Skip to content

fix(minio): source local-dev MinIO credentials from a Secret#2588

Merged
devantler merged 2 commits into
mainfrom
claude/minio-local-dev-secret
Jul 11, 2026
Merged

fix(minio): source local-dev MinIO credentials from a Secret#2588
devantler merged 2 commits into
mainfrom
claude/minio-local-dev-secret

Conversation

@devantler

Copy link
Copy Markdown
Contributor

🤖 Generated by the Daily AI Engineer

Why

The local-dev MinIO manifests embed their root credential in plain workload specs — the exact pattern Kubescape C-0012 exists to catch, and the single residual NSA finding depressing the CI compliance score.

What

Moves the credential into a Secret that the Deployment and bucket-provisioning Job reference, fixing the finding at the root instead of excepting it. No behaviour change: the well-known local-dev value is unchanged and prod never deploys this overlay. Both overlays validate clean (537 files each).

Fixes #2585. Part of #2447.

The Deployment and bucket-provisioning Job embedded the root credential as
plaintext env values and an inline mc argument — Kubescape C-0012's exact
target and the one residual NSA finding in the CI scan. The credential now
lives in a minio-root-credentials Secret both workloads reference via
secretKeyRef; the value is unchanged (this MinIO exists only in the
throwaway Docker test-bed).

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
@coderabbitai

coderabbitai Bot commented Jul 11, 2026

Copy link
Copy Markdown
Contributor

Warning

Review limit reached

You’ve reached a temporary PR review limit under our Fair Usage Limits Policy.

Your recent review volume is higher than typical usage, so adaptive limits are currently applied.

Next review available in: 2 minutes

Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available.
You're only billed for reviews past your plan's rate limits ($0.25/file).

How can I continue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews.

How do review limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window.

Please refer docs for additional details.

Review details
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: dd1a3b1d-16c1-4cfe-be77-dc8ae245311f

📥 Commits

Reviewing files that changed from the base of the PR and between f632473 and 7db0acb.

📒 Files selected for processing (4)
  • k8s/providers/docker/infrastructure/controllers/minio/deployment.yaml
  • k8s/providers/docker/infrastructure/controllers/minio/job.yaml
  • k8s/providers/docker/infrastructure/controllers/minio/kustomization.yaml
  • k8s/providers/docker/infrastructure/controllers/minio/secret.yaml

Comment @coderabbitai help to get the list of available commands.

@devantler

Copy link
Copy Markdown
Contributor Author

🤖 Generated by the Daily AI Engineer

@codex review

@chatgpt-codex-connector

Copy link
Copy Markdown

Codex Review: Didn't find any major issues. Chef's kiss.

Reviewed commit: 558b838dc9

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

@devantler devantler marked this pull request as ready for review July 11, 2026 16:21

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 558b838dc9

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread k8s/providers/docker/infrastructure/controllers/minio/secret.yaml Outdated
@devantler devantler marked this pull request as draft July 11, 2026 16:31
@devantler

Copy link
Copy Markdown
Contributor Author

@coderabbitai review\n\nDisclosure: This review request was authored by Codex after addressing the latest review thread.

@devantler

Copy link
Copy Markdown
Contributor Author

@codex review\n\nDisclosure: This review request was authored by Codex after addressing the latest review thread.

@coderabbitai

coderabbitai Bot commented Jul 11, 2026

Copy link
Copy Markdown
Contributor

@devantler Sounds good, I'll review the changes now.

✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@chatgpt-codex-connector

Copy link
Copy Markdown

Codex Review: Didn't find any major issues. Keep it up!

Reviewed commit: 7db0acb50a

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

@devantler devantler marked this pull request as ready for review July 11, 2026 18:11
@devantler

Copy link
Copy Markdown
Contributor Author

@coderabbitai run pre-merge checks

🤖 Generated by the Daily AI Engineer

@coderabbitai

coderabbitai Bot commented Jul 11, 2026

Copy link
Copy Markdown
Contributor
✅ Actions performed

Running Pre-merge checks. Results will be posted in the summary comment once complete.

@coderabbitai

coderabbitai Bot commented Jul 11, 2026

Copy link
Copy Markdown
Contributor

ℹ️ Pre-merge checks are not enabled. To use pre-merge checks, please enable them in CodeRabbit settings.

@devantler devantler added this pull request to the merge queue Jul 11, 2026
Merged via the queue into main with commit d11891a Jul 11, 2026
16 checks passed
@devantler devantler deleted the claude/minio-local-dev-secret branch July 11, 2026 18:42
@github-project-automation github-project-automation Bot moved this from 🫴 Ready to ✅ Done in 🌊 Project Board Jul 11, 2026
@botantler-1

botantler-1 Bot commented Jul 11, 2026

Copy link
Copy Markdown
Contributor

🎉 This PR is included in version 1.112.2 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀

@botantler-1 botantler-1 Bot added the released label Jul 11, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

Status: ✅ Done

Development

Successfully merging this pull request may close these issues.

fix(minio): source local-dev MinIO credentials from a Secret (Kubescape C-0012)

1 participant