@cjorge-graphops cjorge-graphops commented Sep 15, 2025

  • tighten up containers security
  • revamp dashboard and support Grafana Operator

Summary by CodeRabbit

  • New Features

    • Secret-driven config rendering via envsubst with an init container and required variables support.
    • Expanded runtime configuration: env/envFrom/envRaw, ulimit control, and stricter pod security defaults.
    • Optional Grafana Operator integration to auto-publish bundled dashboards.
    • Overhauled Grafana dashboard: global SRE overview with datasource selectors, logs (Loki), and new KPIs.
  • Documentation

    • Added guidance for envsubst-based templating and computed variables.
    • Expanded values reference (dashboards operator, env options, WS config, service accounts).
  • Chores

    • Bumped Helm chart version to 0.7.0.

coderabbitai bot commented Sep 15, 2025

Caution: Review failed. The pull request is closed.

Walkthrough

Bumps proxyd chart to 0.7.0. Introduces envsubst-driven config templating via an initContainer, new environment/ulimit options, and tightened security. Adds Grafana Operator dashboard templating and overhauls the bundled Grafana dashboard. Expands values and README to document new fields and behavior.

Changes

| Cohort | File(s) | Summary |
|---|---|---|
| Version bump | charts/proxyd/Chart.yaml | Chart version updated from 0.6.15 to 0.7.0; appVersion unchanged. |
| Docs: features and values | charts/proxyd/README.md, charts/proxyd/README.md.gotmpl | Documents envsubst-based secret-driven config rendering, initContainer usage, new values (env/envFrom/envRaw, ulimitNoFile, podSecurityContext.seccompProfile, serviceAccount fields, WS settings), and Grafana Operator dashboards; adds examples and computed template variables notes. |
| Deployment templating and runtime | charts/proxyd/templates/proxyd/deployment.yaml | Adds conditional envsubst initContainer rendering /config/config.toml from template; introduces env/envFrom/envRaw for main and init containers; supports ulimitNoFile; adjusts volumes for template vs direct config; tightens securityContext; updates command/args wiring. |
| Grafana Operator integration | charts/proxyd/templates/dashboards-operator.yaml | New template rendering GrafanaDashboard CRs from files under dashboards/* when grafana.operatorDashboards.enabled is true; supports labels, annotations, instanceSelector, folder/UID, uid, resyncPeriod, suspend, extraSpec. |
| Values expansion | charts/proxyd/values.yaml | Adds grafana.operatorDashboards block; introduces proxyd.ulimitNoFile, proxyd.env, proxyd.envFrom, proxyd.envRaw, proxyd.configTemplating.envsubst (enabled, requiredVars), proxyd.initContainer (image, env, envRaw, envFrom), and podSecurityContext.seccompProfile. |
| Dashboard overhaul | charts/proxyd/dashboards/proxyd.json | Replaces dashboard with a global SRE overview; adds/changes templating variables (datasource, loki_datasource, chain/network/namespace/instance/replica), panels, rows, and metadata (id, uid, title, tags, schema/time range). |

Sequence Diagram(s)

sequenceDiagram
  autonumber
  participant U as User (Helm install/upgrade)
  participant H as Helm (proxyd chart)
  participant K as Kubernetes
  participant I as InitContainer (envsubst)
  participant P as Proxyd Container

  U->>H: helm upgrade --install
  H->>K: Create Deployment (envsubst enabled?)
  alt envsubst enabled
    K-->>I: Start initContainer render-config
    I->>I: Validate TEMPLATE_PATH and REQUIRED_VARS
    I->>I: Render /config/config.toml via envsubst
    I-->>K: Exit 0 on success
    K-->>P: Start main container
    P->>P: Apply ulimit (nofile)
    P->>P: exec proxyd /config/config.toml
  else envsubst disabled
    K-->>P: Start main container with ConfigMap-mounted config
    P->>P: exec proxyd /config/config.toml
  end

sequenceDiagram
  autonumber
  participant H as Helm (proxyd chart)
  participant K as Kubernetes
  participant GO as Grafana Operator
  participant G as Grafana

  H->>K: Create GrafanaDashboard CRs (if enabled)
  K-->>GO: Reconcile GrafanaDashboard
  GO->>G: Provision/Update dashboards from JSON payloads

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Suggested labels

type:feature

Suggested reviewers

  • i0n
  • calinah
📥 Commits

Reviewing files that changed from the base of the PR and between 8086ca1 and 8b447ab.

📒 Files selected for processing (7)
  • charts/proxyd/Chart.yaml (1 hunks)
  • charts/proxyd/README.md (5 hunks)
  • charts/proxyd/README.md.gotmpl (1 hunks)
  • charts/proxyd/dashboards/proxyd.json (10 hunks)
  • charts/proxyd/templates/dashboards-operator.yaml (1 hunks)
  • charts/proxyd/templates/proxyd/deployment.yaml (1 hunks)
  • charts/proxyd/values.yaml (4 hunks)

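The walkthrough's render-config initContainer validates TEMPLATE_PATH and REQUIRED_VARS before rendering the config with envsubst, and the summary lists `requiredVars` under `proxyd.configTemplating.envsubst`. The POSIX sh below is an added illustration of what those checks look like, not the chart's own init script: the function names, the space-separated list of variable names, the temp-file write, and restricting substitution to the listed variables (envsubst SHELL-FORMAT) are assumptions.

```shell
#!/bin/sh
# Added example, not the proxyd chart's init script. Shows the fail-closed
# checks an envsubst render step needs: every required variable must be set
# and non-empty, the template must exist, and a failed render must not leave
# a partial config for the main container to start on.

# check_required_vars "VAR_A VAR_B": return 1 and name every variable that is
# unset or empty, so the pod fails at init instead of running proxyd with a
# half-rendered config.toml.
check_required_vars() {
  missing=""
  for name in $1; do
    # Only accept shell identifiers: the list comes from values.yaml, but an
    # eval on anything else would be a shell injection, so reject it outright.
    case "$name" in
      ''|*[!A-Za-z0-9_]*) echo "render-config: bad variable name '$name'" >&2; return 1 ;;
    esac
    eval "value=\${$name:-}"   # indirect lookup of the variable named in $name
    [ -n "$value" ] || missing="$missing $name"
  done
  if [ -n "$missing" ]; then
    echo "render-config: missing required variables:$missing" >&2
    return 1
  fi
  return 0
}

# render_config TEMPLATE OUT "VAR_A VAR_B": render TEMPLATE into OUT. Only the
# listed variables are substituted (assumption: SHELL-FORMAT argument), so an
# unrelated $FOO in the template stays literal instead of expanding silently.
render_config() {
  template="$1"; out="$2"; vars="$3"
  [ -f "$template" ] || { echo "render-config: no template at $template" >&2; return 1; }
  command -v envsubst >/dev/null 2>&1 || { echo "render-config: envsubst not found" >&2; return 1; }
  check_required_vars "$vars" || return 1
  shell_format=""
  for name in $vars; do shell_format="$shell_format \${$name}"; done
  # Write to a temp file first and move into place only on success, so OUT is
  # either the previous content or a complete render, never a truncated file.
  tmp="$out.tmp"
  if ! envsubst "$shell_format" < "$template" > "$tmp"; then
    rm -f "$tmp"
    return 1
  fi
  mv "$tmp" "$out"
}
```

In the initContainer the call would be `render_config "$TEMPLATE_PATH" /config/config.toml "$REQUIRED_VARS"`, with a non-zero exit keeping the main proxyd container from starting.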

@cjorge-graphops cjorge-graphops merged commit 605fa4d into main Sep 15, 2025
1 of 2 checks passed
@cjorge-graphops cjorge-graphops deleted the feat/proxyd-secure branch September 15, 2025 12:53