fix(authelia): align template standards#647
Conversation
Standards Check (GR-079) — PASSEvery changed chart fully passes standards-check. |
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: Organization UI Review profile: CHILL Plan: Pro Plus Run ID: 📒 Files selected for processing (2)
🚧 Files skipped from review as they are similar to previous changes (1)
📝 WalkthroughWalkthroughThis PR adds chart validation, updates the NTP startup drift tolerance, and adjusts two Authelia CI scenario files. ChangesConfiguration Validation, NTP, and CI Scenarios
Estimated code review effort: 2 (Simple) | ~15 minutes Possibly related PRs
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
🟢 Security Scan:
|
| Framework | Score |
|---|---|
| MITRE + NSA + SOC2 | 90.31987% |
✅ Security posture acceptable.
There was a problem hiding this comment.
Actionable comments posted: 1
🧹 Nitpick comments (2)
charts/authelia/tests/validation_test.yaml (1)
1-79: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick winAdd missing test cases for untested validation branches.
Coverage gaps vs.
authelia.validatein_helpers.tpl: invaliddatabase.typevalue (Line 36-38),database.type=mysqlwithpostgresql.enabled=true(Line 42-44), missing external host for mysql mode (Line 48-50), andgateway.parentRefs[i].namemissing (Line 73-77) are not exercised here.➕ Example additional test cases
- it: should fail when mysql mode enables postgresql subchart set: database.type: mysql postgresql.enabled: true asserts: - failedTemplate: errorMessage: "database.type=mysql cannot be used with postgresql.enabled=true" - it: should fail with an invalid database type set: database.type: mongodb asserts: - failedTemplate: errorMessage: "database.type must be one of: sqlite, postgres, mysql (got mongodb)" - it: should fail when a gateway parentRef has no name set: gateway.enabled: true gateway.parentRefs: - sectionName: http asserts: - failedTemplate: errorMessage: "gateway.parentRefs[0].name is required when gateway.enabled is true"🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@charts/authelia/tests/validation_test.yaml` around lines 1 - 79, Add test coverage in validation_test.yaml for the missing branches in authelia.validate from _helpers.tpl: add a case for an invalid database.type value, a case for database.type=mysql with postgresql.enabled=true, a case for mysql mode missing database.external.host, and a case where gateway.parentRefs[0].name is absent. Use the existing validation test patterns and failedTemplate assertions, matching the error messages produced by authelia.validate, gateway.enabled, and database.type handling.charts/authelia/templates/_helpers.tpl (1)
45-50: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low valueDuplicate fail message across postgres/mysql branches.
Lines 46 and 49 emit the identical error string. Could be consolidated into a single check using a common condition, but this is purely cosmetic.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@charts/authelia/templates/_helpers.tpl` around lines 45 - 50, There are two duplicate fail checks in the helper template for postgres and mysql that emit the same message; consolidate them into one common condition in _helpers.tpl using the shared dbType/database.external.host logic and the postgres/mysql subchart enabled flags, so the failure path is defined once and the existing message is preserved.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@charts/authelia/values.yaml`:
- Around line 79-81: The default NTP startup check is being disabled in the
chart’s values, which turns off a security safeguard for all deployments. Change
the default in values.yaml back to the safer setting and keep the disablement
limited to dev/CI-specific overrides instead; use the disable_startup_check
setting as the point to adjust the default and ensure production installations
retain the check unless explicitly overridden.
---
Nitpick comments:
In `@charts/authelia/templates/_helpers.tpl`:
- Around line 45-50: There are two duplicate fail checks in the helper template
for postgres and mysql that emit the same message; consolidate them into one
common condition in _helpers.tpl using the shared dbType/database.external.host
logic and the postgres/mysql subchart enabled flags, so the failure path is
defined once and the existing message is preserved.
In `@charts/authelia/tests/validation_test.yaml`:
- Around line 1-79: Add test coverage in validation_test.yaml for the missing
branches in authelia.validate from _helpers.tpl: add a case for an invalid
database.type value, a case for database.type=mysql with
postgresql.enabled=true, a case for mysql mode missing database.external.host,
and a case where gateway.parentRefs[0].name is absent. Use the existing
validation test patterns and failedTemplate assertions, matching the error
messages produced by authelia.validate, gateway.enabled, and database.type
handling.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro Plus
Run ID: 19e9bf88-1e23-4299-938a-f266214a233e
📒 Files selected for processing (7)
charts/authelia/ci/dual-stack.yamlcharts/authelia/ci/external-secrets.yamlcharts/authelia/templates/_helpers.tplcharts/authelia/templates/validate.yamlcharts/authelia/tests/secret_test.yamlcharts/authelia/tests/validation_test.yamlcharts/authelia/values.yaml
bcbe378 to
e627ba4
Compare
|
Addressed the remaining valid CodeRabbit review-body nitpicks. Changes:
Validation:
Skipped item:
Note: these nitpicks were posted in the review summary/body, not as active review threads, so there are no thread IDs to reply to or resolve for them. The NTP inline thread was already confirmed by CodeRabbit and is resolved. |
Summary
Validation
Site PR: helmforgedev/site#327
Issue: #633
Summary by CodeRabbit
max_desyncfrom 3s to 30s). Startup checks remain enabled.PreferDualStackonly (no explicit IPv4/IPv6 family lists) while keeping persistence disabled.ClusterSecretStoreand directremoteRefkey references.