
feat(urbanstack-shared-app): add urbanstack-shared-app chart #1640

Open

ol-teuto wants to merge 1 commit into teutonet:main from ol-teuto:add-urbanstack-shared-app

Conversation

@ol-teuto (Member) commented Jul 30, 2025

Will be used by urbanstack to deploy shared apps. Most values will be set by the platform, only the image can be chosen by the user.

Summary by CodeRabbit

  • New Features
    • Introduced a new Helm chart, urbanstack-shared-app, providing templates for Kubernetes Deployment, Service, Ingress, NetworkPolicy, PersistentVolumeClaim, and image pull secrets.
    • Added configurable Helm values for image details, authentication, database, Keycloak, storage, resource limits, and metadata.
    • Included validation to enforce Helm release name length.
  • Chores
    • Added code ownership for the new chart.
    • Updated release configuration to include the new chart.
    • Added supporting configuration and CI files for chart deployment and testing.

@ol-teuto ol-teuto requested review from a team, cwrau, marvinWolff and tasches as code owners July 30, 2025 14:57
coderabbitai (Bot) commented Jul 30, 2025

Walkthrough

A new Helm chart named urbanstack-shared-app has been introduced, including all standard chart files, Kubernetes manifest templates, helper templates, and CI configuration. The chart is registered in release automation and assigned code owners. It provides deployment, service, ingress, network policy, PVC, and validation templates, with supporting values, schema, and CI files.

Changes

| Cohort / File(s) | Change Summary |
|---|---|
| Code Owners and Release Automation: .github/CODEOWNERS, .github/release-please/config.json | Added code ownership for charts/urbanstack-shared-app and registered the new chart in release-please configuration. |
| Chart Metadata and Values: charts/urbanstack-shared-app/Chart.yaml, charts/urbanstack-shared-app/values.yaml | Added Helm chart metadata and default values for urbanstack-shared-app, defining chart properties, configurable parameters, and resource defaults. |
| Helm Ignore and Helpers: charts/urbanstack-shared-app/.helmignore, charts/urbanstack-shared-app/templates/_helpers.tpl | Added .helmignore for packaging exclusions and helper templates for standardized label generation including tenant and citytool labels. |
| Kubernetes Templates: charts/urbanstack-shared-app/templates/deployment.yaml, charts/urbanstack-shared-app/templates/service.yaml, charts/urbanstack-shared-app/templates/ingress.yaml, charts/urbanstack-shared-app/templates/pvc.yaml, charts/urbanstack-shared-app/templates/networkpolicy.yaml, charts/urbanstack-shared-app/templates/image-pull-secret.yaml | Added manifest templates for Deployment, Service, Ingress, PersistentVolumeClaim, NetworkPolicy, and conditional image pull secret for the application, using values and helpers for dynamic configuration including security contexts, probes, environment variables, volume mounts, and network policies. |
| Helm Validation: charts/urbanstack-shared-app/templates/validation.yaml | Added Helm template validation to enforce a maximum release name length to ensure compatibility with PostgreSQL username length restrictions. |
| CI and Test Configuration: charts/urbanstack-shared-app/ci/_common.sh, charts/urbanstack-shared-app/ci/auth-values.yaml, charts/urbanstack-shared-app/ci/cert-issuer.yaml, charts/urbanstack-shared-app/ci/artifacthub-values.yaml | Added CI helper scripts and test configuration files for registry authentication, certificate issuer, and artifacthub image repository placeholder. |
| Configuration Schema: charts/urbanstack-shared-app/values.schema.json | Added JSON schema file defining structure and validation rules for Helm chart values for UrbanStack shared app deployments, including image, authentication, database, Keycloak, network policy, storage, resources, and metadata fields. |

Sequence Diagram(s)

sequenceDiagram
    participant User
    participant Helm
    participant Kubernetes API
    participant Secret
    participant PVC
    participant Deployment
    participant Service
    participant Ingress
    participant NetworkPolicy

    User->>Helm: Install urbanstack-shared-app chart
    Helm->>Kubernetes API: Render and apply templates
    Kubernetes API->>Secret: Create image pull secret (if auth provided)
    Kubernetes API->>PVC: Create PersistentVolumeClaim
    Kubernetes API->>Deployment: Create Deployment with env vars and probes
    Kubernetes API->>Service: Create ClusterIP Service
    Kubernetes API->>Ingress: Create Ingress for HTTP routing
    Kubernetes API->>NetworkPolicy: Create NetworkPolicy for egress/ingress

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~18 minutes

Suggested reviewers

  • marvinWolff
  • tasches
  • teutonet-bot

Poem

🐇
A chart hops in, so fresh and new,
With helpers, values, labels too!
Deployments, secrets, all in line,
PVCs and probes combine.
Urbanstack now can share its app—
Helm’s magic in a YAML wrap!
🥕✨


@ol-teuto force-pushed the add-urbanstack-shared-app branch 3 times, most recently from 7058566 to 0459b2c on July 30, 2025 15:20

coderabbitai (Bot) left a comment

Actionable comments posted: 5

🧹 Nitpick comments (11)
charts/urbanstack-shared-app/templates/validation.yaml (1)

1-4: Rename validation stub to .tpl to silence YAML linters

The snippet renders no Kubernetes object and exists purely for template-time validation, yet its .yaml suffix triggers YAML-lint errors (see pipeline output).
Move it to e.g. templates/_validation.tpl or validation.gotmpl; Helm will still evaluate it, but static analysis tools will skip it.
No behaviour change, just cleaner CI.

charts/urbanstack-shared-app/templates/pvc.yaml (3)

4-4: Use a fullname helper instead of raw .Release.Name

Hard-coding the PVC name to the release name removes the option of fullnameOverride and makes the object collide with any other resource that happens to share the release.
Prefer the standard helper, e.g. {{ include "external-citytool.fullname" . }}, for consistency and flexibility.


6-6: Inline helper on a new line to avoid YAML-lint gripe

-  labels:
-    {{- include "external-citytool.labels" . | nindent 4 }}
+  labels:
+{{- include "external-citytool.labels" . | nindent 4 }}

This prevents the “expected node content, but found '-'” error some YAML linters raise.


12-12: Guard storage.size with a sane default

-      storage: {{ .Values.storage.size | quote }}
+      storage: {{ .Values.storage.size | default "5Gi" | quote }}

Without a default the template hard-fails on a missing value.

charts/urbanstack-shared-app/templates/ingress.yaml (1)

7-11: Move templating helpers out of the annotation line

-  annotations:
-    kubernetes.io/tls-acme: "true"
-    {{- with .Values.certIssuer }}
-    cert-manager.io/issuer: {{ . | quote }}
-    {{- end }}
+  annotations:
+    kubernetes.io/tls-acme: "true"
+{{- with .Values.certIssuer }}
+    cert-manager.io/issuer: {{ . | quote }}
+{{- end }}

YAML tools stop complaining and the block is easier to read.

charts/urbanstack-shared-app/templates/image-pull-secret.yaml (2)

5-6: Put label helper on its own line for clean YAML

-  labels: {{- include "external-citytool.labels" . | nindent 4 }}
+  labels:
+{{- include "external-citytool.labels" . | nindent 4 }}

9-9: Add username / password keys to .dockerconfigjson

Older tooling occasionally requires the explicit fields:

-  .dockerconfigjson: {{ dict "auths" (dict .Values.image.registry (dict "auth" (printf "%s:%s" .Values.registryAuth.username .Values.registryAuth.password | b64enc))) | toJson | quote }}
+  .dockerconfigjson: {{ dict "auths" (dict .Values.image.registry (dict "username" .Values.registryAuth.username "password" .Values.registryAuth.password "auth" (printf "%s:%s" .Values.registryAuth.username .Values.registryAuth.password | b64enc))) | toJson | quote }}

charts/urbanstack-shared-app/templates/service.yaml (1)

4-6: Align with helpers and fix inline template

-  name: {{ .Release.Name }}
-  labels:
-    {{- include "external-citytool.labels" . | nindent 4 }}
+  name: {{ include "external-citytool.fullname" . }}
+  labels:
+{{- include "external-citytool.labels" . | nindent 4 }}

charts/urbanstack-shared-app/templates/networkpolicy.yaml (1)

52-60: Final newline missing

File ends without a terminating newline, which violates POSIX and some tools’ expectations.

charts/urbanstack-shared-app/templates/deployment.yaml (2)

26-33: Missing seccompProfile hardening

The pod has a strict security context but omits an explicit seccompProfile, leaving the runtime default ambiguous.

      securityContext:
+        seccompProfile:
+          type: RuntimeDefault

94-101: resources block optional – default may request zero CPU/Memory

Many clusters reject pods without resource requests. Consider setting conservative defaults in values.yaml to avoid run-time failures.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 6fcc912 and 0459b2c.

📒 Files selected for processing (17)
  • .github/CODEOWNERS (1 hunks)
  • .github/release-please/config.json (1 hunks)
  • charts/urbanstack-shared-app/.helmignore (1 hunks)
  • charts/urbanstack-shared-app/Chart.yaml (1 hunks)
  • charts/urbanstack-shared-app/ci/_common.sh (1 hunks)
  • charts/urbanstack-shared-app/ci/artifacthub-values.yaml (1 hunks)
  • charts/urbanstack-shared-app/ci/auth-values.yaml (1 hunks)
  • charts/urbanstack-shared-app/ci/cert-issuer.yaml (1 hunks)
  • charts/urbanstack-shared-app/templates/_helpers.tpl (1 hunks)
  • charts/urbanstack-shared-app/templates/deployment.yaml (1 hunks)
  • charts/urbanstack-shared-app/templates/image-pull-secret.yaml (1 hunks)
  • charts/urbanstack-shared-app/templates/ingress.yaml (1 hunks)
  • charts/urbanstack-shared-app/templates/networkpolicy.yaml (1 hunks)
  • charts/urbanstack-shared-app/templates/pvc.yaml (1 hunks)
  • charts/urbanstack-shared-app/templates/service.yaml (1 hunks)
  • charts/urbanstack-shared-app/templates/validation.yaml (1 hunks)
  • charts/urbanstack-shared-app/values.yaml (1 hunks)
✅ Files skipped from review due to trivial changes (6)
  • charts/urbanstack-shared-app/ci/artifacthub-values.yaml
  • charts/urbanstack-shared-app/.helmignore
  • charts/urbanstack-shared-app/ci/_common.sh
  • charts/urbanstack-shared-app/values.yaml
  • .github/release-please/config.json
  • charts/urbanstack-shared-app/templates/_helpers.tpl
🚧 Files skipped from review as they are similar to previous changes (4)
  • .github/CODEOWNERS
  • charts/urbanstack-shared-app/ci/auth-values.yaml
  • charts/urbanstack-shared-app/ci/cert-issuer.yaml
  • charts/urbanstack-shared-app/Chart.yaml
🧰 Additional context used
🧠 Learnings (6)
📓 Common learnings
Learnt from: cwrau
PR: teutonet/teutonet-helm-charts#1602
File: charts/base-cluster/templates/monitoring/kube-prometheus-stack/oauth-proxy.yaml:38-40
Timestamp: 2025-07-24T09:49:40.961Z
Learning: Official Helm charts like oauth2-proxy manage image versioning automatically through their Chart.yaml appVersion field, making manual tag pinning in consumer values unnecessary and potentially harmful. The chart version itself provides reproducibility by ensuring the correct image tag is used.
Learnt from: cwrau
PR: teutonet/teutonet-helm-charts#1604
File: charts/base-cluster/templates/monitoring/metrics-server/metrics-server.yaml:20-21
Timestamp: 2025-07-24T09:41:28.072Z
Learning: The official kubernetes-sigs/metrics-server Helm chart pins the image tag to a specific version in its values.yaml by default, ensuring reproducible deployments without requiring explicit tag specification in consuming charts.
Learnt from: cwrau
PR: teutonet/teutonet-helm-charts#1601
File: charts/base-cluster/templates/dns/external-dns.yaml:33-39
Timestamp: 2025-07-24T09:56:41.380Z
Learning: In the teutonet-helm-charts base-cluster chart, secret names like "external-dns" for Cloudflare provider are intentionally hard-coded. Users who need custom secret names should use Helm's `valuesFrom` feature to override values rather than expecting dedicated fields in values.yaml. This design keeps the values.yaml clean while still allowing full customization flexibility.
Learnt from: cwrau
PR: teutonet/teutonet-helm-charts#1604
File: charts/base-cluster/templates/monitoring/metrics-server/metrics-server.yaml:20-21
Timestamp: 2025-07-24T09:41:28.072Z
Learning: The kubernetes-sigs/metrics-server Helm chart uses `v{{ .Chart.AppVersion }}` as the default image tag when `image.tag` is empty, which provides pinned versioning through the chart's AppVersion rather than using floating tags like "latest".
Learnt from: cwrau
PR: #1601
File: charts/base-cluster/templates/dns/external-dns.yaml:30-32
Timestamp: 2025-07-24T09:55:53.655Z
Learning: In charts/base-cluster/templates/dns/external-dns.yaml, the dns.provider field in values.yaml has always been expected to be a map format (e.g., { cloudflare: {} }), never a string format. The template correctly uses {{ .Values.dns.provider | keys | first }} to extract the provider name from the map keys.

🪛 YAMLlint (1.37.1)
charts/urbanstack-shared-app/templates/deployment.yaml

[error] 8-8: syntax error: expected the node content, but found '-'

(syntax)


[error] 102-102: trailing spaces

(trailing-spaces)

charts/urbanstack-shared-app/templates/image-pull-secret.yaml

[error] 1-1: syntax error: expected the node content, but found '-'

(syntax)

charts/urbanstack-shared-app/templates/ingress.yaml

[error] 6-6: syntax error: expected the node content, but found '-'

(syntax)

charts/urbanstack-shared-app/templates/networkpolicy.yaml

[warning] 16-16: wrong indentation: expected 2 but found 4

(indentation)


[error] 6-6: syntax error: expected the node content, but found '-'

(syntax)

charts/urbanstack-shared-app/templates/pvc.yaml

[error] 6-6: syntax error: expected the node content, but found '-'

(syntax)

charts/urbanstack-shared-app/templates/service.yaml

[error] 6-6: syntax error: expected the node content, but found '-'

(syntax)

charts/urbanstack-shared-app/templates/validation.yaml

[error] 2-2: syntax error: expected '', but found '{'

(syntax)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: check licenses
🔇 Additional comments (3)
charts/urbanstack-shared-app/templates/ingress.yaml (1)

25-27: secretName can overflow 63-char DNS label limit

{{ .Values.host }}-tls is unbounded. Consider truncating or hashing when the host exceeds 61 chars.

charts/urbanstack-shared-app/templates/service.yaml (1)

15-15: Verify that external-citytool.selectorLabels exists

If _helpers.tpl does not define this helper the Service will render invalid YAML. Please double-check or add it.

charts/urbanstack-shared-app/templates/deployment.yaml (1)

21-24: Image-pull secret may reference non-existent resource

The template references pullsecret-{{ .Release.Name }} only when registryAuth.username and password are set.
If the secret template uses a different naming convention (e.g. includes the registry), the Deployment will fail.

Confirm the secret template produces the same name or update either side for consistency.

Comment thread charts/urbanstack-shared-app/templates/networkpolicy.yaml
Comment on lines +33 to +36
- to: # allow database access
- podSelector:
matchLabels: {{- .Values.postgres.networkPolicy.matchLabels | toYaml | nindent 14 }}
ports:
- protocol: TCP

🛠️ Refactor suggestion

matchLabels block is rendered on the same line – YAML breaks

toYaml already emits a newline; keep matchLabels: on its own line and drop the inline expression.

-            matchLabels: {{- .Values.postgres.networkPolicy.matchLabels | toYaml | nindent 14 }}
+            matchLabels:
+              {{- .Values.postgres.networkPolicy.matchLabels | toYaml | nindent 14 }}
🤖 Prompt for AI Agents
In charts/urbanstack-shared-app/templates/networkpolicy.yaml around lines 33 to
37, the matchLabels block is rendered inline causing YAML formatting issues. To
fix this, place the matchLabels: key on its own line and then use the toYaml
function with proper indentation on the following lines, avoiding inline
rendering to ensure valid multiline YAML output.

@ol-teuto force-pushed the add-urbanstack-shared-app branch from 0459b2c to 387b63b on July 30, 2025 15:48

coderabbitai (Bot) left a comment

Actionable comments posted: 1

♻️ Duplicate comments (3)
charts/urbanstack-shared-app/templates/ingress.yaml (1)

17-23: Key order still violates networking.k8s.io/v1 schema

Previous feedback already flagged this.
On some clusters the manifest will be rejected because path / pathType must come before backend.

-          - backend: 
-              service:
-                name: {{ .Release.Name }}
-                port:
-                  name: http
-            pathType: Prefix
-            path: /
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: {{ .Release.Name }}
+                port:
+                  name: http

charts/urbanstack-shared-app/templates/networkpolicy.yaml (2)

15-20: Indentation of list item under egress: is still off – results in invalid YAML

- to: must be indented exactly two spaces more than egress:. With the current four-space shift the document fails yamllint and will be rejected by kubectl apply.

-    {{- if .Values.allowExternalEgress }}
-    - to: # allow external endpoints outside of the cluster
+  {{- if .Values.allowExternalEgress }}
+  - to: # allow external endpoints outside of the cluster

34-36: Inline matchLabels breaks YAML – keep the key and rendered map on separate lines

toYaml already emits the newline. Rendering it inline produces matchLabels: key: value on one line, which is not valid.

-            matchLabels: {{- .Values.postgres.networkPolicy.matchLabels | toYaml | nindent 14 }}
+            matchLabels:
+              {{- .Values.postgres.networkPolicy.matchLabels | toYaml | nindent 14 }}

🧹 Nitpick comments (4)
charts/urbanstack-shared-app/templates/pvc.yaml (1)

4-6: Consider suffixing the PVC name for clarity & future-proofing

Using the bare release name makes the PVC share its name with the Deployment, Service, Ingress, etc.
While Kubernetes allows cross-kind name reuse, it becomes painful when grepping, debugging or replacing single resources later on.

-  name: {{ .Release.Name }}
+  # Keep within the 63-char DNS label limit
+  name: {{ printf "%s-pvc" .Release.Name | trunc 63 | trimSuffix "-" }}

charts/urbanstack-shared-app/templates/image-pull-secret.yaml (1)

4-7: Minor readability nit – move label block to the next line

Keeping the labels: key on its own line improves diff readability and mirrors the pattern used in the other templates.

-  labels: {{- include "urbanstack-shared-app.labels" . | nindent 4 }}
+  labels:
+    {{- include "urbanstack-shared-app.labels" . | nindent 4 }}

charts/urbanstack-shared-app/templates/deployment.yaml (2)

14-16: Prefer RollingUpdate over Recreate for zero-downtime upgrades

Unless the application explicitly cannot handle more than one replica, using Recreate causes a short outage on every deployment. RollingUpdate is the safer default and aligns with Kubernetes best practices.

-  strategy:
-    type: Recreate
+  strategy:
+    type: RollingUpdate

102-102: Trailing whitespace

There is a single trailing space on this line – harmless but worth dropping to keep the manifest clean.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 0459b2c and 387b63b.

📒 Files selected for processing (17)
  • .github/CODEOWNERS (1 hunks)
  • .github/release-please/config.json (1 hunks)
  • charts/urbanstack-shared-app/.helmignore (1 hunks)
  • charts/urbanstack-shared-app/Chart.yaml (1 hunks)
  • charts/urbanstack-shared-app/ci/_common.sh (1 hunks)
  • charts/urbanstack-shared-app/ci/artifacthub-values.yaml (1 hunks)
  • charts/urbanstack-shared-app/ci/auth-values.yaml (1 hunks)
  • charts/urbanstack-shared-app/ci/cert-issuer.yaml (1 hunks)
  • charts/urbanstack-shared-app/templates/_helpers.tpl (1 hunks)
  • charts/urbanstack-shared-app/templates/deployment.yaml (1 hunks)
  • charts/urbanstack-shared-app/templates/image-pull-secret.yaml (1 hunks)
  • charts/urbanstack-shared-app/templates/ingress.yaml (1 hunks)
  • charts/urbanstack-shared-app/templates/networkpolicy.yaml (1 hunks)
  • charts/urbanstack-shared-app/templates/pvc.yaml (1 hunks)
  • charts/urbanstack-shared-app/templates/service.yaml (1 hunks)
  • charts/urbanstack-shared-app/templates/validation.yaml (1 hunks)
  • charts/urbanstack-shared-app/values.yaml (1 hunks)
✅ Files skipped from review due to trivial changes (4)
  • .github/release-please/config.json
  • charts/urbanstack-shared-app/ci/_common.sh
  • charts/urbanstack-shared-app/.helmignore
  • charts/urbanstack-shared-app/values.yaml
🚧 Files skipped from review as they are similar to previous changes (6)
  • charts/urbanstack-shared-app/ci/cert-issuer.yaml
  • charts/urbanstack-shared-app/ci/artifacthub-values.yaml
  • .github/CODEOWNERS
  • charts/urbanstack-shared-app/templates/_helpers.tpl
  • charts/urbanstack-shared-app/Chart.yaml
  • charts/urbanstack-shared-app/ci/auth-values.yaml

Learnt from: cwrau
PR: #1601
File: charts/base-cluster/templates/dns/external-dns.yaml:33-39
Timestamp: 2025-07-24T09:56:41.380Z
Learning: In the teutonet-helm-charts base-cluster chart, secret names like "external-dns" for Cloudflare provider are intentionally hard-coded. Users who need custom secret names should use Helm's valuesFrom feature to override values rather than expecting dedicated fields in values.yaml. This design keeps the values.yaml clean while still allowing full customization flexibility.

charts/urbanstack-shared-app/templates/networkpolicy.yaml (3)

Learnt from: cwrau
PR: #1601
File: charts/base-cluster/templates/dns/external-dns.yaml:33-39
Timestamp: 2025-07-24T09:56:41.380Z
Learning: In the teutonet-helm-charts base-cluster chart, secret names like "external-dns" for Cloudflare provider are intentionally hard-coded. Users who need custom secret names should use Helm's valuesFrom feature to override values rather than expecting dedicated fields in values.yaml. This design keeps the values.yaml clean while still allowing full customization flexibility.

Learnt from: cwrau
PR: #1601
File: charts/base-cluster/templates/dns/external-dns.yaml:30-32
Timestamp: 2025-07-24T09:55:53.655Z
Learning: In charts/base-cluster/templates/dns/external-dns.yaml, the dns.provider field in values.yaml has always been expected to be a map format (e.g., { cloudflare: {} }), never a string format. The template correctly uses {{ .Values.dns.provider | keys | first }} to extract the provider name from the map keys.

Learnt from: cwrau
PR: #1600
File: charts/base-cluster/templates/monitoring/kube-prometheus-stack/_alertmanager-config.yaml:55-61
Timestamp: 2025-07-24T13:42:05.473Z
Learning: In charts/base-cluster/templates/monitoring/kube-prometheus-stack/_alertmanager-config.yaml, the receiver-type parsing logic that splits keys by space and only handles exactly two tokens is intentional and matches the schema design. The schema pattern ^email($| \S+$) specifically allows "email" or "email " format, not arbitrary multi-space patterns. The current parsing implementation correctly enforces this constraint.

charts/urbanstack-shared-app/templates/pvc.yaml (1)

Learnt from: cwrau
PR: #1601
File: charts/base-cluster/templates/dns/external-dns.yaml:33-39
Timestamp: 2025-07-24T09:56:41.380Z
Learning: In the teutonet-helm-charts base-cluster chart, secret names like "external-dns" for Cloudflare provider are intentionally hard-coded. Users who need custom secret names should use Helm's valuesFrom feature to override values rather than expecting dedicated fields in values.yaml. This design keeps the values.yaml clean while still allowing full customization flexibility.

charts/urbanstack-shared-app/templates/service.yaml (2)

Learnt from: cwrau
PR: #1601
File: charts/base-cluster/templates/dns/external-dns.yaml:33-39
Timestamp: 2025-07-24T09:56:41.380Z
Learning: In the teutonet-helm-charts base-cluster chart, secret names like "external-dns" for Cloudflare provider are intentionally hard-coded. Users who need custom secret names should use Helm's valuesFrom feature to override values rather than expecting dedicated fields in values.yaml. This design keeps the values.yaml clean while still allowing full customization flexibility.

Learnt from: cwrau
PR: #1601
File: charts/base-cluster/templates/dns/external-dns.yaml:30-32
Timestamp: 2025-07-24T09:55:53.655Z
Learning: In charts/base-cluster/templates/dns/external-dns.yaml, the dns.provider field in values.yaml has always been expected to be a map format (e.g., { cloudflare: {} }), never a string format. The template correctly uses {{ .Values.dns.provider | keys | first }} to extract the provider name from the map keys.

🪛 YAMLlint (1.37.1)
charts/urbanstack-shared-app/templates/deployment.yaml

[error] 8-8: syntax error: expected the node content, but found '-'

(syntax)


[error] 102-102: trailing spaces

(trailing-spaces)

charts/urbanstack-shared-app/templates/image-pull-secret.yaml

[error] 1-1: syntax error: expected the node content, but found '-'

(syntax)

charts/urbanstack-shared-app/templates/ingress.yaml

[error] 6-6: syntax error: expected the node content, but found '-'

(syntax)

charts/urbanstack-shared-app/templates/networkpolicy.yaml

[warning] 16-16: wrong indentation: expected 2 but found 4

(indentation)


[error] 6-6: syntax error: expected the node content, but found '-'

(syntax)

charts/urbanstack-shared-app/templates/pvc.yaml

[error] 6-6: syntax error: expected the node content, but found '-'

(syntax)

charts/urbanstack-shared-app/templates/service.yaml

[error] 6-6: syntax error: expected the node content, but found '-'

(syntax)

charts/urbanstack-shared-app/templates/validation.yaml

[error] 2-2: syntax error: expected '', but found '{'

(syntax)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: check licenses
🔇 Additional comments (3)
charts/urbanstack-shared-app/templates/validation.yaml (1)

1-4: Validation guard is succinct and correct

The length check and fail message are spot-on and match the 52-char requirement.

charts/urbanstack-shared-app/templates/service.yaml (1)

1-15: Service template looks solid

Ports, selector labels and type are all consistent with the Deployment spec (assuming the container exposes a named port http).

charts/urbanstack-shared-app/templates/deployment.yaml (1)

73-74: Overwriting the reserved HOSTNAME env var can break in-container discovery

Kubernetes automatically sets HOSTNAME to the Pod’s DNS name. Redefining it may confuse libraries that rely on this variable (e.g. Java networking). Consider using a custom variable (e.g. APP_HOSTNAME) instead.

Comment thread charts/urbanstack-shared-app/templates/deployment.yaml Outdated
@ol-teuto ol-teuto force-pushed the add-urbanstack-shared-app branch from 387b63b to 3b045fd Compare July 31, 2025 08:33

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 4

♻️ Duplicate comments (2)
charts/urbanstack-shared-app/templates/networkpolicy.yaml (2)

14-19: Indentation under egress: still breaks YAML

- to: must be indented exactly two spaces deeper than egress:. The current four-space indent ({{- if …}} adds two) makes YAMLlint unhappy and renders an invalid manifest.

   egress:
 {{- if .Values.allowExternalEgress }}
-    - to: # allow external endpoints outside of the cluster
+  - to: # allow external endpoints outside of the cluster
       - ipBlock:
           cidr: 0.0.0.0/0
           except:
             - 10.0.0.0/8
             - 172.16.0.0/12
             - 192.168.0.0/16
 {{- end }}
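Review bot: the indentation fix is right, but for the reason the comment misstates: the `{{- if …}}` line contributes nothing to the rendered indent, because the leading `-` strips the whitespace before the action and Helm emits the literal lines after it exactly as written. What decides the level is the `- to:` line itself, so it must sit at the same two-space column as `egress:` shows here, with `- ipBlock:` kept at six spaces so it stays a child of `to:`. On the policy content itself: `0.0.0.0/0` minus the three RFC 1918 ranges still permits egress to link-local addresses (169.254.0.0/16, where cloud metadata services live) and to any Service or Pod CIDR that is not carved from the private ranges, so add those to `except` if the platform uses them.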

32-37: Inline matchLabels renders garbled YAML – move it to its own line

Rendering the mapping on the same line as matchLabels: concatenates keys and values. Emit matchLabels: on its own line, then indent the rendered YAML.

-            matchLabels: {{- .Values.postgres.networkPolicy.matchLabels | toYaml | nindent 14 }}
+            matchLabels:
+              {{- .Values.postgres.networkPolicy.matchLabels | toYaml | nindent 14 }}
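Review bot: the 'before' and 'after' lines render byte-identical output, so this is not a fix: `{{-` trims the single space after `matchLabels:`, and `nindent 14` emits a newline plus fourteen spaces before the first key, which is exactly what the two-line form produces. What does deserve a guard is the empty case. If `postgres.networkPolicy.matchLabels` is `{}` or unset, `toYaml` renders `{}` or `null`, and an empty selector matches every pod in scope, silently widening this egress rule to the whole database namespace. Wrap the value in `{{- with .Values.postgres.networkPolicy.matchLabels }}` or a `required` call so rendering fails instead of over-permitting.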

While touching this block, align the surrounding ports: key two spaces back so it’s on the same level as to:.

-      ports:
+    ports:
🧹 Nitpick comments (4)
charts/urbanstack-shared-app/templates/validation.yaml (1)

1-4: Clarify comment vs condition

The guard correctly fails at 53 chars (gt 52), but the comment mentions a normal limit of 53.
A more explicit comment avoids the off-by-one mental gymnastic.

-{{/* normal limit is 53, but we need 52 as the limit, because postgres usernames are limited to 64 chars */}}
+{{/* PostgreSQL usernames are limited to 64 chars. We reserve 12 chars for suffixes, therefore the Helm
+     release name must be ≤ 52 chars. */}}
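Review bot: the replacement comment carries over the '64 chars' figure, but PostgreSQL's default `NAMEDATALEN` is 64, which leaves 63 usable bytes per identifier, and over-long names are silently truncated rather than rejected, so two releases whose names differ only past the cut would end up on the same role. State the limit as 63, verify that 52 plus the suffix the platform actually appends still fits under it, and name that suffix in the comment instead of the back-derived '12 chars'.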
charts/urbanstack-shared-app/templates/pvc.yaml (1)

6-11: Make storage class & access mode configurable

Hard-coding ReadWriteOnce and leaving the storageClassName implicit prevents
clusters that rely on a non-default class, or that need ReadWriteMany, from
re-using this chart as-is.

-spec:
-  accessModes:
-    - ReadWriteOnce
+spec:
+  {{- if .Values.storage.accessModes }}
+  accessModes: {{ toYaml .Values.storage.accessModes | nindent 4 }}
+  {{- else }}
+  accessModes:
+    - ReadWriteOnce
+  {{- end }}
+
+  {{- if .Values.storage.storageClassName }}
+  storageClassName: {{ .Values.storage.storageClassName | quote }}
+  {{- end }}
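Review bot: the `{{- if .Values.storage.storageClassName }}` guard makes `storageClassName: ""` impossible to express, and the empty string has its own meaning in Kubernetes (disable dynamic provisioning, bind only to a pre-provisioned PV), whereas omitting the key means 'use the default class'. Since this chart is meant to have most values set by the platform, either document that only the default class is supported or test with `hasKey .Values.storage "storageClassName"` rather than truthiness. The `accessModes: {{ toYaml … | nindent 4 }}` form renders a valid list, but `ReadWriteMany` only works on a class that supports it, so an enum on `storage.accessModes` in the schema would catch mistakes before the PVC sits in Pending.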

Add the corresponding defaults to values.yaml:

storage:
  size: 8Gi
  # storageClassName: gp2
  # accessModes:
  #   - ReadWriteOnce
charts/urbanstack-shared-app/templates/service.yaml (1)

6-13: Expose service type & ports via values for reuse

Locking the chart to ClusterIP/80 restricts legitimate scenarios (NodePort,
LoadBalancer, GRPC non-80, etc.). Parameterising these two knobs keeps the
chart flexible without breaking defaults.

-spec:
-  type: ClusterIP
+spec:
+  type: {{ default "ClusterIP" .Values.service.type }}
   ports:
-    - port: 80
-      targetPort: http
+    - port: {{ default 80 .Values.service.port }}
+      targetPort: {{ default "http" .Values.service.targetPort }}
       protocol: TCP
       name: http
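Review bot: `.Values.service.type` fails with 'nil pointer evaluating interface {}.type' whenever `service` is absent or null, and the accompanying values.yaml snippet (`service:` with only commented-out children) yields exactly null. Either give `service` concrete defaults (`type: ClusterIP`, `port: 80`, `targetPort: http`) instead of comments, or read the keys with `dig "service" "type" "ClusterIP" .Values.AsMap`, which tolerates the missing map. I would also keep `targetPort` tied to the container port name declared in the Deployment rather than free-form: a values override pointing the Service at a port the container does not expose fails at runtime, not at lint time.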

Add to values.yaml:

service:
  # type: NodePort | LoadBalancer | ClusterIP
  # port: 80
  # targetPort: http
charts/urbanstack-shared-app/templates/deployment.yaml (1)

99-99: Remove trailing whitespace

Line 99 contains only spaces – fails yamllint trailing-spaces rule.

-      
+
📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 387b63b and 3b045fd.

📒 Files selected for processing (17)
  • .github/CODEOWNERS (1 hunks)
  • .github/release-please/config.json (1 hunks)
  • charts/urbanstack-shared-app/.helmignore (1 hunks)
  • charts/urbanstack-shared-app/Chart.yaml (1 hunks)
  • charts/urbanstack-shared-app/ci/_common.sh (1 hunks)
  • charts/urbanstack-shared-app/ci/artifacthub-values.yaml (1 hunks)
  • charts/urbanstack-shared-app/ci/auth-values.yaml (1 hunks)
  • charts/urbanstack-shared-app/ci/cert-issuer.yaml (1 hunks)
  • charts/urbanstack-shared-app/templates/_helpers.tpl (1 hunks)
  • charts/urbanstack-shared-app/templates/deployment.yaml (1 hunks)
  • charts/urbanstack-shared-app/templates/image-pull-secret.yaml (1 hunks)
  • charts/urbanstack-shared-app/templates/ingress.yaml (1 hunks)
  • charts/urbanstack-shared-app/templates/networkpolicy.yaml (1 hunks)
  • charts/urbanstack-shared-app/templates/pvc.yaml (1 hunks)
  • charts/urbanstack-shared-app/templates/service.yaml (1 hunks)
  • charts/urbanstack-shared-app/templates/validation.yaml (1 hunks)
  • charts/urbanstack-shared-app/values.yaml (1 hunks)
✅ Files skipped from review due to trivial changes (5)
  • .github/release-please/config.json
  • charts/urbanstack-shared-app/ci/_common.sh
  • charts/urbanstack-shared-app/values.yaml
  • charts/urbanstack-shared-app/.helmignore
  • charts/urbanstack-shared-app/templates/_helpers.tpl
🚧 Files skipped from review as they are similar to previous changes (5)
  • charts/urbanstack-shared-app/ci/artifacthub-values.yaml
  • charts/urbanstack-shared-app/ci/cert-issuer.yaml
  • charts/urbanstack-shared-app/Chart.yaml
  • .github/CODEOWNERS
  • charts/urbanstack-shared-app/ci/auth-values.yaml
🪛 YAMLlint (1.37.1)
charts/urbanstack-shared-app/templates/deployment.yaml

[warning] 19-19: wrong indentation: expected 4 but found 6

(indentation)


[error] 99-99: trailing spaces

(trailing-spaces)


[error] 7-7: syntax error: expected the node content, but found '-'

(syntax)

charts/urbanstack-shared-app/templates/image-pull-secret.yaml

[error] 1-1: syntax error: expected the node content, but found '-'

(syntax)

charts/urbanstack-shared-app/templates/ingress.yaml

[error] 5-5: syntax error: expected the node content, but found '-'

(syntax)

charts/urbanstack-shared-app/templates/networkpolicy.yaml

[warning] 15-15: wrong indentation: expected 2 but found 4

(indentation)


[error] 5-5: syntax error: expected the node content, but found '-'

(syntax)

charts/urbanstack-shared-app/templates/pvc.yaml

[error] 5-5: syntax error: expected the node content, but found '-'

(syntax)

charts/urbanstack-shared-app/templates/service.yaml

[error] 5-5: syntax error: expected the node content, but found '-'

(syntax)

charts/urbanstack-shared-app/templates/validation.yaml

[error] 2-2: syntax error: expected '', but found '{'

(syntax)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: check licenses
🔇 Additional comments (1)
charts/urbanstack-shared-app/templates/networkpolicy.yaml (1)

4-5: Helper prefix fixed – thanks for aligning with chart name

The switch to urbanstack-shared-app.* helpers removes the previous namespace-collision risk and improves operator UX. ✅

Comment thread charts/urbanstack-shared-app/templates/deployment.yaml
Comment thread charts/urbanstack-shared-app/templates/image-pull-secret.yaml
Comment thread charts/urbanstack-shared-app/templates/ingress.yaml
Comment thread charts/urbanstack-shared-app/templates/networkpolicy.yaml
Comment thread charts/urbanstack-shared-app/values.yaml
Comment thread charts/urbanstack-shared-app/ci/no-auth-values.yaml Outdated
@ol-teuto ol-teuto force-pushed the add-urbanstack-shared-app branch from 3b045fd to 4a2fbba Compare July 31, 2025 09:17
@ol-teuto ol-teuto force-pushed the add-urbanstack-shared-app branch from 4a2fbba to ec56d3f Compare July 31, 2025 09:21
Comment thread charts/urbanstack-shared-app/templates/networkpolicy.yaml
Comment on lines +38 to +50
  - to: # allow using nginx proxy to call other services
      - podSelector:
          matchLabels:
            app.kubernetes.io/instance: ingress-nginx
            app.kubernetes.io/name: ingress-nginx
        namespaceSelector:
          matchLabels:
            kubernetes.io/metadata.name: ingress-nginx
    ports:
      - protocol: TCP
        port: 80
      - protocol: TCP
        port: 443
Member


Are you sure this works?

So the application (hardcoded) calls the ingress-nginx but with a different Host header / SNI so (hardcoded) nginx proxies it correctly?

Member Author


I think it should work; nginx has to handle the Host header in normal scenarios too. This is also only needed for local testing, so I could add an option to enable/disable this.

Comment on lines +15 to +24
{{/*
Common labels
*/}}
{{- define "urbanstack-shared-app.labels" -}}
helm.sh/chart: {{ include "urbanstack-shared-app.chart" . | quote }}
tenant: {{ .Values.tenant | quote }}
citytool: {{ .Values.citytool | quote }}
{{ include "urbanstack-shared-app.selectorLabels" . }}
app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
{{- end }}
Member


Member Author


Is it really worth it to pull in a dependency for this?

Member


Definitely, if the best-practices labels someday change, this chart doesn't have to be adjusted.

And with this dependency you can, and should, also use https://artifacthub.io/packages/helm/bitnami/common#names, https://artifacthub.io/packages/helm/bitnami/common#images, https://artifacthub.io/packages/helm/bitnami/common#ingress, and all the other nice templates.

Essentially, the _helpers.tpl should be empty, as all of the templates are already covered by the common chart

Member Author


I updated the MR to include the common chart where it makes sense

Comment on lines +26 to +8
{{/*
Selector labels
*/}}
{{- define "urbanstack-shared-app.selectorLabels" -}}
app.kubernetes.io/name: {{ include "urbanstack-shared-app.name" . | quote }}
app.kubernetes.io/instance: {{ .Release.Name | quote }}
{{- end }}
Member


Comment thread charts/urbanstack-shared-app/values.yaml Outdated

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 9

♻️ Duplicate comments (4)
charts/urbanstack-shared-app/templates/image-pull-secret.yaml (1)

8-9: Extend .dockerconfigjson for wider registry compatibility

Add explicit username & password keys alongside auth.

-  .dockerconfigjson: {{ dict "auths" (dict .Values.image.registry (dict "auth" (printf "%s:%s" .Values.registryAuth.username .Values.registryAuth.password | b64enc))) | toJson | quote }}
+  .dockerconfigjson: {{ dict "auths" (dict .Values.image.registry (dict
+        "username" .Values.registryAuth.username
+        "password" .Values.registryAuth.password
+        "auth"     (printf "%s:%s" .Values.registryAuth.username .Values.registryAuth.password | b64enc))) | toJson | quote }}
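Review bot: the multi-line `dict` inside one action is legal template syntax, so this renders, but it does not buy the compatibility the comment promises: the `auth` field is what kubelet and registries consume, and adding `username`/`password` just duplicates the credential pair in plaintext beside the base64 `auth`, so anything that exports or diffs the Secret now carries it twice. The correctness issue worth fixing is the map key: kubelet matches credentials by the registry host of the image reference, so `.Values.image.registry` must equal that host exactly, port included, or the pull silently falls back to anonymous; a `required` call or a pattern on `image.registry` in values.schema.json would catch the empty and mismatched cases.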
charts/urbanstack-shared-app/templates/networkpolicy.yaml (2)

34-34: matchLabels inline rendering issue (same as previous review)

The helper already returns a newline. Keeping it on the same line risks broken YAML—place it on its own line.

-            matchLabels: {{- .Values.postgres.networkPolicy.matchLabels | toYaml | nindent 14 }}
+            matchLabels:
+              {{- .Values.postgres.networkPolicy.matchLabels | toYaml | nindent 14 }}
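Review bot: same as on the previous round, the two forms render identical bytes because `{{-` already trims the space and `nindent` starts with a newline, so the helper's trailing newline is not the problem. The outstanding risk is still the empty map: `{}` or `null` here selects every pod in scope, so guard with `with` or `required` rather than re-indenting.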

24-26: namespaceSelector still nested under podSelector – move two spaces left

namespaceSelector: must be a sibling of podSelector:. Current 10-space indent keeps it nested and invalidates the selector block.

-          namespaceSelector:
-            matchLabels:
-              kubernetes.io/metadata.name: kube-system
+        namespaceSelector:
+          matchLabels:
+            kubernetes.io/metadata.name: kube-system
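Review bot: agreed on the fix, and the failure mode is worth stating because it is fail-closed, not fail-open: nested under `podSelector`, `namespaceSelector` is an unknown field, so an API server with strict field validation rejects the manifest and an older one prunes it, leaving a `podSelector` that matches only pods in the release's own namespace; traffic to kube-system (typically DNS) is then blocked and the app breaks rather than being over-permitted. Piping `helm template …` into `kubectl apply --dry-run=server -f -` in CI would surface this class of error before rollout, which raw yamllint on the templates cannot.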
charts/urbanstack-shared-app/templates/deployment.yaml (1)

18-21: imagePullSecrets block still mis-indented (previous feedback not applied)

Keys under template.spec require 8-space indentation. Rendered YAML now has 6 spaces, breaking the document.

-      {{- if and .Values.registryAuth.username .Values.registryAuth.password }}
-      imagePullSecrets:
-        - name: {{ printf "pullsecret-%s" .Release.Name | quote }}
-      {{- end }}
+      {{- if and .Values.registryAuth.username .Values.registryAuth.password }}
+        imagePullSecrets:
+          - name: {{ printf "pullsecret-%s" .Release.Name | quote }}
+      {{- end }}
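Review bot: the hunk alone cannot confirm the eight-space claim. The `{{- if`/`{{- end }}` lines' own indentation is irrelevant since the leading `-` strips it, so only the two literal lines matter, and whether eight is right depends on where `containers:` sits in the same `template.spec`, which is outside this hunk. A form that is correct regardless of surrounding indentation is `{{- with … }}` plus `nindent`, e.g. `imagePullSecrets: {{ list (dict "name" (printf "pullsecret-%s" .Release.Name)) | toYaml | nindent 8 }}`, and the rendered output should be checked with `helm template` piped through yamllint in CI, which is what the linter in this review never sees because it reads the raw template.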
🧹 Nitpick comments (1)
charts/urbanstack-shared-app/templates/deployment.yaml (1)

99-99: Remove trailing spaces

There is dangling whitespace on the blank line; fails strict linters.

-      
+
📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 3b045fd and ec56d3f.

📒 Files selected for processing (18)
  • .github/CODEOWNERS (1 hunks)
  • .github/release-please/config.json (1 hunks)
  • charts/urbanstack-shared-app/.helmignore (1 hunks)
  • charts/urbanstack-shared-app/Chart.yaml (1 hunks)
  • charts/urbanstack-shared-app/ci/_common.sh (1 hunks)
  • charts/urbanstack-shared-app/ci/artifacthub-values.yaml (1 hunks)
  • charts/urbanstack-shared-app/ci/auth-values.yaml (1 hunks)
  • charts/urbanstack-shared-app/ci/cert-issuer.yaml (1 hunks)
  • charts/urbanstack-shared-app/templates/_helpers.tpl (1 hunks)
  • charts/urbanstack-shared-app/templates/deployment.yaml (1 hunks)
  • charts/urbanstack-shared-app/templates/image-pull-secret.yaml (1 hunks)
  • charts/urbanstack-shared-app/templates/ingress.yaml (1 hunks)
  • charts/urbanstack-shared-app/templates/networkpolicy.yaml (1 hunks)
  • charts/urbanstack-shared-app/templates/pvc.yaml (1 hunks)
  • charts/urbanstack-shared-app/templates/service.yaml (1 hunks)
  • charts/urbanstack-shared-app/templates/validation.yaml (1 hunks)
  • charts/urbanstack-shared-app/values.schema.json (1 hunks)
  • charts/urbanstack-shared-app/values.yaml (1 hunks)
✅ Files skipped from review due to trivial changes (6)
  • .github/release-please/config.json
  • charts/urbanstack-shared-app/values.schema.json
  • charts/urbanstack-shared-app/.helmignore
  • charts/urbanstack-shared-app/ci/_common.sh
  • charts/urbanstack-shared-app/values.yaml
  • charts/urbanstack-shared-app/templates/_helpers.tpl
🚧 Files skipped from review as they are similar to previous changes (5)
  • .github/CODEOWNERS
  • charts/urbanstack-shared-app/ci/auth-values.yaml
  • charts/urbanstack-shared-app/ci/artifacthub-values.yaml
  • charts/urbanstack-shared-app/Chart.yaml
  • charts/urbanstack-shared-app/ci/cert-issuer.yaml
🧰 Additional context used
🧠 Learnings (7)
📓 Common learnings
Learnt from: cwrau
PR: teutonet/teutonet-helm-charts#1602
File: charts/base-cluster/templates/monitoring/kube-prometheus-stack/oauth-proxy.yaml:38-40
Timestamp: 2025-07-24T09:49:40.961Z
Learning: Official Helm charts like oauth2-proxy manage image versioning automatically through their Chart.yaml appVersion field, making manual tag pinning in consumer values unnecessary and potentially harmful. The chart version itself provides reproducibility by ensuring the correct image tag is used.
Learnt from: cwrau
PR: teutonet/teutonet-helm-charts#1604
File: charts/base-cluster/templates/monitoring/metrics-server/metrics-server.yaml:20-21
Timestamp: 2025-07-24T09:41:28.072Z
Learning: The official kubernetes-sigs/metrics-server Helm chart pins the image tag to a specific version in its values.yaml by default, ensuring reproducible deployments without requiring explicit tag specification in consuming charts.
Learnt from: cwrau
PR: teutonet/teutonet-helm-charts#1601
File: charts/base-cluster/templates/dns/external-dns.yaml:33-39
Timestamp: 2025-07-24T09:56:41.380Z
Learning: In the teutonet-helm-charts base-cluster chart, secret names like "external-dns" for Cloudflare provider are intentionally hard-coded. Users who need custom secret names should use Helm's `valuesFrom` feature to override values rather than expecting dedicated fields in values.yaml. This design keeps the values.yaml clean while still allowing full customization flexibility.
Learnt from: cwrau
PR: teutonet/teutonet-helm-charts#1604
File: charts/base-cluster/templates/monitoring/metrics-server/metrics-server.yaml:20-21
Timestamp: 2025-07-24T09:41:28.072Z
Learning: The kubernetes-sigs/metrics-server Helm chart uses `v{{ .Chart.AppVersion }}` as the default image tag when `image.tag` is empty, which provides pinned versioning through the chart's AppVersion rather than using floating tags like "latest".
charts/urbanstack-shared-app/templates/deployment.yaml (3)

  • cwrau, PR #1604, charts/base-cluster/templates/monitoring/metrics-server/metrics-server.yaml:20-21, 2025-07-24T09:41:28.072Z: the metrics-server learning listed under Common learnings (the official chart pins the image tag in its values.yaml).
  • cwrau, PR #1601, charts/base-cluster/templates/dns/external-dns.yaml:33-39, 2025-07-24T09:56:41.380Z: the external-dns learning listed under Common learnings (secret names such as "external-dns" are intentionally hard-coded; override with valuesFrom).
  • cwrau, PR #1601, charts/base-cluster/templates/dns/external-dns.yaml:30-32, 2025-07-24T09:55:53.655Z
    Learning: In charts/base-cluster/templates/dns/external-dns.yaml, the dns.provider field in values.yaml has always been expected to be a map format (e.g., { cloudflare: {} }), never a string format. The template correctly uses {{ .Values.dns.provider | keys | first }} to extract the provider name from the map keys.

charts/urbanstack-shared-app/templates/image-pull-secret.yaml (2)

  • the two external-dns learnings above (PR #1601, lines 33-39 and 30-32).

charts/urbanstack-shared-app/templates/ingress.yaml (2)

  • the two external-dns learnings above (PR #1601, lines 33-39 and 30-32).

charts/urbanstack-shared-app/templates/networkpolicy.yaml (3)

  • the two external-dns learnings above (PR #1601, lines 33-39 and 30-32).
  • cwrau, PR #1600, charts/base-cluster/templates/monitoring/kube-prometheus-stack/_alertmanager-config.yaml:55-61, 2025-07-24T13:42:05.473Z
    Learning: In charts/base-cluster/templates/monitoring/kube-prometheus-stack/_alertmanager-config.yaml, the receiver-type parsing logic that splits keys by space and only handles exactly two tokens is intentional and matches the schema design. The schema pattern ^email($| \S+$) specifically allows "email" or "email " format, not arbitrary multi-space patterns. The current parsing implementation correctly enforces this constraint.

charts/urbanstack-shared-app/templates/pvc.yaml (1)

  • the external-dns secret-name learning above (PR #1601, lines 33-39).

charts/urbanstack-shared-app/templates/service.yaml (2)

  • the two external-dns learnings above (PR #1601, lines 33-39 and 30-32).

🪛 YAMLlint (1.37.1)
charts/urbanstack-shared-app/templates/deployment.yaml

[warning] 19-19: wrong indentation: expected 4 but found 6

(indentation)


[error] 99-99: trailing spaces

(trailing-spaces)


[error] 7-7: syntax error: expected the node content, but found '-'

(syntax)

charts/urbanstack-shared-app/templates/image-pull-secret.yaml

[error] 1-1: syntax error: expected the node content, but found '-'

(syntax)

charts/urbanstack-shared-app/templates/ingress.yaml

[error] 5-5: syntax error: expected the node content, but found '-'

(syntax)

charts/urbanstack-shared-app/templates/networkpolicy.yaml

[warning] 15-15: wrong indentation: expected 2 but found 4

(indentation)


[error] 5-5: syntax error: expected the node content, but found '-'

(syntax)

charts/urbanstack-shared-app/templates/pvc.yaml

[error] 5-5: syntax error: expected the node content, but found '-'

(syntax)

charts/urbanstack-shared-app/templates/service.yaml

[error] 5-5: syntax error: expected the node content, but found '-'

(syntax)

charts/urbanstack-shared-app/templates/validation.yaml

[error] 2-2: syntax error: expected '<document start>', but found '{'

(syntax)

🪛 GitHub Actions: Lint Helm Charts
charts/urbanstack-shared-app/templates/deployment.yaml

[error] 1-1: Helm lint error: 'postgres' contains additional property 'matchLabels' which is not allowed; 'registryAuth' missing required fields 'username' and 'password'.

charts/urbanstack-shared-app/templates/image-pull-secret.yaml

[error] 1-1: Helm lint error: 'postgres' contains additional property 'matchLabels' which is not allowed; 'registryAuth' missing required fields 'username' and 'password'.

charts/urbanstack-shared-app/templates/ingress.yaml

[error] 1-1: Helm lint error: 'postgres' contains additional property 'matchLabels' which is not allowed; 'registryAuth' missing required fields 'username' and 'password'.

charts/urbanstack-shared-app/templates/networkpolicy.yaml

[error] 1-1: Helm lint error: 'postgres' contains additional property 'matchLabels' which is not allowed; 'registryAuth' missing required fields 'username' and 'password'.

charts/urbanstack-shared-app/templates/pvc.yaml

[error] 1-1: Helm lint error: 'postgres' contains additional property 'matchLabels' which is not allowed; 'registryAuth' missing required fields 'username' and 'password'.

charts/urbanstack-shared-app/templates/service.yaml

[error] 1-1: Helm lint error: 'postgres' contains additional property 'matchLabels' which is not allowed; 'registryAuth' missing required fields 'username' and 'password'.

charts/urbanstack-shared-app/templates/validation.yaml

[error] 1-1: Helm lint error: 'postgres' contains additional property 'matchLabels' which is not allowed; 'registryAuth' missing required fields 'username' and 'password'.

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: check licenses

name: {{ .Release.Name | quote }}
annotations:
contact: {{ .Values.contact | quote }}
labels: {{- include "urbanstack-shared-app.labels" . | nindent 4 }}

⚠️ Potential issue

Move helper output to next line for metadata.labels

Inline helper usage causes the “expected node content, but found ‘-’” syntax error.

-  labels: {{- include "urbanstack-shared-app.labels" . | nindent 4 }}
+  labels:
+    {{- include "urbanstack-shared-app.labels" . | nindent 4 }}
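Review bot: this change only silences yamllint; it does not change what Helm renders, so the "causes the syntax error" framing needs qualifying in the commit. `{{-` removes all whitespace before the action (the space after `labels:` in the original, the newline and four spaces in the proposed form) and `nindent 4` emits a newline followed by the indented map, so both spellings produce identical output. The "expected the node content, but found '-'" error is yamllint reading the unrendered template, where `{{` opens a flow mapping and `-` is illegal inside it. Accept it as a linter accommodation, and verify with `helm template . | yamllint -` that the rendered manifests are clean; the Helm lint errors in the CI log above are values-schema failures on `postgres` and `registryAuth`, not this line.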
🤖 Prompt for AI Agents
In charts/urbanstack-shared-app/templates/deployment.yaml at line 7, the inline
usage of the helper for metadata.labels causes a YAML syntax error due to the
leading dash. To fix this, move the helper output to the next line and properly
indent it so that the labels are correctly parsed as a YAML map, avoiding the
syntax error.

Comment on lines +4 to +7
metadata:
name: {{ printf "pullsecret-%s" .Release.Name | quote }}
labels: {{- include "urbanstack-shared-app.labels" . | nindent 4 }}
type: kubernetes.io/dockerconfigjson

⚠️ Potential issue

labels needs its own block

-  labels: {{- include "urbanstack-shared-app.labels" . | nindent 4 }}
+  labels:
+    {{- include "urbanstack-shared-app.labels" . | nindent 4 }}
🤖 Prompt for AI Agents
In charts/urbanstack-shared-app/templates/image-pull-secret.yaml around lines 4
to 7, the labels field is incorrectly formatted inline and needs to be its own
YAML block. Change the labels line so that it starts a new block with proper
indentation, placing the included labels content on the next indented line to
ensure valid YAML structure.
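An added example, not part of the chart or of the review, for the `kubernetes.io/dockerconfigjson` Secret this template produces (the question of `auth` alone versus added `username`/`password` fields comes up again in the second review round): it builds the payload the way the template does, registry key mapped to `{"auth": base64("user:password")}`, and then consumes it the way a pull does, decoding `auth` and matching the registry key against an image reference. Ruby keeps the page's examples in one language; the registry hosts, image names and credentials are constructed values.

```ruby
require "json"

# Added example (not from the chart or the PR). Builds the .dockerconfigjson
# payload the way the chart's template does, then consumes it the way
# kubelet/containerd do, to show what the `auth` field alone provides and how
# registry keys are matched against image references. All hosts and
# credentials below are constructed for the demonstration.

# Strict (no line breaks) base64 via pack/unpack; avoids the base64 gem.
def b64_encode(s)
  [s].pack("m0")
end

def b64_decode(s)
  s.unpack1("m0")
end

# include_plain adds the redundant plaintext username/password keys that the
# review proposes; consumers do not need them, they only duplicate the secret.
def docker_config_json(registry, username, password, include_plain: false)
  entry = { "auth" => b64_encode("#{username}:#{password}") }
  if include_plain
    entry["username"] = username
    entry["password"] = password
  end
  JSON.generate({ "auths" => { registry => entry } })
end

# Registry keys may be written as bare hosts or as URLs such as
# https://index.docker.io/v1/; compare on the host only, treating docker.io
# and index.docker.io as the same registry.
def normalize_registry(key)
  host = key.sub(%r{\Ahttps?://}, "").sub(%r{/.*\z}, "")
  host == "docker.io" ? "index.docker.io" : host
end

# Registry component of an image reference, following the Docker rule: the
# first path segment is a registry only if it contains '.' or ':' or is
# "localhost"; otherwise the image lives on Docker Hub.
def registry_of(image_ref)
  first, rest = image_ref.split("/", 2)
  return "index.docker.io" if rest.nil?
  looks_like_host = first.include?(".") || first.include?(":") || first == "localhost"
  looks_like_host ? normalize_registry(first) : "index.docker.io"
end

# What a pull does with the Secret: find the matching auths entry, decode
# `auth`, split on the first ':' (passwords may contain colons).
# Returns nil when no entry matches, i.e. the pull would go unauthenticated.
def credentials_for(dockerconfigjson, image_ref)
  auths = JSON.parse(dockerconfigjson).fetch("auths")
  wanted = registry_of(image_ref)
  match = auths.find { |key, _| normalize_registry(key) == wanted }
  return nil unless match
  user, pass = b64_decode(match.last.fetch("auth")).split(":", 2)
  { username: user, password: pass }
end

if __FILE__ == $PROGRAM_NAME
  cfg = docker_config_json("registry.example.invalid", "deploy", "s3cr3t:with:colons")
  puts cfg
  p credentials_for(cfg, "registry.example.invalid/team/app:1.2.3")
  p credentials_for(cfg, "other.example.invalid/app:1")
end
```

The lookup never reads `username` or `password`; a mismatched registry key is the realistic failure, and it is silent: the pull simply runs anonymously and fails at the registry, which is why the key used in `dict .Values.image.registry` deserves a check against the registry actually present in the image reference.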

Comment on lines +4 to +6
name: {{ .Release.Name | quote }}
labels: {{- include "urbanstack-shared-app.labels" . | nindent 4 }}
annotations:

⚠️ Potential issue

Inline labels causes malformed manifest

Same issue as in pvc.yaml – move the helper to the next indented line.

-  labels: {{- include "urbanstack-shared-app.labels" . | nindent 4 }}
+  labels:
+    {{- include "urbanstack-shared-app.labels" . | nindent 4 }}
🤖 Prompt for AI Agents
In charts/urbanstack-shared-app/templates/ingress.yaml around lines 4 to 6, the
labels field is rendered inline, causing a malformed manifest. To fix this, move
the labels helper invocation to its own line and indent it properly so that the
labels are rendered as a nested map under the labels key, ensuring correct YAML
structure.

Comment on lines +23 to +26
tls:
- hosts:
- {{ .Values.host | quote }}
secretName: {{ printf "%s-tls" .Values.host | quote }}

⚠️ Potential issue

Bad indentation under tls: – will be rejected by API server

List items must be indented beneath tls:. Fix:

-  tls:
-  - hosts:
-    - {{ .Values.host | quote }}
-    secretName: {{ printf "%s-tls" .Values.host | quote }}
+  tls:
+    - hosts:
+        - {{ .Values.host | quote }}
+      secretName: {{ printf "%s-tls" .Values.host | quote }}
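Review bot: the "will be rejected by API server" justification is wrong; both layouts are valid YAML and load to the same object. A block sequence may start at the column of its parent key (an indentless sequence, the form `kubectl get -o yaml` itself prints), and `secretName:` at the column of `hosts:` is a sibling key inside the same list item, not a stray key. Take the re-indent as a style change for consistency with the repo's other charts, and confirm equivalence by diffing `helm template` output before and after; the diff should be whitespace only.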
🤖 Prompt for AI Agents
In charts/urbanstack-shared-app/templates/ingress.yaml around lines 23 to 26,
the list items under the tls key are not properly indented, which will cause
rejection by the API server. Adjust the indentation so that the dash and its
nested keys (hosts and secretName) are indented one level further under tls,
ensuring proper YAML list structure.

Comment on lines +4 to +6
name: {{ .Release.Name | quote }}
labels: {{- include "urbanstack-shared-app.labels" . | nindent 4 }}
spec:

⚠️ Potential issue

Fix metadata.labels – inline helper breaks YAML parsing

labels: must end the line and the helper output must start on the next line.
Current rendering produces the “expected node content, but found ‘-’” error reported by yamllint & Helm-lint.

-  labels: {{- include "urbanstack-shared-app.labels" . | nindent 4 }}
+  labels:
+    {{- include "urbanstack-shared-app.labels" . | nindent 4 }}
🤖 Prompt for AI Agents
In charts/urbanstack-shared-app/templates/networkpolicy.yaml around lines 4 to
6, the metadata.labels field is incorrectly formatted causing YAML parsing
errors. Modify the labels line so that it ends immediately after the colon, and
place the output of the inline helper on the following indented line. This
ensures proper YAML structure and resolves the "expected node content, but found
'-'" linting errors.

Comment on lines +4 to +5
name: {{ .Release.Name | quote }}
labels: {{- include "urbanstack-shared-app.labels" . | nindent 4 }}

⚠️ Potential issue

labels rendered on same line – breaks YAML

The current output collapses into labels: app.kubernetes.io/name: …, which is invalid.

-  labels: {{- include "urbanstack-shared-app.labels" . | nindent 4 }}
+  labels:
+    {{- include "urbanstack-shared-app.labels" . | nindent 4 }}
🤖 Prompt for AI Agents
In charts/urbanstack-shared-app/templates/pvc.yaml around lines 4 to 5, the
labels field is rendered on the same line as the key, causing invalid YAML
output. To fix this, ensure the labels block is properly indented and rendered
on a new line by removing the inline dash after labels and using correct
indentation so that the labels map appears as a nested block under the labels
key.

Comment on lines +4 to +6
name: {{ .Release.Name | quote }}
labels: {{- include "urbanstack-shared-app.labels" . | nindent 4 }}
spec:

⚠️ Potential issue

Invalid YAML due to inline labels

-  labels: {{- include "urbanstack-shared-app.labels" . | nindent 4 }}
+  labels:
+    {{- include "urbanstack-shared-app.labels" . | nindent 4 }}
🤖 Prompt for AI Agents
In charts/urbanstack-shared-app/templates/service.yaml around lines 4 to 6, the
labels field is incorrectly formatted as an inline value, causing invalid YAML.
Change the labels field to be a proper YAML mapping by placing the include
statement on the next line and indenting it correctly under labels, ensuring
valid YAML structure.
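An added example, not code from the chart or from the PR, covering the `labels:` threads above and the `tls:` indentation thread: it emulates the two Helm/Sprig behaviours at stake (`{{-` trims the whitespace before an action, `nindent` prepends a newline and indents every line) and then checks the rendered text, together with the competing indentation styles, with a real YAML parser. Ruby is used because its standard library ships a YAML parser, so this runs offline without Helm; the label set, the hostname and the `nindent` emulation are assumptions standing in for the chart's helper and values.

```ruby
require "yaml"

# Added example (not from the chart or the PR): emulates the two Helm/Sprig
# behaviours that decide how `labels: {{- include ... | nindent 4 }}` renders,
# then checks the result, and the YAML layouts discussed in the review, with a
# real YAML parser instead of a linter run over the unrendered template.

# Sprig `indent`: pad every line; `nindent`: the same with a leading newline.
def indent(n, text)
  pad = " " * n
  pad + text.gsub("\n", "\n" + pad)
end

def nindent(n, text)
  "\n" + indent(n, text)
end

# Emulates `BEFORE{{- value | nindent n }}`: the "-" in "{{-" removes all
# whitespace (spaces and newlines) preceding the action, then the nindent
# output is appended.
def render_trimmed_action(before, value, n)
  before.rstrip + nindent(n, value)
end

# Constructed stand-in for what the chart's "urbanstack-shared-app.labels"
# helper returns (assumption: two standard labels, no trailing newline).
LABELS = "app.kubernetes.io/name: urbanstack-shared-app\n" \
         "app.kubernetes.io/instance: demo"

# :inline is the form in the PR, :block the form the review proposes.
def rendered_metadata(form)
  before = case form
           when :inline then "metadata:\n  name: demo\n  labels: "
           when :block  then "metadata:\n  name: demo\n  labels:\n    "
           else raise ArgumentError, form.to_s
           end
  YAML.safe_load(render_trimmed_action(before, LABELS, 4))
end

# The unrendered template line that yamllint sees: "{{" opens a flow mapping
# and a "- " entry is illegal inside it, hence "expected the node content".
def raw_template_parses?
  YAML.safe_load('labels: {{- include "urbanstack-shared-app.labels" . | nindent 4 }}')
  true
rescue Psych::SyntaxError
  false
end

# Ingress tls block as written in the PR (indentless sequence) versus the
# re-indented version from the review; hostname is constructed.
TLS_INDENTLESS = <<~YAML
  spec:
    tls:
    - hosts:
      - app.example.invalid
      secretName: app.example.invalid-tls
YAML

TLS_INDENTED = <<~YAML
  spec:
    tls:
      - hosts:
          - app.example.invalid
        secretName: app.example.invalid-tls
YAML

def tls_forms_equivalent?
  YAML.safe_load(TLS_INDENTLESS) == YAML.safe_load(TLS_INDENTED)
end

# What does break a list: items of one sequence at different columns, which
# is the failure mode if only some `{{- if }}` branches of `egress:` get
# re-indented.
EGRESS_MIXED = <<~YAML
  egress:
      - to: []
    - to: []
YAML

def mixed_indent_is_error?
  YAML.safe_load(EGRESS_MIXED)
  false
rescue Psych::SyntaxError
  true
end

if __FILE__ == $PROGRAM_NAME
  puts(rendered_metadata(:inline) == rendered_metadata(:block) ? "inline == block" : "forms differ")
  puts "raw template parses: #{raw_template_parses?}"
  puts "tls forms equivalent: #{tls_forms_equivalent?}"
  puts "mixed egress indent is a syntax error: #{mixed_indent_is_error?}"
end
```

Run it with `ruby`: the two label spellings render to identical text, the unrendered template line is the only thing the parser rejects, both `tls:` layouts load to the same object, and a list whose items sit at different columns is the one case that fails. The check that matters for the chart is therefore `helm template . | yamllint -` (or `helm lint`), not yamllint over `templates/`.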

Comment on lines +1 to +4
{{/* normal limit is 53, but we need 52 as the limit, because postgres usernames are limited to 64 chars */}}
{{- if gt (.Release.Name | len) 52 -}}
{{ fail "Release.Name max length is 52!" }}
{{- end -}}

🛠️ Refactor suggestion

Rename or silence the file – current .yaml is not valid YAML

The template contains only Helm logic, yet the .yaml suffix makes YAML-lint parse it and fail (expected '<document start>').
Either rename the file to validation.tpl / _validation.tpl or keep the name but add a pragma to disable linting:

+# yamllint disable-file
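Review bot: the pragma is the safer of the two options and should be preferred over the rename. A leading `# ...` line passes through rendering as a YAML comment, so the file still renders to an empty manifest and Helm skips it as it does now, while yamllint only honours `# yamllint disable-file` on the very first line, so it has to sit above the `{{/* ... */}}` comment, as shown. Renaming to `_validation.tpl` changes how Helm treats the file (underscore-prefixed files are not rendered as manifests), so if that route is chosen, prove with `helm template --name-template` and a 53-character name that `fail` still aborts the render. Separately, the comment justifying 52 ("postgres usernames are limited to 64 chars") would be easier to audit if it stated the username pattern the 52 is derived from.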

Doing so removes unnecessary CI noise without altering behaviour.

🤖 Prompt for AI Agents
In charts/urbanstack-shared-app/templates/validation.yaml lines 1 to 4, the file
is named with a .yaml extension but contains only Helm template logic, causing
YAML linting errors. To fix this, rename the file to have a .tpl or
_validation.tpl extension to indicate it is a Helm template, or keep the .yaml
extension but add a YAML linting pragma at the top to disable linting for this
file, preventing unnecessary CI noise without changing functionality.

@ol-teuto ol-teuto force-pushed the add-urbanstack-shared-app branch 4 times, most recently from a0e170a to ce209cc Compare July 31, 2025 14:05
@ol-teuto ol-teuto requested a review from cwrau August 4, 2025 07:21
@ol-teuto ol-teuto force-pushed the add-urbanstack-shared-app branch from ce209cc to e280290 Compare August 4, 2025 12:59

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 0

♻️ Duplicate comments (12)
charts/urbanstack-shared-app/templates/validation.yaml (1)

1-4: Keep YAML-lint quiet – rename file or add pragma
The template contains no real YAML, yet the .yaml suffix makes YAML-lint choke (see CI output). Rename to validation.tpl / _validation.tpl or add a pragma at the top:

+# yamllint disable-file
 {{/* normal limit is 53, but we need 52 as the limit, because postgres usernames are limited to 64 chars */}}
charts/urbanstack-shared-app/templates/pvc.yaml (1)

4-5: Inline labels still breaks linters
Same issue flagged earlier: the helper must start on its own line to keep linters happy.

-  labels: {{- include "urbanstack-shared-app.labels" . | nindent 4 }}
+  labels:
+    {{- include "urbanstack-shared-app.labels" . | nindent 4 }}
charts/urbanstack-shared-app/templates/ingress.yaml (2)

4-5: Inline labels → malformed manifest

-  labels: {{- include "urbanstack-shared-app.labels" . | nindent 4 }}
+  labels:
+    {{- include "urbanstack-shared-app.labels" . | nindent 4 }}

19-22: Indent list items under tls:
List items must be indented beneath tls:; current output is rejected by strict API servers.

-  tls:
-  - hosts:
-    - {{ .Values.host | quote }}
-    secretName: {{ printf "%s-tls" .Values.host | quote }}
+  tls:
+    - hosts:
+        - {{ .Values.host | quote }}
+      secretName: {{ printf "%s-tls" .Values.host | quote }}
charts/urbanstack-shared-app/templates/image-pull-secret.yaml (2)

5-6: Inline labels → YAML error

-  labels: {{- include "urbanstack-shared-app.labels" . | nindent 4 }}
+  labels:
+    {{- include "urbanstack-shared-app.labels" . | nindent 4 }}

9-9: Registry auth JSON still omits username / password fields
Keeping only auth breaks pulls on Harbor/GitLab/ECR. Full record:

-  .dockerconfigjson: {{ dict "auths" (dict .Values.image.registry (dict "auth" (printf "%s:%s" .Values.registryAuth.username .Values.registryAuth.password | b64enc))) | toJson | quote }}
+  .dockerconfigjson: {{ dict "auths" (dict .Values.image.registry (dict
+        "username" .Values.registryAuth.username
+        "password" .Values.registryAuth.password
+        "auth"     (printf "%s:%s" .Values.registryAuth.username .Values.registryAuth.password | b64enc))) | toJson | quote }}
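Review bot: the premise is not supported; `auth` (base64 of `user:password`) is the field kubelet and containerd decode, and `username`/`password` are optional duplicates in the Docker config format, so pulls from Harbor, GitLab or ECR work with `auth` alone. Adding them is harmless but writes the password into the Secret a second time. The CI failure quoted above, `'registryAuth' missing required fields 'username' and 'password'`, is a values.schema.json constraint that this hunk does not touch; either the lint values must supply both fields or the schema should require them only when `registryAuth` is given, with the template guarded accordingly. One check worth adding for the existing line: `dict .Values.image.registry` keys the entry on the raw registry value, so confirm it equals the registry host of the image reference (in a standard docker config Docker Hub is keyed as `https://index.docker.io/v1/`, not a bare path), otherwise the pull silently goes unauthenticated.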
charts/urbanstack-shared-app/templates/service.yaml (1)

4-5: Inline labels → YAML error

-  labels: {{- include "urbanstack-shared-app.labels" . | nindent 4 }}
+  labels:
+    {{- include "urbanstack-shared-app.labels" . | nindent 4 }}
charts/urbanstack-shared-app/templates/networkpolicy.yaml (3)

5-5: Fix YAML syntax error in labels field

The inline helper usage causes a YAML parsing error. The labels key must end with a colon and the helper output should be on the next indented line.

-  labels: {{- include "urbanstack-shared-app.labels" . | nindent 4 }}
+  labels:
+    {{- include "urbanstack-shared-app.labels" . | nindent 4 }}

15-15: Fix indentation of egress list items

The list items under egress: are indented with 4 spaces instead of the required 2 spaces. This violates YAML structure and causes linting errors.

-    {{- if .Values.allowExternalEgress }}
-    - to: # allow external endpoints outside of the cluster
+  {{- if .Values.allowExternalEgress }}
+  - to: # allow external endpoints outside of the cluster
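Review bot: "violates YAML structure" overstates it; sequence items indented deeper than their parent key are valid YAML, which is why the CI output lists this as a yamllint warning (the `indentation` style rule) and not an error. What does break the policy is mixing columns within one list, and that is the risk of this hunk: it re-indents the first `{{- if }}` branch while lines 20, 32 and 38 are left to a follow-up. Change all egress items in one commit and diff `helm template` output before and after; the rendered NetworkPolicy must be unchanged, otherwise an item has turned into a parse error or a separate node.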

Apply the same indentation fix to all other egress list items starting at lines 20, 32, and 38.


34-34: Fix inline YAML rendering for matchLabels

The matchLabels field is rendered inline, which can cause YAML formatting issues when the helper produces multi-line output.

-            matchLabels: {{- .Values.postgres.networkPolicy.matchLabels | toYaml | nindent 14 }}
+            matchLabels:
+              {{- .Values.postgres.networkPolicy.matchLabels | toYaml | nindent 14 }}
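Review bot: beyond the cosmetic change, look at what this selector does with empty input. A `podSelector` with `matchLabels: {}` (or `null`, which `toYaml` produces for an unset value) selects every pod in the namespaces chosen by the namespace selector, so an unset `postgres.networkPolicy.matchLabels` widens the egress allowance from the database pods to the whole namespace without any error. The CI error `'postgres' contains additional property 'matchLabels'` shows a values file setting `postgres.matchLabels` instead of `postgres.networkPolicy.matchLabels`, which is exactly that case; have values.schema.json require a non-empty `matchLabels` under `postgres.networkPolicy`.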
charts/urbanstack-shared-app/templates/deployment.yaml (2)

7-7: Fix YAML syntax error in labels field

The inline helper usage causes a YAML parsing error identical to the NetworkPolicy template.

-  labels: {{- include "urbanstack-shared-app.labels" . | nindent 4 }}
+  labels:
+    {{- include "urbanstack-shared-app.labels" . | nindent 4 }}

19-19: Fix indentation of imagePullSecrets block

The imagePullSecrets block is indented 6 spaces instead of the expected 4 spaces under spec:, causing YAML linting errors.

-      imagePullSecrets:
-        - name: {{ printf "pullsecret-%s" .Release.Name | quote }}
+    imagePullSecrets:
+      - name: {{ printf "pullsecret-%s" .Release.Name | quote }}
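Review bot: verify the nesting before applying this. In a Deployment, `imagePullSecrets` is a pod-spec field at `spec.template.spec.imagePullSecrets`, which with two-space indentation sits at six spaces, the column it has now; yamllint's "expected 4" is computed on the unrendered template, where the preceding `{{- if }}` lines distort its view of the block. If the field is indeed under the pod spec, this hunk moves it up to `spec.template`, where strict field validation rejects it and non-strict apply prunes it, leaving pods unable to pull from the private registry. Render with `helm template` and confirm `.spec.template.spec.imagePullSecrets` is populated.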
🧹 Nitpick comments (2)
charts/urbanstack-shared-app/templates/networkpolicy.yaml (1)

38-50: Consider making ingress controller configurable

The NetworkPolicy is hardcoded to ingress-nginx. While the maintainer mentioned this is acceptable for their specific use case, consider adding a configuration option for better chart reusability.

+{{- $ingressController := .Values.ingressController | default "ingress-nginx" }}
 - to: # allow using nginx proxy to call other services
     - podSelector:
         matchLabels:
-          app.kubernetes.io/instance: ingress-nginx
-          app.kubernetes.io/name: ingress-nginx
+          app.kubernetes.io/instance: {{ $ingressController }}
+          app.kubernetes.io/name: {{ $ingressController }}
       namespaceSelector:
         matchLabels:
-          kubernetes.io/metadata.name: ingress-nginx
+          kubernetes.io/metadata.name: {{ $ingressController }}
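Review bot: collapsing `app.kubernetes.io/instance`, `app.kubernetes.io/name` and the namespace name into one `ingressController` value assumes all three are equal, which holds for a default ingress-nginx install and for little else (instance is the release name, namespace is the operator's choice). Because this policy is the allow-list for the app's ingress traffic, a mismatch fails closed: the selector matches nothing and the app is unreachable with no error at apply time. Expose the namespace selector and the pod-label selector as separate values (a map, as `postgres.networkPolicy.matchLabels` already is) and add a CI step that applies the rendered policy and requests the app through the ingress.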

Apply the same pattern to the ingress section (lines 52-59).

charts/urbanstack-shared-app/templates/deployment.yaml (1)

99-100: Remove trailing whitespace

Line 99 contains trailing spaces which violate YAML formatting standards.

-      
+
📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between ec56d3f and e280290.

⛔ Files ignored due to path filters (1)
  • charts/urbanstack-shared-app/Chart.lock is excluded by !**/*.lock
📒 Files selected for processing (18)
  • .github/CODEOWNERS (1 hunks)
  • .github/release-please/config.json (1 hunks)
  • charts/urbanstack-shared-app/.helmignore (1 hunks)
  • charts/urbanstack-shared-app/Chart.yaml (1 hunks)
  • charts/urbanstack-shared-app/ci/_common.sh (1 hunks)
  • charts/urbanstack-shared-app/ci/artifacthub-values.yaml (1 hunks)
  • charts/urbanstack-shared-app/ci/auth-values.yaml (1 hunks)
  • charts/urbanstack-shared-app/ci/cert-issuer.yaml (1 hunks)
  • charts/urbanstack-shared-app/templates/_helpers.tpl (1 hunks)
  • charts/urbanstack-shared-app/templates/deployment.yaml (1 hunks)
  • charts/urbanstack-shared-app/templates/image-pull-secret.yaml (1 hunks)
  • charts/urbanstack-shared-app/templates/ingress.yaml (1 hunks)
  • charts/urbanstack-shared-app/templates/networkpolicy.yaml (1 hunks)
  • charts/urbanstack-shared-app/templates/pvc.yaml (1 hunks)
  • charts/urbanstack-shared-app/templates/service.yaml (1 hunks)
  • charts/urbanstack-shared-app/templates/validation.yaml (1 hunks)
  • charts/urbanstack-shared-app/values.schema.json (1 hunks)
  • charts/urbanstack-shared-app/values.yaml (1 hunks)
✅ Files skipped from review due to trivial changes (3)
  • charts/urbanstack-shared-app/ci/_common.sh
  • .github/release-please/config.json
  • charts/urbanstack-shared-app/.helmignore
🚧 Files skipped from review as they are similar to previous changes (8)
  • charts/urbanstack-shared-app/ci/cert-issuer.yaml
  • charts/urbanstack-shared-app/ci/auth-values.yaml
  • charts/urbanstack-shared-app/ci/artifacthub-values.yaml
  • .github/CODEOWNERS
  • charts/urbanstack-shared-app/values.yaml
  • charts/urbanstack-shared-app/templates/_helpers.tpl
  • charts/urbanstack-shared-app/Chart.yaml
  • charts/urbanstack-shared-app/values.schema.json
🧰 Additional context used
🪛 YAMLlint (1.37.1)
charts/urbanstack-shared-app/templates/deployment.yaml

[warning] 19-19: wrong indentation: expected 4 but found 6

(indentation)


[error] 99-99: trailing spaces

(trailing-spaces)


[error] 7-7: syntax error: expected the node content, but found '-'

(syntax)

charts/urbanstack-shared-app/templates/image-pull-secret.yaml

[error] 1-1: syntax error: expected the node content, but found '-'

(syntax)

charts/urbanstack-shared-app/templates/ingress.yaml

[error] 5-5: syntax error: expected the node content, but found '-'

(syntax)

charts/urbanstack-shared-app/templates/networkpolicy.yaml

[warning] 15-15: wrong indentation: expected 2 but found 4

(indentation)


[error] 5-5: syntax error: expected the node content, but found '-'

(syntax)

charts/urbanstack-shared-app/templates/pvc.yaml

[error] 5-5: syntax error: expected the node content, but found '-'

(syntax)

charts/urbanstack-shared-app/templates/service.yaml

[error] 5-5: syntax error: expected the node content, but found '-'

(syntax)

charts/urbanstack-shared-app/templates/validation.yaml

[error] 2-2: syntax error: expected '', but found '{'

(syntax)

🔇 Additional comments (3)
charts/urbanstack-shared-app/templates/deployment.yaml (3)

23-30: LGTM: Strong security configuration

The security context configuration is excellent, implementing defense-in-depth with proper user/group IDs, non-root execution, and disabled host access. This follows Kubernetes security best practices.

33-42: LGTM: Container security hardening

The container security context properly implements the principle of least privilege with read-only root filesystem, dropped capabilities, and disabled privilege escalation.

74-87: LGTM: Well-configured health probes

The health probe configuration is appropriate with a reasonable startup probe (100 seconds total) and separate liveness/readiness endpoints following best practices.
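As an added example (not part of the chart or of the CodeRabbit review), a small policy check a reviewer could run against the rendered Deployment to confirm the properties the comments above describe: non-root pod identity, no host namespaces, read-only root filesystem, dropped capabilities, no privilege escalation, and the startup-probe budget. The manifest inside it is a constructed stand-in for `helm template` output; its field values and probe numbers are assumptions.

```python
import copy
# Constructed stand-in for the Deployment `helm template` would render from this
# chart (assumption: only fields the review discusses; probe numbers invented).
HARDENED = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "spec": {"template": {"spec": {
        "hostNetwork": False, "hostPID": False, "hostIPC": False,
        "securityContext": {"runAsNonRoot": True, "runAsUser": 1000, "fsGroup": 1000},
        "containers": [{
            "name": "app",
            "securityContext": {"readOnlyRootFilesystem": True,
                                "allowPrivilegeEscalation": False,
                                "capabilities": {"drop": ["ALL"]}},
            "startupProbe": {"httpGet": {"path": "/", "port": "http"},
                             "failureThreshold": 10, "periodSeconds": 10},
        }],
    }}},
}
# Same spec with two regressions, to show the checker catching them.
WEAKENED = copy.deepcopy(HARDENED)
WEAKENED["spec"]["template"]["spec"]["hostNetwork"] = True
del WEAKENED["spec"]["template"]["spec"]["containers"][0]["securityContext"]["capabilities"]

def startup_budget_seconds(container: dict) -> int:
    """Total time a startupProbe allows before the kubelet kills the container."""
    probe = container.get("startupProbe") or {}
    return probe.get("failureThreshold", 3) * probe.get("periodSeconds", 10)

def hardening_findings(deployment: dict) -> list[str]:
    """Return findings for a Deployment; an empty list means it passes."""
    pod = deployment["spec"]["template"]["spec"]
    psc = pod.get("securityContext", {})
    findings = []
    if not psc.get("runAsNonRoot"):
        findings.append("pod: runAsNonRoot is not true")
    if not psc.get("runAsUser"):  # unset or 0 both resolve to root
        findings.append("pod: runAsUser is unset or 0")
    for ns in ("hostNetwork", "hostPID", "hostIPC"):
        if pod.get(ns):
            findings.append(f"pod: {ns} is enabled")
    for c in pod.get("containers", []):
        n, csc = c.get("name", "?"), c.get("securityContext", {})
        if not csc.get("readOnlyRootFilesystem"):
            findings.append(f"{n}: readOnlyRootFilesystem is not true")
        if csc.get("allowPrivilegeEscalation", True):
            findings.append(f"{n}: allowPrivilegeEscalation is not false")
        if "ALL" not in csc.get("capabilities", {}).get("drop", []):
            findings.append(f"{n}: capabilities.drop lacks ALL")
    return findings
```

Run it over the YAML produced by `helm template` (parsed into a dict) as a CI gate so the settings the review approved cannot regress unnoticed.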
