Skip to content

fix(oauth2-proxy): align template standards#682

Open
mberlofa wants to merge 2 commits into
mainfrom
fix/oauth2-proxy-template-standards
Open

fix(oauth2-proxy): align template standards#682
mberlofa wants to merge 2 commits into
mainfrom
fix/oauth2-proxy-template-standards

Conversation

@mberlofa

@mberlofa mberlofa commented Jul 4, 2026

Copy link
Copy Markdown
Contributor

Summary

  • keep the Helm test hook under templates/tests so helm test remains functional
  • add networkPolicy.extraEgress support with schema and unit coverage
  • expand NOTES and README coverage for the operational controls

Validation

  • make validate-chart CHART=oauth2-proxy TIMEOUT=900: FULLY VALIDATED (12 layers), including k3d behavioral scenarios for default, ci/ci-values.yaml, and ci/k3d-values.yaml.
  • make site-sync-check CHART=oauth2-proxy
  • make release-check REPO=charts passed with the expected GR-077 post-merge release confirmation warning.
  • make attribution-check REPO=charts

Site PR: helmforgedev/site#360
Issue: #633

Summary by CodeRabbit

  • New Features
    • Added networkPolicy.extraEgress to append additional full egress rules (preserving chart default DNS/HTTP(S) egress behavior when custom egress isn’t provided).
  • Documentation
    • Expanded the NetworkPolicy README with guidance for enabling networkPolicy.enabled and configuring extraEgress.
    • Reformatted the Helm install NOTES into a numbered layout.
  • Tests
    • Added/extended NetworkPolicy rendering tests to cover defaults, extraEgress, and combined egress + extraEgress.
    • Removed the obsolete “Test Connection” test suite.

@github-actions

github-actions Bot commented Jul 4, 2026

Copy link
Copy Markdown
Contributor

Standards Check (GR-079) — PASS

Every changed chart fully passes standards-check.

@github-actions

github-actions Bot commented Jul 4, 2026

Copy link
Copy Markdown
Contributor

🟢 Security Scan: oauth2-proxy

Framework Score
MITRE + NSA + SOC2 94.9495%

✅ Security posture acceptable.

@coderabbitai

coderabbitai Bot commented Jul 4, 2026

Copy link
Copy Markdown

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 642056f6-6c0b-4223-90c2-2512d5d3d144

📥 Commits

Reviewing files that changed from the base of the PR and between cdad333 and 7ad56aa.

📒 Files selected for processing (1)
  • charts/oauth2-proxy/tests/networkpolicy_test.yaml

📝 Walkthrough

Walkthrough

Adds extraEgress support to the oauth2-proxy NetworkPolicy, documents it, adds tests, and reformats NOTES.txt into numbered sections.

Changes

NetworkPolicy extraEgress feature

Layer / File(s) Summary
extraEgress values, schema, and template
charts/oauth2-proxy/values.yaml, charts/oauth2-proxy/values.schema.json, charts/oauth2-proxy/templates/networkpolicy.yaml
Adds networkPolicy.extraEgress defaults and schema support, and appends the configured egress rules in the NetworkPolicy template when default egress rendering is used.
NetworkPolicy tests and docs
charts/oauth2-proxy/tests/networkpolicy_test.yaml, charts/oauth2-proxy/README.md
Adds Helm coverage for the default NetworkPolicy render and the custom extra egress path, and documents networkPolicy.enabled and networkPolicy.extraEgress usage.

NOTES.txt restructuring

Layer / File(s) Summary
Numbered NOTES sections
charts/oauth2-proxy/templates/NOTES.txt
Replaces the banner and label-based NOTES layout with numbered headings for access, service, credentials, networking, operations, security reminders, and documentation.

Estimated code review effort: 2 (Simple) | ~12 minutes

Sequence Diagram(s)

sequenceDiagram
  participant Values as values.yaml
  participant Schema as values.schema.json
  participant Template as networkpolicy.yaml
  Values->>Schema: define networkPolicy.extraEgress
  Template->>Values: read extraEgress
  Template->>Template: render appended egress entries
Loading

Possibly related PRs

  • helmforgedev/charts#641: Adds and validates the same networkPolicy.extraEgress rendering behavior in the oauth2-proxy chart.
🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title is related to the chart templating cleanup, though it is broader than the main egress and notes updates.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch fix/oauth2-proxy-template-standards

Comment @coderabbitai help to get the list of available commands.

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

{{/* SPDX-License-Identifier: Apache-2.0 */}}

P2 Badge Keep the Helm test hook under templates

When this chart is installed, this test pod is no longer part of the rendered release because Helm chart tests must live under the chart's templates/ directory; the local check helm template test charts/oauth2-proxy --show-only tests/test-connection.yaml also reports that this is not a template. As a result helm test has no connection test hook to run even though the chart notes still instruct users to run it, so the hook should remain under templates/tests/ or another path below templates/.

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick comments (1)
charts/oauth2-proxy/tests/networkpolicy_test.yaml (1)

28-44: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

Consider adding a test for extraEgress combined with custom networkPolicy.egress.

Since the template appends extraEgress after either the default or a custom egress (see networkpolicy.yaml lines 29-45), a test exercising both networkPolicy.egress and networkPolicy.extraEgress together would close a coverage gap for that combination.

♻️ Suggested additional test case
  - it: should append extraEgress after custom egress
    set:
      networkPolicy.enabled: true
      networkPolicy.egress:
        - ports:
            - protocol: TCP
              port: 9000
      networkPolicy.extraEgress:
        - to:
            - ipBlock:
                cidr: 10.80.0.0/16
          ports:
            - protocol: TCP
              port: 443
    asserts:
      - equal:
          path: spec.egress[0].ports[0].port
          value: 9000
      - equal:
          path: spec.egress[1].to[0].ipBlock.cidr
          value: 10.80.0.0/16
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@charts/oauth2-proxy/tests/networkpolicy_test.yaml` around lines 28 - 44, Add
a test that covers `networkPolicy.egress` and `networkPolicy.extraEgress`
together, since `networkpolicy.yaml` appends `extraEgress` after any custom
egress. Update `charts/oauth2-proxy/tests/networkpolicy_test.yaml` by adding a
case like `should append extraEgress after custom egress` that sets both values,
then assert the custom egress entry stays first and the extra egress entry is
appended afterward. Use the existing `spec.egress` assertions in
`networkPolicy`/`networkpolicy_test.yaml` to locate the coverage gap.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@charts/oauth2-proxy/tests/networkpolicy_test.yaml`:
- Around line 28-44: Add a test that covers `networkPolicy.egress` and
`networkPolicy.extraEgress` together, since `networkpolicy.yaml` appends
`extraEgress` after any custom egress. Update
`charts/oauth2-proxy/tests/networkpolicy_test.yaml` by adding a case like
`should append extraEgress after custom egress` that sets both values, then
assert the custom egress entry stays first and the extra egress entry is
appended afterward. Use the existing `spec.egress` assertions in
`networkPolicy`/`networkpolicy_test.yaml` to locate the coverage gap.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: ee061303-57d6-46e2-8d65-7f2ca4d5cecb

📥 Commits

Reviewing files that changed from the base of the PR and between 47bc2fc and 2889150.

📒 Files selected for processing (8)
  • charts/oauth2-proxy/README.md
  • charts/oauth2-proxy/templates/NOTES.txt
  • charts/oauth2-proxy/templates/networkpolicy.yaml
  • charts/oauth2-proxy/tests/networkpolicy_test.yaml
  • charts/oauth2-proxy/tests/test-connection.yaml
  • charts/oauth2-proxy/tests/test_connection_test.yaml
  • charts/oauth2-proxy/values.schema.json
  • charts/oauth2-proxy/values.yaml
💤 Files with no reviewable changes (1)
  • charts/oauth2-proxy/tests/test_connection_test.yaml

@mberlofa mberlofa force-pushed the fix/oauth2-proxy-template-standards branch from 2889150 to ddc8146 Compare July 4, 2026 08:58
@mberlofa mberlofa force-pushed the fix/oauth2-proxy-template-standards branch from ddc8146 to cdad333 Compare July 4, 2026 20:00
@mberlofa

mberlofa commented Jul 5, 2026

Copy link
Copy Markdown
Contributor Author

Addressed the still-valid CodeRabbit review-body nitpick:

  • Added a NetworkPolicy unit test covering networkPolicy.egress together with networkPolicy.extraEgress.
  • The test asserts custom egress remains first and extraEgress is appended afterward.

Validation completed after the fix:

  • make validate-chart CHART=oauth2-proxy TIMEOUT=1200 passed: oauth2-proxy: FULLY VALIDATED (12 layers) including all GR-027 k3d scenarios.
  • make release-check REPO=charts passed with only the expected GR-077 release warning.
  • make attribution-check REPO=charts passed.

This CodeRabbit note was in the review summary body, not as a separate resolvable review thread, so there was no thread ID to resolve.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant