
Dev #126

Open · wants to merge 14 commits into base: main

Conversation

dudizimber (Collaborator) commented Feb 20, 2025

fix #123

Summary by CodeRabbit

  • New Features

    • Enhanced Grafana authentication by enabling user sign-up and expanding allowed email domains.
    • Refined sign-in settings with updated identity scopes and improved role management for more flexible user permissions.
    • Introduced new access control configurations for unauthorized user management in VictoriaMetrics.
    • Updated ingress settings to allow HTTP traffic in VictoriaMetrics.
    • Expanded API endpoint access for VMUser to include Prometheus write API.
  • Refactor

    • Standardized naming conventions for container restart alerts to ensure consistency in monitoring configurations.
  • Chores

    • Adjusted maximum pods per node setting in the GKE cluster configuration.

vercel bot commented Feb 20, 2025

The latest updates on your projects.

Name: falkordb-dbaas
Status: ✅ Ready
Preview: Visit Preview
Comments: 💬 Add feedback
Updated (UTC): Feb 20, 2025 3:27pm

coderabbitai bot commented Feb 20, 2025

Warning

Rate limit exceeded

@dudizimber has exceeded the limit for the number of commits or files that can be reviewed per hour. Please wait 24 minutes and 56 seconds before requesting another review.


📥 Commits

Reviewing files that changed from the base of the PR and between aa2ab0d and 949c4f1.

📒 Files selected for processing (1)
  • argocd/ctrl_plane/dev/victoriametrics.yaml (1 hunks)

Walkthrough

This pull request updates Grafana configuration manifests in both development and production environments, revises an observability rule, and modifies the Victoriametrics configuration. The allowed domains in both Grafana files now include "falkordb.cloud" and "falkordb.com," and user sign-up is enabled. The production manifest introduces additional authentication attributes, such as updated OAuth scopes, role management policies, and group permissions. The observability rule file has been renamed for consistency, and the Victoriametrics configuration has been significantly altered, including the addition of a new access control field.

Changes

argocd/ctrl_plane/{dev,prod}/manifests/grafana.yaml
  • Allowed Domains: updated from "falkordb.cloud" to "falkordb.cloud,falkordb.com".
  • Sign-up: changed allow_sign_up from "false" to "true".
  • Production only: updated OAuth scopes; added role_attribute_path, skip_org_role_sync, hosted_domain, allow_assign_grafana_admin, allowed_groups, and auto_login.
  • Development only: added ingress annotation kubernetes.io/ingress.class set to "gce".

observability/rules/containerrestarts.rules.yml
  • Renamed rule and group from container_restarts to containerrestarts.

argocd/ctrl_plane/{dev,prod}/victoriametrics.yaml
  • Development only: commented-out lines for unauthorizedUserAccessSpec added.
  • Production only: added unauthorizedUserAccessSpec under vmauth with specific properties; updated ingress annotation kubernetes.io/ingress.allow-http from "false" to "true".

tofu/gcp/observability_stack/control_plane/infra/main.tf
  • Parameter update: changed default_max_pods_per_node from 110 to 25.

argocd/kustomize/vmuser/vmuser.yaml
  • Added path "/prometheus/api/v1/write" to targetRefs in the VMUser specification.

Possibly related PRs

  • add ingress and sso to argocd and grafana #113: The changes in the main PR regarding the grafana.yaml manifest, specifically the updates to authentication configuration and allowed domains, are directly related to the modifications in the retrieved PR that also involve the grafana.yaml file, particularly the enhancements to Google authentication settings and allowed domains.
  • Dev #116: The changes in the main PR related to the grafana.yaml file, specifically updates to authentication settings and allowed domains, are directly connected to similar modifications in the retrieved PR's grafana.yaml, which also includes updates to authentication configurations and allowed domains.

Suggested reviewers

  • AviAvni

Poem

I'm a rabbit, hopping through config lands so bright,
Updating domains and sign-ups with all my might.
New OAuth paths and roles adorn the production ground,
While ingress annotations in dev are happily found.
With a twitch of my nose, these changes delight!



coderabbitai bot left a comment

Actionable comments posted: 0

🧹 Nitpick comments (2)
observability/rules/containerrestarts.rules.yml (1)

5-8: Ensure Consistent Naming Convention for the Container Restart Rule

The metadata name has been updated to "k8s.rules.containerrestarts" on line 5, while the group name on line 8 still reads "k8s.rules.container_restarts". For clarity and consistency—and as noted in the PR summary—please verify if the group name should also be updated to match the new naming convention.

argocd/ctrl_plane/prod/manifests/grafana.yaml (1)

74-84: Update Grafana Google Authentication Configuration

The authentication configuration has been comprehensively updated:

  • Scopes (line 74): Now include openid, email, profile, and an additional cloud identity scope.
  • Allowed Domains (line 77): Expanded to "falkordb.cloud,falkordb.com".
  • Sign-up (line 78): Enabled by setting allow_sign_up to "true".
  • Role Management Attributes (lines 79-84): New fields such as role_attribute_path, skip_org_role_sync, hosted_domain, allow_assign_grafana_admin, allowed_groups, and auto_login have been introduced.

One point to verify is the logical expression in the role_attribute_path (line 79). Its current structure:

role_attribute_path: email=="david.zimberknopf@falkordb.com" && 'Admin' || contains(groups[*], 'devops@falkordb.com') && 'Admin' || 'Viewer'

relies on the operator precedence of && and ||. Consider adding explicit parentheses to ensure that the intended evaluation order is maintained.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 2c996f3 and 94ea3bc.

📒 Files selected for processing (3)
  • argocd/ctrl_plane/dev/manifests/grafana.yaml (1 hunks)
  • argocd/ctrl_plane/prod/manifests/grafana.yaml (1 hunks)
  • observability/rules/containerrestarts.rules.yml (1 hunks)
🔇 Additional comments (1)
argocd/ctrl_plane/dev/manifests/grafana.yaml (1)

77-78: Align Development Grafana Configuration with Production Standards

The allowed_domains field has been updated to "falkordb.cloud,falkordb.com" and allow_sign_up is now set to "true" in the development manifest. These changes mirror the production configuration improvements—just ensure that such access policies are appropriate within the development environment.
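The precedence question in the comment above can be settled offline, and doing so surfaces a second issue the comment does not mention. What follows is an added example, not Grafana's code and not part of this PR: a minimal evaluator for the JMESPath subset that role_attribute_path uses (identifiers, 'raw' strings, "quoted" identifiers, ==, &&, ||, parentheses, the groups[*] projection and contains()), with the PR's expression and a corrected form as constants. Two rules of the JMESPath grammar matter. First, || binds looser than &&, so the unparenthesized chain already groups as (A && 'Admin') || (B && 'Admin') || 'Viewer'; parentheses help the reader, not the evaluator. Second, a double-quoted token is a quoted identifier, i.e. a field lookup, and only single quotes form a string literal, so email=="david.zimberknopf@falkordb.com" compares the email claim with a field that does not exist and is false for everyone; the named user falls through to the group check and then to 'Viewer'. The evaluator assumes standard JMESPath truthiness (null, false, "", [] and {} are false) and operand-returning && and ||, and raises invalid-type when contains() meets a missing groups claim; the claim dicts used with it are constructed. Confirm the behaviour against the JMESPath library your Grafana version ships, and check that nothing in the ini rendering of the manifest rewrites the quotes, before relying on this reading.

```python
import re

# JMESPath grammar: 'x' is a raw string literal, "x" is a quoted identifier (a field lookup).
_TOKEN = re.compile(
    r"""\s*(?:(?P<raw>'(?:[^'\\]|\\.)*')|(?P<quoted>"(?:[^"\\]|\\.)*")"""
    r"""|(?P<ident>[A-Za-z_][A-Za-z0-9_]*)|(?P<op>\|\||&&|==|\[\*\]|[(),]))""")

def tokenize(expr):
    out, pos, expr = [], 0, expr.strip()
    while pos < len(expr):
        m = _TOKEN.match(expr, pos)
        if not m:
            raise ValueError(f"bad token at offset {pos}: {expr[pos:pos + 10]!r}")
        out.append((m.lastgroup, m.group(m.lastgroup)))
        pos = m.end()
    return out

def parse(expr):
    """Recursive descent with JMESPath precedence: || below &&, && below ==."""
    toks, i = tokenize(expr) + [("end", "")], 0

    def take(expect=None):
        nonlocal i
        tok = toks[i]
        if expect is not None and tok[1] != expect:
            raise ValueError(f"expected {expect!r}, got {tok[1]!r}")
        i += 1
        return tok

    def binary(level):                  # 0: ||, 1: &&, 2: ==, 3: primary
        if level == 3:
            return primary()
        op, name = [("||", "or"), ("&&", "and"), ("==", "eq")][level]
        node = binary(level + 1)
        while toks[i][1] == op:
            take()
            node = (name, node, binary(level + 1))
        return node

    def primary():
        kind, val = take()
        if (kind, val) == ("op", "("):
            node = binary(0)
            take(")")
            return node
        if kind == "raw":
            return ("lit", val[1:-1].replace("\\'", "'"))
        if kind == "quoted":
            return ("field", val[1:-1], False)      # a lookup, not a string
        if kind == "ident" and toks[i][1] == "(":   # function call
            take()
            args = []
            while toks[i][1] != ")":
                args.append(binary(0))
                if toks[i][1] == ",":
                    take()
            take(")")
            return ("call", val, args)
        if kind == "ident":
            proj = toks[i][1] == "[*]" and take()   # groups[*]: list projection
            return ("field", val, bool(proj))
        raise ValueError(f"unexpected token {val!r}")

    node = binary(0)
    if toks[i][0] != "end":
        raise ValueError(f"trailing token {toks[i][1]!r}")
    return node

def truthy(v):
    """JMESPath false values are null, false, "", [] and {}; numbers are true."""
    return not (v is None or v is False or v == "" or v == [] or v == {})

def evaluate(node, data):
    kind = node[0]
    if kind == "lit":
        return node[1]
    if kind == "field":
        v = data.get(node[1]) if isinstance(data, dict) else None
        return None if node[2] and not isinstance(v, list) else v
    if kind == "eq":
        return evaluate(node[1], data) == evaluate(node[2], data)
    if kind in ("and", "or"):   # && yields b if a is truthy else a; || yields a if truthy else b
        left = evaluate(node[1], data)
        return evaluate(node[2], data) if truthy(left) == (kind == "and") else left
    if kind == "call" and node[1] == "contains":
        subject, search = (evaluate(a, data) for a in node[2])
        if isinstance(subject, (list, str)):
            return search in subject
        raise TypeError("contains(): invalid-type, subject is neither array nor string")
    raise ValueError(f"unsupported node {node!r}")

def role_for(expr, claims):
    """Role Grafana would derive from an identity payload (a dict of claims)."""
    return evaluate(parse(expr), claims)

# The mapping from the PR, verbatim: the email sits in double quotes.
PR_EXPR = ("email==\"david.zimberknopf@falkordb.com\" && 'Admin' || "
           "contains(groups[*], 'devops@falkordb.com') && 'Admin' || 'Viewer'")
# Same intent with a raw string literal and the grouping made explicit.
FIXED_EXPR = ("(email=='david.zimberknopf@falkordb.com' && 'Admin') || "
              "(contains(groups[*], 'devops@falkordb.com') && 'Admin') || 'Viewer'")
```

role_for(PR_EXPR, claims) returns 'Viewer' for the named address while role_for(FIXED_EXPR, claims) returns 'Admin'; a member of devops@falkordb.com gets 'Admin' under either form, and removing the parentheses from FIXED_EXPR changes nothing. Two further points for the reviewer: mapping one person's address to Admin hard-codes an identity into a GitOps manifest, where a group-only mapping would keep personnel changes out of the repository; and with allow_sign_up set to "true" every account in the allowed domains reaches the 'Viewer' branch, so that fallback is effectively the default role for the whole organisation.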

AviAvni previously approved these changes Feb 20, 2025

coderabbitai bot left a comment

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 94ea3bc and 1d4a186.

📒 Files selected for processing (3)
  • argocd/ctrl_plane/dev/victoriametrics.yaml (1 hunks)
  • argocd/ctrl_plane/prod/victoriametrics.yaml (1 hunks)
  • tofu/gcp/observability_stack/control_plane/infra/main.tf (1 hunks)
⏰ Context from checks skipped due to timeout of 90000ms (2)
  • GitHub Check: Analyze (javascript-typescript)
  • GitHub Check: Analyze (javascript-typescript)
🔇 Additional comments (4)
argocd/ctrl_plane/prod/victoriametrics.yaml (2)

93-93: New Field: unauthorizedUserAccessSpec Added

The addition of unauthorizedUserAccessSpec: [] under the vmauth spec enhances flexibility for future unauthorized access configurations. Ensure that an empty default is appropriate and that it aligns with the system’s intended access control mechanisms.


96-98: Ingress Allow-HTTP Annotation Update

The change of the ingress annotation kubernetes.io/ingress.allow-http from "false" to "true" now permits HTTP traffic. This update may expose the service if TLS termination is not enforced upstream. Please verify that allowing HTTP in production is intentional and in line with security policies.

argocd/ctrl_plane/dev/victoriametrics.yaml (2)

93-93: New Field: unauthorizedUserAccessSpec Added in Dev

Adding unauthorizedUserAccessSpec: [] under the vmauth spec in the dev manifest ensures consistency with production for future unauthorized access configuration. Confirm that an empty array is the desired default.


94-98: Ingress Allow-HTTP Discrepancy Verification in Dev

In the dev configuration, the ingress annotation kubernetes.io/ingress.allow-http remains "false", which differs from the production setting. Please confirm that this discrepancy is intentional to reflect different environment requirements.

@@ -100,7 +100,7 @@ module "gke" {
enable_private_nodes = true
http_load_balancing = true

default_max_pods_per_node = 110
default_max_pods_per_node = 25
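Review bot: the change from 110 to 25 for default_max_pods_per_node lands with no comment recording why, while the surrounding module "gke" settings (enable_private_nodes, http_load_balancing) are unchanged; put the rationale next to the value, e.g. `default_max_pods_per_node = 25 # <reason: node size, IP budget, ...>`, and before merging confirm in the tofu plan output whether the module applies the new per-node pod limit to existing node pools in place or forces their replacement.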

⚠️ Potential issue

Critical Parameter Change: Verify the new default_max_pods_per_node value.

Changing default_max_pods_per_node from the previously expected value (likely 110) to 25 drastically reduces the number of pods that can be scheduled on each node. Given the overall infrastructure requirements, especially considering updated Grafana configurations that might influence workload behavior, please confirm that this lower threshold is intentional and sufficient for your expected workloads. It may be beneficial to add documentation or comments explaining the rationale behind this change.

coderabbitai bot left a comment

Actionable comments posted: 0

🧹 Nitpick comments (2)
argocd/ctrl_plane/prod/victoriametrics.yaml (1)

93-98: Verify Access Control Configuration Enhancement.
The new unauthorizedUserAccessSpec field under the vmauth section—featuring discover_backend_ips: true and a URL mapping with src_paths and an array for url_prefix—adds enhanced granularity for backend IP discovery and request routing. Please verify that the type (an array for url_prefix) and the configuration align with the downstream consumers’ expectations and overall security policies.

argocd/ctrl_plane/dev/victoriametrics.yaml (1)

93-98: Validate Development Access Control Enhancements.
The new unauthorizedUserAccessSpec field with discover_backend_ips: true and the defined URL mapping now targets the development endpoint (https://vmauth.observability.dev.internal.falkordb.cloud). Confirm that this configuration is intended for the development setup and that it does not inadvertently expose sensitive operations.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 1d4a186 and ebde929.

📒 Files selected for processing (2)
  • argocd/ctrl_plane/dev/victoriametrics.yaml (1 hunks)
  • argocd/ctrl_plane/prod/victoriametrics.yaml (1 hunks)
🔇 Additional comments (2)
argocd/ctrl_plane/prod/victoriametrics.yaml (1)

103-103: Review Ingress HTTP Setting in Production.
Changing kubernetes.io/ingress.allow-http from "false" to "true" enables HTTP traffic. Ensure that this change has been thoroughly assessed for security implications in the production environment and that it meets the operational requirements.

argocd/ctrl_plane/dev/victoriametrics.yaml (1)

104-104: Confirm Ingress HTTP Configuration for Development.
The ingress annotation kubernetes.io/ingress.allow-http remains set to "false" in the development configuration, which differs from the production setting. Please confirm that this discrepancy is intentional, reflecting differing security or testing requirements between environments.
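The HTTP-ingress and unauthorizedUserAccessSpec points raised in the two reviews above are easy to check mechanically before a manifest reaches the cluster. The following is an added example, not the repository's code and not the VictoriaMetrics operator's: the manifests are constructed Python dicts in the shape of a GKE Ingress, a GKE FrontendConfig and a VMAuth resource with an unauthorizedUserAccessSpec, and the backend URL and the list of sensitive paths are assumptions. The Ingress check encodes the GKE rule that kubernetes.io/ingress.allow-http defaults to "true" and keeps a plaintext listener, and accepts "true" only when a FrontendConfig with redirectToHttps is attached. The VMAuth check treats each src_paths entry as a full-match regular expression (assumed anchoring ^(?:pattern)$, which is how vmauth documents src_paths) and probes it with write and delete endpoints, including the /prometheus/api/v1/write path this PR adds to the VMUser, so that a broad unauthenticated route cannot silently cover a write path. It also accepts the empty unauthorizedUserAccessSpec: [] form seen earlier in the PR.

```python
import re

ALLOW_HTTP = "kubernetes.io/ingress.allow-http"
FRONTEND_CONFIG = "networking.gke.io/v1beta1.FrontendConfig"

# Paths that must only be reachable through an authenticated VMUser (assumed list:
# the write path this PR adds to the VMUser plus VictoriaMetrics import/delete endpoints).
SENSITIVE_PATHS = (
    "/api/v1/write",
    "/prometheus/api/v1/write",
    "/api/v1/import",
    "/api/v1/admin/tsdb/delete_series",
)

def check_ingress(ingress, frontend_configs):
    """Findings for a GKE Ingress that keeps a plaintext HTTP listener.

    kubernetes.io/ingress.allow-http defaults to "true", which provisions an HTTP
    forwarding rule next to the HTTPS one; accept that only when the referenced
    FrontendConfig redirects HTTP to HTTPS, otherwise require "false"."""
    meta = ingress.get("metadata", {})
    name, ann = meta.get("name", "?"), meta.get("annotations", {})
    if ann.get(ALLOW_HTTP, "true") == "false":
        return []
    fc = frontend_configs.get(ann.get(FRONTEND_CONFIG), {})
    if fc.get("spec", {}).get("redirectToHttps", {}).get("enabled"):
        return []
    return [f'{name}: {ALLOW_HTTP} is not "false" and no FrontendConfig redirects to HTTPS']

def check_unauthorized_access(vmauth):
    """Findings for unauthorizedUserAccessSpec routes that admit a sensitive path.

    Each src_paths entry is treated as a regular expression that must match the
    whole request path (assumed anchoring: ^(?:pattern)$), so a broad pattern
    such as /prometheus/.* quietly covers the write endpoint."""
    name = vmauth.get("metadata", {}).get("name", "?")
    spec = vmauth.get("spec", {}).get("unauthorizedUserAccessSpec") or {}   # [] is accepted
    findings = []
    for route in spec.get("url_map", []):
        for pattern in route.get("src_paths", []):
            rx = re.compile(rf"^(?:{pattern})$")
            for path in SENSITIVE_PATHS:
                if rx.match(path):
                    findings.append(f"{name}: unauthenticated src_path {pattern!r} admits {path}")
    return findings

def run_checks(manifests):
    """Run both checks over a list of manifests (dicts) and return every finding."""
    fcs = {m["metadata"]["name"]: m for m in manifests if m.get("kind") == "FrontendConfig"}
    findings = []
    for m in manifests:
        if m.get("kind") == "Ingress":
            findings += check_ingress(m, fcs)
        elif m.get("kind") == "VMAuth":
            findings += check_unauthorized_access(m)
    return findings

# Constructed sample manifests, not the repository's files; backend URLs are placeholders.
PROD_INGRESS = {"kind": "Ingress", "metadata": {"name": "vmauth", "annotations": {
    "kubernetes.io/ingress.class": "gce", ALLOW_HTTP: "true"}}}
HARDENED_INGRESS = {"kind": "Ingress", "metadata": {"name": "vmauth", "annotations": {
    "kubernetes.io/ingress.class": "gce", ALLOW_HTTP: "true", FRONTEND_CONFIG: "https-redirect"}}}
REDIRECT = {"kind": "FrontendConfig", "metadata": {"name": "https-redirect"},
            "spec": {"redirectToHttps": {"enabled": True}}}
VMAUTH = {"kind": "VMAuth", "metadata": {"name": "vmauth"}, "spec": {"unauthorizedUserAccessSpec": {
    "discover_backend_ips": True,
    "url_map": [{"src_paths": ["/api/v1/query", "/api/v1/query_range", "/prometheus/.*"],
                 "url_prefix": ["http://vmselect.example:8481/select/0/prometheus"]}]}}}
HARDENED_VMAUTH = {"kind": "VMAuth", "metadata": {"name": "vmauth"}, "spec": {"unauthorizedUserAccessSpec": {
    "discover_backend_ips": True,
    "url_map": [{"src_paths": ["/prometheus/api/v1/query(_range)?", "/prometheus/api/v1/series"],
                 "url_prefix": ["http://vmselect.example:8481/select/0/prometheus"]}]}}}

if __name__ == "__main__":
    for finding in run_checks([PROD_INGRESS, VMAUTH]):
        print(finding)
```

run_checks([PROD_INGRESS, VMAUTH]) yields two findings, one per review point, and the hardened pair yields none. The probe list is a heuristic: a pattern such as .* admits every path, so the list only needs to contain the endpoints you care about, and a finding on any of them is enough to block the merge. The check does not model what the url_prefix backend does with the request; the point is that an unauthenticated route should not match a write path at all.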

This reverts commit 29b452f.
Successfully merging this pull request may close these issues.

fix underscore
3 participants