@bhumi46 bhumi46 commented Nov 15, 2025

Summary by CodeRabbit

  • Chores

    • Updated ignore configuration for Chart.lock file.
  • Infrastructure Updates

    • Enhanced pod lifecycle management with graceful shutdown settings and termination grace period.
    • Updated container base image to Alpine Linux with latest runtime and dependencies.
    • Improved container security with non-root user implementation.

Signed-off-by: bhumi46 <thisisbn46@gmail.com>

coderabbitai bot commented Nov 15, 2025

Walkthrough

Updates Helm chart configuration for graceful pod shutdown with lifecycle hooks and termination grace period. Upgrades admin-UI container images and refactors uitest-admin Docker build to use Alpine Linux base with non-root user and updated package management.

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| Admin-UI Helm configuration (helm/admin-ui/.gitignore) | Added Chart.lock to ignored files |
| Admin-UI pod lifecycle and termination (helm/admin-ui/templates/deployment.yaml, helm/admin-ui/values.yaml) | Added terminationGracePeriodSeconds (60s default) and lifecycleHooks.preStop with 30s sleep for graceful shutdown; updated volumePermissions.image from bitnami/bitnami-shell:10 to mosipid/os-shell:12-debian-12-r46 |
| UITest Docker build and runtime (uitest-admin/Dockerfile) | Replaced base image to eclipse-temurin:21-jre-alpine; switched package manager from apt-get to apk; refactored non-root user setup (addgroup/adduser); added build-time ARGs for SOURCE, COMMIT_HASH, COMMIT_ID, BUILD_TIME; updated kubectl installation for Alpine; adjusted file permissions and ownership for new user context |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Areas requiring extra attention:

  • UITest Dockerfile user/group management: Verify non-root user UID/GID assignments are correct and ownership changes properly cascade to all affected files (entrypoint, resources, home directory)
  • Alpine package changes: Confirm all dependencies (Chromium, ChromeDriver, libs) are correctly specified for Alpine Linux and compatible with the temurin:21-jre-alpine base
  • Graceful shutdown flow: Verify the 30s preStop sleep coordinated with 60s termination grace period provides adequate time for connections to drain

Poem

🐰 A Helm chart with grace, a Docker restart,
Alpine base swift, a non-root restart smart,
Thirty seconds to sleep, then sixty to say,
Gentle shutdown and build args—hip-hop hooray! 🚀

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
| --- | --- | --- | --- |
| Title check | ⚠️ Warning | The title claims to update helm charts, but the changeset includes significant non-helm changes: Dockerfile modifications with base image replacement, package manager switches, and user setup changes. | Update the title to accurately reflect all major changes, such as 'MOSIP-43631 Update helm charts and Dockerfile configuration' to capture both helm and Docker modifications. |

✅ Passed checks (2 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |

Signed-off-by: bhumi46 <thisisbn46@gmail.com>

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 0

🧹 Nitpick comments (2)
helm/admin-ui/values.yaml (1)

228-228: Minor: Typo in comment.

Line 228 reads "Termination grace perios" but should be "Termination grace period".

Apply this diff to fix the typo:

-## Termination grace perios : the maximum amount of time (in seconds) Kubernetes will wait for a container to gracefully shut down
+## Termination grace period: the maximum amount of time (in seconds) Kubernetes will wait for a container to gracefully shut down
uitest-admin/Dockerfile (1)

47-49: Inconsistent COPY --chown syntax between commands.

Line 47 uses numeric UID:GID (1001:1001) while lines 48–49 use username:group notation. While functionally equivalent, standardize for clarity and consistency.

Apply this diff to standardize on numeric UID:GID notation:

-COPY --chown=${container_user}:${container_user_group} ./src/main/resources/ ${work_dir}/resources/
-COPY --chown=${container_user_uid}:${container_user_gid} ./target/*.jar ${work_dir}
+COPY --chown=${container_user_uid}:${container_user_gid} ./src/main/resources/ ${work_dir}/resources/
+COPY --chown=${container_user_uid}:${container_user_gid} ./target/*.jar ${work_dir}
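Review bot: the second removed/added pair in this suggestion is identical (`COPY --chown=${container_user_uid}:${container_user_gid} ./target/*.jar ${work_dir}` appears on both the `-` and `+` side), so only the `./src/main/resources/` line actually changes and the suggestion should be trimmed to that single line. The accompanying text says lines 48–49 both use username:group notation, which does not match the removed jar line shown here; confirm against the Dockerfile which of the two is accurate before applying.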
📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 7d7c30a and a2a1071.

📒 Files selected for processing (4)
  • helm/admin-ui/.gitignore (1 hunks)
  • helm/admin-ui/templates/deployment.yaml (1 hunks)
  • helm/admin-ui/values.yaml (2 hunks)
  • uitest-admin/Dockerfile (1 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)
  • GitHub Check: uitest-admin / build-dockers
  • GitHub Check: build-admin-ui / npm-build
  • GitHub Check: Analyze (java-kotlin)
🔇 Additional comments (7)
helm/admin-ui/.gitignore (1)

2-2: Helm lock file exclusion follows best practices.

Ignoring Chart.lock prevents unnecessary VCS noise from auto-generated lock files and reduces merge conflicts.

helm/admin-ui/values.yaml (2)

220-229: Graceful shutdown lifecycle is well-structured.

The preStop sleep (30s) + terminationGracePeriodSeconds (60s) pattern provides orderly connection draining before force termination. This aligns with best practices for stateful service shutdown.


328-329: I need to verify the image existence using alternative methods since the API endpoint returned authentication error.

Let me search for more specific information about the mosipid organization:

Let me search for more context about the MOSIP project and whether "mosipid" is a legitimate source:

Let me search for MOSIP project documentation to understand the context better:

Verify volumePermissions image availability before deploying.

The image reference has been changed to mosipid/os-shell:12-debian-12-r46. While the mosipid Docker Hub organization exists, the specific image mosipid/os-shell:12-debian-12-r46 could not be verified to be publicly available. The Docker Hub API returned authentication errors, and this image does not appear in public documentation. Ensure:

  1. This image exists in your registry or is publicly accessible
  2. It is compatible with the previous bitnami/bitnami-shell:10 usage
  3. If this is a private or internal image, proper pull credentials are configured in the Kubernetes deployment
helm/admin-ui/templates/deployment.yaml (1)

36-36: Termination grace period properly parameterized.

The template correctly sources terminationGracePeriodSeconds from values with a sensible default, aligning with the lifecycle preStop hook defined in values.yaml. Pod spec placement is correct.

uitest-admin/Dockerfile (3)

5-23: Alpine migration is clean; kubectl fetch is robust.

Switching to Alpine with apk and dynamic kubectl stable fetch is a solid optimization. Package list looks complete for testing (chromium, xvfb, fonts). Cleanup of temp kubectl version file is good.


34-45: Non-root user creation follows Alpine best practices.

The addgroup/adduser flow with explicit UID/GID is the correct approach for Alpine and improves security posture.


51-53: The code is correctly implemented; no issues found.

The verification confirms that the original review comment's concerns are unfounded:

  1. entrypoint.sh exists: Found at uitest-admin/entrypoint.sh in the build context.
  2. Proper COPY: Line 47 explicitly copies ./entrypoint.sh to ${work_dir}/entrypoint.sh with --chmod=771, ensuring it is executable.
  3. Path resolution: WORKDIR is set to /home/${container_user}/ (line 51) and the ENTRYPOINT invokes ./entrypoint.sh (line 53), which correctly resolves to the copied file location.

The entrypoint is present, executable, and will be found at runtime. No action needed.

Likely an incorrect or invalid review comment.
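Added example, not part of the PR or of CodeRabbit's review: a check of the graceful shutdown timing discussed above. Kubernetes counts the preStop hook against `terminationGracePeriodSeconds`, so the time a container has to handle SIGTERM is the grace period minus the preStop sleep. The manifest fragment, container name, preStop command form and `min_budget` threshold are assumptions constructed for illustration.

```python
import re

DEFAULT_GRACE = 30  # Kubernetes default when terminationGracePeriodSeconds is unset


def prestop_sleep_seconds(container):
    """Seconds the container's preStop hook sleeps; 0 if no sleep is found."""
    hook = (container.get("lifecycle") or {}).get("preStop") or {}
    if "sleep" in hook:  # native sleep action
        return int(hook["sleep"].get("seconds", 0))
    command = " ".join((hook.get("exec") or {}).get("command") or [])
    # Plain integer seconds only, e.g. "sleep 30" or "sh -c 'sleep 30'".
    match = re.search(r"\bsleep\s+(\d+)\b", command)
    return int(match.group(1)) if match else 0


def shutdown_budget(deployment):
    """Map container name -> seconds left after preStop for SIGTERM handling."""
    pod = deployment["spec"]["template"]["spec"]
    grace = pod.get("terminationGracePeriodSeconds", DEFAULT_GRACE)
    return {c["name"]: grace - prestop_sleep_seconds(c) for c in pod["containers"]}


def findings(deployment, min_budget=10):
    """Containers whose post-preStop budget is below min_budget (assumed threshold)."""
    return [
        f"{name}: {left}s left after preStop, want >= {min_budget}s"
        for name, left in shutdown_budget(deployment).items()
        if left < min_budget
    ]


def sample(grace=None):
    """Constructed Deployment fragment; container name and command are assumed."""
    pod = {"containers": [{
        "name": "admin-ui",
        "lifecycle": {"preStop": {"exec": {"command": ["/bin/sh", "-c", "sleep 30"]}}},
    }]}
    if grace is not None:
        pod["terminationGracePeriodSeconds"] = grace
    return {"spec": {"template": {"spec": pod}}}


if __name__ == "__main__":
    print(shutdown_budget(sample(60)), findings(sample(60)))  # 60s grace, 30s sleep
    print(shutdown_budget(sample()), findings(sample()))      # grace left at default
```

Feed it a rendered Deployment as a dict (for example the JSON form of the chart's output) to run the same check against real values.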
