Skip to content

fix(qdrant): align template standards#673

Merged
mberlofa merged 3 commits into
mainfrom
fix/qdrant-template-standards
Jul 6, 2026
Merged

fix(qdrant): align template standards#673
mberlofa merged 3 commits into
mainfrom
fix/qdrant-template-standards

Conversation

@mberlofa

@mberlofa mberlofa commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

Summary

  • Align StatefulSet pod template labels with immutable selector labels plus user podLabels.
  • Guard empty ingress.ingressClassName rendering.
  • Move validation into the canonical qdrant.validate helper and add validations for ingress hosts plus selector-label podLabels overrides.
  • Add networkPolicy.extraEgress support with DNS, HTTPS, and distributed p2p baseline egress rules before user rules.
  • Align NOTES.txt with numbered HelmForge operational sections.

Validation

  • helm unittest charts/qdrant: 28 tests passed
  • helm lint --strict charts/qdrant: passed
  • make template-standards-check CHART=qdrant: passed
  • make standards-check CHART=qdrant: passed
  • make standards-guard CHART=qdrant: passed
  • make site-sync-check CHART=qdrant: passed
  • npm run lint: passed in site repo
  • npm run format:check: passed in site repo
  • npm run build: passed in site repo
  • node scripts/charts/validate-chart.js --chart qdrant --no-k3d: all local layers passed except the known local remote schema download failure from raw.githubusercontent.com
  • Strict kubeconform rerun with local official schemas: default plus every ci/*.yaml passed with Skipped: 0
  • k3d behavioral validation on k3d-helmforge-tests-wsl: default plus every ci/*.yaml passed sequentially
  • make release-check REPO=charts: passed with expected post-merge release warning
  • make attribution-check REPO=charts: passed

Site Sync

Site PR: helmforgedev/site#351

Summary by CodeRabbit

  • New Features

    • Added documentation for network policy, including inbound restrictions and optional egress isolation via extraEgress (with example).
    • Added support for networkPolicy.extraEgress in chart configuration and schema.
    • Improved post-deploy operator runbook with expanded checks and guidance.
  • Bug Fixes / Improvements

    • Ingress now sets ingressClassName only when configured.
    • Added stricter Helm chart validation for invalid value combinations and label overrides.
  • Tests

    • Expanded network policy and validation coverage, including egress-isolation behavior and new ingress/label validation cases.

@coderabbitai

coderabbitai Bot commented Jul 3, 2026

Copy link
Copy Markdown

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: e4d3f85f-43e3-4fc2-9b81-39eb47d7abbf

📥 Commits

Reviewing files that changed from the base of the PR and between ab19ab3 and 59481fa.

📒 Files selected for processing (14)
  • charts/qdrant/README.md
  • charts/qdrant/templates/NOTES.txt
  • charts/qdrant/templates/_helpers.tpl
  • charts/qdrant/templates/ingress.yaml
  • charts/qdrant/templates/networkpolicy.yaml
  • charts/qdrant/templates/statefulset.yaml
  • charts/qdrant/templates/validate.yaml
  • charts/qdrant/tests/networkpolicy-extra-egress-values.yaml
  • charts/qdrant/tests/networkpolicy_test.yaml
  • charts/qdrant/tests/podlabels-selector-instance-values.yaml
  • charts/qdrant/tests/podlabels-selector-name-values.yaml
  • charts/qdrant/tests/validation_test.yaml
  • charts/qdrant/values.schema.json
  • charts/qdrant/values.yaml
✅ Files skipped from review due to trivial changes (4)
  • charts/qdrant/tests/podlabels-selector-instance-values.yaml
  • charts/qdrant/tests/podlabels-selector-name-values.yaml
  • charts/qdrant/templates/ingress.yaml
  • charts/qdrant/README.md
🚧 Files skipped from review as they are similar to previous changes (9)
  • charts/qdrant/templates/networkpolicy.yaml
  • charts/qdrant/tests/validation_test.yaml
  • charts/qdrant/templates/statefulset.yaml
  • charts/qdrant/values.yaml
  • charts/qdrant/values.schema.json
  • charts/qdrant/templates/_helpers.tpl
  • charts/qdrant/tests/networkpolicy_test.yaml
  • charts/qdrant/tests/networkpolicy-extra-egress-values.yaml
  • charts/qdrant/templates/NOTES.txt

📝 Walkthrough

Walkthrough

This PR centralizes Qdrant chart validation, adds NetworkPolicy egress support, makes ingress class rendering conditional, aligns StatefulSet pod labels with selector labels, and rewrites install notes into a structured runbook.

Changes

Chart hardening and operator guidance

Layer / File(s) Summary
Validation helper and wiring
charts/qdrant/templates/_helpers.tpl, charts/qdrant/templates/validate.yaml, charts/qdrant/tests/podlabels-selector-*-values.yaml, charts/qdrant/tests/validation_test.yaml
Adds qdrant.validate, routes validation through it, and expands validation coverage for ingress hosts and selector-label overrides.
NetworkPolicy egress support
charts/qdrant/values.schema.json, charts/qdrant/values.yaml, charts/qdrant/templates/networkpolicy.yaml, charts/qdrant/tests/networkpolicy-extra-egress-values.yaml, charts/qdrant/tests/networkpolicy_test.yaml, charts/qdrant/README.md
Adds extraEgress support, conditional egress rendering, test coverage, and documentation.
Ingress, pod labels, and NOTES
charts/qdrant/templates/ingress.yaml, charts/qdrant/templates/statefulset.yaml, charts/qdrant/templates/NOTES.txt
Makes ingressClassName conditional, switches pod template labels to selector labels, and rewrites NOTES as a runbook.

Estimated code review effort: 3 (Moderate) | ~25 minutes

Possibly related PRs

  • helmforgedev/charts#641: Also updates Qdrant NetworkPolicy rendering and tests to append user-supplied extraEgress rules into spec.egress.
🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title matches the PR’s main theme of aligning the qdrant chart with HelmForge template standards.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch fix/qdrant-template-standards

Comment @coderabbitai help to get the list of available commands.

@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

Standards Check (GR-079) — PASS

Every changed chart fully passes standards-check.

@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

🟢 Security Scan: qdrant

Framework Score
MITRE + NSA + SOC2 75.757576%

✅ Security posture acceptable.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🧹 Nitpick comments (1)
charts/qdrant/templates/networkpolicy.yaml (1)

39-55: 🔒 Security & Privacy | 🔵 Trivial

Unrestricted HTTPS egress (0.0.0.0/0:443) significantly limits the isolation guarantee.

The baseline egress rule permits TCP/443 to any IPv4/IPv6 destination. Since most outbound C2/exfiltration traffic also rides over 443, this rule effectively neutralizes egress isolation for anything using standard TLS, leaving extraEgress mainly restricting non-HTTPS traffic. This appears to be an intentional, documented tradeoff (README states "preserves DNS and HTTPS egress"), so flagging as an advisory rather than a blocking issue — consider whether narrowing this to known egress endpoints (e.g., via an allow-list value) would better match the "isolation" naming for users who need stricter guarantees.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@charts/qdrant/templates/networkpolicy.yaml` around lines 39 - 55, The extra
egress rule in the network policy currently allows TCP/443 to all IPv4 and IPv6
destinations, which weakens the isolation guarantee. Review the egress section
in the networkPolicy template and adjust the handling of `extraEgress` so HTTPS
access is scoped to configurable allow-listed endpoints instead of `0.0.0.0/0`
and `::/0`, while keeping the DNS rule intact. If broad HTTPS egress is
intentionally retained, make that tradeoff explicit in the template/value naming
or comments tied to the `networkPolicy.extraEgress` logic.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@charts/qdrant/templates/NOTES.txt`:
- Line 38: The recovery command in NOTES.txt uses dot notation in the jsonpath
expression for the secret data key, which fails for default and any API key
names containing special characters like hyphens or dots. Update the kubectl
command in the NOTES template to use bracket notation for the
.Values.auth.apiKeyKey lookup so it works regardless of the configured secret
key; locate this in the NOTES.txt template around the kubectl get secret
command.

---

Nitpick comments:
In `@charts/qdrant/templates/networkpolicy.yaml`:
- Around line 39-55: The extra egress rule in the network policy currently
allows TCP/443 to all IPv4 and IPv6 destinations, which weakens the isolation
guarantee. Review the egress section in the networkPolicy template and adjust
the handling of `extraEgress` so HTTPS access is scoped to configurable
allow-listed endpoints instead of `0.0.0.0/0` and `::/0`, while keeping the DNS
rule intact. If broad HTTPS egress is intentionally retained, make that tradeoff
explicit in the template/value naming or comments tied to the
`networkPolicy.extraEgress` logic.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 950ebd65-36e3-4c72-bf56-c6cf3b9ac651

📥 Commits

Reviewing files that changed from the base of the PR and between 870b4c7 and 79cdbd2.

📒 Files selected for processing (14)
  • charts/qdrant/README.md
  • charts/qdrant/templates/NOTES.txt
  • charts/qdrant/templates/_helpers.tpl
  • charts/qdrant/templates/ingress.yaml
  • charts/qdrant/templates/networkpolicy.yaml
  • charts/qdrant/templates/statefulset.yaml
  • charts/qdrant/templates/validate.yaml
  • charts/qdrant/tests/networkpolicy-extra-egress-values.yaml
  • charts/qdrant/tests/networkpolicy_test.yaml
  • charts/qdrant/tests/podlabels-selector-instance-values.yaml
  • charts/qdrant/tests/podlabels-selector-name-values.yaml
  • charts/qdrant/tests/validation_test.yaml
  • charts/qdrant/values.schema.json
  • charts/qdrant/values.yaml

Comment thread charts/qdrant/templates/NOTES.txt Outdated
@mberlofa mberlofa force-pushed the fix/qdrant-template-standards branch from ab19ab3 to 59481fa Compare July 5, 2026 19:16
@mberlofa

mberlofa commented Jul 5, 2026

Copy link
Copy Markdown
Contributor Author

Addressed the remaining CodeRabbit advisory from the review body.

Decision:

  • Kept the existing broad HTTPS egress behavior for compatibility with external Qdrant/cloud endpoints.
  • Made the tradeoff explicit in values.yaml, README.md, and the NetworkPolicy template comment: when networkPolicy.extraEgress enables egress isolation, DNS and broad HTTPS egress to any IPv4/IPv6 destination are still preserved before appending custom rules.
  • The earlier NOTES JSONPath item was already fixed and confirmed by CodeRabbit in the resolved thread.
  • Synced the site docs in docs(qdrant): sync template standards updates site#351.

Validation:

  • make validate-chart CHART=qdrant passed after the final rebase: qdrant: FULLY VALIDATED (18 layers), including all k3d behavioral scenarios.
  • make site-sync-check CHART=qdrant passed and confirmed the site PR linkage requirement.
  • make release-check REPO=charts passed with the expected GR-077 release-publication warning.
  • make attribution-check REPO=charts passed.

The remaining NetworkPolicy advisory was posted in the CodeRabbit review body/top-level summary, not as an unresolved review thread, so there is no thread ID to reply to or resolve.

@mberlofa mberlofa merged commit 2e87082 into main Jul 6, 2026
17 checks passed
@mberlofa mberlofa deleted the fix/qdrant-template-standards branch July 6, 2026 09:02
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant