Skip to content

refactor: name patch fragments by intent and codify patch naming rules#2474

Draft
devantler wants to merge 2 commits into
mainfrom
claude/patch-naming-conventions
Draft

refactor: name patch fragments by intent and codify patch naming rules#2474
devantler wants to merge 2 commits into
mainfrom
claude/patch-naming-conventions

Conversation

@devantler

@devantler devantler commented Jul 4, 2026

Copy link
Copy Markdown
Contributor

Why

Patch files — both the Kustomize overlay patches and the Talos machine-config patches — were named after the resource they patch (helm-release-patch.yaml ×12, sysctls.yaml, kubelet.yaml), which says nothing about what a patch actually does; some files bundled several documents, and three k8s patches lived loose outside a patches/ directory.

What

Codifies the maintainer-directed convention and applies it everywhere: patches hold one resource/document per file and are named by intent like CR-folder files (<verb>-<purpose>.yaml). K8s patches live under patches/ (23 renamed, 3 moved, 3 no-op patches deleted); Talos patches keep their talos*/ layout and get intent names too, with the three multi-document files split one-document-per-file (rule count and the ENOBUFS warning preserved). The naming CI validator enforces all of it. Overlays render byte-identical and Talos config content is verified preserved doc-for-doc — no behavior change.

🤖 Generated with Claude Code

Patch fragments now follow the CR-folder naming convention: they live under
a patches/ directory, hold one resource per file, and are named
<verb>-<purpose>.yaml — no Kind-led names, no redundant -patch suffix (the
flux-kustomization prefix stays, per the Flux CR rule). Talos machine-config
patches (talos/, talos-local/) are explicitly exempt from all naming and
file-structure conventions. validate-naming.py enforces the new rules
(checks 7-8); three no-op patches (two empty spec: {} placeholders and a
Corefile patch identical to the base) are dropped. All five affected
overlays render byte-identical before and after.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
@coderabbitai

coderabbitai Bot commented Jul 4, 2026

Copy link
Copy Markdown

Review Change Stack

📝 Walkthrough

Walkthrough

This pull request updates naming guidance, validation logic, and references across docs and Kubernetes overlays to use intent-based patch filenames. It also removes obsolete patch manifests, rewires provider kustomization entries to new patch files, and adds/splits multiple Talos machine-config and network-rule manifests. Talos volume encryption is split into separate state and ephemeral configs, and several comment references are updated to match the new filenames.

Sequence Diagram(s)

Not applicable.

Compact metadata

  • Related issues: None specified
  • Related PRs: None specified
  • Suggested labels: documentation, refactor, talos, kustomize
  • Suggested reviewers: platform maintainers
🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Title check ✅ Passed The title accurately summarizes the main change: intent-based patch fragment naming and enforced naming rules.
Description check ✅ Passed The description clearly matches the changeset, describing the naming refactor, file moves, deletions, and validator updates.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
⚔️ Resolve merge conflicts
  • Resolve merge conflict in branch claude/patch-naming-conventions

Comment @coderabbitai help to get the list of available commands.

Talos machine-config patches now follow the same intent-naming convention
as CR folders and k8s patches: <verb>-<purpose>.yaml, one YAML document per
file. The multi-document files are split (disk-encryption into its two
VolumeConfigs; each role's ingress-firewall into one NetworkRuleConfig per
file, preserving the consolidated rule COUNT and the ENOBUFS warning), all
non-comment config lines are verified preserved doc-for-doc, and
validate-naming.py check 9 enforces the rules in CI. ksail globs the
talos*/ directories, so no config reference changes.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
@devantler

Copy link
Copy Markdown
Contributor Author

🤖 Generated by the Daily AI Assistant

@coderabbitai review

@coderabbitai

coderabbitai Bot commented Jul 4, 2026

Copy link
Copy Markdown

@devantler: Sure, I'll review the changes now.

✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (3)
talos/workers/allow-cilium-wireguard-ingress.yaml (1)

1-15: 🚀 Performance & Scalability | 🔵 Trivial | ⚡ Quick win

Consider consolidating with allow-cni-vxlan-ingress.yaml.

This rule (udp/51871) and allow-cni-vxlan-ingress.yaml (udp/8472) share identical protocol (udp) and subnet set (10.0.0.0/16 only). Per the repo's own consolidation convention, these should be merged into a single rule's ports list to minimize total rule count.

♻️ Example merge
-# Cilium WireGuard transparent encryption (encryption.type: wireguard).
-# Tunnels VXLAN-encapsulated pod traffic between nodes through cilium_wg0.
-# Default port is UDP 51871; Talos's NetworkDefaultActionConfig: block
-# would otherwise drop inter-node WireGuard packets and break pod-to-pod
-# traffic the moment encryption is enabled.
+# Cilium VXLAN (8472) and WireGuard transparent encryption (51871,
+# encryption.type: wireguard) cluster-internal only on worker nodes.
+# Talos's NetworkDefaultActionConfig: block would otherwise drop
+# inter-node tunnel traffic.
 apiVersion: v1alpha1
 kind: NetworkRuleConfig
-name: cilium-wireguard-ingress
+name: cni-tunnel-ingress
 portSelector:
   ports:
+    - 8472
     - 51871
   protocol: udp
 ingress:
   - subnet: 10.0.0.0/16
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@talos/workers/allow-cilium-wireguard-ingress.yaml` around lines 1 - 15, The
WireGuard ingress rule duplicates the same udp protocol and subnet allowlist
already used by allow-cni-vxlan-ingress.yaml, so consolidate them to reduce rule
count. Update the NetworkRuleConfig in cilium-wireguard-ingress to share the
same ingress definition and combine the port entries with the existing
allow-cni-vxlan-ingress rule, keeping the identifying symbols
cilium-wireguard-ingress and portSelector/ingress aligned with the repo’s
consolidation pattern.
talos/workers/allow-cilium-health-ingress.yaml (1)

1-12: 🚀 Performance & Scalability | 🔵 Trivial | ⚡ Quick win

Consider consolidating with allow-cilium-mutual-auth-ingress.yaml.

Both this rule (tcp/4240) and allow-cilium-mutual-auth-ingress.yaml (tcp/4250) share the exact same protocol (tcp) and subnet set (10.0.0.0/16 only). Per the repo's own consolidation rule, matching protocol+subnet rules should be merged into one rule's ports list rather than kept as separate NetworkRuleConfig files, to keep the total rule count low.

♻️ Example merge
-# Cilium health checks (4240) cluster-internal only on worker nodes. Pairs
-# with cluster/block-ingress-by-default.yaml.
+# Cilium health checks (4240) and SPIRE mutual-auth handshakes (4250)
+# cluster-internal only on worker nodes. Pairs with
+# cluster/block-ingress-by-default.yaml.
 apiVersion: v1alpha1
 kind: NetworkRuleConfig
-name: cilium-health-ingress
+name: cilium-health-and-mutual-auth-ingress
 portSelector:
   ports:
     - 4240
+    - 4250
   protocol: tcp
 ingress:
   - subnet: 10.0.0.0/16

If the two rules are kept separate for documentation clarity (the mutual-auth file carries substantial incident-history commentary), it'd be worth a short note explaining the deliberate exception to the consolidation rule.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@talos/workers/allow-cilium-health-ingress.yaml` around lines 1 - 12, The
cilium health ingress rule duplicates the same tcp protocol and subnet set used
by allow-cilium-mutual-auth-ingress.yaml, so it should be consolidated rather
than kept as a separate NetworkRuleConfig. Update the relevant NetworkRuleConfig
entries so the shared tcp/10.0.0.0/16 allowance is represented in one rule with
both ports in the ports list, and remove the redundant standalone rule; if you
intentionally keep them separate for documentation, add a brief note in the
cilium-health-ingress or allow-cilium-mutual-auth-ingress file explaining the
exception.
talos/workers/allow-kubelet-ingress.yaml (1)

1-17: 🚀 Performance & Scalability | 🔵 Trivial | ⚡ Quick win

Consider consolidating with allow-hubble-peer-ingress.yaml.

This rule (tcp/10250) and allow-hubble-peer-ingress.yaml (tcp/4244) share identical protocol (tcp) and the exact same two-subnet set (10.0.0.0/16 + 10.244.0.0/16). Per the repo's stated consolidation convention, these should be merged into one rule's ports list to keep the total rule count low.

♻️ Example merge
-# kubelet (10250) cluster-internal only on worker nodes. Pairs with
-# cluster/block-ingress-by-default.yaml.
+# Hubble peer (4244) and kubelet (10250) cluster-internal only on worker
+# nodes. Pairs with cluster/block-ingress-by-default.yaml.
 apiVersion: v1alpha1
 kind: NetworkRuleConfig
-name: kubelet-ingress
+name: hubble-peer-and-kubelet-ingress
 portSelector:
   ports:
+    - 4244
     - 10250
   protocol: tcp
 ingress:
   # Node CIDR covers cross-node scrapes: Cilium masquerades pod->node-IP
   # traffic to the source node IP. Same-node scrapes (e.g. the local
   # metrics-server replica hitting its own kubelet) are NOT masqueraded, so
   # the kubelet sees the raw pod IP and the pod CIDR must be allowed too.
   - subnet: 10.0.0.0/16
   - subnet: 10.244.0.0/16
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@talos/workers/allow-kubelet-ingress.yaml` around lines 1 - 17, Merge the
kubelet-ingress NetworkRuleConfig with allow-hubble-peer-ingress.yaml by reusing
the same ingress subnet set and consolidating the tcp ports into one rule’s
ports list, since both rules are identical except for the port. Update the
NetworkRuleConfig definitions that currently live in kubelet-ingress and
allow-hubble-peer-ingress so the shared subnets remain in a single rule and the
portSelector includes both 10250 and 4244. Keep the existing symbol names
kubelet-ingress and allow-hubble-peer-ingress as the location anchors while
reducing the total number of rules.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@scripts/validate-naming.py`:
- Around line 112-119: The `count_docs` helper in `validate-naming.py` uses the
ambiguous loop variable name `l`, which triggers Ruff’s `E741` lint error.
Rename that inner loop variable in the `any(...)` expression to a clearer name,
keeping the same document-counting logic and preserving the behavior of
`count_docs`.

---

Outside diff comments:
In `@talos/workers/allow-cilium-health-ingress.yaml`:
- Around line 1-12: The cilium health ingress rule duplicates the same tcp
protocol and subnet set used by allow-cilium-mutual-auth-ingress.yaml, so it
should be consolidated rather than kept as a separate NetworkRuleConfig. Update
the relevant NetworkRuleConfig entries so the shared tcp/10.0.0.0/16 allowance
is represented in one rule with both ports in the ports list, and remove the
redundant standalone rule; if you intentionally keep them separate for
documentation, add a brief note in the cilium-health-ingress or
allow-cilium-mutual-auth-ingress file explaining the exception.

In `@talos/workers/allow-cilium-wireguard-ingress.yaml`:
- Around line 1-15: The WireGuard ingress rule duplicates the same udp protocol
and subnet allowlist already used by allow-cni-vxlan-ingress.yaml, so
consolidate them to reduce rule count. Update the NetworkRuleConfig in
cilium-wireguard-ingress to share the same ingress definition and combine the
port entries with the existing allow-cni-vxlan-ingress rule, keeping the
identifying symbols cilium-wireguard-ingress and portSelector/ingress aligned
with the repo’s consolidation pattern.

In `@talos/workers/allow-kubelet-ingress.yaml`:
- Around line 1-17: Merge the kubelet-ingress NetworkRuleConfig with
allow-hubble-peer-ingress.yaml by reusing the same ingress subnet set and
consolidating the tcp ports into one rule’s ports list, since both rules are
identical except for the port. Update the NetworkRuleConfig definitions that
currently live in kubelet-ingress and allow-hubble-peer-ingress so the shared
subnets remain in a single rule and the portSelector includes both 10250 and
4244. Keep the existing symbol names kubelet-ingress and
allow-hubble-peer-ingress as the location anchors while reducing the total
number of rules.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: 7e39c7d3-7696-48f8-bdee-9c6afb37c8d4

📥 Commits

Reviewing files that changed from the base of the PR and between 07f7ad2 and be0625f.

📒 Files selected for processing (43)
  • AGENTS.md
  • docs/dr/spire-server-ha.md
  • docs/runtime-security.md
  • docs/rwx-storage.md
  • k8s/bases/infrastructure/cluster-policies/best-practices/verify-ksail-images.yaml
  • k8s/bases/infrastructure/cluster-security-exceptions/image-verification.yaml
  • k8s/providers/hetzner/infrastructure/cluster-policies/restrict-storage-to-baseline-workers.yaml
  • k8s/providers/hetzner/infrastructure/controllers/cilium/patches/enforce-wireguard-strict-mode.yaml
  • scripts/validate-naming.py
  • talos-local/cluster/disable-default-cni-and-kube-proxy.yaml
  • talos-local/cluster/enable-dex-oidc.yaml
  • talos/cluster/authenticate-ghcr-pulls.yaml
  • talos/cluster/block-ingress-by-default.yaml
  • talos/cluster/disable-default-cni-and-kube-proxy.yaml
  • talos/cluster/enable-apparmor.yaml
  • talos/cluster/enable-audit-logging.yaml
  • talos/cluster/enable-dex-oidc.yaml
  • talos/cluster/enable-user-namespaces.yaml
  • talos/cluster/encrypt-ephemeral-volume.yaml
  • talos/cluster/encrypt-state-volume.yaml
  • talos/cluster/evict-pods-before-oom.yaml
  • talos/cluster/gc-terminated-pods-sooner.yaml
  • talos/cluster/harden-kernel-sysctls.yaml
  • talos/cluster/use-platform-hostname.yaml
  • talos/cluster/verify-first-party-images.yaml
  • talos/control-planes/allow-internal-node-ingress.yaml
  • talos/control-planes/allow-internal-nodepod-ingress.yaml
  • talos/control-planes/allow-internal-udp-ingress.yaml
  • talos/control-planes/allow-public-ingress.yaml
  • talos/control-planes/ingress-firewall.yaml
  • talos/workers/allow-apid-ingress.yaml
  • talos/workers/allow-cilium-health-ingress.yaml
  • talos/workers/allow-cilium-mutual-auth-ingress.yaml
  • talos/workers/allow-cilium-wireguard-ingress.yaml
  • talos/workers/allow-cni-vxlan-ingress.yaml
  • talos/workers/allow-hubble-peer-ingress.yaml
  • talos/workers/allow-kubelet-ingress.yaml
  • talos/workers/allow-node-exporter-ingress.yaml
  • talos/workers/allow-nodeport-ingress.yaml
  • talos/workers/ingress-firewall.yaml
  • talos/workers/label-nodes.yaml
  • talos/workers/load-kvm-modules.yaml
  • talos/workers/mount-longhorn-data.yaml
🔗 Linked repositories identified

CodeRabbit considers these linked repositories for cross-repo context during reviews:

  • devantler-tech/actions (auto-detected)
  • devantler-tech/aws (auto-detected)
  • devantler-tech/reusable-workflows (auto-detected)
  • devantler-tech/ksail (auto-detected)
  • devantler-tech/ascoachingogvaner (auto-detected)
  • devantler-tech/wedding-app (auto-detected)
  • devantler-tech/agent-skills (auto-detected)
💤 Files with no reviewable changes (2)
  • talos/control-planes/ingress-firewall.yaml
  • talos/workers/ingress-firewall.yaml
📜 Review details
🧰 Additional context used
📓 Path-based instructions (5)
talos/**/*.yaml

📄 CodeRabbit inference engine (AGENTS.md)

Talos machine-config patches must contain one YAML document per file and use intent-describing verb-purpose.yaml filenames; they are Talos config fragments, not Kubernetes manifests.

Files:

  • talos/workers/allow-cilium-health-ingress.yaml
  • talos/workers/allow-hubble-peer-ingress.yaml
  • talos/workers/allow-kubelet-ingress.yaml
  • talos/workers/allow-node-exporter-ingress.yaml
  • talos/control-planes/allow-internal-udp-ingress.yaml
  • talos/workers/allow-cni-vxlan-ingress.yaml
  • talos/workers/allow-apid-ingress.yaml
  • talos/cluster/enable-dex-oidc.yaml
  • talos/control-planes/allow-internal-nodepod-ingress.yaml
  • talos/workers/allow-cilium-mutual-auth-ingress.yaml
  • talos/cluster/verify-first-party-images.yaml
  • talos/cluster/authenticate-ghcr-pulls.yaml
  • talos/control-planes/allow-public-ingress.yaml
  • talos/cluster/encrypt-state-volume.yaml
  • talos/control-planes/allow-internal-node-ingress.yaml
  • talos/workers/allow-cilium-wireguard-ingress.yaml
  • talos/cluster/gc-terminated-pods-sooner.yaml
  • talos/workers/allow-nodeport-ingress.yaml
  • talos/workers/mount-longhorn-data.yaml
  • talos/cluster/encrypt-ephemeral-volume.yaml
k8s/bases/**

📄 CodeRabbit inference engine (AGENTS.md)

Do not modify base manifests under k8s/bases/ directly from overlays; make changes via Kustomize patches: in overlays instead.

Files:

  • k8s/bases/infrastructure/cluster-security-exceptions/image-verification.yaml
  • k8s/bases/infrastructure/cluster-policies/best-practices/verify-ksail-images.yaml
k8s/**

📄 CodeRabbit inference engine (AGENTS.md)

k8s/**: Keep Kubernetes manifests organized as a GitOps/Kustomize repository: use hierarchical base → provider overlay → cluster overlay structure, and respect Flux dependency order (bootstrapinfrastructure-controllersinfrastructureapps).
For Kubernetes resources, use one resource per file, keep directories kebab-case, and name files after the resource Kind (with documented exceptions for CR folders and patches/ folders).
Flux Kustomization CR manifests must be named flux-kustomization*.yaml, while the Kustomize build file must remain exactly kustomization.yaml.

Files:

  • k8s/bases/infrastructure/cluster-security-exceptions/image-verification.yaml
  • k8s/bases/infrastructure/cluster-policies/best-practices/verify-ksail-images.yaml
  • k8s/providers/hetzner/infrastructure/controllers/cilium/patches/enforce-wireguard-strict-mode.yaml
  • k8s/providers/hetzner/infrastructure/cluster-policies/restrict-storage-to-baseline-workers.yaml
k8s/bases/infrastructure/**

📄 CodeRabbit inference engine (AGENTS.md)

k8s/bases/infrastructure/**: Under k8s/bases/infrastructure/, use the component-folder-first layout: keep a component's HelmRelease/HelmRepository and its own CRs together in a folder named after the component, and split CRs into plural-Kind folders only for dependency or cluster-scoped reasons.
Place cluster-scoped or cross-cutting infrastructure resources in the appropriate plural-Kind folders (for example cluster-policies/, cluster-roles/, external-secrets/, limit-ranges/, vertical-pod-autoscalers/).

Files:

  • k8s/bases/infrastructure/cluster-security-exceptions/image-verification.yaml
  • k8s/bases/infrastructure/cluster-policies/best-practices/verify-ksail-images.yaml
k8s/**/patches/**

📄 CodeRabbit inference engine (AGENTS.md)

Patch fragments must live under a patches/ directory, use intent-describing filenames (verb-purpose.yaml), avoid a -patch suffix, and still follow one-resource-per-file.

Files:

  • k8s/providers/hetzner/infrastructure/controllers/cilium/patches/enforce-wireguard-strict-mode.yaml
🧠 Learnings (2)
📚 Learning: 2026-07-01T21:13:36.950Z
Learnt from: devantler
Repo: devantler-tech/platform PR: 2359
File: k8s/bases/apps/actual-budget/helm-release.yaml:62-111
Timestamp: 2026-07-01T21:13:36.950Z
Learning: When reviewing Kustomize/Helm YAML in this repo, keep the base vs provider overlay split: `k8s/bases/apps/**` and `k8s/bases/infrastructure/**` should contain each app’s full, environment-agnostic configuration (including base-level postRenderer Kustomize patches such as deployment strategy, topology spread, probes, and env injection). `k8s/providers/{docker,hetzner}/**` should only add small provider-specific deltas (e.g., `interval`, `persistence.size`) via patch files (like `k8s/providers/<provider>/apps/<app>/patches/helm-release-patch.yaml`). If configuration is identical across providers (e.g., OIDC/OAuth env vars where `${domain}` is resolved per cluster via envsubst), it belongs in the base and must not be duplicated into provider overlays.

Applied to files:

  • k8s/bases/infrastructure/cluster-security-exceptions/image-verification.yaml
  • k8s/bases/infrastructure/cluster-policies/best-practices/verify-ksail-images.yaml
  • k8s/providers/hetzner/infrastructure/controllers/cilium/patches/enforce-wireguard-strict-mode.yaml
  • k8s/providers/hetzner/infrastructure/cluster-policies/restrict-storage-to-baseline-workers.yaml
📚 Learning: 2026-07-04T13:30:04.759Z
Learnt from: devantler
Repo: devantler-tech/platform PR: 2446
File: k8s/bases/infrastructure/cluster-security-exceptions/delete-rbac.yaml:38-125
Timestamp: 2026-07-04T13:30:04.759Z
Learning: For Kubescape ClusterSecurityException (apiVersion kubescape.io/v1beta1) and the mirrored Headlamp exception config, do NOT pin `spec.match.resources[].name` (and Headlamp `attributes.name`) to a single literal value when the identifier includes a generated hash. These fields are compared using `regexCompare`, so match such resources with an anchored regular expression that covers the stable prefix and the hash pattern (e.g., `^crossplane:provider:provider-upjet-github-[0-9a-f]+:system$`) rather than the current hash, so the exception remains valid across provider re-installs/revisions.

Applied to files:

  • k8s/bases/infrastructure/cluster-security-exceptions/image-verification.yaml
🪛 ast-grep (0.44.1)
scripts/validate-naming.py

[warning] 113-113: File path is request-/variable-derived; validate and normalize to prevent path traversal.
Context: open(path, encoding="utf-8", errors="replace")
Note: [CWE-22] Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal').

(open-filename-from-request)

🪛 Ruff (0.15.20)
scripts/validate-naming.py

[error] 118-118: Ambiguous variable name: l

(E741)


[warning] 174-174: Use list.extend to create a transformed list

(PERF401)

🔀 Multi-repo context devantler-tech/ksail, devantler-tech/actions, devantler-tech/aws, devantler-tech/reusable-workflows, devantler-tech/ascoachingogvaner, devantler-tech/wedding-app, devantler-tech/agent-skills

Linked repositories findings

devantler-tech/ksail

  • docs/src/content/docs/guides/talos-native-patches.mdx still documents deprecated/generated Talos patch filenames as talos/cluster/image-verification.yaml, talos/cluster/disable-cdi.yaml, and ingress firewall files talos/cluster/ingress-firewall-default-action.yaml, talos/control-planes/ingress-firewall-rules.yaml, talos/workers/ingress-firewall-rules.yaml. Those examples are now inconsistent with the PR’s renamed intent-based patch files and Talos file split conventions. [::devantler-tech/ksail::]
  • docs/src/content/docs/distributions/talos.mdx still shows the old illustrative layout with disable-default-cni.yaml, image-verification.yaml, node-labels.yaml, storage.yaml, and ingress-firewall-rules.yaml; this is relevant because the PR updates naming guidance and some actual Talos filenames (for example the new default CNI disable file and renamed Talos patches). [::devantler-tech/ksail::]
  • pkg/fsutil/generator/talos/generator.go, pkg/fsutil/scaffolder/scaffolder_talos.go, and related tests still reference image-verification.yaml and disable-default-cni.yaml directly. If the PR’s naming changes are meant to affect generated/scaffolded Talos files, these are the primary code-path references to reconcile. [::devantler-tech/ksail::]

Other repositories

  • No relevant matches were found in devantler-tech/actions, devantler-tech/aws, devantler-tech/reusable-workflows, devantler-tech/ascoachingogvaner, devantler-tech/wedding-app, or devantler-tech/agent-skills. [::devantler-tech/actions::] [::devantler-tech/aws::] [::devantler-tech/reusable-workflows::] [::devantler-tech/ascoachingogvaner::] [::devantler-tech/wedding-app::] [::devantler-tech/agent-skills::]
🔇 Additional comments (28)
AGENTS.md (2)

209-221: 📐 Maintainability & Code Quality

Naming-convention text matches guidelines; flag cross-repo drift.

The rewritten rules correctly match the talos/**/*.yaml guideline (one doc per file, intent-based verb-purpose.yaml names, k8s-specific rules exempted) and the k8s/**/patches/** guideline (patches/ placement, no -patch suffix).

However, linked-repo research on devantler-tech/ksail shows its docs (talos-native-patches.mdx, talos.mdx) and generator/scaffolder code still reference deprecated names like image-verification.yaml, disable-default-cni.yaml, and ingress-firewall-rules.yaml, which conflict with the intent-based, one-doc-per-file conventions formalized here. If ksail scaffolds clusters using this repo's conventions, those references should be reconciled.

Source: Linked repositories


259-259: LGTM!

docs/dr/spire-server-ha.md (1)

128-128: LGTM!

docs/runtime-security.md (1)

27-33: LGTM!

docs/rwx-storage.md (1)

73-77: LGTM!

talos/control-planes/allow-internal-nodepod-ingress.yaml (1)

1-23: LGTM!

talos/control-planes/allow-internal-udp-ingress.yaml (1)

1-21: LGTM!

talos/control-planes/allow-public-ingress.yaml (1)

1-27: LGTM!

k8s/bases/infrastructure/cluster-policies/best-practices/verify-ksail-images.yaml (1)

6-6: LGTM!

k8s/bases/infrastructure/cluster-security-exceptions/image-verification.yaml (1)

6-6: LGTM!

k8s/providers/hetzner/infrastructure/controllers/cilium/patches/enforce-wireguard-strict-mode.yaml (1)

84-84: LGTM!

Also applies to: 101-101

talos/cluster/verify-first-party-images.yaml (1)

36-36: LGTM!

talos/control-planes/allow-internal-node-ingress.yaml (1)

1-27: LGTM!

talos/cluster/gc-terminated-pods-sooner.yaml (1)

22-22: 🎯 Functional Correctness

talos/cluster/enable-audit-logging.yaml already exists.

			> Likely an incorrect or invalid review comment.
k8s/providers/hetzner/infrastructure/cluster-policies/restrict-storage-to-baseline-workers.yaml (1)

7-7: 🎯 Functional Correctness

Drop this comment
talos/workers/label-nodes.yaml exists, so the path is not dangling.

			> Likely an incorrect or invalid review comment.
scripts/validate-naming.py (2)

121-193: LGTM!


209-228: LGTM!

talos/cluster/authenticate-ghcr-pulls.yaml (1)

1-53: LGTM!

talos/cluster/enable-dex-oidc.yaml (1)

1-25: LGTM!

talos/cluster/encrypt-ephemeral-volume.yaml (1)

1-24: LGTM!

talos/cluster/encrypt-state-volume.yaml (1)

1-22: LGTM!

talos/workers/allow-node-exporter-ingress.yaml (1)

1-18: LGTM!

talos/workers/allow-nodeport-ingress.yaml (1)

1-13: LGTM!

talos/workers/mount-longhorn-data.yaml (1)

11-13: 🎯 Functional Correctness

label-nodes.yaml is present at talos/workers/label-nodes.yaml; the cross-reference is accurate.

			> Likely an incorrect or invalid review comment.
talos/workers/allow-apid-ingress.yaml (1)

1-16: LGTM!

talos/workers/allow-cilium-mutual-auth-ingress.yaml (1)

1-23: LGTM! (See the consolidation note left on allow-cilium-health-ingress.yaml regarding merging this rule's port into that file.)

talos/workers/allow-cni-vxlan-ingress.yaml (1)

1-12: LGTM! (See the consolidation note left on allow-cilium-wireguard-ingress.yaml regarding merging this rule's port into that file.)

talos/workers/allow-hubble-peer-ingress.yaml (1)

1-13: LGTM!

Comment on lines +112 to +119
def count_docs(path):
"""Count YAML documents with any non-comment content (kind-less included)."""
with open(path, encoding="utf-8", errors="replace") as f:
text = f.read()
return sum(
1 for chunk in re.split(r"(?m)^---[ \t]*$", text)
if any(l.strip() and not l.lstrip().startswith("#") for l in chunk.splitlines())
)

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

Ambiguous variable name l flagged by Ruff.

Rename the loop variable to avoid the E741 lint error.

🧹 Proposed fix
     return sum(
         1 for chunk in re.split(r"(?m)^---[ \t]*$", text)
-        if any(l.strip() and not l.lstrip().startswith("#") for l in chunk.splitlines())
+        if any(line.strip() and not line.lstrip().startswith("#") for line in chunk.splitlines())
     )
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
def count_docs(path):
"""Count YAML documents with any non-comment content (kind-less included)."""
with open(path, encoding="utf-8", errors="replace") as f:
text = f.read()
return sum(
1 for chunk in re.split(r"(?m)^---[ \t]*$", text)
if any(l.strip() and not l.lstrip().startswith("#") for l in chunk.splitlines())
)
def count_docs(path):
"""Count YAML documents with any non-comment content (kind-less included)."""
with open(path, encoding="utf-8", errors="replace") as f:
text = f.read()
return sum(
1 for chunk in re.split(r"(?m)^---[ \t]*$", text)
if any(line.strip() and not line.lstrip().startswith("#") for line in chunk.splitlines())
)
🧰 Tools
🪛 ast-grep (0.44.1)

[warning] 113-113: File path is request-/variable-derived; validate and normalize to prevent path traversal.
Context: open(path, encoding="utf-8", errors="replace")
Note: [CWE-22] Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal').

(open-filename-from-request)

🪛 Ruff (0.15.20)

[error] 118-118: Ambiguous variable name: l

(E741)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@scripts/validate-naming.py` around lines 112 - 119, The `count_docs` helper
in `validate-naming.py` uses the ambiguous loop variable name `l`, which
triggers Ruff’s `E741` lint error. Rename that inner loop variable in the
`any(...)` expression to a clearer name, keeping the same document-counting
logic and preserving the behavior of `count_docs`.

Source: Linters/SAST tools

@github-project-automation github-project-automation Bot moved this from 🫴 Ready to 🏃🏻‍♂️ In Progress in 🌊 Project Board Jul 4, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

Status: 🏃🏻‍♂️ In Progress

Development

Successfully merging this pull request may close these issues.

1 participant