
feat(deployment): Add support for root database credentials in Helm templates. #1759

Merged
junhaoliao merged 2 commits into y-scope:main from junhaoliao:root-creds-k8s
Dec 10, 2025

junhaoliao (Member) commented Dec 10, 2025

Description

Note

This PR is part of the ongoing work for #1309. More PRs will be submitted until the Helm chart is complete and fully functional.

This PR updates the CLP Helm chart to include support for root database credentials. The changes include:

  • Database secret: Added root_username and root_password fields to database-secret.yaml.
  • Database StatefulSet: Updated the environment variable in the container to use root_password for relevant operations.
  • DB table creator job: Added CLP_DB_ROOT_USER and CLP_DB_ROOT_PASS environment variables for root-level access during table creation.
  • Default values: Added root credentials to values.yaml with default values "root" / "root-pass".

These changes allow the chart to support operations requiring root-level database access, matching the Docker Compose orchestration.

Checklist

  • The PR satisfies the contribution guidelines.
  • This is a breaking change and that has been indicated in the PR title, OR this isn't a
    breaking change.
  • Necessary docs have been updated, OR no docs need to be updated.

Validation performed

junhao@ASUS-X870E:~/workspace/2-clp$ cd tools/deployment/package-helm/
junhao@ASUS-X870E:~/workspace/2-clp/tools/deployment/package-helm$ ./test.sh 
Deleting cluster "clp-test" ...
Deleted nodes: ["clp-test-control-plane"]
Creating cluster "clp-test" ...
 ✓ Ensuring node image (kindest/node:v1.34.0) 🖼
 ✓ Preparing nodes 📦  
 ✓ Writing configuration 📜
 ✓ Starting control-plane 🕹️ 
 ✓ Installing CNI 🔌 
 ✓ Installing StorageClass 💾 
Set kubectl context to "kind-clp-test"
You can now use your cluster with:

kubectl cluster-info --context kind-clp-test

Thanks for using kind! 😊
Error: uninstall: Release not loaded: test: release: not found
I1210 08:27:35.838412  174262 warnings.go:110] "Warning: spec.SessionAffinity is ignored for headless services"
I1210 08:27:35.839204  174262 warnings.go:110] "Warning: spec.SessionAffinity is ignored for headless services"
NAME: test
LAST DEPLOYED: Wed Dec 10 08:27:35 2025
NAMESPACE: default
STATUS: deployed
REVISION: 1
DESCRIPTION: Install complete
TEST SUITE: None

# wait for 40s

# observed no failure in the pods
junhao@ASUS-X870E:~/workspace/2-clp/tools/deployment/package-helm$ kubectl get pods
NAME                                           READY   STATUS      RESTARTS   AGE
test-clp-database-0                            1/1     Running     0          40s
test-clp-db-table-creator-dw5k4                0/1     Completed   0          40s
test-clp-queue-0                               1/1     Running     0          40s
test-clp-redis-0                               1/1     Running     0          40s
test-clp-results-cache-0                       1/1     Running     0          40s
test-clp-results-cache-indices-creator-w96gp   0/1     Completed   0          40s

junhao@ASUS-X870E:~/workspace/2-clp/tools/deployment/package-helm$ kubectl exec -it test-clp-database-0 -- mysql -u clp-user -p"pass" -e "SELECT 1;"
+---+
| 1 |
+---+
| 1 |
+---+
junhao@ASUS-X870E:~/workspace/2-clp/tools/deployment/package-helm$ kubectl exec -it test-clp-database-0 -- mysql -u root -p"pass" -e "SELECT 1;"
ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: YES)
command terminated with exit code 1
junhao@ASUS-X870E:~/workspace/2-clp/tools/deployment/package-helm$ kubectl exec -it test-clp-database-0 -- mysql -u root -p"root-pass" -e "SELECT 1;"
+---+
| 1 |
+---+
| 1 |
+---+

Summary by CodeRabbit

Release Notes

  • Chores
    • Updated deployment version to 0.1.2-dev.3.
    • Enhanced database credential management in deployment configuration.


coderabbitai Bot (Contributor) commented Dec 10, 2025

Walkthrough

The pull request updates the Helm chart to introduce support for root database credentials. It adds root_username and root_password configuration values, exposes them in the database secret template, updates the database StatefulSet to reference the root password key, and provides root credential environment variables to the db-table-creator job. The chart version is also bumped to 0.1.2-dev.3.

Changes

| Cohort / File(s) | Change Summary |
|---|---|
| Version bump: tools/deployment/package-helm/Chart.yaml | Updates chart version from 0.1.2-dev.2 to 0.1.2-dev.3 |
| Configuration values: tools/deployment/package-helm/values.yaml | Adds root_username and root_password fields under credentials.database |
| Secret and template updates: tools/deployment/package-helm/templates/database-secret.yaml, tools/deployment/package-helm/templates/database-statefulset.yaml | Expands Kubernetes Secret template with root_username and root_password entries in stringData; updates StatefulSet MYSQL_ROOT_PASSWORD environment variable to reference root_password secret key instead of password |
| Job environment variables: tools/deployment/package-helm/templates/db-table-creator-job.yaml | Adds two new environment variables (CLP_DB_ROOT_USER from root_username, CLP_DB_ROOT_PASS from root_password) sourced from the database secret |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

  • Verify that all configuration value references (root_username, root_password) are correctly sourced from values.yaml throughout templates
  • Confirm secret key names (root_username, root_password) are consistently used across templates
  • Check that environment variable names (CLP_DB_ROOT_USER, CLP_DB_ROOT_PASS) match expected application requirements

Possibly related issues

  • Integrate root database credentials with Helm chart deployment #1697: Implements Helm-side integration of root database credentials by adding root_username/root_password configuration values, exposing them in the database secret, updating the StatefulSet root password reference, and providing CLP_DB_ROOT_USER and CLP_DB_ROOT_PASS environment variables to db-table-creator

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The pull request title clearly and concisely describes the main change: adding root database credentials support to Helm templates. The title accurately reflects the primary objective of the changeset across all modified files. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: ASSERTIVE

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 423d089 and f620156.

📒 Files selected for processing (5)
  • tools/deployment/package-helm/Chart.yaml (1 hunks)
  • tools/deployment/package-helm/templates/database-secret.yaml (1 hunks)
  • tools/deployment/package-helm/templates/database-statefulset.yaml (1 hunks)
  • tools/deployment/package-helm/templates/db-table-creator-job.yaml (1 hunks)
  • tools/deployment/package-helm/values.yaml (1 hunks)
🧰 Additional context used
🧠 Learnings (2)
📓 Common learnings
Learnt from: junhaoliao
Repo: y-scope/clp PR: 1655
File: components/clp-package-utils/clp_package_utils/controller.py:183-189
Timestamp: 2025-11-28T15:12:53.530Z
Learning: In the y-scope/clp project, root database credentials (root username and password) are required configuration items for all deployments. The `credentials[ClpDbUserType.ROOT]` entry is guaranteed to exist and can be accessed directly without optional handling.
📚 Learning: 2025-11-28T15:12:53.530Z

Applied to files:

  • tools/deployment/package-helm/templates/db-table-creator-job.yaml
  • tools/deployment/package-helm/values.yaml
  • tools/deployment/package-helm/templates/database-statefulset.yaml
  • tools/deployment/package-helm/templates/database-secret.yaml
🪛 YAMLlint (1.37.1)
tools/deployment/package-helm/templates/db-table-creator-job.yaml

[error] 50-50: too many spaces inside braces (braces)
[error] 50-50: too many spaces inside braces (braces)
[error] 55-55: too many spaces inside braces (braces)
[error] 55-55: too many spaces inside braces (braces)

tools/deployment/package-helm/templates/database-secret.yaml

[error] 12-12: too many spaces inside braces (braces)
[error] 12-12: too many spaces inside braces (braces)
[error] 13-13: too many spaces inside braces (braces)
[error] 13-13: too many spaces inside braces (braces)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
  • GitHub Check: package-image
  • GitHub Check: build (macos-15)
🔇 Additional comments (5)
tools/deployment/package-helm/Chart.yaml (1)

3-3: Version bump is appropriate for this feature addition.

The chart version increment from 0.1.2-dev.2 to 0.1.2-dev.3 is consistent with introducing root credentials support.

tools/deployment/package-helm/values.yaml (1)

55-56: Root credentials configuration properly integrated.

The new root_username and root_password fields are correctly nested under credentials.database with sensible development defaults. Based on learnings, root credentials are required configuration items in this project, and this addition aligns with that requirement.

tools/deployment/package-helm/templates/database-statefulset.yaml (1)

47-51: Root password now correctly sourced from dedicated secret key.

The change from key: "password" to key: "root_password" is logically correct—MYSQL_ROOT_PASSWORD should use root credentials rather than regular application user password. This separation improves security and clarity.

tools/deployment/package-helm/templates/database-secret.yaml (1)

12-13: Root credentials properly exposed in database secret.

The new stringData entries correctly source root_username and root_password from the updated values.yaml structure. The template syntax is consistent with existing entries.

Note: YAMLlint warnings about "too many spaces inside braces" on these lines are false positives; the Helm/Jinja2 template syntax {{ .Values... | quote }} is valid and identical to the pattern used in lines 10–11.

tools/deployment/package-helm/templates/db-table-creator-job.yaml (1)

47-56: Root credentials properly exposed to db-table-creator job.

The new CLP_DB_ROOT_USER and CLP_DB_ROOT_PASS environment variables are correctly sourced from the same secret and follow the established valueFrom.secretKeyRef pattern. This enables the table creation job to perform root-level database operations as required during setup.

Note: YAMLlint warnings about "too many spaces inside braces" are false positives from the linter not recognizing Helm template syntax.

Please verify that the db-table-creator job implementation (Python code) consumes these new CLP_DB_ROOT_USER and CLP_DB_ROOT_PASS environment variables for root-level access during table creation, as mentioned in the PR description.


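As an added example (not code from the PR or the CLP project), the following Python check audits the Secret keys and environment-variable wiring that the PR description and review summary describe. It assumes the rendered manifests have already been parsed into dicts; the function names, the Secret name `example-db` and the policy of rejecting credential values printed on this page are assumptions of this example.

```python
# Added example: audit a rendered database Secret and the env wiring from this PR.
# Inputs are plain dicts/lists, as a YAML parser yields from `helm template` output.

# Credential values printed on this page; treat them as publicly known.
PUBLISHED_VALUES = {"root-pass", "pass"}

# Env variable -> Secret key, as stated in the PR description and review summary.
EXPECTED_KEYS = {
    "MYSQL_ROOT_PASSWORD": "root_password",
    "CLP_DB_ROOT_USER": "root_username",
    "CLP_DB_ROOT_PASS": "root_password",
}


def audit_secret(string_data):
    """Return findings for the Secret's stringData mapping."""
    findings = []
    for key in ("password", "root_username", "root_password"):
        if not string_data.get(key):
            findings.append(f"{key}: missing or empty")
    for key in ("password", "root_password"):
        if string_data.get(key) in PUBLISHED_VALUES:
            findings.append(f"{key}: uses a value published on the PR page")
    root_pw = string_data.get("root_password")
    if root_pw and root_pw == string_data.get("password"):
        findings.append("root_password: same as the application password")
    return findings


def audit_env(env):
    """Return findings for a container's env list (Kubernetes EnvVar entries)."""
    findings = []
    for var in env:
        name = var.get("name")
        if name not in EXPECTED_KEYS:
            continue
        ref = (var.get("valueFrom") or {}).get("secretKeyRef") or {}
        if "value" in var:
            findings.append(f"{name}: literal value instead of secretKeyRef")
        elif ref.get("key") != EXPECTED_KEYS[name]:
            findings.append(f"{name}: reads Secret key {ref.get('key')!r}, "
                            f"expected {EXPECTED_KEYS[name]!r}")
    return findings


# Constructed sample: values seen on this page plus the pre-PR StatefulSet wiring.
SAMPLE_SECRET = {"password": "pass", "root_username": "root", "root_password": "root-pass"}
SAMPLE_ENV = [{"name": "MYSQL_ROOT_PASSWORD",
               "valueFrom": {"secretKeyRef": {"name": "example-db", "key": "password"}}}]
```

Run against the constructed sample, `audit_secret` flags both passwords as published values and `audit_env` flags `MYSQL_ROOT_PASSWORD` reading the `password` key, which is the wiring this PR replaced.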

@junhaoliao junhaoliao marked this pull request as ready for review December 10, 2025 13:29
@junhaoliao junhaoliao requested a review from a team as a code owner December 10, 2025 13:29
@junhaoliao junhaoliao merged commit 53b8bf0 into y-scope:main Dec 10, 2025
23 checks passed
davidlion pushed a commit to davidlion/clp that referenced this pull request Jan 17, 2026
@junhaoliao junhaoliao deleted the root-creds-k8s branch May 7, 2026 19:46
junhaoliao added a commit to junhaoliao/clp that referenced this pull request May 17, 2026
junhaoliao added a commit to junhaoliao/clp that referenced this pull request May 17, 2026