Refactor roles and permissions for tenants #1067
Signed-off-by: Timofei Larkin <lllamnyp@gmail.com>
Walkthrough

A new Helm chart library was introduced for RBAC management, including template helpers for handling access levels and tenant group subjects within Kubernetes. This library is referenced by multiple application charts. Various applications added RoleBinding resources that bind Roles to subjects generated by these RBAC helpers. Tenant roles were refined to restrict resource permissions and unify subject declarations.

Sequence Diagram(s)

```mermaid
sequenceDiagram
    participant Helm Chart
    participant RBAC Helpers (_rbac.tpl)
    participant Kubernetes API
    Helm Chart->>RBAC Helpers (_rbac.tpl): Call subjectsForTenantAndAccessLevel(minLevel, tenant)
    RBAC Helpers (_rbac.tpl)->>RBAC Helpers (_rbac.tpl): Map access levels and parse tenant hierarchy
    RBAC Helpers (_rbac.tpl)->>RBAC Helpers (_rbac.tpl): Generate Group and ServiceAccount subjects
    RBAC Helpers (_rbac.tpl)-->>Helm Chart: Return RBAC subjects list
    Helm Chart->>Kubernetes API: Apply RoleBinding with generated subjects
```
Actionable comments posted: 1
🧹 Nitpick comments (3)
packages/library/cozy-lib/templates/_rbac.tpl (1)
8-15: `accessLevelToInt` is case-sensitive – consider normalising input
A stray upper-case (“Admin”) or mixed-case value will currently yield the “encountered access level …” failure. Converting the incoming string to lower-case before the lookup would make the helper more forgiving without affecting correctness.
packages/apps/tenant/charts/cozy-lib (2)
1-1: Validate relative path correctness
Ensure that `../../../library/cozy-lib` resolves correctly from `packages/apps/tenant/charts/cozy-lib` to the actual library chart.
1-1: Use Chart.yaml dependency instead of symlink
Consider declaring `cozy-lib` as a Helm library dependency in your `Chart.yaml` (under `dependencies`) rather than using a symlink. This approach is more explicit and works seamlessly with `helm dependency update`.
📜 Review details
Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro
📒 Files selected for processing (2)
- packages/apps/tenant/charts/cozy-lib (1 hunks)
- packages/library/cozy-lib/templates/_rbac.tpl (1 hunks)
🧰 Additional context used
🧠 Learnings (1)
packages/apps/tenant/charts/cozy-lib (1)
<retrieved_learning>
Learnt from: lllamnyp
PR: #1025
File: packages/apps/kafka/charts/cozy-lib:1-1
Timestamp: 2025-06-04T06:22:17.306Z
Learning: Files in packages/apps/*/charts/cozy-lib that contain the path "../../../library/cozy-lib" are symbolic links, not regular files. Git diffs may display symlinks as regular files with their target path as content, which can be misleading in code review.
</retrieved_learning>
⏰ Context from checks skipped due to timeout of 90000ms (1)
- GitHub Check: pre-commit
🔇 Additional comments (3)
packages/library/cozy-lib/templates/_rbac.tpl (2)
26-34: `$tenants` mutation inside `range` risks scope shadowing
Re-assigning `$tenants` inside the `range` loop relies on Go‐template’s subtle scoping rules. In some Helm versions the `=` creates a new variable scoped to the loop, leaving the outer `$tenants` empty.
Safest pattern:
-{{- $tenants := list }} -{{- range untilStep 2 (len $parts) 1 }} -{{- $tenants = append $tenants (slice $parts 0 . | join "-") }} -{{- end }} +{{- $tenants := list }} +{{- range $i := untilStep 2 (len $parts) 1 }} +{{- $tenants = append $tenants (slice $parts 0 $i | join "-") }} +{{- end }}Using an explicit loop variable (
$i
) prevents accidental shadowing and reads clearer.
75-86: Helm/Sprig does not provide `fromYamlArray` in all versions
`fromYamlArray` is only available starting Helm v3.12. If your supported cluster tooling still runs an older release the template will fail at render time. Verify target environments or fall back to the widely-available `fromYaml`
:-{{- $levels := include "cozy-lib.rbac.accessLevelsAtOrAbove" $level | fromYamlArray }} -{{- $tenants := include "cozy-lib.rbac.allParentTenantsAndThis" $global.Release.Namespace | fromYamlArray }} +{{- $levels := include "cozy-lib.rbac.accessLevelsAtOrAbove" $level | fromYaml }} +{{- $tenants := include "cozy-lib.rbac.allParentTenantsAndThis" $global.Release.Namespace | fromYaml }}Please double-check the Helm version constraint in
`Chart.yaml`.
packages/apps/tenant/charts/cozy-lib (1)
1-1: Confirm symlink creation instead of regular file
This should be a Git symlink pointing to `packages/library/cozy-lib` (mode `120000`), not a regular file with the path as its content.
```shell
#!/bin/bash
# Verify that the chart file is stored as a symlink
git ls-tree HEAD packages/apps/tenant/charts/cozy-lib
```
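Review bot: the `fromYamlArray` to `fromYaml` swap suggested above for `_rbac.tpl` lines 75-86 changes the decoded type. `fromYaml` decodes into a map, while `cozy-lib.rbac.accessLevelsAtOrAbove` emits a YAML list (`- {{ $k }}`), so `$levels` would no longer be the list the caller ranges over. Keep `fromYamlArray` and state the minimum supported Helm version in `Chart.yaml` instead.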
{{- define "cozy-lib.rbac.accessLevelsAtOrAbove" }} | ||
{{- $minLevelInt := include "cozy-lib.rbac.accessLevelToInt" . | int }} | ||
{{- range $k, $v := (include "cozy-lib.rbac.accessLevelMap" "" | fromYaml) }} | ||
{{- if ge (int $v) $minLevelInt }} | ||
- {{ $k }} | ||
{{- end }} | ||
{{- end }} | ||
{{- end }} |
🛠️ Refactor suggestion
Iteration over Go‐maps is non-deterministic – generated YAML order will drift between renders
range $k, $v := (include "cozy-lib.rbac.accessLevelMap" "" | fromYaml)
iterates over an unsorted map. Consequently the list produced by this helper is not stable across Go versions / runs, causing noisy diffs and flaky chart comparisons.
-{{- range $k, $v := (include "cozy-lib.rbac.accessLevelMap" "" | fromYaml) }}
-{{- if ge (int $v) $minLevelInt }}
-- {{ $k }}
-{{- end }}
-{{- end }}
+{{- $accessMap := include "cozy-lib.rbac.accessLevelMap" "" | fromYaml }}
+{{- range $k := sortAlpha (keys $accessMap) }}
+{{- if ge (int (index $accessMap $k)) $minLevelInt }}
+- {{ $k }}
+{{- end }}
+{{- end }}
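Review bot: `sortAlpha (keys $accessMap)` orders the emitted levels by name, while the filter on the following line compares the numeric value `int (index $accessMap $k)`, so the list comes out alphabetical rather than ordered by privilege; if any caller relies on level order, sort on the value instead. Go's text/template already visits map keys in sorted order for `range $k, $v := ...`, so the removed lines render the same alphabetical list and the rewrite mainly makes that ordering explicit.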
This guarantees deterministic output while still honouring the minimum level threshold.
📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
{{- define "cozy-lib.rbac.accessLevelsAtOrAbove" }} | |
{{- $minLevelInt := include "cozy-lib.rbac.accessLevelToInt" . | int }} | |
{{- range $k, $v := (include "cozy-lib.rbac.accessLevelMap" "" | fromYaml) }} | |
{{- if ge (int $v) $minLevelInt }} | |
- {{ $k }} | |
{{- end }} | |
{{- end }} | |
{{- end }} | |
{{- define "cozy-lib.rbac.accessLevelsAtOrAbove" }} | |
{{- $minLevelInt := include "cozy-lib.rbac.accessLevelToInt" . | int }} | |
{{- $accessMap := include "cozy-lib.rbac.accessLevelMap" "" | fromYaml }} | |
{{- range $k := sortAlpha (keys $accessMap) }} | |
{{- if ge (int (index $accessMap $k)) $minLevelInt }} | |
- {{ $k }} | |
{{- end }} | |
{{- end }} | |
{{- end }} |
🤖 Prompt for AI Agents
In packages/library/cozy-lib/templates/_rbac.tpl around lines 17 to 24, the
iteration over the accessLevelMap Go map is non-deterministic, causing unstable
YAML output. To fix this, extract the map keys into a slice, sort the slice to
ensure a stable order, then iterate over the sorted keys to produce the output.
This will guarantee deterministic output while still respecting the minimum
access level threshold.
Signed-off-by: Andrei Kvapil <kvapss@gmail.com>
fde3ceb to f83741e
Actionable comments posted: 0
♻️ Duplicate comments (1)
packages/library/cozy-lib/templates/_rbac.tpl (1)
19-23: Iteration over `accessLevelMap` is still non-deterministic
The helper keeps ranging over the raw map, so the order of the rendered list is dependent on Go’s map iteration order and will drift between template executions, creating noisy diffs.
-{{- range $k, $v := (include "cozy-lib.rbac.accessLevelMap" "" | fromYaml) }} -{{- if ge (int $v) $minLevelInt }} -- {{ $k }} -{{- end }} -{{- end }} +{{- $accessMap := include "cozy-lib.rbac.accessLevelMap" "" | fromYaml }} +{{- range $k := sortAlpha (keys $accessMap) }} +{{- if ge (int (index $accessMap $k)) $minLevelInt }} +- {{ $k }} +{{- end }} +{{- end }}Sorting the keys first guarantees a reproducible result while still honouring the numeric threshold.
🧹 Nitpick comments (1)
packages/library/cozy-lib/templates/_rbac.tpl (1)
90-95: New-line handling can break caller indentation
Appending `{{ printf "\n" }}` inside the loops forces a hard line-feed at column 0. When the helper is used inside another YAML structure that applies `nindent`/`indent`, the emitted line resets to column 0 and may corrupt the document.
Instead, let the caller control indentation:
-{{- include "cozy-lib.rbac.serviceAccountSubject" $t }}{{ printf "\n" }} +{{- include "cozy-lib.rbac.serviceAccountSubject" $t }}(Repeat for the inner loop.)
If a trailing newline is really required, the caller can add it with `trimSuffix`/`printf "\n" | indent`.
📒 Files selected for processing (1)
- packages/library/cozy-lib/templates/_rbac.tpl (1 hunks)
⏰ Context from checks skipped due to timeout of 90000ms (2)
- GitHub Check: pre-commit
- GitHub Check: Build
🔇 Additional comments (1)
packages/library/cozy-lib/templates/_rbac.tpl (1)
49-53: `serviceAccountSubject` likely renders an invalid SA reference
Both `name` and `namespace` are set to the same value (`{{ . }}`), which in calling sites is the tenant string (e.g. `tenant-abc-def`). In most clusters the service-account name is not equal to the namespace name, so the RBAC binding will point to a service account that probably does not exist.
Please confirm the intent; if the goal is to bind all service accounts in the namespace, the correct subject is a `Group` with
name: system:serviceaccounts:<namespace>
Otherwise the helper should accept separate `name` and `namespace` arguments.
Actionable comments posted: 13
🧹 Nitpick comments (13)
packages/apps/postgres/templates/dashboard-resourcemap.yaml (1)
29-34: Reorder fields for consistency
The `---` separator cleanly splits two resources. However, the RoleBinding block lists `kind` before `apiVersion`, whereas the Role above uses `apiVersion` first. Swapping these fields maintains a uniform style and aligns with common Kubernetes examples.
packages/apps/bucket/templates/dashboard-resourcemap.yaml (1)
21-23: Inconsistent field ordering.
For readability and consistency with the above Role definition, swap the `kind` and `apiVersion` lines so `apiVersion` comes first:
comes first:--- -kind: RoleBinding -apiVersion: rbac.authorization.k8s.io/v1 +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBindingpackages/apps/kubernetes/templates/dashboard-resourcemap.yaml (2)
37-41: Standardize resource header and add labels.
The new RoleBinding begins with `kind` before `apiVersion`, which is valid but diverges from the typical `apiVersion`-first ordering. Also, this resource lacks the common chart labels under `metadata.labels` that are present on other resources in this chart (e.g., `app.kubernetes.io/name`, `helm.sh/chart`).
Consider this optional refactor for readability and consistency:
--- a/packages/apps/kubernetes/templates/dashboard-resourcemap.yaml +++ b/packages/apps/kubernetes/templates/dashboard-resourcemap.yaml @@ -37,5 +37,10 @@ --- -kind: RoleBinding -apiVersion: rbac.authorization.k8s.io/v1 +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ .Release.Name }}-dashboard-resources + labels: + app.kubernetes.io/name: {{ .Chart.Name }} + helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version }} subjects: {{ include "cozy-lib.rbac.subjectsForTenantAndAccessLevel" (list "use" .Release.Namespace) }} roleRef:
44-47: Reorder `roleRef` fields for clarity.
While YAML key order isn’t enforced, it’s more idiomatic to list `apiGroup` first, then `kind`, then `name`. It improves readability:
```yaml
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: {{ .Release.Name }}-dashboard-resources
```
packages/apps/vm-disk/templates/dashboard-resourcemap.yaml (1)
13-18: Specify namespace for RoleBinding.
RoleBindings are namespaced resources. Explicitly adding `metadata.namespace: {{ .Release.Namespace }}` ensures this binding is installed in the intended namespace and improves clarity.
Apply this diff:
--- a/packages/apps/vm-disk/templates/dashboard-resourcemap.yaml +++ b/packages/apps/vm-disk/templates/dashboard-resourcemap.yaml @@ 16,18c16,19 metadata: - name: {{ .Release.Name }}-dashboard-resources + name: {{ .Release.Name }}-dashboard-resources + namespace: {{ .Release.Namespace }}packages/apps/vpn/templates/dashboard-resourcemap.yaml (1)
21-23: Consistent field ordering
Reorder `apiVersion` to appear before `kind`
to match Kubernetes conventions and the Role resource defined earlier.-kind: RoleBinding -apiVersion: rbac.authorization.k8s.io/v1 +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBindingpackages/apps/tenant/templates/tenant.yaml (6)
26-27: Extract repeated core resources into a helper.
The explicit core resource list (`pods`, `services`, `persistentvolumes`, `endpoints`, `events`, `resourcequotas`) is duplicated across multiple Roles. Define a named template or variable in `_helpers.tpl` (e.g., `coreResources`) and reference it here to DRY up the templates.
97-102: Reuse core resource list via helper.
This `resources:` block duplicates those same core objects. Replace the inline list with an include of the shared helper to keep updates centralized.
156-161: Abstract core resources list to a shared helper.
The same six core resources appear here—calling your new helper instead will eliminate copy-paste and simplify future changes.
219-224: Deduplicate core resource definitions via helper.
These core Kubernetes resources recur in the admin Role. Reference the extracted helper to reduce duplication and improve readability.
310-315: Extract core resources to helper for super-admin.
Repeated resource list for super-admin Role—moving this into the shared helper will keep your templates DRY.
356-356: Super-admin RoleBinding helper invocation looks good.
Helper usage is consistent. Minor nit: remove the extra space before the closing parenthesis in `(list "super-admin" (include "tenant.name" .) )`.
packages/apps/rabbitmq/templates/dashboard-resourcemap.yaml (1)
30-34: Add explicit namespace to RoleBinding metadata
A RoleBinding is a namespaced resource; without `namespace:`
Helm will default to the release namespace but it’s best practice to declare it explicitly to avoid ambiguity.--- a/packages/apps/rabbitmq/templates/dashboard-resourcemap.yaml +++ b/packages/apps/rabbitmq/templates/dashboard-resourcemap.yaml @@ -33,6 +33,7 @@ metadata: name: {{ .Release.Name }}-dashboard-resources + namespace: {{ .Release.Namespace }} subjects: {{ include "cozy-lib.rbac.subjectsForTenantAndAccessLevel" (list "use" .Release.Namespace) }} roleRef:
📒 Files selected for processing (56)
- packages/apps/bucket/Chart.yaml (1 hunks)
- packages/apps/bucket/charts/cozy-lib (1 hunks)
- packages/apps/bucket/templates/dashboard-resourcemap.yaml (1 hunks)
- packages/apps/clickhouse/Chart.yaml (1 hunks)
- packages/apps/clickhouse/templates/dashboard-resourcemap.yaml (1 hunks)
- packages/apps/ferretdb/Chart.yaml (1 hunks)
- packages/apps/ferretdb/templates/dashboard-resourcemap.yaml (1 hunks)
- packages/apps/kafka/Chart.yaml (1 hunks)
- packages/apps/kafka/templates/dashboard-resourcemap.yaml (1 hunks)
- packages/apps/kubernetes/Chart.yaml (1 hunks)
- packages/apps/kubernetes/charts/cozy-lib (1 hunks)
- packages/apps/kubernetes/templates/dashboard-resourcemap.yaml (1 hunks)
- packages/apps/mysql/Chart.yaml (1 hunks)
- packages/apps/mysql/templates/dashboard-resourcemap.yaml (1 hunks)
- packages/apps/nats/Chart.yaml (1 hunks)
- packages/apps/nats/templates/dashboard-resourcemap.yaml (1 hunks)
- packages/apps/postgres/Chart.yaml (1 hunks)
- packages/apps/postgres/templates/dashboard-resourcemap.yaml (1 hunks)
- packages/apps/rabbitmq/Chart.yaml (1 hunks)
- packages/apps/rabbitmq/templates/dashboard-resourcemap.yaml (1 hunks)
- packages/apps/redis/Chart.yaml (1 hunks)
- packages/apps/redis/templates/dashboard-resourcemap.yaml (1 hunks)
- packages/apps/tenant/Chart.yaml (1 hunks)
- packages/apps/tenant/templates/tenant.yaml (9 hunks)
- packages/apps/versions_map (12 hunks)
- packages/apps/virtual-machine/Chart.yaml (1 hunks)
- packages/apps/virtual-machine/charts/cozy-lib (1 hunks)
- packages/apps/virtual-machine/templates/dashboard-resourcemap.yaml (1 hunks)
- packages/apps/vm-disk/Chart.yaml (1 hunks)
- packages/apps/vm-disk/charts/cozy-lib (1 hunks)
- packages/apps/vm-disk/templates/dashboard-resourcemap.yaml (1 hunks)
- packages/apps/vm-instance/Chart.yaml (1 hunks)
- packages/apps/vm-instance/charts/cozy-lib (1 hunks)
- packages/apps/vm-instance/templates/dashboard-resourcemap.yaml (1 hunks)
- packages/apps/vpn/Chart.yaml (1 hunks)
- packages/apps/vpn/templates/dashboard-resourcemap.yaml (1 hunks)
- packages/extra/bootbox/Chart.yaml (1 hunks)
- packages/extra/bootbox/charts/cozy-lib (1 hunks)
- packages/extra/bootbox/templates/dashboard-resourcemap.yaml (1 hunks)
- packages/extra/etcd/Chart.yaml (1 hunks)
- packages/extra/etcd/charts/cozy-lib (1 hunks)
- packages/extra/etcd/templates/dashboard-resourcemap.yaml (1 hunks)
- packages/extra/info/Chart.yaml (1 hunks)
- packages/extra/info/charts/cozy-lib (1 hunks)
- packages/extra/info/templates/dashboard-resourcemap.yaml (1 hunks)
- packages/extra/ingress/Chart.yaml (1 hunks)
- packages/extra/ingress/charts/cozy-lib (1 hunks)
- packages/extra/ingress/templates/dashboard-resourcemap.yaml (1 hunks)
- packages/extra/monitoring/Chart.yaml (1 hunks)
- packages/extra/monitoring/charts/cozy-lib (1 hunks)
- packages/extra/monitoring/templates/dashboard-resourcemap.yaml (1 hunks)
- packages/extra/seaweedfs/Chart.yaml (1 hunks)
- packages/extra/seaweedfs/charts/cozy-lib (1 hunks)
- packages/extra/seaweedfs/templates/dashboard-resourcemap.yaml (1 hunks)
- packages/extra/versions_map (3 hunks)
- packages/library/cozy-lib/templates/_rbac.tpl (1 hunks)
✅ Files skipped from review due to trivial changes (39)
- packages/apps/kubernetes/Chart.yaml
- packages/apps/kafka/Chart.yaml
- packages/extra/info/charts/cozy-lib
- packages/apps/rabbitmq/Chart.yaml
- packages/apps/postgres/Chart.yaml
- packages/apps/nats/Chart.yaml
- packages/extra/monitoring/charts/cozy-lib
- packages/apps/bucket/charts/cozy-lib
- packages/extra/info/Chart.yaml
- packages/apps/mysql/Chart.yaml
- packages/apps/redis/Chart.yaml
- packages/apps/vm-disk/charts/cozy-lib
- packages/extra/seaweedfs/charts/cozy-lib
- packages/apps/virtual-machine/charts/cozy-lib
- packages/apps/clickhouse/Chart.yaml
- packages/apps/kubernetes/charts/cozy-lib
- packages/apps/tenant/Chart.yaml
- packages/apps/bucket/Chart.yaml
- packages/apps/ferretdb/Chart.yaml
- packages/extra/etcd/charts/cozy-lib
- packages/apps/vm-disk/Chart.yaml
- packages/apps/nats/templates/dashboard-resourcemap.yaml
- packages/extra/ingress/Chart.yaml
- packages/extra/bootbox/Chart.yaml
- packages/apps/clickhouse/templates/dashboard-resourcemap.yaml
- packages/extra/ingress/templates/dashboard-resourcemap.yaml
- packages/apps/mysql/templates/dashboard-resourcemap.yaml
- packages/extra/etcd/Chart.yaml
- packages/extra/seaweedfs/Chart.yaml
- packages/apps/ferretdb/templates/dashboard-resourcemap.yaml
- packages/apps/vpn/Chart.yaml
- packages/apps/vm-instance/charts/cozy-lib
- packages/extra/bootbox/charts/cozy-lib
- packages/extra/bootbox/templates/dashboard-resourcemap.yaml
- packages/apps/virtual-machine/Chart.yaml
- packages/apps/vm-instance/Chart.yaml
- packages/extra/monitoring/Chart.yaml
- packages/extra/ingress/charts/cozy-lib
- packages/apps/versions_map
🚧 Files skipped from review as they are similar to previous changes (1)
- packages/library/cozy-lib/templates/_rbac.tpl
🧰 Additional context used
🪛 YAMLlint (1.37.1)
packages/extra/info/templates/dashboard-resourcemap.yaml
[error] 17-17: syntax error: expected , but found ''
(syntax)
⏰ Context from checks skipped due to timeout of 90000ms (1)
- GitHub Check: Build
🔇 Additional comments (11)
packages/apps/virtual-machine/templates/dashboard-resourcemap.yaml (1)
14-23: Bind dashboard-resources Role to tenant subjects
The new RoleBinding correctly references `{{ .Release.Name }}-dashboard-resources`, leverages the `cozy-lib.rbac.subjectsForTenantAndAccessLevel` helper for subject generation, and follows the same apiGroup/field ordering as other charts.
packages/apps/postgres/templates/dashboard-resourcemap.yaml (1)
37-40: Role reference looks correct
The `roleRef` block correctly points to the `Role` named `{{ .Release.Name }}-dashboard-resources` in the `rbac.authorization.k8s.io` API group. No changes needed here.
packages/apps/bucket/templates/dashboard-resourcemap.yaml (1)
28-31: Role reference looks correct.
The `roleRef` block properly points to the newly defined Role. No changes needed here.
packages/apps/vm-instance/templates/dashboard-resourcemap.yaml (2)
14-17: Add RoleBinding for dashboard resources matches pattern.
The new RoleBinding resource correctly binds the dashboard-resources Role to tenants via the `cozy-lib` helper and follows the established pattern across your charts.
20-23: Role reference is correctly set.
The `roleRef` points to the newly created Role `{{ .Release.Name }}-dashboard-resources` with the correct API group.
packages/apps/kafka/templates/dashboard-resourcemap.yaml (1)
35-38: Validate RoleBinding’s roleRef
The `roleRef` correctly references the `{{ .Release.Name }}-dashboard-resources` Role in the `rbac.authorization.k8s.io` API group. No issues detected here.
packages/apps/tenant/templates/tenant.yaml (3)
127-127: Approve: RoleBinding subjects refactored with helper.
Using `{{ include "cozy-lib.rbac.subjectsForTenant" (list "view" (include "tenant.name" .)) | nindent 2 }}` ensures consistent binding logic and correct indentation.
198-198: Approve: Consistent use of subject helper.
Good to see `cozy-lib.rbac.subjectsForTenant` applied with proper `nindent 2` for the “use” RoleBinding.
289-289: Approve: Admin RoleBinding uses helper.
Correct invocation of `cozy-lib.rbac.subjectsForTenant` with `nindent 2`.
packages/apps/rabbitmq/templates/dashboard-resourcemap.yaml (1)
36-36:
```shell
#!/bin/bash
# Verify the dependencies block in the RabbitMQ chart Chart.yaml
echo "Looking for 'dependencies:' in packages/apps/rabbitmq/Chart.yaml"
grep -n "dependencies:" packages/apps/rabbitmq/Chart.yaml || true
echo "Displaying lines after the dependencies block for context"
grep -n -A10 "dependencies:" packages/apps/rabbitmq/Chart.yaml || true
```
packages/extra/versions_map (1)
2-3: Version entries look consistent
The commit hashes were frozen for released versions and new `HEAD` placeholders added. No structural or formatting issues detected.
Also applies to: 14-15, 18-19, 25-26, 47-48, 54-55
{{ include "cozy-lib.rbac.subjectsForTenantAndAccessLevel" (list "use" .Release.Namespace) }} | ||
roleRef: |
🛠️ Refactor suggestion
Ensure proper indentation of generated subjects
The helper include isn’t indented under `subjects:` and may break YAML parsing. Pipe the output through `nindent` (and trim left whitespace) so each `-` entry aligns correctly:
-subjects:
-{{ include "cozy-lib.rbac.subjectsForTenantAndAccessLevel" (list "use" .Release.Namespace) }}
+subjects:
+{{- include "cozy-lib.rbac.subjectsForTenantAndAccessLevel" (list "use" .Release.Namespace) | nindent 2 }}
📝 Committable suggestion
{{ include "cozy-lib.rbac.subjectsForTenantAndAccessLevel" (list "use" .Release.Namespace) }} | |
roleRef: | |
subjects: | |
{{- include "cozy-lib.rbac.subjectsForTenantAndAccessLevel" (list "use" .Release.Namespace) | nindent 2 }} | |
roleRef: |
🤖 Prompt for AI Agents
In packages/apps/postgres/templates/dashboard-resourcemap.yaml at lines 35 to
36, the output of the helper include for subjects is not properly indented under
the subjects key, which can cause YAML parsing errors. Fix this by piping the
include statement through the nindent function with the correct indentation
level to align each list item properly under subjects, and use trim to remove
any leading whitespace.
subjects: | ||
{{ include "cozy-lib.rbac.subjectsForTenantAndAccessLevel" (list "use" .Release.Namespace) }} |
Indent included template output under `subjects`.
As written, the `include` call may emit list entries at the wrong indentation, breaking YAML. Pipe it through `indent` (or `nindent`) to scope it correctly under `subjects`:
- subjects:
- {{ include "cozy-lib.rbac.subjectsForTenantAndAccessLevel" (list "use" .Release.Namespace) }}
+ subjects:
+ {{ include "cozy-lib.rbac.subjectsForTenantAndAccessLevel" (list "use" .Release.Namespace) | indent 2 }}
📝 Committable suggestion
subjects: | |
{{ include "cozy-lib.rbac.subjectsForTenantAndAccessLevel" (list "use" .Release.Namespace) }} | |
subjects: | |
{{ include "cozy-lib.rbac.subjectsForTenantAndAccessLevel" (list "use" .Release.Namespace) | indent 2 }} |
🤖 Prompt for AI Agents
In packages/apps/bucket/templates/dashboard-resourcemap.yaml at lines 26 to 27,
the included template output under `subjects` is not indented properly, which
can break YAML structure. Fix this by piping the `include` call through `indent`
or `nindent` to ensure the output is correctly indented and nested under
`subjects`.
subjects: | ||
{{ include "cozy-lib.rbac.subjectsForTenantAndAccessLevel" (list "use" .Release.Namespace) }} |
🛠️ Refactor suggestion
Indent the Helm `include` under `subjects` to produce valid YAML.
As written, the raw `include` call will break the list under `subjects`. You need to indent the rendered lines. For example:
-subjects:
-{{ include "cozy-lib.rbac.subjectsForTenantAndAccessLevel" (list "use" .Release.Namespace) }}
+subjects:
+ {{- include "cozy-lib.rbac.subjectsForTenantAndAccessLevel" (list "use" .Release.Namespace) | indent 2 }}
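Review bot: the added line combines `{{-` with `indent 2`. The left trim marker removes the newline after `subjects:`, and `indent` does not put one back, so the first list entry is rendered on the `subjects:` line itself. Use `| nindent 2` together with `{{-`, or drop the trim marker and start the action at column 0 with `| indent 2`.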
This ensures each entry from the helper is nested correctly under `subjects`.
🤖 Prompt for AI Agents
In packages/apps/kubernetes/templates/dashboard-resourcemap.yaml around lines 42
to 43, the Helm include statement under the subjects key is not indented
properly, causing invalid YAML structure. Fix this by indenting the include line
so that the rendered output is correctly nested as list items under subjects,
ensuring valid YAML formatting.
subjects: | ||
{{ include "cozy-lib.rbac.subjectsForTenantAndAccessLevel" (list "use" .Release.Namespace) }} |
Fix YAML indentation under `subjects`.
The `include` statement must be indented to form valid YAML under `subjects:`. Without proper indentation, this block will break the manifest.
Apply this diff:
- subjects:
- {{ include "cozy-lib.rbac.subjectsForTenantAndAccessLevel" (list "use" .Release.Namespace) }}
+ subjects:
+ {{ include "cozy-lib.rbac.subjectsForTenantAndAccessLevel" (list "use" .Release.Namespace) | indent 2 }}
📝 Committable suggestion
subjects: | |
{{ include "cozy-lib.rbac.subjectsForTenantAndAccessLevel" (list "use" .Release.Namespace) }} | |
subjects: | |
{{ include "cozy-lib.rbac.subjectsForTenantAndAccessLevel" (list "use" .Release.Namespace) | indent 2 }} |
🤖 Prompt for AI Agents
In packages/apps/vm-instance/templates/dashboard-resourcemap.yaml at lines 18 to
19, the include statement under the subjects key is not indented properly,
causing invalid YAML. Fix this by indenting the include line with two spaces so
it is correctly nested under subjects, ensuring valid YAML structure.
subjects: | ||
{{ include "cozy-lib.rbac.subjectsForTenantAndAccessLevel" (list "use" .Release.Namespace) }} |
🛠️ Refactor suggestion
Fix indentation for Helm include under subjects
The `include` invocation at line 34 needs to be indented under the `subjects:` key to emit valid YAML. Wrap the helper call with `nindent` (or `indent`) so its output aligns correctly.
Apply this diff:
@@ 33,34c33,34
-subjects:
-{{ include "cozy-lib.rbac.subjectsForTenantAndAccessLevel" (list "use" .Release.Namespace) }}
+subjects:
+{{- include "cozy-lib.rbac.subjectsForTenantAndAccessLevel" (list "use" .Release.Namespace) | nindent 2 }}
📝 Committable suggestion
subjects: | |
{{ include "cozy-lib.rbac.subjectsForTenantAndAccessLevel" (list "use" .Release.Namespace) }} | |
subjects: | |
{{- include "cozy-lib.rbac.subjectsForTenantAndAccessLevel" (list "use" .Release.Namespace) | nindent 2 }} |
🤖 Prompt for AI Agents
In packages/apps/kafka/templates/dashboard-resourcemap.yaml at lines 33-34, the
Helm include statement under the subjects key is not properly indented, causing
invalid YAML output. Fix this by wrapping the include call with the nindent
function to indent its output correctly under the subjects key, ensuring valid
YAML structure.
subjects: | ||
{{ include "cozy-lib.rbac.subjectsForTenantAndAccessLevel" (list "use" .Release.Namespace) }} |
🛠️ Refactor suggestion
Indent included subjects block for valid YAML
The raw include call isn’t indented under `subjects:`, which will break the manifest. Pipe the include through `indent` to align its output correctly.
--- a/packages/apps/rabbitmq/templates/dashboard-resourcemap.yaml
+++ b/packages/apps/rabbitmq/templates/dashboard-resourcemap.yaml
@@ -35,2 +35,2 @@
-subjects:
-{{ include "cozy-lib.rbac.subjectsForTenantAndAccessLevel" (list "use" .Release.Namespace) }}
+subjects:
+ {{ include "cozy-lib.rbac.subjectsForTenantAndAccessLevel" (list "use" .Release.Namespace) | indent 2 }}
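Review bot: The added line has whitespace in front of `{{` and also pipes the result through `indent 2`, so the first rendered line receives both while every later line receives only the two spaces from `indent`; with a multi-line helper result the first `- kind:` entry is shifted relative to the lines that follow it. Either start the action at column 0 and keep `| indent 2`, or use `{{- include ... | nindent 2 }}` as the kafka suggestion in this thread does.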
🤖 Prompt for AI Agents
In packages/apps/rabbitmq/templates/dashboard-resourcemap.yaml at lines 35 to
36, the included subjects block is not indented under the `subjects:` key,
causing invalid YAML. Fix this by piping the include statement through the
`indent` function with appropriate spaces (usually 2) to align the included
content correctly under `subjects:`.
subjects: | ||
{{ include "cozy-lib.rbac.subjectsForTenantAndAccessLevel" (list "admin" .Release.Namespace) }} | ||
roleRef: | ||
kind: Role |
Incorrect indentation breaks RoleBinding YAML
`subjects:` is a top-level key, therefore the list returned by the helper must be indented.
Without the extra indentation Helm renders an invalid manifest and `yamllint` / `kubectl apply` will fail.
subjects:
-{{ include "cozy-lib.rbac.subjectsForTenantAndAccessLevel" (list "admin" .Release.Namespace) }}
+{{ include "cozy-lib.rbac.subjectsForTenantAndAccessLevel" (list "admin" .Release.Namespace) | indent 2 }}
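Review bot: The removed line may already render valid YAML: if the helper emits `- kind:` entries starting at column 0, as a later comment in this thread assumes, a block sequence at the same indentation as its parent key `subjects:` is accepted by YAML parsers and by `kubectl`. Render the chart with `helm template` before and after the change to confirm there is a real failure; the `| indent 2` form is safe here only because the action itself starts at column 0.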
Apply the same pattern (`| indent 2`) everywhere this helper is used.
🤖 Prompt for AI Agents
In packages/extra/seaweedfs/templates/dashboard-resourcemap.yaml around lines 35
to 38, the list output by the helper under the top-level key 'subjects:' is not
indented, causing invalid YAML. Fix this by piping the helper output through '|
indent 2' to properly indent the list items under 'subjects:'. Apply this
indentation pattern consistently wherever this helper is used to ensure valid
YAML manifests.
name: {{ .Release.Name }}-dashboard-resources | ||
subjects: | ||
{{ include "cozy-lib.rbac.subjectsForTenantAndAccessLevel" (list "view" .Release.Namespace) }} | ||
roleRef: | ||
kind: Role |
YAML-lint error: unindented helper output
Static analysis already flagged a syntax error at this exact spot.
Indent the helper output so that it becomes the value of `subjects:`.
subjects:
-{{ include "cozy-lib.rbac.subjectsForTenantAndAccessLevel" (list "view" .Release.Namespace) }}
+{{ include "cozy-lib.rbac.subjectsForTenantAndAccessLevel" (list "view" .Release.Namespace) | indent 2 }}
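Review bot: The `+` line changes the helper call under `subjects:`, but the YAMLlint error quoted for this file is reported at 17-17, which a later comment in this thread identifies as the templated `name: {{ .Release.Name }}-dashboard-resources` line, so this change by itself is unlikely to clear that error. The linter appears to be reading the unrendered template; lint the output of `helm template` instead to see whether the subjects block is really malformed.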
Fixing this solves the `expected <block end>` error.
🧰 Tools
🪛 YAMLlint (1.37.1)
[error] 17-17: syntax error: expected , but found ''
(syntax)
🤖 Prompt for AI Agents
In packages/extra/info/templates/dashboard-resourcemap.yaml around lines 17 to
21, the output of the helper function under the `subjects:` key is not indented
properly, causing a YAML syntax error. Indent the helper output so it is
correctly nested as the value of `subjects:` by adding appropriate spaces before
the helper invocation line. This will fix the `expected <block end>` error.
subjects: | ||
{{ include "cozy-lib.rbac.subjectsForTenantAndAccessLevel" (list "super-admin" .Release.Namespace) }} | ||
roleRef: | ||
kind: Role |
Helper output must be indented
Same indentation issue as in the other charts – the rendered YAML will be malformed.
subjects:
-{{ include "cozy-lib.rbac.subjectsForTenantAndAccessLevel" (list "super-admin" .Release.Namespace) }}
+{{ include "cozy-lib.rbac.subjectsForTenantAndAccessLevel" (list "super-admin" .Release.Namespace) | indent 2 }}
🤖 Prompt for AI Agents
In packages/extra/etcd/templates/dashboard-resourcemap.yaml around lines 25 to
28, the output of the helper include
"cozy-lib.rbac.subjectsForTenantAndAccessLevel" is not properly indented,
causing malformed YAML. Fix this by indenting the helper output to align
correctly with the surrounding YAML structure, typically by adding spaces before
the include statement so the rendered content matches the expected YAML
indentation level.
name: {{ .Release.Name }}-dashboard-resources | ||
subjects: | ||
{{ include "cozy-lib.rbac.subjectsForTenantAndAccessLevel" (list "admin" .Release.Namespace) }} | ||
roleRef: |
Indent helper output to produce valid YAML
subjects:
-{{ include "cozy-lib.rbac.subjectsForTenantAndAccessLevel" (list "admin" .Release.Namespace) }}
+{{ include "cozy-lib.rbac.subjectsForTenantAndAccessLevel" (list "admin" .Release.Namespace) | indent 2 }}
Consider creating a small wrapper helper that always indents two spaces to avoid repeating this mistake.
🤖 Prompt for AI Agents
In packages/extra/monitoring/templates/dashboard-resourcemap.yaml around lines
56 to 59, the output of the helper
"cozy-lib.rbac.subjectsForTenantAndAccessLevel" is not indented properly,
causing invalid YAML. Fix this by indenting the helper output two spaces to
align correctly under "subjects:". To prevent this issue recurring, create a
wrapper helper that calls the original helper and automatically adds two spaces
of indentation to its output.
Actionable comments posted: 5
♻️ Duplicate comments (2)
packages/extra/bootbox/templates/dashboard-resourcemap.yaml (1)
38-40: Indentation issue – RoleBinding will not render
Same fix as above:
subjects: -{{ include "cozy-lib.rbac.subjectsForTenantAndAccessLevel" (list "super-admin" .Release.Namespace) }} +{{ include "cozy-lib.rbac.subjectsForTenantAndAccessLevel" (list "super-admin" .Release.Namespace) | nindent 2 }}packages/apps/kubernetes/templates/dashboard-resourcemap.yaml (1)
41-44: Invalid YAML due to un-indented include
Please indent the helper output:
subjects: -{{ include "cozy-lib.rbac.subjectsForTenantAndAccessLevel" (list "use" .Release.Namespace) }} +{{ include "cozy-lib.rbac.subjectsForTenantAndAccessLevel" (list "use" .Release.Namespace) | nindent 2 }}
📜 Review details
Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro
📒 Files selected for processing (56)
- packages/apps/bucket/Chart.yaml (1 hunks)
- packages/apps/bucket/charts/cozy-lib (1 hunks)
- packages/apps/bucket/templates/dashboard-resourcemap.yaml (1 hunks)
- packages/apps/clickhouse/Chart.yaml (1 hunks)
- packages/apps/clickhouse/templates/dashboard-resourcemap.yaml (1 hunks)
- packages/apps/ferretdb/Chart.yaml (1 hunks)
- packages/apps/ferretdb/templates/dashboard-resourcemap.yaml (1 hunks)
- packages/apps/kafka/Chart.yaml (1 hunks)
- packages/apps/kafka/templates/dashboard-resourcemap.yaml (1 hunks)
- packages/apps/kubernetes/Chart.yaml (1 hunks)
- packages/apps/kubernetes/charts/cozy-lib (1 hunks)
- packages/apps/kubernetes/templates/dashboard-resourcemap.yaml (1 hunks)
- packages/apps/mysql/Chart.yaml (1 hunks)
- packages/apps/mysql/templates/dashboard-resourcemap.yaml (1 hunks)
- packages/apps/nats/Chart.yaml (1 hunks)
- packages/apps/nats/templates/dashboard-resourcemap.yaml (1 hunks)
- packages/apps/postgres/Chart.yaml (1 hunks)
- packages/apps/postgres/templates/dashboard-resourcemap.yaml (1 hunks)
- packages/apps/rabbitmq/Chart.yaml (1 hunks)
- packages/apps/rabbitmq/templates/dashboard-resourcemap.yaml (1 hunks)
- packages/apps/redis/Chart.yaml (1 hunks)
- packages/apps/redis/templates/dashboard-resourcemap.yaml (1 hunks)
- packages/apps/tenant/Chart.yaml (1 hunks)
- packages/apps/tenant/templates/tenant.yaml (9 hunks)
- packages/apps/versions_map (12 hunks)
- packages/apps/virtual-machine/Chart.yaml (1 hunks)
- packages/apps/virtual-machine/charts/cozy-lib (1 hunks)
- packages/apps/virtual-machine/templates/dashboard-resourcemap.yaml (1 hunks)
- packages/apps/vm-disk/Chart.yaml (1 hunks)
- packages/apps/vm-disk/charts/cozy-lib (1 hunks)
- packages/apps/vm-disk/templates/dashboard-resourcemap.yaml (1 hunks)
- packages/apps/vm-instance/Chart.yaml (1 hunks)
- packages/apps/vm-instance/charts/cozy-lib (1 hunks)
- packages/apps/vm-instance/templates/dashboard-resourcemap.yaml (1 hunks)
- packages/apps/vpn/Chart.yaml (1 hunks)
- packages/apps/vpn/templates/dashboard-resourcemap.yaml (1 hunks)
- packages/extra/bootbox/Chart.yaml (1 hunks)
- packages/extra/bootbox/charts/cozy-lib (1 hunks)
- packages/extra/bootbox/templates/dashboard-resourcemap.yaml (1 hunks)
- packages/extra/etcd/Chart.yaml (1 hunks)
- packages/extra/etcd/charts/cozy-lib (1 hunks)
- packages/extra/etcd/templates/dashboard-resourcemap.yaml (1 hunks)
- packages/extra/info/Chart.yaml (1 hunks)
- packages/extra/info/charts/cozy-lib (1 hunks)
- packages/extra/info/templates/dashboard-resourcemap.yaml (1 hunks)
- packages/extra/ingress/Chart.yaml (1 hunks)
- packages/extra/ingress/charts/cozy-lib (1 hunks)
- packages/extra/ingress/templates/dashboard-resourcemap.yaml (1 hunks)
- packages/extra/monitoring/Chart.yaml (1 hunks)
- packages/extra/monitoring/charts/cozy-lib (1 hunks)
- packages/extra/monitoring/templates/dashboard-resourcemap.yaml (1 hunks)
- packages/extra/seaweedfs/Chart.yaml (1 hunks)
- packages/extra/seaweedfs/charts/cozy-lib (1 hunks)
- packages/extra/seaweedfs/templates/dashboard-resourcemap.yaml (1 hunks)
- packages/extra/versions_map (3 hunks)
- packages/library/cozy-lib/templates/_rbac.tpl (1 hunks)
✅ Files skipped from review due to trivial changes (41)
- packages/extra/ingress/Chart.yaml
- packages/apps/rabbitmq/Chart.yaml
- packages/extra/ingress/charts/cozy-lib
- packages/extra/etcd/charts/cozy-lib
- packages/apps/kubernetes/charts/cozy-lib
- packages/apps/vm-disk/charts/cozy-lib
- packages/apps/mysql/Chart.yaml
- packages/apps/ferretdb/Chart.yaml
- packages/extra/seaweedfs/Chart.yaml
- packages/apps/kubernetes/Chart.yaml
- packages/apps/vm-instance/charts/cozy-lib
- packages/apps/tenant/Chart.yaml
- packages/extra/bootbox/Chart.yaml
- packages/apps/postgres/Chart.yaml
- packages/apps/bucket/charts/cozy-lib
- packages/apps/vpn/Chart.yaml
- packages/extra/bootbox/charts/cozy-lib
- packages/extra/info/charts/cozy-lib
- packages/apps/redis/Chart.yaml
- packages/apps/virtual-machine/charts/cozy-lib
- packages/apps/bucket/Chart.yaml
- packages/extra/info/Chart.yaml
- packages/extra/monitoring/charts/cozy-lib
- packages/apps/vm-instance/Chart.yaml
- packages/apps/virtual-machine/Chart.yaml
- packages/extra/seaweedfs/charts/cozy-lib
- packages/apps/clickhouse/Chart.yaml
- packages/apps/kafka/Chart.yaml
- packages/apps/vm-instance/templates/dashboard-resourcemap.yaml
- packages/apps/bucket/templates/dashboard-resourcemap.yaml
- packages/extra/monitoring/Chart.yaml
- packages/apps/redis/templates/dashboard-resourcemap.yaml
- packages/apps/vm-disk/Chart.yaml
- packages/apps/nats/Chart.yaml
- packages/apps/virtual-machine/templates/dashboard-resourcemap.yaml
- packages/extra/ingress/templates/dashboard-resourcemap.yaml
- packages/apps/postgres/templates/dashboard-resourcemap.yaml
- packages/apps/clickhouse/templates/dashboard-resourcemap.yaml
- packages/apps/rabbitmq/templates/dashboard-resourcemap.yaml
- packages/apps/versions_map
- packages/extra/etcd/Chart.yaml
🚧 Files skipped from review as they are similar to previous changes (1)
- packages/library/cozy-lib/templates/_rbac.tpl
🧰 Additional context used
🪛 YAMLlint (1.37.1)
packages/extra/info/templates/dashboard-resourcemap.yaml
[error] 17-17: syntax error: expected , but found ''
(syntax)
⏰ Context from checks skipped due to timeout of 90000ms (1)
- GitHub Check: Test
🔇 Additional comments (4)
packages/extra/versions_map (1)
2-3: `HEAD` placeholders should be pinned before release
Several new lines keep the commit reference as the moving `HEAD`. This makes reproducible builds impossible once the branch moves on.
Recommend replacing `HEAD` with the exact commit SHA at merge time (or automate the pinning step in CI).
Also applies to: 14-16, 18-18, 26-26, 47-47, 55-55
packages/apps/vm-disk/templates/dashboard-resourcemap.yaml (1)
13-23: New RoleBinding addition looks correct.
The `RoleBinding` binds the `${Release.Name}-dashboard-resources` Role to the “use” subjects generated by the helper. Ensure that the helper’s output is correctly indented under `subjects:` in the rendered YAML (e.g. via `helm template` validation).
packages/extra/etcd/templates/dashboard-resourcemap.yaml (1)
20-30: RoleBinding for `super-admin` is correct.
The helper ties the Role `{{ .Release.Name }}-dashboard-resources` to super-admin subjects. Verify via `helm template` that the include output is properly indented under `subjects:`.
packages/apps/tenant/templates/tenant.yaml (1)
127-128: Centralized subject binding via helper is good.
Using `cozy-lib.rbac.subjectsForTenant` for view/use/admin/super-admin RoleBindings cleans up inline logic and ensures consistency.
Also applies to: 198-199, 289-290, 356-357
subjects: | ||
{{ include "cozy-lib.rbac.subjectsForTenantAndAccessLevel" (list "admin" .Release.Namespace) }} | ||
roleRef: |
Subjects block will break YAML – missing indentation after `subjects:`
`cozy-lib.rbac.subjectsForTenantAndAccessLevel` most likely renders a list that starts at column 0.
Without an extra indent, the emitted `- kind:` lines will be treated as top-level keys, producing invalid YAML and an unusable manifest.
subjects:
-{{ include "cozy-lib.rbac.subjectsForTenantAndAccessLevel" (list "admin" .Release.Namespace) }}
+{{ include "cozy-lib.rbac.subjectsForTenantAndAccessLevel" (list "admin" .Release.Namespace) | nindent 2 }}
(The same pipe is used for most Helm-supplied helpers such as `tpl`/`lookup`.)
Please fix here and in every other chart adopting the helper.
🤖 Prompt for AI Agents
In packages/extra/seaweedfs/templates/dashboard-resourcemap.yaml around lines 35
to 37, the subjects block lacks proper indentation after the 'subjects:' key,
causing invalid YAML. Fix this by indenting the output of the
'cozy-lib.rbac.subjectsForTenantAndAccessLevel' helper so that its list items
align correctly under 'subjects:'. Apply this indentation fix consistently
wherever this helper is used in other charts to ensure valid YAML manifests.
name: {{ .Release.Name }}-dashboard-resources | ||
subjects: | ||
{{ include "cozy-lib.rbac.subjectsForTenantAndAccessLevel" (list "use" .Release.Namespace) }} |
🛠️ Refactor suggestion
Same indentation bug as in other charts
Apply identical `| nindent 2` piping to make the generated subjects list valid YAML.
subjects:
-{{ include "cozy-lib.rbac.subjectsForTenantAndAccessLevel" (list "use" .Release.Namespace) }}
+{{ include "cozy-lib.rbac.subjectsForTenantAndAccessLevel" (list "use" .Release.Namespace) | nindent 2 }}
🤖 Prompt for AI Agents
In packages/apps/kafka/templates/dashboard-resourcemap.yaml at lines 32 to 34,
the generated YAML for the subjects list is incorrectly indented, causing
invalid YAML. Fix this by piping the output of the include statement through `|
nindent 2` to ensure the subjects list is properly indented with 2 spaces,
making the YAML valid.
--- | ||
kind: RoleBinding | ||
apiVersion: rbac.authorization.k8s.io/v1 | ||
metadata: | ||
name: {{ .Release.Name }}-dashboard-resources | ||
subjects: | ||
{{ include "cozy-lib.rbac.subjectsForTenantAndAccessLevel" (list "use" .Release.Namespace) }} | ||
roleRef: | ||
kind: Role | ||
name: {{ .Release.Name }}-dashboard-resources | ||
apiGroup: rbac.authorization.k8s.io |
Indent included subjects under `subjects:`
The `include` block must be indented so the generated list items nest correctly under `subjects:`. Without proper indentation, the rendered YAML will be invalid.
Apply this diff:
@@ -32,3 +32,4 @@
metadata:
name: {{ .Release.Name }}-dashboard-resources
subjects:
-{{ include "cozy-lib.rbac.subjectsForTenantAndAccessLevel" (list "use" .Release.Namespace) }}
+ {{ include "cozy-lib.rbac.subjectsForTenantAndAccessLevel" (list "use" .Release.Namespace) | indent 2 }}
roleRef:
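Review bot: The header `@@ -32,3 +32,4 @@` does not match the body, which carries five old and five new lines, so the hunk would be rejected as a patch; the counts should read `-32,5 +32,5`. The `+` line also keeps whitespace in front of `{{` while piping through `indent 2`, which shifts only the first rendered line; start the action at column 0 or switch to `{{- include ... | nindent 2 }}`.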
🤖 Prompt for AI Agents
In packages/apps/mysql/templates/dashboard-resourcemap.yaml around lines 28 to
38, the included subjects list under the `subjects:` key is not indented
properly, causing invalid YAML output. Fix this by indenting the `include`
statement so that the generated list items are correctly nested under
`subjects:` with appropriate spaces.
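The four call forms that appear in the comments above, rendered with Go's `text/template` (the engine Helm templates are built on) as an added example that is not code from the PR or from the reviewer. The `subjects` function is a constructed stand-in for the chart helper and takes a simplified argument, `indent`/`nindent` are local functions that mirror Sprig's documented behaviour, and `consistent` is an indentation check, not a YAML parser.

```go
package main

import (
	"bytes"
	"fmt"
	"strings"
	"text/template"
)

// subjects is a constructed stand-in for the chart helper: it returns a block
// sequence that starts at column 0. The real helper's output is an assumption.
func subjects(_ string, tenant string) string {
	item := "- kind: Group\n  name: %s-%s\n  apiGroup: rbac.authorization.k8s.io"
	return fmt.Sprintf(item+"\n"+item, tenant, "use", tenant, "admin")
}

// indent prefixes every line, including the first, with n spaces.
func indent(n int, s string) string {
	pad := strings.Repeat(" ", n)
	return pad + strings.ReplaceAll(s, "\n", "\n"+pad)
}

// nindent is indent with a newline placed in front of the result.
func nindent(n int, s string) string { return "\n" + indent(n, s) }

// call is a simplified form of the include call quoted in the thread.
const call = `include "subjects" .`

// names fixes the print order; variants holds the four forms under discussion.
var names = []string{"raw", "indent", "spaces+indent", "trim+nindent"}
var variants = map[string]string{
	"raw":           "subjects:\n{{ " + call + " }}\nroleRef:\n",
	"indent":        "subjects:\n{{ " + call + " | indent 2 }}\nroleRef:\n",
	"spaces+indent": "subjects:\n  {{ " + call + " | indent 2 }}\nroleRef:\n",
	"trim+nindent":  "subjects:\n{{- " + call + " | nindent 2 }}\nroleRef:\n",
}

// render executes one template variant with the local function map.
func render(src, tenant string) (string, error) {
	fm := template.FuncMap{"include": subjects, "indent": indent, "nindent": nindent}
	t, err := template.New("rb").Funcs(fm).Parse(src)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	err = t.Execute(&buf, tenant)
	return buf.String(), err
}

// consistent reports whether every "- " entry between subjects: and roleRef:
// starts in one column and every continuation line sits two columns deeper.
// Column 0 is accepted: YAML allows a sequence at its parent key's indentation.
func consistent(rendered string) bool {
	itemCol, inside := -1, false
	for _, line := range strings.Split(rendered, "\n") {
		if line == "subjects:" || line == "roleRef:" {
			inside = line == "subjects:"
			continue
		}
		if !inside || strings.TrimSpace(line) == "" {
			continue
		}
		col := len(line) - len(strings.TrimLeft(line, " "))
		if strings.HasPrefix(line[col:], "- ") {
			if itemCol >= 0 && col != itemCol {
				return false
			}
			itemCol = col
		} else if col != itemCol+2 {
			return false
		}
	}
	return itemCol >= 0
}

// check renders the named variant for a constructed tenant name.
func check(name string) (bool, error) {
	out, err := render(variants[name], "tenant-foo")
	return consistent(out), err
}

func main() {
	for _, n := range names {
		ok, err := check(n)
		fmt.Printf("%-14s consistent=%v err=%v\n", n, ok, err)
	}
}
```

Only the form that combines leading spaces with `indent 2` renders an inconsistent block; running `helm template` on the real chart is the way to confirm which case a given file is in.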
--- | ||
kind: RoleBinding | ||
apiVersion: rbac.authorization.k8s.io/v1 | ||
metadata: | ||
name: {{ .Release.Name }}-dashboard-resources | ||
subjects: | ||
{{ include "cozy-lib.rbac.subjectsForTenantAndAccessLevel" (list "view" .Release.Namespace) }} | ||
roleRef: | ||
kind: Role | ||
name: {{ .Release.Name }}-dashboard-resources | ||
apiGroup: rbac.authorization.k8s.io |
Mismatch between Role and RoleBinding names & YAML syntax error.
- The Role above is named literally `info-dashboard-resources`, but the new RoleBinding references `{{ .Release.Name }}-dashboard-resources`. If `.Release.Name` ≠ `info`, the binding will point at a non-existent Role.
- YAMLlint flags the unquoted templated scalar at line 17.
Apply these fixes:
4c4
- name: info-dashboard-resources
+ name: {{ .Release.Name }}-dashboard-resources
17c17
- name: {{ .Release.Name }}-dashboard-resources
+ name: "{{ .Release.Name }}-dashboard-resources"
19c19
- {{ include "cozy-lib.rbac.subjectsForTenantAndAccessLevel" (list "view" .Release.Namespace) }}
+ {{ include "cozy-lib.rbac.subjectsForTenantAndAccessLevel" (list "view" .Release.Namespace) | nindent 2 }}
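Review bot: The change at line 4 makes the Role name templated, but the instruction text that follows this diff tells the reader to put the literal `info` name into the RoleBinding instead; apply one direction only. Whichever is chosen, `roleRef.name` must equal the Role's `metadata.name`, otherwise the binding refers to a Role that does not exist and its subjects get no access.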
Committable suggestion skipped: line range outside the PR's diff.
🧰 Tools
🪛 YAMLlint (1.37.1)
[error] 17-17: syntax error: expected , but found ''
(syntax)
🤖 Prompt for AI Agents
In packages/extra/info/templates/dashboard-resourcemap.yaml lines 13 to 23, fix
the RoleBinding to reference the exact Role name by replacing {{ .Release.Name
}} with the literal Role name "info" to ensure they match. Also, quote the
templated scalar on line 17 to resolve the YAML syntax error flagged by
YAMLlint.
resources: ["pods", "services", "persistentvolumes", "endpoints", "events", "resourcequotas"] | ||
verbs: ["get", "list", "watch"] |
🛠️ Refactor suggestion
Cluster-scoped resource in a namespaced Role.
All five Role definitions now explicitly list `persistentvolumes` (a cluster-scoped resource), which cannot be managed by a namespaced Role. Replace it with `persistentvolumeclaims` or remove if not needed.
- resources: ["pods", "services", "persistentvolumes", "endpoints", "events", "resourcequotas"]
+ resources: ["pods", "services", "persistentvolumeclaims", "endpoints", "events", "resourcequotas"]
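Review bot: Swapping `persistentvolumes` for `persistentvolumeclaims` is not a neutral fix: the old entry granted nothing through a namespaced Role, whereas the new one gives each of the five tenant roles `get`, `list` and `watch` on PVCs in the namespace. Confirm that the default and view roles are meant to read PVCs; where they are not, delete the entry instead of replacing it.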
Replicate this change across the default, view, use, admin, and super-admin Role blocks.
Also applies to: 97-102, 156-162, 219-224, 310-315
🤖 Prompt for AI Agents
In packages/apps/tenant/templates/tenant.yaml at lines 26-27 and also at lines
97-102, 156-162, 219-224, and 310-315, the Role definitions incorrectly include
the cluster-scoped resource "persistentvolumes" which is not allowed in
namespaced Roles. Replace "persistentvolumes" with "persistentvolumeclaims" or
remove it if not required in each of these Role resource lists to ensure
compliance with Kubernetes RBAC rules.
Signed-off-by: Andrei Kvapil <kvapss@gmail.com>
52b7653
to
3b8a9f9
Compare
Summary by CodeRabbit