Skip to content

fix(envoy-gateway): align template standards#663

Open
mberlofa wants to merge 4 commits into
mainfrom
fix/envoy-gateway-template-standards
Open

fix(envoy-gateway): align template standards#663
mberlofa wants to merge 4 commits into
mainfrom
fix/envoy-gateway-template-standards

Conversation

@mberlofa

@mberlofa mberlofa commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

Summary

  • fix certgen Job pod labels to use selector labels plus component only
  • add security.networkPolicy.extraEgress support with schema and unit coverage
  • add centralized envoy-gateway.validate entrypoint for rate limiting, external Redis auth, ExternalSecrets, and reserved pod-label validations

Validation

  • helm unittest charts/envoy-gateway
  • helm lint --strict charts/envoy-gateway
  • make template-standards-check CHART=envoy-gateway
  • make standards-check CHART=envoy-gateway
  • make validate-chart CHART=envoy-gateway TIMEOUT=900: FULLY VALIDATED (20 layers)
  • make site-sync-check CHART=envoy-gateway
  • make release-check REPO=charts
  • make attribution-check REPO=charts

Site PR: helmforgedev/site#342
Issue: #633

Summary by CodeRabbit

  • New Features
    • Added security.networkPolicy.extraEgress to append additional egress rules to the controller NetworkPolicy.
    • Added fail-fast Helm chart validations for incompatible rate-limiting and external Redis/external secrets settings.
  • Bug Fixes
    • Updated certgen Job pod label behavior to use the chart’s selector labels.
    • Prevented podLabels from overriding reserved selector label keys.
  • Tests
    • Expanded validation, certgen label, and security extra egress test coverage.
  • Documentation
    • Corrected wording for security.networkPolicies in the README.

@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

Standards Check (GR-079) — PASS

Every changed chart fully passes standards-check.

@coderabbitai

coderabbitai Bot commented Jul 3, 2026

Copy link
Copy Markdown

Review Change Stack

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

  • ▶️ Resume reviews
  • 🔍 Trigger review

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: ee176efe-9926-45cd-b824-d4c34c7329e0

📥 Commits

Reviewing files that changed from the base of the PR and between bed1861 and 4d4a1a1.

📒 Files selected for processing (4)
  • charts/envoy-gateway/README.md
  • charts/envoy-gateway/templates/_helpers.tpl
  • charts/envoy-gateway/values.schema.json
  • charts/envoy-gateway/values.yaml
✅ Files skipped from review due to trivial changes (1)
  • charts/envoy-gateway/README.md
🚧 Files skipped from review as they are similar to previous changes (3)
  • charts/envoy-gateway/values.yaml
  • charts/envoy-gateway/templates/_helpers.tpl
  • charts/envoy-gateway/values.schema.json

📝 Walkthrough

Walkthrough

This PR adds chart validation for externalSecrets/rateLimiting and podLabels, updates certgen Job labels to selector labels, and adds security.networkPolicy.extraEgress to the controller NetworkPolicy with schema, values, and test coverage.

Changes

Chart validation and network policy changes

Layer / File(s) Summary
Values validation helper and entrypoint
charts/envoy-gateway/templates/_helpers.tpl, charts/envoy-gateway/templates/validate.yaml
Adds envoy-gateway.validate helper with fail conditions for external secrets and rate-limiting dependencies and podLabels overriding selector keys, wired via validate.yaml.
Validation test coverage
charts/envoy-gateway/tests/validation_test.yaml
Adds Helm tests for validation failures and passing cases covering rate limiting, external Redis auth, external secrets, and reserved podLabels keys.
Certgen job selector labels fix
charts/envoy-gateway/templates/certgen-job.yaml, charts/envoy-gateway/tests/certgen_test.yaml
Certgen Job pod template labels now use envoy-gateway.selectorLabels instead of envoy-gateway.labels, with a test asserting the chart label is excluded.
NetworkPolicy extraEgress support
charts/envoy-gateway/values.schema.json, charts/envoy-gateway/values.yaml, charts/envoy-gateway/templates/networkpolicy.yaml, charts/envoy-gateway/README.md, charts/envoy-gateway/tests/security_test.yaml
Adds security.networkPolicy.extraEgress to values and schema, renders it into the controller NetworkPolicy egress list, updates the related README wording, and validates the appended egress rule in tests.

Estimated code review effort: 2 (Simple) | ~15 minutes

Related PRs: None identified.

Suggested labels: helm-chart, validation, networkpolicy

Suggested reviewers: None identified.

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title is broad, but it matches the PR’s goal of bringing the Helm templates in line with chart standards.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch fix/envoy-gateway-template-standards

Comment @coderabbitai help to get the list of available commands.

@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

🟢 Security Scan: envoy-gateway

Framework Score
MITRE + NSA + SOC2 71.6306%

✅ Security posture acceptable.

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 44963f8e12

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread charts/envoy-gateway/templates/_helpers.tpl Outdated

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🧹 Nitpick comments (2)
charts/envoy-gateway/templates/_helpers.tpl (1)

252-261: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

Reserved keys hardcoded separately from selectorLabels.

The reserved key list (app.kubernetes.io/name, /instance, /component) is duplicated here rather than derived from envoy-gateway.selectorLabels. If that helper's key set changes later, this validation will silently drift out of sync.

♻️ Suggested approach
-{{- $podLabels := .Values.podLabels | default dict -}}
-{{- if hasKey $podLabels "app.kubernetes.io/name" -}}
-{{- fail "podLabels must not override selector label app.kubernetes.io/name" -}}
-{{- end -}}
-{{- if hasKey $podLabels "app.kubernetes.io/instance" -}}
-{{- fail "podLabels must not override selector label app.kubernetes.io/instance" -}}
-{{- end -}}
-{{- if hasKey $podLabels "app.kubernetes.io/component" -}}
-{{- fail "podLabels must not override selector label app.kubernetes.io/component" -}}
-{{- end -}}
+{{- $podLabels := .Values.podLabels | default dict -}}
+{{- $selectorLabels := include "envoy-gateway.selectorLabels" . | fromYaml -}}
+{{- range $key, $_ := $selectorLabels -}}
+{{- if hasKey $podLabels $key -}}
+{{- fail (printf "podLabels must not override selector label %s" $key) -}}
+{{- end -}}
+{{- end -}}
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@charts/envoy-gateway/templates/_helpers.tpl` around lines 252 - 261, The
podLabels validation in the _helpers.tpl helper is hardcoding reserved selector
keys instead of reusing the same source as selectorLabels, so it can drift if
those keys change. Update the validation logic to derive the reserved-key checks
from the envoy-gateway.selectorLabels helper (or its shared key set) and keep
the hasKey/fail behavior in sync with that single source of truth.
charts/envoy-gateway/values.schema.json (1)

636-652: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

Confusing naming: networkPolicies (bool) vs networkPolicy (object).

Having both security.networkPolicies (enable flag) and security.networkPolicy (extension object) as near-identical sibling keys is easy to mistype/misread. Consider nesting the flag under the same object (e.g. security.networkPolicy.enabled + security.networkPolicy.extraEgress) or renaming one of them for clarity.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@charts/envoy-gateway/values.schema.json` around lines 636 - 652, The schema
currently defines two confusing sibling keys, networkPolicies as a boolean flag
and networkPolicy as an object, which are easy to mistype or misread. Update the
schema in values.schema.json to use clearer, consistent naming by either nesting
the enable flag under networkPolicy as an enabled property with extraEgress, or
renaming one of the symbols so the boolean and extension object are not nearly
identical siblings. Keep the descriptions and defaults aligned with the new
shape so consumers can tell which key controls enablement versus rule
extensions.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@charts/envoy-gateway/templates/validate.yaml`:
- Around line 1-2: The YAML lint failure comes from using a Go template comment
as the first line in the validate template, which makes the parser see template
syntax before valid YAML. Update the top of envoy-gateway.validate’s template to
use a plain YAML comment for the SPDX header, matching the other templates, and
keep the include of envoys-gateway.validate unchanged so yamllint can parse the
file cleanly.

---

Nitpick comments:
In `@charts/envoy-gateway/templates/_helpers.tpl`:
- Around line 252-261: The podLabels validation in the _helpers.tpl helper is
hardcoding reserved selector keys instead of reusing the same source as
selectorLabels, so it can drift if those keys change. Update the validation
logic to derive the reserved-key checks from the envoy-gateway.selectorLabels
helper (or its shared key set) and keep the hasKey/fail behavior in sync with
that single source of truth.

In `@charts/envoy-gateway/values.schema.json`:
- Around line 636-652: The schema currently defines two confusing sibling keys,
networkPolicies as a boolean flag and networkPolicy as an object, which are easy
to mistype or misread. Update the schema in values.schema.json to use clearer,
consistent naming by either nesting the enable flag under networkPolicy as an
enabled property with extraEgress, or renaming one of the symbols so the boolean
and extension object are not nearly identical siblings. Keep the descriptions
and defaults aligned with the new shape so consumers can tell which key controls
enablement versus rule extensions.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 7f81c52f-bb24-43af-9f32-3c2fd20a9bcc

📥 Commits

Reviewing files that changed from the base of the PR and between 870b4c7 and 44963f8.

📒 Files selected for processing (9)
  • charts/envoy-gateway/templates/_helpers.tpl
  • charts/envoy-gateway/templates/certgen-job.yaml
  • charts/envoy-gateway/templates/networkpolicy.yaml
  • charts/envoy-gateway/templates/validate.yaml
  • charts/envoy-gateway/tests/certgen_test.yaml
  • charts/envoy-gateway/tests/security_test.yaml
  • charts/envoy-gateway/tests/validation_test.yaml
  • charts/envoy-gateway/values.schema.json
  • charts/envoy-gateway/values.yaml

Comment thread charts/envoy-gateway/templates/validate.yaml Outdated
@mberlofa mberlofa force-pushed the fix/envoy-gateway-template-standards branch from 559049c to bbf8b0f Compare July 4, 2026 13:56

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@charts/envoy-gateway/templates/validate.yaml`:
- Around line 1-2: The validate.yaml template still needs a yamllint exception
because the bare include directive in envoy-gateway.validate will be flagged by
strict YAML parsing. Update the validate.yaml template to either exclude it from
yamllint or add a file-level yamllint disable marker as the first line, keeping
the existing envoy-gateway.validate include intact.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: ac5626bc-8f50-4bc6-9de2-6d6c315f4014

📥 Commits

Reviewing files that changed from the base of the PR and between 559049c and bbf8b0f.

📒 Files selected for processing (9)
  • charts/envoy-gateway/templates/_helpers.tpl
  • charts/envoy-gateway/templates/certgen-job.yaml
  • charts/envoy-gateway/templates/networkpolicy.yaml
  • charts/envoy-gateway/templates/validate.yaml
  • charts/envoy-gateway/tests/certgen_test.yaml
  • charts/envoy-gateway/tests/security_test.yaml
  • charts/envoy-gateway/tests/validation_test.yaml
  • charts/envoy-gateway/values.schema.json
  • charts/envoy-gateway/values.yaml
🚧 Files skipped from review as they are similar to previous changes (8)
  • charts/envoy-gateway/templates/networkpolicy.yaml
  • charts/envoy-gateway/tests/certgen_test.yaml
  • charts/envoy-gateway/templates/certgen-job.yaml
  • charts/envoy-gateway/tests/validation_test.yaml
  • charts/envoy-gateway/tests/security_test.yaml
  • charts/envoy-gateway/values.yaml
  • charts/envoy-gateway/values.schema.json
  • charts/envoy-gateway/templates/_helpers.tpl

Comment thread charts/envoy-gateway/templates/validate.yaml
@mberlofa mberlofa force-pushed the fix/envoy-gateway-template-standards branch from bbf8b0f to bed1861 Compare July 5, 2026 07:14
@mberlofa

mberlofa commented Jul 5, 2026

Copy link
Copy Markdown
Contributor Author

Reviewed all CodeRabbit feedback in review threads and review-summary comments.

Changes:

  • Derived the reserved podLabels keys from envoy-gateway.controller.selectorLabels instead of hardcoding the selector label keys separately.
  • Clarified security.networkPolicies vs security.networkPolicy descriptions in values.yaml, values.schema.json, and README.

Compatibility note:

  • I did not rename or nest security.networkPolicies under security.networkPolicy.enabled because that would be a breaking values contract change for existing consumers. The safer fix here is to keep the existing public keys and make the enablement vs extension roles explicit.

Validation:

  • make validate-chart CHART=envoy-gateway passed after the change
  • Result: envoy-gateway: FULLY VALIDATED (20 layers), including all k3d GR-027 scenarios
  • make release-check REPO=charts passed with only the expected post-merge release confirmation warning
  • make attribution-check REPO=charts passed
  • git diff --check passed

Note: these two CodeRabbit items were posted in the review summary/body, not as active review threads, so there are no thread IDs to reply to or resolve for them. Existing CodeRabbit inline threads are already resolved.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant