
Harden deployment pipeline and manifests#2

Merged
TylrDn merged 1 commit into
mainfrom
codex/validate-and-secure-tensorized-model-deployment
Aug 30, 2025

Conversation

@TylrDn (Owner) commented Aug 30, 2025

Summary

  • remove unsafe os.chdir usage in example serializer
  • pin GitHub Actions to SHAs and configure kubectl/helm with kubeconfig
  • pin vLLM image and add S3 credential support in Helm and Knative manifests
  • document observability and add RBAC and NetworkPolicy examples

Testing

  • PYTHONPATH=. pytest (fails: ModuleNotFoundError: No module named 'serializer')
  • PYTHONPATH=. python examples/tensorizer/serialize_and_load.py --local-only (fails: ProxyError: Unable to connect to proxy)

https://chatgpt.com/codex/tasks/task_e_68b258c4e4d88323bc6b8a983da4b21f

Summary by Sourcery

Harden the deployment pipeline and manifests by pinning actions and images, adding secure S3 credential support, and tightening cluster security measures

New Features:

  • Add optional S3 credential injection in Helm and Knative deployments
  • Provide Kubernetes RBAC and NetworkPolicy sample manifests

Bug Fixes:

  • Replace unsafe os.chdir usage in the example serializer with a directory-parameterized HTTP handler

Enhancements:

  • Pin GitHub Actions steps and Docker image tags to specific SHAs and versions
  • Set up kubectl and Helm in the CI workflow and configure kubeconfig from secrets
  • Bump default vLLM image to version 0.2.2 and update Knative service accordingly
  • Switch ArgoCD target revision from HEAD to main

Documentation:

  • Clarify Prometheus scraping and log collection steps in the observability guide

Summary by CodeRabbit

  • New Features
    • Added optional S3 credentials injection via environment variables in deployments.
    • Introduced Kubernetes NetworkPolicy for controlled ingress/egress.
    • Added ServiceAccount, Role, and RoleBinding for scoped cluster access.
  • Bug Fixes
    • Improved example file server to avoid changing working directory, enhancing thread safety.
  • Documentation
    • Expanded observability guidance for Prometheus, Grafana, and Loki; added local demo instructions.
  • Chores
    • Pinned CI actions to specific commits; updated security and login steps.
    • Upgraded container image to v0.2.2.
    • Adjusted GitOps tracking to the main branch.
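The serializer change listed in the summary (dropping os.chdir in favour of a directory-scoped SimpleHTTPRequestHandler on a ThreadingHTTPServer), written out as an added example. This is not the project's serialize_and_load.py; the serve_file name and (path, port) signature follow the reviewer's guide, while the 127.0.0.1 bind, the port-0 default, and the fetch and demo helpers are assumptions made here. The demo serves a constructed file from a temporary directory and checks the two properties that motivated the change: the process working directory is untouched, and a request that tries to step outside the served tree gets a 404 rather than the file outside it.

```python
import os
import tempfile
import threading
import urllib.error
import urllib.request
from functools import partial
from http.server import SimpleHTTPRequestHandler, ThreadingHTTPServer


def serve_file(path, port=0, host="127.0.0.1"):
    """Serve the directory `path` over HTTP on a daemon thread.

    Binding the handler with `directory=` (Python 3.7+) replaces os.chdir(path):
    the process working directory is left alone, so other threads and the
    caller are unaffected. Port 0 lets the OS pick a free port; read it back
    from server.server_address. Returns (server, thread).
    """
    directory = os.path.abspath(path)
    # SimpleHTTPRequestHandler.translate_path() resolves each request relative
    # to `directory` and drops '..' components, so requests stay inside the tree.
    handler = partial(SimpleHTTPRequestHandler, directory=directory)
    server = ThreadingHTTPServer((host, port), handler)
    thread = threading.Thread(target=server.serve_forever, daemon=True)
    thread.start()
    return server, thread


def fetch(server, rel_path):
    """GET rel_path from the running server; returns (status, body)."""
    host, port = server.server_address[:2]
    url = f"http://{host}:{port}/{rel_path}"
    try:
        with urllib.request.urlopen(url, timeout=5) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as exc:
        return exc.code, b""


def demo():
    """Serve a constructed artifact and report the properties we care about."""
    cwd_before = os.getcwd()
    with tempfile.TemporaryDirectory() as root:
        served = os.path.join(root, "artifacts")
        os.mkdir(served)
        # Constructed stand-ins: one file inside the served tree, one outside it.
        with open(os.path.join(served, "model.tensors"), "wb") as f:
            f.write(b"TENSOR-BYTES")
        with open(os.path.join(root, "outside.txt"), "wb") as f:
            f.write(b"must never be served")

        server, _thread = serve_file(served)
        try:
            status, body = fetch(server, "model.tensors")
            # The handler collapses '..' so this resolves to artifacts/outside.txt,
            # which does not exist: confinement holds without any chdir.
            escape_status, escape_body = fetch(server, "../outside.txt")
        finally:
            server.shutdown()
            server.server_close()

    return {
        "cwd_unchanged": os.getcwd() == cwd_before,
        "status": status,
        "body": body,
        "escape_status": escape_status,
        "escape_body": escape_body,
    }


if __name__ == "__main__":
    print(demo())
```

Because the handler is bound per server instance rather than via a global chdir, two serve_file calls for different directories can coexist in one process, which the old os.chdir approach could not guarantee.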

@sourcery-ai (Bot) commented Aug 30, 2025

Reviewer's Guide

This PR hardens the deployment pipeline and manifests by pinning CI steps and container images to immutable SHAs or specific versions, configuring kubectl and Helm via a base64-encoded kubeconfig, replacing unsafe directory changes in example code, adding optional S3 credential support, and enhancing Kubernetes security and observability through RBAC, NetworkPolicy, and updated documentation.

Class diagram for updated serve_file function in serializer example

classDiagram
    class serve_file {
        +serve_file(path: str, port: int) threading.Thread
        -directory: str
        -handler: SimpleHTTPRequestHandler
        -server: ThreadingHTTPServer
    }
    class SimpleHTTPRequestHandler
    class ThreadingHTTPServer
    serve_file --> SimpleHTTPRequestHandler : uses
    serve_file --> ThreadingHTTPServer : uses

File-Level Changes

Change: Harden CI/CD pipeline and GitOps configuration
  Details:
    • Pin GitHub Actions steps to immutable SHAs (checkout, buildx, trivy, login)
    • Add setup-kubectl and setup-helm actions with specific versions and configure kubeconfig via base64 secret
    • Update ArgoCD application to track 'main' branch instead of HEAD
  Files: .github/workflows/build-and-deploy.yml, gitops/argocd/app.yaml

Change: Pin container images in Helm and Knative manifests
  Details:
    • Update Helm values.yaml image tag to v0.2.2
    • Use vLLM v0.2.2 image in Knative service
  Files: helm/tensorizer-vllm/values.yaml, k8s/knative-service.yaml

Change: Add optional S3 credential support in deployments
  Details:
    • Introduce s3.secretName in Helm values
    • Inject AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY env vars in Helm deployment template
    • Inject AWS credentials in Knative service env section
  Files: helm/tensorizer-vllm/values.yaml, helm/tensorizer-vllm/templates/deployment.yaml, k8s/knative-service.yaml

Change: Replace unsafe os.chdir usage with directory-aware HTTP handler
  Details:
    • Remove os.chdir
    • Instantiate ThreadingHTTPServer with directory-aware SimpleHTTPRequestHandler via partial
  Files: examples/tensorizer/serialize_and_load.py

Change: Introduce Kubernetes RBAC and NetworkPolicy manifests
  Details:
    • Add ServiceAccount, Role, and RoleBinding in rbac.yaml
    • Define NetworkPolicy for ingress/egress in networkpolicy.yaml
  Files: k8s/rbac.yaml, k8s/networkpolicy.yaml

Change: Clarify observability documentation
  Details:
    • Specify Prometheus scraping on port 8000 for vLLM service
    • Adjust list numbering and references in observability.md
  Files: docs/observability.md


@coderabbitai (Bot) commented Aug 30, 2025

Caution: review failed. The pull request is closed.

Walkthrough

The PR pins GitHub Actions to SHAs, adds kubectl/Helm setup and kubeconfig configuration, updates image tags, introduces S3 credential wiring via Helm/Kubernetes, adds RBAC and NetworkPolicy manifests, refines an example HTTP server to avoid chdir, updates Argo CD to track main, and adjusts observability docs.

Changes

Cohort: CI workflow hardening and tooling
  Files: .github/workflows/build-and-deploy.yml
  Summary: Pinned action versions to SHAs; added setup for kubectl (v1.28.3) and Helm (v3.12.3); configured kubeconfig from secret; updated Trivy and Docker login actions; reformatted Helm upgrade step.

Cohort: Helm chart S3 support and image pin
  Files: helm/tensorizer-vllm/templates/deployment.yaml, helm/tensorizer-vllm/values.yaml
  Summary: Added conditional env vars for AWS credentials from a Secret when .Values.s3.secretName is set; introduced s3.secretName in values; changed default image to vllm/vllm:0.2.2.

Cohort: Kubernetes manifests updates
  Files: k8s/knative-service.yaml, k8s/networkpolicy.yaml, k8s/rbac.yaml
  Summary: Knative Service image pinned to vllm/vllm:0.2.2 and added AWS credential env from Secret; added NetworkPolicy allowing ingress 8000 and egress 443; added ServiceAccount, Role (pods get/list), and RoleBinding.

Cohort: GitOps tracking change
  Files: gitops/argocd/app.yaml
  Summary: Set spec.source.targetRevision to main instead of HEAD.

Cohort: Example server behavior fix
  Files: examples/tensorizer/serialize_and_load.py
  Summary: Switched to partial(SimpleHTTPRequestHandler, directory=...) with ThreadingHTTPServer to serve from the target directory without changing the process CWD.

Cohort: Observability docs tweaks
  Files: docs/observability.md
  Summary: Updated deep-dive bullets: Prometheus scrape on 8000, Loki logs with app=vllm, and local demo via the observability/ Docker Compose example.

Sequence Diagram(s)

sequenceDiagram
  autonumber
  actor Dev as Developer
  participant GH as GitHub Actions
  participant Helm as Helm
  participant K8s as Kubernetes Cluster
  participant Sec as K8s Secrets
  participant S3 as S3

  Dev->>GH: Push to main
  GH->>GH: Checkout (pinned SHA), Buildx, Trivy scan
  GH->>GH: Setup kubectl v1.28.3, Helm v3.12.3
  GH->>GH: Configure kubeconfig from secret
  GH->>Helm: helm upgrade --install tensorizer-vllm
  Helm->>K8s: Apply Deployment/Service (image vllm:0.2.2)
  alt .Values.s3.secretName set
    K8s->>Sec: Mount Secret refs
    note right of K8s: Inject AWS_ACCESS_KEY_ID<br/>AWS_SECRET_ACCESS_KEY
    K8s->>S3: Access artifacts over HTTPS (443)
  end
  note over K8s: NetworkPolicy allows ingress 8000, egress 443

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes


Poem

Hop, hop, deploy I go,
Helm in paw and secrets stow.
Pins on actions, steady tread,
Charts unfurl, to clusters spread.
Ports admit and egress flow—
S3 whispers, logs now glow.
Thump! The main branch leads the show.


📜 Recent review details


📥 Commits

Reviewing files that changed from the base of the PR and between f2b0c32 and bd74c8b.

📒 Files selected for processing (9)
  • .github/workflows/build-and-deploy.yml (1 hunks)
  • docs/observability.md (1 hunks)
  • examples/tensorizer/serialize_and_load.py (2 hunks)
  • gitops/argocd/app.yaml (1 hunks)
  • helm/tensorizer-vllm/templates/deployment.yaml (1 hunks)
  • helm/tensorizer-vllm/values.yaml (1 hunks)
  • k8s/knative-service.yaml (1 hunks)
  • k8s/networkpolicy.yaml (1 hunks)
  • k8s/rbac.yaml (1 hunks)

@TylrDn TylrDn closed this Aug 30, 2025
@TylrDn TylrDn reopened this Aug 30, 2025
@TylrDn TylrDn marked this pull request as ready for review August 30, 2025 13:57
@TylrDn TylrDn merged commit d36359d into main Aug 30, 2025
0 of 6 checks passed

@sourcery-ai (Bot) left a comment

Hey there - I've reviewed your changes - here's some feedback:

  • Ensure the new RBAC service account is actually used by your deployment by setting serviceAccountName in the Helm deployment spec.
  • Consider tightening the NetworkPolicy namespaceSelector from {} to only the required namespace or pod labels to avoid granting overly permissive access.
  • Address the pytest import error by adding an __init__.py to the serializer module or updating the CI PYTHONPATH so the examples/tensorizer package can be discovered.


Comment thread k8s/networkpolicy.yaml
policyTypes:
- Ingress
- Egress
ingress:
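Review bot: the `namespaceSelector: {}` peer under `from` matches every namespace in the cluster, so this ingress rule narrows traffic by port only; pair it with a `podSelector` or a label match so that only the intended callers reach the vLLM port. Separately, because `policyTypes` lists `Egress`, every egress flow not explicitly allowed is dropped, and the walkthrough describes a single egress rule for TCP 443. That leaves no path for DNS (UDP/TCP 53 to the cluster resolver), so the S3 endpoint hostname the new credentials are meant to reach will not resolve from the pod; add an egress rule to the cluster DNS pods on port 53 alongside the 443 rule.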


🚨 suggestion (security): Ingress policy allows traffic from any namespace, which may be overly permissive.

Restrict ingress to trusted namespaces to minimize exposure and enhance security.

Suggested implementation:

    - from:
        - namespaceSelector:
            matchLabels:
              team: trusted
      ports:
        - protocol: TCP
          port: 8000

You will need to ensure that the trusted namespaces in your cluster are labeled with team: trusted for this policy to work as intended. Adjust the label key/value as needed to match your organization's labeling conventions.
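An added example, not Sourcery's suggestion or the repository's manifest, that turns the two points raised in this thread into a check a CI job can run before `kubectl apply`: it lints a NetworkPolicy for an ingress peer whose `namespaceSelector: {}` admits every namespace, and for an `Egress` policy that allows no port 53 traffic (the condition that breaks hostname resolution when egress is limited to 443). Both manifests are constructed inline as the dicts a YAML loader would return, so the script runs without PyYAML; the `models` namespace, the `team: trusted` label, and the kube-dns selector are assumptions, not values taken from k8s/networkpolicy.yaml.

```python
from typing import Dict, List

# Constructed manifests (what yaml.safe_load would return). PERMISSIVE mirrors
# the selector flagged in review; TIGHTENED applies the suggested label match
# and adds a DNS egress rule. Namespace and label values are assumptions.
PERMISSIVE = {
    "apiVersion": "networking.k8s.io/v1",
    "kind": "NetworkPolicy",
    "metadata": {"name": "vllm", "namespace": "models"},
    "spec": {
        "podSelector": {"matchLabels": {"app": "vllm"}},
        "policyTypes": ["Ingress", "Egress"],
        "ingress": [{
            "from": [{"namespaceSelector": {}}],          # every namespace
            "ports": [{"protocol": "TCP", "port": 8000}],
        }],
        "egress": [{"ports": [{"protocol": "TCP", "port": 443}]}],  # no DNS
    },
}

TIGHTENED = {
    "apiVersion": "networking.k8s.io/v1",
    "kind": "NetworkPolicy",
    "metadata": {"name": "vllm", "namespace": "models"},
    "spec": {
        "podSelector": {"matchLabels": {"app": "vllm"}},
        "policyTypes": ["Ingress", "Egress"],
        "ingress": [{
            "from": [{"namespaceSelector": {"matchLabels": {"team": "trusted"}}}],
            "ports": [{"protocol": "TCP", "port": 8000}],
        }],
        "egress": [
            {"ports": [{"protocol": "TCP", "port": 443}]},
            {
                # Cluster DNS. kube-system carries kubernetes.io/metadata.name on
                # Kubernetes 1.21+; the k8s-app=kube-dns label is the usual CoreDNS label.
                "to": [{
                    "namespaceSelector": {"matchLabels": {"kubernetes.io/metadata.name": "kube-system"}},
                    "podSelector": {"matchLabels": {"k8s-app": "kube-dns"}},
                }],
                "ports": [{"protocol": "UDP", "port": 53}, {"protocol": "TCP", "port": 53}],
            },
        ],
    },
}


def _allows_port(rule: Dict, port: int) -> bool:
    """True if an egress rule permits `port`; a rule without `ports` permits all."""
    if "ports" not in rule:
        return True
    return any(p.get("port") == port for p in rule["ports"])


def lint_network_policy(policy: Dict) -> List[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings: List[str] = []
    spec = policy.get("spec", {})
    types = spec.get("policyTypes", [])

    if "Ingress" in types:
        for i, rule in enumerate(spec.get("ingress", [])):
            peers = rule.get("from")
            if not peers:
                # A rule with no `from` (or an empty list) admits every source.
                findings.append(f"ingress[{i}]: no 'from' peers, so every source is admitted")
                continue
            for peer in peers:
                # {} is a selector that matches everything; only a podSelector
                # in the same peer narrows it, since both must match together.
                if peer.get("namespaceSelector") == {} and "podSelector" not in peer:
                    findings.append(
                        f"ingress[{i}]: namespaceSelector {{}} admits pods from every namespace"
                    )

    if "Egress" in types:
        if not any(_allows_port(r, 53) for r in spec.get("egress", [])):
            findings.append(
                "egress: no rule allows port 53, so in-cluster DNS (and S3 hostname lookup) will fail"
            )

    return findings


if __name__ == "__main__":
    for name, pol in (("PERMISSIVE", PERMISSIVE), ("TIGHTENED", TIGHTENED)):
        print(name, lint_network_policy(pol) or ["ok"])
```

Run it as a pre-apply gate: a non-empty result for the manifest under review is the signal to restrict the peer or add the DNS rule before the policy is enforced in the cluster.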


1 participant