Skip to content

fix(drupal): centralize template validation#662

Open
mberlofa wants to merge 2 commits into
mainfrom
fix/drupal-template-standards
Open

fix(drupal): centralize template validation#662
mberlofa wants to merge 2 commits into
mainfrom
fix/drupal-template-standards

Conversation

@mberlofa

@mberlofa mberlofa commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

Summary

  • add a centralized drupal.validate helper and templates/validate.yaml entrypoint
  • run existing database, replica, backup, and autoscaling validations through the central entrypoint
  • add fail-fast validation for ingress without hosts and reserved selector-label overrides

Validation

  • helm unittest charts/drupal
  • helm lint --strict charts/drupal
  • make template-standards-check CHART=drupal
  • make standards-check CHART=drupal
  • make validate-chart CHART=drupal TIMEOUT=900: FULLY VALIDATED (17 layers)
  • make site-sync-check CHART=drupal
  • make release-check REPO=charts
  • make attribution-check REPO=charts

Site PR: helmforgedev/site#341
Issue: #633

Summary by CodeRabbit

  • New Features

    • Added chart validation checks that run during deployment rendering.
    • Enforced required ingress hosts when ingress is enabled.
    • Prevented custom pod labels from overriding reserved selector labels.
  • Tests

    • Expanded validation coverage with cases for missing ingress hosts, label conflicts, and nullable pod labels.
    • Updated validation checks to run against the dedicated validation template.

@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

Standards Check (GR-079) — PASS

Every changed chart fully passes standards-check.

@coderabbitai

coderabbitai Bot commented Jul 3, 2026

Copy link
Copy Markdown

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: b43b9d81-ef2a-4c4c-be95-82be2122a468

📥 Commits

Reviewing files that changed from the base of the PR and between ad8595c and ada9814.

📒 Files selected for processing (3)
  • charts/drupal/templates/_helpers.tpl
  • charts/drupal/templates/validate.yaml
  • charts/drupal/tests/validation_test.yaml
🚧 Files skipped from review as they are similar to previous changes (1)
  • charts/drupal/templates/_helpers.tpl

📝 Walkthrough

Walkthrough

Adds a new drupal.validate Helm named template that runs existing validation helpers and new checks for ingress hosts and reserved podLabels labels. A new validate.yaml template invokes it, and the validation tests now target that entrypoint.

Changes

Validation template and coverage

Layer / File(s) Summary
drupal.validate template definition
charts/drupal/templates/_helpers.tpl
Adds drupal.validate template that forces evaluation of database mode, replica count, backup, and autoscaling helpers, and validates ingress.hosts non-emptiness when ingress is enabled and that podLabels don't override reserved selector labels.
Validation template entrypoint
charts/drupal/templates/validate.yaml
Adds a new template file that includes drupal.validate with the chart context.
Test coverage for validation rules
charts/drupal/tests/validation_test.yaml
Switches test target to templates/validate.yaml and adds cases for empty ingress hosts, podLabels overriding component label, and null podLabels.

Estimated code review effort: 2 (Simple) | ~10 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately summarizes the main change: centralizing Drupal template validation.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch fix/drupal-template-standards

Comment @coderabbitai help to get the list of available commands.

@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

🟢 Security Scan: drupal

Framework Score
MITRE + NSA + SOC2 83.333336%

✅ Security posture acceptable.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick comments (2)
charts/drupal/tests/validation_test.yaml (1)

47-53: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

Test coverage only covers one of the three reserved labels.

Only app.kubernetes.io/component override is tested; app.kubernetes.io/name and app.kubernetes.io/instance overrides aren't exercised. Given the near-identical logic, adding two more cases would fully cover the validation branches.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@charts/drupal/tests/validation_test.yaml` around lines 47 - 53, The
validation tests for reserved pod label overrides only cover one branch, so add
two more negative test cases in the same validation suite to exercise the other
reserved labels. Extend the existing failedTemplate coverage around the
podLabels validation logic to assert that overriding app.kubernetes.io/name and
app.kubernetes.io/instance also returns the expected error messages, alongside
the current app.kubernetes.io/component case.
charts/drupal/templates/_helpers.tpl (1)

386-395: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

Consider deduplicating the reserved-label checks.

The three hasKey/fail blocks are structurally identical aside from the key name. A loop over the reserved keys would reduce duplication and make adding future reserved labels (e.g., if app.kubernetes.io/component handling changes) a one-line change.

♻️ Proposed DRY refactor
 {{- $podLabels := .Values.podLabels | default dict -}}
-{{- if hasKey $podLabels "app.kubernetes.io/name" -}}
-{{- fail "podLabels must not override selector label app.kubernetes.io/name" -}}
-{{- end -}}
-{{- if hasKey $podLabels "app.kubernetes.io/instance" -}}
-{{- fail "podLabels must not override selector label app.kubernetes.io/instance" -}}
-{{- end -}}
-{{- if hasKey $podLabels "app.kubernetes.io/component" -}}
-{{- fail "podLabels must not override selector label app.kubernetes.io/component" -}}
-{{- end -}}
+{{- range list "app.kubernetes.io/name" "app.kubernetes.io/instance" "app.kubernetes.io/component" }}
+{{- if hasKey $podLabels . -}}
+{{- fail (printf "podLabels must not override selector label %s" .) -}}
+{{- end -}}
+{{- end -}}
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@charts/drupal/templates/_helpers.tpl` around lines 386 - 395, The
reserved-label validation in the _helpers.tpl logic is duplicated across three
nearly identical hasKey/fail checks. Refactor the podLabels guard to iterate
over the reserved selector keys used by the label helpers
(app.kubernetes.io/name, app.kubernetes.io/instance,
app.kubernetes.io/component) and fail with the same message when any are
present, so future reserved labels can be added in one place.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@charts/drupal/templates/_helpers.tpl`:
- Around line 386-395: The reserved-label validation in the _helpers.tpl logic
is duplicated across three nearly identical hasKey/fail checks. Refactor the
podLabels guard to iterate over the reserved selector keys used by the label
helpers (app.kubernetes.io/name, app.kubernetes.io/instance,
app.kubernetes.io/component) and fail with the same message when any are
present, so future reserved labels can be added in one place.

In `@charts/drupal/tests/validation_test.yaml`:
- Around line 47-53: The validation tests for reserved pod label overrides only
cover one branch, so add two more negative test cases in the same validation
suite to exercise the other reserved labels. Extend the existing failedTemplate
coverage around the podLabels validation logic to assert that overriding
app.kubernetes.io/name and app.kubernetes.io/instance also returns the expected
error messages, alongside the current app.kubernetes.io/component case.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 4b705251-d751-4df7-a272-bace6f73e63e

📥 Commits

Reviewing files that changed from the base of the PR and between 870b4c7 and ce2e833.

📒 Files selected for processing (3)
  • charts/drupal/templates/_helpers.tpl
  • charts/drupal/templates/validate.yaml
  • charts/drupal/tests/validation_test.yaml

@mberlofa mberlofa force-pushed the fix/drupal-template-standards branch from ad8595c to ada9814 Compare July 5, 2026 20:48
@mberlofa

mberlofa commented Jul 5, 2026

Copy link
Copy Markdown
Contributor Author

Addressed both CodeRabbit review-summary nitpicks.

Changes:

  • Refactored reserved podLabels validation to iterate over the reserved selector label keys instead of duplicating three hasKey/fail blocks.
  • Added negative validation coverage for overriding app.kubernetes.io/name and app.kubernetes.io/instance, alongside the existing component case.

Validation:

  • make validate-chart CHART=drupal passed after rebasing on current origin/main
  • Result: drupal: FULLY VALIDATED (17 layers), including all k3d GR-027 scenarios
  • make release-check REPO=charts passed with only the expected post-merge release confirmation warning
  • make attribution-check REPO=charts passed
  • git diff --check passed

Note: these CodeRabbit items were posted in the review summary/body, not as active review threads, so there are no thread IDs to reply to or resolve for them.

@github-actions github-actions Bot added the size:M label Jul 5, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant