Node updated for Hub v0.8.31+

[brucetony]

Node templates and images were updated to now support Hub >= v0.8.31

Summary by CodeRabbit

• Chores

  • Updated Keycloak dependency to version 7.1.9

• New Features

  • Migrated Hub authentication from robot-based to client-based credentials (including updated secret key name expected: clientSecret)
  • Bumped container images for storage-service, hub-adapter, pod-orchestrator, message-broker, and UI
  • Added NGINX Ingress buffer size annotations for improved request handling

[coderabbitai]

Caution

Review failed

Pull request was closed or merged during review

📝 Walkthrough

Walkthrough

Switches the Helm chart’s Hub authentication from robot-based to client-based credentials across multiple templates, updates secret keys and env var names, bumps several service image tags, adds two NGINX ingress annotations, and updates the keycloakx dependency version.

Changes

Cohort / File(s)	Summary
Dependency & Chart charts/flame-node/Chart.yaml	Bumped Helm dependency keycloakx from 7.1.1 → 7.1.9.
Auth helpers & Secret charts/flame-node/templates/_helpers.tpl, charts/flame-node/templates/secret.yaml	Renamed temporary helper var for existing secret and switched secret data key from robotSecret → clientSecret; helper output/behavior unchanged.
Hub adapter charts/flame-node/templates/hub-adapter/deployment.yaml	Renamed env vars: AUTOSTART→AUTOSTART__ENABLED, AUTOSTART_INTERVAL→AUTOSTART__INTERVAL; switched hub creds from robot to client (HUB_ROBOT_USER/HUB_ROBOT_SECRET → HUB_NODE_CLIENT_ID/HUB_NODE_CLIENT_SECRET) and secret key robotSecret→clientSecret.
Message broker charts/flame-node/templates/message-broker/deployment.yml	Replaced HUB_AUTH_ROBOT_ID/HUB_AUTH_ROBOT_SECRET_FILE with HUB_AUTH_CLIENT_ID/HUB_AUTH_CLIENT_SECRET_FILE; volume mount filename and secret item key changed from robot_secret.txt/robotSecret → client_secret.txt/clientSecret.
Pod orchestrator charts/flame-node/templates/pod-orchestrator/deployment.yaml	Renamed env vars: HUB_ROBOT_USER→HUB_CLIENT_ID (value source -> .Values.hub.auth.clientID) and HUB_ROBOT_SECRET→HUB_CLIENT_SECRET (secret key clientSecret). Secret name reference unchanged.
Storage service charts/flame-node/templates/storage-service/deployment.yaml	Changed auth flow/env: HUB__AUTH__FLOW "robot"→"client", HUB__AUTH__ID → require .Values.hub.auth.clientID, and secret key robotSecret → clientSecret.
Ingress charts/flame-node/templates/ui/ingress.yaml	Added two fixed NGINX annotations: nginx.ingress.kubernetes.io/proxy-buffer-size: "128k" and nginx.ingress.kubernetes.io/client-body-buffer-size: "32k", while preserving user-provided annotations.
Values & Images charts/flame-node/values.yaml	Replaced hub.auth.robotUser/robotSecret with hub.auth.clientID/clientSecret and updated docs to expect clientSecret; removed messageBroker robot env entries; bumped image tags for storageService, hubAdapter, podOrchestrator, messageBroker, and ui.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~50 minutes

Possibly related PRs

• feat(hub): use kubernetes secrets to store credentials #107: Similar Helm chart changes moving Hub credentials into Kubernetes Secrets and renaming secret keys from robot→client.
• feat: replace robot with client authentication/authroization #111: Implements the same robot-to-client credential migration across Helm templates and env var/secret mappings.

Suggested labels

hub

Poem

🐰 From robot keys hidden beneath the floor,
I hopped and swapped them for a client door.
Buffers widened, images nudged ahead,
Secrets renamed — now neatly tucked in bed.
Hoppy deploys and carrot-code galore! 🥕

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'Node updated for Hub v0.8.31+' accurately summarizes the main objective of the PR, which updates node templates and images for Hub version compatibility.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch new-hub-po

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🧹 Nitpick comments (5)

charts/flame-node/templates/secret.yaml (1)

20-24: Hardcoded default credentials in secrets.

These base64-encoded credentials (admin, flame_user, flame_password, postgres_db) are committed to the repository. While these may be intended as development defaults, consider:

1. Adding a clear comment that these must be overridden in production
2. Documenting in values.yaml that users should provide their own secrets via existingSecret references for production deployments

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@charts/flame-node/templates/secret.yaml` around lines 20 - 24, The secret
template contains hardcoded base64 credentials (data.superPassword,
data.DB_USER, data.DB_PASSWORD, data.DB_DATABASE); update the template to remove
committed defaults and instead reference values (e.g.
.Values.secrets.superPassword, .Values.secrets.DB_USER, etc.) and/or an
existingSecret reference (existingSecret) so production can supply secrets, and
add a clear comment near those keys stating "MUST be overridden in production"
and document in values.yaml that users must provide their own secrets or set
existingSecret for production deployments.

charts/flame-node/templates/ui/ingress.yaml (1)

6-11: Hardcoded NGINX-specific annotations assume NGINX Ingress Controller.

The buffer size annotations are NGINX Ingress Controller-specific. If users deploy with a different ingress controller (Traefik, HAProxy, etc.), these annotations will be ignored. Consider making these configurable via values.yaml to support different ingress controllers and allow tuning.

♻️ Optional: Make buffer sizes configurable

   annotations:
-    nginx.ingress.kubernetes.io/proxy-buffer-size: "128k"
-    nginx.ingress.kubernetes.io/client-body-buffer-size: "32k"
+    {{- if .Values.ingress.nginx.enabled | default true }}
+    nginx.ingress.kubernetes.io/proxy-buffer-size: {{ .Values.ingress.nginx.proxyBufferSize | default "128k" | quote }}
+    nginx.ingress.kubernetes.io/client-body-buffer-size: {{ .Values.ingress.nginx.clientBodyBufferSize | default "32k" | quote }}
+    {{- end }}
     {{- with .Values.ingress.annotations }}
     {{- toYaml . | nindent 4 }}
     {{- end }}

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@charts/flame-node/templates/ui/ingress.yaml` around lines 6 - 11, The chart
currently hardcodes NGINX-specific annotations in the annotations block (see
annotations: and the existing {{- with .Values.ingress.annotations }} usage),
which should be configurable; update values.yaml to expose either
controller-specific keys (e.g., ingress.nginx.bufferSize and
ingress.nginx.clientBodyBufferSize) or a generic ingress.controllerAnnotations
map, then change templates/ui/ingress.yaml to render NGINX annotations only when
those values are set or when .Values.ingress.controller == "nginx", and merge
them with the existing .Values.ingress.annotations so users can supply
Traefik/HAProxy annotations instead; ensure the template uses conditional logic
(if/with) to avoid emitting empty or irrelevant controller annotations.

charts/flame-node/templates/_helpers.tpl (1)

47-57: Comment and fallback secret name still reference "robot" terminology.

The helper variable was renamed to $clientSecretName, but the comment on line 48 ("Return the secret containing the hub robot secret") and the fallback secret name on line 55 (hub-robot-secret) still use "robot" terminology. Consider updating for consistency with the new client-based authentication model.

Note: Changing the fallback secret name would be a breaking change for existing deployments, so keeping it as-is may be intentional for backward compatibility.

📝 Suggested comment update (non-breaking)

 {{/*
-Return the secret containing the hub robot secret
+Return the secret containing the hub client credentials
 */}}
 {{- define "hub.secretName" -}}
 {{- $clientSecretName := .Values.hub.auth.existingSecret -}}

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@charts/flame-node/templates/_helpers.tpl` around lines 47 - 57, Update the
comment and, optionally, the fallback secret name in the "hub.secretName" helper
to reflect the client-based auth naming: change the comment that currently reads
"Return the secret containing the hub robot secret" to reference the hub client
secret, and if you choose to rename the fallback for consistency, replace the
literal "hub-robot-secret" used in the else branch with "hub-client-secret"; if
you must preserve backward compatibility, leave the fallback string unchanged
but still update the comment; locate the logic by the define "hub.secretName"
and the variable $clientSecretName.

charts/flame-node/templates/hub-adapter/deployment.yaml (1)

46-56: Consider pinning the curl image tag for reproducibility.

The initContainer uses curlimages/curl:latest which can lead to inconsistent behavior across deployments if the image is updated. Pin to a specific version for consistency.

📌 Proposed fix

       initContainers:
         - name: wait-for-keycloak
-          image: curlimages/curl:latest
+          image: curlimages/curl:8.18.0
           imagePullPolicy: IfNotPresent

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@charts/flame-node/templates/hub-adapter/deployment.yaml` around lines 46 -
56, The initContainer "wait-for-keycloak" currently uses the floating tag
curlimages/curl:latest; change it to a pinned, specific version (for example
curlimages/curl:8.4.0 or another vetted semver) to ensure reproducible
deployments; update the image reference in the deployment template where
"wait-for-keycloak" and image: curlimages/curl:latest appear and verify
imagePullPolicy remains IfNotPresent.

charts/flame-node/values.yaml (1)

490-491: Replace release TODO with tracked issue/reference.

Keeping a TODO in default chart values makes release intent ambiguous. Prefer a concrete issue link or remove the TODO once validated.

If you want, I can draft a small follow-up patch to replace this with a version-compatibility note plus issue reference.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@charts/flame-node/values.yaml` around lines 490 - 491, Replace the transient
TODO comment above the "tag: 0.4.0" entry with a concrete reference or remove
it: either replace the TODO with a short compatibility note plus a tracked
issue/PR URL (e.g., "See ISSUE-1234 for upgrade validation") or delete the TODO
entirely now that the version is validated; update the comment immediately above
the tag key so the value "tag: 0.4.0" remains but no ambiguous TODO remains in
the chart defaults.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@charts/flame-node/templates/pod-orchestrator/deployment.yaml`:
- Around line 112-118: Update the required message for the HUB_CLIENT_ID
environment variable to reference the client ID instead of "robot ID": in the
deployment template where the env var name HUB_CLIENT_ID is set (and next to
HUB_CLIENT_SECRET and include "hub.secretName"), replace the required message "A
robot ID for the Hub is required." with a consistent message like "A client ID
for the Hub is required." so the error text matches the HUB_CLIENT_ID variable.

In `@charts/flame-node/values.yaml`:
- Around line 98-101: Remove the unused legacy auth keys by deleting
HUB_AUTH_ROBOT_ID and HUB_AUTH_ROBOT_SECRET from values.yaml so only the
actively used hub auth fields remain; update the values schema/comments to
reflect that templates reference .Values.hub.auth.clientID and
.Values.hub.auth.clientSecret (and the optional hub.auth.existingSecret) to
avoid confusion and misconfiguration.

---

Nitpick comments:
In `@charts/flame-node/templates/_helpers.tpl`:
- Around line 47-57: Update the comment and, optionally, the fallback secret
name in the "hub.secretName" helper to reflect the client-based auth naming:
change the comment that currently reads "Return the secret containing the hub
robot secret" to reference the hub client secret, and if you choose to rename
the fallback for consistency, replace the literal "hub-robot-secret" used in the
else branch with "hub-client-secret"; if you must preserve backward
compatibility, leave the fallback string unchanged but still update the comment;
locate the logic by the define "hub.secretName" and the variable
$clientSecretName.

In `@charts/flame-node/templates/hub-adapter/deployment.yaml`:
- Around line 46-56: The initContainer "wait-for-keycloak" currently uses the
floating tag curlimages/curl:latest; change it to a pinned, specific version
(for example curlimages/curl:8.4.0 or another vetted semver) to ensure
reproducible deployments; update the image reference in the deployment template
where "wait-for-keycloak" and image: curlimages/curl:latest appear and verify
imagePullPolicy remains IfNotPresent.

In `@charts/flame-node/templates/secret.yaml`:
- Around line 20-24: The secret template contains hardcoded base64 credentials
(data.superPassword, data.DB_USER, data.DB_PASSWORD, data.DB_DATABASE); update
the template to remove committed defaults and instead reference values (e.g.
.Values.secrets.superPassword, .Values.secrets.DB_USER, etc.) and/or an
existingSecret reference (existingSecret) so production can supply secrets, and
add a clear comment near those keys stating "MUST be overridden in production"
and document in values.yaml that users must provide their own secrets or set
existingSecret for production deployments.

In `@charts/flame-node/templates/ui/ingress.yaml`:
- Around line 6-11: The chart currently hardcodes NGINX-specific annotations in
the annotations block (see annotations: and the existing {{- with
.Values.ingress.annotations }} usage), which should be configurable; update
values.yaml to expose either controller-specific keys (e.g.,
ingress.nginx.bufferSize and ingress.nginx.clientBodyBufferSize) or a generic
ingress.controllerAnnotations map, then change templates/ui/ingress.yaml to
render NGINX annotations only when those values are set or when
.Values.ingress.controller == "nginx", and merge them with the existing
.Values.ingress.annotations so users can supply Traefik/HAProxy annotations
instead; ensure the template uses conditional logic (if/with) to avoid emitting
empty or irrelevant controller annotations.

In `@charts/flame-node/values.yaml`:
- Around line 490-491: Replace the transient TODO comment above the "tag: 0.4.0"
entry with a concrete reference or remove it: either replace the TODO with a
short compatibility note plus a tracked issue/PR URL (e.g., "See ISSUE-1234 for
upgrade validation") or delete the TODO entirely now that the version is
validated; update the comment immediately above the tag key so the value "tag:
0.4.0" remains but no ambiguous TODO remains in the chart defaults.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: c19b0fd7-0816-4176-83c2-5de389392d5f

📥 Commits

Reviewing files that changed from the base of the PR and between 5097fa6 and b204fc3.

📒 Files selected for processing (9)

• charts/flame-node/Chart.yaml
• charts/flame-node/templates/_helpers.tpl
• charts/flame-node/templates/hub-adapter/deployment.yaml
• charts/flame-node/templates/message-broker/deployment.yml
• charts/flame-node/templates/pod-orchestrator/deployment.yaml
• charts/flame-node/templates/secret.yaml
• charts/flame-node/templates/storage-service/deployment.yaml
• charts/flame-node/templates/ui/ingress.yaml
• charts/flame-node/values.yaml