Add Helm job for OpenSearch index creation #36

Add a Kubernetes Job to the Helm chart that uses cURL to PUT the OpenSearch index mapping. The index definition is stored in a ConfigMap and includes mappings for all resource fields used by the query service.

- Add indexing-configmap.yaml with OpenSearch index JSON
- Add job.yaml that mounts ConfigMap and runs cURL PUT
- Add indexingJob.enabled value (defaults to true)

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
Signed-off-by: Trevor Bramwell <tbramwell@linuxfoundation.org>
Walkthrough

This PR introduces OpenSearch indexing job support to the Helm chart by adding configuration values, Kubernetes templates for a ConfigMap and Job, and an OpenSearch index schema. The Job conditionally creates or verifies an index in OpenSearch upon deployment.

Changes

OpenSearch Indexing Job Setup

Sequence Diagram

```mermaid
sequenceDiagram
    participant Helm as Helm Deployment
    participant ConfigMap as ConfigMap<br/>(Index Schema)
    participant Job as Kubernetes Job
    participant OpenSearch as OpenSearch API
    Helm->>ConfigMap: Create ConfigMap with index schema
    Helm->>Job: Deploy Job (when enabled)
    Job->>Job: Mount ConfigMap at /config
    Job->>OpenSearch: HEAD /index-name (check if exists)
    alt Index exists (HTTP 200)
        OpenSearch-->>Job: 200 OK
        Job->>Job: Log "Index exists"
    else Index missing (HTTP 404)
        OpenSearch-->>Job: 404 Not Found
        Job->>OpenSearch: PUT /index-name with schema from ConfigMap
        OpenSearch-->>Job: 201 Created
        Job->>Job: Log "Index created successfully"
    else Unexpected response
        OpenSearch-->>Job: Other HTTP status
        Job->>Job: Log error and exit with failure
    end
```
Pull request overview
This pull request introduces automated OpenSearch index setup functionality to the LFX V2 Indexer Service Helm chart. The implementation adds a Kubernetes Job that creates and configures the OpenSearch index during deployment, streamlining the initial setup process.
Key changes:
- Added an `indexingJob` configuration option under `opensearch` in values.yaml to enable/disable automated index creation
- Introduced a Kubernetes Job template that uses curl to create the OpenSearch index via REST API
- Created a ConfigMap template containing index settings and field mappings for the OpenSearch resources index
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 9 comments.
| File | Description |
|---|---|
| charts/lfx-v2-indexer-service/values.yaml | Adds indexingJob.enabled configuration option for controlling automated index setup |
| charts/lfx-v2-indexer-service/templates/job.yaml | New Kubernetes Job for executing OpenSearch index creation using curl |
| charts/lfx-v2-indexer-service/templates/indexing-configmap.yaml | New ConfigMap containing index settings and mappings definition |
| charts/lfx-v2-indexer-service/Chart.yaml | Bumps chart version from 0.4.12 to 0.5.0 reflecting the new feature |
| apiVersion: batch/v1 | ||
| kind: Job | ||
| metadata: | ||
| name: opensearch-index-setup |
The Job name is hardcoded and doesn't include the Release name, which could cause conflicts if multiple releases of this chart are installed in the same namespace. Consider using a template that includes the release name, such as {{ include "lfx-v2-indexer-service.fullname" . }}-index-setup or {{ .Release.Name }}-opensearch-index-setup to ensure uniqueness across releases.
| name: opensearch-index-setup | |
| name: {{ include "lfx-v2-indexer-service.fullname" . }}-opensearch-index-setup |
Already addressed — both the Job and ConfigMap names use {{ .Release.Name }} for uniqueness across releases.
| ttlSecondsAfterFinished: 300 | ||
| backoffLimit: 3 |
The Job's ttlSecondsAfterFinished (300 seconds) and backoffLimit (3) are hardcoded. Consider making these values configurable through values.yaml (e.g., opensearch.indexingJob.ttlSecondsAfterFinished and opensearch.indexingJob.backoffLimit) to allow users to adjust cleanup timing and retry behavior based on their operational requirements.
| ttlSecondsAfterFinished: 300 | |
| backoffLimit: 3 | |
| ttlSecondsAfterFinished: {{ .Values.opensearch.indexingJob.ttlSecondsAfterFinished | default 300 }} | |
| backoffLimit: {{ .Values.opensearch.indexingJob.backoffLimit | default 3 }} |
Already addressed — ttlSecondsAfterFinished, backoffLimit, and activeDeadlineSeconds are all configurable via opensearch.indexingJob in values.yaml.
| apiVersion: v1 | ||
| kind: ConfigMap | ||
| metadata: | ||
| name: opensearch-index-config |
The ConfigMap name is hardcoded and doesn't include the Release name, which could cause conflicts if multiple releases of this chart are installed in the same namespace. Consider using a template that includes the release name, such as {{ include "lfx-v2-indexer-service.fullname" . }}-index-config or {{ .Release.Name }}-opensearch-index-config to ensure uniqueness across releases.
| name: opensearch-index-config | |
| name: {{ include "lfx-v2-indexer-service.fullname" . }}-opensearch-index-config |
Already addressed — the ConfigMap name uses {{ .Release.Name }}-opensearch-index-config.
| volumes: | ||
| - name: index-config | ||
| configMap: | ||
| name: opensearch-index-config |
The ConfigMap reference uses a hardcoded name that should match the ConfigMap resource name. If the ConfigMap name is updated to include the Release name (as recommended), this reference must also be updated to use the same templated name to ensure proper binding.
| name: opensearch-index-config | |
| name: {{ .Release.Name }}-opensearch-index-config |
Already addressed — the ConfigMap volume reference in the Job matches the ConfigMap name, both using {{ .Release.Name }}.
| "number_of_shards": 1, | ||
| "number_of_replicas": 1 |
The index settings (number_of_shards and number_of_replicas) are hardcoded in the ConfigMap. Consider making these configurable through values.yaml to allow users to adjust shard and replica counts based on their cluster size and requirements without modifying the ConfigMap template directly.
| "number_of_shards": 1, | |
| "number_of_replicas": 1 | |
| "number_of_shards": {{ .Values.opensearch.indexingJob.numberOfShards | default 1 }}, | |
| "number_of_replicas": {{ .Values.opensearch.indexingJob.numberOfReplicas | default 1 }} |
Addressed — the index JSON was moved to files/opensearch-resources-index.json. The shard/replica settings were removed; OpenSearch defaults are appropriate for our deployment.
| - name: curl | ||
| image: curlimages/curl:8.11.1 | ||
| volumeMounts: | ||
| - name: index-config | ||
| mountPath: /config | ||
| readOnly: true |
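Review bot: The `image: curlimages/curl:8.11.1` line references the image by tag only, and a registry tag can be repointed to different content; pin the digest alongside the tag (`curlimages/curl:8.11.1@sha256:<digest>`, where `<digest>` is a placeholder for the digest of the image you verified) so every run of this Job pulls the same image bytes.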
The Job container doesn't define a securityContext, while the main application deployment includes one with allowPrivilegeEscalation: false. For consistency and security best practices, consider adding a similar securityContext to the Job container to run with minimal privileges.
Fixed in commit 1a85468 — added securityContext: allowPrivilegeEscalation: false to the Job container, consistent with the main Deployment.
| name: opensearch-index-config | ||
| containers: | ||
| - name: curl | ||
| image: curlimages/curl:8.11.1 |
The curl image and version are hardcoded in the Job template. Consider making the image repository and tag configurable through values.yaml (e.g., opensearch.indexingJob.image and opensearch.indexingJob.imageTag) to allow users to specify alternative images or pin specific versions according to their organization's policies.
| image: curlimages/curl:8.11.1 | |
| image: {{ default "curlimages/curl" .Values.opensearch.indexingJob.image }}:{{ default "8.11.1" .Values.opensearch.indexingJob.imageTag }} |
Already addressed — the curl image is configurable via opensearch.indexingJob.image.repository and opensearch.indexingJob.image.tag in values.yaml.
Actionable comments posted: 2
🤖 Fix all issues with AI Agents
In @charts/lfx-v2-indexer-service/templates/job.yaml:
- Around line 21-33: The curl invocation in the Job's container command block
should be made to fail on HTTP 4xx/5xx responses; update the multi-line shell
command where curl is run (the command list under the curl container in
job.yaml) to include the --fail (or -f) flag (e.g., change "curl -X PUT ..." to
"curl --fail -X PUT ..." or "curl -f -X PUT ...") so the Kubernetes Job exits
non‑zero on HTTP errors and the failure is surfaced; ensure quoting/escaping in
the same command string is preserved.
🧹 Nitpick comments (2)
charts/lfx-v2-indexer-service/templates/job.yaml (1)
21-26: Consider adding resource limits for the Job container. While Jobs are typically short-lived, defining resource limits is a best practice to prevent resource exhaustion in the cluster.
🔎 Suggested resource limits
containers: - name: curl image: curlimages/curl:8.11.1 + resources: + limits: + cpu: "100m" + memory: "64Mi" + requests: + cpu: "50m" + memory: "32Mi" volumeMounts: - name: index-config mountPath: /config readOnly: truecharts/lfx-v2-indexer-service/templates/indexing-configmap.yaml (1)
11-18: Consider making shard and replica counts configurable. The index settings are hardcoded with 1 shard and 1 replica, which may not be suitable for all deployment environments (development vs. production). Consider making these values configurable through `values.yaml`.

🔎 Suggested enhancement

In `values.yaml`, add:

```yaml
opensearch:
  # ... existing config ...
  indexingJob:
    enabled: true
    shards: 1
    replicas: 1
```

Then in the ConfigMap:
{ "settings": { "index": { - "number_of_shards": 1, - "number_of_replicas": 1 + "number_of_shards": {{ .Values.opensearch.indexingJob.shards | default 1 }}, + "number_of_replicas": {{ .Values.opensearch.indexingJob.replicas | default 1 }} } },
📜 Review details
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
📒 Files selected for processing (4)
- charts/lfx-v2-indexer-service/Chart.yaml
- charts/lfx-v2-indexer-service/templates/indexing-configmap.yaml
- charts/lfx-v2-indexer-service/templates/job.yaml
- charts/lfx-v2-indexer-service/values.yaml
🧰 Additional context used
🪛 YAMLlint (1.37.1)
charts/lfx-v2-indexer-service/templates/job.yaml
[error] 3-3: syntax error: expected the node content, but found '-'
(syntax)
charts/lfx-v2-indexer-service/templates/indexing-configmap.yaml
[error] 3-3: syntax error: expected the node content, but found '-'
(syntax)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
- GitHub Check: Agent
- GitHub Check: MegaLinter
🔇 Additional comments (7)
charts/lfx-v2-indexer-service/Chart.yaml (1)
9-9: LGTM! Appropriate version bump for new features. The minor version bump from 0.4.12 to 0.5.0 correctly follows semantic versioning for the addition of the new indexing job feature.
charts/lfx-v2-indexer-service/templates/job.yaml (3)
3-3: Static analysis false positive - syntax is valid. The yamllint error flagging line 3 is a false positive. The `{{- if` syntax is valid Helm template syntax and will be properly rendered during chart processing.
5-12: Good Job configuration with TTL cleanup. The Job configuration follows best practices:
- Short TTL (5 minutes) for automatic cleanup
- Reasonable backoff limit
- Appropriate for one-time index setup

30-33: Confirm this is intentional: OpenSearch cluster does not require authentication. The curl command lacks authentication headers, and no authentication configuration exists in the Helm chart (values.yaml contains no credentials, secrets, or auth settings). Since the OpenSearch URL points to an internal Kubernetes service endpoint, this appears intentional for internal cluster communication. If the deployment environment requires authentication, credentials must be added to the curl command or injected via secrets.
charts/lfx-v2-indexer-service/templates/indexing-configmap.yaml (3)
3-3: Static analysis false positive - syntax is valid. The yamllint error is a false positive. The `{{- if` syntax is valid Helm template syntax.
19-64: Well-structured index mappings. The explicit field type mappings are comprehensive and follow OpenSearch best practices:
- Appropriate use of `keyword` type for exact matching (IDs, references)
- Boolean types for flags
- `search_as_you_type` for the name field to support autocomplete functionality

39-40: The `search_as_you_type` field type is widely supported in OpenSearch v2.x and v3.x (current releases), where it functions as a native autocomplete field type. No specific OpenSearch version constraint is documented in this repository; assuming a supported modern version is in use, this field type is compatible and no action is required.
andrest50 left a comment
This looks good! I just left one comment.
| name: opensearch-index-config | ||
| namespace: {{ .Release.Namespace }} | ||
| data: | ||
| resources-index.json: | |
This index json content doesn't quite match what we should be actually using, which is https://github.com/linuxfoundation/lfx-architecture-scratch/blob/main/2024-12%20ReBAC%20Demo/opensearch-resources-index.json. But on that note, could we have this json content in a file instead and then have it read into the k8 template? I think that would be better.
Thanks for the feedback! I realized I hadn't pulled the repo for a while and was using an outdated index.
I've moved the index JSON to its own file and have it being included now with .Files.Get. I also updated the job to not attempt to create the index if it already exists.
Both concerns are fully addressed — the index JSON was updated (commit 8971941) to match the correct schema and moved to files/opensearch-resources-index.json which is read via .Files.Get.
- Extract index mapping to separate JSON file for better maintainability
- Add idempotent index creation that skips if index already exists
- Change restartPolicy to OnFailure for better retry behavior
- Add proper error handling with set -e and curl -f flags

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
Signed-off-by: Trevor Bramwell <tbramwell@linuxfoundation.org>
Actionable comments posted: 3
🤖 Fix all issues with AI agents
In @charts/lfx-v2-indexer-service/templates/indexing-configmap.yaml:
- Line 8: The ConfigMap is using a hardcoded name "opensearch-index-config"
which can collide across releases; change the metadata name to use the
release-aware template, e.g. replace the value with {{ include
"lfx-v2-indexer-service.fullname" . }}-opensearch-index-config, and update any
references to that ConfigMap (e.g., the configMapRef/name in the Job that
currently points to "opensearch-index-config") to the same templated name so
both creation and consumption match.
In @charts/lfx-v2-indexer-service/templates/job.yaml:
- Line 8: The Job currently uses a hardcoded name "opensearch-index-setup" which
can collide across releases; update the metadata name to use the chart's
fullname template by replacing the literal name with a templated name that
appends "-opensearch-index-setup", e.g. use the Helm helper include
"lfx-v2-indexer-service.fullname" combined with "-opensearch-index-setup" in the
job metadata name so each release gets a unique job name.
- Line 19: The job's ConfigMap reference currently uses the literal name
"opensearch-index-config" but the chart templates create the ConfigMap with a
release-scoped templated name; update the reference so it uses the same
templated name as the ConfigMap (for example, the chart's fullname template plus
the "-opensearch-index-config" suffix or the .Release.Name-based template used
elsewhere) to ensure the job binds to the correct ConfigMap.
🧹 Nitpick comments (4)
charts/lfx-v2-indexer-service/templates/indexing-configmap.yaml (1)
11-12: Index settings (shards, replicas) are not configurable. The loaded JSON file contains only mappings but no `settings` section, preventing users from customizing `number_of_shards` and `number_of_replicas` for different cluster sizes. Consider either:
- Adding a `settings` section to `opensearch-resources-index.json` with templated values, or
- Constructing the complete index configuration dynamically in this ConfigMap using values from `values.yaml`.

Example: Add settings section to JSON

In `opensearch-resources-index.json`, add a settings block at the top level:

```
{
  "settings": {
    "number_of_shards": {{ .Values.opensearch.indexingJob.numberOfShards | default 1 }},
    "number_of_replicas": {{ .Values.opensearch.indexingJob.numberOfReplicas | default 1 }}
  },
  "mappings": { ... }
}
```

However, this requires the JSON file to become a template (moved to `templates/` with `.tpl` extension).

charts/lfx-v2-indexer-service/files/opensearch-resources-index.json (2)
1-2: Missing `settings` section limits index configurability. The JSON defines only `mappings` but no `settings` section. This prevents configuring shard count, replica count, refresh intervals, and analysis settings. Consider adding a `settings` block to allow operational tuning.

Example settings section

```
{
  "settings": {
    "number_of_shards": 1,
    "number_of_replicas": 1,
    "refresh_interval": "1s"
  },
  "mappings": { ... }
}
```

Note: If you want these to be Helm-configurable, this file would need to become a template (see related comment on `indexing-configmap.yaml`).

18-18: Consider searchability requirements for email fields. Email fields (`created_by_emails`, `updated_by_emails`, `deleted_by_emails`) are typed as `keyword`, which means exact-match only. If you need to support partial email searches (e.g., finding all documents by domain `@example.com`), consider using `text` with an email analyzer or a multi-field mapping.

Example multi-field mapping

```
"created_by_emails": {
  "type": "text",
  "fields": {
    "keyword": { "type": "keyword" }
  }
}
```

This allows both full-text search on `created_by_emails` and exact matching on `created_by_emails.keyword`.

Also applies to: 22-22, 26-26

charts/lfx-v2-indexer-service/templates/job.yaml (1)
36-36: Add timeouts to curl commands to prevent indefinite hangs. The curl commands on lines 36 and 43 lack `--max-time` or `--connect-timeout` flags, which could cause the Job to hang indefinitely if OpenSearch is unresponsive.

🔎 Proposed fix
# Check if index already exists - HTTP_CODE=$(curl -s -o /dev/null -w "%{http_code}" -X HEAD "${OPENSEARCH_URL}/${INDEX_NAME}") + HTTP_CODE=$(curl --max-time 30 --connect-timeout 10 -s -o /dev/null -w "%{http_code}" -X HEAD "${OPENSEARCH_URL}/${INDEX_NAME}") if [ "$HTTP_CODE" = "200" ]; then echo "Index '${INDEX_NAME}' already exists, skipping creation" exit 0 elif [ "$HTTP_CODE" = "404" ]; then echo "Index '${INDEX_NAME}' does not exist, creating..." - curl -f -X PUT "${OPENSEARCH_URL}/${INDEX_NAME}" \ + curl --max-time 30 --connect-timeout 10 -f -X PUT "${OPENSEARCH_URL}/${INDEX_NAME}" \ -H 'Content-Type: application/json' \ -d @/config/resources-index.jsonAlso applies to: 43-43
📒 Files selected for processing (3)
- charts/lfx-v2-indexer-service/files/opensearch-resources-index.json
- charts/lfx-v2-indexer-service/templates/indexing-configmap.yaml
- charts/lfx-v2-indexer-service/templates/job.yaml
🧰 Additional context used
🪛 YAMLlint (1.37.1)
charts/lfx-v2-indexer-service/templates/indexing-configmap.yaml
[error] 3-3: syntax error: expected the node content, but found '-'
(syntax)
charts/lfx-v2-indexer-service/templates/job.yaml
[error] 3-3: syntax error: expected the node content, but found '-'
(syntax)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
- GitHub Check: MegaLinter
🔇 Additional comments (2)
charts/lfx-v2-indexer-service/templates/job.yaml (1)
31-50: Script logic is well-designed. The implementation correctly handles:
- Error propagation with `set -e`
- Idempotent index creation with HEAD check
- Proper HTTP error handling with `curl -f`
- Clear error messages for debugging

charts/lfx-v2-indexer-service/files/opensearch-resources-index.json (1)
1-48: The reference schema URL returns a 404 error and cannot be verified. The reference at https://github.com/linuxfoundation/lfx-architecture-scratch/blob/main/2024-12%20ReBAC%20Demo/opensearch-resources-index.json is no longer accessible. Confirm whether this reference has moved, been deleted, or if an updated reference exists. If available, provide the correct URL to complete the schema validation, or verify the current schema through your project's documentation or schema governance process.
Ensures unique resource names across multiple Helm releases.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Signed-off-by: Trevor Bramwell <tbramwell@linuxfoundation.org>
Actionable comments posted: 0
🧹 Nitpick comments (3)
charts/lfx-v2-indexer-service/templates/indexing-configmap.yaml (1)
12-12: Consider validating file existence. If the file `files/opensearch-resources-index.json` is missing, the chart will render with empty content for this ConfigMap entry, potentially causing the Job to fail silently or with confusing errors.

💡 Optional: Add validation with Helm's required function
- {{ .Files.Get "files/opensearch-resources-index.json" | nindent 4 }} + {{ .Files.Get "files/opensearch-resources-index.json" | required "files/opensearch-resources-index.json must exist" | nindent 4 }}This will fail the chart render early with a clear error message if the file is missing.
charts/lfx-v2-indexer-service/templates/job.yaml (2)
11-12: Consider making Job parameters configurable. The `ttlSecondsAfterFinished` and `backoffLimit` values are hardcoded. Making them configurable would allow users to adjust cleanup timing and retry behavior for their specific environments.

♻️ Make Job parameters configurable via values.yaml
- ttlSecondsAfterFinished: 300 - backoffLimit: 3 + ttlSecondsAfterFinished: {{ .Values.opensearch.indexingJob.ttlSecondsAfterFinished | default 300 }} + backoffLimit: {{ .Values.opensearch.indexingJob.backoffLimit | default 3 }}Then add to
`values.yaml`:

```yaml
opensearch:
  indexingJob:
    ttlSecondsAfterFinished: 300
    backoffLimit: 3
```
21-26: Consider adding resource limits. The container doesn't define CPU/memory requests or limits. While this is a short-lived Job, setting modest resource constraints is good practice for cluster resource management.
💡 Optional: Add resource constraints
- name: curl image: curlimages/curl:8.11.1 + resources: + requests: + cpu: 100m + memory: 64Mi + limits: + cpu: 200m + memory: 128Mi volumeMounts:Adjust values based on observed usage patterns.
📒 Files selected for processing (2)
- charts/lfx-v2-indexer-service/templates/indexing-configmap.yaml
- charts/lfx-v2-indexer-service/templates/job.yaml
🧰 Additional context used
🪛 YAMLlint (1.37.1)
charts/lfx-v2-indexer-service/templates/indexing-configmap.yaml
[error] 3-3: syntax error: expected the node content, but found '-'
(syntax)
charts/lfx-v2-indexer-service/templates/job.yaml
[error] 3-3: syntax error: expected the node content, but found '-'
(syntax)
🔇 Additional comments (6)
charts/lfx-v2-indexer-service/templates/indexing-configmap.yaml (2)
3-3: YAMLlint syntax error is a false positive. The YAMLlint error flagging line 3 is expected—YAMLlint doesn't parse Helm template directives. The `{{- if` syntax is correct for Helm templates.
3-13: ConfigMap structure looks good. The conditional rendering, templated naming with `.Release.Name` prefix, and file loading via `.Files.Get` are all properly implemented. The ConfigMap name matches the reference in `job.yaml` line 19.
charts/lfx-v2-indexer-service/templates/job.yaml (4)
3-3: YAMLlint syntax error is a false positive. Same as in `indexing-configmap.yaml`—YAMLlint doesn't understand Helm template syntax.
7-9: Job metadata properly configured. The templated Job name with `.Release.Name` prefix ensures uniqueness across releases in the same namespace.
16-19: Volume configuration looks good. The ConfigMap reference matches the templated name from `indexing-configmap.yaml` line 8.
27-50: Command logic is well-implemented. The idempotency check via HEAD request (lines 35-36) prevents duplicate index creation, and the conditional logic properly handles all cases:
- Existing index (200): skip creation
- Missing index (404): create with `curl -f` flag for proper error handling
- Unexpected responses: fail with clear error message

The `set -e` on line 31 ensures the Job fails on any command error.
Support optional basic auth for OpenSearch via existingSecret reference or direct username/password values. Also makes job configuration (backoffLimit, ttlSecondsAfterFinished, image, resources) configurable.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Signed-off-by: Trevor Bramwell <tbramwell@linuxfoundation.org>
Actionable comments posted: 1
🤖 Fix all issues with AI agents
In @charts/lfx-v2-indexer-service/templates/job.yaml:
- Around line 68-83: Bump the curl image tag in your Helm values to a secure
release by updating the curlimages/curl image tag from 8.11.1 to 8.12.0 (or
later) in values.yaml (the key that controls the image used by the job template
referencing the curl container), then re-render/validate the chart (helm
template / CI) to ensure the job.yaml template picks up the new tag and no other
references remain to 8.11.1.
🧹 Nitpick comments (1)
charts/lfx-v2-indexer-service/templates/job.yaml (1)
32-66: Consider simplifying the authentication pattern. The current implementation uses nested conditionals—AUTH_OPTS is defined at shell runtime (line 65) only when auth is enabled, and then template-time conditionals (lines 69, 76) determine whether to use it. While correct, this pattern could be more maintainable.
♻️ Alternative: Define AUTH_OPTS unconditionally in shell script
- {{- if .Values.opensearch.auth.enabled }} - env: + env: + {{- if .Values.opensearch.auth.enabled }} - name: OPENSEARCH_USERNAME {{- if .Values.opensearch.auth.existingSecret }} valueFrom: @@ -61,9 +61,9 @@ set -e OPENSEARCH_URL="{{ .Values.opensearch.url | trimSuffix "/" }}" INDEX_NAME="{{ .Values.opensearch.index }}" - {{- if .Values.opensearch.auth.enabled }} + {{ if .Values.opensearch.auth.enabled }} AUTH_OPTS="-u ${OPENSEARCH_USERNAME}:${OPENSEARCH_PASSWORD}" - {{- end }} + {{ else }} + AUTH_OPTS="" + {{ end }} # Check if index already exists - HTTP_CODE=$(curl -s -o /dev/null -w "%{http_code}" {{ if .Values.opensearch.auth.enabled }}${AUTH_OPTS} {{ end }}-X HEAD "${OPENSEARCH_URL}/${INDEX_NAME}") + HTTP_CODE=$(curl -s -o /dev/null -w "%{http_code}" ${AUTH_OPTS} -X HEAD "${OPENSEARCH_URL}/${INDEX_NAME}") if [ "$HTTP_CODE" = "200" ]; then @@ -73,7 +73,7 @@ elif [ "$HTTP_CODE" = "404" ]; then echo "Index '${INDEX_NAME}' does not exist, creating..." - curl -f {{ if .Values.opensearch.auth.enabled }}${AUTH_OPTS} {{ end }}-X PUT "${OPENSEARCH_URL}/${INDEX_NAME}" \ + curl -f ${AUTH_OPTS} -X PUT "${OPENSEARCH_URL}/${INDEX_NAME}" \ -H 'Content-Type: application/json' \ -d @/config/resources-index.jsonThis eliminates the template-time conditionals in the curl commands by ensuring AUTH_OPTS is always defined (empty string when auth is disabled).
📒 Files selected for processing (2)
- charts/lfx-v2-indexer-service/templates/job.yaml
- charts/lfx-v2-indexer-service/values.yaml
🧰 Additional context used
🪛 YAMLlint (1.37.1)
charts/lfx-v2-indexer-service/templates/job.yaml
[error] 3-3: syntax error: expected the node content, but found '-'
(syntax)
🔇 Additional comments (3)
charts/lfx-v2-indexer-service/templates/job.yaml (1)
3-3: The static analysis syntax error is a false positive. YAMLlint doesn't recognize Helm template directives. The `{{- if .Values.opensearch.indexingJob.enabled }}` syntax is valid Helm templating and will be processed correctly during chart rendering.
charts/lfx-v2-indexer-service/values.yaml (2)
28-38: Well-structured authentication configuration. The auth configuration properly supports both the existingSecret pattern (recommended) and direct credentials (fallback). Comments clearly document the precedence and structure.
Note: When using direct credentials (username/password fields), they will be visible in the values file and rendered into Kubernetes resources. For production deployments, strongly prefer the existingSecret approach.
39-57: Review the enabled-by-default behavior for production deployments. The indexingJob configuration has sensible defaults (backoffLimit: 3, ttlSecondsAfterFinished: 300, restartPolicy: OnFailure). However, `enabled: true` means the index creation job will run automatically on every chart installation or upgrade.

Consider whether this default behavior is appropriate:
- Current behavior: Job runs automatically, creating the index if it doesn't exist (idempotent)
- Alternative: Default to `false`, requiring explicit opt-in

If the index creation is essential for the service to function, the current default makes sense. Otherwise, you may want to default to `false` to prevent unexpected job executions.

Additionally, `resources: {}` means no CPU/memory limits or requests are set. For a short-lived Job this is usually acceptable, but consider adding defaults in resource-constrained environments:

```yaml
resources:
  requests:
    cpu: "50m"
    memory: "64Mi"
  limits:
    cpu: "100m"
    memory: "128Mi"
```
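The existence check and create step discussed in this review, written as an added example rather than the chart's own job.yaml: it keeps the 200/404 branching, adds the timeouts suggested earlier in the thread, uses `--head` for the check, and passes basic-auth credentials to curl through `--config -` on stdin so they stay out of the process arguments. The function names are hypothetical; the `OPENSEARCH_*` and `INDEX_NAME` variables and `/config/resources-index.json` follow the names used in the thread.

```shell
#!/bin/sh
# Added example, not the chart's job.yaml. Function names are hypothetical.

# Map the status of the existence check to an action. curl's %{http_code}
# is 000 when no HTTP response was received (DNS, connect or timeout error).
index_action() {
  case "$1" in
    200)     echo skip ;;
    404)     echo create ;;
    401|403) echo denied ;;
    000)     echo unreachable ;;
    *)       echo fail ;;
  esac
}

# Print a curl config line carrying basic-auth credentials. Backslashes and
# double quotes are escaped as curl's quoted config values require.
# Limitation: curl splits user:password at the first colon.
curl_auth_config() {
  user=$(printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g')
  pass=$(printf '%s' "$2" | sed 's/\\/\\\\/g; s/"/\\"/g')
  printf 'user = "%s:%s"\n' "$user" "$pass"
}

# ensure_index URL INDEX BODY_FILE: create INDEX from BODY_FILE unless it exists.
ensure_index() {
  url=${1%/}; index=$2; body=$3
  auth=''
  if [ -n "${OPENSEARCH_USERNAME:-}" ]; then
    auth=$(curl_auth_config "$OPENSEARCH_USERNAME" "${OPENSEARCH_PASSWORD:-}")
  fi

  # --head sends a real HEAD request; the config on stdin keeps credentials
  # out of the argument list. "|| true" lets the 000 case reach the switch.
  code=$(printf '%s\n' "$auth" | curl --config - --silent --head \
      --output /dev/null --connect-timeout 10 --max-time 30 \
      --write-out '%{http_code}' "$url/$index") || true

  case "$(index_action "$code")" in
    skip)
      echo "Index '$index' already exists, skipping creation" ;;
    create)
      echo "Index '$index' does not exist, creating..."
      printf '%s\n' "$auth" | curl --config - --fail --silent --show-error \
          --connect-timeout 10 --max-time 30 --request PUT \
          --header 'Content-Type: application/json' \
          --data-binary "@$body" "$url/$index" || return 1
      echo "Index '$index' created successfully" ;;
    denied)
      echo "OpenSearch rejected the credentials: HTTP $code" >&2; return 1 ;;
    unreachable)
      echo "No HTTP response from $url" >&2; return 1 ;;
    *)
      echo "Unexpected response checking index: HTTP $code" >&2; return 1 ;;
  esac
}

# Run only when a URL is supplied, e.g. from the Job's environment.
if [ -n "${OPENSEARCH_URL:-}" ]; then
  ensure_index "$OPENSEARCH_URL" "${INDEX_NAME:?INDEX_NAME is required}" \
      /config/resources-index.json
fi
```

Separating the unreachable and denied cases from other statuses makes the Job log say why a retry under `backoffLimit` happened.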
| # Check if index already exists | ||
| HTTP_CODE=$(curl -s -o /dev/null -w "%{http_code}" {{ if .Values.opensearch.auth.enabled }}${AUTH_OPTS} {{ end }}-X HEAD "${OPENSEARCH_URL}/${INDEX_NAME}") | ||
|
|
||
| if [ "$HTTP_CODE" = "200" ]; then | ||
| echo "Index '${INDEX_NAME}' already exists, skipping creation" | ||
| exit 0 | ||
| elif [ "$HTTP_CODE" = "404" ]; then | ||
| echo "Index '${INDEX_NAME}' does not exist, creating..." | ||
| curl -f {{ if .Values.opensearch.auth.enabled }}${AUTH_OPTS} {{ end }}-X PUT "${OPENSEARCH_URL}/${INDEX_NAME}" \ | ||
| -H 'Content-Type: application/json' \ | ||
| -d @/config/resources-index.json | ||
| echo "Index '${INDEX_NAME}' created successfully" | ||
| else | ||
| echo "Unexpected response checking index: HTTP ${HTTP_CODE}" | ||
| exit 1 | ||
| fi |
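Review bot: In the 404 branch, the `echo "Index '${INDEX_NAME}' created successfully"` line is reached whatever the `curl -f ... -X PUT` call returned unless `set -e` is in effect above the visible lines, so a rejected mapping can be logged as success and the Job can exit 0. Make the dependency explicit, for example `curl -f ... || exit 1`, or capture the PUT status with `-w "%{http_code}"` as the HEAD check already does, and print the response body on failure so the OpenSearch error ends up in the pod log.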
🧩 Analysis chain
🏁 Script executed:
cd charts/lfx-v2-indexer-service && find . -type f -name "*.yaml" -o -name "*.yml" | head -20
Repository: linuxfoundation/lfx-v2-indexer-service
Length of output: 193
🏁 Script executed:
cat -n charts/lfx-v2-indexer-service/templates/job.yaml | sed -n '60,90p'
Repository: linuxfoundation/lfx-v2-indexer-service
Length of output: 1524
🏁 Script executed:
cat charts/lfx-v2-indexer-service/values.yaml
Repository: linuxfoundation/lfx-v2-indexer-service
Length of output: 4563
🏁 Script executed:
#!/bin/bash
# Check if the image tag exists on Docker Hub
echo "Checking Docker Hub for curlimages/curl:8.11.1..."
DOCKER_RESPONSE=$(curl -s "https://hub.docker.com/v2/repositories/curlimages/curl/tags/8.11.1/")
echo "$DOCKER_RESPONSE" | jq -r '.name // "NOT_FOUND"'
# Also check available tags to verify repository access
echo -e "\nRecent available tags (first 5):"
curl -s "https://hub.docker.com/v2/repositories/curlimages/curl/tags/?page_size=5" | jq -r '.results[].name'
Repository: linuxfoundation/lfx-v2-indexer-service
Length of output: 276
🌐 Web query:
curl 8.11.1 CVE security advisory vulnerability
💡 Result:
curl 8.11.1 had multiple security advisories fixed in curl 8.12.0 (released Feb 5, 2025). Summary of CVEs affecting 8.11.1:
- CVE-2025-0167 — netrc / default credential leak: under a rare .netrc “default” condition curl could pass a password to a redirected-to host. Severity: Low. Fix in 8.12.0. [1]
- CVE-2025-0725 — gzip integer overflow: an integer overflow when doing automatic gzip decompression with very old zlib (<=1.2.0.3) could lead to buffer overflow. Affects 7.10.5..8.11.1. Severity: Low (but high impact if you use ancient zlib). Fix in 8.12.0. [2]
- CVE-2025-0665 — eventfd double close: libcurl could close the same eventfd twice in specific threaded-resolver/eventfd builds (64-bit), causing reliability/resource issues. Affected: 8.11.1. Severity: Low. Fix in 8.12.0. [3]
Recommended action: upgrade curl/libcurl to 8.12.0 (or later) or apply the vendor patches; if you cannot upgrade immediately follow the per-advisory mitigations (avoid netrc+redirects, avoid CURLOPT_ACCEPT_ENCODING with ancient zlib, disable eventfd) until patched. [1][2][3]
Sources:
[1] curl CVE-2025-0167 advisory.
[2] curl CVE-2025-0725 advisory.
[3] curl CVE-2025-0665 advisory.
Upgrade curl image to version 8.12.0 or later to address known security advisories.
The index creation logic is well-structured with proper idempotency checks (HEAD before PUT) and appropriate error handling for different HTTP response codes. However, curlimages/curl:8.11.1 has three low-severity security advisories that were fixed in 8.12.0 (released February 5, 2025):
- CVE-2025-0167: netrc/default credential leak under specific redirect conditions
- CVE-2025-0725: gzip integer overflow with very old zlib versions
- CVE-2025-0665: eventfd double close in specific threaded-resolver builds
Update the image tag in values.yaml from 8.11.1 to 8.12.0 or later.
🤖 Prompt for AI Agents
In @charts/lfx-v2-indexer-service/templates/job.yaml around lines 68 - 83, Bump
the curl image tag in your Helm values to a secure release by updating the
curlimages/curl image tag from 8.11.1 to 8.12.0 (or later) in values.yaml (the
key that controls the image used by the job template referencing the curl
container), then re-render/validate the chart (helm template / CI) to ensure the
job.yaml template picks up the new tag and no other references remain to 8.11.1.
The image version is configurable via opensearch.indexingJob.image.tag in values.yaml — operators can pin to 8.12.0 or later per their policy. The default tag will be bumped in a follow-up.
@bramwelt, understood — good point that operators can override the tag via opensearch.indexingJob.image.tag. Acknowledged that the default will be bumped in a follow-up.
Would you like me to open a GitHub issue to track bumping the default curlimages/curl image tag from 8.11.1 to 8.12.0 (or later) in values.yaml?
…r-service into bramwelt/indexer-job
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@charts/lfx-v2-indexer-service/values.yaml`:
- Around line 35-38: The values.yaml exposes plaintext OpenSearch credentials
via the username and password fields—remove or disable these fields and enforce
secret-only auth via existingSecret: delete or set username/password to null in
values.yaml, update chart templates/hooks that currently read .Values.username
or .Values.password to instead require .Values.existingSecret (e.g., fail or
render a clear error if existingSecret is not provided), and add a values schema
or README note documenting that credentials must come from an existing
Kubernetes Secret referenced by existingSecret rather than inline values.
📒 Files selected for processing (1)
charts/lfx-v2-indexer-service/values.yaml
| # username is the OpenSearch username (ignored if existingSecret is set) | ||
| username: "" | ||
| # password is the OpenSearch password (ignored if existingSecret is set) | ||
| password: "" |
Avoid inline OpenSearch credentials in chart values.
Line 35-Line 38 introduce plaintext username/password fields in values.yaml, which are commonly committed to VCS in GitOps workflows. That creates a real secret exposure risk; prefer secret-only auth via existingSecret.
Suggested hardening diff
auth:
# enabled controls whether authentication is used
enabled: false
# existingSecret is the name of an existing secret containing credentials
# The secret should have 'username' and 'password' keys
existingSecret: ""
- # username is the OpenSearch username (ignored if existingSecret is set)
- username: ""
- # password is the OpenSearch password (ignored if existingSecret is set)
- password: ""
+ # WARNING: avoid inline credentials in values files (GitOps/VCS leak risk).
+ # Prefer `existingSecret` and leave inline credentials unset.
+ username: null
+ password: null📝 Committable suggestion
| # username is the OpenSearch username (ignored if existingSecret is set) | |
| username: "" | |
| # password is the OpenSearch password (ignored if existingSecret is set) | |
| password: "" | |
| # username is the OpenSearch username (ignored if existingSecret is set) | |
| # WARNING: avoid inline credentials in values files (GitOps/VCS leak risk). | |
| # Prefer `existingSecret` and leave inline credentials unset. | |
| username: null | |
| # password is the OpenSearch password (ignored if existingSecret is set) | |
| # WARNING: avoid inline credentials in values files (GitOps/VCS leak risk). | |
| # Prefer `existingSecret` and leave inline credentials unset. | |
| password: null |
The username and password fields default to empty strings and are only used as a fallback when existingSecret is not set — existingSecret is the recommended path and is documented as such in values.yaml. Keeping the empty-string defaults avoids rendering errors for users who set credentials via other means. No change needed here.
@bramwelt, understood — the empty-string defaults serve as safe fallback values to prevent rendering errors, while existingSecret is the documented preferred path. That's a reasonable Helm convention. I'll note this for future reviews.
✏️ Learnings added
Learnt from: bramwelt
Repo: linuxfoundation/lfx-v2-indexer-service PR: 36
File: charts/lfx-v2-indexer-service/values.yaml:35-38
Timestamp: 2026-05-07T20:24:05.161Z
Learning: In `charts/lfx-v2-indexer-service/values.yaml`, the `opensearch.auth.username` and `opensearch.auth.password` fields intentionally default to empty strings (not null). They act as a fallback when `existingSecret` is not set, and empty strings are preferred over null to avoid Helm template rendering errors. The `existingSecret` field is the recommended authentication path and is documented as such in the values file.
Pull request overview
Copilot reviewed 4 out of 4 changed files in this pull request and generated 8 comments.
| # auth configures authentication for OpenSearch | ||
| auth: | ||
| # enabled controls whether authentication is used | ||
| enabled: false | ||
| # existingSecret is the name of an existing secret containing credentials | ||
| # The secret should have 'username' and 'password' keys | ||
| existingSecret: "" | ||
| # username is the OpenSearch username (ignored if existingSecret is set) | ||
| username: "" | ||
| # password is the OpenSearch password (ignored if existingSecret is set) | ||
| password: "" |
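Review bot: Nothing in this `auth` block ties `enabled: true` to a credential source: with `existingSecret`, `username` and `password` all left at `""`, the values are still accepted. If the Job template does not already check for this, add a `required` or `fail` guard there so that enabling auth without a Secret name or an inline pair stops at render time instead of producing a Job that sends an empty `-u` pair.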
opensearch.auth is intentionally scoped at the top level so it can be wired to the Deployment in a future iteration when the app config gains OpenSearch auth support. Scoping it under indexingJob would require a breaking rename later. No change for now.
| # indexingJob is the configuration for the OpenSearch index creation job | ||
| indexingJob: | ||
| # enabled is a boolean to determine if the indexing job should be created | ||
| enabled: true | ||
| # backoffLimit is the number of retries before marking the job as failed |
The chart version is dynamically replaced during the CI build — Chart.yaml always shows 0.0.1 in source and is updated to the real semver at build time. The PR description was stale; no manual version bump is needed here.
| apiVersion: batch/v1 | ||
| kind: Job | ||
| metadata: | ||
| name: {{ .Release.Name }}-opensearch-index-setup | ||
| namespace: {{ .Release.Namespace }} | ||
| spec: | ||
| ttlSecondsAfterFinished: {{ $job.ttlSecondsAfterFinished }} | ||
| backoffLimit: {{ $job.backoffLimit }} | ||
| {{- if $job.activeDeadlineSeconds }} | ||
| activeDeadlineSeconds: {{ $job.activeDeadlineSeconds }} | ||
| {{- end }} |
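Review bot: The Job name `{{ .Release.Name }}-opensearch-index-setup` is fixed per release, and a finished Job stays in the namespace for `ttlSecondsAfterFinished` seconds, so a `helm upgrade` inside that window that changes the pod template will be rejected because a Job's pod template is immutable. Run the Job as a Helm hook with a `before-hook-creation` delete policy, or otherwise make sure the previous Job is removed before the new one is applied.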
Fixed in commit 1a85468 — converted both the Job and ConfigMap to Helm hooks (post-install,post-upgrade) with before-hook-creation,hook-succeeded delete policy. The ConfigMap uses weight 0 and the Job uses weight 1 to ensure the ConfigMap is always created before the Job runs.
| # Check if index already exists | ||
| HTTP_CODE=$(curl -s -o /dev/null -w "%{http_code}" {{ if .Values.opensearch.auth.enabled }}${AUTH_OPTS} {{ end }}-X HEAD "${OPENSEARCH_URL}/${INDEX_NAME}") | ||
|
|
||
| if [ "$HTTP_CODE" = "200" ]; then | ||
| echo "Index '${INDEX_NAME}' already exists, skipping creation" | ||
| exit 0 | ||
| elif [ "$HTTP_CODE" = "404" ]; then | ||
| echo "Index '${INDEX_NAME}' does not exist, creating..." | ||
| curl -f {{ if .Values.opensearch.auth.enabled }}${AUTH_OPTS} {{ end }}-X PUT "${OPENSEARCH_URL}/${INDEX_NAME}" \ | ||
| -H 'Content-Type: application/json' \ | ||
| -d @/config/resources-index.json | ||
| echo "Index '${INDEX_NAME}' created successfully" | ||
| else | ||
| echo "Unexpected response checking index: HTTP ${HTTP_CODE}" | ||
| exit 1 | ||
| fi |
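Review bot: The existence check on the `HTTP_CODE=$(curl ... -X HEAD ...)` line has no time limit, and `-X HEAD` only overrides the method string, so curl still waits for a response body that a HEAD reply never carries. Use `--head` and add `--max-time`, so that a stalled request fails the pod and `backoffLimit` can retry it.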
The Kubernetes Job backoffLimit already provides retry behaviour at the pod level — each failed pod attempt triggers a new pod. Combined with activeDeadlineSeconds this gives a time-bounded retry window. A shell-level retry loop would duplicate this and complicate failure visibility. No change needed.
| {{- if .Values.opensearch.auth.enabled }} | ||
| AUTH_OPTS="-u ${OPENSEARCH_USERNAME}:${OPENSEARCH_PASSWORD}" | ||
| {{- end }} | ||
|
|
||
| # Check if index already exists | ||
| HTTP_CODE=$(curl -s -o /dev/null -w "%{http_code}" {{ if .Values.opensearch.auth.enabled }}${AUTH_OPTS} {{ end }}-X HEAD "${OPENSEARCH_URL}/${INDEX_NAME}") | ||
|
|
||
| if [ "$HTTP_CODE" = "200" ]; then | ||
| echo "Index '${INDEX_NAME}' already exists, skipping creation" | ||
| exit 0 | ||
| elif [ "$HTTP_CODE" = "404" ]; then | ||
| echo "Index '${INDEX_NAME}' does not exist, creating..." | ||
| curl -f {{ if .Values.opensearch.auth.enabled }}${AUTH_OPTS} {{ end }}-X PUT "${OPENSEARCH_URL}/${INDEX_NAME}" \ |
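Review bot: `${AUTH_OPTS}` is expanded unquoted in both curl calls, so a password containing whitespace or a glob character is split or expanded into extra curl arguments, and the request then goes out with the wrong credentials or the wrong options. Drop the intermediate variable and pass `-u "${OPENSEARCH_USERNAME}:${OPENSEARCH_PASSWORD}"` directly inside the `{{ if .Values.opensearch.auth.enabled }}` guard, quoted as a single argument.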
Fixed in commit 1a85468 — removed the AUTH_OPTS intermediate variable and inlined the credentials directly as -u "${OPENSEARCH_USERNAME}:${OPENSEARCH_PASSWORD}" in both curl calls, ensuring proper quoting.
| namespace: {{ .Release.Namespace }} | ||
| data: | ||
| resources-index.json: | | ||
| {{ .Files.Get "files/opensearch-resources-index.json" | nindent 4 }} |
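Review bot: On the `{{ .Files.Get "files/opensearch-resources-index.json" | nindent 4 }}` line, `.Files.Get` returns an empty string when the path is not in the packaged chart (a typo, or a `.helmignore` match), so the ConfigMap would render with an empty `resources-index.json` and the problem would only surface when the Job's PUT is rejected. Wrap the lookup in `required` with a clear message so that `helm template` fails at render time.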
Fixed in commit 1a85468 — moved the template expression to column 0 using {{- trimming so nindent 4 alone handles the indentation, rendering the JSON cleanly without extra leading whitespace.
| { | ||
| "mappings": { | ||
| "properties": { | ||
| "object_ref": { "type": "keyword" }, |
Mappings-only is intentional — OpenSearch's default shard/replica counts are appropriate for our deployment and we don't need to manage them via Helm values at this stage. The PR description was outdated; it previously referenced settings from an old index definition that was replaced in commit 8971941.
| name: {{ .Release.Name }}-opensearch-index-config | ||
| namespace: {{ .Release.Namespace }} |
The Job and ConfigMap use {{ .Release.Name }}/{{ .Release.Namespace }} intentionally — this is the correct Helm idiom for new resources. The Deployment and PDB using hardcoded names is pre-existing technical debt and out of scope for this PR. Standardising chart-wide naming is tracked separately.
-X HEAD causes curl to wait for a response body that never arrives, hanging the job indefinitely. --head correctly skips body reading.
Generated with [Claude Code](https://claude.ai/code)
Signed-off-by: Andres Tobon <andrest2455@gmail.com>

- Add access_check_object, access_check_relation
- Add history_check_object, history_check_relation
- Add scheduled_start_time, scheduled_end_time
- Change access_check_query/history_check_query to text with keyword sub-field (ignore_above: 256)
- Add doc_values: false, max_shingle_size: 3 to all search_as_you_type fields
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Issue: LFXV2-1698
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Signed-off-by: Trevor Bramwell <tbramwell@linuxfoundation.org>
| {{- if .Values.opensearch.auth.enabled }} | ||
| AUTH_OPTS="-u ${OPENSEARCH_USERNAME}:${OPENSEARCH_PASSWORD}" | ||
| {{- end }} | ||
|
|
||
| # Check if index already exists | ||
| HTTP_CODE=$(curl -s -o /dev/null -w "%{http_code}" {{ if .Values.opensearch.auth.enabled }}${AUTH_OPTS} {{ end }}--head "${OPENSEARCH_URL}/${INDEX_NAME}") | ||
|
|
||
| if [ "$HTTP_CODE" = "200" ]; then | ||
| echo "Index '${INDEX_NAME}' already exists, skipping creation" | ||
| exit 0 | ||
| elif [ "$HTTP_CODE" = "404" ]; then | ||
| echo "Index '${INDEX_NAME}' does not exist, creating..." | ||
| curl -f {{ if .Values.opensearch.auth.enabled }}${AUTH_OPTS} {{ end }}-X PUT "${OPENSEARCH_URL}/${INDEX_NAME}" \ |
Fixed in commit 1a85468 — removed AUTH_OPTS and inlined credentials as -u "${OPENSEARCH_USERNAME}:${OPENSEARCH_PASSWORD}" directly in both curl calls.
| name: {{ .Release.Name }}-opensearch-index-config | ||
| namespace: {{ .Release.Namespace }} |
The Job and ConfigMap use {{ .Release.Name }}/{{ .Release.Namespace }} intentionally — this is correct Helm practice for new resources. The Deployment/PDB hardcoding is pre-existing technical debt out of scope for this PR.
| # auth configures authentication for OpenSearch | ||
| auth: | ||
| # enabled controls whether authentication is used | ||
| enabled: false | ||
| # existingSecret is the name of an existing secret containing credentials | ||
| # The secret should have 'username' and 'password' keys | ||
| existingSecret: "" | ||
| # username is the OpenSearch username (ignored if existingSecret is set) | ||
| username: "" | ||
| # password is the OpenSearch password (ignored if existingSecret is set) | ||
| password: "" |
opensearch.auth is at the top level intentionally for future wiring to the Deployment once the app config gains OpenSearch auth support. No change needed now.
| { | ||
| "mappings": { | ||
| "properties": { | ||
| "object_ref": { "type": "keyword" }, |
Mappings-only is intentional — OpenSearch defaults for shards/replicas are appropriate. The PR description referencing settings was outdated (old index definition replaced in commit 8971941).
| # indexingJob is the configuration for the OpenSearch index creation job | ||
| indexingJob: | ||
| # enabled is a boolean to determine if the indexing job should be created | ||
| enabled: true | ||
| # backoffLimit is the number of retries before marking the job as failed | ||
| backoffLimit: 3 | ||
| # ttlSecondsAfterFinished is how long to keep the job after completion |
Chart version is dynamically replaced by the CI build — Chart.yaml always shows 0.0.1 in source. No manual bump needed.
- Convert Job and ConfigMap to Helm hooks (post-install/post-upgrade)
with before-hook-creation,hook-succeeded delete policy; ConfigMap
uses weight 0, Job uses weight 1 to ensure ordering
- Add securityContext.allowPrivilegeEscalation: false to Job container
- Remove AUTH_OPTS shell variable; inline credentials directly as
-u "${OPENSEARCH_USERNAME}:${OPENSEARCH_PASSWORD}" to avoid
unquoted variable expansion
- Fix nindent formatting in ConfigMap to remove leading whitespace
before Files.Get template call
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Issue: LFXV2-1698
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Signed-off-by: Trevor Bramwell <tbramwell@linuxfoundation.org>
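The check-then-create flow this thread converges on (`--head` rather than `-X HEAD`, credentials passed as one quoted `-u` argument, the PUT status checked before success is reported), written out as an added example that is not the chart's own job.yaml. The `ensure_index` function, the `CURL` override, the 30-second timeout and the `fake_curl` stub are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: create the index only if missing, checking every HTTP result.
# CURL can be pointed at a stub for offline tests; by default it is real curl.
CURL="${CURL:-curl}"

# ensure_index BASE_URL INDEX MAPPING_FILE
# Returns 0 when the index exists or was created, 1 on anything else.
ensure_index() {
  url="$1"; index="$2"; mapping="$3"

  # Build the shared options in "$@" so the credential pair stays ONE argument,
  # even if the password contains spaces or glob characters.
  set -- --silent --max-time 30
  if [ -n "${OPENSEARCH_USERNAME:-}" ] && [ -n "${OPENSEARCH_PASSWORD:-}" ]; then
    set -- "$@" -u "${OPENSEARCH_USERNAME}:${OPENSEARCH_PASSWORD}"
  fi

  # --head issues a HEAD request and does not wait for a response body.
  code=$("$CURL" "$@" --head -o /dev/null -w '%{http_code}' \
      "${url}/${index}") || code="000"
  case "$code" in
    200) echo "index '${index}' already exists"; return 0 ;;
    404) ;;  # missing: fall through to creation
    *)   echo "unexpected HTTP ${code} checking '${index}'" >&2; return 1 ;;
  esac

  # No -f here: the status code is captured and checked explicitly instead.
  code=$("$CURL" "$@" -X PUT -o /dev/null -w '%{http_code}' \
      -H 'Content-Type: application/json' --data-binary "@${mapping}" \
      "${url}/${index}") || code="000"
  case "$code" in
    200|201) echo "index '${index}' created"; return 0 ;;
    *)       echo "creating '${index}' failed: HTTP ${code}" >&2; return 1 ;;
  esac
}

# Constructed stub standing in for OpenSearch (not a real server): answers 404
# to HEAD until a PUT has been seen, then 200. FAKE_STATE names its state file;
# the value following -u is written to "${FAKE_STATE}.cred" for inspection.
fake_curl() {
  method=HEAD; prev=""
  for arg in "$@"; do
    if [ "$arg" = "PUT" ]; then method=PUT; fi
    if [ "$prev" = "-u" ]; then printf '%s' "$arg" > "${FAKE_STATE}.cred"; fi
    prev="$arg"
  done
  if [ "$method" = "PUT" ]; then
    : > "$FAKE_STATE"
    printf '200'
  elif [ -e "$FAKE_STATE" ]; then
    printf '200'
  else
    printf '404'
  fi
}
```

In a Job container the call would be `ensure_index "${OPENSEARCH_URL}" "${INDEX_NAME}" /config/resources-index.json`, with the function's return value used as the container's exit status.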
Review comment resolution summary (commit 1a85468)
Code changes made
Already addressed in previous commits (outdated threads)
Threads 1–5, 7: Job/ConfigMap names, ttl/backoff configurability, curl image configurability, shard/replica settings, and ConfigMap ref — all addressed in earlier commits. Thread 8 (andrest50): Index JSON updated and moved to
No change — design decisions
| namespace: {{ .Release.Namespace }} | ||
| annotations: | ||
| "helm.sh/hook": post-install,post-upgrade | ||
| "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded |
| # enabled is a boolean to determine if the indexing job should be created | ||
| enabled: true |
This pull request adds support for automated OpenSearch index setup in the Helm chart for the LFX V2 Indexer Service. The main changes introduce a Kubernetes Job and ConfigMap to create and configure the OpenSearch index, making the deployment process more streamlined and configurable.
OpenSearch Index Setup Automation
- indexingJob configuration section under opensearch in values.yaml to enable or disable automated index setup.
- job.yaml) that runs a container to set up the OpenSearch index using the configuration from the ConfigMap.
- indexing-configmap.yaml) that defines the index settings and mappings for OpenSearch, including shard/replica counts and field types.
Issue: LFXV2-1698