From df56462267fb7d2b5c8b04cdde5a371249037fb3 Mon Sep 17 00:00:00 2001 From: Brian 'redbeard' Harrington Date: Tue, 13 Jan 2026 17:38:06 -0500 Subject: [PATCH 1/6] fix(helm): rename localCluster to localClusterDomain in hello-world values The template hello-world-cm.yaml references .Values.global.localClusterDomain but the values file had the key named localCluster, causing the template to render with an empty value. --- charts/all/hello-world/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/all/hello-world/values.yaml b/charts/all/hello-world/values.yaml index 55083f741..8b8d1398d 100644 --- a/charts/all/hello-world/values.yaml +++ b/charts/all/hello-world/values.yaml @@ -1,4 +1,4 @@ --- global: hubClusterDomain: hub.example.com - localCluster: local.example.com + localClusterDomain: local.example.com From a29bf2296ae62a4c5157e0267020397f01d8439b Mon Sep 17 00:00:00 2001 From: Brian 'redbeard' Harrington Date: Tue, 13 Jan 2026 17:38:26 -0500 Subject: [PATCH 2/6] fix(helm): change insecureEdgeTerminationPolicy from Allow to Redirect Setting insecureEdgeTerminationPolicy to Allow permits unencrypted HTTP traffic to the routes. Changing to Redirect forces all HTTP requests to be redirected to HTTPS, improving security. Affected routes: - hello-world - config-demo --- charts/all/config-demo/templates/config-demo-route.yaml | 2 +- charts/all/hello-world/templates/hello-world-route.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/charts/all/config-demo/templates/config-demo-route.yaml b/charts/all/config-demo/templates/config-demo-route.yaml index 4a2677287..280447e50 100644 --- a/charts/all/config-demo/templates/config-demo-route.yaml +++ b/charts/all/config-demo/templates/config-demo-route.yaml @@ -13,5 +13,5 @@ spec: weight: 100 wildcardPolicy: None tls: - insecureEdgeTerminationPolicy: Allow + insecureEdgeTerminationPolicy: Redirect termination: edge 
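Review bot: With `insecureEdgeTerminationPolicy: Redirect` the router still answers on port 80, so a client's first request, including any headers or cookies it carries, crosses the network in clear text before the redirect is returned. If these routes need no plain-HTTP entry point, `insecureEdgeTerminationPolicy: None` closes it. Otherwise, adding the annotation `haproxy.router.openshift.io/hsts_header: max-age=31536000` to the Route metadata makes returning browsers skip the HTTP hop. The same applies to the hello-world-route.yaml hunk in this patch. The Route's metadata block is outside both hunks, so existing annotations could not be checked from here.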
diff --git a/charts/all/hello-world/templates/hello-world-route.yaml b/charts/all/hello-world/templates/hello-world-route.yaml index 4b1243656..8653c7de3 100644 --- a/charts/all/hello-world/templates/hello-world-route.yaml +++ b/charts/all/hello-world/templates/hello-world-route.yaml @@ -13,5 +13,5 @@ spec: weight: 100 wildcardPolicy: None tls: - insecureEdgeTerminationPolicy: Allow + insecureEdgeTerminationPolicy: Redirect termination: edge From 6d18b333988c2ef0701cd487252b10b73c39f5c5 Mon Sep 17 00:00:00 2001 From: Brian 'redbeard' Harrington Date: Tue, 13 Jan 2026 17:38:45 -0500 Subject: [PATCH 3/6] fix(helm): set readOnlyRootFilesystem to true in config-demo deployment The container already has emptyDir volumes mounted for all writable paths: - /tmp - /var/cache/httpd - /var/run/httpd - /var/www/html (via configMap) With these mounts in place, the root filesystem can safely be read-only, improving container security posture. --- charts/all/config-demo/templates/config-demo-deployment.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/all/config-demo/templates/config-demo-deployment.yaml b/charts/all/config-demo/templates/config-demo-deployment.yaml index 64db6c4b7..befa91871 100644 --- a/charts/all/config-demo/templates/config-demo-deployment.yaml +++ b/charts/all/config-demo/templates/config-demo-deployment.yaml @@ -51,7 +51,7 @@ spec: memory: 256Mi securityContext: allowPrivilegeEscalation: false - readOnlyRootFilesystem: false + readOnlyRootFilesystem: true runAsNonRoot: true capabilities: drop: From 68a30e9d26247d82338bf89084c6867df5f81fef Mon Sep 17 00:00:00 2001 
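Review bot: Nothing in the config-demo-deployment.yaml hunk records which mounts `readOnlyRootFilesystem: true` depends on, so a later edit to the volumes can break httpd start-up with no hint at the setting itself. A comment above the line would tie them together, for example `# requires writable emptyDir mounts at /tmp, /var/cache/httpd and /var/run/httpd`. The description also lists /var/www/html as covered by a configMap, but configMap volumes are mounted read-only, so that path is only safe if httpd never writes there. The volumeMounts are outside the hunk, so this is worth confirming with a rollout of the rendered chart.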
From: Brian 'redbeard' Harrington Date: Tue, 13 Jan 2026 17:56:59 -0500 Subject: [PATCH 4/6] fix(helm): template container images from values.yaml - Add image.repository, image.tag, image.pullPolicy to both chart values - Update deployments to use templated image values - Remove commented imagePullPolicy, now explicit in values - Allows image overrides without modifying templates Affected charts: - hello-world - config-demo --- charts/all/config-demo/templates/config-demo-deployment.yaml | 4 ++-- charts/all/config-demo/values.yaml | 5 +++++ charts/all/hello-world/templates/hello-world-deployment.yaml | 4 ++-- charts/all/hello-world/values.yaml | 5 +++++ 4 files changed, 14 insertions(+), 4 deletions(-) diff --git a/charts/all/config-demo/templates/config-demo-deployment.yaml b/charts/all/config-demo/templates/config-demo-deployment.yaml index befa91871..0bd905468 100644 --- a/charts/all/config-demo/templates/config-demo-deployment.yaml +++ b/charts/all/config-demo/templates/config-demo-deployment.yaml @@ -24,8 +24,8 @@ spec: type: RuntimeDefault containers: - name: apache - image: registry.access.redhat.com/ubi10/httpd-24:10.0-1755779646 - #imagePullPolicy: Always + image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} ports: - containerPort: 8080 name: http diff --git a/charts/all/config-demo/values.yaml b/charts/all/config-demo/values.yaml index 6d27c371d..e8aeee0bd 100644 --- a/charts/all/config-demo/values.yaml +++ b/charts/all/config-demo/values.yaml @@ -13,3 +13,8 @@ global: clusterGroup: isHubCluster: true + +image: + repository: registry.access.redhat.com/ubi10/httpd-24 + tag: "10.0-1755779646" + pullPolicy: IfNotPresent diff --git a/charts/all/hello-world/templates/hello-world-deployment.yaml b/charts/all/hello-world/templates/hello-world-deployment.yaml index e065d4bf1..f5473537f 100644 --- a/charts/all/hello-world/templates/hello-world-deployment.yaml 
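Review bot: The templated `image:` line in the config-demo-deployment.yaml hunk can only render a `repository:tag` reference, so an override cannot pin the image by digest, and a tag can be re-pointed at the registry without anything in the chart changing. An optional digest key keeps today's default while allowing a content-addressed pin: `image: "{{ .Values.image.repository }}{{ if .Values.image.digest }}@{{ .Values.image.digest }}{{ else }}:{{ .Values.image.tag }}{{ end }}"`. The following line renders an empty `imagePullPolicy:` if an override nulls the key; `imagePullPolicy: {{ .Values.image.pullPolicy | default "IfNotPresent" | quote }}` keeps it explicit. The same two lines appear in the hello-world-deployment.yaml hunk of this patch. The container spec continues outside both hunks.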
+++ b/charts/all/hello-world/templates/hello-world-deployment.yaml @@ -23,8 +23,8 @@ spec: type: RuntimeDefault containers: - name: apache - image: registry.access.redhat.com/ubi10/httpd-24:10.0-1755779646 - #imagePullPolicy: Always + image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} ports: - containerPort: 8080 name: http diff --git a/charts/all/hello-world/values.yaml b/charts/all/hello-world/values.yaml index 8b8d1398d..cff2bfd48 100644 --- a/charts/all/hello-world/values.yaml +++ b/charts/all/hello-world/values.yaml @@ -2,3 +2,8 @@ global: hubClusterDomain: hub.example.com localClusterDomain: local.example.com + +image: + repository: registry.access.redhat.com/ubi10/httpd-24 + tag: "10.0-1755779646" + pullPolicy: IfNotPresent From e3d224e73faed220e700fb60fe13b078c7df1f2f Mon Sep 17 00:00:00 2001 From: Brian 'redbeard' Harrington Date: Tue, 13 Jan 2026 17:58:07 -0500 Subject: [PATCH 5/6] fix(helm): remove unnecessary creationTimestamp: null from pod template Kubernetes auto-populates creationTimestamp. Explicitly setting it to null in templates is unnecessary and may cause validation warnings. --- charts/all/config-demo/templates/config-demo-deployment.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/charts/all/config-demo/templates/config-demo-deployment.yaml b/charts/all/config-demo/templates/config-demo-deployment.yaml index 0bd905468..31974a927 100644 --- a/charts/all/config-demo/templates/config-demo-deployment.yaml +++ b/charts/all/config-demo/templates/config-demo-deployment.yaml @@ -12,7 +12,6 @@ spec: deploymentconfig: config-demo template: metadata: - creationTimestamp: null labels: app: config-demo deploymentconfig: config-demo From c7fb1bdc1d7b462e18e774fd0366b83331cce43b Mon Sep 17 00:00:00 2001 
From: Brian 'redbeard' Harrington Date: Tue, 13 Jan 2026 17:58:34 -0500 Subject: [PATCH 6/6] fix(config): standardize to argoProject key name in values-standalone.yaml The validated patterns operator expects 'argoProject' not 'project'. Also rename 'projects' to 'argoProjects' for consistency with values-hub.yaml. --- values-standalone.yaml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/values-standalone.yaml b/values-standalone.yaml index 57d74f9f1..b70e32b41 100644 --- a/values-standalone.yaml +++ b/values-standalone.yaml @@ -7,7 +7,7 @@ clusterGroup: - config-demo - hello-world subscriptions: {} - projects: + argoProjects: - hub - config-demo - hello-world @@ -26,24 +26,24 @@ clusterGroup: vault: name: vault namespace: vault - project: hub + argoProject: hub chart: hashicorp-vault chartVersion: 0.1.* golang-external-secrets: name: golang-external-secrets namespace: golang-external-secrets - project: hub + argoProject: hub chart: golang-external-secrets chartVersion: 0.1.* config-demo: name: config-demo namespace: config-demo - project: config-demo + argoProject: config-demo path: charts/all/config-demo hello-world: name: hello-world namespace: hello-world - project: hello-world + argoProject: hello-world path: charts/all/hello-world imperative: # NOTE: We *must* use lists and not hashes. As hashes lose ordering once parsed by helm