fix(minio): source local-dev MinIO credentials from a Secret#2588
Conversation
The Deployment and bucket-provisioning Job embedded the root credential as plaintext env values and an inline mc argument — Kubescape C-0012's exact target and the one residual NSA finding in the CI scan. The credential now lives in a minio-root-credentials Secret both workloads reference via secretKeyRef; the value is unchanged (this MinIO exists only in the throwaway Docker test-bed). Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
|
Warning Review limit reachedYou’ve reached a temporary PR review limit under our Fair Usage Limits Policy. Next review available in: 2 minutes Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available. How can I continue?After more reviews become available, a review can be triggered using the To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews. How do review limits work?CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability. For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window. Please refer docs for additional details. Review details⚙️ Run configurationConfiguration used: Organization UI Review profile: ASSERTIVE Plan: Pro Run ID: 📒 Files selected for processing (4)
Comment |
@codex review |
|
Codex Review: Didn't find any major issues. Chef's kiss. Reviewed commit: ℹ️ About Codex in GitHubYour team has set up Codex to review pull requests in this repo. Reviews are triggered when you
If Codex has suggestions, it will comment; otherwise it will react with 👍. Codex can also answer questions or update the PR. Try commenting "@codex address that feedback". |
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 558b838dc9
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
|
@coderabbitai review\n\nDisclosure: This review request was authored by Codex after addressing the latest review thread. |
|
@codex review\n\nDisclosure: This review request was authored by Codex after addressing the latest review thread. |
|
✅ Action performedReview finished.
|
|
Codex Review: Didn't find any major issues. Keep it up! Reviewed commit: ℹ️ About Codex in GitHubYour team has set up Codex to review pull requests in this repo. Reviews are triggered when you
If Codex has suggestions, it will comment; otherwise it will react with 👍. Codex can also answer questions or update the PR. Try commenting "@codex address that feedback". |
|
@coderabbitai run pre-merge checks
|
✅ Actions performedRunning Pre-merge checks. Results will be posted in the summary comment once complete. |
|
ℹ️ Pre-merge checks are not enabled. To use pre-merge checks, please enable them in CodeRabbit settings. |
|
🎉 This PR is included in version 1.112.2 🎉 The release is available on GitHub release Your semantic-release bot 📦🚀 |
Why
The local-dev MinIO manifests embed their root credential in plain workload specs — the exact pattern Kubescape C-0012 exists to catch, and the single residual NSA finding depressing the CI compliance score.
What
Moves the credential into a Secret that the Deployment and bucket-provisioning Job reference, fixing the finding at the root instead of excepting it. No behaviour change: the well-known local-dev value is unchanged and prod never deploys this overlay. Both overlays validate clean (537 files each).
Fixes #2585. Part of #2447.