe.
PostgreSQL Deployment Documentation
deploy/postgres/ansible/README.md
Comprehensive guide covering quick-start workflow, feature list, configuration examples, advanced usage, Kubernetes artifact generation, security measures, requirements checklist, and change-log.
Masterdata Loader Script Updates
deploy/masterdata-loader/README.md, deploy/masterdata-loader/install.sh, deploy/masterdata-loader/copy_secret.sh
New masterdata-loader README added; install script updated to invoke copy_secret.sh after CRLF stripping; helper download URL fixed to raw.githubusercontent.com.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Poem

🐰 I hopped through scripts and playbooks wide,
Packed upgrades, secrets, and mounts beside,
I fetched the patches, built the image light,
And tucked the database in for the night.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 73.33% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (4 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The PR title references 4 JIRA tickets and mentions porting release-1.3.x improvements to develop, which aligns with the multi-faceted changeset including postgres-upgrade enhancements, CI workflow updates, Helm chart modifications, and new Ansible deployment infrastructure.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

ckm007 added 2 commits June 4, 2026 15:36
The elif clause for 'esignet' was missing 'then', causing a bash syntax
error. This was a pre-existing bug exposed when the get-db-upgrade-scripts
CI job started executing the script.

Signed-off-by: ckm007 <chandrakeshavmishra@gmail.com>
When triggered by a pull_request event, github.ref is refs/pull/<N>/merge
which strips to 'merge' - a non-existent branch. Use github.head_ref for
PR events to get the actual source branch name.

Signed-off-by: ckm007 <chandrakeshavmishra@gmail.com>

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 17

🧹 Nitpick comments (6)
deploy/postgres-istio-addons-values.yaml (1)

3-5: ⚡ Quick win

Make Istio host/controller values overridable per environment.

istio.host and ingressController are hard-coded, and deploy/postgres-install.sh Line 25 consumes this file directly. That couples the installer to one environment and forces manual edits for others.

Proposed change
--- a/deploy/postgres-install.sh
+++ b/deploy/postgres-install.sh
@@
 NS=postgres
 ISTIO_ADDONS_CHART_VERSION=1.0.0
+ISTIO_HOST="${ISTIO_HOST:-postgres.sandbox.xyz.net}"
+ISTIO_INGRESS_CONTROLLER="${ISTIO_INGRESS_CONTROLLER:-ingressgateway-internal}"
@@
-  helm -n $NS install istio-addons mosip/istio-addons --version $ISTIO_ADDONS_CHART_VERSION -f postgres-istio-addons-values.yaml --wait
+  helm -n $NS install istio-addons mosip/istio-addons \
+    --version $ISTIO_ADDONS_CHART_VERSION \
+    -f postgres-istio-addons-values.yaml \
+    --set istio.host="$ISTIO_HOST" \
+    --set istio.ingressController="$ISTIO_INGRESS_CONTROLLER" \
+    --wait
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@deploy/postgres-istio-addons-values.yaml` around lines 3 - 5, The istio.host
and ingressController values are hard-coded in
postgres-istio-addons-values.yaml, coupling the installer to one environment;
update the YAML to make istio.host and ingressController configurable (e.g.,
replace fixed literals with overridable placeholders or defaults) and modify the
installer script that consumes this file so it can accept environment-specific
overrides (via env vars, CLI flags, or passing a different values file) and
inject those into istio.host and ingressController at runtime; ensure the
symbols istio.host and ingressController remain the keys used so downstream code
keeps working.
deploy/postgres/ansible/cleanup-postgresql.sh (1)

200-200: ⚡ Quick win

Add -r flag to read commands to prevent backslash interpretation.

Without the -r flag, backslashes in user input will be interpreted as escape sequences, which could cause issues with confirmation strings.

🔧 Proposed fix
-        read -p "Type 'DELETE EVERYTHING' to confirm device wipe: " device_confirm
+        read -r -p "Type 'DELETE EVERYTHING' to confirm device wipe: " device_confirm
         if [[ "$device_confirm" != "DELETE EVERYTHING" ]]; then
             echo "Device wipe cancelled."
             exit 1
         fi
     fi
     
-    read -p "Are you sure you want to proceed with PostgreSQL cleanup? (y/N): " confirm
+    read -r -p "Are you sure you want to proceed with PostgreSQL cleanup? (y/N): " confirm
     if [[ $confirm != [yY] && $confirm != [yY][eE][sS] ]]; then

Also applies to: 207-207

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@deploy/postgres/ansible/cleanup-postgresql.sh` at line 200, Update the
interactive prompts that use read (e.g., the lines setting device_confirm and
the similar read around line 207) to add the -r flag so backslashes in user
input are not treated as escape sequences; change instances like read -p "Type
'DELETE EVERYTHING' to confirm device wipe: " device_confirm to read -r -p "..."
device_confirm (and apply the same -r addition to the other read invocation
referenced).
deploy/postgres/ansible/postgresql-setup.yml (1)

403-411: ⚖️ Poor tradeoff

PGPASSWORD environment variable could be visible in process listings.

While these tasks are marked no_log: true, the PGPASSWORD environment variable is exported within shell commands and could be visible in process listings during execution. This is a known limitation of using environment variables for authentication in subprocess commands.

Consider using PostgreSQL's .pgpass file mechanism for production deployments, which is more secure than environment variables. However, this would require additional playbook logic to create and manage the .pgpass file with proper permissions.

Also applies to: 413-421

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@deploy/postgres/ansible/postgresql-setup.yml` around lines 403 - 411, The
task that exports PGPASSWORD in the shell ("Test password authentication locally
first") can leak secrets via process listings; replace the inline PGPASSWORD
export with creating and using a temporary .pgpass file instead: write a line
using {{ postgres_host|default('localhost') }}:{{ postgres_port }}:*:postgres:{{
postgres_password }} into a file (e.g., /tmp/pgpass_{{ inventory_hostname }}),
set strict permissions (chmod 600) before invoking psql, run psql pointing to
that file via HOME or PGPASSFILE environment, capture the result into
local_password_test as before, and ensure the .pgpass file is removed after the
check; apply the same change to the similar task at 413-421 and keep no_log:
true for registered variables.
deploy/postgres/ansible/postgresql-cleanup.yml (1)

183-188: 💤 Low value

Incomplete task: checks for backup but doesn't restore it.

The task is named "Restore original pg_hba.conf backup" but only performs a stat check and doesn't actually restore anything. The registered original_backup variable is never used in subsequent tasks.

Either remove this task if restoration is not needed, or complete the restoration logic if it was intended.

🗑️ Option 1: Remove unused task
-    # Restore original pg_hba.conf backup if exists
-    - name: Check for original pg_hba.conf backup
-      stat:
-        path: "{{ postgres_config_dir }}/pg_hba.conf.*~"
-      register: original_backup
-      ignore_errors: yes
-      
     # Final verification
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@deploy/postgres/ansible/postgresql-cleanup.yml` around lines 183 - 188, The
current task named "Restore original pg_hba.conf backup" only runs a stat and
registers original_backup but never restores anything; fix by adding a follow-up
task that actually restores the backup when original_backup.stat.exists is true:
locate the backup using the same glob "{{ postgres_config_dir }}/pg_hba.conf.*~"
(or use with_fileglob to capture the actual filename), then move or copy that
backup over "{{ postgres_config_dir }}/pg_hba.conf" (use the command/shell mv or
the copy module with remote_src: yes) and ensure the task uses when:
original_backup.stat.exists and appropriate become: yes and notifies a restart
if needed; alternatively, if no restore is intended, simply remove the stat task
and the original_backup registration.
deploy/postgres/ansible/setup-vm-inventory.sh (1)

70-70: ⚡ Quick win

Add -r flag to all read commands to prevent backslash interpretation.

Without the -r flag, read will interpret backslashes as escape sequences, which can cause issues when users enter file paths or other values containing backslashes. This is especially important for the SSH key path input where backslashes might be present.

🔧 Proposed fix

Replace all read -p with read -r -p:

-    read -p "Do you want to overwrite it? (y/N): " overwrite
+    read -r -p "Do you want to overwrite it? (y/N): " overwrite

Apply the same change to all other read -p commands on lines 83, 92, 106, 123, 127, 136, 145, 153, 162, 172, and 195.

Also applies to: 83-83, 92-92, 106-106, 123-123, 127-127, 136-136, 145-145, 153-153, 162-162, 172-172, 195-195

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@deploy/postgres/ansible/setup-vm-inventory.sh` at line 70, Replace every
occurrence of the interactive input commands that use read -p with read -r -p to
prevent backslash interpretation (e.g., the SSH key path prompt and all other
read -p prompts in the script); update each read invocation to add the -r flag
so user-entered backslashes are treated literally.
deploy/postgres/ansible/run-postgresql-playbook.sh (1)

204-204: ⚡ Quick win

Add -r flag to read command.

Without the -r flag, backslashes in user input will be interpreted as escape sequences.

🔧 Proposed fix
-        read -p "Do you want to proceed with PostgreSQL secure setup? (y/N): " -n 1 -r
+        read -r -p "Do you want to proceed with PostgreSQL secure setup? (y/N): " -n 1
         echo

Note: The -r flag should come before -p, and the existing -r at the end is actually part of the REPLY variable pattern check, not the read flags.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@deploy/postgres/ansible/run-postgresql-playbook.sh` at line 204, The read
invocation that prompts "Do you want to proceed with PostgreSQL secure setup?
(y/N):" is not correctly using the raw-input flag; move the -r flag into the
read options (before -p) so backslashes in user input are not treated as escapes
and keep the -n 1 option; update the read command invocation (the read prompt
line) to include -r among its flags rather than relying on the trailing -r which
is not a flag there.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/push-trigger.yml:
- Line 64: The guard expression using "!contains(github.ref, 'master') ||
!contains(github.ref, 'main')" is always true; change it to use logical AND so
both contains checks must be false: replace with "if: ${{ !contains(github.ref,
'master') && !contains(github.ref, 'main') }}" (or equivalently "if: ${{
!(contains(github.ref, 'master') || contains(github.ref, 'main')) }}") for the
same if lines shown and replicate this fix for the other occurrences referenced.
- Around line 53-63: The BRANCH_NAME derivation using github.ref breaks on
pull_request events because github.ref becomes refs/pull/<id>/merge; update the
branch resolution logic that sets BRANCH_NAME (used when calling get_db_data.sh)
to be event-aware: if github.event_name == "pull_request" use
github.event.pull_request.head.ref, otherwise strip the prefix from github.ref
as currently done. Modify the step that echoes BRANCH_NAME into $GITHUB_ENV so
it selects the appropriate source based on github.event_name before invoking
get_db_data.sh.
- Around line 50-51: The workflow uses mutable action refs (actions/checkout@v3,
actions/upload-artifact@v4, mosip/kattu/.../docker-build.yml@master); replace
those with immutable pinned refs (use the corresponding action commit SHAs
instead of tags/branch names) and update the checkout step (the actions/checkout
usage) to harden credentials by setting persist-credentials to false and
fetch-depth to 0 so the runner doesn't expose unnecessary token access or
shallow clones; ensure the remote docker-build reusable workflow reference is
replaced with a specific commit SHA as well.

In `@deploy/masterdata-loader/install.sh`:
- Line 33: install.sh invokes ./copy_secret.sh which currently fetches a GitHub
"blob" HTML URL (see deploy/masterdata-loader/copy_secret.sh) causing curl to
return text/html and break the secret copy; fix by updating the helper URL to
the raw file endpoint and use a robust curl invocation. Modify the UTIL_URL
value in deploy/masterdata-loader/copy_secret.sh to point to the
raw.githubusercontent.com raw file (or otherwise construct the raw URL from the
repo/branch/path), and ensure the download uses curl -fsSL (or equivalent) and
validates a shell/plaintext Content-Type before executing; keep install.sh
calling ./copy_secret.sh unchanged but rely on the corrected UTIL_URL and curl
flags in copy_secret.sh.

In `@deploy/masterdata-loader/README.md`:
- Around line 7-9: The fenced code block in README.md currently lacks a language
tag which triggers MD040; update the snippet that shows ./install.sh to use a
bash code fence by adding "bash" after the opening backticks so the block
becomes a bash fenced code block (i.e., replace ``` with ```bash) to satisfy
markdownlint.

In `@deploy/postgres-install.sh`:
- Line 12: The script deploy/postgres-install.sh calls "helm repo update" then
installs "mosip/istio-addons" but never ensures the mosip repo exists; update
the script to check for the mosip repo (e.g., run "helm repo list" and grep for
the "mosip" entry) and if missing add it with "helm repo add mosip
https://mosip.github.io/mosip-helm" before running helm repo update and the helm
install of "mosip/istio-addons" so the install call succeeds in a clean
environment.

In `@deploy/postgres/ansible/check-postgresql-status.sh`:
- Line 36: The check-postgresql-status.sh script currently runs a Debian-only
command ("dpkg -l | grep postgresql") which will fail on RHEL/CentOS; update the
remote check to detect the host OS family (via Ansible facts or /etc/os-release)
and run the appropriate package query per host: use rpm -qa | grep postgresql
for RedHat family and dpkg -l | grep postgresql for Debian family (or consult
ansible_facts['os_family']) and log "No PostgreSQL packages found" only if
neither check finds packages; update the ansible shell invocation that currently
contains the dpkg command to branch based on the detected OS family (refer to
the command in check-postgresql-status.sh).
- Around line 102-118: The ansible shell payload is wrapped in single quotes so
remote shell substitutions like $(hostname), $(date) and $(dpkg -l | grep
postgresql | wc -l) are not expanded; change the invocation in the ansible
"$TARGET_GROUP" -i "$INVENTORY_FILE" -m shell -a block to use double quotes for
the outer string and escape all dollar signs (e.g. \$(...)) so the commands are
evaluated on the remote host, or alternatively replace the inline quoted script
with a here-doc/EOF form passed to -a to preserve expansion; update the echoed
lines that reference $(...) and any $vars accordingly.

In `@deploy/postgres/ansible/postgresql-cleanup.yml`:
- Around line 151-158: The task currently named "Wipe storage device (if
requested)" only zeroes the first 100MB (dd bs=1M count=100) which is
misleading; either rename the task to reflect signature-only behavior (e.g.,
change the task name string "Wipe storage device (if requested)" to "Wipe device
signature (first 100MB)" and leave the wipefs + dd count=100 commands using
postgres_device and wipe_device) or implement a true full-device wipe by
removing the dd count so dd writes until EOF (replace dd if=/dev/zero of="{{
postgres_device }}" bs=1M count=100 with dd if=/dev/zero of="{{ postgres_device
}}" bs=1M status=progress oflag=direct to stream until completion and keep
wipefs -a), and ensure the when condition still uses wipe_device |
default(false) | bool; pick one option and update the task name/commands
accordingly.

In `@deploy/postgres/ansible/postgresql-setup.yml`:
- Around line 324-349: The pg_hba.conf task ("Configure pg_hba.conf for access")
currently hardcodes "0.0.0.0/0" which allows connections from any IP; replace
that CIDR with the playbook variable collected earlier (network_cidr) so access
is limited to the intended range, and add a sensible default or validation
(e.g., fail the play if network_cidr is undefined or use a safe default like
localhost CIDR) to avoid accidental wide-open access; update the host line in
the content block to reference network_cidr (and keep owner/group/mode/notify
unchanged).
- Around line 374-382: The current task "Set PostgreSQL postgres user password
only if needed" embeds '{{ postgres_password }}' in a shell heredoc which can
leak via process listings; instead create a temporary .pgpass file owned by the
postgres user with mode 0600 containing the line "*:{{ postgres_port
}}:postgres:{{ postgres_password }}", set PGPASSFILE to that temp file and run
sudo -u postgres psql -p {{ postgres_port }} -c "ALTER USER postgres PASSWORD
'{{ postgres_password }}';" (or simply run the ALTER command without a heredoc),
then securely remove the temp .pgpass; update the task that registers
password_set_result and keep the when: existing_password_test.rc != 0 condition.

In `@deploy/postgres/ansible/README.md`:
- Line 134: The fenced code block that currently ends/starts with the triple
backticks (```) is missing a language identifier, which triggers markdownlint
MD040; update the fenced code block marker from ``` to include a language tag
such as ```text (or ```bash/```md as appropriate) so the block is explicitly
typed and MD040 is satisfied.
- Line 107: The README line "No plaintext passwords in logs or files" is
inaccurate for generated Kubernetes Secret files because
`/tmp/postgresql-secrets/*.yml` contains base64-encoded secret data that is
reversible; update the README text (the heading/line that mentions "No plaintext
passwords in logs or files") to explicitly state that secrets are base64-encoded
and therefore sensitive plaintext-equivalents, instruct users to treat
`/tmp/postgresql-secrets/*.yml` as sensitive, recommend immediate secure
deletion (e.g., rm -f) and restricted permissions after use, and remove or
reword the misleading absolute claim so it accurately reflects that encoded
secrets must be protected.
- Around line 73-85: The README hardcodes the secret filename
(postgres-postgresql.yml) but the playbook outputs {{ postgres_secret_name
}}.yml when --secret-name is used, causing kubectl apply to fail; update the
README text so the apply step mentions the dynamic filename (use the placeholder
{{ postgres_secret_name }}.yml and call out the --secret-name flag), or show the
safe alternatives: apply the specific generated file by name using the
placeholder or apply all files in /tmp/postgresql-secrets/ (e.g., a glob), and
update the list entries for postgres-postgresql.yml, postgres-setup-config.yml,
and DEPLOYMENT_INSTRUCTIONS.md to reflect the variable output naming.

In `@deploy/postgres/ansible/run-postgresql-playbook.sh`:
- Around line 76-80: In run-postgresql-playbook.sh the python3 bcrypt check
currently runs apt-get (lines showing the python3 import check and sudo apt-get
install) which assumes Debian and sudo; change this to only detect and warn
instead of auto-installing: when the python3 -c "import bcrypt" test fails, emit
a clear warning via the warning function that the python3-bcrypt/py-bcrypt
package is missing and list the OS families supported (Debian/RedHat) with
guidance to install via the appropriate package manager or run the Ansible role
that handles dependencies; do not call apt-get or sudo in the script—either exit
with a non-zero status or rely on the playbook to install the package so
CI/restricted environments are not prompted for sudo.

In `@deploy/postgres/ansible/setup-vm-inventory.sh`:
- Line 16: DEFAULT_PG_PORT is set to "5432" but the hosts.ini template and
README examples use "5433"; update the DEFAULT_PG_PORT variable in
setup-vm-inventory.sh to "5433" so it matches hosts.ini and documentation (and
verify no other scripts or references expect 5432), specifically change the
DEFAULT_PG_PORT definition and run a quick grep for DEFAULT_PG_PORT/port
references to ensure consistency.
- Around line 258-264: The success message prints the wrong runner script name;
update the echo lines that currently reference "./ansible-postgresql.sh" to use
the actual runner "./run-postgresql-playbook.sh" (check the echo string around
"You can now run your PostgreSQL automation scripts:"), and scan for any other
occurrences of "ansible-postgresql.sh" in the same file to replace with
"run-postgresql-playbook.sh" so the README and script messages match.

---

Nitpick comments:
In `@deploy/postgres-istio-addons-values.yaml`:
- Around line 3-5: The istio.host and ingressController values are hard-coded in
postgres-istio-addons-values.yaml, coupling the installer to one environment;
update the YAML to make istio.host and ingressController configurable (e.g.,
replace fixed literals with overridable placeholders or defaults) and modify the
installer script that consumes this file so it can accept environment-specific
overrides (via env vars, CLI flags, or passing a different values file) and
inject those into istio.host and ingressController at runtime; ensure the
symbols istio.host and ingressController remain the keys used so downstream code
keeps working.

In `@deploy/postgres/ansible/cleanup-postgresql.sh`:
- Line 200: Update the interactive prompts that use read (e.g., the lines
setting device_confirm and the similar read around line 207) to add the -r flag
so backslashes in user input are not treated as escape sequences; change
instances like read -p "Type 'DELETE EVERYTHING' to confirm device wipe: "
device_confirm to read -r -p "..." device_confirm (and apply the same -r
addition to the other read invocation referenced).

In `@deploy/postgres/ansible/postgresql-cleanup.yml`:
- Around line 183-188: The current task named "Restore original pg_hba.conf
backup" only runs a stat and registers original_backup but never restores
anything; fix by adding a follow-up task that actually restores the backup when
original_backup.stat.exists is true: locate the backup using the same glob "{{
postgres_config_dir }}/pg_hba.conf.*~" (or use with_fileglob to capture the
actual filename), then move or copy that backup over "{{ postgres_config_dir
}}/pg_hba.conf" (use the command/shell mv or the copy module with remote_src:
yes) and ensure the task uses when: original_backup.stat.exists and appropriate
become: yes and notifies a restart if needed; alternatively, if no restore is
intended, simply remove the stat task and the original_backup registration.

In `@deploy/postgres/ansible/postgresql-setup.yml`:
- Around line 403-411: The task that exports PGPASSWORD in the shell ("Test
password authentication locally first") can leak secrets via process listings;
replace the inline PGPASSWORD export with creating and using a temporary .pgpass
file instead: write a line using {{ postgres_host|default('localhost') }}:{{
postgres_port }}:*:postgres:{{ postgres_password }} into a file (e.g.,
/tmp/pgpass_{{ inventory_hostname }}), set strict permissions (chmod 600) before
invoking psql, run psql pointing to that file via HOME or PGPASSFILE
environment, capture the result into local_password_test as before, and ensure
the .pgpass file is removed after the check; apply the same change to the
similar task at 413-421 and keep no_log: true for registered variables.

In `@deploy/postgres/ansible/run-postgresql-playbook.sh`:
- Line 204: The read invocation that prompts "Do you want to proceed with
PostgreSQL secure setup? (y/N):" is not correctly using the raw-input flag; move
the -r flag into the read options (before -p) so backslashes in user input are
not treated as escapes and keep the -n 1 option; update the read command
invocation (the read prompt line) to include -r among its flags rather than
relying on the trailing -r which is not a flag there.

In `@deploy/postgres/ansible/setup-vm-inventory.sh`:
- Line 70: Replace every occurrence of the interactive input commands that use
read -p with read -r -p to prevent backslash interpretation (e.g., the SSH key
path prompt and all other read -p prompts in the script); update each read
invocation to add the -r flag so user-entered backslashes are treated literally.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 5b5c2fae-838d-4607-bf50-aa2f302864b9

📥 Commits

Reviewing files that changed from the base of the PR and between 21ade87 and 2cf84e5.

⛔ Files ignored due to path filters (1)
  • postgres-upgrade/upgrade.csv is excluded by !**/*.csv
📒 Files selected for processing (25)
  • .github/workflows/push-trigger.yml
  • deploy/chart/README.md
  • deploy/chart/istio-addons/.helmignore
  • deploy/chart/istio-addons/Chart.yaml
  • deploy/chart/istio-addons/templates/gateway.yaml
  • deploy/chart/istio-addons/templates/vs.yaml
  • deploy/chart/istio-addons/values.yaml
  • deploy/masterdata-loader/README.md
  • deploy/masterdata-loader/copy_secret.sh
  • deploy/masterdata-loader/install.sh
  • deploy/postgres-install.sh
  • deploy/postgres-istio-addons-values.yaml
  • deploy/postgres/ansible/README.md
  • deploy/postgres/ansible/check-postgresql-status.sh
  • deploy/postgres/ansible/cleanup-postgresql.sh
  • deploy/postgres/ansible/hosts.ini
  • deploy/postgres/ansible/postgresql-cleanup.yml
  • deploy/postgres/ansible/postgresql-setup.yml
  • deploy/postgres/ansible/run-postgresql-playbook.sh
  • deploy/postgres/ansible/setup-vm-inventory.sh
  • helm/postgres-upgrade/templates/postgres-upgrade-job.yaml
  • helm/postgres-upgrade/values.yaml
  • postgres-upgrade/Dockerfile
  • postgres-upgrade/get_db_data.sh
  • postgres-upgrade/repo-list.txt
💤 Files with no reviewable changes (6)
  • deploy/chart/istio-addons/templates/vs.yaml
  • deploy/chart/istio-addons/.helmignore
  • deploy/chart/istio-addons/templates/gateway.yaml
  • deploy/chart/README.md
  • deploy/chart/istio-addons/Chart.yaml
  • deploy/chart/istio-addons/values.yaml

Comment thread .github/workflows/push-trigger.yml
Comment thread .github/workflows/push-trigger.yml
Comment thread .github/workflows/push-trigger.yml Outdated
Comment thread deploy/masterdata-loader/install.sh
Comment thread deploy/masterdata-loader/README.md Outdated
Comment thread deploy/postgres/ansible/README.md
Comment thread deploy/postgres/ansible/README.md Outdated
Comment thread deploy/postgres/ansible/run-postgresql-playbook.sh
Comment thread deploy/postgres/ansible/setup-vm-inventory.sh Outdated
Comment thread deploy/postgres/ansible/setup-vm-inventory.sh
head_ref returns the PR source branch (e.g. port/release-1.3.x-to-develop)
which does not exist in module repos being cloned by get_db_data.sh.
base_ref returns the PR target branch (e.g. develop, release-1.3.x)
which is the correct branch to clone module repos from.

Signed-off-by: ckm007 <chandrakeshavmishra@gmail.com>

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
.github/workflows/push-trigger.yml (1)

55-67: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Handle release refs explicitly in branch selection.

Line 59 derives BRANCH_NAME from github.ref, which becomes a tag on release events. Line 66 then passes that to get_db_data.sh (git clone -b $1), so release runs can fail when the tag is not present across all repos in repo-list.txt.

Suggested patch
-          # For PRs use base_ref (target branch); for push/release strip the ref
-          if [ "${{ github.event_name }}" == "pull_request" ]; then
-            echo "BRANCH_NAME=${{ github.base_ref }}" >> $GITHUB_ENV
-          else
-            echo "BRANCH_NAME=$(echo ${{ github.ref }} | sed -e 's,.*/\(.*\),\1,')" >> $GITHUB_ENV
-          fi
+          # PR -> target branch, release -> target_commitish, others -> ref_name
+          if [ "${{ github.event_name }}" = "pull_request" ]; then
+            BRANCH_NAME="${{ github.base_ref }}"
+          elif [ "${{ github.event_name }}" = "release" ]; then
+            BRANCH_NAME="${{ github.event.release.target_commitish }}"
+          else
+            BRANCH_NAME="${{ github.ref_name }}"
+          fi
+          echo "BRANCH_NAME=${BRANCH_NAME}" >> "$GITHUB_ENV"
           echo "GPG_TTY=$(tty)" >> $GITHUB_ENV
@@
-          bash ./get_db_data.sh ${{ env.BRANCH_NAME }}
+          bash ./get_db_data.sh "${{ env.BRANCH_NAME }}"
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/push-trigger.yml around lines 55 - 67, The workflow sets
BRANCH_NAME from github.base_ref for pull_request and from github.ref for
others, but github.ref is a tag on release events which breaks git clone -b in
get_db_data.sh; update the branch-selection logic to explicitly handle release
events by checking github.event_name == "release" and setting BRANCH_NAME to the
release tag (github.event.release.tag_name) before falling back to the existing
sed extraction, so get_db_data.sh / git clone -b receives the correct tag/branch
name.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Outside diff comments:
In @.github/workflows/push-trigger.yml:
- Around line 55-67: The workflow sets BRANCH_NAME from github.base_ref for
pull_request and from github.ref for others, but github.ref is a tag on release
events which breaks git clone -b in get_db_data.sh; update the branch-selection
logic to explicitly handle release events by checking github.event_name ==
"release" and setting BRANCH_NAME to the release tag
(github.event.release.tag_name) before falling back to the existing sed
extraction, so get_db_data.sh / git clone -b receives the correct tag/branch
name.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 0edf87ea-bac3-4ae7-ac78-f865b4609e86

📥 Commits

Reviewing files that changed from the base of the PR and between 2cf84e5 and 3404e9a.

📒 Files selected for processing (1)
  • .github/workflows/push-trigger.yml

ckm007 added 4 commits June 4, 2026 18:06
- push-trigger.yml: fix !contains || condition to != && form so Ready/Upload
  steps correctly skip on master and main branches
- copy_secret.sh: fix blob URL to raw.githubusercontent.com so wget fetches
  the shell script instead of HTML
- masterdata-loader/README.md: add bash language tag to fenced code block
- setup-vm-inventory.sh: fix script reference from ansible-postgresql.sh to
  run-postgresql-playbook.sh

Signed-off-by: ckm007 <chandrakeshavmishra@gmail.com>
- Replace sed-based ref stripping with github.ref_name (cleaner, no shell
  command needed) for non-PR events
- Quote BRANCH_NAME argument passed to get_db_data.sh to prevent word splitting
- Use github.ref_name != 'master/main' instead of github.ref != 'refs/heads/*'
  (simpler and works correctly for both branch and tag refs)
- Add master/main guard to build-upgrade-dockers job so it also skips on
  master and main branches

Signed-off-by: ckm007 <chandrakeshavmishra@gmail.com>
- setup-vm-inventory.sh: align DEFAULT_PG_PORT from 5432 to 5433 to match
  hosts.ini template and documentation
- ansible/README.md: add 'text' language tag to workflow diagram code block

Signed-off-by: ckm007 <chandrakeshavmishra@gmail.com>
mosip/istio-addons and bitnami/postgresql installs would fail with
'repo not found' on a clean environment because helm repo add was
never called. Add both repo registrations before helm repo update,
consistent with deploy/postgres-upgrade.sh.

Signed-off-by: ckm007 <chandrakeshavmishra@gmail.com>

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
deploy/masterdata-loader/copy_secret.sh (1)

6-10: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Pin and verify the downloaded utility before execution.

Line 6 currently pulls copy_cm_func.sh from a moving master ref, and Line 10 executes that downloaded content. This creates a supply-chain risk and nondeterministic installs if upstream changes unexpectedly.

Suggested hardening
-  UTIL_URL=https://raw.githubusercontent.com/mosip/mosip-infra/master/deployment/v3/utils/copy_cm_func.sh
+  UTIL_URL=https://raw.githubusercontent.com/mosip/mosip-infra/<pinned-commit-sha>/deployment/v3/utils/copy_cm_func.sh
+  UTIL_SHA256="<expected_sha256>"
@@
-  wget -q $UTIL_URL -O copy_cm_func.sh && chmod +x copy_cm_func.sh
+  wget -q "$UTIL_URL" -O copy_cm_func.sh
+  echo "${UTIL_SHA256}  copy_cm_func.sh" | sha256sum -c -
+  chmod +x copy_cm_func.sh
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@deploy/masterdata-loader/copy_secret.sh` around lines 6 - 10, The script
downloads and executes copy_cm_func.sh unsafely via UTIL_URL and wget; change
UTIL_URL to point to a specific immutable commit SHA (raw URL with commit),
download to COPY_UTIL using a robust fetch (e.g., curl/wget with -fSL), verify
the file integrity before execution by checking a pinned SHA256 checksum (store
expected hash in the script) or verifying a signed release, and only then run
chmod +x on COPY_UTIL and execute it; ensure the script exits non‑zero if
checksum/signature verification fails so the file is never executed on mismatch.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/push-trigger.yml:
- Line 68: The branch guard using github.ref_name is incorrect for pull_request
events; update the condition(s) (the three occurrences currently using
github.ref_name) to use github.base_ref when github.event_name == 'pull_request'
and fall back to github.ref_name otherwise — e.g. replace conditions like
"github.ref_name != 'master' && github.ref_name != 'main'" with a combined
expression such as "((github.event_name == 'pull_request' && github.base_ref !=
'master' && github.base_ref != 'main') || (github.event_name != 'pull_request'
&& github.ref_name != 'master' && github.ref_name != 'main'))" so the checks
correctly exclude PRs targeting master/main.

---

Outside diff comments:
In `@deploy/masterdata-loader/copy_secret.sh`:
- Around line 6-10: The script downloads and executes copy_cm_func.sh unsafely
via UTIL_URL and wget; change UTIL_URL to point to a specific immutable commit
SHA (raw URL with commit), download to COPY_UTIL using a robust fetch (e.g.,
curl/wget with -fSL), verify the file integrity before execution by checking a
pinned SHA256 checksum (store expected hash in the script) or verifying a signed
release, and only then run chmod +x on COPY_UTIL and execute it; ensure the
script exits non‑zero if checksum/signature verification fails so the file is
never executed on mismatch.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: b6848e44-5098-4d70-bab0-fcf7d78afd0d

📥 Commits

Reviewing files that changed from the base of the PR and between 3404e9a and bbe01da.

📒 Files selected for processing (5)
  • .github/workflows/push-trigger.yml
  • deploy/masterdata-loader/README.md
  • deploy/masterdata-loader/copy_secret.sh
  • deploy/postgres/ansible/README.md
  • deploy/postgres/ansible/setup-vm-inventory.sh
✅ Files skipped from review due to trivial changes (2)
  • deploy/masterdata-loader/README.md
  • deploy/postgres/ansible/README.md
🚧 Files skipped from review as they are similar to previous changes (1)
  • deploy/postgres/ansible/setup-vm-inventory.sh

Comment thread .github/workflows/push-trigger.yml Outdated
github.ref_name on a PR run resolves to the merge ref, not the target
branch, so the master/main guard was not reliable for PRs. Use base_ref
when event is pull_request and fall back to ref_name for push/release.
Applied to all three if conditions: Ready scripts, Upload artifact, and
build-upgrade-dockers job.

Signed-off-by: ckm007 <chandrakeshavmishra@gmail.com>
@coderabbitai

coderabbitai Bot commented Jun 4, 2026

Copy link
Copy Markdown
✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@ckm007 ckm007 closed this Jun 4, 2026
@ckm007 ckm007 reopened this Jun 4, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants