Skip to content

chore(fix): Resolve Snyk IaC Findings for RHDH Helm Chart (with and without Orchestrator)#166

Merged
rm3l merged 18 commits intoredhat-developer:mainfrom
Fortune-Ndlovu:address-snyk-findings
Jun 20, 2025
Merged

chore(fix): Resolve Snyk IaC Findings for RHDH Helm Chart (with and without Orchestrator)#166
rm3l merged 18 commits intoredhat-developer:mainfrom
Fortune-Ndlovu:address-snyk-findings

Conversation

@Fortune-Ndlovu
Copy link
Copy Markdown
Member

@Fortune-Ndlovu Fortune-Ndlovu commented Jun 4, 2025
edited
Loading

Description of the change

This PR addresses all reported Snyk Infrastructure-as-Code (IaC) findings for the RHDH Helm Chart in both configurations:

Validation

  • snyk iac test shows 0 issues for both:
    • output/backstage
    • output/backstage-orchestrator
  • Helm chart renders and deploys successfully in both configurations

Existing or Associated Issue(s)

https://issues.redhat.com/browse/RHIDP-7490

Additional Information

Checklist

  • Chart version bumped in Chart.yaml according to semver.
  • Variables are documented in the values.yaml and added to the README.md. The pre-commit utility can be used to generate the necessary content. Use pre-commit run -a to apply changes.
  • JSON Schema template updated and re-generated the raw schema via pre-commit hook.
  • List tests pass for Chart using the Chart Testing tool and the ct lint command.

@Fortune-Ndlovu
Resolve SNYK-CC-K8S-6, SNYK-CC-K8S-9, SNYK-CC-K8S-10
7b02ab8 
Signed-off-by: Fortune-Ndlovu <fndlovu@redhat.com>
@openshift-ci openshift-ci Bot requested review from davidfestal and kadel June 4, 2025 12:35
@Fortune-Ndlovu Fortune-Ndlovu changed the title chore: Resolve SNYK-CC-K8S-6, SNYK-CC-K8S-9, SNYK-CC-K8S-10 chore: address-snyk-findings Jun 4, 2025
@Fortune-Ndlovu
Resolve Low issues
08cd415 
Signed-off-by: Fortune-Ndlovu <fndlovu@redhat.com>
@Fortune-Ndlovu Fortune-Ndlovu changed the title chore: address-snyk-findings WIP chore: address-snyk-findings Jun 5, 2025
@Fortune-Ndlovu
fix indent
bd17011 
Signed-off-by: Fortune-Ndlovu <fndlovu@redhat.com>
@Fortune-Ndlovu
fix containerSecurityContext
0b6217b 
Signed-off-by: Fortune-Ndlovu <fndlovu@redhat.com>
@Fortune-Ndlovu
fix imagePullPolicy in test-connection
6132dc0 
Signed-off-by: Fortune-Ndlovu <fndlovu@redhat.com>
@Fortune-Ndlovu Fortune-Ndlovu changed the title WIP chore: address-snyk-findings chore(fix): Resolve Snyk IaC Findings for RHDH Helm Chart (with and without Orchestrator) Jun 5, 2025
@Fortune-Ndlovu
add pull_request to trigger and test PR behavior
ec9333d 
Signed-off-by: Fortune-Ndlovu <fndlovu@redhat.com>
@Fortune-Ndlovu
Copy link
Copy Markdown
Member Author

Fortune-Ndlovu commented Jun 5, 2025

/cc @rm3l

@openshift-ci openshift-ci Bot requested a review from rm3l June 5, 2025 17:49
@Fortune-Ndlovu
remove pull_request to trigger and test PR behavior
2acfa6e 
Signed-off-by: Fortune-Ndlovu <fndlovu@redhat.com>
@Fortune-Ndlovu
bump chart version
0a802f8 
Signed-off-by: Fortune-Ndlovu <fndlovu@redhat.com>
rm3l
rm3l reviewed Jun 6, 2025
View reviewed changes
Copy link
Copy Markdown
Member

@rm3l rm3l left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@Fortune-Ndlovu Could you look into the CI failures reported? It looks like the DB container might fail to start: https://github.com/redhat-developer/rhdh-chart/actions/runs/15486926807/job/43603618835?pr=166#step:13:4901
Thanks.

@Fortune-Ndlovu
Remove readOnlyRootFilesystem: true from PostgreSQL only
1cb5638 
Signed-off-by: Fortune-Ndlovu <fndlovu@redhat.com>
@Fortune-Ndlovu
Copy link
Copy Markdown
Member Author

Fortune-Ndlovu commented Jun 6, 2025

@rm3l, the root cause was that we had enabled readOnlyRootFilesystem: true for the Bitnami PostgreSQL container to satisfy Snyk IaC best practices. However, the PostgreSQL image requires write access to internal paths like /var/lib/pgsql/passwd during startup.

This resulted in a CrashLoopBackOff and prevented Backstage from connecting to the DB, which in turn caused multiple plugins (like healthcheck) to fail initialization.

I have removed the readOnlyRootFilesystem setting specifically for PostgreSQL to allow it to boot successfully, while retaining it for the rest of the containers where it's safe and beneficial.

rm3l
rm3l requested changes Jun 10, 2025
View reviewed changes
Comment thread charts/backstage/values.yaml Outdated
Comment thread charts/backstage/templates/sonataflows.yaml Outdated
@Fortune-Ndlovu
disable container security context
abe8dfc 
Signed-off-by: Fortune-Ndlovu <fndlovu@redhat.com>
@Fortune-Ndlovu
remove runAsUser and runAsGroup
ee97742 
Signed-off-by: Fortune-Ndlovu <fndlovu@redhat.com>
@Fortune-Ndlovu
Chart version bumped
dd5b342 
Signed-off-by: Fortune-Ndlovu <fndlovu@redhat.com>
@Fortune-Ndlovu Fortune-Ndlovu requested a review from rm3l June 16, 2025 15:40
rm3l
rm3l requested changes Jun 17, 2025
View reviewed changes
Comment thread charts/backstage/values.yaml
@Fortune-Ndlovu
Dont set runAsUser as ocp usually randomly assigns a high UID to each…
d4c5f38 
… pod and does not allow hardcoding UIDs by default.

Signed-off-by: Fortune-Ndlovu <fndlovu@redhat.com>
@Fortune-Ndlovu
Remove all runAsNonRoot: true settings for now to get your tests pass…
ed2d816 
…ing.

Signed-off-by: Fortune-Ndlovu <fndlovu@redhat.com>
rm3l
rm3l reviewed Jun 19, 2025
View reviewed changes
Comment thread charts/backstage/values.yaml
Comment thread charts/backstage/values.yaml
Comment thread charts/backstage/values.yaml
Comment thread charts/backstage/values.yaml Outdated
Comment thread charts/backstage/templates/sonataflows.yaml
Comment thread charts/backstage/templates/sonataflows.yaml
Comment thread charts/backstage/templates/tests/test-connection.yaml Outdated
@Fortune-Ndlovu
fixup
eb69721 
Signed-off-by: Fortune-Ndlovu <fndlovu@redhat.com>
@Fortune-Ndlovu
imagePullPolicy below image
4b05bae 
Signed-off-by: Fortune-Ndlovu <fndlovu@redhat.com>
@sonarqubecloud
Copy link
Copy Markdown

sonarqubecloud Bot commented Jun 19, 2025

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

@Fortune-Ndlovu Fortune-Ndlovu requested a review from rm3l June 19, 2025 14:25
rm3l
rm3l approved these changes Jun 20, 2025
View reviewed changes
Copy link
Copy Markdown
Member

@rm3l rm3l left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm

@openshift-ci openshift-ci Bot added the lgtm label Jun 20, 2025
@rm3l rm3l merged commit 229e4f9 into redhat-developer:main Jun 20, 2025
7 of 8 checks passed
@rm3l rm3l mentioned this pull request Oct 16, 2025
Closed
5 tasks
@rhdh-qodo-merge rhdh-qodo-merge Bot mentioned this pull request Apr 19, 2026
Open
5 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@rm3l rm3l rm3l approved these changes

@davidfestal davidfestal Awaiting requested review from davidfestal

@kadel kadel Awaiting requested review from kadel

Assignees

@rm3l rm3l

Labels

lgtm

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@Fortune-Ndlovu @rm3l