fix(notediscovery): align template standards#672
Conversation
Standards Check (GR-079) — PASSEvery changed chart fully passes standards-check. |
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: Organization UI Review profile: CHILL Plan: Pro Plus Run ID: 📒 Files selected for processing (14)
✅ Files skipped from review due to trivial changes (4)
🚧 Files skipped from review as they are similar to previous changes (9)
📝 WalkthroughWalkthroughThis PR adds ChangesNoteDiscovery Chart Updates
Estimated code review effort: 3 (Moderate) | ~25 minutes Possibly related PRs
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
🟢 Security Scan:
|
| Framework | Score |
|---|---|
| MITRE + NSA + SOC2 | 87.37374% |
✅ Security posture acceptable.
There was a problem hiding this comment.
💡 Codex Review
Because this hook manifest was moved to charts/notediscovery/tests/, Helm treats it as an ordinary chart file instead of a rendered template; I checked helm template review charts/notediscovery --show-only tests/test-connection.yaml, which reports it cannot find that template, while Helm renders test hooks from templates/tests/. In installs from this chart, the helm.sh/hook: test pod is never created, so the helm test command in NOTES has nothing to run.
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
There was a problem hiding this comment.
🧹 Nitpick comments (1)
charts/notediscovery/templates/_helpers.tpl (1)
164-170: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low valueConsider consolidating the two selector-label override checks.
Both blocks repeat the same
hasKey/failpattern forapp.kubernetes.io/nameandapp.kubernetes.io/instance. Arangeover a list of protected keys would reduce duplication and make it easier to add more protected labels later.♻️ Optional refactor
{{- $podLabels := .Values.podLabels | default dict -}} -{{- if hasKey $podLabels "app.kubernetes.io/name" -}} -{{- fail "podLabels must not override the selector label app.kubernetes.io/name" -}} -{{- end -}} -{{- if hasKey $podLabels "app.kubernetes.io/instance" -}} -{{- fail "podLabels must not override the selector label app.kubernetes.io/instance" -}} -{{- end -}} +{{- range $key := (list "app.kubernetes.io/name" "app.kubernetes.io/instance") -}} +{{- if hasKey $podLabels $key -}} +{{- fail (printf "podLabels must not override the selector label %s" $key) -}} +{{- end -}} +{{- end -}}🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@charts/notediscovery/templates/_helpers.tpl` around lines 164 - 170, The two pod label override guards in _helpers.tpl duplicate the same hasKey/fail pattern for app.kubernetes.io/name and app.kubernetes.io/instance; refactor this check into a single range over a list of protected selector keys. Keep the existing fail behavior in the shared loop so any protected key in $podLabels is rejected, and make the helper easier to extend by adding future protected labels in one place.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Nitpick comments:
In `@charts/notediscovery/templates/_helpers.tpl`:
- Around line 164-170: The two pod label override guards in _helpers.tpl
duplicate the same hasKey/fail pattern for app.kubernetes.io/name and
app.kubernetes.io/instance; refactor this check into a single range over a list
of protected selector keys. Keep the existing fail behavior in the shared loop
so any protected key in $podLabels is rejected, and make the helper easier to
extend by adding future protected labels in one place.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro Plus
Run ID: 225328ed-83e3-4b02-b3c7-c8cdd4074ff3
📒 Files selected for processing (13)
charts/notediscovery/README.mdcharts/notediscovery/templates/NOTES.txtcharts/notediscovery/templates/_helpers.tplcharts/notediscovery/templates/deployment.yamlcharts/notediscovery/templates/ingress.yamlcharts/notediscovery/templates/networkpolicy.yamlcharts/notediscovery/tests/networkpolicy_test.yamlcharts/notediscovery/tests/podlabels-selector-instance-values.yamlcharts/notediscovery/tests/podlabels-selector-name-values.yamlcharts/notediscovery/tests/test-connection.yamlcharts/notediscovery/tests/validation_test.yamlcharts/notediscovery/values.schema.jsoncharts/notediscovery/values.yaml
9112435 to
dc7172e
Compare
There was a problem hiding this comment.
🧹 Nitpick comments (1)
charts/notediscovery/tests/test_connection_test.yaml (1)
16-18: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick winConsider asserting
helm.sh/hook-delete-policytoo.The template also sets
helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded, which isn't covered here. Adding an assertion would tighten coverage of the hook lifecycle behavior.♻️ Suggested addition
- equal: path: metadata.annotations["helm.sh/hook"] value: test + - equal: + path: metadata.annotations["helm.sh/hook-delete-policy"] + value: before-hook-creation,hook-succeeded🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@charts/notediscovery/tests/test_connection_test.yaml` around lines 16 - 18, The Helm test coverage in the connection test should also verify the hook delete policy set by the template. Update the test in test_connection_test.yaml to assert metadata.annotations["helm.sh/hook-delete-policy"] matches before-hook-creation,hook-succeeded, alongside the existing helm.sh/hook check, so the lifecycle behavior of the test hook is covered by the test.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Nitpick comments:
In `@charts/notediscovery/tests/test_connection_test.yaml`:
- Around line 16-18: The Helm test coverage in the connection test should also
verify the hook delete policy set by the template. Update the test in
test_connection_test.yaml to assert
metadata.annotations["helm.sh/hook-delete-policy"] matches
before-hook-creation,hook-succeeded, alongside the existing helm.sh/hook check,
so the lifecycle behavior of the test hook is covered by the test.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro Plus
Run ID: 7bbb8aa9-14d3-40b5-9a09-ad8515a138f0
📒 Files selected for processing (3)
charts/notediscovery/tests/networkpolicy-extra-egress-values.yamlcharts/notediscovery/tests/networkpolicy_test.yamlcharts/notediscovery/tests/test_connection_test.yaml
🚧 Files skipped from review as they are similar to previous changes (2)
- charts/notediscovery/tests/networkpolicy-extra-egress-values.yaml
- charts/notediscovery/tests/networkpolicy_test.yaml
dc7172e to
7fa0924
Compare
|
Addressed both remaining CodeRabbit nitpicks from the review bodies. What changed:
Validation:
These CodeRabbit items were posted in review bodies/top-level summaries, not as unresolved review threads. The only thread on the PR was already resolved/outdated, so there is no new thread ID to reply to or resolve. |
Summary
templates/tests/sohelm testrenders and executes it, with unittest coverage for the hook pod.podLabels.ingress.ingressClassNamerendering and add fail-fast validation for enabled ingress without hosts.networkPolicy.extraEgresssupport with DNS and HTTPS baseline egress allowances before user rules.NOTES.txtwith numbered HelmForge operational sections.Validation
helm template test charts/notediscovery | rg -n "helm.sh/hook|test-connection"(hook rendered fromtemplates/tests/test-connection.yaml)helm unittest charts/notediscovery(33 tests, 8 suites)make template-standards-check CHART=notediscoverynode scripts/charts/validate-chart.js --chart notediscovery --no-k3dmake validate-chart CHART=notediscovery TIMEOUT=900(FULLY VALIDATED, 19 layers)make standards-check CHART=notediscoverymake standards-guard CHART=notediscoverymake site-sync-check CHART=notediscoverymake release-check REPO=chartspassed with expected post-merge release warningmake attribution-check REPO=chartsSite Sync
Site PR: helmforgedev/site#350
Summary by CodeRabbit
networkPolicy.extraEgressto support custom outbound egress rules while preserving built-in DNS (53) and HTTPS (443) access.ingressClassName.podLabelsselector, and Helm test hook coverage.