k8s fixes for db event writer #2672

Merged
mfreeman451 merged 3 commits from refs/pull/2672/head into staging 2026-01-14 21:21:27 +00:00
mfreeman451 commented 2026-01-14 19:37:39 +00:00 (Migrated from github.com)
Owner

Imported from GitHub pull request.

Original GitHub pull request: #2302
Original author: @mfreeman451
Original URL: https://github.com/carverauto/serviceradar/pull/2302
Original created: 2026-01-14T19:37:39Z
Original updated: 2026-01-14T21:21:29Z
Original head: carverauto/serviceradar:chore/fix-db-event-writer-crashing
Original base: staging
Original merged: 2026-01-14T21:21:27Z by @mfreeman451

User description

IMPORTANT: Please sign the Developer Certificate of Origin

Thank you for your contribution to ServiceRadar. Please note, when contributing, the developer must include
a DCO sign-off statement indicating the DCO acceptance in one commit message. Here
is an example DCO Signed-off-by line in a commit message:

Signed-off-by: J. Doe <j.doe@domain.com>

Describe your changes

Code checklist before requesting a review

  • I have signed the DCO?
  • The build completes without errors?
  • All tests are passing when running make test?

PR Type

Bug fix, Enhancement


Description

  • Fix db-event-writer CNPG mTLS connection failures by using correct client certificates

  • Wire CNPG_CERT_FILE and CNPG_KEY_FILE environment variables in Helm and demo manifests

  • Update entrypoint defaults to prefer cnpg-client certificate bundle instead of service cert

  • Add documentation and specification for CNPG client certificate authentication


Diagram Walkthrough

flowchart LR
  A["db-event-writer entrypoint"] -->|"uses cnpg-client certs"| B["CNPG connection"]
  C["Helm deployment"] -->|"sets env vars"| A
  D["Demo kustomize"] -->|"sets env vars"| A
  E["Cert generation"] -->|"creates cnpg-client bundle"| F["Certificate store"]
  F -->|"mounted to"| A
  B -->|"mTLS success"| G["CNPG database"]

File Walkthrough

Relevant files

Bug fix (5 files)
  • entrypoint-db-event-writer.sh: Update default certificate paths to cnpg-client bundle (+2/-2)
  • db-event-writer.yaml: Add CNPG client certificate environment variables (+4/-0)
  • serviceradar-db-event-writer.yaml: Wire CNPG TLS configuration environment variables (+10/-0)
  • serviceradar-db-event-writer-config.yaml: Update config to reference cnpg-client certificate paths (+2/-2)
  • cert-scripts-configmap.yaml: Add cnpg-client certificate generation to cert script (+1/-0)

Documentation (4 files)
  • agents.md: Document CNPG client certificate requirement for db-event-writer (+3/-0)
  • proposal.md: Add change proposal for CNPG mTLS fix (+13/-0)
  • spec.md: Add specification for CNPG client certificate authentication (+13/-0)
  • tasks.md: Add implementation tasks for CNPG mTLS fix (+7/-0)

qodo-code-review[bot] commented 2026-01-14 19:38:13 +00:00 (Migrated from github.com)

Imported GitHub PR comment.

Original author: @qodo-code-review[bot]
Original URL: https://github.com/carverauto/serviceradar/pull/2302#issuecomment-3751278356
Original created: 2026-01-14T19:38:13Z

PR Compliance Guide 🔍

Below is a summary of compliance checks for this PR:

Security Compliance
🟢
No security concerns identified
No security vulnerabilities detected by AI analysis. Human verification advised for critical code.
Ticket Compliance
⚪
🎫 No ticket provided
  • Create ticket/issue
Codebase Duplication Compliance
⚪
Codebase context is not defined

Follow the guide to enable codebase context checks.

Custom Compliance
🟢
Generic: Comprehensive Audit Trails

Objective: To create a detailed and reliable record of critical system actions for security analysis and compliance.

Status: Passed

Learn more about managing compliance generic rules or creating your own custom rules

Generic: Meaningful Naming and Self-Documenting Code

Objective: Ensure all identifiers clearly express their purpose and intent, making code self-documenting.

Status: Passed

Learn more about managing compliance generic rules or creating your own custom rules

Generic: Robust Error Handling and Edge Case Management

Objective: Ensure comprehensive error handling that provides meaningful context and graceful degradation.

Status: Passed

Learn more about managing compliance generic rules or creating your own custom rules

Generic: Secure Error Handling

Objective: To prevent the leakage of sensitive system information through error messages while providing sufficient detail for internal debugging.

Status: Passed

Learn more about managing compliance generic rules or creating your own custom rules

Generic: Secure Logging Practices

Objective: To ensure logs are useful for debugging and auditing without exposing sensitive information like PII, PHI, or cardholder data.

Status: Passed

Learn more about managing compliance generic rules or creating your own custom rules

Generic: Security-First Input Validation and Data Handling

Objective: Ensure all data inputs are validated, sanitized, and handled securely to prevent vulnerabilities.

Status: Passed

Learn more about managing compliance generic rules or creating your own custom rules

Compliance status legend
🟢 - Fully Compliant
🟡 - Partial Compliant
🔴 - Not Compliant
⚪ - Requires Further Human Verification
🏷️ - Compliance label
qodo-code-review[bot] commented 2026-01-14 19:39:20 +00:00 (Migrated from github.com)

Imported GitHub PR comment.

Original author: @qodo-code-review[bot]
Original URL: https://github.com/carverauto/serviceradar/pull/2302#issuecomment-3751285133
Original created: 2026-01-14T19:39:20Z

PR Code Suggestions

Explore these optional code suggestions:

Category: Possible issue
Suggestion: Verify certificate files exist before start

Add a pre-start check in the entrypoint script to verify that the CNPG client
certificate and key files exist and are readable, exiting with an error if they
are not.

docker/compose/entrypoint-db-event-writer.sh [57-58]

 CNPG_CERT_FILE_VALUE="${CNPG_CERT_FILE:-$CNPG_CERT_DIR_VALUE/cnpg-client.pem}"
 CNPG_KEY_FILE_VALUE="${CNPG_KEY_FILE:-$CNPG_CERT_DIR_VALUE/cnpg-client-key.pem}"
+if [ ! -r "$CNPG_CERT_FILE_VALUE" ] || [ ! -r "$CNPG_KEY_FILE_VALUE" ]; then
+  echo "ERROR: CNPG client cert/key not found or not readable at $CNPG_CERT_FILE_VALUE and $CNPG_KEY_FILE_VALUE"
+  exit 1
+fi
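Review bot: `-r` alone lets a zero-byte cnpg-client.pem or cnpg-client-key.pem pass, so a bundle that is mounted but not yet written gets past this check and still fails later in the TLS handshake; test with `-s` (exists and non-empty) as well, e.g. `if [ ! -s "$CNPG_CERT_FILE_VALUE" ] || [ ! -r "$CNPG_CERT_FILE_VALUE" ] || ...`. Also send the ERROR line to stderr (`echo "..." >&2`) so it is not interleaved with the service's normal stdout.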
Suggestion importance [1-10]: 7

Why: This is a good practice for improving robustness and debuggability by adding explicit checks for certificate files, which helps to fail fast with a clear error message instead of an obscure TLS error later.

Impact: Medium
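The defaulting that the PR description gives the entrypoint (explicit CNPG_CERT_FILE / CNPG_KEY_FILE, otherwise the cnpg-client bundle under the cert directory) together with the fail-fast check from the suggestion above, written out as two POSIX sh functions. This is an added example, not the ServiceRadar entrypoint; the function names and the /etc/serviceradar/certs default for CNPG_CERT_DIR are assumptions.

```shell
#!/bin/sh
# Added example, not the ServiceRadar entrypoint: resolve the CNPG client
# bundle the way the PR's entrypoint defaults do, then refuse to start with a
# clear diagnostic instead of an opaque TLS failure from the database driver.
# Assumed: the function names and /etc/serviceradar/certs as the CNPG_CERT_DIR default.

# Print "<cert> <key>" on one line. Explicit CNPG_CERT_FILE / CNPG_KEY_FILE win;
# otherwise the cnpg-client bundle under CNPG_CERT_DIR is used, never the
# service's own cert, which is what caused the mTLS failures this PR fixes.
cnpg_client_paths() {
  dir="${CNPG_CERT_DIR:-/etc/serviceradar/certs}"
  printf '%s %s\n' \
    "${CNPG_CERT_FILE:-$dir/cnpg-client.pem}" \
    "${CNPG_KEY_FILE:-$dir/cnpg-client-key.pem}"
}

# Return 0 when both files are usable, 1 otherwise, reporting every problem
# on stderr. "-s" (non-empty) catches a bundle that was mounted but not yet
# written; "-r" catches ownership/permission mistakes. The key must not be
# group- or world-accessible (libpq applies a similar rule to sslkey).
check_cnpg_client_bundle() {
  cert="$1"; key="$2"; rc=0
  for f in "$cert" "$key"; do
    if [ ! -s "$f" ]; then
      echo "ERROR: CNPG client file missing or empty: $f" >&2; rc=1
    elif [ ! -r "$f" ]; then
      echo "ERROR: CNPG client file not readable: $f" >&2; rc=1
    fi
  done
  if [ "$rc" -eq 0 ]; then
    # columns 5-10 of `ls -l` are the group and other permission bits
    mode="$(ls -ld "$key" | cut -c5-10)"
    if [ "$mode" != "------" ]; then
      echo "ERROR: $key is group/world accessible (bits: $mode); use chmod 600" >&2
      rc=1
    fi
  fi
  return "$rc"
}

# Entrypoint-style usage (paths are assumed to contain no whitespace):
#   set -- $(cnpg_client_paths)
#   check_cnpg_client_bundle "$1" "$2" || exit 1
#   exec "$@"   # hand off to the service binary
```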