
fix(kubernetes-mcp-server): align template standards #669

Open
mberlofa wants to merge 1 commit into main from fix/kubernetes-mcp-server-template-standards

Conversation

mberlofa commented Jul 3, 2026


Summary

  • align kubernetes-mcp-server template standards: immutable selector labels, guarded ingressClassName, centralized validate helper, and numbered NOTES
  • add NetworkPolicy egress isolation whenever networkPolicy.enabled=true, with built-in DNS and HTTPS allowances plus configurable networkPolicy.dnsEgressPeers defaulting to kube-system/kube-dns
  • keep networkPolicy.extraEgress additive for API server or proxy rules, and sync values schema defaults plus unit coverage for selector label overrides, existingClaim scaling, scoped DNS egress, and baseline egress

Validation

  • helm template test charts/kubernetes-mcp-server --set networkPolicy.enabled=true --set 'networkPolicy.extraEgress[0].ports[0].port=6443'
  • helm unittest charts/kubernetes-mcp-server: 20 tests, 7 suites
  • make template-standards-check CHART=kubernetes-mcp-server
  • node scripts/charts/validate-chart.js --chart kubernetes-mcp-server --no-k3d
  • make validate-chart CHART=kubernetes-mcp-server TIMEOUT=900: FULLY VALIDATED (16 layers)
  • make site-sync-check CHART=kubernetes-mcp-server
  • make release-check REPO=charts
  • make attribution-check REPO=charts

Issue: #633
Site PR: helmforgedev/site#347

Summary by CodeRabbit

  • New Features
    • Added networkPolicy.extraEgress and networkPolicy.dnsEgressPeers to extend/shape egress rules beyond built-in DNS/HTTPS allowances.
  • Bug Fixes
    • ingress.ingressClassName is now rendered only when explicitly set (non-empty).
    • Aligned pod template labels with the Deployment selector labels.
  • Documentation
    • Updated chart README and Helm NOTES with expanded production safety, exposure, and troubleshooting guidance; refreshed image tag to v0.0.63.
  • Tests
    • Expanded validation, ingress, and network policy assertions (including egress ordering and appended extra egress rules).

github-actions bot commented Jul 3, 2026


Standards Check (GR-079) — PASS

Every changed chart fully passes standards-check.

coderabbitai bot commented Jul 3, 2026


📝 Walkthrough

This PR updates chart validation, ingress, and NetworkPolicy rendering, bumps the default image tag to v0.0.63, and expands the chart README, NOTES, values schema, and tests to match the new behavior.

Changes

Chart validation, networking, and image updates

Layer: Validation helper and wiring
  • File(s): charts/kubernetes-mcp-server/templates/_helpers.tpl, charts/kubernetes-mcp-server/templates/validate.yaml, charts/kubernetes-mcp-server/tests/validation_test.yaml
  • Summary: Adds kubernetes-mcp-server.validate for write-access, replicaCount/persistence, and podLabels checks, and routes template validation through it.

Layer: Pod labels and ingress rendering
  • File(s): charts/kubernetes-mcp-server/templates/deployment.yaml, charts/kubernetes-mcp-server/templates/ingress.yaml, charts/kubernetes-mcp-server/tests/templates_test.yaml, charts/kubernetes-mcp-server/README.md
  • Summary: Switches pod template labels to selector labels, renders ingressClassName only when set, and updates tests plus README coverage for those behaviors.

Layer: NetworkPolicy extraEgress support
  • File(s): charts/kubernetes-mcp-server/templates/networkpolicy.yaml, charts/kubernetes-mcp-server/values.yaml, charts/kubernetes-mcp-server/values.schema.json, charts/kubernetes-mcp-server/tests/networkpolicy_test.yaml
  • Summary: Adds extraEgress, conditional Egress policy type, built-in DNS/HTTPS egress rules, and matching values/schema/test updates.

Layer: Image tag and NOTES updates
  • File(s): charts/kubernetes-mcp-server/README.md, charts/kubernetes-mcp-server/values.schema.json, charts/kubernetes-mcp-server/templates/NOTES.txt
  • Summary: Bumps the documented default image tag to v0.0.63 and expands the Helm notes with access, RBAC, configuration, exposure, persistence, troubleshooting, and resources guidance.

Estimated code review effort: 3 (Moderate) | ~25 minutes

Sequence Diagram(s)

sequenceDiagram
  participant Helm
  participant validate_yaml as validate.yaml
  participant ValidateHelper as kubernetes-mcp-server.validate
  participant networkpolicy_yaml as networkpolicy.yaml

  Helm->>validate_yaml: render chart
  validate_yaml->>ValidateHelper: include validation checks
  ValidateHelper-->>validate_yaml: fail or pass
  Helm->>networkpolicy_yaml: render NetworkPolicy
  networkpolicy_yaml->>networkpolicy_yaml: build egress policy and rules
  networkpolicy_yaml-->>Helm: rendered manifest
🚥 Pre-merge checks: 5 passed
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: Passed. Check skipped because no linked issues were found for this pull request.
  • Description Check: Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title check: Passed. The title matches the PR’s main goal of aligning the kubernetes-mcp-server chart with template standards.

github-actions bot commented Jul 3, 2026


🟢 Security Scan: kubernetes-mcp-server

Framework: MITRE + NSA + SOC2
Score: 74.242424%

✅ Security posture acceptable.

coderabbitai bot left a comment

Actionable comments posted: 1

🧹 Nitpick comments (2)
charts/kubernetes-mcp-server/templates/networkpolicy.yaml (1)

3-3: 🎯 Functional Correctness | 🔵 Trivial | ⚡ Quick win

Baseline DNS/HTTPS egress unreachable without a dummy extraEgress entry.

The entire egress block (including the "built-in" DNS/HTTPS rules) only renders when $extraEgress is non-empty. There's no independent toggle to enable egress isolation with just the baseline DNS+HTTPS allowances — a user who wants to restrict egress to only DNS/HTTPS (no custom rules) has no way to do so without adding a placeholder entry to extraEgress. This contradicts the values.yaml comment, which implies the baseline rules are a standing allowance that extraEgress merely appends to.

Consider gating the Egress policyType and baseline rules on a dedicated flag (e.g., reuse .Values.networkPolicy.enabled or add an explicit egressEnabled), and treat extraEgress purely as additive.

Also applies to: 16-18, 29-49

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@charts/kubernetes-mcp-server/templates/networkpolicy.yaml` at line 3, The
NetworkPolicy egress section is currently tied to extraEgress being non-empty,
so the built-in DNS/HTTPS allowances never render on their own. Update the
networkpolicy.yaml logic around the networkPolicy template to gate the Egress
policyType and baseline DNS/HTTPS rules with a dedicated flag such as
.Values.networkPolicy.enabled or a new egressEnabled setting, and keep
.Values.networkPolicy.extraEgress purely additive. Make sure the main template
condition and the egress rendering block in the network policy manifest use the
same controlling symbol so baseline egress works without a dummy entry.
charts/kubernetes-mcp-server/tests/validation_test.yaml (1)

29-35: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low value

Consider adding a symmetric test for app.kubernetes.io/name override.

Only the app.kubernetes.io/instance override branch is covered; the app.kubernetes.io/name fail branch in kubernetes-mcp-server.validate (charts/kubernetes-mcp-server/templates/_helpers.tpl, lines 28-30) has no matching test.

✅ Suggested additional test case
   - it: fails when podLabels override selector labels
     set:
       podLabels:
         app.kubernetes.io/instance: custom
     asserts:
       - failedTemplate:
           errorMessage: "podLabels must not override the selector label app.kubernetes.io/instance"
+  - it: fails when podLabels override the name selector label
+    set:
+      podLabels:
+        app.kubernetes.io/name: custom
+    asserts:
+      - failedTemplate:
+          errorMessage: "podLabels must not override the selector label app.kubernetes.io/name"
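Review bot: the errorMessage in the suggested name-override case is inferred by symmetry from the instance case, and helm-unittest's failedTemplate.errorMessage assertion matches the full string exactly, so confirm it equals the fail message emitted by kubernetes-mcp-server.validate at _helpers.tpl lines 28-30 (or use errorPattern with a substring such as "app.kubernetes.io/name") before adding it, otherwise the new test fails for the wrong reason.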
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@charts/kubernetes-mcp-server/tests/validation_test.yaml` around lines 29 -
35, Add a matching validation test for the other selector label override in
kubernetes-mcp-server.validate so both fail branches are covered. Update
validation_test.yaml alongside the existing failedTemplate case for
podLabels/app.kubernetes.io/instance by adding a symmetric case that sets
podLabels.app.kubernetes.io/name to a custom value and asserts the expected
error message from kubernetes-mcp-server.validate. Keep the test structure
consistent with the current Helm chart validation tests so the new case clearly
exercises the name override path in _helpers.tpl.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@charts/kubernetes-mcp-server/templates/networkpolicy.yaml`:
- Around line 29-37: The egress DNS rule in the NetworkPolicy template is too
broad because the current egress stanza under the $extraEgress block uses
namespaceSelector: {} and allows port 53 to any namespace. Tighten the scope in
templates/networkpolicy.yaml by updating the egress target in this policy to
only match the DNS service pods used by the cluster (for example via a more
specific podSelector and/or namespaceSelector for CoreDNS/kube-dns), while
keeping the existing UDP/TCP 53 ports. Refer to the egress block inside the
NetworkPolicy template so the selector change is applied in the right place.


ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 6182e5c7-6733-407b-82b6-44fc6f482672

📥 Commits

Reviewing files that changed from the base of the PR and between 870b4c7 and 4f4c21e.

📒 Files selected for processing (12)
  • charts/kubernetes-mcp-server/README.md
  • charts/kubernetes-mcp-server/templates/NOTES.txt
  • charts/kubernetes-mcp-server/templates/_helpers.tpl
  • charts/kubernetes-mcp-server/templates/deployment.yaml
  • charts/kubernetes-mcp-server/templates/ingress.yaml
  • charts/kubernetes-mcp-server/templates/networkpolicy.yaml
  • charts/kubernetes-mcp-server/templates/validate.yaml
  • charts/kubernetes-mcp-server/tests/networkpolicy_test.yaml
  • charts/kubernetes-mcp-server/tests/templates_test.yaml
  • charts/kubernetes-mcp-server/tests/validation_test.yaml
  • charts/kubernetes-mcp-server/values.schema.json
  • charts/kubernetes-mcp-server/values.yaml

Comment thread on charts/kubernetes-mcp-server/templates/networkpolicy.yaml (outdated)
mberlofa force-pushed the fix/kubernetes-mcp-server-template-standards branch from 4f4c21e to 061337f on July 4, 2026 12:33

coderabbitai bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@charts/kubernetes-mcp-server/values.yaml`:
- Around line 70-82: The network policy configuration currently ties the
built-in DNS/HTTPS egress rules to extraEgress, so networkPolicy.enabled alone
does not emit an egress policy. Update the values handling around networkPolicy,
policyTypes, and the egress block so the default DNS/HTTPS rules are included
whenever networkPolicy.enabled is true, and append extraEgress only if it is
provided. Use the networkPolicy configuration keys and the egress policy
assembly logic to locate the change.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 7d53ec09-f399-4465-a8a0-560cf79e3e0d

📥 Commits

Reviewing files that changed from the base of the PR and between 4f4c21e and 061337f.

📒 Files selected for processing (12)
  • charts/kubernetes-mcp-server/README.md
  • charts/kubernetes-mcp-server/templates/NOTES.txt
  • charts/kubernetes-mcp-server/templates/_helpers.tpl
  • charts/kubernetes-mcp-server/templates/deployment.yaml
  • charts/kubernetes-mcp-server/templates/ingress.yaml
  • charts/kubernetes-mcp-server/templates/networkpolicy.yaml
  • charts/kubernetes-mcp-server/templates/validate.yaml
  • charts/kubernetes-mcp-server/tests/networkpolicy_test.yaml
  • charts/kubernetes-mcp-server/tests/templates_test.yaml
  • charts/kubernetes-mcp-server/tests/validation_test.yaml
  • charts/kubernetes-mcp-server/values.schema.json
  • charts/kubernetes-mcp-server/values.yaml
✅ Files skipped from review due to trivial changes (4)
  • charts/kubernetes-mcp-server/templates/ingress.yaml
  • charts/kubernetes-mcp-server/README.md
  • charts/kubernetes-mcp-server/templates/deployment.yaml
  • charts/kubernetes-mcp-server/templates/NOTES.txt
🚧 Files skipped from review as they are similar to previous changes (5)
  • charts/kubernetes-mcp-server/tests/networkpolicy_test.yaml
  • charts/kubernetes-mcp-server/tests/validation_test.yaml
  • charts/kubernetes-mcp-server/templates/networkpolicy.yaml
  • charts/kubernetes-mcp-server/tests/templates_test.yaml
  • charts/kubernetes-mcp-server/templates/_helpers.tpl
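The egress assembly the PR summary describes (baseline DNS and HTTPS whenever networkPolicy.enabled is true, dnsEgressPeers defaulting to kube-system/kube-dns, extraEgress appended after the baseline) and the two shapes CodeRabbit flagged across its two passes (egress rendered only when extraEgress is non-empty; a DNS peer of namespaceSelector: {}), as an added Python model plus a lint pass over the rendered object. This is example code written for this page, not the chart's templates or its helm-unittest suites; the kube-dns labels, the ingress rule, the constructed SAMPLE_VALUES and the function names are assumptions.

```python
"""Added example (not the chart's own templates): a Python model of the egress
rules the PR description attributes to charts/kubernetes-mcp-server when
networkPolicy.enabled=true, plus a lint pass that flags the two shapes the
review raised (no Egress policyType; DNS peer namespaceSelector: {}).
The kube-dns peer labels and the ingress rule are assumptions."""
from __future__ import annotations

from copy import deepcopy

# Assumed default for networkPolicy.dnsEgressPeers: CoreDNS/kube-dns pods in
# kube-system, using the labels a stock cluster sets on them.
DEFAULT_DNS_PEERS = [{
    "namespaceSelector": {"matchLabels": {"kubernetes.io/metadata.name": "kube-system"}},
    "podSelector": {"matchLabels": {"k8s-app": "kube-dns"}},
}]
DNS_PORTS = [{"protocol": "UDP", "port": 53}, {"protocol": "TCP", "port": 53}]
HTTPS_PORTS = [{"protocol": "TCP", "port": 443}]

# Constructed values, matching the keys named in the PR summary and the
# --set used in its validation step (extraEgress to an API server on 6443).
SAMPLE_VALUES = {
    "networkPolicy": {
        "enabled": True,
        "extraEgress": [{"ports": [{"protocol": "TCP", "port": 6443}]}],
    }
}


def build_network_policy(values: dict) -> dict | None:
    """Render the NetworkPolicy the way the final behaviour is described:
    baseline DNS + HTTPS egress whenever enabled, extraEgress appended after."""
    np_values = values.get("networkPolicy") or {}
    if not np_values.get("enabled", False):
        return None  # no policy object at all; the cluster default (allow all) applies
    dns_peers = np_values.get("dnsEgressPeers") or DEFAULT_DNS_PEERS
    egress = [
        {"to": deepcopy(dns_peers), "ports": deepcopy(DNS_PORTS)},  # DNS, scoped to peers
        {"ports": deepcopy(HTTPS_PORTS)},  # HTTPS to any destination
    ]
    egress.extend(deepcopy(np_values.get("extraEgress") or []))  # additive only
    return {
        "apiVersion": "networking.k8s.io/v1",
        "kind": "NetworkPolicy",
        "metadata": {"name": "kubernetes-mcp-server"},
        "spec": {
            "podSelector": {"matchLabels": {"app.kubernetes.io/name": "kubernetes-mcp-server"}},
            # Egress is listed unconditionally once enabled; without it the
            # egress rules below are ignored and all egress stays open.
            "policyTypes": ["Ingress", "Egress"],
            "ingress": [{"from": [{"podSelector": {}}]}],  # assumed: same-namespace pods
            "egress": egress,
        },
    }


def lint_egress(policy: dict) -> list[str]:
    """Flag egress shapes that silently widen or break connectivity."""
    findings: list[str] = []
    spec = policy.get("spec", {})
    if "Egress" not in spec.get("policyTypes", []):
        return ["policyTypes lacks Egress: every egress rule is ignored and all egress is allowed"]
    egress = spec.get("egress") or []
    if not egress:
        findings.append("Egress in policyTypes with no rules: all egress (including DNS) is denied")
    for i, rule in enumerate(egress):
        ports = {p.get("port") for p in rule.get("ports", [])}
        if 53 not in ports:
            continue
        peers = rule.get("to") or []
        if not peers:
            findings.append(f"egress[{i}]: DNS rule has no 'to', port 53 is open to every destination")
        for peer in peers:
            if peer.get("namespaceSelector") == {}:
                findings.append(f"egress[{i}]: namespaceSelector {{}} matches every namespace, "
                                "scope DNS to the kube-dns pods instead")
    return findings


if __name__ == "__main__":
    policy = build_network_policy(SAMPLE_VALUES)
    print("findings (fixed shape):", lint_egress(policy))
    # The shape the first review flagged: DNS allowed to any namespace.
    widened = deepcopy(policy)
    widened["spec"]["egress"][0]["to"] = [{"namespaceSelector": {}}]
    print("findings (namespaceSelector {}):", lint_egress(widened))
```

The lint is deliberately order-independent: it does not assume the DNS rule is first, so it can be pointed at the output of `helm template ... | yq` for any chart, not only this one.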

Comment thread on charts/kubernetes-mcp-server/values.yaml
mberlofa force-pushed the fix/kubernetes-mcp-server-template-standards branch from 061337f to d52cfa8 on July 4, 2026 12:46