
Conversation

@ralf-berger

Closes #1

@ralf-berger ralf-berger force-pushed the 1-add-kubernetes-manifests branch 4 times, most recently from f8b6461 to aab4581 Compare April 14, 2025 10:38
@ralf-berger ralf-berger force-pushed the 1-add-kubernetes-manifests branch 3 times, most recently from 1fbefe9 to 10fdd62 Compare April 23, 2025 13:34
@ralf-berger ralf-berger force-pushed the 1-add-kubernetes-manifests branch from 10fdd62 to 2f11346 Compare August 17, 2025 10:08
@ralf-berger ralf-berger self-assigned this Aug 20, 2025
@ralf-berger ralf-berger added the enhancement New feature or request label Aug 20, 2025
@ralf-berger ralf-berger marked this pull request as ready for review August 28, 2025 11:35
@coderabbitai

coderabbitai bot commented Aug 28, 2025

Summary by CodeRabbit

  • New Features

    • Introduced Kubernetes deployment for the application, including API, UI, worker, MongoDB, Redis, and xAPI service.
    • Added Ingress with TLS support and HTTPS redirection, exposing /, /api, and /data routes.
    • Implemented health checks for services and persistent storage for databases.
    • Centralized configuration via ConfigMaps/Secrets with image overrides.
  • Chores

    • Added Kustomize bases and labels for consistent resource management.
    • Updated container entrypoint to support MONGO_URL and require essential Mongo settings when not provided.


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 53

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
.k8s/base/redis/kustomization.yaml (1)

15-21: Fix YAML indentation for vars; consider migrating from vars to replacements

Vars work but are deprecated in favor of replacements. First, fix indentation:

 vars:
-- name: LEARNINGLOCKER_REDIS_SERVICE
-  objref:
-    apiVersion: v1
-    kind: Service
-    name: redis
+  - name: LEARNINGLOCKER_REDIS_SERVICE
+    objref:
+      apiVersion: v1
+      kind: Service
+      name: redis
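Review bot: both indentations are valid YAML, since a block sequence may start at the same column as its parent key, so this hunk only quiets yamllint; the point that matters is the deprecation of `vars`. An equivalent `replacements` entry takes the Service's `metadata.name` as its source (`kind: Service`, `name: redis`) and lists every `$(LEARNINGLOCKER_REDIS_SERVICE)` consumer as a target, for example `fieldPaths: [spec.template.spec.containers.[name=api].env.[name=REDIS_HOST].value]`; because replacements run after the root `namePrefix: learninglocker-` is applied, the substituted value is the prefixed Service name, just as the var resolves today. The same change is needed in .k8s/base/mongo/kustomization.yaml for LEARNINGLOCKER_MONGO_SERVICE.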

I can provide a replacements stanza to replace $(LEARNINGLOCKER_REDIS_SERVICE) usages if you want to drop vars.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: ASSERTIVE

📥 Commits

Reviewing files that changed from the base of the PR and between 6b6132f and e90cbb6.

📒 Files selected for processing (23)
  • .k8s/base/api/deployment.yaml (1 hunks)
  • .k8s/base/api/kustomization.yaml (1 hunks)
  • .k8s/base/api/service.yaml (1 hunks)
  • .k8s/base/ingress.yaml (1 hunks)
  • .k8s/base/kustomization.yaml (1 hunks)
  • .k8s/base/mongo/deployment.yaml (1 hunks)
  • .k8s/base/mongo/kustomization.yaml (1 hunks)
  • .k8s/base/mongo/pvc.yaml (1 hunks)
  • .k8s/base/mongo/service.yaml (1 hunks)
  • .k8s/base/redis/deployment.yaml (1 hunks)
  • .k8s/base/redis/kustomization.yaml (1 hunks)
  • .k8s/base/redis/pvc.yaml (1 hunks)
  • .k8s/base/redis/service.yaml (1 hunks)
  • .k8s/base/ui/deployment.yaml (1 hunks)
  • .k8s/base/ui/kustomization.yaml (1 hunks)
  • .k8s/base/ui/service.yaml (1 hunks)
  • .k8s/base/worker/deployment.yaml (1 hunks)
  • .k8s/base/worker/kustomization.yaml (1 hunks)
  • .k8s/base/xapi-service/deployment.yaml (1 hunks)
  • .k8s/base/xapi-service/kustomization.yaml (1 hunks)
  • .k8s/base/xapi-service/pvc.yaml (1 hunks)
  • .k8s/base/xapi-service/service.yaml (1 hunks)
  • bin/entrypoint (1 hunks)
🧰 Additional context used
🪛 Checkov (3.2.334)

Every Deployment in the PR receives the same set of findings (line ranges: worker 1-23, redis 1-31, xapi-service 1-42, mongo 1-36, ui 1-32, api 1-56):

  • [MEDIUM] Containers should not run with allowPrivilegeEscalation (CKV_K8S_20)
  • [MEDIUM] Minimize the admission of root containers (CKV_K8S_23)
  • [LOW] CPU requests should be set (CKV_K8S_10)
  • [LOW] CPU limits should be set (CKV_K8S_11)
  • [LOW] Memory requests should be set (CKV_K8S_12)
  • [LOW] Memory limits should be set (CKV_K8S_13)
  • [LOW] Image Tag should be fixed - not latest or blank (CKV_K8S_14)
  • [LOW] Image should use digest (CKV_K8S_43)
  • [LOW] Readiness Probe Should be Configured (CKV_K8S_9)
  • [LOW] The default namespace should not be used (CKV_K8S_21)
  • [LOW] Use read-only filesystem for containers where possible (CKV_K8S_22)
  • [LOW] Minimize the admission of containers with the NET_RAW capability (CKV_K8S_28)
  • [LOW] Apply security context to your pods and containers (CKV_K8S_29)
  • [LOW] Apply security context to your containers (CKV_K8S_30)
  • [LOW] Ensure that the seccomp profile is set to docker/default or runtime/default (CKV_K8S_31)
  • [LOW] Minimize the admission of containers with capabilities assigned (CKV_K8S_37)
  • [LOW] Ensure that Service Account Tokens are only mounted where necessary (CKV_K8S_38)
  • [LOW] Containers should run as a high UID to avoid host conflict (CKV_K8S_40)

Additional per-Deployment findings:

  • worker, ui, api: [LOW] Prefer using secrets as files over secrets as environment variables (CKV_K8S_35)
  • worker only: [LOW] Liveness Probe Should be Configured (CKV_K8S_8)

Other resources:

  • .k8s/base/api/service.yaml, .k8s/base/ui/service.yaml, .k8s/base/redis/service.yaml, .k8s/base/mongo/service.yaml, .k8s/base/xapi-service/service.yaml (1-9) and .k8s/base/ingress.yaml (1-38): [LOW] The default namespace should not be used (CKV_K8S_21)
  • .k8s/base/kustomization.yaml (43-44): [LOW] Base64 High Entropy String (CKV_SECRET_6)

🪛 YAMLlint (1.37.1)

All findings are [error] (indentation) unless noted; "8/6" means "wrong indentation: expected 8 but found 6".

  • .k8s/base/worker/deployment.yaml: line 10 (8/6); lines 13, 15, 20 (10/8)
  • .k8s/base/api/kustomization.yaml: line 5 (expected at least 1); line 11 (2/0)
  • .k8s/base/redis/deployment.yaml: line 10 (8/6); line 13 (10/8); line 18 (14/12); lines 23, 26 (10/8)
  • .k8s/base/redis/service.yaml: line 7 (4/2)
  • .k8s/base/xapi-service/deployment.yaml: line 10 (8/6); lines 13, 28, 37 (10/8); line 40 (8/6)
  • .k8s/base/redis/kustomization.yaml: line 5 (expected at least 1); lines 11, 16 (2/0)
  • .k8s/base/ingress.yaml: line 11 (4/2); line 14 (8/6); line 36 (4/2); line 37 (6/4)
  • .k8s/base/redis/pvc.yaml, .k8s/base/mongo/pvc.yaml, .k8s/base/xapi-service/pvc.yaml: line 7 (4/2)
  • .k8s/base/mongo/kustomization.yaml: line 5 (expected at least 1); lines 11, 16 (2/0)
  • .k8s/base/ui/service.yaml, .k8s/base/mongo/service.yaml, .k8s/base/xapi-service/service.yaml, .k8s/base/api/service.yaml: line 7 (4/2)
  • .k8s/base/ui/kustomization.yaml, .k8s/base/xapi-service/kustomization.yaml, .k8s/base/worker/kustomization.yaml: line 5 (expected at least 1); line 11 (2/0)
  • .k8s/base/kustomization.yaml: line 6 (expected at least 1); lines 12, 21 (2/0); lines 23, 27 (4/2); lines 41, 50, 59 (2/0); line 68: too many blank lines (1 > 0) (empty-lines)
  • .k8s/base/ui/deployment.yaml: line 10 (8/6); lines 13, 15, 20, 25 (10/8); line 32: no new line character at the end of file (new-line-at-end-of-file)
  • .k8s/base/api/deployment.yaml: line 10 (8/6); lines 14, 19, 26, 31 (10/8); line 35 (8/6); lines 39, 44, 51 (10/8)

🔇 Additional comments (4)
.k8s/base/redis/service.yaml (1)

1-9: Avoid default namespace in runtime.

Checkov flags default namespace usage. Ensure your kustomization/overlays set namespace: appropriately.

.k8s/base/api/service.yaml (1)

1-9: Ensure namespace is set via kustomization/overlays.

Address the default-namespace warning by setting namespace: in overlays.

bin/entrypoint (1)

4-7: Good: enforce required env vars and construct MONGODB_PATH deterministically.
This removes surprising defaults and will fail fast on misconfig.

.k8s/base/api/deployment.yaml (1)

46-49: Vars for Redis and Mongo service names are correctly declared and will be prefixed by learninglocker-.

LEARNINGLOCKER_REDIS_SERVICE and LEARNINGLOCKER_MONGO_SERVICE are defined in
.k8s/base/redis/kustomization.yaml and
.k8s/base/mongo/kustomization.yaml respectively, and the root namePrefix: learninglocker- in
.k8s/base/kustomization.yaml ensures their final metadata.names become learninglocker-redis and learninglocker-mongo. No further changes required.

Comment on lines +5 to +8 of .k8s/base/ingress.yaml:

  annotations:
    kubernetes.io/tls-acme: "true"
    cert-manager.io/cluster-issuer: letsencrypt-prod
    traefik.ingress.kubernetes.io/redirect-entry-point: https

@coderabbitai coderabbitai bot Aug 28, 2025


🧹 Nitpick (assertive)

Legacy annotations — confirm Traefik/cert-manager versions

  • kubernetes.io/tls-acme and traefik.ingress.kubernetes.io/redirect-entry-point are legacy. Traefik v2 typically uses router.* annotations; cert-manager relies on the TLS block + issuer annotation only.

If you’re on Traefik v2, I can propose the v2 router.entrypoints/router.tls annotations.

🤖 Prompt for AI Agents
In .k8s/base/ingress.yaml around lines 5-8, the file uses legacy annotations
(kubernetes.io/tls-acme and traefik.ingress.kubernetes.io/redirect-entry-point);
if you’re running Traefik v2, remove kubernetes.io/tls-acme and the
redirect-entry-point annotation and replace them with Traefik v2 router
annotations (e.g. traefik.ingress.kubernetes.io/router.entrypoints set to
websecure and traefik.ingress.kubernetes.io/router.tls enabled) and ensure
cert-manager is configured via a TLS block with a secretName plus the
cert-manager.io/cluster-issuer (or cert-manager.io/issuer) annotation; confirm
Traefik and cert-manager versions and apply those changes accordingly.

@ralf-berger (Author)


@coderabbitai I'm on Traefik v3.3, please provide updated annotation for recent versions of the Traefik Ingress controller.

@coderabbitai coderabbitai bot


The cert-manager.io/cluster-issuer annotation remains current and works with Traefik v3.3.

@ralf-berger (Author)


@coderabbitai Please propose the v2 router.entrypoints/router.tls annotations.

@coderabbitai coderabbitai bot


@ralf-berger Here are the updated Traefik v3.3 annotations for your ingress:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: learninglocker
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
    traefik.ingress.kubernetes.io/router.entrypoints: web,websecure
    traefik.ingress.kubernetes.io/router.tls: "true"

Changes made:

  • Removed kubernetes.io/tls-acme: "true" - cert-manager handles this automatically with the TLS block
  • Removed traefik.ingress.kubernetes.io/redirect-entry-point: https - replaced with modern router configuration
  • Added traefik.ingress.kubernetes.io/router.entrypoints: web,websecure - accepts both HTTP (web) and HTTPS (websecure) traffic
  • Added traefik.ingress.kubernetes.io/router.tls: "true" - enables TLS on the router

The cert-manager.io/cluster-issuer: letsencrypt-prod annotation remains unchanged as it's the current standard for cert-manager integration.
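To make the annotation discussion in this thread concrete, here is an added example (not code from the PR, from CodeRabbit, or from the Learning Locker project) that checks an Ingress, handled as the dict `yaml.safe_load()` would return, for the three things the thread touched: leftover Traefik v1 / ingress-shim annotations, the cert-manager wiring (issuer annotation plus `spec.tls[].secretName`), and whether plain HTTP is still redirected. The host `learninglocker.example.com`, the secret name `learninglocker-tls` and the `entrypoint_redirect` flag (whether Traefik's static configuration redirects the `web` entrypoint to `websecure`) are assumptions, not values from the project. The redirect check rests on documented Traefik behaviour: a router with TLS configured only matches TLS requests, so `router.tls: "true"` on an Ingress that also lists `web` does not redirect plain HTTP, it ignores it, and the redirect that the removed `redirect-entry-point` annotation used to provide has to come from the entrypoint configuration.

```python
"""Checks for a Traefik-fronted Ingress (added example, not project code):
legacy annotations, cert-manager wiring, and whether plain HTTP is still redirected."""
from typing import Any, Dict, List

ISSUER = ("cert-manager.io/cluster-issuer", "cert-manager.io/issuer")
ENTRYPOINTS = "traefik.ingress.kubernetes.io/router.entrypoints"
ROUTER_TLS = "traefik.ingress.kubernetes.io/router.tls"
LEGACY = {
    "traefik.ingress.kubernetes.io/redirect-entry-point":
        "Traefik v1 annotation, ignored by v2 and v3",
    "kubernetes.io/tls-acme":
        "ingress-shim shortcut; only acts if cert-manager runs with default-issuer flags",
}
# The two annotation sets from this thread: as committed in the PR, and as proposed.
BEFORE = {"kubernetes.io/tls-acme": "true",
          "cert-manager.io/cluster-issuer": "letsencrypt-prod",
          "traefik.ingress.kubernetes.io/redirect-entry-point": "https"}
AFTER = {"cert-manager.io/cluster-issuer": "letsencrypt-prod",
         ENTRYPOINTS: "web,websecure",
         ROUTER_TLS: "true"}


def ingress(annotations: Dict[str, str]) -> Dict[str, Any]:
    """Constructed Ingress around the given annotations; host and secretName are assumed."""
    return {"apiVersion": "networking.k8s.io/v1", "kind": "Ingress",
            "metadata": {"name": "learninglocker", "annotations": dict(annotations)},
            "spec": {"tls": [{"hosts": ["learninglocker.example.com"],
                              "secretName": "learninglocker-tls"}],
                     "rules": [{"host": "learninglocker.example.com"}]}}


def check_ingress(ing: Dict[str, Any], entrypoint_redirect: bool) -> List[str]:
    """`entrypoint_redirect`: does Traefik's static config already redirect the
    `web` entrypoint to `websecure`? A manifest-only check cannot see that."""
    findings: List[str] = []
    ann = ing["metadata"].get("annotations", {})
    for key, why in LEGACY.items():
        if key in ann:
            findings.append(f"legacy annotation {key}: {why}")
    if not any(t.get("secretName") for t in ing.get("spec", {}).get("tls", [])):
        findings.append("spec.tls[].secretName missing: cert-manager has nowhere to store the cert")
    if not any(k in ann for k in ISSUER):
        findings.append("no cert-manager issuer annotation: no certificate will be requested")
    entrypoints = [e.strip() for e in ann.get(ENTRYPOINTS, "").split(",") if e.strip()]
    tls_router = ann.get(ROUTER_TLS, "").strip().lower() == "true"
    # A Traefik router with TLS configured only matches TLS requests, so plain
    # HTTP arriving on `web` is dropped unless the entrypoint itself redirects.
    if tls_router and not entrypoint_redirect:
        where = " (listing 'web' in router.entrypoints does not change that)" if "web" in entrypoints else ""
        findings.append("router.tls=true: plain HTTP is ignored, not redirected; "
                        "configure web->websecure redirection on the entrypoint" + where)
    return findings


if __name__ == "__main__":
    for label, ann in (("before", BEFORE), ("after", AFTER)):
        print(label, check_ingress(ingress(ann), entrypoint_redirect=False))
```

Running the module: the `BEFORE` set (the annotations committed in the PR) reports the two legacy annotations; the `AFTER` set (the proposal above) passes only with `entrypoint_redirect=True`, that is, once the cluster's Traefik is started with `--entrypoints.web.http.redirections.entrypoint.to=websecure` or the equivalent Helm value, which is where the HTTP-to-HTTPS redirect now has to live.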


@coderabbitai coderabbitai bot left a comment


Review continued from previous batch...

Comment on lines +34 to +56 of .k8s/base/api/deployment.yaml:

      containers:
        - name: api
          image: learninglocker
          args: [api]
          envFrom:
            - configMapRef:
                name: learninglocker-config
            - secretRef:
                name: learninglocker-secret
          env:
            - name: PATH_PREFIX
              value: "/api"
            - name: REDIS_HOST
              value: $(LEARNINGLOCKER_REDIS_SERVICE)
            - name: MONGO_HOST
              value: $(LEARNINGLOCKER_MONGO_SERVICE)
          ports:
            - containerPort: 8080
              protocol: TCP
          livenessProbe:
            httpGet:
              path: /api/
              port: 8080

🛠️ Refactor suggestion

Harden security, add resources and readiness probe.

Baseline best practices.

         - name: api
           image: learninglocker
           args: [api]
+          securityContext:
+            runAsNonRoot: true
+            allowPrivilegeEscalation: false
+            readOnlyRootFilesystem: true
+            seccompProfile:
+              type: RuntimeDefault
+            capabilities:
+              drop: [ "ALL" ]
+          resources:
+            requests:
+              cpu: "100m"
+              memory: "256Mi"
+            limits:
+              cpu: "500m"
+              memory: "512Mi"
+          readinessProbe:
+            httpGet:
+              path: /api/
+              port: 8080
+            initialDelaySeconds: 5
+            periodSeconds: 10
+            failureThreshold: 3
+          automountServiceAccountToken: false
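Review bot: `automountServiceAccountToken` is a PodSpec field, but the added line is indented to the container level, alongside `securityContext` and `resources`; `kubectl apply` rejects the manifest with an unknown-field error, so move it up to `spec.template.spec` (`automountServiceAccountToken: false` next to `containers:`). Two of the hardening lines also need a runtime check rather than a blind merge: `runAsNonRoot: true` only admits the container if the image's USER (or an explicit `runAsUser`) is non-root, otherwise the pod sits in CreateContainerConfigError, and `readOnlyRootFilesystem: true` needs an `emptyDir` volume at every path the api process writes (temp files, logs, uploads) before it starts cleanly.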

Committable suggestion skipped: line range outside the PR's diff.


Comment on lines +27 to +32 of .k8s/base/ui/deployment.yaml:

        livenessProbe:
          httpGet:
            path: /
            port: 3000
          initialDelaySeconds: 15
          periodSeconds: 30
(No newline at end of file)

🛠️ Refactor suggestion

Add readiness probe, security hardening, and resources.

Align with API pod baseline.

         livenessProbe:
           httpGet:
             path: /
             port: 3000
           initialDelaySeconds: 15
           periodSeconds: 30
+        readinessProbe:
+          httpGet:
+            path: /
+            port: 3000
+          initialDelaySeconds: 5
+          periodSeconds: 10
+          failureThreshold: 3
+        securityContext:
+          runAsNonRoot: true
+          allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: true
+          seccompProfile:
+            type: RuntimeDefault
+          capabilities:
+            drop: [ "ALL" ]
+        resources:
+          requests:
+            cpu: "50m"
+            memory: "128Mi"
+          limits:
+            cpu: "250m"
+            memory: "256Mi"
+        automountServiceAccountToken: false
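Review bot: same placement issue as in the api suggestion: `automountServiceAccountToken: false` is indented level with `readinessProbe` and `securityContext`, i.e. inside the container, but it belongs on the pod spec, so the manifest as posted fails validation. The new readiness probe polls the same `/` on 3000 that the liveness probe does, only faster (5s/10s versus 15s/30s); that gates rollouts, but it cannot pull the pod out of the Service for any condition that would not also trigger a restart, so if the UI exposes a dependency-aware endpoint, point readiness at that instead. The `runAsNonRoot` and `readOnlyRootFilesystem` lines carry the same runtime prerequisites as for the api container: a non-root image USER (or `runAsUser`) and `emptyDir` mounts for any path the UI process writes.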

Committable suggestion skipped: line range outside the PR's diff.


🤖 Prompt for AI Agents
In .k8s/base/ui/deployment.yaml around lines 27 to 32, add a readinessProbe and
pod/container security hardening plus resource requests/limits to align with the
API pod baseline: add a readinessProbe (httpGet path: /, port: 3000,
initialDelaySeconds ~5-10, periodSeconds ~10), and under the container add
securityContext settings (allowPrivilegeEscalation: false,
readOnlyRootFilesystem: true, runAsNonRoot: true, runAsUser: 1000, capabilities:
drop all). Also add a pod-level securityContext if required (runAsNonRoot: true,
fsGroup: 1000). Finally add resources block on the container with sensible
requests/limits (e.g., cpu and memory request and limit values matching API
baseline) so the UI pod has resource guarantees and is hardened.
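Both hardening suggestions in this review (this one for the UI container and the earlier one for the api container) apply the same baseline, and both place `automountServiceAccountToken` at the wrong level. As an added example, not code from the PR, from CodeRabbit, or from the Learning Locker project, the Python below encodes that baseline as a check over a Deployment handled as a plain dict (what `yaml.safe_load()` returns for `kustomize build` output), applies it with the pod-level placement the API server accepts, and shows what the posted diff produces when taken literally. The input mirrors the api container quoted in this review; the namespace `learninglocker`, the resource sizes and the all-zero placeholder digest are assumptions made for the example.

```python
"""Policy check for Deployment manifests (added example, not project code): the
controls behind this review's Checkov findings, plus a helper that applies them."""
import copy
from typing import Any, Dict, List

# Constructed input mirroring the api container in .k8s/base/api/deployment.yaml.
API_DEPLOYMENT_BEFORE: Dict[str, Any] = {
    "apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "api"},
    "spec": {"template": {"spec": {"containers": [{
        "name": "api", "image": "learninglocker", "args": ["api"],
        "ports": [{"containerPort": 8080, "protocol": "TCP"}],
        "livenessProbe": {"httpGet": {"path": "/api/", "port": 8080}},
    }]}}},
}
INHERITED = ("runAsNonRoot", "seccompProfile")   # pod securityContext keys containers inherit
EXPECTED = {"runAsNonRoot": True, "allowPrivilegeEscalation": False, "readOnlyRootFilesystem": True}


def image_pinned(image: str) -> bool:
    """True for name@sha256:<digest> or name:<tag> with a tag other than latest."""
    if "@sha256:" in image:
        return True
    last = image.rsplit("/", 1)[-1]            # drop registry/path, which may contain ':'
    tag = last.split(":", 1)[1] if ":" in last else ""
    return tag not in ("", "latest")


def check_deployment(dep: Dict[str, Any]) -> List[str]:
    """One finding per missing control; an empty list means the manifest passes."""
    findings: List[str] = []
    pod = dep["spec"]["template"]["spec"]
    pod_sc = pod.get("securityContext", {})
    if dep.get("metadata", {}).get("namespace", "default") == "default":
        findings.append("namespace: resource lands in 'default' (set it in the overlay)")
    if pod.get("automountServiceAccountToken") is not False:
        findings.append("pod: automountServiceAccountToken should be false")
    for c in pod.get("containers", []):
        name = c["name"]
        # PodSpec field: placed on a container, kubectl apply rejects it as unknown.
        if "automountServiceAccountToken" in c:
            findings.append(f"{name}: automountServiceAccountToken is a pod-level field")
        sc = {k: v for k, v in pod_sc.items() if k in INHERITED}
        sc.update(c.get("securityContext", {}))   # container-level settings win
        for key, want in EXPECTED.items():
            if sc.get(key) is not want:
                findings.append(f"{name}: securityContext.{key} should be {str(want).lower()}")
        if sc.get("seccompProfile", {}).get("type") != "RuntimeDefault":
            findings.append(f"{name}: seccompProfile.type should be RuntimeDefault")
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            findings.append(f"{name}: capabilities.drop should include ALL")
        res = c.get("resources", {})
        for kind in ("requests", "limits"):
            for r in ("cpu", "memory"):
                if not res.get(kind, {}).get(r):
                    findings.append(f"{name}: resources.{kind}.{r} not set")
        for probe in ("livenessProbe", "readinessProbe"):
            if probe not in c:
                findings.append(f"{name}: {probe} not configured")
        if not image_pinned(c.get("image", "")):
            findings.append(f"{name}: image has no fixed tag or digest")
    return findings


def harden(dep: Dict[str, Any], namespace: str = "learninglocker") -> Dict[str, Any]:
    """Hardened copy of `dep`; namespace, resource sizes and the placeholder digest
    are assumptions for this example, not values taken from the project."""
    out = copy.deepcopy(dep)
    out.setdefault("metadata", {})["namespace"] = namespace
    pod = out["spec"]["template"]["spec"]
    pod["automountServiceAccountToken"] = False    # pod level, not container level
    pod["securityContext"] = {"runAsNonRoot": True,  # fails at start if the image runs as root
                              "seccompProfile": {"type": "RuntimeDefault"}}
    for c in pod["containers"]:
        c["securityContext"] = {"allowPrivilegeEscalation": False,
                                "readOnlyRootFilesystem": True,  # needs emptyDir for writable paths
                                "capabilities": {"drop": ["ALL"]}}
        c["resources"] = {"requests": {"cpu": "100m", "memory": "256Mi"},
                          "limits": {"cpu": "500m", "memory": "512Mi"}}
        if "readinessProbe" not in c and "livenessProbe" in c:
            c["readinessProbe"] = {**copy.deepcopy(c["livenessProbe"]),
                                   "initialDelaySeconds": 5, "periodSeconds": 10, "failureThreshold": 3}
        if not image_pinned(c["image"]):
            c["image"] = c["image"] + "@sha256:" + "0" * 64   # placeholder digest
    return out


def as_suggested_verbatim(dep: Dict[str, Any]) -> Dict[str, Any]:
    """The posted diff taken literally: the token setting indented under the container."""
    out = harden(dep)
    pod = out["spec"]["template"]["spec"]
    del pod["automountServiceAccountToken"]
    for c in pod["containers"]:
        c["automountServiceAccountToken"] = False
    return out


if __name__ == "__main__":
    for label, d in (("before", API_DEPLOYMENT_BEFORE), ("hardened", harden(API_DEPLOYMENT_BEFORE))):
        print(label, check_deployment(d))
```

`check_deployment` on the original api container yields 13 findings; on `harden()` output it yields none; on `as_suggested_verbatim()` output it yields exactly the two token findings, which is what the misplaced line costs. Of the controls, `readOnlyRootFilesystem` is the one most likely to bite at runtime (the container needs an `emptyDir` for every path the process writes), followed by `runAsNonRoot`, which needs an image that does not run as root or an explicit `runAsUser`.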


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 2

♻️ Duplicate comments (1)
bin/entrypoint (1)

4-6: MONGO_URL override implemented correctly (POSIX-safe under set -u).

This addresses the earlier nitpick; good use of ${MONGO_URL:-} and quoting.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: ASSERTIVE

📥 Commits

Reviewing files that changed from the base of the PR and between e90cbb6 and 4e962f4.

📒 Files selected for processing (1)
  • bin/entrypoint (1 hunks)

@ralf-berger ralf-berger merged commit 9afbec1 into master Aug 28, 2025
1 check passed
@ralf-berger ralf-berger deleted the 1-add-kubernetes-manifests branch August 28, 2025 12:20
Labels

enhancement New feature or request

Development

Linked issue (#1): Add Kubernetes manifests