Skip to content

Add Fider app with CNPG database cluster#39

Open
3uzbcqje wants to merge 5 commits into
mainfrom
fider-deployment
Open

Add Fider app with CNPG database cluster#39
3uzbcqje wants to merge 5 commits into
mainfrom
fider-deployment

Conversation

@3uzbcqje

@3uzbcqje 3uzbcqje commented Jun 20, 2026

Copy link
Copy Markdown
Collaborator

Deploys Fider (feedback platform) via the devopscoop/app Helm chart backed by a CloudNativePG PostgreSQL database.

Apps added

App Chart Namespace Phase
cnpg-operator cloudnative-pg v0.28.2 cnpg-system core
fider-db cluster v0.7.0 fider post
fider devopscoop/app v0.8.2 fider post

Post-deploy

After fider-db syncs, extract the auto-generated password and create the SOPS-encrypted fider secret:

kubectl get secret -n fider fider-db-fider -o jsonpath='{.data.password}' | base64 -d

Then merge secrets/fider-secrets.yaml into secrets/secrets.enc.yaml via sops with the real DATABASE_URL and other values.

Summary by CodeRabbit

  • New Features

    • Added deployment support for a new feedback app and its database.
    • Configured the app with HTTPS ingress, environment settings, and runtime resources.
    • Added support for a new operator deployment in the cluster.
  • Bug Fixes

    • Created the required cluster namespaces to allow the new services to run successfully.
    • Added secure application secrets needed for database and email connectivity.

@3uzbcqje 3uzbcqje requested a review from arterro as a code owner June 20, 2026 00:40
@coderabbitai

coderabbitai Bot commented Jun 20, 2026

Copy link
Copy Markdown

Review Change Stack

📝 Walkthrough

Walkthrough

This PR adds Argo CD application configs and Helm values for a new CloudNative-PG operator, a dedicated Fider PostgreSQL cluster, and the Fider feedback application with Ingress/TLS, alongside new Kubernetes namespaces and a SOPS-encrypted secret for Fider credentials.

Changes

Fider Application Stack

Layer / File(s) Summary
Namespace registration and CNPG operator
secrets/namespaces.yaml, applications/cnpg-operator/config.json, applications/cnpg-operator/values.yaml
Adds cnpg-system and fider namespaces and an Argo CD app config for the cloudnative-pg chart (revision 0.28.3) plus a values.yaml with comparison comments.
Fider PostgreSQL cluster via CNPG
applications/fider-db/config.json, applications/fider-db/values.yaml
Adds Argo CD app config and Helm values provisioning a single-instance PostgreSQL cluster for Fider with 1Gi storage, resource limits, initdb settings, and backups disabled.
Fider application deployment and secrets
applications/fider/config.json, applications/fider/values.yaml, secrets/fider-secrets.enc.yaml
Adds Argo CD app config (chart revision 0.11.0) and Helm values for the Fider app with Ingress/TLS on feedback.prod.equal.vote, env vars sourced from a SOPS-encrypted Secret, service/probes, and the new encrypted Secret manifest itself.

Estimated code review effort: 2 (Simple) | ~12 minutes

Sequence Diagram(s)

sequenceDiagram
  participant ArgoCD
  participant CNPGOperator
  participant FiderDBCluster
  participant FiderApp
  participant Ingress

  ArgoCD->>CNPGOperator: Deploy cloudnative-pg chart (cnpg-system)
  ArgoCD->>FiderDBCluster: Deploy fider-db cluster (post phase)
  CNPGOperator->>FiderDBCluster: Provision PostgreSQL instance
  ArgoCD->>FiderApp: Deploy fider chart (post phase)
  FiderApp->>FiderDBCluster: Connect via DATABASE_URL secret
  FiderApp->>Ingress: Expose via feedback.prod.equal.vote (TLS)
Loading
🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly summarizes the main change: adding the Fider app with a CloudNativePG-backed database cluster.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch fider-deployment

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@applications/fider-db/values.yaml`:
- Around line 20-21: In the backups section of the values.yaml file for
fider-db, the enabled field is currently set to false. Change the enabled field
under backups from false to true to activate the database backup functionality
and ensure the deployment follows the standard backup policy for data
protection.

In `@secrets/fider-secrets.yaml`:
- Around line 13-27: The file fider-secrets.yaml contains a valid Kubernetes
Secret manifest with placeholder credentials (CHANGEME values) that could be
accidentally applied to a cluster, creating an immediate security risk. Rename
this file to fider-secrets.example.yaml to clearly mark it as a template rather
than a deployable configuration. Keep the example file in the repository for
reference purposes, but ensure that only SOPS-encrypted real secret manifests
are committed to the deploy paths and can be applied to clusters.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 35a4fff7-b7fc-4f02-8cc5-51f1ac503b1c

📥 Commits

Reviewing files that changed from the base of the PR and between b30a815 and 451ee71.

📒 Files selected for processing (8)
  • applications/cnpg-operator/config.json
  • applications/cnpg-operator/values.yaml
  • applications/fider-db/config.json
  • applications/fider-db/values.yaml
  • applications/fider/config.json
  • applications/fider/values.yaml
  • secrets/fider-secrets.yaml
  • secrets/namespaces.yaml

Comment on lines +20 to +21
backups:
enabled: false

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major | 🏗️ Heavy lift

Enable database backups before release.

Line 20-21 disables backups entirely for the Fider primary datastore. That leaves no recovery path for data corruption, operator error, or node/storage loss. Please switch this deployment to your standard backup policy before merge.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@applications/fider-db/values.yaml` around lines 20 - 21, In the backups
section of the values.yaml file for fider-db, the enabled field is currently set
to false. Change the enabled field under backups from false to true to activate
the database backup functionality and ensure the deployment follows the standard
backup policy for data protection.

Comment thread secrets/fider-secrets.yaml Outdated
Comment on lines +13 to +27
---
apiVersion: v1
kind: Secret
metadata:
name: fider
namespace: fider
type: Opaque
stringData:
DATABASE_URL: "postgres://fider:CHANGEME@fider-db-rw.fider.svc.cluster.local:5432/fider?sslmode=disable"
JWT_SECRET: "CHANGEME-generate-a-strong-random-string-here"
EMAIL_NOREPLY: "noreply@example.com"
EMAIL_SMTP_HOST: "smtp.example.com"
EMAIL_SMTP_PORT: "587"
EMAIL_SMTP_USERNAME: "user@example.com"
EMAIL_SMTP_PASSWORD: "CHANGEME"

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Do not keep an apply-able Secret manifest with placeholder credentials.

Lines 21-27 define a valid Kubernetes Secret with default/guessable values (CHANGEME). If this file is ever synced by mistake, it creates immediate auth/session compromise risk. Convert this file to a non-deployable template (for example, .example.yaml) and only commit SOPS-encrypted real secret manifests in deploy paths.

🧰 Tools
🪛 Checkov (3.3.1)

[medium] 21-22: Basic Auth Credentials

(CKV_SECRET_4)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@secrets/fider-secrets.yaml` around lines 13 - 27, The file fider-secrets.yaml
contains a valid Kubernetes Secret manifest with placeholder credentials
(CHANGEME values) that could be accidentally applied to a cluster, creating an
immediate security risk. Rename this file to fider-secrets.example.yaml to
clearly mark it as a template rather than a deployable configuration. Keep the
example file in the repository for reference purposes, but ensure that only
SOPS-encrypted real secret manifests are committed to the deploy paths and can
be applied to clusters.

Source: Linters/SAST tools

@3uzbcqje 3uzbcqje force-pushed the fider-deployment branch 3 times, most recently from 79be37b to 0cd485b Compare June 20, 2026 00:48
- applications/cnpg-operator: CloudNativePG operator (core phase, cnpg-system namespace)
- applications/fider-db: CNPG PostgreSQL cluster for Fider (post phase, fider namespace)
- applications/fider: Fider using devopscoop/app chart (post phase, fider namespace)
- secrets/namespaces.yaml: add cnpg-system and fider namespaces
- secrets/fider-secrets.yaml: template for SOPS-encrypted fider secrets
3uzbcqje added 3 commits June 19, 2026 18:20
- Change domain from feedback.example.com to feedback.prod.equal.vote
- Set replicaCount to 1
- Add encrypted fider secret with generated JWT_SECRET (SOPS + Azure Key Vault)
EMAIL_NOREPLY, EMAIL_SMTP_HOST, EMAIL_SMTP_PORT, EMAIL_SMTP_USERNAME are now inline env vars. Updated encrypted fider-secrets.enc.yaml to only hold DATABASE_URL, JWT_SECRET, and EMAIL_SMTP_PASSWORD.
The encrypted secrets/fider-secrets.enc.yaml replaces it.
@3uzbcqje

3uzbcqje commented Jul 2, 2026

Copy link
Copy Markdown
Collaborator Author

@ArendPeter look in the values.yaml file in this PR. I need all of the email settings.

Set EMAIL_SMTP_PASSWORD to the SendGrid API key and point the SMTP
env vars at smtp.sendgrid.net (username apikey, noreply@bettervoting.com).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🧹 Nitpick comments (1)
applications/fider/values.yaml (1)

5-7: 🩺 Stability & Availability | 🔵 Trivial | 🏗️ Heavy lift

Pin the Fider image instead of deploying stable.

Using a mutable tag lets production change outside Git review/Argo diffs. Prefer a tested Fider version tag or digest so rollouts are reproducible.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@applications/fider/values.yaml` around lines 5 - 7, The Fider image tag is
currently mutable via the image configuration, which can cause non-reproducible
deployments. Update the image settings in the values configuration to use a
pinned, tested Fider version tag or digest instead of stable, keeping the
repository entry unchanged and ensuring the deployment remains deterministic
through Git/Argo diffs.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@applications/fider/values.yaml`:
- Around line 36-46: The Fider SMTP settings are missing the STARTTLS flag
needed for SendGrid on port 587. Update the EMAIL_SMTP_* entries in the
values.yaml block alongside EMAIL_SMTP_HOST and EMAIL_SMTP_PORT to include
EMAIL_SMTP_ENABLE_STARTTLS enabled for this configuration, so the Fider
deployment uses STARTTLS when sending mail through SendGrid.

---

Nitpick comments:
In `@applications/fider/values.yaml`:
- Around line 5-7: The Fider image tag is currently mutable via the image
configuration, which can cause non-reproducible deployments. Update the image
settings in the values configuration to use a pinned, tested Fider version tag
or digest instead of stable, keeping the repository entry unchanged and ensuring
the deployment remains deterministic through Git/Argo diffs.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 94fa03c1-2c15-4979-ae33-9448ee872bc2

📥 Commits

Reviewing files that changed from the base of the PR and between 451ee71 and 8394a82.

📒 Files selected for processing (8)
  • applications/cnpg-operator/config.json
  • applications/cnpg-operator/values.yaml
  • applications/fider-db/config.json
  • applications/fider-db/values.yaml
  • applications/fider/config.json
  • applications/fider/values.yaml
  • secrets/fider-secrets.enc.yaml
  • secrets/namespaces.yaml
✅ Files skipped from review due to trivial changes (3)
  • applications/cnpg-operator/values.yaml
  • applications/cnpg-operator/config.json
  • secrets/namespaces.yaml
🚧 Files skipped from review as they are similar to previous changes (3)
  • applications/fider-db/config.json
  • applications/fider/config.json
  • applications/fider-db/values.yaml

Comment on lines +36 to +46
- name: EMAIL_SMTP_HOST
value: "smtp.sendgrid.net"
- name: EMAIL_SMTP_PORT
value: "587"
- name: EMAIL_SMTP_USERNAME
value: "apikey"
- name: EMAIL_SMTP_PASSWORD
valueFrom:
secretKeyRef:
name: fider
key: EMAIL_SMTP_PASSWORD

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎯 Functional Correctness | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== files =="
git ls-files 'applications/fider/*' | sed -n '1,120p'

echo
echo "== search for SMTP env vars =="
rg -n "EMAIL_SMTP_ENABLE_STARTTLS|EMAIL_SMTP_|smtp.sendgrid.net|SendGrid|STARTTLS" applications/fider -S || true

echo
echo "== outline values file =="
wc -l applications/fider/values.yaml
cat -n applications/fider/values.yaml | sed -n '1,140p'

Repository: Equal-Vote/argocd

Length of output: 2720


🌐 Web query:

Fider EMAIL_SMTP_ENABLE_STARTTLS SendGrid port 587 documentation

💡 Result:

To configure Fider to send emails via SendGrid using port 587 with STARTTLS, you should set the following environment variables [1]: EMAIL_SMTP_HOST=smtp.sendgrid.net EMAIL_SMTP_PORT=587 EMAIL_SMTP_USERNAME=apiKey EMAIL_SMTP_PASSWORD=<your_sendgrid_api_key> EMAIL_SMTP_ENABLE_STARTTLS=true EMAIL_NOREPLY=<your_verified_sender_email> The variable EMAIL_SMTP_ENABLE_STARTTLS is recognized by Fider to enable the STARTTLS command during the SMTP handshake [2][3]. When set to 'true', Fider will attempt to upgrade an insecure connection to a secure one using TLS, which is standard for port 587 [2]. Technical Notes: - Fider's SMTP implementation specifically supports STARTTLS [2][4]. - If you encounter issues (such as timeouts or 'EOF' errors), ensure that your SendGrid settings allow the connection and that any URL click/open tracking features in your SendGrid dashboard are not interfering with the outgoing mail process [1][5]. - The Fider codebase handles the STARTTLS upgrade by checking the server's capabilities after the HELO/EHLO command and initiating the TLS handshake if enabled [2][3]. - Ensure that your EMAIL_NOREPLY address is a verified sender address within your SendGrid account to prevent authentication or relay errors.

Citations:


Add EMAIL_SMTP_ENABLE_STARTTLS for SendGrid on port 587. Fider's SMTP config for port 587 should enable STARTTLS; without it, email delivery can fail.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@applications/fider/values.yaml` around lines 36 - 46, The Fider SMTP settings
are missing the STARTTLS flag needed for SendGrid on port 587. Update the
EMAIL_SMTP_* entries in the values.yaml block alongside EMAIL_SMTP_HOST and
EMAIL_SMTP_PORT to include EMAIL_SMTP_ENABLE_STARTTLS enabled for this
configuration, so the Fider deployment uses STARTTLS when sending mail through
SendGrid.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants