Skip to content

Allow to use proLicense when set in secret#84

Open
anthosz wants to merge 9 commits into
bunkerity:devfrom
anthosz:pre-license
Open

Allow to use proLicense when set in secret#84
anthosz wants to merge 9 commits into
bunkerity:devfrom
anthosz:pre-license

Conversation

@anthosz

@anthosz anthosz commented Jun 22, 2026

Copy link
Copy Markdown
Contributor

When proLicense is set in secret, it's not take into account, here is a fix

@coderabbitai

coderabbitai Bot commented Jun 22, 2026

Copy link
Copy Markdown

Review Change Stack

Warning

Review limit reached

@anthosz, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 56 minutes and 11 seconds. Learn how PR review limits work.

Your organization has used up its prepaid credits, and credit purchases are no longer available. Enable the review add-on in the billing tab to keep reviews running — you're only billed for reviews past your plan's rate limits ($0.25/file).

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based credits.

🚦 How do rate limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: fbe954ae-97a3-4f3b-844a-20057773dce5

📥 Commits

Reviewing files that changed from the base of the PR and between ac32484 and ab22fea.

📒 Files selected for processing (1)
  • charts/bunkerweb/values.yaml

Walkthrough

PRO_LICENSE_KEY now resolves from settings.existingSecret first, with scheduler.proLicenseKey as fallback. The settings secret comments in values.yaml were reordered and reworded.

Changes

PRO_LICENSE_KEY Secret Resolution in Scheduler Deployment

Layer / File(s) Summary
PRO_LICENSE_KEY priority resolution and template fix
charts/bunkerweb/templates/scheduler-deployment.yaml
Lines 89–96 switch PRO_LICENSE_KEY to a priority chain: settings.existingSecret injects pro-license-key through secretKeyRef with optional: true, otherwise scheduler.proLicenseKey is used. Line 149 adjusts the closing {{- end }} near topologySpreadConstraints.
Settings secret comments
charts/bunkerweb/values.yaml
Lines 58–61 reorder the secret-key comments and update the note about the optional Pro licence key for non-PRO deployments.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~5 minutes

Possibly related issues

Poem

🔑 A secret first, then fallback text,
The scheduler now knows what comes next.
A note in values, crisp and clear,
Keeps the licence path in view right here.

🚥 Pre-merge checks | ✅ 1 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Title check ⚠️ Warning The title is relevant, but it does not use the required component: description or Conventional Commits format. Rewrite it as scheduler: use secret-sourced pro licence key or another component-prefixed title under 70 characters.
✅ Passed checks (1 passed)
Check name Status Explanation
Description check ✅ Passed The description is directly related and correctly describes the secret-sourced pro licence fix.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.


Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@charts/bunkerweb/templates/scheduler-deployment.yaml`:
- Around line 85-93: The secretKeyRef block for the PRO_LICENSE_KEY environment
variable that references the pro-license-key from the existingSecret is missing
the optional: true field. When existingSecret is configured but does not contain
the pro-license-key, the Pod will fail to start. Add optional: true to the
secretKeyRef block (alongside name and key) to make this secret reference
optional, allowing non-PRO deployments where the license key is not required to
function properly. This follows the same pattern already used in
mcp-deployment.yaml for optional secret references.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 9b4b662e-4b05-4869-a426-373dcc362a5e

📥 Commits

Reviewing files that changed from the base of the PR and between 163db9e and 442b204.

📒 Files selected for processing (1)
  • charts/bunkerweb/templates/scheduler-deployment.yaml
📜 Review details
🧰 Additional context used
📓 Path-based instructions (3)
**/*.yaml

📄 CodeRabbit inference engine (CLAUDE.md)

Always run ./scripts/validate-chart.sh before committing to test template rendering across many configuration combinations

Files:

  • charts/bunkerweb/templates/scheduler-deployment.yaml
charts/bunkerweb/templates/*.yaml

📄 CodeRabbit inference engine (CLAUDE.md)

Use the existingSecret pattern to allow users to reference pre-created Kubernetes Secrets instead of embedding credentials in values.yaml, injecting sensitive values (DB URI, Redis password, admin credentials, API keys) via secretKeyRef

Files:

  • charts/bunkerweb/templates/scheduler-deployment.yaml
charts/bunkerweb/templates/**/*.yaml

⚙️ CodeRabbit configuration file

charts/bunkerweb/templates/**/*.yaml: These are Helm v3 Go-templated Kubernetes manifests (mixing {{- ... -}} actions with K8s YAML). Apply rules to the RENDERED Kubernetes intent, not to the Go template control blocks:

  • Every component is gated by .Values.<component>.enabled (or eq .Values.bunkerweb.kind "<Kind>"). Preserve that guard; do not render workloads unconditionally.
  • Pod/container securityContext should prefer runAsNonRoot: true, allowPrivilegeEscalation: false, dropped capabilities, seccompProfile: RuntimeDefault, and a read-only root filesystem where the component tolerates it.
  • Declare resource requests/limits and sensible livenessProbe/readinessProbe where the component supports them.
  • Pin images to explicit tags or digests; never :latest. Image tag should track the chart appVersion for BunkerWeb components.
  • Sensitive values (database URI, Redis password, admin creds, API keys) must be injected via secretKeyRef and honour the existingSecret pattern — never rendered as plaintext env values.
  • Use nindent/indent correctly so helper output stays valid YAML; do not break toYaml | nindent blocks.
  • RBAC (clusterrole.yaml) must stay least-privilege; flag new * verbs/resources or cluster-wide grants without justification.
  • NetworkPolicy changes must not silently widen ingress/egress beyond the components that need it.

Files:

  • charts/bunkerweb/templates/scheduler-deployment.yaml
🔇 Additional comments (2)
charts/bunkerweb/templates/scheduler-deployment.yaml (2)

135-135: LGTM!


85-93: Please validate chart rendering across value combinations before merge.

Run ./scripts/validate-chart.sh for this YAML template change to catch Helm rendering/indentation regressions across supported configurations.

As per coding guidelines, "Always run ./scripts/validate-chart.sh before committing to test template rendering across many configuration combinations".

Source: Coding guidelines

Comment thread charts/bunkerweb/templates/scheduler-deployment.yaml Outdated
@TheophileDiot TheophileDiot linked an issue Jun 22, 2026 that may be closed by this pull request
@TheophileDiot TheophileDiot requested a review from Copilot June 22, 2026 13:18
@TheophileDiot TheophileDiot self-assigned this Jun 22, 2026
@TheophileDiot TheophileDiot added the enhancement New feature or request label Jun 22, 2026

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR updates the BunkerWeb scheduler Helm template to allow providing the PRO license key via settings.existingSecret (using the pro-license-key secret key), instead of only via scheduler.proLicenseKey.

Changes:

  • Add valueFrom.secretKeyRef wiring for PRO_LICENSE_KEY when settings.existingSecret is set.
  • Keep existing direct value support via scheduler.proLicenseKey.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread charts/bunkerweb/templates/scheduler-deployment.yaml
@TheophileDiot TheophileDiot changed the base branch from main to dev June 22, 2026 14:13

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@charts/bunkerweb/templates/scheduler-deployment.yaml`:
- Around line 85-92: The documentation in charts/bunkerweb/values.yaml for the
existingSecret configuration does not clarify that the pro-licence-key is
optional for non-PRO deployments, which contradicts the template's optional:
true setting in scheduler-deployment.yaml. Update the existingSecret
documentation in values.yaml to explicitly state that pro-licence-key is
optional and only required when using BunkerWeb PRO features, while other keys
like mariadb-password, api-token, api-username, api-password, and database-uri
remain required. This will align the documentation with the actual template
behavior and set proper user expectations.
🪄 Autofix (Beta)

❌ Autofix failed (check again to retry)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 24a7a757-3e7d-4128-bfcb-ee0d5fc68b22

📥 Commits

Reviewing files that changed from the base of the PR and between 442b204 and 9de52ef.

📒 Files selected for processing (1)
  • charts/bunkerweb/templates/scheduler-deployment.yaml
📜 Review details
🧰 Additional context used
📓 Path-based instructions (3)
**/*.yaml

📄 CodeRabbit inference engine (CLAUDE.md)

Always run ./scripts/validate-chart.sh before committing to test template rendering across many configuration combinations

Files:

  • charts/bunkerweb/templates/scheduler-deployment.yaml
charts/bunkerweb/templates/*.yaml

📄 CodeRabbit inference engine (CLAUDE.md)

Use the existingSecret pattern to allow users to reference pre-created Kubernetes Secrets instead of embedding credentials in values.yaml, injecting sensitive values (DB URI, Redis password, admin credentials, API keys) via secretKeyRef

Files:

  • charts/bunkerweb/templates/scheduler-deployment.yaml
charts/bunkerweb/templates/**/*.yaml

⚙️ CodeRabbit configuration file

charts/bunkerweb/templates/**/*.yaml: These are Helm v3 Go-templated Kubernetes manifests (mixing {{- ... -}} actions with K8s YAML). Apply rules to the RENDERED Kubernetes intent, not to the Go template control blocks:

  • Every component is gated by .Values.<component>.enabled (or eq .Values.bunkerweb.kind "<Kind>"). Preserve that guard; do not render workloads unconditionally.
  • Pod/container securityContext should prefer runAsNonRoot: true, allowPrivilegeEscalation: false, dropped capabilities, seccompProfile: RuntimeDefault, and a read-only root filesystem where the component tolerates it.
  • Declare resource requests/limits and sensible livenessProbe/readinessProbe where the component supports them.
  • Pin images to explicit tags or digests; never :latest. Image tag should track the chart appVersion for BunkerWeb components.
  • Sensitive values (database URI, Redis password, admin creds, API keys) must be injected via secretKeyRef and honour the existingSecret pattern — never rendered as plaintext env values.
  • Use nindent/indent correctly so helper output stays valid YAML; do not break toYaml | nindent blocks.
  • RBAC (clusterrole.yaml) must stay least-privilege; flag new * verbs/resources or cluster-wide grants without justification.
  • NetworkPolicy changes must not silently widen ingress/egress beyond the components that need it.

Files:

  • charts/bunkerweb/templates/scheduler-deployment.yaml
🧠 Learnings (1)
📚 Learning: 2026-06-22T08:57:01.786Z
Learnt from: anthosz
Repo: bunkerity/bunkerweb-helm PR: 84
File: charts/bunkerweb/templates/scheduler-deployment.yaml:85-93
Timestamp: 2026-06-22T08:57:01.786Z
Learning: In the bunkerweb Helm chart, when `.Values.settings.existingSecret` is set, the documented contract in `charts/bunkerweb/values.yaml` means all referenced secret keys (e.g., `pro-license-key`, `database-uri`, etc.) are mandatory. Therefore, any `secretKeyRef` entries in chart templates that read these keys (such as `charts/bunkerweb/templates/scheduler-deployment.yaml`) must not use `optional: true`; they should fail fast if the key is missing.

Applied to files:

  • charts/bunkerweb/templates/scheduler-deployment.yaml
🔇 Additional comments (1)
charts/bunkerweb/templates/scheduler-deployment.yaml (1)

137-137: LGTM!

Comment thread charts/bunkerweb/templates/scheduler-deployment.yaml
@bunkerity bunkerity deleted a comment from coderabbitai Bot Jun 22, 2026
@bunkerity bunkerity deleted a comment from coderabbitai Bot Jun 24, 2026
@coderabbitai

coderabbitai Bot commented Jun 24, 2026

Copy link
Copy Markdown

Note

Autofix is a beta feature. Expect some limitations and changes as we gather feedback and continue to improve it.

Cannot run autofix: This PR has merge conflicts.

Please resolve the conflicts with the base branch and try again.

Alternatively, use @coderabbitai resolve merge conflict to automatically resolve the conflicts.

@coderabbitai

coderabbitai Bot commented Jun 24, 2026

Copy link
Copy Markdown

Note

Autofix is a beta feature. Expect some limitations and changes as we gather feedback and continue to improve it.

An unexpected error occurred while generating fixes: Connect Timeout Error (attempted address: api.github.com:443, timeout: 10000ms)

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
charts/bunkerweb/templates/scheduler-deployment.yaml (1)

96-99: 🔒 Security & Privacy | 🟠 Major | 🏗️ Heavy lift

Do not render PRO_LICENSE_KEY as plaintext.

Line 98 injects a sensitive key via value, which exposes it in rendered manifests/release metadata. Keep this env var secret-backed only (existingSecret or a chart-managed Secret).

As per path instructions, "Sensitive values (database URI, Redis password, admin creds, API keys) must be injected via secretKeyRef and honour the existingSecret pattern — never rendered as plaintext env values."

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@charts/bunkerweb/templates/scheduler-deployment.yaml` around lines 96 - 99,
The scheduler deployment template is rendering `PRO_LICENSE_KEY` directly as
plaintext through the `value` field, which should be avoided. Update the
`scheduler-deployment.yaml` env block to source `PRO_LICENSE_KEY` from a secret
via `secretKeyRef`, following the same `existingSecret`/chart-managed Secret
pattern used for other sensitive settings. Keep the conditional logic around
`.Values.scheduler.proLicenseKey`, but replace the direct value injection with a
secret-backed reference in the scheduler container spec.

Source: Path instructions

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Outside diff comments:
In `@charts/bunkerweb/templates/scheduler-deployment.yaml`:
- Around line 96-99: The scheduler deployment template is rendering
`PRO_LICENSE_KEY` directly as plaintext through the `value` field, which should
be avoided. Update the `scheduler-deployment.yaml` env block to source
`PRO_LICENSE_KEY` from a secret via `secretKeyRef`, following the same
`existingSecret`/chart-managed Secret pattern used for other sensitive settings.
Keep the conditional logic around `.Values.scheduler.proLicenseKey`, but replace
the direct value injection with a secret-backed reference in the scheduler
container spec.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: b7a9ee79-a3bb-4e7f-b5b2-2b7940a924d1

📥 Commits

Reviewing files that changed from the base of the PR and between 9de52ef and 215cedc.

📒 Files selected for processing (1)
  • charts/bunkerweb/templates/scheduler-deployment.yaml
📜 Review details
🧰 Additional context used
📓 Path-based instructions (3)
**/*.yaml

📄 CodeRabbit inference engine (CLAUDE.md)

Always run ./scripts/validate-chart.sh before committing to test template rendering across many configuration combinations

Files:

  • charts/bunkerweb/templates/scheduler-deployment.yaml
charts/bunkerweb/templates/*.yaml

📄 CodeRabbit inference engine (CLAUDE.md)

Use the existingSecret pattern to allow users to reference pre-created Kubernetes Secrets instead of embedding credentials in values.yaml, injecting sensitive values (DB URI, Redis password, admin credentials, API keys) via secretKeyRef

Files:

  • charts/bunkerweb/templates/scheduler-deployment.yaml
charts/bunkerweb/templates/**/*.yaml

⚙️ CodeRabbit configuration file

charts/bunkerweb/templates/**/*.yaml: These are Helm v3 Go-templated Kubernetes manifests (mixing {{- ... -}} actions with K8s YAML). Apply rules to the RENDERED Kubernetes intent, not to the Go template control blocks:

  • Every component is gated by .Values.<component>.enabled (or eq .Values.bunkerweb.kind "<Kind>"). Preserve that guard; do not render workloads unconditionally.
  • Pod/container securityContext should prefer runAsNonRoot: true, allowPrivilegeEscalation: false, dropped capabilities, seccompProfile: RuntimeDefault, and a read-only root filesystem where the component tolerates it.
  • Declare resource requests/limits and sensible livenessProbe/readinessProbe where the component supports them.
  • Pin images to explicit tags or digests; never :latest. Image tag should track the chart appVersion for BunkerWeb components.
  • Sensitive values (database URI, Redis password, admin creds, API keys) must be injected via secretKeyRef and honour the existingSecret pattern — never rendered as plaintext env values.
  • Use nindent/indent correctly so helper output stays valid YAML; do not break toYaml | nindent blocks.
  • RBAC (clusterrole.yaml) must stay least-privilege; flag new * verbs/resources or cluster-wide grants without justification.
  • NetworkPolicy changes must not silently widen ingress/egress beyond the components that need it.

Files:

  • charts/bunkerweb/templates/scheduler-deployment.yaml
🧠 Learnings (1)
📚 Learning: 2026-06-22T08:57:01.786Z
Learnt from: anthosz
Repo: bunkerity/bunkerweb-helm PR: 84
File: charts/bunkerweb/templates/scheduler-deployment.yaml:85-93
Timestamp: 2026-06-22T08:57:01.786Z
Learning: In the bunkerweb Helm chart, when `.Values.settings.existingSecret` is set, the documented contract in `charts/bunkerweb/values.yaml` means all referenced secret keys (e.g., `pro-license-key`, `database-uri`, etc.) are mandatory. Therefore, any `secretKeyRef` entries in chart templates that read these keys (such as `charts/bunkerweb/templates/scheduler-deployment.yaml`) must not use `optional: true`; they should fail fast if the key is missing.

Applied to files:

  • charts/bunkerweb/templates/scheduler-deployment.yaml
🔇 Additional comments (3)
charts/bunkerweb/templates/scheduler-deployment.yaml (3)

89-96: optional: true on pro-license-key conflicts with the documented secret contract (already raised).

Line 95 makes pro-license-key optional even when settings.existingSecret is set.

Based on learnings, when .Values.settings.existingSecret is configured, referenced keys like pro-license-key are mandatory and should fail fast if missing.

Source: Learnings


26-29: LGTM!

Also applies to: 111-114, 146-149


89-99: 📐 Maintainability & Code Quality

Run chart validation for this YAML template change.

Please run ./scripts/validate-chart.sh and attach the output.

As per coding guidelines, "**/*.yaml: Always run ./scripts/validate-chart.sh before committing to test template rendering across many configuration combinations".

Source: Coding guidelines

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@charts/bunkerweb/values.yaml`:
- Line 61: The comment in values.yaml uses the misspelled secret key name and
should match the public-facing key used by the scheduler template and generated
docs. Update the comment near the pro license key setting to use the exact
symbol pro-license-key consistently so users know the correct secret name to
provide. Keep the wording aligned with the chart’s configuration schema and any
references in the scheduler template/docs.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: b3fe166e-db60-413b-a3cf-599e3a5d76fc

📥 Commits

Reviewing files that changed from the base of the PR and between 215cedc and ac32484.

📒 Files selected for processing (1)
  • charts/bunkerweb/values.yaml
📜 Review details
🧰 Additional context used
📓 Path-based instructions (3)
**/*.yaml

📄 CodeRabbit inference engine (CLAUDE.md)

Always run ./scripts/validate-chart.sh before committing to test template rendering across many configuration combinations

Files:

  • charts/bunkerweb/values.yaml
charts/bunkerweb/*.yaml

📄 CodeRabbit inference engine (CLAUDE.md)

Use conditional rendering with .Values..enabled to gate component deployment (Scheduler, Controller, UI, API, MariaDB, Redis, Prometheus, Grafana)

Files:

  • charts/bunkerweb/values.yaml
charts/bunkerweb/values.yaml

⚙️ CodeRabbit configuration file

charts/bunkerweb/values.yaml: values.yaml is the chart's public configuration schema and the source for generated docs:

  • Keep key paths and naming consistent with the existing structure (settings, service, bunkerweb, scheduler, controller, ui, api, mariadb, redis, prometheus, grafana, ingressClass, gatewayClass, networkPolicy).
  • Defaults must be production-safe: keep the shipped defaults (notably api.enabled: false and networkPolicy.enabled: false) unless a change is justified. Note controller.enabled and ui.enabled ship as true by default — preserve that posture rather than assuming components are off. Do not flip secure defaults without justification.
  • Secrets must default to empty and support the existingSecret pattern rather than carrying real credentials.
  • Every new key needs a short explanatory comment; when a new BunkerWeb feature is added under scheduler.features, update the bunkerweb.featureEnvs helper AND regenerate docs/values.md via python3 scripts/generate-docs.py in the same PR.
  • Image repository/tag fields should not default to latest.

Files:

  • charts/bunkerweb/values.yaml

Comment thread charts/bunkerweb/values.yaml Outdated
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

enhancement New feature or request

Projects

None yet

Development

Successfully merging this pull request may close these issues.

secret pro-license-key ignored

4 participants