Skip to content

feat(helm): vulnProcessing CronJob annotations passthrough#75

Closed
yaroslavmokflmg wants to merge 1 commit into
mainfrom
hotfix/vulnprocessing-cronjob-annotations
Closed

feat(helm): vulnProcessing CronJob annotations passthrough#75
yaroslavmokflmg wants to merge 1 commit into
mainfrom
hotfix/vulnprocessing-cronjob-annotations

Conversation

@yaroslavmokflmg

@yaroslavmokflmg yaroslavmokflmg commented Jul 10, 2026

Copy link
Copy Markdown

Adds vulnProcessing.annotations passthrough on the fleet-vulnprocessing CronJob.

Context: today three tenants went Degraded after the vuln-persistence disks were deleted directly in GCP. While recovering, the built-in Argo CD CronJob health check surfaced: one failed run marks the CronJob Degraded until the next success (argoproj/argo-cd#24429), which degrades the whole tenant app and fails sync operations. This passthrough lets the tenant chart set argocd.argoproj.io/ignore-healthcheck: "true" — consistent with the existing bind-job workaround for fleetdm#22940.

Consumer change follows in openframe-saas-tenant after this chart is released.

Summary by CodeRabbit

  • New Features
    • Added support for configuring annotations on the vulnerability processing CronJob.
    • Included guidance for preventing Argo CD from marking the CronJob as degraded after a failed run.

The built-in Argo CD CronJob health check marks the resource Degraded
after a single failed run until the next success (argo-cd fleetdm#24429),
which degrades the whole tenant Application and fails sync operations.
Expose an annotations passthrough so consumers can set
argocd.argoproj.io/ignore-healthcheck.
@coderabbitai

coderabbitai Bot commented Jul 10, 2026

Copy link
Copy Markdown

Review Change Stack

Walkthrough

The Helm chart adds an annotations map to the vulnerability-processing configuration, defaulting to empty. The CronJob template conditionally renders configured annotations under metadata.annotations, serializing and indenting the values for YAML output. Comments document an Argo CD healthcheck-ignore annotation option.

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly summarizes the main change: adding annotations passthrough for the vulnProcessing CronJob.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch hotfix/vulnprocessing-cronjob-annotations

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@charts/fleet/templates/vulnprocessing/cronjob.yaml`:
- Around line 12-15: Wrap the annotations block under the Helm `with
.Values.vulnProcessing.annotations` directive with matching OPENFRAME sentinel
comments, using a unique slug, a concise reason, and the applicable
`openframe/docs/<doc>.md` reference before the block, then close it afterward.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 053eb043-e658-4999-84a9-ff0390343c3e

📥 Commits

Reviewing files that changed from the base of the PR and between 8b5cadc and 751409b.

📒 Files selected for processing (2)
  • charts/fleet/templates/vulnprocessing/cronjob.yaml
  • charts/fleet/values.yaml

Comment on lines +12 to +15
{{- with .Values.vulnProcessing.annotations }}
annotations:
{{- toYaml . | trim | nindent 4 }}
{{- end }}

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

📐 Maintainability & Code Quality | 🟡 Minor | ⚡ Quick win

Add OPENFRAME sentinel comments around the fork-added annotations block.

Per the coding guidelines, fork edits in YAML files must be wrapped in # >>> OPENFRAME(<slug>): <why> — openframe/docs/<doc>.md / # <<< OPENFRAME(<slug>) sentinel comments. Other fork additions in this file (e.g., lines 17–23, 41–78, 81–87) follow this convention, but the new annotations block does not.

As per coding guidelines: **/*.yaml: Fork edits in YAML configuration files must be wrapped in sentinel comments with the format # >>> OPENFRAME(<slug>): <why> — openframe/docs/<doc>.md followed by fork code, then # <<< OPENFRAME(<slug>).

📝 Proposed fix
+  # >>> OPENFRAME(vuln-persistence): fork-added CronJob annotations passthrough — openframe/docs/helm-chart.md
   {{- with .Values.vulnProcessing.annotations }}
   annotations:
     {{- toYaml . | trim | nindent 4 }}
   {{- end }}
+  # <<< OPENFRAME(vuln-persistence)
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
{{- with .Values.vulnProcessing.annotations }}
annotations:
{{- toYaml . | trim | nindent 4 }}
{{- end }}
# >>> OPENFRAME(vuln-persistence): fork-added CronJob annotations passthrough — openframe/docs/helm-chart.md
{{- with .Values.vulnProcessing.annotations }}
annotations:
{{- toYaml . | trim | nindent 4 }}
{{- end }}
# <<< OPENFRAME(vuln-persistence)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@charts/fleet/templates/vulnprocessing/cronjob.yaml` around lines 12 - 15,
Wrap the annotations block under the Helm `with
.Values.vulnProcessing.annotations` directive with matching OPENFRAME sentinel
comments, using a unique slug, a concise reason, and the applicable
`openframe/docs/<doc>.md` reference before the block, then close it afterward.

Source: Coding guidelines

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant