Add Fider app with CNPG database cluster#39
Conversation
📝 WalkthroughWalkthroughThis PR adds Argo CD application configs and Helm values for a new CloudNative-PG operator, a dedicated Fider PostgreSQL cluster, and the Fider feedback application with Ingress/TLS, alongside new Kubernetes namespaces and a SOPS-encrypted secret for Fider credentials. ChangesFider Application Stack
Estimated code review effort: 2 (Simple) | ~12 minutes Sequence Diagram(s)sequenceDiagram
participant ArgoCD
participant CNPGOperator
participant FiderDBCluster
participant FiderApp
participant Ingress
ArgoCD->>CNPGOperator: Deploy cloudnative-pg chart (cnpg-system)
ArgoCD->>FiderDBCluster: Deploy fider-db cluster (post phase)
CNPGOperator->>FiderDBCluster: Provision PostgreSQL instance
ArgoCD->>FiderApp: Deploy fider chart (post phase)
FiderApp->>FiderDBCluster: Connect via DATABASE_URL secret
FiderApp->>Ingress: Expose via feedback.prod.equal.vote (TLS)
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Actionable comments posted: 2
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@applications/fider-db/values.yaml`:
- Around line 20-21: In the backups section of the values.yaml file for
fider-db, the enabled field is currently set to false. Change the enabled field
under backups from false to true to activate the database backup functionality
and ensure the deployment follows the standard backup policy for data
protection.
In `@secrets/fider-secrets.yaml`:
- Around line 13-27: The file fider-secrets.yaml contains a valid Kubernetes
Secret manifest with placeholder credentials (CHANGEME values) that could be
accidentally applied to a cluster, creating an immediate security risk. Rename
this file to fider-secrets.example.yaml to clearly mark it as a template rather
than a deployable configuration. Keep the example file in the repository for
reference purposes, but ensure that only SOPS-encrypted real secret manifests
are committed to the deploy paths and can be applied to clusters.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro
Run ID: 35a4fff7-b7fc-4f02-8cc5-51f1ac503b1c
📒 Files selected for processing (8)
applications/cnpg-operator/config.jsonapplications/cnpg-operator/values.yamlapplications/fider-db/config.jsonapplications/fider-db/values.yamlapplications/fider/config.jsonapplications/fider/values.yamlsecrets/fider-secrets.yamlsecrets/namespaces.yaml
| backups: | ||
| enabled: false |
There was a problem hiding this comment.
Enable database backups before release.
Line 20-21 disables backups entirely for the Fider primary datastore. That leaves no recovery path for data corruption, operator error, or node/storage loss. Please switch this deployment to your standard backup policy before merge.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@applications/fider-db/values.yaml` around lines 20 - 21, In the backups
section of the values.yaml file for fider-db, the enabled field is currently set
to false. Change the enabled field under backups from false to true to activate
the database backup functionality and ensure the deployment follows the standard
backup policy for data protection.
| --- | ||
| apiVersion: v1 | ||
| kind: Secret | ||
| metadata: | ||
| name: fider | ||
| namespace: fider | ||
| type: Opaque | ||
| stringData: | ||
| DATABASE_URL: "postgres://fider:CHANGEME@fider-db-rw.fider.svc.cluster.local:5432/fider?sslmode=disable" | ||
| JWT_SECRET: "CHANGEME-generate-a-strong-random-string-here" | ||
| EMAIL_NOREPLY: "noreply@example.com" | ||
| EMAIL_SMTP_HOST: "smtp.example.com" | ||
| EMAIL_SMTP_PORT: "587" | ||
| EMAIL_SMTP_USERNAME: "user@example.com" | ||
| EMAIL_SMTP_PASSWORD: "CHANGEME" |
There was a problem hiding this comment.
Do not keep an apply-able Secret manifest with placeholder credentials.
Lines 21-27 define a valid Kubernetes Secret with default/guessable values (CHANGEME). If this file is ever synced by mistake, it creates immediate auth/session compromise risk. Convert this file to a non-deployable template (for example, .example.yaml) and only commit SOPS-encrypted real secret manifests in deploy paths.
🧰 Tools
🪛 Checkov (3.3.1)
[medium] 21-22: Basic Auth Credentials
(CKV_SECRET_4)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@secrets/fider-secrets.yaml` around lines 13 - 27, The file fider-secrets.yaml
contains a valid Kubernetes Secret manifest with placeholder credentials
(CHANGEME values) that could be accidentally applied to a cluster, creating an
immediate security risk. Rename this file to fider-secrets.example.yaml to
clearly mark it as a template rather than a deployable configuration. Keep the
example file in the repository for reference purposes, but ensure that only
SOPS-encrypted real secret manifests are committed to the deploy paths and can
be applied to clusters.
Source: Linters/SAST tools
79be37b to
0cd485b
Compare
- applications/cnpg-operator: CloudNativePG operator (core phase, cnpg-system namespace) - applications/fider-db: CNPG PostgreSQL cluster for Fider (post phase, fider namespace) - applications/fider: Fider using devopscoop/app chart (post phase, fider namespace) - secrets/namespaces.yaml: add cnpg-system and fider namespaces - secrets/fider-secrets.yaml: template for SOPS-encrypted fider secrets
0cd485b to
d881f8a
Compare
- Change domain from feedback.example.com to feedback.prod.equal.vote - Set replicaCount to 1 - Add encrypted fider secret with generated JWT_SECRET (SOPS + Azure Key Vault)
EMAIL_NOREPLY, EMAIL_SMTP_HOST, EMAIL_SMTP_PORT, EMAIL_SMTP_USERNAME are now inline env vars. Updated encrypted fider-secrets.enc.yaml to only hold DATABASE_URL, JWT_SECRET, and EMAIL_SMTP_PASSWORD.
The encrypted secrets/fider-secrets.enc.yaml replaces it.
|
@ArendPeter look in the values.yaml file in this PR. I need all of the email settings. |
Set EMAIL_SMTP_PASSWORD to the SendGrid API key and point the SMTP env vars at smtp.sendgrid.net (username apikey, noreply@bettervoting.com). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
There was a problem hiding this comment.
Actionable comments posted: 1
🧹 Nitpick comments (1)
applications/fider/values.yaml (1)
5-7: 🩺 Stability & Availability | 🔵 Trivial | 🏗️ Heavy liftPin the Fider image instead of deploying
stable.Using a mutable tag lets production change outside Git review/Argo diffs. Prefer a tested Fider version tag or digest so rollouts are reproducible.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@applications/fider/values.yaml` around lines 5 - 7, The Fider image tag is currently mutable via the image configuration, which can cause non-reproducible deployments. Update the image settings in the values configuration to use a pinned, tested Fider version tag or digest instead of stable, keeping the repository entry unchanged and ensuring the deployment remains deterministic through Git/Argo diffs.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@applications/fider/values.yaml`:
- Around line 36-46: The Fider SMTP settings are missing the STARTTLS flag
needed for SendGrid on port 587. Update the EMAIL_SMTP_* entries in the
values.yaml block alongside EMAIL_SMTP_HOST and EMAIL_SMTP_PORT to include
EMAIL_SMTP_ENABLE_STARTTLS enabled for this configuration, so the Fider
deployment uses STARTTLS when sending mail through SendGrid.
---
Nitpick comments:
In `@applications/fider/values.yaml`:
- Around line 5-7: The Fider image tag is currently mutable via the image
configuration, which can cause non-reproducible deployments. Update the image
settings in the values configuration to use a pinned, tested Fider version tag
or digest instead of stable, keeping the repository entry unchanged and ensuring
the deployment remains deterministic through Git/Argo diffs.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro
Run ID: 94fa03c1-2c15-4979-ae33-9448ee872bc2
📒 Files selected for processing (8)
applications/cnpg-operator/config.jsonapplications/cnpg-operator/values.yamlapplications/fider-db/config.jsonapplications/fider-db/values.yamlapplications/fider/config.jsonapplications/fider/values.yamlsecrets/fider-secrets.enc.yamlsecrets/namespaces.yaml
✅ Files skipped from review due to trivial changes (3)
- applications/cnpg-operator/values.yaml
- applications/cnpg-operator/config.json
- secrets/namespaces.yaml
🚧 Files skipped from review as they are similar to previous changes (3)
- applications/fider-db/config.json
- applications/fider/config.json
- applications/fider-db/values.yaml
| - name: EMAIL_SMTP_HOST | ||
| value: "smtp.sendgrid.net" | ||
| - name: EMAIL_SMTP_PORT | ||
| value: "587" | ||
| - name: EMAIL_SMTP_USERNAME | ||
| value: "apikey" | ||
| - name: EMAIL_SMTP_PASSWORD | ||
| valueFrom: | ||
| secretKeyRef: | ||
| name: fider | ||
| key: EMAIL_SMTP_PASSWORD |
There was a problem hiding this comment.
🎯 Functional Correctness | 🟠 Major | ⚡ Quick win
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
set -euo pipefail
echo "== files =="
git ls-files 'applications/fider/*' | sed -n '1,120p'
echo
echo "== search for SMTP env vars =="
rg -n "EMAIL_SMTP_ENABLE_STARTTLS|EMAIL_SMTP_|smtp.sendgrid.net|SendGrid|STARTTLS" applications/fider -S || true
echo
echo "== outline values file =="
wc -l applications/fider/values.yaml
cat -n applications/fider/values.yaml | sed -n '1,140p'Repository: Equal-Vote/argocd
Length of output: 2720
🌐 Web query:
Fider EMAIL_SMTP_ENABLE_STARTTLS SendGrid port 587 documentation
💡 Result:
To configure Fider to send emails via SendGrid using port 587 with STARTTLS, you should set the following environment variables [1]: EMAIL_SMTP_HOST=smtp.sendgrid.net EMAIL_SMTP_PORT=587 EMAIL_SMTP_USERNAME=apiKey EMAIL_SMTP_PASSWORD=<your_sendgrid_api_key> EMAIL_SMTP_ENABLE_STARTTLS=true EMAIL_NOREPLY=<your_verified_sender_email> The variable EMAIL_SMTP_ENABLE_STARTTLS is recognized by Fider to enable the STARTTLS command during the SMTP handshake [2][3]. When set to 'true', Fider will attempt to upgrade an insecure connection to a secure one using TLS, which is standard for port 587 [2]. Technical Notes: - Fider's SMTP implementation specifically supports STARTTLS [2][4]. - If you encounter issues (such as timeouts or 'EOF' errors), ensure that your SendGrid settings allow the connection and that any URL click/open tracking features in your SendGrid dashboard are not interfering with the outgoing mail process [1][5]. - The Fider codebase handles the STARTTLS upgrade by checking the server's capabilities after the HELO/EHLO command and initiating the TLS handshake if enabled [2][3]. - Ensure that your EMAIL_NOREPLY address is a verified sender address within your SendGrid account to prevent authentication or relay errors.
Citations:
- 1: [BUG] SendGrid Not Sending Email getfider/fider#1148
- 2: https://github.com/getfider/fider/blob/master/app/services/email/smtp/smtp.go
- 3: https://pkg.go.dev/github.com/getfider/fider/app/services/email/smtp
- 4: Cannot get SMTP SSL working getfider/fider#865
- 5: Mailgun alternative? getfider/fider#1108
Add EMAIL_SMTP_ENABLE_STARTTLS for SendGrid on port 587. Fider's SMTP config for port 587 should enable STARTTLS; without it, email delivery can fail.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@applications/fider/values.yaml` around lines 36 - 46, The Fider SMTP settings
are missing the STARTTLS flag needed for SendGrid on port 587. Update the
EMAIL_SMTP_* entries in the values.yaml block alongside EMAIL_SMTP_HOST and
EMAIL_SMTP_PORT to include EMAIL_SMTP_ENABLE_STARTTLS enabled for this
configuration, so the Fider deployment uses STARTTLS when sending mail through
SendGrid.
Deploys Fider (feedback platform) via the
devopscoop/appHelm chart backed by a CloudNativePG PostgreSQL database.Apps added
cnpg-operatorfider-dbfiderPost-deploy
After
fider-dbsyncs, extract the auto-generated password and create the SOPS-encryptedfidersecret:Then merge
secrets/fider-secrets.yamlintosecrets/secrets.enc.yamlviasopswith the realDATABASE_URLand other values.Summary by CodeRabbit
New Features
Bug Fixes