fix(jenkins): align template standards #677

Open: mberlofa wants to merge 3 commits into main from fix/jenkins-template-standards

mberlofa commented Jul 4, 2026 (Contributor)

Summary

  • Keep the Jenkins Helm test hook under templates/tests/ so helm test renders and executes it, with unittest coverage for the hook pod.
  • Add networkPolicy.extraEgress with schema and unit coverage while preserving existing generated egress controls.
  • Add chart validation helper, numbered NOTES sections, and README documentation.

Related

Validation

  • helm template test charts/jenkins | rg -n "helm.sh/hook|test-connection" (hook rendered from templates/tests/test-connection.yaml)
  • helm unittest charts/jenkins (24 tests, 7 suites)
  • make template-standards-check CHART=jenkins
  • node scripts/charts/validate-chart.js --chart jenkins --no-k3d
  • make validate-chart CHART=jenkins TIMEOUT=900 (FULLY VALIDATED, 20 layers)
  • make release-check REPO=charts
  • make attribution-check REPO=charts

Summary by CodeRabbit

  • New Features
    • Added networkPolicy.egress.extraEgress to append custom egress rules to the chart-generated NetworkPolicy.
    • Added fail-fast validation for related settings during chart rendering.
  • Bug Fixes
    • Prevents rendering/deployments when external secret, configuration scripts, or plugin-install settings are incomplete or conflicting.
  • Documentation
    • Reorganized installation Notes into numbered sections for clearer navigation.
    • Updated the chart README to clarify how extraEgress augments default egress behavior.
  • Tests
    • Added/updated tests covering extra egress rule rendering and Helm test hook pod output.

github-actions Bot commented Jul 4, 2026 (Contributor)

Standards Check (GR-079) — PASS

Every changed chart fully passes standards-check.

coderabbitai Bot commented Jul 4, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: d230ed72-b5f9-492f-b6e3-13b7186c3ec1

📥 Commits

Reviewing files that changed from the base of the PR and between 599a639 and f6e8688.

📒 Files selected for processing (11)
  • charts/jenkins/README.md
  • charts/jenkins/templates/NOTES.txt
  • charts/jenkins/templates/_helpers.tpl
  • charts/jenkins/templates/externalsecret.yaml
  • charts/jenkins/templates/networkpolicy.yaml
  • charts/jenkins/templates/statefulset.yaml
  • charts/jenkins/tests/networkpolicy-extra-egress-values.yaml
  • charts/jenkins/tests/networkpolicy_test.yaml
  • charts/jenkins/tests/test_connection_test.yaml
  • charts/jenkins/values.schema.json
  • charts/jenkins/values.yaml
✅ Files skipped from review due to trivial changes (2)
  • charts/jenkins/README.md
  • charts/jenkins/templates/NOTES.txt
🚧 Files skipped from review as they are similar to previous changes (5)
  • charts/jenkins/tests/test_connection_test.yaml
  • charts/jenkins/values.schema.json
  • charts/jenkins/templates/networkpolicy.yaml
  • charts/jenkins/values.yaml
  • charts/jenkins/tests/networkpolicy-extra-egress-values.yaml

📝 Walkthrough

This PR adds extraEgress support to the Jenkins chart NetworkPolicy, adds chart-value validation helpers, restructures the chart NOTES output into numbered sections, and adds Helm test coverage.

Changes

Jenkins Chart NetworkPolicy, Validation, and Notes Updates

| Layer / File(s) | Summary |
| --- | --- |
| extraEgress schema, values, and documentation: charts/jenkins/values.yaml, charts/jenkins/values.schema.json, charts/jenkins/README.md | Adds networkPolicy.egress.extraEgress to chart values, schema, and README notes. |
| NetworkPolicy template rendering and tests: charts/jenkins/templates/networkpolicy.yaml, charts/jenkins/tests/networkpolicy-extra-egress-values.yaml, charts/jenkins/tests/networkpolicy_test.yaml | Renders optional extra egress rules into the NetworkPolicy and adds test values plus assertions for the appended rule. |
| jenkins.validate helper and StatefulSet wiring: charts/jenkins/templates/_helpers.tpl, charts/jenkins/templates/externalsecret.yaml, charts/jenkins/templates/statefulset.yaml | Adds validation checks for external secrets, JCasC, and plugins configuration, then invokes them during StatefulSet and ExternalSecret template rendering. |
| NOTES.txt restructuring: charts/jenkins/templates/NOTES.txt | Renumbers the install notes into sectioned headings while preserving the existing commands and conditional output. |
| Helm test suite definition: charts/jenkins/tests/test_connection_test.yaml | Adds a Helm test case for the rendered test hook pod and its annotations. |

Estimated code review effort: 3 (Moderate) | ~25 minutes

Possibly related PRs

  • helmforgedev/charts#641: Also adds networkPolicy.egress.extraEgress support with matching NetworkPolicy test coverage.
🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title matches the PR’s main goal of bringing the Jenkins chart templates in line with standards. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |

Comment @coderabbitai help to get the list of available commands.

github-actions Bot commented Jul 4, 2026 (Contributor)

🟢 Security Scan: jenkins

| Framework | Score |
| --- | --- |
| MITRE + NSA + SOC2 | 91.41415% |

✅ Security posture acceptable.

chatgpt-codex-connector Bot left a comment

💡 Codex Review


P1: Keep Helm test hook under templates

This file is no longer part of the chart's rendered manifests because it was moved out of templates/. I checked Helm's CLI semantics (helm template --help says it renders chart templates, and helm test --help says tests are defined in the installed chart); in this revision helm template test charts/jenkins emits no helm.sh/hook: test, and --show-only tests/test-connection.yaml errors with could not find template. As a result, every Jenkins install loses its helm test smoke test even though NOTES/docs still instruct users to run it.


coderabbitai Bot left a comment

Actionable comments posted: 1

🧹 Nitpick comments (3)
charts/jenkins/tests/networkpolicy_test.yaml (1)

36-45: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

Index-based assertion is brittle against default egress-rule count changes.

spec.egress[3] implicitly depends on exactly 3 generated rules (cluster, DNS, internet) preceding extraEgress. If a default egress flag changes or a new generated rule is added, this index silently shifts and the test can pass/fail for the wrong reason. Using a contains assertion matching the rule content is more robust.

♻️ Suggested fix
   - it: should append extra egress rules
     values:
       - networkpolicy-extra-egress-values.yaml
     asserts:
-      - equal:
-          path: spec.egress[3].to[0].ipBlock.cidr
-          value: 10.0.0.0/8
-      - equal:
-          path: spec.egress[3].ports[0].port
-          value: 443
+      - contains:
+          path: spec.egress
+          content:
+            to:
+              - ipBlock:
+                  cidr: 10.0.0.0/8
+            ports:
+              - protocol: TCP
+                port: 443
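Review bot: the content block on the + lines also pins protocol: TCP, which the removed equal assertions never checked, so the match depends on networkpolicy-extra-egress-values.yaml setting the protocol explicitly; confirm that fixture does, or the element will not match. A companion case asserting the rule is absent from spec.egress when egress is disabled would cover the other direction.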
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@charts/jenkins/tests/networkpolicy_test.yaml` around lines 36 - 45, The
network policy test is asserting the extra egress rule by a hardcoded array
index, which is brittle when the number or order of default egress rules
changes. Update the assertions in the networkpolicy test to locate the extra
egress entry by its rule contents instead of spec.egress[3], using a
contains-style match against the egress rule fields so the test remains stable
as defaults evolve.
charts/jenkins/values.yaml (1)

191-192: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low value

Naming inconsistency: extraEgress sits outside egress: block.

All other egress-related knobs (enabled, allowCluster, allowDns, allowInternet, extraRules) live under networkPolicy.egress, but extraEgress is a sibling of egress instead of nested inside it. Since it only takes effect when egress.enabled is true (per the template), placing it under egress would better reflect its scope and avoid confusing chart consumers about where egress-related overrides belong.

♻️ Suggested restructuring (requires matching changes in schema and template)
   egress:
     ...
     extraRules: []
-  # -- Additional egress rules appended after generated egress rules.
-  extraEgress: []
+    # -- Additional egress rules appended after generated egress rules.
+    extraEgress: []
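Review bot: after the move, extraRules and extraEgress sit side by side under egress, and the only comment on the + lines ("Additional egress rules appended after generated egress rules.") does not say how the two lists differ. Document the difference on that comment line, or fold the two keys into one, so an operator does not add an allow rule to the wrong list.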
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@charts/jenkins/values.yaml` around lines 191 - 192, The network policy values
are inconsistent because extraEgress is defined as a top-level sibling instead
of being grouped under networkPolicy.egress like the other egress settings. Move
extraEgress into the egress block in values.yaml, and update any matching schema
and template references that read the current path so the namespaced egress
configuration stays consistent with enabled, allowCluster, allowDns,
allowInternet, and extraRules.
charts/jenkins/templates/_helpers.tpl (1)

99-115: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

Duplicate externalSecrets validation logic.

The externalSecrets checks in Lines 101-108 duplicate the fail checks already present in charts/jenkins/templates/externalsecret.yaml. Maintaining the same validation in two places risks the checks drifting out of sync (e.g., one gets updated with a new field/message and the other doesn't).

Consider extracting the externalSecrets checks into their own helper (e.g. jenkins.validate.externalSecrets) and having both jenkins.validate and externalsecret.yaml call it, so there is a single source of truth.

♻️ Suggested restructuring
+{{- define "jenkins.validate.externalSecrets" -}}
+{{- if and .Values.externalSecrets.enabled (not .Values.admin.existingSecret) -}}
+{{- fail "externalSecrets.enabled requires admin.existingSecret to be set to prevent credential drift between the chart-managed Secret and the ExternalSecret." -}}
+{{- end -}}
+{{- $externalSecretData := .Values.externalSecrets.data | default list -}}
+{{- $externalSecretDataFrom := .Values.externalSecrets.dataFrom | default list -}}
+{{- if and .Values.externalSecrets.enabled (eq (add (len $externalSecretData) (len $externalSecretDataFrom)) 0) -}}
+{{- fail "externalSecrets.data or externalSecrets.dataFrom must not be empty when externalSecrets.enabled=true" -}}
+{{- end -}}
+{{- end -}}
+
 {{- define "jenkins.validate" -}}
-{{- if and .Values.externalSecrets.enabled (not .Values.admin.existingSecret) -}}
-{{- fail "externalSecrets.enabled requires admin.existingSecret to be set to prevent credential drift between the chart-managed Secret and the ExternalSecret." -}}
-{{- end -}}
-{{- $externalSecretData := .Values.externalSecrets.data | default list -}}
-{{- $externalSecretDataFrom := .Values.externalSecrets.dataFrom | default list -}}
-{{- if and .Values.externalSecrets.enabled (eq (add (len $externalSecretData) (len $externalSecretDataFrom)) 0) -}}
-{{- fail "externalSecrets.data or externalSecrets.dataFrom must not be empty when externalSecrets.enabled=true" -}}
-{{- end -}}
+{{- include "jenkins.validate.externalSecrets" . -}}
 {{- if and .Values.jcasC.enabled (eq (len (.Values.jcasC.configScripts | default dict)) 0) -}}
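Review bot: the new jenkins.validate.externalSecrets define on the first + line has no comment stating that it renders nothing and exists only to call fail; add a short template comment above it, since jenkins.validate and externalsecret.yaml both include it for that side effect. The emptiness check only counts entries (len of data plus len of dataFrom), so a list holding an entry with no keys still passes; note that limitation in the comment or tighten the check.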

And in externalsecret.yaml, replace the inline checks with {{- include "jenkins.validate.externalSecrets" . -}}.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@charts/jenkins/templates/_helpers.tpl` around lines 99 - 115, The
externalSecrets validation in jenkins.validate is duplicated elsewhere and
should be centralized. Extract the externalSecrets-related fail checks into a
dedicated helper such as jenkins.validate.externalSecrets, keep the shared logic
there, and have both jenkins.validate and externalsecret.yaml invoke that
helper. This will ensure the validation rules stay consistent and prevent drift
between the two templates.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@charts/jenkins/README.md`:
- Around line 13-16: The README sentence in the NetworkPolicy section
incorrectly says the chart generates a separate Jenkins egress control. Update
the wording in the documentation to match the actual NetworkPolicy behavior
exposed by the chart, referring to the generated allowCluster, allowDns, and
allowInternet rules instead of “Jenkins,” and keep the mention of
networkPolicy.extraEgress as additive only.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 21f3de72-f977-44dc-80e2-9a47aa418b2e

📥 Commits

Reviewing files that changed from the base of the PR and between 47bc2fc and 38b5226.

📒 Files selected for processing (10)
  • charts/jenkins/README.md
  • charts/jenkins/templates/NOTES.txt
  • charts/jenkins/templates/_helpers.tpl
  • charts/jenkins/templates/networkpolicy.yaml
  • charts/jenkins/templates/statefulset.yaml
  • charts/jenkins/tests/networkpolicy-extra-egress-values.yaml
  • charts/jenkins/tests/networkpolicy_test.yaml
  • charts/jenkins/tests/test-connection.yaml
  • charts/jenkins/values.schema.json
  • charts/jenkins/values.yaml

Comment thread charts/jenkins/README.md Outdated
@mberlofa mberlofa force-pushed the fix/jenkins-template-standards branch from be650e1 to 599a639 Compare July 4, 2026 11:10

coderabbitai Bot left a comment

🧹 Nitpick comments (1)
charts/jenkins/tests/test_connection_test.yaml (1)

8-18: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low value

Consider asserting hook-delete-policy too.

The template also sets:

   metadata:
     name: "{{ include "jenkins.fullname" . }}-test-connection"
     labels:
       {{- include "jenkins.labels" . | nindent 4 }}
     annotations:
       "helm.sh/hook": test
       "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded

The new suite only asserts kind, name, and the helm.sh/hook annotation, leaving the delete-policy annotation uncovered.

♻️ Optional additional assertion
       - equal:
           path: metadata.annotations["helm.sh/hook"]
           value: test
+      - equal:
+          path: metadata.annotations["helm.sh/hook-delete-policy"]
+          value: before-hook-creation,hook-succeeded
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@charts/jenkins/tests/test_connection_test.yaml` around lines 8 - 18, The Helm
test suite for the connection test hook only verifies the Pod kind, name, and
helm.sh/hook annotation, so it misses the hook cleanup setting. Update the test
in test_connection_test.yaml to also assert
metadata.annotations["helm.sh/hook-delete-policy"] on the rendered
test-connection Pod, using the existing jenkins test hook assertions so the
template’s full annotation set is covered.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 2914f1d7-f260-4ea1-9553-f3d8382da0c8

📥 Commits

Reviewing files that changed from the base of the PR and between be650e1 and 599a639.

📒 Files selected for processing (2)
  • charts/jenkins/README.md
  • charts/jenkins/tests/test_connection_test.yaml
✅ Files skipped from review due to trivial changes (1)
  • charts/jenkins/README.md

@mberlofa mberlofa force-pushed the fix/jenkins-template-standards branch from 599a639 to f6e8688 Compare July 5, 2026 14:36
mberlofa commented Jul 5, 2026 (Contributor, Author)

Addressed the remaining CodeRabbit review-summary items for Jenkins.

What changed:

  • Moved networkPolicy.extraEgress to networkPolicy.egress.extraEgress across values, schema, README, template, and tests.
  • Replaced the brittle spec.egress[3] assertions with a content-based contains assertion.
  • Extracted duplicated ExternalSecret validation into jenkins.validate.externalSecrets and reused it from both jenkins.validate and externalsecret.yaml.
  • Added coverage for metadata.annotations["helm.sh/hook-delete-policy"] in the Helm test hook suite.
  • Synced the site PR: docs(jenkins): sync template standards updates site#355.

Validation:

  • make validate-chart CHART=jenkins TIMEOUT=1200 passed end-to-end after rebasing on origin/main (jenkins: FULLY VALIDATED (20 layers), including all GR-027 k3d scenarios).
  • make release-check REPO=charts passed with the expected GR-077 release-publication warning.
  • make attribution-check REPO=charts passed.

The README inline thread was already resolved. The remaining items were present in CodeRabbit review summaries rather than unresolved review threads, so there are no additional thread IDs to reply to or resolve.
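
Added example, not part of the PR or of any participant's comment: a small Python model of the point raised in review about spec.egress[3], showing the index-based check failing when a generated rule is switched off while the content-based check and an "extraEgress only appends" check still hold. `render_egress`, the rule bodies and the default of `True` for the allow* flags are assumptions made for illustration; only the rule order (cluster, DNS, internet, then extraEgress) and the asserted values come from the thread.

```python
# Added illustration, not code from the chart or the PR. render_egress() is a
# constructed stand-in for the NetworkPolicy template: rule bodies and flag
# defaults are assumptions; only the rule order comes from the review thread.

EXTRA = {  # constructed sample mirroring the values asserted in the test
    "to": [{"ipBlock": {"cidr": "10.0.0.0/8"}}],
    "ports": [{"protocol": "TCP", "port": 443}],
}


def render_egress(egress):
    """Return the egress rule list for one set of networkPolicy.egress values."""
    if not egress.get("enabled", True):
        return []  # extraEgress only takes effect when egress is enabled
    rules = []
    if egress.get("allowCluster", True):
        rules.append({"to": [{"namespaceSelector": {}}]})
    if egress.get("allowDns", True):
        rules.append({"ports": [{"protocol": "UDP", "port": 53},
                                {"protocol": "TCP", "port": 53}]})
    if egress.get("allowInternet", True):
        rules.append({"to": [{"ipBlock": {"cidr": "0.0.0.0/0"}}]})
    rules.extend(egress.get("extraEgress", []))
    return rules


def index_check(rules, index=3):
    """Original assertion style: inspect a fixed position in spec.egress."""
    try:
        rule = rules[index]
        return (rule["to"][0]["ipBlock"]["cidr"] == "10.0.0.0/8"
                and rule["ports"][0]["port"] == 443)
    except (IndexError, KeyError):
        return False


def contains_check(rules, expected=EXTRA):
    """Suggested style: some element of spec.egress equals the expected rule."""
    return any(rule == expected for rule in rules)


def is_additive(egress):
    """Generated rules must stay first and unchanged when extraEgress is set."""
    base = render_egress({**egress, "extraEgress": []})
    return render_egress(egress)[:len(base)] == base


def compare(egress):
    """Run all three checks against one values set."""
    rules = render_egress(egress)
    return {"index": index_check(rules), "contains": contains_check(rules),
            "additive": is_additive(egress)}


if __name__ == "__main__":
    cases = {
        "defaults": {"extraEgress": [EXTRA]},
        "internet off": {"allowInternet": False, "extraEgress": [EXTRA]},
    }
    for name, values in cases.items():
        print(name, compare(values))
```
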
