Skip to content

fix(immich): align template standards#676

Open
mberlofa wants to merge 3 commits into
mainfrom
fix/immich-template-standards
Open

fix(immich): align template standards#676
mberlofa wants to merge 3 commits into
mainfrom
fix/immich-template-standards

Conversation

@mberlofa

@mberlofa mberlofa commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

Summary

  • Keep the Immich Helm test hook under templates/tests/ so helm test renders and executes it, with unittest coverage for the hook pod.
  • Add networkPolicy.extraEgress and unit coverage.
  • Rewrite NOTES into numbered operational sections.
  • Remove decorative status icons from the touched README security scan block.

Related

Validation

  • helm template test charts/immich | rg -n "helm.sh/hook|test-connection" (hook rendered from templates/tests/test-connection.yaml)
  • helm unittest charts/immich (45 tests, 8 suites)
  • make template-standards-check CHART=immich
  • node scripts/charts/validate-chart.js --chart immich --no-k3d
  • make validate-chart CHART=immich TIMEOUT=900 (FULLY VALIDATED, 12 layers)
  • make site-sync-check CHART=immich
  • make release-check REPO=charts
  • make attribution-check REPO=charts

Site Validation

  • npm run lint
  • npm run format:check
  • npm run build

Summary by CodeRabbit

  • New Features
    • Added support for extra outbound NetworkPolicy rules via networkPolicy.extraEgress, allowing additional egress destinations and ports.
  • Documentation
    • Updated the chart README with a new NetworkPolicy section and refined the security scan formatting.
    • Reworked the chart NOTES/help output into clearer numbered sections with additional troubleshooting guidance.
  • Tests
    • Expanded NetworkPolicy test coverage to confirm extraEgress is appended after the base egress rules.
    • Added a Helm connection test suite to validate the rendered test pod.
  • Chores
    • Extended the NetworkPolicy values schema and defaults to include enabled, ingress, egress, and extraEgress.

@coderabbitai

coderabbitai Bot commented Jul 3, 2026

Copy link
Copy Markdown

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 4a7014a2-659b-415d-a563-2b0081d3cbc0

📥 Commits

Reviewing files that changed from the base of the PR and between 4511e4a and 495cdae.

📒 Files selected for processing (8)
  • charts/immich/README.md
  • charts/immich/templates/NOTES.txt
  • charts/immich/templates/networkpolicy.yaml
  • charts/immich/tests/networkpolicy-extra-egress-values.yaml
  • charts/immich/tests/networkpolicy_test.yaml
  • charts/immich/tests/test_connection_test.yaml
  • charts/immich/values.schema.json
  • charts/immich/values.yaml
✅ Files skipped from review due to trivial changes (1)
  • charts/immich/README.md
🚧 Files skipped from review as they are similar to previous changes (5)
  • charts/immich/tests/test_connection_test.yaml
  • charts/immich/tests/networkpolicy-extra-egress-values.yaml
  • charts/immich/values.schema.json
  • charts/immich/templates/networkpolicy.yaml
  • charts/immich/values.yaml

📝 Walkthrough

Walkthrough

This PR adds extraEgress support to the immich chart NetworkPolicy, updates the schema, values, template, tests, and README, reorganizes NOTES.txt into numbered help sections, and adds a Helm connection test suite.

Changes

NetworkPolicy extraEgress Feature

Layer / File(s) Summary
Values schema and defaults for extraEgress
charts/immich/values.schema.json, charts/immich/values.yaml
Adds enabled, ingress, egress, and extraEgress properties to the networkPolicy schema and a default empty extraEgress list in values.
NetworkPolicy template egress concatenation
charts/immich/templates/networkpolicy.yaml
Renders spec.egress from the concatenation of .Values.networkPolicy.egress and .Values.networkPolicy.extraEgress.
NetworkPolicy test suite and documentation
charts/immich/tests/networkpolicy_test.yaml, charts/immich/tests/networkpolicy-extra-egress-values.yaml, charts/immich/README.md
Adds Helm test coverage for NetworkPolicy rendering, a fixture for appended extra egress to 10.0.0.0/8 on port 443, and a README example plus security-scan formatting update.

NOTES.txt Restructuring

Layer / File(s) Summary
NOTES.txt numbered sections
charts/immich/templates/NOTES.txt
Reorganizes the chart help output into numbered sections and adds health path, validation, troubleshooting, production reminders, and resources content.

Helm connection test suite

Layer / File(s) Summary
Connection test suite
charts/immich/tests/test_connection_test.yaml
Adds a Helm test suite that renders the connection test Pod and checks its hook annotation.

Estimated code review effort: 2 (Simple) | ~12 minutes

Possibly related PRs

  • helmforgedev/charts#641: Both PRs update Helm chart NetworkPolicy rendering to support extra egress rules and add matching test coverage.
🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title is concise and accurately reflects the PR’s main goal of aligning the Immich chart with repository template and documentation standards.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch fix/immich-template-standards

Comment @coderabbitai help to get the list of available commands.

@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

Standards Check (GR-079) — PASS

Every changed chart fully passes standards-check.

@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

🟢 Security Scan: immich

Framework Score
MITRE + NSA + SOC2 88.611115%

✅ Security posture acceptable.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick comments (1)
charts/immich/tests/networkpolicy_test.yaml (1)

27-37: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

Add a test verifying egress + extraEgress ordering.

The values.yaml comment promises extraEgress rules are "appended after networkPolicy.egress", but the current fixture only sets extraEgress (base egress stays empty). No test verifies the concatenation order when both lists are non-empty.

♻️ Suggested additional test case
   - it: should append extra egress rules
     values:
       - networkpolicy-extra-egress-values.yaml
     asserts:
       - equal:
           path: spec.egress[0].to[0].ipBlock.cidr
           value: 10.0.0.0/8
       - equal:
           path: spec.egress[0].ports[0].port
           value: 443
+
+  - it: should append extraEgress after base egress rules
+    set:
+      networkPolicy.enabled: true
+      networkPolicy.egress[0].to[0].ipBlock.cidr: 172.16.0.0/12
+      networkPolicy.extraEgress[0].to[0].ipBlock.cidr: 10.0.0.0/8
+    asserts:
+      - equal:
+          path: spec.egress[0].to[0].ipBlock.cidr
+          value: 172.16.0.0/12
+      - equal:
+          path: spec.egress[1].to[0].ipBlock.cidr
+          value: 10.0.0.0/8
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@charts/immich/tests/networkpolicy_test.yaml` around lines 27 - 37, The
networkpolicy test currently only covers extraEgress by itself, so it does not
verify the documented append order when both networkPolicy.egress and
extraEgress are set. Update the networkpolicy_test.yaml fixture to include a
case using both lists and assert through the existing helm-unittest paths that
the base egress entries appear first and the extraEgress entries are appended
afterward; use the current test structure and the spec.egress assertions to
locate the right place.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@charts/immich/tests/networkpolicy_test.yaml`:
- Around line 27-37: The networkpolicy test currently only covers extraEgress by
itself, so it does not verify the documented append order when both
networkPolicy.egress and extraEgress are set. Update the networkpolicy_test.yaml
fixture to include a case using both lists and assert through the existing
helm-unittest paths that the base egress entries appear first and the
extraEgress entries are appended afterward; use the current test structure and
the spec.egress assertions to locate the right place.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 6b3e6ec8-4c91-49cd-b65e-ec460e034fa8

📥 Commits

Reviewing files that changed from the base of the PR and between 47bc2fc and 7a633e4.

📒 Files selected for processing (8)
  • charts/immich/README.md
  • charts/immich/templates/NOTES.txt
  • charts/immich/templates/networkpolicy.yaml
  • charts/immich/tests/networkpolicy-extra-egress-values.yaml
  • charts/immich/tests/networkpolicy_test.yaml
  • charts/immich/tests/test-connection.yaml
  • charts/immich/values.schema.json
  • charts/immich/values.yaml

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

apiVersion: v1
kind: Pod

P2 Badge Keep the Helm test hook under templates

Because this test Pod was moved to chart-root tests/, it is no longer rendered into the installed release as a Helm test hook; I checked helm create --help, which shows test files under templates/tests/, and helm test --help, which says tests are defined in the installed chart. In this location the annotated Pod is just an inert chart file, so the helm test command advertised in NOTES has no Immich connection test to run.

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread charts/immich/templates/networkpolicy.yaml Outdated
@mberlofa mberlofa force-pushed the fix/immich-template-standards branch from 4511e4a to 495cdae Compare July 5, 2026 14:55
@mberlofa

mberlofa commented Jul 5, 2026

Copy link
Copy Markdown
Contributor Author

Addressed the CodeRabbit review-summary nitpick about networkPolicy.egress + networkPolicy.extraEgress ordering coverage.

What changed:

  • Added a network policy unit test that sets both base networkPolicy.egress and networkPolicy.extraEgress.
  • Asserted that the base egress entry renders first and the extra egress entry is appended afterward.
  • No chart value or rendered behavior change was needed.

Validation:

  • make validate-chart CHART=immich TIMEOUT=1200 passed end-to-end after rebasing on origin/main (immich: FULLY VALIDATED (12 layers), including all GR-027 k3d scenarios). The validator justified transient readiness/FailedMount warnings on healthy workloads.
  • make site-sync-check CHART=immich passed on the existing site PR branch docs(immich): sync template standards updates site#354; no additional site change was required for this test-only update.
  • make release-check REPO=charts passed with the expected GR-077 release-publication warning.
  • make attribution-check REPO=charts passed.

This feedback was present in the CodeRabbit review summary rather than an unresolved review thread, so there is no thread ID to reply to or resolve.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant