buildbuddy k8s self hosted executor updates #2264

Merged
mfreeman451 merged 2 commits from refs/pull/2264/head into main 2025-10-03 06:09:45 +00:00
mfreeman451 commented 2025-10-03 05:49:19 +00:00 (Migrated from github.com)
Owner

Imported from GitHub pull request.

Original GitHub pull request: #1689
Original author: @mfreeman451
Original URL: https://github.com/carverauto/serviceradar/pull/1689
Original created: 2025-10-03T05:49:19Z
Original updated: 2025-10-03T06:09:48Z
Original head: carverauto/serviceradar:k8s/build_budddy_executors
Original base: main
Original merged: 2025-10-03T06:09:45Z by @mfreeman451

PR Type

Enhancement


Description

  • Add BuildBuddy executor deployment script with secret management

  • Create comprehensive README with setup and troubleshooting guide

  • Implement Kubernetes secret-based API key handling

  • Provide automated deployment with Helm configuration


Diagram Walkthrough

flowchart LR
  A["Kubernetes Secret"] --> B["deploy.sh Script"]
  B --> C["Helm Deployment"]
  C --> D["BuildBuddy Executor Pods"]
  E["values.yaml Config"] --> C

File Walkthrough

Relevant files
Enhancement
deploy.sh
Automated BuildBuddy executor deployment script                   

k8s/buildbuddy/deploy.sh

  • Creates automated deployment script for BuildBuddy executor
  • Implements Kubernetes secret validation and API key extraction
  • Provides Helm upgrade command with dynamic API key injection
  • Includes error handling and deployment status feedback
+33/-0   
Documentation
README.md
Comprehensive BuildBuddy executor documentation                   

k8s/buildbuddy/README.md

  • Documents complete BuildBuddy executor setup process
  • Provides configuration details and resource specifications
  • Includes troubleshooting guide for common issues
  • Details both automated and manual deployment options
+116/-0 

qodo-code-review[bot] commented 2025-10-03 05:49:40 +00:00 (Migrated from github.com)
Author
Owner

Imported GitHub PR comment.

Original author: @qodo-code-review[bot]
Original URL: https://github.com/carverauto/serviceradar/pull/1689#issuecomment-3364353868
Original created: 2025-10-03T05:49:40Z

PR Compliance Guide 🔍

Below is a summary of compliance checks for this PR:

Security Compliance
⚪ Secret exposure risk

Description: The script reads the API key from a Kubernetes secret and injects it into a Helm command
via --set, which may expose the key in shell history or process arguments and in Helm
release metadata; prefer passing via environment valueFrom secretKeyRef or a Kubernetes
Secret values file with --values to avoid exposure.
deploy.sh [18-31]

Referred Code
# Get API key from secret
API_KEY=$(kubectl get secret "$SECRET_NAME" -n "$NAMESPACE" -o jsonpath='{.data.api-key}' | base64 -d)

if [ -z "$API_KEY" ]; then
    echo "Error: API key is empty in secret"
    exit 1
fi

echo "Deploying BuildBuddy executor..."
helm upgrade "$RELEASE_NAME" buildbuddy/buildbuddy-executor \
    -n "$NAMESPACE" \
    -f "$(dirname "$0")/values.yaml" \
    --set config.executor.api_key="$API_KEY"

Ticket Compliance
⚪ 🎫 No ticket provided
Codebase Duplication Compliance
⚪ Codebase context is not defined

Follow the guide to enable codebase context checks.

Custom Compliance
⚪ No custom compliance provided

Follow the guide to enable custom compliance check.

Compliance status legend
🟢 - Fully Compliant
🟡 - Partial Compliant
🔴 - Not Compliant
⚪ - Requires Further Human Verification
🏷️ - Compliance label
qodo-code-review[bot] commented 2025-10-03 05:50:37 +00:00 (Migrated from github.com)
Author
Owner

Imported GitHub PR comment.

Original author: @qodo-code-review[bot]
Original URL: https://github.com/carverauto/serviceradar/pull/1689#issuecomment-3364356179
Original created: 2025-10-03T05:50:37Z

PR Code Suggestions

Explore these optional code suggestions:

Category    Suggestion    Impact
High-level
Use Helm to manage secrets directly

Replace the deploy.sh script, which insecurely passes the API key via a
command-line argument, with a direct reference to the Kubernetes secret within
the Helm configuration. This is a more secure and standard practice that
simplifies deployment.

Examples:

k8s/buildbuddy/deploy.sh [19-30]
API_KEY=$(kubectl get secret "$SECRET_NAME" -n "$NAMESPACE" -o jsonpath='{.data.api-key}' | base64 -d)

if [ -z "$API_KEY" ]; then
    echo "Error: API key is empty in secret"
    exit 1
fi

echo "Deploying BuildBuddy executor..."
helm upgrade "$RELEASE_NAME" buildbuddy/buildbuddy-executor \
    -n "$NAMESPACE" \

 ... (clipped 2 lines)

Solution Walkthrough:

Before:

# k8s/buildbuddy/deploy.sh

# Get API key from secret by decoding it
API_KEY=$(kubectl get secret "buildbuddy-api-key" -n "buildbuddy" -o jsonpath='{.data.api-key}' | base64 -d)

if [ -z "$API_KEY" ]; then
    echo "Error: API key is empty in secret"
    exit 1
fi

# Pass the plaintext API key as a command-line argument
helm upgrade "buildbuddy" buildbuddy/buildbuddy-executor \
    --set config.executor.api_key="$API_KEY"

After:

# The deploy.sh script is removed.
# The values.yaml file is configured to reference the secret.

# values.yaml
config:
  executor:
    # The upstream chart likely supports referencing an existing secret.
    # This avoids exposing the key.
    apiKeyExistingSecret: buildbuddy-api-key

# The deployment command becomes a standard Helm command,
# without the need for a custom script.
helm upgrade "buildbuddy" buildbuddy/buildbuddy-executor \
  -n "buildbuddy" \
  -f "k8s/buildbuddy/values.yaml"

Suggestion importance[1-10]: 9


Why: The suggestion addresses a significant security and complexity issue in the deployment script, proposing a more secure, idiomatic, and maintainable Helm-native pattern for secret management that greatly improves the PR's quality.

High
Possible issue
Make Helm deployment command idempotent

Add the --install flag to the helm upgrade command. This makes the deployment
script idempotent, allowing it to perform an initial install if the release
doesn't exist or an upgrade if it does.

k8s/buildbuddy/deploy.sh [27-30]

-helm upgrade "$RELEASE_NAME" buildbuddy/buildbuddy-executor \
+helm upgrade --install "$RELEASE_NAME" buildbuddy/buildbuddy-executor \
     -n "$NAMESPACE" \
     -f "$(dirname "$0")/values.yaml" \
     --set config.executor.api_key="$API_KEY"
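Review bot: adding --install fixes the first-run failure, but the unchanged context line `--set config.executor.api_key="$API_KEY"` still places the key in the process arguments; if this is applied together with the stdin suggestion below, fold --install into that single piped helm invocation rather than keeping two variants of the command.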
Suggestion importance[1-10]: 9


Why: This suggestion correctly identifies a bug that would cause the script to fail on its first run and provides the standard fix, making the script idempotent and aligning it with the documentation.

High
Security
Avoid exposing secrets on command-line

To prevent exposing the API key in the process list or shell history, pass it to
Helm via standard input instead of using the --set command-line flag.

k8s/buildbuddy/deploy.sh [18-30]

 # Get API key from secret
 API_KEY=$(kubectl get secret "$SECRET_NAME" -n "$NAMESPACE" -o jsonpath='{.data.api-key}' | base64 -d)
 
 if [ -z "$API_KEY" ]; then
     echo "Error: API key is empty in secret"
     exit 1
 fi
 
 echo "Deploying BuildBuddy executor..."
-helm upgrade "$RELEASE_NAME" buildbuddy/buildbuddy-executor \
+# Pipe the secret to helm to avoid exposing it in the process list
+printf 'config:\n  executor:\n    api_key: %s\n' "$API_KEY" | helm upgrade "$RELEASE_NAME" buildbuddy/buildbuddy-executor \
     -n "$NAMESPACE" \
     -f "$(dirname "$0")/values.yaml" \
-    --set config.executor.api_key="$API_KEY"
+    -f -
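Review bot: the `printf 'config:\n  executor:\n    api_key: %s\n' "$API_KEY"` line interpolates the key as a bare YAML scalar, so a key containing `#`, `: `, or a leading `*`, `&` or `[` would break or reinterpret the document; emit it as a double-quoted scalar (escaping backslashes and quotes) instead. As the compliance check above already notes, the piped value is still recorded in Helm release metadata, so this change removes only the process-list and shell-history exposure.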
Suggestion importance[1-10]: 8


Why: This suggestion correctly identifies a security risk of exposing a secret API_key on the command line and proposes a more secure, standard alternative, significantly improving the script's security posture.

Medium
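The stdin-piped variant discussed in the suggestions above, written out as an added example that is not part of the PR or of the bot's suggestions: it folds in --install and emits the key as a double-quoted YAML scalar so that YAML-significant characters in the key cannot break the values document. It assumes the same SECRET_NAME, NAMESPACE and RELEASE_NAME variables as the PR's deploy.sh, a single-line key, and that the chart reads config.executor.api_key as the PR's script does.

```shell
#!/usr/bin/env bash
# Added example (not the PR's deploy.sh): pipe the API key into helm as a
# properly quoted YAML values document instead of passing it with --set.
set -eu

# Escape a raw string for a YAML double-quoted scalar: backslashes first,
# then double quotes. The key is assumed to be a single line.
yaml_dq() {
    printf '"%s"' "$(printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g')"
}

# Render the values fragment that helm reads from stdin via `-f -`.
# Assumes the chart consumes config.executor.api_key, as in the PR.
render_values() {
    printf 'config:\n  executor:\n    api_key: %s\n' "$(yaml_dq "$1")"
}

# Read the key from the Secret and deploy. Assumes the PR's variable names
# (SECRET_NAME, NAMESPACE, RELEASE_NAME) are set by the caller, e.g.
#   SECRET_NAME=buildbuddy-api-key NAMESPACE=buildbuddy RELEASE_NAME=buildbuddy deploy
deploy() {
    api_key=$(kubectl get secret "$SECRET_NAME" -n "$NAMESPACE" \
        -o jsonpath='{.data.api-key}' | base64 -d)
    if [ -z "$api_key" ]; then
        echo "Error: API key is empty in secret" >&2
        return 1
    fi
    # --install makes the script idempotent; -f - reads the rendered values
    # from stdin so the key never appears in the process arguments.
    render_values "$api_key" | helm upgrade --install "$RELEASE_NAME" \
        buildbuddy/buildbuddy-executor \
        -n "$NAMESPACE" \
        -f "$(dirname "$0")/values.yaml" \
        -f -
}
```

The key still ends up in the Helm release metadata, as the compliance check points out; only the process-list and shell-history exposure is removed.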