
fix(memos): align template standards#671

Open
mberlofa wants to merge 2 commits into
mainfrom
fix/memos-template-standards

Conversation

@mberlofa

@mberlofa mberlofa commented Jul 3, 2026

Contributor

Summary

  • align memos template standards: immutable selector labels, guarded ingressClassName, centralized validate helper, and numbered NOTES
  • add networkPolicy.extraEgress with built-in DNS and HTTPS baseline egress when egress isolation is enabled
  • keep Memos-specific StatefulSet/database validation behavior while adding selector-label override coverage

Validation

  • helm unittest charts/memos: 20 tests passed
  • helm lint --strict charts/memos
  • make template-standards-check CHART=memos
  • make standards-check CHART=memos
  • make standards-guard CHART=memos
  • node scripts/charts/validate-chart.js --chart memos --no-k3d: all local layers passed except local Windows remote kubeconform schema download from raw.githubusercontent.com
  • strict kubeconform rerun with local official schemas: default plus all ci/*.yaml passed, Skipped: 0
  • k3d behavioral validation on k3d-helmforge-tests-wsl: default plus all ci/*.yaml passed

Issue: #633
Site PR: helmforgedev/site#349

Summary by CodeRabbit

  • New Features
    • Added network policy egress isolation controls, including built-in DNS/HTTPS allowances and support for appending optional extra egress rules.
    • Expanded Helm chart runtime/exposure information in the installation notes (access, workload checks, configuration details, persistence, database, validation, and troubleshooting).
  • Bug Fixes
    • Omit ingressClassName in rendered Ingress resources when left empty.
    • NetworkPolicy now conditionally includes egress rules only when egress isolation or extra egress is configured.
  • Tests
    • Updated and added chart assertions covering Ingress rendering, NetworkPolicy egress ordering, and validation failures.

@github-actions

github-actions Bot commented Jul 3, 2026

Contributor

Standards Check (GR-079) — PASS

Every changed chart fully passes standards-check.

@coderabbitai

coderabbitai Bot commented Jul 3, 2026


Review Change Stack

📝 Walkthrough

Walkthrough

This PR updates chart validation, ingress and network policy rendering, StatefulSet pod labels, and NOTES output, with supporting schema, values, and test changes.

Changes

Chart validation, networking, and documentation updates

Layer / File(s) Summary
Shared validation helper and wiring
charts/memos/templates/_helpers.tpl, charts/memos/templates/validate.yaml, charts/memos/tests/validation_test.yaml
Adds a shared memos.validate helper, routes validation through it, and adds tests for selector-label overrides in podLabels.
Conditional ingress class name rendering
charts/memos/templates/ingress.yaml, charts/memos/README.md, charts/memos/tests/templates_test.yaml
Omits spec.ingressClassName when empty, documents the behavior, and verifies it in template tests.
Egress rules and network policy extension
charts/memos/templates/networkpolicy.yaml, charts/memos/values.schema.json, charts/memos/values.yaml, charts/memos/tests/networkpolicy_test.yaml
Adds gated egress rendering with default DNS/HTTPS rules, configurable extraEgress, schema/value support, and egress tests.
StatefulSet pod label fix and label test
charts/memos/templates/statefulset.yaml, charts/memos/tests/templates_test.yaml
Switches StatefulSet pod labels to selector labels and updates the test assertions accordingly.
NOTES.txt rewrite
charts/memos/templates/NOTES.txt
Reworks post-install notes into structured sections for access, workload, runtime config, persistence, database, exposure, troubleshooting, resources, and validation.

Estimated code review effort: 3 (Moderate) | ~25 minutes

Possibly related PRs

  • helmforgedev/charts#641: Also updates a chart NetworkPolicy template and tests to add an extraEgress path that appends additional egress rules.
🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title is concise and accurately reflects the PR’s main goal of aligning the Memos chart templates with standards.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

@github-actions

github-actions Bot commented Jul 3, 2026

Contributor

🟢 Security Scan: memos

Framework Score
MITRE + NSA + SOC2 84.84849%

✅ Security posture acceptable.

@coderabbitai coderabbitai Bot left a comment


🧹 Nitpick comments (5)
charts/memos/templates/networkpolicy.yaml (2)

16-18: 🎯 Functional Correctness | 🔵 Trivial | ⚡ Quick win

Egress isolation is only reachable via extraEgress; no way to enable DNS+HTTPS-only isolation.

Per the README, egress isolation (and the Egress policyType) only activates when extraEgress is non-empty. A user who wants only the baseline DNS/HTTPS egress restriction, without any additional rules, has no supported way to enable it short of passing a placeholder rule. Consider decoupling egress isolation from extraEgress presence (e.g., a dedicated networkPolicy.egressIsolation boolean) so the baseline-only case is directly supported.

Also applies to: 29-49

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@charts/memos/templates/networkpolicy.yaml` around lines 16 - 18, The
NetworkPolicy template currently ties enabling the Egress policyType to the
presence of $extraEgress, so baseline DNS/HTTPS-only egress isolation cannot be
turned on by itself. Update charts/memos/templates/networkpolicy.yaml around the
policyTypes and egress rendering logic to decouple isolation from extraEgress,
ideally by introducing a dedicated flag such as networkPolicy.egressIsolation in
the values consumed by the template. Keep the existing extraEgress handling for
additional rules, but make the NetworkPolicy render Egress whenever isolation is
explicitly enabled, even if no extra rules are provided.

29-37: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick win

Baseline DNS egress rule is overly broad.

The DNS allowance uses namespaceSelector: {} with no podSelector, which selects all pods in every namespace on port 53. For a rule intended as a restrictive "baseline," this permits egress to essentially any workload in the cluster over UDP/TCP 53, undermining the isolation the feature is meant to provide. Consider scoping this to the DNS provider's namespace/pod labels (e.g., kube-system + k8s-app: kube-dns/coredns), while acknowledging this may need to be configurable since DNS provider labels vary by cluster/CNI.

🔒 Example tightened DNS egress rule
   egress:
     - to:
-        - namespaceSelector: {}
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: kube-system
+          podSelector:
+            matchLabels:
+              k8s-app: kube-dns
       ports:
         - protocol: UDP
           port: 53
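Review bot: the tightened rule lists only UDP 53 while the comment above refers to UDP/TCP 53; add a second entry `- protocol: TCP` / `port: 53` so DNS answers that exceed the UDP size limit or set the truncation bit, which the resolver retries over TCP, are not blocked. The `kubernetes.io/metadata.name` label is populated automatically only on Kubernetes 1.21 and newer; on older clusters the namespaceSelector matches nothing and every DNS lookup from the pod is denied, which is a further reason to keep the selector configurable as suggested.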
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@charts/memos/templates/networkpolicy.yaml` around lines 29 - 37, The DNS
egress rule in the network policy template is too broad because the egress
target uses an empty namespaceSelector without any podSelector, which
effectively allows port 53 to every pod in every namespace. Update the
NetworkPolicy logic in the template that builds the baseline egress rules to
scope DNS traffic to the actual DNS provider namespace/pods instead of all
workloads, ideally by using specific namespace and pod labels such as
kube-system with k8s-app selectors for kube-dns or coredns. If cluster-specific
DNS labels vary, make this selector configurable so the baseline remains
restrictive while still working across environments.
charts/memos/tests/networkpolicy_test.yaml (1)

17-40: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

Consider adding a default-case test.

This test only covers extraEgress being set. There's no assertion that with networkPolicy.enabled: true and default (empty) extraEgress, the Egress policyType and spec.egress are both absent — the behavior this cohort's design most relies on.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@charts/memos/tests/networkpolicy_test.yaml` around lines 17 - 40, Add a
default-case Helm test for the network policy template: in
networkPolicy_test.yaml, create a case for networkPolicy.enabled: true with
empty or unset extraEgress and assert that spec.policyTypes does not include
Egress and spec.egress is absent. Keep the existing extraEgress scenario in
place, but add this complementary assertion so the networkPolicy template
behavior is covered when no extra egress rules are configured.
charts/memos/tests/validation_test.yaml (1)

34-40: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

Add a companion test for the app.kubernetes.io/name override case.

Only the instance key override is tested; _helpers.tpl also fails when podLabels sets app.kubernetes.io/name, which is currently uncovered.

✅ Suggested addition
   - it: fails when podLabels override selector labels
     set:
       podLabels:
         app.kubernetes.io/instance: custom
     asserts:
       - failedTemplate:
           errorMessage: "podLabels must not override the selector label app.kubernetes.io/instance"
+  - it: fails when podLabels override the name selector label
+    set:
+      podLabels:
+        app.kubernetes.io/name: custom
+    asserts:
+      - failedTemplate:
+          errorMessage: "podLabels must not override the selector label app.kubernetes.io/name"
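Review bot: keeping the name and instance overrides as two separate cases is the right shape, because `fail` aborts rendering at the first guarded key, so a single case that set both labels could only ever observe one of the two messages. The `errorMessage` strings are matched against the rendered failure text, so they must stay byte-identical to whatever _helpers.tpl emits; if the guard is later generated with `printf`, the format string has to produce exactly `podLabels must not override the selector label app.kubernetes.io/name`.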
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@charts/memos/tests/validation_test.yaml` around lines 34 - 40, Add a
companion validation test for the missing selector-label override case in the
memos chart. Extend the existing `fails when podLabels override selector labels`
coverage in validation_test.yaml to also assert that setting
podLabels.app.kubernetes.io/name fails with the corresponding error from the
chart helpers. Use the same testing pattern and reference the _helpers.tpl
selector-label validation so both app.kubernetes.io/instance and
app.kubernetes.io/name override paths are covered.
charts/memos/templates/_helpers.tpl (1)

34-40: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low value

Optional: reduce duplication in selector-key guard.

The two hasKey blocks are structurally identical. A loop over a list of protected keys would avoid duplication and stay in sync automatically if the selector label set ever changes.

♻️ Optional consolidation
 {{- $podLabels := .Values.podLabels | default dict -}}
-{{- if hasKey $podLabels "app.kubernetes.io/name" -}}
-{{- fail "podLabels must not override the selector label app.kubernetes.io/name" -}}
-{{- end -}}
-{{- if hasKey $podLabels "app.kubernetes.io/instance" -}}
-{{- fail "podLabels must not override the selector label app.kubernetes.io/instance" -}}
-{{- end -}}
+{{- range list "app.kubernetes.io/name" "app.kubernetes.io/instance" -}}
+{{- if hasKey $podLabels . -}}
+{{- fail (printf "podLabels must not override the selector label %s" .) -}}
+{{- end -}}
+{{- end -}}
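Review bot: inside the `range`, `.` is rebound to the current key, so `.Values` is no longer reachable in the loop body; the hunk only uses `$podLabels` and `.`, which is correct, but any further check added inside the loop must reference `$.Values` instead. The `printf` output is byte-identical to the two literal strings it replaces, so the existing `failedTemplate` assertions in validation_test.yaml keep matching without change.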
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@charts/memos/templates/_helpers.tpl` around lines 34 - 40, The selector-key
guard in the helper template is duplicated for each protected label key.
Refactor the logic in the helper that validates podLabels by iterating over a
list of reserved selector keys instead of repeating separate hasKey/fail blocks,
so the checks stay centralized and are easier to extend if the protected set
changes.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 69e776bb-ec17-492c-a348-e390ec328c8f

📥 Commits

Reviewing files that changed from the base of the PR and between 870b4c7 and 1480ecb.

📒 Files selected for processing (12)
  • charts/memos/README.md
  • charts/memos/templates/NOTES.txt
  • charts/memos/templates/_helpers.tpl
  • charts/memos/templates/ingress.yaml
  • charts/memos/templates/networkpolicy.yaml
  • charts/memos/templates/statefulset.yaml
  • charts/memos/templates/validate.yaml
  • charts/memos/tests/networkpolicy_test.yaml
  • charts/memos/tests/templates_test.yaml
  • charts/memos/tests/validation_test.yaml
  • charts/memos/values.schema.json
  • charts/memos/values.yaml

@coderabbitai

coderabbitai Bot commented Jul 3, 2026


Warning

Docstrings generation - IN PROGRESS

Generating docstrings for this pull request

@mberlofa mberlofa force-pushed the fix/memos-template-standards branch from 1480ecb to c9b148f on July 5, 2026 19:48
@mberlofa

mberlofa commented Jul 5, 2026

Contributor Author

Addressed the CodeRabbit review-body items that still applied.

What changed:

  • Added networkPolicy.egressIsolation so users can enable baseline DNS/HTTPS egress isolation without adding placeholder extraEgress rules.
  • Kept backward compatibility: non-empty networkPolicy.extraEgress still enables egress isolation and appends custom rules.
  • Added configurable networkPolicy.dnsEgress, defaulting to kube-system pods labeled k8s-app: kube-dns, instead of allowing TCP/UDP 53 to every pod in every namespace.
  • Added default-case and baseline-isolation NetworkPolicy tests.
  • Added coverage for podLabels.app.kubernetes.io/name and refactored the selector-label guard to a shared loop.
  • Synced the site docs in docs(memos): sync template standards updates site#349.

Validation:

  • helm unittest charts/memos -f tests/networkpolicy_test.yaml -f tests/validation_test.yaml passed.
  • make validate-chart CHART=memos passed after the final rebase: memos: FULLY VALIDATED (16 layers), including all k3d behavioral scenarios.
  • make site-sync-check CHART=memos passed and confirmed the site PR linkage requirement.
  • make release-check REPO=charts passed with the expected GR-077 release-publication warning.
  • make attribution-check REPO=charts passed.

These CodeRabbit items were posted in the review body/top-level summary. There are currently no review threads on the PR, so there is no thread ID to reply to or resolve.

@coderabbitai coderabbitai Bot left a comment


🧹 Nitpick comments (1)
charts/memos/values.yaml (1)

165-176: 🔒 Security & Privacy | 🔵 Trivial | 💤 Low value

Consider making the HTTPS baseline egress destination configurable too.

dnsEgress is user-overridable, but per the referenced template logic the HTTPS baseline egress rule targets 0.0.0.0/0/::/0 on port 443 unconditionally, allowing egress to any external address once egressIsolation or extraEgress is enabled. For clusters wanting tighter default HTTPS egress scoping, an equivalent overridable httpsEgress value (mirroring dnsEgress) would be consistent with the pattern already established here.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@charts/memos/values.yaml` around lines 165 - 176, Add a configurable HTTPS
baseline egress setting to match the existing dnsEgress pattern, since the
current baseline HTTPS rule in the related egress template is hardcoded to allow
all destinations. Update the values schema in values.yaml to introduce an
overridable httpsEgress default alongside dnsEgress, and then change the egress
template logic that builds the baseline HTTPS rule to read from that new value
instead of always using 0.0.0.0/0 and ::/0. Keep the existing egressIsolation
and extraEgress behavior intact while making the HTTPS destination
user-configurable.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 9dc9a3c3-2bed-42c5-bcf8-4763cff35d8f

📥 Commits

Reviewing files that changed from the base of the PR and between 1480ecb and c9b148f.

📒 Files selected for processing (12)
  • charts/memos/README.md
  • charts/memos/templates/NOTES.txt
  • charts/memos/templates/_helpers.tpl
  • charts/memos/templates/ingress.yaml
  • charts/memos/templates/networkpolicy.yaml
  • charts/memos/templates/statefulset.yaml
  • charts/memos/templates/validate.yaml
  • charts/memos/tests/networkpolicy_test.yaml
  • charts/memos/tests/templates_test.yaml
  • charts/memos/tests/validation_test.yaml
  • charts/memos/values.schema.json
  • charts/memos/values.yaml
✅ Files skipped from review due to trivial changes (2)
  • charts/memos/README.md
  • charts/memos/templates/NOTES.txt
🚧 Files skipped from review as they are similar to previous changes (7)
  • charts/memos/templates/ingress.yaml
  • charts/memos/templates/statefulset.yaml
  • charts/memos/tests/validation_test.yaml
  • charts/memos/tests/templates_test.yaml
  • charts/memos/values.schema.json
  • charts/memos/templates/_helpers.tpl
  • charts/memos/templates/networkpolicy.yaml
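The three egress findings raised across the two CodeRabbit reviews above (a DNS rule whose empty namespaceSelector reaches every pod in every namespace, an HTTPS rule open to 0.0.0.0/0 and ::/0, and the default case where Egress is a policyType with no rules) can be checked mechanically against rendered manifests. The linter below is an added example, not code from the chart or this PR; its sample policies are constructed inline to mirror the rules the review describes, and the kube-system / k8s-app: kube-dns selector follows the author's follow-up comment.

```python
"""Added example (not the chart's own code): lint a rendered NetworkPolicy for the
egress weaknesses discussed in this review. Sample policies are constructed inline."""
from typing import Any

ANY_CIDRS = {"0.0.0.0/0", "::/0"}


def _ports(rule: dict[str, Any]) -> list[tuple[str, Any]]:
    """Return (protocol, port) pairs; the API defaults protocol to TCP when omitted."""
    return [(p.get("protocol", "TCP"), p.get("port")) for p in rule.get("ports") or []]


def lint_egress(policy: dict[str, Any]) -> list[str]:
    """Return human-readable findings for the policy's egress section."""
    findings: list[str] = []
    spec = policy.get("spec") or {}
    policy_types = spec.get("policyTypes") or []
    egress = spec.get("egress") or []

    # Egress listed as a policyType with no rules is default-deny for all egress, DNS included.
    if "Egress" in policy_types and not egress:
        findings.append("Egress policyType without rules: all egress, including DNS, is denied")
    # Rules rendered without the matching policyType are silently ignored by the API server.
    if egress and "Egress" not in policy_types:
        findings.append("egress rules present but 'Egress' missing from policyTypes: rules are inert")

    for i, rule in enumerate(egress):
        ports = _ports(rule)
        dns_protos = {proto for proto, port in ports if port == 53}
        for peer in rule.get("to") or []:
            # namespaceSelector: {} with no podSelector selects every pod in every namespace.
            if peer.get("namespaceSelector") == {} and "podSelector" not in peer and dns_protos:
                findings.append(f"egress[{i}]: DNS rule allows port 53 to every pod in every namespace")
            cidr = (peer.get("ipBlock") or {}).get("cidr")
            if cidr in ANY_CIDRS and any(port == 443 for _, port in ports):
                findings.append(f"egress[{i}]: HTTPS rule allows port 443 to any address ({cidr})")
        # Large or truncated DNS answers are retried over TCP, so UDP-only DNS rules break lookups.
        if dns_protos == {"UDP"}:
            findings.append(f"egress[{i}]: DNS rule permits UDP 53 only; TCP 53 fallback will be blocked")
    return findings


def _policy(egress: list[dict[str, Any]], policy_types: list[str]) -> dict[str, Any]:
    """Build a minimal NetworkPolicy dict (constructed sample, not chart output)."""
    return {"apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
            "metadata": {"name": "memos"},
            "spec": {"podSelector": {"matchLabels": {"app.kubernetes.io/name": "memos"}},
                     "policyTypes": policy_types, "egress": egress}}


# Baseline as flagged in the review: DNS to every pod everywhere, HTTPS to any address.
BROAD = _policy([
    {"to": [{"namespaceSelector": {}}],
     "ports": [{"protocol": "UDP", "port": 53}, {"protocol": "TCP", "port": 53}]},
    {"to": [{"ipBlock": {"cidr": "0.0.0.0/0"}}, {"ipBlock": {"cidr": "::/0"}}],
     "ports": [{"protocol": "TCP", "port": 443}]},
], ["Ingress", "Egress"])

# Tightened DNS rule as adopted in the follow-up: kube-system pods labelled k8s-app: kube-dns.
TIGHT_DNS = _policy([
    {"to": [{"namespaceSelector": {"matchLabels": {"kubernetes.io/metadata.name": "kube-system"}},
             "podSelector": {"matchLabels": {"k8s-app": "kube-dns"}}}],
     "ports": [{"protocol": "UDP", "port": 53}, {"protocol": "TCP", "port": 53}]},
], ["Ingress", "Egress"])

# Egress policyType enabled but no rules rendered: everything, DNS included, is dropped.
DENY_ALL = _policy([], ["Ingress", "Egress"])

if __name__ == "__main__":
    for name, pol in (("broad", BROAD), ("tight_dns", TIGHT_DNS), ("deny_all", DENY_ALL)):
        print(name, lint_egress(pol))
```

Feeding the output of `helm template` through a YAML loader into `lint_egress` turns the review's manual findings into a repeatable check for the default and ci/*.yaml value sets.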
