feat(helm): vulnProcessing CronJob annotations passthrough#75
feat(helm): vulnProcessing CronJob annotations passthrough#75yaroslavmokflmg wants to merge 1 commit into
Conversation
The built-in Argo CD CronJob health check marks the resource Degraded after a single failed run until the next success (argo-cd fleetdm#24429), which degrades the whole tenant Application and fails sync operations. Expose an annotations passthrough so consumers can set argocd.argoproj.io/ignore-healthcheck.
WalkthroughThe Helm chart adds an 🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@charts/fleet/templates/vulnprocessing/cronjob.yaml`:
- Around line 12-15: Wrap the annotations block under the Helm `with
.Values.vulnProcessing.annotations` directive with matching OPENFRAME sentinel
comments, using a unique slug, a concise reason, and the applicable
`openframe/docs/<doc>.md` reference before the block, then close it afterward.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Pro Plus
Run ID: 053eb043-e658-4999-84a9-ff0390343c3e
📒 Files selected for processing (2)
charts/fleet/templates/vulnprocessing/cronjob.yamlcharts/fleet/values.yaml
| {{- with .Values.vulnProcessing.annotations }} | ||
| annotations: | ||
| {{- toYaml . | trim | nindent 4 }} | ||
| {{- end }} |
There was a problem hiding this comment.
📐 Maintainability & Code Quality | 🟡 Minor | ⚡ Quick win
Add OPENFRAME sentinel comments around the fork-added annotations block.
Per the coding guidelines, fork edits in YAML files must be wrapped in # >>> OPENFRAME(<slug>): <why> — openframe/docs/<doc>.md / # <<< OPENFRAME(<slug>) sentinel comments. Other fork additions in this file (e.g., lines 17–23, 41–78, 81–87) follow this convention, but the new annotations block does not.
As per coding guidelines: **/*.yaml: Fork edits in YAML configuration files must be wrapped in sentinel comments with the format # >>> OPENFRAME(<slug>): <why> — openframe/docs/<doc>.md followed by fork code, then # <<< OPENFRAME(<slug>).
📝 Proposed fix
+ # >>> OPENFRAME(vuln-persistence): fork-added CronJob annotations passthrough — openframe/docs/helm-chart.md
{{- with .Values.vulnProcessing.annotations }}
annotations:
{{- toYaml . | trim | nindent 4 }}
{{- end }}
+ # <<< OPENFRAME(vuln-persistence)📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| {{- with .Values.vulnProcessing.annotations }} | |
| annotations: | |
| {{- toYaml . | trim | nindent 4 }} | |
| {{- end }} | |
| # >>> OPENFRAME(vuln-persistence): fork-added CronJob annotations passthrough — openframe/docs/helm-chart.md | |
| {{- with .Values.vulnProcessing.annotations }} | |
| annotations: | |
| {{- toYaml . | trim | nindent 4 }} | |
| {{- end }} | |
| # <<< OPENFRAME(vuln-persistence) |
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@charts/fleet/templates/vulnprocessing/cronjob.yaml` around lines 12 - 15,
Wrap the annotations block under the Helm `with
.Values.vulnProcessing.annotations` directive with matching OPENFRAME sentinel
comments, using a unique slug, a concise reason, and the applicable
`openframe/docs/<doc>.md` reference before the block, then close it afterward.
Source: Coding guidelines
Adds
vulnProcessing.annotationspassthrough on the fleet-vulnprocessing CronJob.Context: today three tenants went Degraded after the vuln-persistence disks were deleted directly in GCP. While recovering, the built-in Argo CD CronJob health check surfaced: one failed run marks the CronJob Degraded until the next success (argoproj/argo-cd#24429), which degrades the whole tenant app and fails sync operations. This passthrough lets the tenant chart set
argocd.argoproj.io/ignore-healthcheck: "true"— consistent with the existing bind-job workaround for fleetdm#22940.Consumer change follows in openframe-saas-tenant after this chart is released.
Summary by CodeRabbit