docs(flowker): add v2.1 upgrade guide

[gandalf-at-lerian]

Summary

• Adds the retroactive minor upgrade guide for from to .
• Patch-only upgrade docs remain ignored, per task scope.

Requested by: @guimoreirar

[coderabbitai]

Walkthrough

This pull request adds a new Helm chart upgrade document (charts/flowker/docs/UPGRADE-2.1.md) describing the Flowker 2.0.0 → 2.1.0-beta.6 upgrade: version and port changes, Mongo config consolidation, multi-tenant and audit DB options, operational knobs, values.yaml impacts, migration steps, and helm commands.

Changes

Flowker Upgrade Documentation

Layer / File(s)	Summary
Title and navigation charts/flowker/docs/UPGRADE-2.1.md	Document title and topic navigation for the 2.0.x → 2.1.x upgrade.
Port & Mongo configuration charts/flowker/docs/UPGRADE-2.1.md	Describes service port default change (4000 → 4021) and consolidates Mongo env vars into flowker.secrets.MONGO_URI, listing removed legacy keys and pool-size default update.
Multi-tenant and audit DB config charts/flowker/docs/UPGRADE-2.1.md	Adds opt-in multi-tenant settings and audit Postgres configuration including configMap keys and the audit password secret.
Operational configuration knobs charts/flowker/docs/UPGRADE-2.1.md	Documents new knobs for deployment mode, plugin authentication, SSRF/private network allowance, fault injection, and lib-commons telemetry.
values.yaml impact and touched files charts/flowker/docs/UPGRADE-2.1.md	Summarizes counts of added/removed/changed values and enumerates which chart files are touched in this upgrade.
Migration steps and verification charts/flowker/docs/UPGRADE-2.1.md	Numbered migration steps including removing legacy Mongo overrides, handling service port change, multi-tenant/audit DB defaults, and rollout/pod/log verification commands.
Helm preview and upgrade commands charts/flowker/docs/UPGRADE-2.1.md	Notes downstream callers pinned to old port; provides helm diff upgrade preview (helm-diff plugin) and final helm upgrade command for 2.1.0-beta.6.

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@charts/flowker/docs/UPGRADE-2.1.md`:
- Around line 21-52: Add a clear distinction between required and optional new
config values by annotating each key (e.g., flowker.secrets.MONGO_URI,
flowker.secrets.AUDIT_DB_PASSWORD,
flowker.configmap.AUDIT_DB_HOST/AUDIT_DB_NAME/AUDIT_DB_PORT) as "required" if
needed for core functionality or migration, and group feature flags (e.g.,
flowker.configmap.MULTI_TENANT_ENABLED,
flowker.configmap.FAULT_INJECTION_ENABLED,
flowker.configmap.SKIP_LIB_COMMONS_TELEMETRY,
flowker.configmap.SSRF_ALLOW_PRIVATE) into a separate "optional / feature flags"
subsection; explicitly call out connection-related values (MONGO_URI,
MULTI_TENANT_REDIS_HOST/PORT/PASSWORD, AUDIT_DB_*) and migration path
(flowker.configmap.AUDIT_MIGRATIONS_PATH) as required for successful upgrade
steps, and include a short note on defaults and when each optional flag must be
set.
- Line 3: The header line containing the concatenated topic links
("**[Overview](`#overview`)**- **[Version changes](`#version-changes`)**...") should
be split into a readable list; update the string in UPGRADE-2.1.md by replacing
the single concatenated line with either a bulleted list or separate lines so
each link is on its own line (e.g., "- **[Overview](`#overview`)**", "- **[Version
changes](`#version-changes`)**", etc.), preserving the existing Markdown link text
and anchors and removing the run-together hyphens so links render clearly.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 99d11e54-7c64-4fc4-859e-5356d0d4e9b2

📥 Commits

Reviewing files that changed from the base of the PR and between 3766751 and 7c73711.

📒 Files selected for processing (1)

• charts/flowker/docs/UPGRADE-2.1.md

[coderabbitai]

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Clarify which new values are required versus optional.

The "Added values" section lists many new configuration options, but the documentation doesn't clearly indicate which values are required for a successful upgrade versus which are optional feature flags. Consider adding annotations or a separate subsection to distinguish required values (e.g., MONGO_URI in secrets) from optional feature configurations (e.g., MULTI_TENANT_ENABLED, FAULT_INJECTION_ENABLED).

This would help users prioritize their configuration review during migration step 3.

🧰 Tools

🪛 Betterleaks (1.2.0)

[high] 49-49: Detected a MongoDB connection string with embedded credentials, potentially exposing direct database access and sensitive application data.

(mongodb-connection-string)

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@charts/flowker/docs/UPGRADE-2.1.md` around lines 21 - 52, Add a clear
distinction between required and optional new config values by annotating each
key (e.g., flowker.secrets.MONGO_URI, flowker.secrets.AUDIT_DB_PASSWORD,
flowker.configmap.AUDIT_DB_HOST/AUDIT_DB_NAME/AUDIT_DB_PORT) as "required" if
needed for core functionality or migration, and group feature flags (e.g.,
flowker.configmap.MULTI_TENANT_ENABLED,
flowker.configmap.FAULT_INJECTION_ENABLED,
flowker.configmap.SKIP_LIB_COMMONS_TELEMETRY,
flowker.configmap.SSRF_ALLOW_PRIVATE) into a separate "optional / feature flags"
subsection; explicitly call out connection-related values (MONGO_URI,
MULTI_TENANT_REDIS_HOST/PORT/PASSWORD, AUDIT_DB_*) and migration path
(flowker.configmap.AUDIT_MIGRATIONS_PATH) as required for successful upgrade
steps, and include a short note on defaults and when each optional flag must be
set.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@charts/flowker/docs/UPGRADE-2.1.md`:
- Around line 57-62: The docs currently embed concrete credentials in the
example secret values (e.g., MONGO_URI containing "flowker:lerian" and
AUDIT_DB_PASSWORD: "lerian"); update these examples to use explicit placeholders
instead (for example replace username/password in MONGO_URI with <MONGO_USER>
and <MONGO_PASSWORD> or ${MONGO_USER}:${MONGO_PASSWORD} and set
AUDIT_DB_PASSWORD to a placeholder like <AUDIT_DB_PASSWORD>) and ensure
MONGO_TLS_CA_CERT remains empty or is shown as <BASE64_CA_CERT> to avoid
insecure copy/paste; edit the example block that defines flowker.secrets
(symbols: MONGO_URI, MONGO_TLS_CA_CERT, AUDIT_DB_PASSWORD) accordingly.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: e2f21b6d-b078-49ae-a76a-c88ae3e9da6c

📥 Commits

Reviewing files that changed from the base of the PR and between 7c73711 and b995b17.

📒 Files selected for processing (1)

• charts/flowker/docs/UPGRADE-2.1.md

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Remove embedded credential examples from secret values.

At Line 60 and Line 109, the docs include concrete credential values (flowker:lerian, AUDIT_DB_PASSWORD: "lerian"). Please switch these to explicit placeholders to avoid insecure copy/paste into real environments.

🔐 Suggested doc-safe replacement

 flowker:
   secrets:
-    MONGO_URI: "mongodb://flowker:lerian@flowker-mongodb:27017/flowker?authSource=flowker"
+    MONGO_URI: "mongodb://<mongo_user>:<mongo_password>`@flowker-mongodb`:27017/flowker?authSource=flowker"
     MONGO_TLS_CA_CERT: ""
@@
 flowker:
   configmap:
@@
   secrets:
-    AUDIT_DB_PASSWORD: "lerian"
+    AUDIT_DB_PASSWORD: "<set-in-your-secret-store>"

Also applies to: 99-110

🧰 Tools

🪛 Betterleaks (1.3.1)

[high] 60-60: Detected a MongoDB connection string with embedded credentials, potentially exposing direct database access and sensitive application data.

(mongodb-connection-string)

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@charts/flowker/docs/UPGRADE-2.1.md` around lines 57 - 62, The docs currently
embed concrete credentials in the example secret values (e.g., MONGO_URI
containing "flowker:lerian" and AUDIT_DB_PASSWORD: "lerian"); update these
examples to use explicit placeholders instead (for example replace
username/password in MONGO_URI with <MONGO_USER> and <MONGO_PASSWORD> or
${MONGO_USER}:${MONGO_PASSWORD} and set AUDIT_DB_PASSWORD to a placeholder like
<AUDIT_DB_PASSWORD>) and ensure MONGO_TLS_CA_CERT remains empty or is shown as
<BASE64_CA_CERT> to avoid insecure copy/paste; edit the example block that
defines flowker.secrets (symbols: MONGO_URI, MONGO_TLS_CA_CERT,
AUDIT_DB_PASSWORD) accordingly.