Skip to content

fix(authelia): align template standards#647

Merged
mberlofa merged 3 commits into
mainfrom
fix/authelia-template-standards
Jul 6, 2026
Merged

fix(authelia): align template standards#647
mberlofa merged 3 commits into
mainfrom
fix/authelia-template-standards

Conversation

@mberlofa

@mberlofa mberlofa commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

Summary

  • add the canonical authelia.validate helper and validate.yaml gate
  • centralize fail-fast validation for database mode, backup, ingress hosts, Gateway parentRefs, and selector label overrides
  • disable the Authelia NTP startup check by default for Kubernetes startup stability
  • make dual-stack CI compatible with single-stack k3d and point ExternalSecrets CI at the HelmForge fake ClusterSecretStore
  • add helm-unittest coverage for validation failures and the NTP startup-check default

Validation

  • make template-standards-check CHART=authelia
  • helm unittest charts/authelia
  • helm lint --strict charts/authelia
  • make standards-check CHART=authelia
  • make validate-chart CHART=authelia TIMEOUT=1200: FULLY VALIDATED (18 layers)
  • make site-sync-check CHART=authelia
  • make release-check REPO=charts
  • make attribution-check REPO=charts

Site PR: helmforgedev/site#327
Issue: #633

Summary by CodeRabbit

  • New Features
    • Added fail-fast Helm chart validation with clear error messages for common misconfigurations (database mode, S3 backup settings, ingress/gateway requirements, and restricted label overrides).
  • Bug Fixes
    • Increased tolerated NTP clock drift during startup checks (max_desync from 3s to 30s). Startup checks remain enabled.
  • CI/Chart Improvements
    • Updated the dual-stack CI scenario to rely on PreferDualStack only (no explicit IPv4/IPv6 family lists) while keeping persistence disabled.
    • Adjusted External Secrets mappings to use the test ClusterSecretStore and direct remoteRef key references.
  • Tests
    • Updated secret rendering assertions for the new NTP drift window and added a validation test suite.

@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

Standards Check (GR-079) — PASS

Every changed chart fully passes standards-check.

@coderabbitai

coderabbitai Bot commented Jul 3, 2026

Copy link
Copy Markdown

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 8ec42aed-84eb-497c-b434-e5d3abe08443

📥 Commits

Reviewing files that changed from the base of the PR and between e627ba4 and 25e5e97.

📒 Files selected for processing (2)
  • charts/authelia/templates/_helpers.tpl
  • charts/authelia/tests/validation_test.yaml
🚧 Files skipped from review as they are similar to previous changes (1)
  • charts/authelia/templates/_helpers.tpl

📝 Walkthrough

Walkthrough

This PR adds chart validation, updates the NTP startup drift tolerance, and adjusts two Authelia CI scenario files.

Changes

Configuration Validation, NTP, and CI Scenarios

Layer / File(s) Summary
Validation helper and template wiring
charts/authelia/templates/_helpers.tpl, charts/authelia/templates/validate.yaml, charts/authelia/tests/validation_test.yaml
Adds authelia.validate checks for database, backup, ingress, gateway, and podLabels settings, renders it from validate.yaml, and verifies validation messages plus default no-document rendering.
NTP startup drift update
charts/authelia/values.yaml, charts/authelia/tests/secret_test.yaml
Changes config.ntp.max_desync to 30s and adds a secret rendering test for the updated NTP configuration.
Dual-stack CI scenario
charts/authelia/ci/dual-stack.yaml
Removes the explicit service.ipFamilies list while keeping service.ipFamilyPolicy: PreferDualStack.
External-secrets CI scenario
charts/authelia/ci/external-secrets.yaml
Updates the secret store reference and rewrites the remote secret keys to use test/token directly.

Estimated code review effort: 2 (Simple) | ~15 minutes

Possibly related PRs

  • helmforgedev/charts#642: Adds the same pattern of Helm validation scaffolding with a *.validate helper, templates/validate.yaml, and validation tests.
🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately reflects the main goal of aligning the Authelia chart with template standards.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch fix/authelia-template-standards

Comment @coderabbitai help to get the list of available commands.

@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

🟢 Security Scan: authelia

Framework Score
MITRE + NSA + SOC2 90.31987%

✅ Security posture acceptable.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🧹 Nitpick comments (2)
charts/authelia/tests/validation_test.yaml (1)

1-79: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

Add missing test cases for untested validation branches.

Coverage gaps vs. authelia.validate in _helpers.tpl: invalid database.type value (Line 36-38), database.type=mysql with postgresql.enabled=true (Line 42-44), missing external host for mysql mode (Line 48-50), and gateway.parentRefs[i].name missing (Line 73-77) are not exercised here.

➕ Example additional test cases
  - it: should fail when mysql mode enables postgresql subchart
    set:
      database.type: mysql
      postgresql.enabled: true
    asserts:
      - failedTemplate:
          errorMessage: "database.type=mysql cannot be used with postgresql.enabled=true"

  - it: should fail with an invalid database type
    set:
      database.type: mongodb
    asserts:
      - failedTemplate:
          errorMessage: "database.type must be one of: sqlite, postgres, mysql (got mongodb)"

  - it: should fail when a gateway parentRef has no name
    set:
      gateway.enabled: true
      gateway.parentRefs:
        - sectionName: http
    asserts:
      - failedTemplate:
          errorMessage: "gateway.parentRefs[0].name is required when gateway.enabled is true"
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@charts/authelia/tests/validation_test.yaml` around lines 1 - 79, Add test
coverage in validation_test.yaml for the missing branches in authelia.validate
from _helpers.tpl: add a case for an invalid database.type value, a case for
database.type=mysql with postgresql.enabled=true, a case for mysql mode missing
database.external.host, and a case where gateway.parentRefs[0].name is absent.
Use the existing validation test patterns and failedTemplate assertions,
matching the error messages produced by authelia.validate, gateway.enabled, and
database.type handling.
charts/authelia/templates/_helpers.tpl (1)

45-50: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low value

Duplicate fail message across postgres/mysql branches.

Lines 46 and 49 emit the identical error string. Could be consolidated into a single check using a common condition, but this is purely cosmetic.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@charts/authelia/templates/_helpers.tpl` around lines 45 - 50, There are two
duplicate fail checks in the helper template for postgres and mysql that emit
the same message; consolidate them into one common condition in _helpers.tpl
using the shared dbType/database.external.host logic and the postgres/mysql
subchart enabled flags, so the failure path is defined once and the existing
message is preserved.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@charts/authelia/values.yaml`:
- Around line 79-81: The default NTP startup check is being disabled in the
chart’s values, which turns off a security safeguard for all deployments. Change
the default in values.yaml back to the safer setting and keep the disablement
limited to dev/CI-specific overrides instead; use the disable_startup_check
setting as the point to adjust the default and ensure production installations
retain the check unless explicitly overridden.

---

Nitpick comments:
In `@charts/authelia/templates/_helpers.tpl`:
- Around line 45-50: There are two duplicate fail checks in the helper template
for postgres and mysql that emit the same message; consolidate them into one
common condition in _helpers.tpl using the shared dbType/database.external.host
logic and the postgres/mysql subchart enabled flags, so the failure path is
defined once and the existing message is preserved.

In `@charts/authelia/tests/validation_test.yaml`:
- Around line 1-79: Add test coverage in validation_test.yaml for the missing
branches in authelia.validate from _helpers.tpl: add a case for an invalid
database.type value, a case for database.type=mysql with
postgresql.enabled=true, a case for mysql mode missing database.external.host,
and a case where gateway.parentRefs[0].name is absent. Use the existing
validation test patterns and failedTemplate assertions, matching the error
messages produced by authelia.validate, gateway.enabled, and database.type
handling.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 19e9bf88-1e23-4299-938a-f266214a233e

📥 Commits

Reviewing files that changed from the base of the PR and between 0d8168f and 7dee1b7.

📒 Files selected for processing (7)
  • charts/authelia/ci/dual-stack.yaml
  • charts/authelia/ci/external-secrets.yaml
  • charts/authelia/templates/_helpers.tpl
  • charts/authelia/templates/validate.yaml
  • charts/authelia/tests/secret_test.yaml
  • charts/authelia/tests/validation_test.yaml
  • charts/authelia/values.yaml

Comment thread charts/authelia/values.yaml Outdated
@mberlofa mberlofa force-pushed the fix/authelia-template-standards branch from bcbe378 to e627ba4 Compare July 4, 2026 17:44
@mberlofa

mberlofa commented Jul 5, 2026

Copy link
Copy Markdown
Contributor Author

Addressed the remaining valid CodeRabbit review-body nitpicks.

Changes:

  • Consolidated the duplicated external database host validation into one shared condition while preserving the existing failure message.
  • Added validation coverage for database.type=mysql with postgresql.enabled=true.
  • Added validation coverage for missing external MySQL host when no matching MySQL subchart is enabled.
  • Added validation coverage for gateway.parentRefs[0].name being absent.

Validation:

  • helm unittest charts/authelia -f 'tests/validation_test.yaml' passed
  • make validate-chart CHART=authelia passed
  • Result: authelia: FULLY VALIDATED (18 layers), including all k3d GR-027 scenarios
  • make release-check REPO=charts passed with only the expected post-merge release confirmation warning
  • make attribution-check REPO=charts passed
  • git diff --check passed

Skipped item:

  • The suggested invalid database.type unit test is not applicable with the normal chart validation path because values.schema.json rejects unsupported values before the template fail branch is reached.

Note: these nitpicks were posted in the review summary/body, not as active review threads, so there are no thread IDs to reply to or resolve for them. The NTP inline thread was already confirmed by CodeRabbit and is resolved.

@mberlofa mberlofa merged commit d500cf1 into main Jul 6, 2026
17 checks passed
@mberlofa mberlofa deleted the fix/authelia-template-standards branch July 6, 2026 08:14
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant