chore(release): v0.3.0#44
Conversation
Cut a release from main (26 commits since v0.2.5, all additive/backward-compatible): - richer query rules: rewriting, mirroring, caching, chaining (#19) - mysql_hostgroup_attributes (#20) - bootstrap proxysql.cnf moves from ConfigMap to Secret (#21) - service annotations, session affinity, TCP keepalive sysctls (#28) - optional Fluent Bit logging sidecar with query-log shipping (#29) - auto-populate proxysql_servers peers when spec list empty (#39) - backend example flavors + operator documentation set CRD changes are additive only (new optional fields) -> minor bump. proxysql-operator: 0.2.5 -> 0.3.0 (version + appVersion) proxysql-cluster: 0.1.0 -> 0.2.0 (changed since v0.2.5; appVersion/ProxySQL 3.0 unchanged) proxysql: unchanged (0.1.0)
📝 WalkthroughWalkthroughVersion metadata bumped in two Helm charts: ChangesHelm Chart Version Bumps
Estimated code review effort🎯 1 (Trivial) | ⏱️ ~2 minutes 🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Actionable comments posted: 2
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@charts/proxysql-cluster/Chart.yaml`:
- Line 5: The test Pod in the test connection template violates the PSA
restricted security context by running with runAsUser set to 65534 instead of
the required uid 999. Update the securityContext in the test Pod specification
to set runAsUser to 999 to match the PSA restricted profile that is properly
implemented in the main StatefulSet and other resources. This ensures
consistency across all Pod specifications and compliance with the restricted
security context.
In `@charts/proxysql-operator/Chart.yaml`:
- Around line 5-6: The podSecurityContext in values.yaml is missing required
fields for PSA restricted profile compliance. Add runAsUser: 999 and runAsGroup:
999 to the existing podSecurityContext configuration alongside the existing
runAsNonRoot, readOnlyRootFilesystem, capability drops, and seccomp settings.
Additionally, add fsGroup: 999 to podSecurityContext if the operator writes to
mounted volumes.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yml
Review profile: CHILL
Plan: Pro
Run ID: 107e5d69-9152-44f6-965a-cbfb7c61d419
📒 Files selected for processing (2)
charts/proxysql-cluster/Chart.yamlcharts/proxysql-operator/Chart.yaml
| description: ProxySQL control-plane (StatefulSet, persistent) for operator-managed ProxySQL Clusters | ||
| type: application | ||
| version: 0.1.0 | ||
| version: 0.2.0 |
There was a problem hiding this comment.
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
# Description: Check pod specifications in proxysql-cluster templates for PSA restricted compliance
# Find all template files
fd -e yaml -e yml 'charts/proxysql-cluster/templates' | while read file; do
echo "=== File: $file ==="
cat "$file"
echo ""
doneRepository: ProxySQL/proxysql-on-k8s
Length of output: 506
🏁 Script executed:
#!/bin/bash
# Description: Check pod specifications in proxysql-cluster templates for PSA restricted compliance
# Find all template files using corrected fd syntax
fd . 'charts/proxysql-cluster/templates' -e yaml -e yml | while read file; do
echo "=== File: $file ==="
cat "$file"
echo ""
doneRepository: ProxySQL/proxysql-on-k8s
Length of output: 11711
🏁 Script executed:
cat charts/proxysql-cluster/values.yamlRepository: ProxySQL/proxysql-on-k8s
Length of output: 3881
Chart version bump to 0.2.0 is correct.
The version field update from 0.1.0 to 0.2.0 appropriately signals a minor version release.
Pod specifications in the main StatefulSet properly implement PSA restricted security context: the defaults in values.yaml set runAsNonRoot=true, uid/gid=999, readOnlyRootFilesystem=true, all capabilities dropped, and seccomp profile set to RuntimeDefault. Values overrides flow correctly through all templates, and label/selector consistency is preserved across all resources.
However, the test Pod in charts/proxysql-cluster/templates/tests/test-connection.yaml violates the uid requirement by using runAsUser: 65534 instead of the required 999. Update this to match the PSA restricted profile.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@charts/proxysql-cluster/Chart.yaml` at line 5, The test Pod in the test
connection template violates the PSA restricted security context by running with
runAsUser set to 65534 instead of the required uid 999. Update the
securityContext in the test Pod specification to set runAsUser to 999 to match
the PSA restricted profile that is properly implemented in the main StatefulSet
and other resources. This ensures consistency across all Pod specifications and
compliance with the restricted security context.
Source: Coding guidelines
| version: 0.3.0 | ||
| appVersion: "0.3.0" |
There was a problem hiding this comment.
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
# Description: Check pod specifications in proxysql-operator templates for PSA restricted compliance
# Find all template files
fd -e yaml -e yml 'charts/proxysql-operator/templates' | while read file; do
echo "=== File: $file ==="
cat "$file"
echo ""
doneRepository: ProxySQL/proxysql-on-k8s
Length of output: 510
🏁 Script executed:
#!/bin/bash
# List all template files in the proxysql-operator templates directory
fd . 'charts/proxysql-operator/templates' -e yaml -e ymlRepository: ProxySQL/proxysql-on-k8s
Length of output: 335
🏁 Script executed:
#!/bin/bash
# Read the deployment.yaml to check pod specifications
cat 'charts/proxysql-operator/templates/deployment.yaml'Repository: ProxySQL/proxysql-on-k8s
Length of output: 3176
🏁 Script executed:
#!/bin/bash
# Find values files for proxysql-operator chart
fd . 'charts/proxysql-operator' -name 'values*.yaml' -o -name 'values*.yml'Repository: ProxySQL/proxysql-on-k8s
Length of output: 299
🏁 Script executed:
#!/bin/bash
# Find values files for proxysql-operator chart
find 'charts/proxysql-operator' -name 'values*.yaml'Repository: ProxySQL/proxysql-on-k8s
Length of output: 105
🏁 Script executed:
#!/bin/bash
# Read values.yaml to check security context configuration
cat 'charts/proxysql-operator/values.yaml'Repository: ProxySQL/proxysql-on-k8s
Length of output: 1683
PSA restricted pod security context is incomplete in charts/proxysql-operator/values.yaml.
The chart's podSecurityContext is missing required runAsUser: 999 and runAsGroup: 999 fields mandated by the PSA restricted profile. While the template correctly delegates security context to values and the existing configuration includes runAsNonRoot: true, readOnlyRootFilesystem: true, capability drops, and seccomp set to RuntimeDefault, the uid/gid specification must be added to achieve full PSA restricted compliance.
Add the following to podSecurityContext in charts/proxysql-operator/values.yaml:
podSecurityContext:
runAsNonRoot: true
runAsUser: 999
runAsGroup: 999
seccompProfile:
type: RuntimeDefaultAlso add fsGroup: 999 if the operator writes to mounted volumes.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@charts/proxysql-operator/Chart.yaml` around lines 5 - 6, The
podSecurityContext in values.yaml is missing required fields for PSA restricted
profile compliance. Add runAsUser: 999 and runAsGroup: 999 to the existing
podSecurityContext configuration alongside the existing runAsNonRoot,
readOnlyRootFilesystem, capability drops, and seccomp settings. Additionally,
add fsGroup: 999 to podSecurityContext if the operator writes to mounted
volumes.
Source: Coding guidelines
Release-prep version bump so we can tag v0.3.0 from
main(26 commits since v0.2.5, all additive/backward-compatible).Charts bumped:
proxysql-operator: 0.2.5 → 0.3.0 (version + appVersion)proxysql-cluster: 0.1.0 → 0.2.0 (changed since v0.2.5)proxysql: unchangedWhat's in v0.3.0 (highlights): richer query rules (#19), mysql_hostgroup_attributes (#20), proxysql.cnf → Secret (#21), networking knobs — annotations/session-affinity/TCP keepalive (#28), Fluent Bit logging sidecar (#29), proxysql_servers peer auto-populate (#39), example flavors + operator docs. CRD changes are additive only.
After merge, tag
v0.3.0on main →release.yamlpublishes the image (ghcr) + charts (helm repo) + a GitHub Release.Cut to let ProxySQL SaaS consume a published operator instead of building from a local clone.
Summary by CodeRabbit