
Conversation


@ptthanh1511 ptthanh1511 commented May 16, 2025

Summary by CodeRabbit

  • New Features

    • Added support for initializing configuration files and persistent storage using new ConfigMap and Job resources.
    • Introduced new global and persistence-related configuration options for greater flexibility in deployment.
  • Improvements

    • Persistence settings are now more granular and customizable, with separate sections for PersistentVolume and PersistentVolumeClaim.
    • Default values for images, secrets, and database settings have been updated.
    • Enhanced deployment startup logic to ensure required configuration files are available before launching the application.
  • Documentation

    • Updated README to reflect new parameters, improved structure, and revised defaults.
    • Removed usage examples and troubleshooting sections from the documentation.

@ptthanh1511 ptthanh1511 requested a review from quangtamle May 23, 2025 07:39
database: tacgui
logDatabase: tgui_log
password: ""
password: "juniper@123"
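Review bot: `password: "juniper@123"` introduces a hard-coded default database credential into values.yaml, and per the author's reply in this thread it is rendered into a ConfigMap rather than a Secret, so it is readable by anything that can list ConfigMaps in the namespace and also shows up in `helm get values` output and in the chart repository history. Keep the default at `""`, make the template fail with Helm's `required` when no password is supplied, and source the value from a Kubernetes Secret (an `existingSecret`-style value) that the init Job mounts when it writes tac_plus.cfg.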
Contributor

Please double-check for me whether this part has been turned into a Secret yet.

Contributor Author

The password is generated into the ConfigMap as the configuration file that tacgui reads. I haven't looked into an encryption option yet ✌️


coderabbitai bot commented Aug 8, 2025

Walkthrough

This change set restructures the persistence configuration for the Tacgui Helm chart by introducing separate persistent volume claim and persistent volume sections, updates default values for several parameters, and adds new templates for managing configuration initialization using Kubernetes Jobs and ConfigMaps. Documentation is updated to reflect these changes, and some usage and troubleshooting content is removed.

Changes

Cohort / File(s) / Change Summary

Documentation Update
  Files: kubernetes/tacgui/README.md
  Updated documentation to add global.basePath, revise and reorganize persistence parameters, update default values for image tag, pull secrets, and external database, and remove usage/troubleshooting/license sections.

Persistent Volume and Claim Restructuring
  Files: kubernetes/tacgui/values.yaml, kubernetes/tacgui/templates/persistentVolumeClaim.yml, kubernetes/tacgui/templates/persistentVolume.yml
  Introduced new persistentVolumeClaim and persistentVolume sections, updated claim and volume templates to use new parameters, added conditional logic for annotations, access modes, storage class, volume mode, and volume name, and set new defaults for size and access modes.

Config Initialization Workflow
  Files: kubernetes/tacgui/templates/configMaps/initConfigs.yml, kubernetes/tacgui/templates/jobInitConfigs.yml
  Added a ConfigMap template for initial TACACS+ configuration and a Job template to copy this configuration into the persistent volume, both rendered conditionally based on new Helm values.

Deployment Template Enhancements
  Files: kubernetes/tacgui/templates/deployment.yml
  Added an init container to wait for configuration files, made command and args dynamic, added conditional volume mounts for persistent data and backups, and included the new persistent volume claim in pod volumes.

Sequence Diagram(s)

sequenceDiagram
    participant User
    participant Helm
    participant Kubernetes
    participant PV (PersistentVolume)
    participant PVC (PersistentVolumeClaim)
    participant Job (InitConfigs)
    participant ConfigMap (InitConfigs)
    participant Deployment

    User->>Helm: Install/Upgrade Chart
    Helm->>Kubernetes: Create PersistentVolume (if enabled)
    Helm->>Kubernetes: Create PersistentVolumeClaim (if enabled)
    Helm->>Kubernetes: Create ConfigMap with TACACS+ config (if enabled)
    Helm->>Kubernetes: Create Job to copy config to PVC (if enabled)
    Job->>PVC: Copy tac_plus.cfg from ConfigMap to PVC
    Helm->>Kubernetes: Deploy application with init container
    Deployment->>PVC: Init container waits for config files
    Deployment->>PVC: Main container starts after config is present

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes



@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 5

🔭 Outside diff range comments (2)
kubernetes/tacgui/values.yaml (1)

6-20: Parameter name drift – chart will not resolve global.storageClassName.

Both persistentVolumeClaim.yml and persistentVolume.yml reference .Values.global.storageClassName, but values.yaml still exposes global.storageClass.
Introduce the new key or revert the templates to the old one – otherwise rendered objects will miss storageClassName, breaking PVC/PV binding.

 global:
   imageRegistry: ""
   ...
-  storageClass: ""
+  storageClassName: ""
kubernetes/tacgui/README.md (1)

78-88: Duplicate configuration entry in the image parameters table

The parameter appears at Lines 78 and 87 with slightly different descriptions.
Drop one of them to avoid confusing users.

♻️ Duplicate comments (2)
kubernetes/tacgui/templates/persistentVolume.yml (1)

36-40: Wrong values key for storageClass fallback.

Use .Values.global.storageClass (as defined in values.yaml) or rename the key in values.yaml to storageClassName to match the templates.

kubernetes/tacgui/templates/persistentVolumeClaim.yml (1)

34-38: Same storageClass key mismatch as elsewhere.

Replace .Values.global.storageClassName with .Values.global.storageClass or rename the key in values.yaml.

🧹 Nitpick comments (6)
kubernetes/tacgui/templates/deployment.yml (1)

109-118: Trailing whitespace & style-only – low impact.

Two trailing-space lines flagged by YAML-lint; trim to avoid noisy pre-commit hooks.

kubernetes/tacgui/templates/persistentVolumeClaim.yml (1)

39-43: Redundant conditional duplicates volumeMode.

The else if .Values.persistentVolumeClaim.existingClaim branch echoes the same expression; collapse to a single check to keep the template clean.

kubernetes/tacgui/templates/configMaps/initConfigs.yml (2)

7-10: Label block indentation trips YAML linters

The labels: value is emitted via nindent 4, but the subsequent if .Values.commonLabels block is already indented 4 spaces, so the inner mapping appears 2 levels deeper than expected.
YAML parsers used by Helm ignore this, but many linters complain (see YAML-lint warnings).
Consider:

-  labels: {{- include "common.labels.standard" . | nindent 4 }}
+  labels:
+    {{- include "common.labels.standard" . | nindent 6 }}

(or move the labels: key into the included helper) to silence false-positive lint noise.


26-34: Trim superfluous trailing spaces inside literal lines

Lines 27-28 & 32 contain trailing blanks that bloat the diff every time an editor auto-strips them.
They’re inside the literal block, so you can remove them safely.

kubernetes/tacgui/README.md (2)

79-80: Table cell breaks across lines

The description for configurationConfigMap spans two physical lines, so Markdown renders the table incorrectly.
Join the text onto a single line.


181-181: Call-out: changed default for service.externalTrafficPolicy

Switching from Cluster to Local alters client-IP preservation and can affect load-balancer health checks.
Highlight this in the upgrade notes to avoid surprises.

📜 Review details


📥 Commits

Reviewing files that changed from the base of the PR and between 167417d and e43aba7.

📒 Files selected for processing (7)
  • kubernetes/tacgui/README.md (4 hunks)
  • kubernetes/tacgui/templates/configMaps/initConfigs.yml (1 hunks)
  • kubernetes/tacgui/templates/deployment.yml (3 hunks)
  • kubernetes/tacgui/templates/jobInitConfigs.yml (1 hunks)
  • kubernetes/tacgui/templates/persistentVolume.yml (1 hunks)
  • kubernetes/tacgui/templates/persistentVolumeClaim.yml (1 hunks)
  • kubernetes/tacgui/values.yaml (6 hunks)
🧰 Additional context used
🪛 YAMLlint (1.37.1)
kubernetes/tacgui/templates/persistentVolumeClaim.yml
  [error] 1-1: syntax error: expected the node content, but found '-' (syntax)
  [warning] 9-9: wrong indentation: expected 2 but found 6 (indentation)
  [warning] 10-10: wrong indentation: expected 2 but found 4 (indentation)
  [error] 49-49: no new line character at the end of file (new-line-at-end-of-file)
kubernetes/tacgui/templates/configMaps/initConfigs.yml
  [error] 1-1: syntax error: expected the node content, but found '-' (syntax)
  [warning] 9-9: wrong indentation: expected 2 but found 6 (indentation)
  [warning] 10-10: wrong indentation: expected 2 but found 4 (indentation)
  [error] 11-11: trailing spaces (trailing-spaces)
  [error] 27-27: trailing spaces (trailing-spaces)
  [error] 28-28: trailing spaces (trailing-spaces)
  [error] 32-32: trailing spaces (trailing-spaces)
  [error] 70-70: no new line character at the end of file (new-line-at-end-of-file)
kubernetes/tacgui/templates/jobInitConfigs.yml
  [error] 1-1: syntax error: expected the node content, but found '-' (syntax)
kubernetes/tacgui/templates/persistentVolume.yml
  [error] 5-5: duplication of key "metadata" in mapping (key-duplicates)
  [error] 1-1: syntax error: expected the node content, but found '-' (syntax)
  [warning] 9-9: wrong indentation: expected 2 but found 6 (indentation)
  [warning] 10-10: wrong indentation: expected 2 but found 4 (indentation)
  [warning] 59-59: too many blank lines (1 > 0) (empty-lines)
kubernetes/tacgui/templates/deployment.yml
  [error] 109-109: trailing spaces (trailing-spaces)
  [error] 117-117: trailing spaces (trailing-spaces)

🔇 Additional comments (3)
kubernetes/tacgui/values.yaml (1)

110-113: initConfigs defaults to true – double-check upgrade path.

Enabling the Job/ConfigMap workflow by default will create extra resources on upgrade and may restart pods unexpectedly.
Confirm this is acceptable for existing installations or flip the default to false.

kubernetes/tacgui/templates/configMaps/initConfigs.yml (1)

1-1: Consider including pre-upgrade in the hook list

On Helm upgrades the ConfigMap won’t be regenerated, which may leave stale defaults on disk while the Job copies files from an older revision.
If you intend the config to be refreshable, append ,pre-upgrade to the hook annotation.

kubernetes/tacgui/README.md (1)

126-140: Possible doc/code mismatch for persistentVolumeClaim.enabled default

README shows the default as false, while the PR summary says PVC is now enabled by default.
Please double-check values.yaml and align the documentation.

Comment on lines +11 to +16
annotations:
"helm.sh/hook": pre-install
"helm.sh/hook-weight": "-5"
{{- if .Values.commonAnnotations }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}

🛠️ Refactor suggestion

Add a hook-delete policy to avoid orphaned ConfigMaps

Helm hooks stay around after a successful install/upgrade unless explicitly cleaned up.
Add the recommended annotation so repeated installs/upgrades don’t fail with “already exists”:

 "helm.sh/hook-weight": "-5"
+"helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded"
Suggested change (resulting block):
annotations:
"helm.sh/hook": pre-install
"helm.sh/hook-weight": "-5"
"helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded"
{{- if .Values.commonAnnotations }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
🧰 Tools
🪛 YAMLlint (1.37.1)
  [error] 11-11: trailing spaces (trailing-spaces)

🤖 Prompt for AI Agents
In kubernetes/tacgui/templates/configMaps/initConfigs.yml around lines 11 to 16,
add the annotation "helm.sh/hook-delete-policy" with the value
"before-hook-creation" to the annotations section. This will ensure Helm cleans
up the ConfigMap hooks before creating new ones, preventing errors about
resources already existing during repeated installs or upgrades.

Comment on lines +64 to +79
initContainers:
{{- if and .Values.initConfigs (.Values.persistentVolumeClaim.enabled) }}
- name: check-configuration
image: busybox
command:
- "/bin/sh"
- "-c"
- |
while [ ! -f /tmp/tacgui-data/tac_plus.cfg ] || [ ! -f /tmp/tacgui-data/tac_plus.cfg_test ]; do echo 'Waiting for configuration files...'; sleep 30; done; echo 'Configuration files are ready.'
volumeMounts:
- name: tacgui-data
mountPath: /tmp/tacgui-data
{{- end }}
{{- if .Values.initContainers }}
{{- include "common.tplvalues.render" (dict "value" .Values.initContainers "context" $) | nindent 8 }}
{{- end }}
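Review bot: `image: busybox` is an unpinned, mutable tag (effectively `latest`) pulled from Docker Hub, so the init container's contents can change between rollouts and the reference ignores `global.imageRegistry`; pin a tag or digest and resolve it against `global.imageRegistry` like the other images in the chart values. The `while` loop also never gives up: if the init Job fails, the pod sits in `Init` indefinitely emitting one log line every 30 s instead of surfacing an error, so bound the number of retries (or pair it with a startup probe) so the failure is visible in `kubectl get pods`.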

⚠️ Potential issue

initContainers: emitted with no items – renders invalid YAML when both feature flags are off.

Wrap the whole block in a conditional or build the list first.

-      initContainers:
-      {{- if ... }}
+      {{- if or (and .Values.initConfigs .Values.persistentVolumeClaim.enabled) .Values.initContainers }}
+      initContainers:
+      {{- if and .Values.initConfigs (.Values.persistentVolumeClaim.enabled) }}
         - name: check-configuration
         ...
       {{- end }}
       {{- if .Values.initContainers }}
         {{- include "common.tplvalues.render" (dict "value" .Values.initContainers "context" $) | nindent 8 }}
       {{- end }}
+      {{- end }}

🤖 Prompt for AI Agents
In kubernetes/tacgui/templates/deployment.yml around lines 64 to 79, the
initContainers key is rendered even when no init containers are defined, causing
invalid YAML. To fix this, wrap the entire initContainers block in a conditional
that checks if either .Values.initConfigs with
.Values.persistentVolumeClaim.enabled or .Values.initContainers is set, so
initContainers is only emitted when there are actual items to include.
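As an added example, not code from the PR or the chart, here is a bounded version of the init container's wait loop written as a POSIX sh function: it checks for the same two files, but returns 1 after a configurable number of attempts instead of sleeping forever, so a failed init Job surfaces as an `Init:Error` pod rather than a silent hang. The function name and its DIR / MAX_TRIES / SLEEP_SECS parameters are my own, not chart values.

```shell
#!/bin/sh
# Added example, not part of the PR: a bounded replacement for the init
# container's "while [ ! -f ... ]; do sleep 30; done" loop.
# wait_for_config, DIR, MAX_TRIES and SLEEP_SECS are hypothetical names.

# wait_for_config DIR [MAX_TRIES] [SLEEP_SECS]
# Returns 0 as soon as DIR/tac_plus.cfg and DIR/tac_plus.cfg_test both
# exist, 1 if they are still missing after MAX_TRIES checks.
wait_for_config() {
    dir=$1
    max_tries=${2:-20}
    sleep_secs=${3:-30}
    tries=0
    while [ ! -f "$dir/tac_plus.cfg" ] || [ ! -f "$dir/tac_plus.cfg_test" ]; do
        tries=$((tries + 1))
        if [ "$tries" -ge "$max_tries" ]; then
            # Giving up makes the init container exit non-zero, so kubectl
            # shows Init:Error instead of an endlessly "waiting" pod.
            echo "Configuration files still missing after $tries checks, giving up." >&2
            return 1
        fi
        echo "Waiting for configuration files ($tries/$max_tries)..."
        sleep "$sleep_secs"
    done
    echo "Configuration files are ready."
    return 0
}

# Stand-alone demonstration on a constructed temporary directory:
# first without the files (times out), then with them (succeeds).
demo_wait() {
    tmp=$(mktemp -d)
    if wait_for_config "$tmp" 3 0; then
        echo "unexpected: empty directory reported ready"
    else
        echo "empty directory: timed out as intended"
    fi
    touch "$tmp/tac_plus.cfg" "$tmp/tac_plus.cfg_test"
    if wait_for_config "$tmp" 3 0; then
        echo "populated directory: ready"
    fi
    rm -rf "$tmp"
}

demo_wait
```

In the Deployment this would replace the inline `while` one-liner; with the defaults above (20 tries, 30 s apart) a missing config fails the pod after about ten minutes, which is long enough for the Job to run and short enough that a broken hook is noticed.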

Comment on lines +27 to +32
cp /tmp/tac_plus.cfg /tmp/tacplus-data/tac_plus.cfg_test && \
cp /tmp/tac_plus.cfg /tmp/tacplus-data/tac_plus.cfg && \
chmod 777 /tmp/tacplus-data/tac_plus.cfg_test && \
chmod 777 /tmp/tacplus-data/tac_plus.cfg && \
mkdir -p /tmp/tacplus-data/backups && \
chmod 777 /tmp/tacplus-data/backups
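Review bot: the two `cp` lines overwrite tac_plus.cfg and tac_plus.cfg_test unconditionally, so any re-run of this Job (for instance if the hook is later extended to pre-upgrade, as suggested elsewhere in this review) replaces a config that tacgui may have edited on the PVC with the ConfigMap default; guard each copy with `[ -f /tmp/tacplus-data/tac_plus.cfg ] ||`. Since the author states this file carries the database password, the 777 modes also make that credential readable and writable by every process in any pod that mounts the volume; 0640 on the files combined with the pod's fsGroup gives the application what it needs without that exposure.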

🛠️ Refactor suggestion

Avoid chmod 777 and world-writable backups.

Granting full RWX to everyone on configuration files defeats basic defence-in-depth.
Use the container’s UID/GID (or 0640/0750) instead.

-chmod 777 /tmp/tacplus-data/tac_plus.cfg_test && \
-chmod 777 /tmp/tacplus-data/tac_plus.cfg && \
+chmod 640 /tmp/tacplus-data/tac_plus.cfg_test && \
+chmod 640 /tmp/tacplus-data/tac_plus.cfg && \
 ...
-chmod 777 /tmp/tacplus-data/backups
+chmod 750 /tmp/tacplus-data/backups
Suggested change (resulting block):
cp /tmp/tac_plus.cfg /tmp/tacplus-data/tac_plus.cfg_test && \
cp /tmp/tac_plus.cfg /tmp/tacplus-data/tac_plus.cfg && \
chmod 640 /tmp/tacplus-data/tac_plus.cfg_test && \
chmod 640 /tmp/tacplus-data/tac_plus.cfg && \
mkdir -p /tmp/tacplus-data/backups && \
chmod 750 /tmp/tacplus-data/backups
🤖 Prompt for AI Agents
In kubernetes/tacgui/templates/jobInitConfigs.yml around lines 27 to 32, the use
of chmod 777 on configuration files and backup directories makes them
world-writable, which is insecure. Replace chmod 777 with more restrictive
permissions such as 0640 for files and 0750 for directories, and ensure
ownership is set to the container's UID/GID to maintain proper access control
without exposing files to all users.
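As an added example (not the chart's own Job script), the copy step written as a POSIX sh function with the permissions the review recommends plus one safeguard the review's diff does not show: the copy is skipped when the target already exists, so a re-run of the Job cannot overwrite a config that tacgui has since edited. A second function verifies the resulting modes with `find -perm`, which exists in busybox as well as GNU findutils. The function names and the SRC_CFG / DATA_DIR parameters are my own, not chart values.

```shell
#!/bin/sh
# Added example, not the chart's jobInitConfigs.yml script: the copy step
# with restrictive modes and an idempotency guard.
# install_config, check_modes, SRC_CFG and DATA_DIR are hypothetical names.

# install_config SRC_CFG DATA_DIR
# Copies SRC_CFG to DATA_DIR/tac_plus.cfg and DATA_DIR/tac_plus.cfg_test
# (only when each target is absent), then sets 0640 on the files and 0750
# on DATA_DIR/backups instead of the world-writable 777 from the PR.
install_config() {
    src=$1
    data=$2
    mkdir -p "$data/backups"
    for name in tac_plus.cfg tac_plus.cfg_test; do
        # Skip the copy if the file is already on the volume: a re-run of the
        # Job must not clobber a config the application has edited since.
        if [ ! -f "$data/$name" ]; then
            cp "$src" "$data/$name"
        fi
        # The config carries credentials: owner rw, group r, nothing for others.
        chmod 640 "$data/$name"
    done
    chmod 750 "$data/backups"
}

# check_modes DATA_DIR
# Returns 0 when both config files are exactly 0640 and backups/ is exactly
# 0750, 1 otherwise. "find PATH -prune -perm MODE" tests one path without
# descending into directories and works in busybox and GNU find alike.
check_modes() {
    data=$1
    for name in tac_plus.cfg tac_plus.cfg_test; do
        [ -n "$(find "$data/$name" -prune -perm 640)" ] || return 1
    done
    [ -n "$(find "$data/backups" -prune -perm 750)" ] || return 1
    return 0
}

# Stand-alone demonstration on a constructed temporary tree.
demo_install() {
    tmp=$(mktemp -d)
    # Constructed stand-in for the ConfigMap-mounted /tmp/tac_plus.cfg.
    printf 'key = "PLACEHOLDER_SECRET"\n' > "$tmp/tac_plus.cfg"
    install_config "$tmp/tac_plus.cfg" "$tmp/data"
    if check_modes "$tmp/data"; then
        echo "modes OK: 0640 on config files, 0750 on backups/"
    else
        echo "mode check failed" >&2
    fi
    # A second run leaves an edited config untouched.
    printf 'key = "edited"\n' > "$tmp/data/tac_plus.cfg"
    install_config "$tmp/tac_plus.cfg" "$tmp/data"
    grep -q edited "$tmp/data/tac_plus.cfg" && echo "re-run preserved the edited config"
    rm -rf "$tmp"
}

demo_install
```

For the real Job the container should run with the same UID or fsGroup as the tacgui Deployment so that 0640 is sufficient; `check_modes` doubles as a cheap post-condition the Job can run before exiting, failing the hook if the volume's filesystem silently ignored the chmod.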

Comment on lines +4 to +11
metadata:
metadata:
name: {{ include "common.names.fullname" . }}-pv
labels: {{- include "common.labels.standard" . | nindent 4 }}
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
{{- if or .Values.persistentVolume.annotations .Values.commonAnnotations }}

⚠️ Potential issue

Duplicate metadata: key breaks rendering.

Line 5 repeats metadata: causing invalid YAML.
Delete the second occurrence.

-4 metadata:
-5 metadata:
+4 metadata:
Suggested change (resulting block):
metadata:
name: {{ include "common.names.fullname" . }}-pv
labels: {{- include "common.labels.standard" . | nindent 4 }}
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
{{- if or .Values.persistentVolume.annotations .Values.commonAnnotations }}
🧰 Tools
🪛 YAMLlint (1.37.1)
  [error] 5-5: duplication of key "metadata" in mapping (key-duplicates)
  [warning] 9-9: wrong indentation: expected 2 but found 6 (indentation)
  [warning] 10-10: wrong indentation: expected 2 but found 4 (indentation)

🤖 Prompt for AI Agents
In kubernetes/tacgui/templates/persistentVolume.yml around lines 4 to 11, there
is a duplicate `metadata:` key on line 5 that breaks YAML rendering. Remove the
second `metadata:` line so that the metadata block is defined only once,
ensuring valid YAML structure.

Comment on lines +41 to +44
{{- if .Values.persistentVolume.annotations }}
annotations:
{{- include "common.tplvalues.render" ( dict "value" .Values.persistentVolume.annotations "context" $ ) | nindent 4 }}
{{- end }}

⚠️ Potential issue

annotations not allowed under spec for PersistentVolume.

Move these annotations to the already-present metadata.annotations block or drop them; the current placement makes the PV object invalid.

🤖 Prompt for AI Agents
In kubernetes/tacgui/templates/persistentVolume.yml around lines 41 to 44, the
annotations are incorrectly placed under the spec section of the
PersistentVolume, which is invalid. Move the annotations block from under spec
to the metadata.annotations section where annotations are allowed, or remove
them if not needed, to ensure the PersistentVolume object is valid.

@tuhoanganh

@ptthanh1511 Resolve the requested changes so I can review it again.
