chore: fix lint issues

.github/workflows/__need-fix-to-issue.yml

@@ -21,6 +21,10 @@ permissions:
   contents: read
   issues: write
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
 jobs:
   main:
     uses: hoverkraft-tech/ci-github-common/.github/workflows/need-fix-to-issue.yml@9a3d71ca9f68bc1061db8ea1442084ac31a0f8bf # 0.23.0

.github/workflows/__shared-ci.yml

@@ -23,7 +23,6 @@ jobs:
       # FIXME: re-enable the following checks
       linter-env: |
         VALIDATE_KUBERNETES_KUBECONFORM=false
-        VALIDATE_CHECKOV=false
         VALIDATE_JAVASCRIPT_PRETTIER=false
 
   test-action-docker-build-image:

actions/helm/parse-chart-uri/README.md

@@ -42,9 +42,9 @@ This action does not requires any permissions.
 
 <!-- start inputs -->
 
-| **Input**        | **Description**    | **Default** | **Required** |
-| ---------------- | ------------------ | ----------- | ------------ |
-| <code>uri</code> | Chart URI to parse |             | **true**     |
+| **Input**          | **Description**    | **Default** | **Required** |
+| ------------------ | ------------------ | ----------- | ------------ |
+| <code>`uri`</code> | Chart URI to parse |             | **true**     |
 
 <!-- end inputs -->
 <!-- start outputs -->

tests/charts/umbrella-application/charts/app/templates/configmap.yaml

@@ -1,13 +1,13 @@
 ---
-kind: ConfigMap
 apiVersion: v1
+kind: ConfigMap
 metadata:
-  name: {{ template "app.fullname" . }}-config
-  namespace: {{ .Values.namespace }}
+  name: {{ include "app.fullname" . }}-config
+  namespace: {{ .Values.namespace | default "app-system" }}
   labels:
     {{- include "app.labels" . | nindent 4 }}
 data:
-  {{- with .Values.application }}
+  {{- with .Values.app }}
   DB_CONNECTION: {{ .dbConnection | quote }}
   DB_HOST: {{ .dbHost | quote }}
   DB_PORT: {{ .dbPort | quote }}

tests/charts/umbrella-application/charts/app/templates/deployment.yaml

@@ -3,7 +3,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: {{ include "app.fullname" . }}
-  namespace: {{ .Values.namespace }}
+  namespace: {{ .Values.namespace | default "app-system" }}
   labels:
     {{- include "app.labels" . | nindent 4 }}
 spec:
@@ -34,7 +34,11 @@ spec:
         - name: {{ .Chart.Name }}
           securityContext:
             {{- toYaml .Values.securityContext | nindent 12 }}
+          {{- if .Values.image.digest }}
+          image: "{{ .Values.image.registry }}/{{ .Values.image.repository }}@{{ .Values.image.digest }}"
+          {{- else }}
           image: "{{ .Values.image.registry }}/{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+          {{- end }}
           imagePullPolicy: {{ .Values.image.pullPolicy }}
           envFrom:
             - configMapRef:

tests/charts/umbrella-application/charts/app/templates/hpa.yaml

@@ -1,9 +1,10 @@
----
 {{- if .Values.autoscaling.enabled }}
+---
 apiVersion: autoscaling/v2
 kind: HorizontalPodAutoscaler
 metadata:
   name: {{ include "app.fullname" . }}
+  namespace: {{ .Values.namespace | default "app-system" }}
   labels:
     {{- include "app.labels" . | nindent 4 }}
 spec:
@@ -18,12 +19,16 @@ spec:
     - type: Resource
       resource:
         name: cpu
-        targetAverageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }}
+        target:
+          type: Utilization
+          averageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }}
     {{- end }}
     {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }}
     - type: Resource
       resource:
         name: memory
-        targetAverageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }}
+        target:
+          type: Utilization
+          averageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }}
     {{- end }}
 {{- end }}

tests/charts/umbrella-application/charts/app/templates/ingress.yaml

@@ -17,6 +17,7 @@ apiVersion: extensions/v1beta1
 kind: Ingress
 metadata:
   name: {{ $fullName }}
+  namespace: {{ .Values.namespace | default "app-system" }}
   labels:
     {{- include "app.labels" . | nindent 4 }}
   {{- with .Values.ingress.annotations }}

tests/charts/umbrella-application/charts/app/templates/networkpolicy.yaml

@@ -0,0 +1,58 @@
+{{- if .Values.networkPolicy.enabled }}
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: {{ include "app.fullname" . }}
+  namespace: {{ .Values.namespace | default "app-system" }}
+  labels:
+    {{- include "app.labels" . | nindent 4 }}
+spec:
+  podSelector:
+    matchLabels:
+      {{- include "app.selectorLabels" . | nindent 6 }}
+  policyTypes:
+    - Ingress
+    - Egress
+  ingress:
+    {{- if .Values.networkPolicy.ingress }}
+    {{- range .Values.networkPolicy.ingress }}
+    - {{- toYaml . | nindent 6 }}
+    {{- end }}
+    {{- else }}
+    # Default: Allow ingress from any pod in the same namespace on HTTP port
+    - from:
+        - namespaceSelector: {}
+      ports:
+        - protocol: TCP
+          port: 8080
+    {{- end }}
+  egress:
+    {{- if .Values.networkPolicy.egress }}
+    {{- range .Values.networkPolicy.egress }}
+    - {{- toYaml . | nindent 6 }}
+    {{- end }}
+    {{- else }}
+    # Default: Allow egress to DNS and MySQL
+    - to: []
+      ports:
+        - protocol: UDP
+          port: 53
+        - protocol: TCP
+          port: 53
+    - to:
+        - podSelector:
+            matchLabels:
+              app.kubernetes.io/name: mysql
+      ports:
+        - protocol: TCP
+          port: 3306
+    # Allow HTTPS for external API calls
+    - to: []
+      ports:
+        - protocol: TCP
+          port: 443
+        - protocol: TCP
+          port: 80
+    {{- end }}
+{{- end }}

tests/charts/umbrella-application/charts/app/templates/service.yaml

@@ -3,8 +3,9 @@ apiVersion: v1
 kind: Service
 metadata:
   name: {{ include "app.fullname" . }}
-  namespace: {{ .Values.namespace }}
-  labels: {{- include "app.labels" . | nindent 4 }}
+  namespace: {{ .Values.namespace | default "app-system" }}
+  labels:
+    {{- include "app.labels" . | nindent 4 }}
 spec:
   type: {{ .Values.service.type }}
   ports:

tests/charts/umbrella-application/charts/app/templates/serviceaccount.yaml

@@ -1,9 +1,10 @@
 {{- if .Values.serviceAccount.create -}}
+---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: {{ include "app.serviceAccountName" . }}
-  namespace: {{ .Values.namespace }}
+  namespace: {{ .Values.namespace | default "app-system" }}
   labels:
     {{- include "app.labels" . | nindent 4 }}
   {{- with .Values.serviceAccount.annotations }}

tests/charts/umbrella-application/charts/app/values.yaml

@@ -2,6 +2,9 @@
 # This is a YAML-formatted file.
 # Declare variables to be passed into your templates.
 ---
+# Namespace for the application (defaults to "app-system" if not specified)
+namespace: "app-system"
+
 app:
   dbConnection: mysql
   dbHost: "mysql"
@@ -88,14 +91,22 @@ autoscaling:
   minReplicas: 1
   maxReplicas: 100
   targetCPUUtilizationPercentage: 80
-  # targetMemoryUtilizationPercentage: 80
+  targetMemoryUtilizationPercentage: 80
 
 nodeSelector: {}
 
 tolerations: []
 
 affinity: {}
 
+# Network Policy configuration
+networkPolicy:
+  enabled: true
+  # Custom ingress rules (optional)
+  ingress: []
+  # Custom egress rules (optional)  
+  egress: []
+
 # chart dependencies
 mysql:
   fullnameOverride: mysql