helm updates for flowgger and netflow #2822

Merged
mfreeman451 merged 1 commit from refs/pull/2822/head into staging 2026-02-01 04:52:17 +00:00
mfreeman451 commented 2026-02-01 04:51:26 +00:00 (Migrated from github.com)
Owner

Imported from GitHub pull request.

Original GitHub pull request: #2652
Original author: @mfreeman451
Original URL: https://github.com/carverauto/serviceradar/pull/2652
Original created: 2026-02-01T04:51:26Z
Original updated: 2026-02-01T05:23:45Z
Original head: carverauto/serviceradar:chore/k8s-updates
Original base: staging
Original merged: 2026-02-01T04:52:17Z by @mfreeman451

User description

IMPORTANT: Please sign the Developer Certificate of Origin

Thank you for your contribution to ServiceRadar. Please note, when contributing, the developer must include
a DCO sign-off statement indicating the DCO acceptance in one commit message. Here
is an example DCO Signed-off-by line in a commit message:

Signed-off-by: J. Doe <j.doe@domain.com>

Describe your changes

Code checklist before requesting a review

  • I have signed the DCO?
  • The build completes without errors?
  • All tests are passing when running make test?

PR Type

Enhancement


Description

  • Add externalTrafficPolicy configuration to Kubernetes services

    • Enables local traffic policy for Calico BGP compatibility
  • Update MetalLB pool references from k3s-lan-pool to k3s-pool

  • Update demo LoadBalancer IP addresses for flowgger and netflow services

  • Add configuration documentation for external traffic policy settings


Diagram Walkthrough

flowchart LR
  A["Helm Templates"] -->|Add externalTrafficPolicy| B["flowgger.yaml"]
  A -->|Add externalTrafficPolicy| C["netflow-collector.yaml"]
  D["Values Files"] -->|Update pool names| E["values-demo.yaml"]
  D -->|Add policy defaults| F["values.yaml"]
  G["K8s Manifests"] -->|Set Local policy| H["Demo Services"]

File Walkthrough

Relevant files
Enhancement
flowgger.yaml
Add externalTrafficPolicy to flowgger service                       

helm/serviceradar/templates/flowgger.yaml

  • Add conditional externalTrafficPolicy field to external service spec
  • Allows configuration of traffic policy via values
+3/-0     
netflow-collector.yaml
Add externalTrafficPolicy to netflow service                         

helm/serviceradar/templates/netflow-collector.yaml

  • Add conditional externalTrafficPolicy field to service spec
  • Enables traffic policy configuration through Helm values
+3/-0     
serviceradar-netflow-collector.yaml
Add Local traffic policy to netflow service                           

k8s/demo/base/serviceradar-netflow-collector.yaml

  • Add externalTrafficPolicy: Local to netflow collector service spec
  • Enables local endpoint traffic routing
+1/-0     
serviceradar-flowgger-external.yaml
Add Local traffic policy to flowgger service                         

k8s/demo/prod/serviceradar-flowgger-external.yaml

  • Add externalTrafficPolicy: Local to flowgger external service spec
  • Configures local traffic routing for production environment
+1/-0     
Configuration changes
values-demo.yaml
Update demo values with new pool and traffic policy           

helm/serviceradar/values-demo.yaml

  • Update flowgger MetalLB pool from k3s-lan-pool to k3s-pool
  • Update flowgger LoadBalancerIP to 23.138.124.24
  • Add externalTrafficPolicy: Local to flowgger configuration
  • Update netflow MetalLB pool and LoadBalancerIP, add Local traffic
    policy
+6/-4     
Documentation
values.yaml
Add externalTrafficPolicy defaults and documentation         

helm/serviceradar/values.yaml

  • Add externalTrafficPolicy: Cluster default to flowgger external
    service
  • Add documentation comment explaining Calico BGP requirement
  • Add externalTrafficPolicy: Cluster default to netflow collector
    service
  • Include explanatory comment for traffic policy configuration
+4/-0     

qodo-code-review[bot] commented 2026-02-01 04:52:05 +00:00 (Migrated from github.com)
Author
Owner

Imported GitHub PR comment.

Original author: @qodo-code-review[bot]
Original URL: https://github.com/carverauto/serviceradar/pull/2652#issuecomment-3830373256
Original created: 2026-02-01T04:52:05Z

PR Compliance Guide 🔍

Below is a summary of compliance checks for this PR:

Security Compliance
Unintended public exposure

Description: The demo configuration sets type: LoadBalancer with specific loadBalancerIP values (e.g.,
23.138.124.24/23.138.124.25) which may unintentionally expose syslog/NetFlow ingestion
services publicly if applied in an environment where these IPs are routable; confirm these
IPs are intended, restricted by firewall/ACLs, and not usable outside a controlled demo
network.
values-demo.yaml [90-107]

Referred Code
flowgger:
  externalService:
    enabled: true
    annotations:
      metallb.universe.tf/address-pool: k3s-pool
    loadBalancerIP: "23.138.124.24"
    externalTrafficPolicy: Local

netflowCollector:
  enabled: true
  config:
    stream_max_bytes: 1073741824
  service:
    type: LoadBalancer
    annotations:
      metallb.universe.tf/address-pool: k3s-pool
    loadBalancerIP: "23.138.124.25"
    externalTrafficPolicy: Local
Ticket Compliance
🎫 No ticket provided
  • Create ticket/issue
Codebase Duplication Compliance
Codebase context is not defined

Follow the guide to enable codebase context checks.

Custom Compliance
🟢
Generic: Comprehensive Audit Trails

Objective: To create a detailed and reliable record of critical system actions for security analysis
and compliance.

Status: Passed

Learn more about managing compliance generic rules or creating your own custom rules

Generic: Secure Error Handling

Objective: To prevent the leakage of sensitive system information through error messages while
providing sufficient detail for internal debugging.

Status: Passed

Learn more about managing compliance generic rules or creating your own custom rules

Generic: Secure Logging Practices

Objective: To ensure logs are useful for debugging and auditing without exposing sensitive
information like PII, PHI, or cardholder data.

Status: Passed

Learn more about managing compliance generic rules or creating your own custom rules

🔴
Generic: Meaningful Naming and Self-Documenting Code

Objective: Ensure all identifiers clearly express their purpose and intent, making code
self-documenting

Status:
Misleading config comment: The comment says the setting will "only advertise from nodes with local
endpoints" (i.e., externalTrafficPolicy: Local) but the default value is set to
Cluster, making the configuration self-documentation misleading.

Referred Code
# Only advertise from nodes with local endpoints (required for Calico BGP)
externalTrafficPolicy: Cluster

Learn more about managing compliance generic rules or creating your own custom rules

Generic: Robust Error Handling and Edge Case Management

Objective: Ensure comprehensive error handling that provides meaningful context and graceful
degradation

Status:
Missing edge-case guard: externalTrafficPolicy is rendered whenever a value is provided, even if the Service type
is ClusterIP, which can produce an invalid Kubernetes Service manifest instead of handling
the edge case safely.

Referred Code
type: {{ .Values.netflowCollector.service.type | default "ClusterIP" }}
{{- with .Values.netflowCollector.service.externalTrafficPolicy }}
externalTrafficPolicy: {{ . }}
{{- end }}

Learn more about managing compliance generic rules or creating your own custom rules

Generic: Security-First Input Validation and Data Handling

Objective: Ensure all data inputs are validated, sanitized, and handled securely to prevent
vulnerabilities

Status:
No value validation: The template inserts .Values.flowgger.externalService.externalTrafficPolicy directly into
the manifest without validating it against allowed values (Local/Cluster) or gating it by
Service type, allowing invalid external inputs to generate unsafe/invalid resources.

Referred Code
type: {{ .Values.flowgger.externalService.type | default "LoadBalancer" }}
{{- with .Values.flowgger.externalService.externalTrafficPolicy }}
externalTrafficPolicy: {{ . }}
{{- end }}

Learn more about managing compliance generic rules or creating your own custom rules

Compliance status legend
🟢 - Fully Compliant
🟡 - Partial Compliant
🔴 - Not Compliant
⚪ - Requires Further Human Verification
🏷️ - Compliance label
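The three findings in the comment above (a publicly routable `loadBalancerIP`, `externalTrafficPolicy` rendered on a `ClusterIP` Service, and an unvalidated policy value) can be checked on rendered manifests before they are applied. The following is an added example, not code from the PR or from ServiceRadar; the function names, finding codes and sample manifests are constructed, and it assumes the field applies only to `LoadBalancer` and `NodePort` Services and that manifests have already been parsed into dicts.

```python
"""Lint parsed Kubernetes Service manifests for the three review findings."""
import ipaddress

# The two values the review names as allowed for externalTrafficPolicy.
ALLOWED_POLICIES = {"Cluster", "Local"}
# Assumption: the field is only meaningful on these Service types
# (ClusterIP Services that use externalIPs are not modelled here).
EXTERNAL_TYPES = {"LoadBalancer", "NodePort"}


def lint_service(manifest):
    """Return a list of (code, message) findings for one Service manifest."""
    findings = []
    if manifest.get("kind") != "Service":
        return findings
    spec = manifest.get("spec") or {}
    svc_type = spec.get("type") or "ClusterIP"  # type defaults to ClusterIP
    policy = spec.get("externalTrafficPolicy")

    if policy is not None:
        # Finding "No value validation": values are case-sensitive.
        if policy not in ALLOWED_POLICIES:
            findings.append(
                ("ETP_VALUE", f"externalTrafficPolicy {policy!r} is not Cluster or Local"))
        # Finding "Missing edge-case guard": field set on an internal Service.
        if svc_type not in EXTERNAL_TYPES:
            findings.append(
                ("ETP_TYPE", f"externalTrafficPolicy set on a {svc_type} Service"))

    lb_ip = spec.get("loadBalancerIP")
    if svc_type == "LoadBalancer" and lb_ip:
        ranges = spec.get("loadBalancerSourceRanges") or []
        try:
            addr = ipaddress.ip_address(str(lb_ip))
        except ValueError:
            findings.append(("LB_IP_INVALID", f"loadBalancerIP {lb_ip!r} is not an IP address"))
        else:
            # Finding "Unintended public exposure": a globally routable
            # address with no source restriction on the Service itself.
            if addr.is_global and not ranges:
                findings.append(
                    ("LB_PUBLIC_UNRESTRICTED",
                     f"{addr} is publicly routable and loadBalancerSourceRanges is empty"))
    return findings


def finding_codes(manifest):
    """Convenience wrapper: only the finding codes, in the order raised."""
    return [code for code, _ in lint_service(manifest)]


# Constructed sample manifests. The names are illustrative; 23.138.124.24 is
# the demo address quoted in the review, the other addresses are made up.
SAMPLE_SERVICES = [
    {"kind": "Service", "metadata": {"name": "flowgger-external"},
     "spec": {"type": "LoadBalancer", "loadBalancerIP": "23.138.124.24",
              "externalTrafficPolicy": "Local"}},
    {"kind": "Service", "metadata": {"name": "netflow-default-type"},
     "spec": {"externalTrafficPolicy": "Local"}},
    {"kind": "Service", "metadata": {"name": "netflow-typo"},
     "spec": {"type": "LoadBalancer", "loadBalancerIP": "10.0.0.5",
              "externalTrafficPolicy": "local"}},
    {"kind": "Service", "metadata": {"name": "flowgger-restricted"},
     "spec": {"type": "LoadBalancer", "loadBalancerIP": "23.138.124.24",
              "loadBalancerSourceRanges": ["192.0.2.0/24"],
              "externalTrafficPolicy": "Local"}},
]

if __name__ == "__main__":
    for svc in SAMPLE_SERVICES:
        name = svc["metadata"]["name"]
        for code, message in lint_service(svc):
            print(f"{name}: {code}: {message}")
```

A firewall or upstream ACL may still restrict the address, so `LB_PUBLIC_UNRESTRICTED` is a prompt to confirm that, not proof of exposure.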
qodo-code-review[bot] commented 2026-02-01 04:52:23 +00:00 (Migrated from github.com)
Author
Owner

Imported GitHub PR comment.

Original author: @qodo-code-review[bot]
Original URL: https://github.com/carverauto/serviceradar/pull/2652#issuecomment-3830373522
Original created: 2026-02-01T04:52:23Z

CI Feedback 🧐

A test triggered by this PR failed. Here is an AI-generated analysis of the failure:

Action: build

Failed stage: Configure SRQL fixture database for tests [❌]

Failed test name: ""

Failure summary:

The action failed during environment/fixture setup because the required secret
SRQL_TEST_DATABASE_CA_CERT was not configured.
- The log explicitly reports:
SRQL_TEST_DATABASE_CA_CERT secret must be configured to verify SRQL fixture TLS. (around lines
676-678).
- The SRQL_TEST_DATABASE_CA_CERT environment variable is empty in the job environment
(lines 361, 517, 580), causing the setup script to exit with code 1.

Relevant error logs:
1:  Runner name: 'arc-runner-set-hk6mk-runner-hpmb6'
2:  Runner group name: 'Default'
...

139:  if command -v apt-get >/dev/null 2>&1; then
140:    sudo apt-get update
141:    sudo apt-get install -y build-essential pkg-config libssl-dev protobuf-compiler cmake flex bison
142:  elif command -v dnf >/dev/null 2>&1; then
143:    sudo dnf install -y gcc gcc-c++ make openssl-devel protobuf-compiler cmake flex bison
144:  elif command -v yum >/dev/null 2>&1; then
145:    sudo yum install -y gcc gcc-c++ make openssl-devel protobuf-compiler cmake flex bison
146:  elif command -v microdnf >/dev/null 2>&1; then
147:    sudo microdnf install -y gcc gcc-c++ make openssl-devel protobuf-compiler cmake flex bison
148:  else
149:    echo "Unsupported package manager; please install gcc, g++ (or clang), make, OpenSSL headers, pkg-config, and protoc manually." >&2
150:    exit 1
151:  fi
152:
153:  ensure_pkg_config
154:  protoc --version || (echo "protoc installation failed" && exit 1)
155:  shell: /usr/bin/bash -e {0}
...

356:  shell: /usr/bin/bash --noprofile --norc -e -o pipefail {0}
357:  env:
358:  BUILDBUDDY_ORG_API_KEY: ***
359:  SRQL_TEST_DATABASE_URL: ***
360:  SRQL_TEST_ADMIN_URL: ***
361:  SRQL_TEST_DATABASE_CA_CERT: 
362:  DOCKERHUB_USERNAME: ***
363:  DOCKERHUB_TOKEN: ***
364:  TEST_CNPG_DATABASE: serviceradar_web_ng_test
365:  INSTALL_DIR_FOR_OTP: /home/runner/_work/_temp/.setup-beam/otp
366:  INSTALL_DIR_FOR_ELIXIR: /home/runner/_work/_temp/.setup-beam/elixir
367:  ##[endgroup]
368:  ##[group]Run : install rustup if needed
369:  : install rustup if needed
370:  if ! command -v rustup &>/dev/null; then
371:    curl --proto '=https' --tlsv1.2 --retry 10 --retry-connrefused --location --silent --show-error --fail https://sh.rustup.rs | sh -s -- --default-toolchain none -y
372:    echo "$CARGO_HOME/bin" >> $GITHUB_PATH
...

512:  shell: /usr/bin/bash --noprofile --norc -e -o pipefail {0}
513:  env:
514:  BUILDBUDDY_ORG_API_KEY: ***
515:  SRQL_TEST_DATABASE_URL: ***
516:  SRQL_TEST_ADMIN_URL: ***
517:  SRQL_TEST_DATABASE_CA_CERT: 
518:  DOCKERHUB_USERNAME: ***
519:  DOCKERHUB_TOKEN: ***
520:  TEST_CNPG_DATABASE: serviceradar_web_ng_test
521:  INSTALL_DIR_FOR_OTP: /home/runner/_work/_temp/.setup-beam/otp
522:  INSTALL_DIR_FOR_ELIXIR: /home/runner/_work/_temp/.setup-beam/elixir
523:  CARGO_HOME: /home/runner/.cargo
524:  CARGO_INCREMENTAL: 0
525:  CARGO_TERM_COLOR: always
526:  ##[endgroup]
527:  ##[group]Run : work around spurious network errors in curl 8.0
528:  : work around spurious network errors in curl 8.0
529:  # https://rust-lang.zulipchat.com/#narrow/stream/246057-t-cargo/topic/timeout.20investigation
...

580:  SRQL_TEST_DATABASE_CA_CERT: 
581:  DOCKERHUB_USERNAME: ***
582:  DOCKERHUB_TOKEN: ***
583:  TEST_CNPG_DATABASE: serviceradar_web_ng_test
584:  INSTALL_DIR_FOR_OTP: /home/runner/_work/_temp/.setup-beam/otp
585:  INSTALL_DIR_FOR_ELIXIR: /home/runner/_work/_temp/.setup-beam/elixir
586:  CARGO_HOME: /home/runner/.cargo
587:  CARGO_INCREMENTAL: 0
588:  CARGO_TERM_COLOR: always
589:  ##[endgroup]
590:  Attempting to download 1.x...
591:  Acquiring v1.28.1 from https://github.com/bazelbuild/bazelisk/releases/download/v1.28.1/bazelisk-linux-amd64
592:  Adding to the cache ...
593:  Successfully cached bazelisk to /home/runner/_work/_tool/bazelisk/1.28.1/x64
594:  Added bazelisk to the path
595:  ##[warning]Failed to restore: Cache service responded with 400
596:  Restored bazelisk cache dir @ /home/runner/.cache/bazelisk
...

662:  env:
663:  BUILDBUDDY_ORG_API_KEY: ***
664:  SRQL_TEST_DATABASE_URL: ***
665:  SRQL_TEST_ADMIN_URL: ***
666:  SRQL_TEST_DATABASE_CA_CERT: 
667:  DOCKERHUB_USERNAME: ***
668:  DOCKERHUB_TOKEN: ***
669:  TEST_CNPG_DATABASE: serviceradar_web_ng_test
670:  INSTALL_DIR_FOR_OTP: /home/runner/_work/_temp/.setup-beam/otp
671:  INSTALL_DIR_FOR_ELIXIR: /home/runner/_work/_temp/.setup-beam/elixir
672:  CARGO_HOME: /home/runner/.cargo
673:  CARGO_INCREMENTAL: 0
674:  CARGO_TERM_COLOR: always
675:  ##[endgroup]
676:  SRQL_TEST_DATABASE_CA_CERT secret must be configured to verify SRQL fixture TLS.
677:  ##[error]Process completed with exit code 1.
678:  Post job cleanup.

qodo-code-review[bot] commented 2026-02-01 04:52:54 +00:00 (Migrated from github.com)
Author
Owner

Imported GitHub PR comment.

Original author: @qodo-code-review[bot]
Original URL: https://github.com/carverauto/serviceradar/pull/2652#issuecomment-3830373935
Original created: 2026-02-01T04:52:54Z

PR Code Suggestions

Explore these optional code suggestions:

Category | Suggestion | Impact
High-level
Consolidate Kubernetes manifests into a single tool

The PR edits both Helm charts and static Kubernetes manifests in k8s/demo/. To
improve maintainability and create a single source of truth, consider managing
all Kubernetes resources exclusively through the Helm chart.

Examples:

k8s/demo/base/serviceradar-netflow-collector.yaml [157]
  externalTrafficPolicy: Local
helm/serviceradar/values-demo.yaml [96-107]
    externalTrafficPolicy: Local

netflowCollector:
  enabled: true
  config:
    stream_max_bytes: 1073741824
  service:
    type: LoadBalancer
    annotations:
      metallb.universe.tf/address-pool: k3s-pool

 ... (clipped 2 lines)

Solution Walkthrough:

Before:

# helm/serviceradar/values-demo.yaml
flowgger:
  externalService:
    externalTrafficPolicy: Local
netflowCollector:
  service:
    externalTrafficPolicy: Local

# k8s/demo/base/serviceradar-netflow-collector.yaml
apiVersion: v1
kind: Service
spec:
  externalTrafficPolicy: Local
  ...

# k8s/demo/prod/serviceradar-flowgger-external.yaml
apiVersion: v1
kind: Service
spec:
  externalTrafficPolicy: Local
  ...

After:

# helm/serviceradar/values-demo.yaml
flowgger:
  externalService:
    externalTrafficPolicy: Local
netflowCollector:
  service:
    externalTrafficPolicy: Local

# The k8s/demo/ directory is removed.
# All manifests are now generated by Helm, for example:
# helm template . -f values-demo.yaml > demo-manifests.yaml
# helm template . -f values-prod.yaml > prod-manifests.yaml

Suggestion importance[1-10]: 9

Why: This is a significant architectural suggestion that correctly identifies a major maintainability issue, as the PR modifies both Helm charts and static manifests for the same purpose, increasing complexity and risk of drift.

High
Possible issue
Only add traffic policy for non-ClusterIP

In the Helm template, add a condition to only set externalTrafficPolicy if the
service type is not ClusterIP, as this field is not supported for ClusterIP
services.

helm/serviceradar/templates/flowgger.yaml [193-195]

-{{- with .Values.flowgger.externalService.externalTrafficPolicy }}
-externalTrafficPolicy: {{ . }}
+{{- if and .Values.flowgger.externalService.externalTrafficPolicy (ne .Values.flowgger.externalService.type "ClusterIP") }}
+  externalTrafficPolicy: {{ .Values.flowgger.externalService.externalTrafficPolicy }}
 {{- end }}
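Review bot: the guard on the added `if and ... (ne .Values.flowgger.externalService.type "ClusterIP")` line only matches the literal string, so a values file that leaves `type` unset is not covered even though Kubernetes treats an unset Service type as ClusterIP. Default the value before comparing, for example `(ne (default "ClusterIP" .Values.flowgger.externalService.type) "ClusterIP")`, or test positively for the LoadBalancer and NodePort types the field is meant for.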
Suggestion importance[1-10]: 7

Why: The suggestion correctly points out that externalTrafficPolicy is invalid for ClusterIP services and provides a valid guard to prevent rendering invalid Kubernetes manifests.

Medium
Skip policy on ClusterIP services

In the Helm template, add a condition to only set externalTrafficPolicy if the
service type is not ClusterIP, as this field is not supported for ClusterIP
services.

helm/serviceradar/templates/netflow-collector.yaml [147-149]

-{{- with .Values.netflowCollector.service.externalTrafficPolicy }}
-externalTrafficPolicy: {{ . }}
+{{- if and .Values.netflowCollector.service.externalTrafficPolicy (ne .Values.netflowCollector.service.type "ClusterIP") }}
+  externalTrafficPolicy: {{ .Values.netflowCollector.service.externalTrafficPolicy }}
 {{- end }}
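Review bot: the added `externalTrafficPolicy:` line is indented two spaces while the removed one carries no indentation, so the depth at which the key renders changes along with the guard. Render the chart with `helm template` for a LoadBalancer and a ClusterIP value set and confirm the key lands as a sibling of the other `spec:` fields; since this is the same guard as in flowgger.yaml, a shared named template would keep the two from drifting.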
Suggestion importance[1-10]: 7

Why: The suggestion correctly points out that externalTrafficPolicy is invalid for ClusterIP services and provides a valid guard to prevent rendering invalid Kubernetes manifests.

Medium
Correct default traffic policy value

Change the default externalTrafficPolicy from Cluster to Local in values.yaml to
align the value with its descriptive comment.

helm/serviceradar/values.yaml [249-260]

     # External service configuration for syslog/NetFlow ingestion from outside the cluster.
     # When enabled, creates a LoadBalancer service separate from the internal ClusterIP.
     externalService:
       enabled: false
       # Service type: LoadBalancer, NodePort, or ClusterIP
       type: LoadBalancer
       # Only advertise from nodes with local endpoints (required for Calico BGP)
-      externalTrafficPolicy: Cluster
+      externalTrafficPolicy: Local
       # Annotations for load balancer configuration (MetalLB, cloud providers, etc.)
       # Example for MetalLB: metallb.universe.tf/address-pool: k3s-pool
       # Example for AWS NLB: service.beta.kubernetes.io/aws-load-balancer-type: nlb
       annotations: {}
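Review bot: flipping the default at `externalTrafficPolicy: Cluster` to `Local` changes behaviour for every install that enables `externalService` without setting the field, while the mismatch being fixed is only in the comment above it. If `Cluster` is meant to stay the chart default, reword the comment instead (for example "Set to Local to only advertise from nodes with local endpoints") and leave `Local` to values-demo.yaml, which already sets it. The `type` comment in the same block still lists ClusterIP as an option, so a `Local` default also depends on the template guard being in place.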

[To ensure code accuracy, apply this suggestion manually]

Suggestion importance[1-10]: 6

Why: The suggestion correctly identifies a contradiction between the comment and the default value for externalTrafficPolicy, which could lead to user confusion and misconfiguration.

Low
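
The guard suggested in the comment above can be exercised with Go's `text/template`, the engine Helm templates are built on. This is an added example, not code from the PR: the `spec:` fragments and the `render` and `emitsPolicy` helpers are constructed for illustration, and only the `with` and `if and ... ne` expressions come from the suggestion.

```go
package main

import (
	"bytes"
	"fmt"
	"strings"
	"text/template"
)

// Constructed Service fragment using the `with` form from the removed lines.
const unguarded = `spec:
  type: {{ .Values.flowgger.externalService.type }}
{{- with .Values.flowgger.externalService.externalTrafficPolicy }}
  externalTrafficPolicy: {{ . }}
{{- end }}
`

// Same fragment with the suggested guard: skip the field when type is ClusterIP.
const guarded = `spec:
  type: {{ .Values.flowgger.externalService.type }}
{{- if and .Values.flowgger.externalService.externalTrafficPolicy (ne .Values.flowgger.externalService.type "ClusterIP") }}
  externalTrafficPolicy: {{ .Values.flowgger.externalService.externalTrafficPolicy }}
{{- end }}
`

// render executes a fragment against a values tree shaped like the chart's values.yaml.
func render(tmpl, svcType, policy string) (string, error) {
	t := template.Must(template.New("svc").Parse(tmpl))
	ext := map[string]interface{}{"type": svcType, "externalTrafficPolicy": policy}
	values := map[string]interface{}{"Values": map[string]interface{}{
		"flowgger": map[string]interface{}{"externalService": ext}}}
	var buf bytes.Buffer
	if err := t.Execute(&buf, values); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// emitsPolicy reports whether the rendered manifest carries the field at all.
func emitsPolicy(tmpl, svcType, policy string) bool {
	out, err := render(tmpl, svcType, policy)
	return err == nil && strings.Contains(out, "externalTrafficPolicy:")
}

func main() {
	for _, typ := range []string{"LoadBalancer", "NodePort", "ClusterIP"} {
		fmt.Printf("%-12s with=%v guarded=%v\n", typ, emitsPolicy(unguarded, typ, "Local"), emitsPolicy(guarded, typ, "Local"))
	}
}
```
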