carverauto/serviceradar

Fork 0

helm updates for flowgger and netflow #2823

Merged

mfreeman451 merged 1 commit from refs/pull/2823/head into staging

2026-02-01 05:23:43 +00:00

mfreeman451 commented

2026-02-01 05:23:26 +00:00

(Migrated from github.com)

Owner

Imported from GitHub pull request.

Original GitHub pull request: #2654
Original author: @mfreeman451
Original URL: https://github.com/carverauto/serviceradar/pull/2654
Original created: 2026-02-01T05:23:26Z
Original updated: 2026-02-01T05:25:00Z
Original head: carverauto/serviceradar:chore/k8s-updates
Original base: staging
Original merged: 2026-02-01T05:23:43Z by @mfreeman451

User description

IMPORTANT: Please sign the Developer Certificate of Origin

Thank you for your contribution to ServiceRadar. Please note, when contributing, the developer must include
a DCO sign-off statement indicating the DCO acceptance in one commit message. Here
is an example DCO Signed-off-by line in a commit message:

Signed-off-by: J. Doe <j.doe@domain.com>

Describe your changes

Issue ticket number and link

Code checklist before requesting a review

I have signed the DCO?
The build completes without errors?
All tests are passing when running make test?

PR Type

Enhancement

Description

Add externalTrafficPolicy configuration to Helm templates for flowgger and netflow services
Update demo values with new IP addresses and pool names for MetalLB
Set externalTrafficPolicy: Local in demo and production Kubernetes manifests
Add documentation comments explaining Calico BGP requirement for traffic policy

Diagram Walkthrough

flowchart LR
  A["Helm Templates"] -->|Add externalTrafficPolicy| B["flowgger.yaml & netflow-collector.yaml"]
  C["Values Files"] -->|Update IPs & pool names| D["values-demo.yaml & values.yaml"]
  E["K8s Manifests"] -->|Set Local policy| F["Demo & Prod Services"]
  B --> G["Enhanced Service Configuration"]
  D --> G
  F --> G

File Walkthrough

Relevant files

Enhancement

flowgger.yaml `Add externalTrafficPolicy to flowgger service` helm/serviceradar/templates/flowgger.yaml Add conditional `externalTrafficPolicy` field to flowgger external service spec Allow configuration via `Values.flowgger.externalService.externalTrafficPolicy` Maintain backward compatibility with conditional rendering	+3/-0
netflow-collector.yaml `Add externalTrafficPolicy to netflow service` helm/serviceradar/templates/netflow-collector.yaml Add conditional `externalTrafficPolicy` field to netflow collector service spec Allow configuration via `Values.netflowCollector.service.externalTrafficPolicy` Maintain backward compatibility with conditional rendering	+3/-0
serviceradar-netflow-collector.yaml `Add externalTrafficPolicy to netflow service` k8s/demo/base/serviceradar-netflow-collector.yaml Add `externalTrafficPolicy: Local` to netflow collector service spec	+1/-0
serviceradar-flowgger-external.yaml `Add externalTrafficPolicy to flowgger service` k8s/demo/prod/serviceradar-flowgger-external.yaml Add `externalTrafficPolicy: Local` to flowgger external service spec	+1/-0

Configuration changes

values.yaml

Add externalTrafficPolicy defaults with documentation

helm/serviceradar/values.yaml

Add externalTrafficPolicy: Cluster default for flowgger external
service
Add externalTrafficPolicy: Cluster default for netflow collector
service
Add documentation comments explaining Calico BGP requirement

+4/-0

values-demo.yaml

Update demo IPs, pools, and traffic policies

helm/serviceradar/values-demo.yaml

Update flowgger loadBalancerIP from 192.168.6.81 to 23.138.124.24
Update netflow loadBalancerIP from 192.168.6.82 to 23.138.124.25
Change MetalLB address pool from k3s-lan-pool to k3s-pool for both
services
Set externalTrafficPolicy: Local for both flowgger and netflow
services

+6/-4

Imported from GitHub pull request. Original GitHub pull request: #2654 Original author: @mfreeman451 Original URL: https://github.com/carverauto/serviceradar/pull/2654 Original created: 2026-02-01T05:23:26Z Original updated: 2026-02-01T05:25:00Z Original head: carverauto/serviceradar:chore/k8s-updates Original base: staging Original merged: 2026-02-01T05:23:43Z by @mfreeman451 --- ### **User description** ## IMPORTANT: Please sign the Developer Certificate of Origin Thank you for your contribution to ServiceRadar. Please note, when contributing, the developer must include a [DCO sign-off statement]( https://developercertificate.org/) indicating the DCO acceptance in one commit message. Here is an example DCO Signed-off-by line in a commit message: ``` Signed-off-by: J. Doe <j.doe@domain.com> ``` ## Describe your changes ## Issue ticket number and link ## Code checklist before requesting a review - [ ] I have signed the DCO? - [ ] The build completes without errors? - [ ] All tests are passing when running make test? ___ ### **PR Type** Enhancement ___ ### **Description** - Add `externalTrafficPolicy` configuration to Helm templates for flowgger and netflow services - Update demo values with new IP addresses and pool names for MetalLB - Set `externalTrafficPolicy: Local` in demo and production Kubernetes manifests - Add documentation comments explaining Calico BGP requirement for traffic policy ___ ### Diagram Walkthrough ```mermaid flowchart LR A["Helm Templates"] -->|Add externalTrafficPolicy| B["flowgger.yaml & netflow-collector.yaml"] C["Values Files"] -->|Update IPs & pool names| D["values-demo.yaml & values.yaml"] E["K8s Manifests"] -->|Set Local policy| F["Demo & Prod Services"] B --> G["Enhanced Service Configuration"] D --> G F --> G ``` <details><summary><h3>File Walkthrough</h3></summary> <table><thead><tr><th></th><th align="left">Relevant files</th></tr></thead><tbody><tr><td>Enhancement</td><td><table> <tr> <td> <details> <summary>flowgger.yaml<dd><code>Add externalTrafficPolicy to flowgger service</code>                        </dd></summary> <hr> helm/serviceradar/templates/flowgger.yaml <ul><li>Add conditional <code>externalTrafficPolicy</code> field to flowgger external service spec <li> Allow configuration via <code>Values.flowgger.externalService.externalTrafficPolicy</code> <li> Maintain backward compatibility with conditional rendering</ul> </details> </td> <td><a href="https://github.com/carverauto/serviceradar/pull/2654/files#diff-511cfbfe42e0c41cd2fddf67a04911b48724ca9ea9f6d1ddc1f4bb7bf07086ab">+3/-0</a>      </td> </tr> <tr> <td> <details> <summary>netflow-collector.yaml<dd><code>Add externalTrafficPolicy to netflow service</code>                          </dd></summary> <hr> helm/serviceradar/templates/netflow-collector.yaml <ul><li>Add conditional <code>externalTrafficPolicy</code> field to netflow collector service spec <li> Allow configuration via <code>Values.netflowCollector.service.externalTrafficPolicy</code> <li> Maintain backward compatibility with conditional rendering</ul> </details> </td> <td><a href="https://github.com/carverauto/serviceradar/pull/2654/files#diff-2caca5e6b4a9d567d04bd326125e554b1f571be0f7746fb6f9144e0a33f65b07">+3/-0</a>      </td> </tr> <tr> <td> <details> <summary>serviceradar-netflow-collector.yaml<dd><code>Add externalTrafficPolicy to netflow service</code>                          </dd></summary> <hr> k8s/demo/base/serviceradar-netflow-collector.yaml <ul><li>Add <code>externalTrafficPolicy: Local</code> to netflow collector service spec</ul> </details> </td> <td><a href="https://github.com/carverauto/serviceradar/pull/2654/files#diff-c29757a23e5f4021c9cd4d6d35a261edf9b56c706188bb24855fafa84454b797">+1/-0</a>      </td> </tr> <tr> <td> <details> <summary>serviceradar-flowgger-external.yaml<dd><code>Add externalTrafficPolicy to flowgger service</code>                        </dd></summary> <hr> k8s/demo/prod/serviceradar-flowgger-external.yaml <ul><li>Add <code>externalTrafficPolicy: Local</code> to flowgger external service spec</ul> </details> </td> <td><a href="https://github.com/carverauto/serviceradar/pull/2654/files#diff-0e3d242dcaf4f3a83adc9de3f7183db6299c50bca47b9cd544ee02dfec263dcf">+1/-0</a>      </td> </tr> </table></td></tr><tr><td>Configuration changes</td><td><table> <tr> <td> <details> <summary>values.yaml<dd><code>Add externalTrafficPolicy defaults with documentation</code>        </dd></summary> <hr> helm/serviceradar/values.yaml <ul><li>Add <code>externalTrafficPolicy: Cluster</code> default for flowgger external service <li> Add <code>externalTrafficPolicy: Cluster</code> default for netflow collector service <li> Add documentation comments explaining Calico BGP requirement</ul> </details> </td> <td><a href="https://github.com/carverauto/serviceradar/pull/2654/files#diff-d4449c7cb70362554b274f81eae5a4b81a8e81df494282e383d1b7ea3871c452">+4/-0</a>      </td> </tr> <tr> <td> <details> <summary>values-demo.yaml<dd><code>Update demo IPs, pools, and traffic policies</code>                          </dd></summary> <hr> helm/serviceradar/values-demo.yaml <ul><li>Update flowgger loadBalancerIP from <code>192.168.6.81</code> to <code>23.138.124.24</code> <li> Update netflow loadBalancerIP from <code>192.168.6.82</code> to <code>23.138.124.25</code> <li> Change MetalLB address pool from <code>k3s-lan-pool</code> to <code>k3s-pool</code> for both services <li> Set <code>externalTrafficPolicy: Local</code> for both flowgger and netflow services</ul> </details> </td> <td><a href="https://github.com/carverauto/serviceradar/pull/2654/files#diff-3a2c6c76ca4d5e8a336cd917d39b1704c03ea94a5cba4da1eb20629c63a5b914">+6/-4</a>      </td> </tr> </table></td></tr></tbody></table> </details> ___

qodo-code-review[bot] commented

2026-02-01 05:23:52 +00:00

(Migrated from github.com)

Author

Owner

Imported GitHub PR comment.

Original author: @qodo-code-review[bot]
Original URL: https://github.com/carverauto/serviceradar/pull/2654#issuecomment-3830402974
Original created: 2026-02-01T05:23:52Z

PR Compliance Guide 🔍

Below is a summary of compliance checks for this PR:

Security Compliance
⚪	Public service exposure Description: The demo Helm values introduce hardcoded public `loadBalancerIP` addresses (`23.138.124.24` and `23.138.124.25`) which can unintentionally expose syslog/NetFlow ingestion endpoints to the public Internet when applied, increasing the risk of unauthorized traffic ingestion, DDoS, or data leakage if these endpoints are not additionally protected (e.g., by source IP restrictions, firewall rules, or private address pools). values-demo.yaml [94-107] Referred Code `metallb.universe.tf/address-pool: k3s-pool loadBalancerIP: "23.138.124.24" externalTrafficPolicy: Local netflowCollector: enabled: true config: stream_max_bytes: 1073741824 service: type: LoadBalancer annotations: metallb.universe.tf/address-pool: k3s-pool loadBalancerIP: "23.138.124.25" externalTrafficPolicy: Local`
Ticket Compliance
⚪	🎫 No ticket provided Create ticket/issue
Codebase Duplication Compliance
⚪	Codebase context is not defined Follow the guide to enable codebase context checks.
Custom Compliance
🟢	Generic: Comprehensive Audit Trails Objective: To create a detailed and reliable record of critical system actions for security analysis and compliance. Status: Passed Learn more about managing compliance generic rules or creating your own custom rules
	Generic: Meaningful Naming and Self-Documenting Code Objective: Ensure all identifiers clearly express their purpose and intent, making code self-documenting Status: Passed Learn more about managing compliance generic rules or creating your own custom rules
	Generic: Robust Error Handling and Edge Case Management Objective: Ensure comprehensive error handling that provides meaningful context and graceful degradation Status: Passed Learn more about managing compliance generic rules or creating your own custom rules
	Generic: Secure Error Handling Objective: To prevent the leakage of sensitive system information through error messages while providing sufficient detail for internal debugging. Status: Passed Learn more about managing compliance generic rules or creating your own custom rules
	Generic: Secure Logging Practices Objective: To ensure logs are useful for debugging and auditing without exposing sensitive information like PII, PHI, or cardholder data. Status: Passed Learn more about managing compliance generic rules or creating your own custom rules
	Generic: Security-First Input Validation and Data Handling Objective: Ensure all data inputs are validated, sanitized, and handled securely to prevent vulnerabilities Status: Passed Learn more about managing compliance generic rules or creating your own custom rules

Compliance status legend

🟢 - Fully Compliant
🟡 - Partial Compliant
🔴 - Not Compliant
⚪ - Requires Further Human Verification
🏷️ - Compliance label

Imported GitHub PR comment. Original author: @qodo-code-review[bot] Original URL: https://github.com/carverauto/serviceradar/pull/2654#issuecomment-3830402974 Original created: 2026-02-01T05:23:52Z --- ## PR Compliance Guide 🔍  Below is a summary of compliance checks for this PR: <table><tbody><tr><td colspan='2'>Security Compliance</td></tr> <tr><td rowspan=1>⚪</td> <td><details><summary>Public service exposure </summary> Description: The demo Helm values introduce hardcoded public <code>loadBalancerIP</code> addresses (<code>23.138.124.24</code> and <code>23.138.124.25</code>) which can unintentionally expose syslog/NetFlow ingestion endpoints to the public Internet when applied, increasing the risk of unauthorized traffic ingestion, DDoS, or data leakage if these endpoints are not additionally protected (e.g., by source IP restrictions, firewall rules, or private address pools). <a href='https://github.com/carverauto/serviceradar/pull/2654/files#diff-3a2c6c76ca4d5e8a336cd917d39b1704c03ea94a5cba4da1eb20629c63a5b914R94-R107'>values-demo.yaml [94-107]</a> <details open><summary>Referred Code</summary> ```yaml metallb.universe.tf/address-pool: k3s-pool loadBalancerIP: "23.138.124.24" externalTrafficPolicy: Local netflowCollector: enabled: true config: stream_max_bytes: 1073741824 service: type: LoadBalancer annotations: metallb.universe.tf/address-pool: k3s-pool loadBalancerIP: "23.138.124.25" externalTrafficPolicy: Local ``` </details></details></td></tr> <tr><td colspan='2'>Ticket Compliance</td></tr> <tr><td>⚪</td><td><details><summary>🎫 No ticket provided </summary> - [ ] Create ticket/issue  </details></td></tr> <tr><td colspan='2'>Codebase Duplication Compliance</td></tr> <tr><td>⚪</td><td><details><summary>Codebase context is not defined </summary> Follow the <a href='https://qodo-merge-docs.qodo.ai/core-abilities/rag_context_enrichment/'>guide</a> to enable codebase context checks. </details></td></tr> <tr><td colspan='2'>Custom Compliance</td></tr> <tr><td rowspan=6>🟢</td><td> <details><summary>Generic: Comprehensive Audit Trails</summary> **Objective:** To create a detailed and reliable record of critical system actions for security analysis and compliance. **Status:** Passed > Learn more about managing compliance <a href='https://qodo-merge-docs.qodo.ai/tools/compliance/#configuration-options'>generic rules</a> or creating your own <a href='https://qodo-merge-docs.qodo.ai/tools/compliance/#custom-compliance'>custom rules</a> </details></td></tr> <tr><td> <details><summary>Generic: Meaningful Naming and Self-Documenting Code</summary> **Objective:** Ensure all identifiers clearly express their purpose and intent, making code self-documenting **Status:** Passed > Learn more about managing compliance <a href='https://qodo-merge-docs.qodo.ai/tools/compliance/#configuration-options'>generic rules</a> or creating your own <a href='https://qodo-merge-docs.qodo.ai/tools/compliance/#custom-compliance'>custom rules</a> </details></td></tr> <tr><td> <details><summary>Generic: Robust Error Handling and Edge Case Management</summary> **Objective:** Ensure comprehensive error handling that provides meaningful context and graceful degradation **Status:** Passed > Learn more about managing compliance <a href='https://qodo-merge-docs.qodo.ai/tools/compliance/#configuration-options'>generic rules</a> or creating your own <a href='https://qodo-merge-docs.qodo.ai/tools/compliance/#custom-compliance'>custom rules</a> </details></td></tr> <tr><td> <details><summary>Generic: Secure Error Handling</summary> **Objective:** To prevent the leakage of sensitive system information through error messages while providing sufficient detail for internal debugging. **Status:** Passed > Learn more about managing compliance <a href='https://qodo-merge-docs.qodo.ai/tools/compliance/#configuration-options'>generic rules</a> or creating your own <a href='https://qodo-merge-docs.qodo.ai/tools/compliance/#custom-compliance'>custom rules</a> </details></td></tr> <tr><td> <details><summary>Generic: Secure Logging Practices</summary> **Objective:** To ensure logs are useful for debugging and auditing without exposing sensitive information like PII, PHI, or cardholder data. **Status:** Passed > Learn more about managing compliance <a href='https://qodo-merge-docs.qodo.ai/tools/compliance/#configuration-options'>generic rules</a> or creating your own <a href='https://qodo-merge-docs.qodo.ai/tools/compliance/#custom-compliance'>custom rules</a> </details></td></tr> <tr><td> <details><summary>Generic: Security-First Input Validation and Data Handling</summary> **Objective:** Ensure all data inputs are validated, sanitized, and handled securely to prevent vulnerabilities **Status:** Passed > Learn more about managing compliance <a href='https://qodo-merge-docs.qodo.ai/tools/compliance/#configuration-options'>generic rules</a> or creating your own <a href='https://qodo-merge-docs.qodo.ai/tools/compliance/#custom-compliance'>custom rules</a> </details></td></tr> <tr><td align="center" colspan="2">   </td></tr></tbody></table> <details><summary>Compliance status legend</summary> 🟢 - Fully Compliant 🟡 - Partial Compliant 🔴 - Not Compliant ⚪ - Requires Further Human Verification 🏷️ - Compliance label </details>

qodo-code-review[bot] commented

2026-02-01 05:25:00 +00:00

(Migrated from github.com)

Author

Owner

Imported GitHub PR comment.

Original author: @qodo-code-review[bot]
Original URL: https://github.com/carverauto/serviceradar/pull/2654#issuecomment-3830404070
Original created: 2026-02-01T05:25:00Z

PR Code Suggestions ✨

Explore these optional code suggestions:

Category	Suggestion	Impact
Possible issue	Prevent invalid Kubernetes service manifest Conditionally render the `externalTrafficPolicy` field only when the service type is not `ClusterIP` to prevent Kubernetes API validation errors during Helm installation. helm/serviceradar/templates/netflow-collector.yaml [145-152] spec: type: {{ .Values.netflowCollector.service.type \| default "ClusterIP" }} - {{- with .Values.netflowCollector.service.externalTrafficPolicy }} - externalTrafficPolicy: {{ . }} + {{- if and .Values.netflowCollector.service.externalTrafficPolicy (ne (.Values.netflowCollector.service.type \| default "ClusterIP") "ClusterIP") }} + externalTrafficPolicy: {{ .Values.netflowCollector.service.externalTrafficPolicy }} {{- end }} {{- if .Values.netflowCollector.service.loadBalancerIP }} loadBalancerIP: {{ .Values.netflowCollector.service.loadBalancerIP \| quote }} {{- end }} Apply / Chat Suggestion importance[1-10]: 9 __ Why: This suggestion correctly identifies a bug where `helm install` would fail with default values because `externalTrafficPolicy` is invalid for the default service type `ClusterIP`. The proposed fix prevents this deployment failure, making it a critical correction.	High
	Fix template field indentation Replace the `with` block with an `if` block and add proper indentation to ensure the `externalTrafficPolicy` field is rendered correctly in the final YAML. helm/serviceradar/templates/flowgger.yaml [193-195] `-{{- with .Values.flowgger.externalService.externalTrafficPolicy }} -externalTrafficPolicy: {{ . }} +{{- if .Values.flowgger.externalService.externalTrafficPolicy }} + externalTrafficPolicy: {{ . }} {{- end }}` Apply / Chat Suggestion importance[1-10]: 5 __ Why: The suggestion correctly points out that the current `{{- with ... }}` block with a leading space on the next line will produce incorrect YAML indentation. The proposed fix using `{{- if ... }}` and adding indentation is a necessary correction for the Helm template to be valid.	Low
	Correct YAML indentation in template Replace the `with` block with an `if` block and add proper indentation to ensure the `externalTrafficPolicy` field is correctly aligned in the generated service manifest. helm/serviceradar/templates/netflow-collector.yaml [147-149] `-{{- with .Values.netflowCollector.service.externalTrafficPolicy }} -externalTrafficPolicy: {{ . }} +{{- if .Values.netflowCollector.service.externalTrafficPolicy }} + externalTrafficPolicy: {{ . }} {{- end }}` Apply / Chat Suggestion importance[1-10]: 5 __ Why: The suggestion correctly identifies that the current `{{- with ... }}` block combined with a leading space on the next line will generate invalid YAML due to incorrect indentation. The proposed fix using `{{- if ... }}` and adding indentation is required for the Helm template to function correctly.	Low
High-level	Consolidate Kubernetes manifests into Helm The suggestion recommends consolidating Kubernetes configurations into Helm charts. It points out that maintaining both Helm and static manifests increases overhead and risks inconsistencies. Examples: k8s/demo/base/serviceradar-netflow-collector.yaml [157] `externalTrafficPolicy: Local` helm/serviceradar/values-demo.yaml [107] `externalTrafficPolicy: Local` Solution Walkthrough: Before: `# The same configuration is applied in two separate systems. # In helm/serviceradar/values-demo.yaml netflowCollector: service: ... externalTrafficPolicy: Local # In k8s/demo/base/serviceradar-netflow-collector.yaml apiVersion: v1 kind: Service ... spec: ... externalTrafficPolicy: Local ...` After: `# Configuration is consolidated into a single system (Helm). # In helm/serviceradar/values-demo.yaml # This becomes the single source of truth for deployment. netflowCollector: service: ... externalTrafficPolicy: Local # The file k8s/demo/base/serviceradar-netflow-collector.yaml # is removed, and deployments are generated from the Helm chart.` Suggestion importance[1-10]: 7 __ Why: The suggestion correctly identifies a significant architectural issue of maintaining parallel Helm and static Kubernetes configurations, which the PR perpetuates, and proposes a valid long-term solution.	Medium
General	Clarify default policy comment Update the comment for `externalTrafficPolicy` to clarify that the default is `Cluster` and explain when to set it to `Local`. helm/serviceradar/values.yaml [255-256] `-# Only advertise from nodes with local endpoints (required for Calico BGP) +# Set to 'Local' to only advertise from nodes with local endpoints (required for Calico BGP) externalTrafficPolicy: Cluster` Apply / Chat Suggestion importance[1-10]: 6 __ Why: The suggestion correctly identifies that the comment for `externalTrafficPolicy` is misleading, as it describes the behavior of `Local` while the default value is `Cluster`. Fixing this improves clarity and prevents potential misconfiguration by users.	Low
More

Imported GitHub PR comment. Original author: @qodo-code-review[bot] Original URL: https://github.com/carverauto/serviceradar/pull/2654#issuecomment-3830404070 Original created: 2026-02-01T05:25:00Z --- ## PR Code Suggestions ✨  Explore these optional code suggestions: <table><thead><tr><td>Category</td><td align=left>Suggestion                                                                                                                                    </td><td align=center>Impact</td></tr><tbody><tr><td rowspan=3>Possible issue</td> <td> <details><summary>Prevent invalid Kubernetes service manifest</summary> ___ **Conditionally render the <code>externalTrafficPolicy</code> field only when the service type is not <code>ClusterIP</code> to prevent Kubernetes API validation errors during Helm installation.** [helm/serviceradar/templates/netflow-collector.yaml [145-152]](https://github.com/carverauto/serviceradar/pull/2654/files#diff-2caca5e6b4a9d567d04bd326125e554b1f571be0f7746fb6f9144e0a33f65b07R145-R152) ```diff spec: type: {{ .Values.netflowCollector.service.type | default "ClusterIP" }} - {{- with .Values.netflowCollector.service.externalTrafficPolicy }} - externalTrafficPolicy: {{ . }} + {{- if and .Values.netflowCollector.service.externalTrafficPolicy (ne (.Values.netflowCollector.service.type | default "ClusterIP") "ClusterIP") }} + externalTrafficPolicy: {{ .Values.netflowCollector.service.externalTrafficPolicy }} {{- end }} {{- if .Values.netflowCollector.service.loadBalancerIP }} loadBalancerIP: {{ .Values.netflowCollector.service.loadBalancerIP | quote }} {{- end }} ``` - [ ] **Apply / Chat**  <details><summary>Suggestion importance[1-10]: 9</summary> __ Why: This suggestion correctly identifies a bug where `helm install` would fail with default values because `externalTrafficPolicy` is invalid for the default service type `ClusterIP`. The proposed fix prevents this deployment failure, making it a critical correction. </details></details></td><td align=center>High </td></tr><tr><td> <details><summary>Fix template field indentation</summary> ___ **Replace the <code>with</code> block with an <code>if</code> block and add proper indentation to ensure the <code>externalTrafficPolicy</code> field is rendered correctly in the final YAML.** [helm/serviceradar/templates/flowgger.yaml [193-195]](https://github.com/carverauto/serviceradar/pull/2654/files#diff-511cfbfe42e0c41cd2fddf67a04911b48724ca9ea9f6d1ddc1f4bb7bf07086abR193-R195) ```diff -{{- with .Values.flowgger.externalService.externalTrafficPolicy }} -externalTrafficPolicy: {{ . }} +{{- if .Values.flowgger.externalService.externalTrafficPolicy }} + externalTrafficPolicy: {{ . }} {{- end }} ``` - [ ] **Apply / Chat**  <details><summary>Suggestion importance[1-10]: 5</summary> __ Why: The suggestion correctly points out that the current `{{- with ... }}` block with a leading space on the next line will produce incorrect YAML indentation. The proposed fix using `{{- if ... }}` and adding indentation is a necessary correction for the Helm template to be valid. </details></details></td><td align=center>Low </td></tr><tr><td> <details><summary>Correct YAML indentation in template</summary> ___ **Replace the <code>with</code> block with an <code>if</code> block and add proper indentation to ensure the <code>externalTrafficPolicy</code> field is correctly aligned in the generated service manifest.** [helm/serviceradar/templates/netflow-collector.yaml [147-149]](https://github.com/carverauto/serviceradar/pull/2654/files#diff-2caca5e6b4a9d567d04bd326125e554b1f571be0f7746fb6f9144e0a33f65b07R147-R149) ```diff -{{- with .Values.netflowCollector.service.externalTrafficPolicy }} -externalTrafficPolicy: {{ . }} +{{- if .Values.netflowCollector.service.externalTrafficPolicy }} + externalTrafficPolicy: {{ . }} {{- end }} ``` - [ ] **Apply / Chat**  <details><summary>Suggestion importance[1-10]: 5</summary> __ Why: The suggestion correctly identifies that the current `{{- with ... }}` block combined with a leading space on the next line will generate invalid YAML due to incorrect indentation. The proposed fix using `{{- if ... }}` and adding indentation is required for the Helm template to function correctly. </details></details></td><td align=center>Low </td></tr><tr><td rowspan=1>High-level</td> <td> <details><summary>Consolidate Kubernetes manifests into Helm</summary> ___ **The suggestion recommends consolidating Kubernetes configurations into Helm charts. It points out that maintaining both Helm and static manifests increases overhead and risks inconsistencies.** ### Examples: <details> <summary> <a href="https://github.com/carverauto/serviceradar/pull/2654/files#diff-c29757a23e5f4021c9cd4d6d35a261edf9b56c706188bb24855fafa84454b797R157-R157">k8s/demo/base/serviceradar-netflow-collector.yaml [157]</a> </summary> ```yaml externalTrafficPolicy: Local ``` </details> <details> <summary> <a href="https://github.com/carverauto/serviceradar/pull/2654/files#diff-3a2c6c76ca4d5e8a336cd917d39b1704c03ea94a5cba4da1eb20629c63a5b914R107-R107">helm/serviceradar/values-demo.yaml [107]</a> </summary> ```yaml externalTrafficPolicy: Local ``` </details> ### Solution Walkthrough: #### Before: ```yaml # The same configuration is applied in two separate systems. # In helm/serviceradar/values-demo.yaml netflowCollector: service: ... externalTrafficPolicy: Local # In k8s/demo/base/serviceradar-netflow-collector.yaml apiVersion: v1 kind: Service ... spec: ... externalTrafficPolicy: Local ... ``` #### After: ```yaml # Configuration is consolidated into a single system (Helm). # In helm/serviceradar/values-demo.yaml # This becomes the single source of truth for deployment. netflowCollector: service: ... externalTrafficPolicy: Local # The file k8s/demo/base/serviceradar-netflow-collector.yaml # is removed, and deployments are generated from the Helm chart. ``` <details><summary>Suggestion importance[1-10]: 7</summary> __ Why: The suggestion correctly identifies a significant architectural issue of maintaining parallel Helm and static Kubernetes configurations, which the PR perpetuates, and proposes a valid long-term solution. </details></details></td><td align=center>Medium </td></tr><tr><td rowspan=1>General</td> <td> <details><summary>Clarify default policy comment</summary> ___ **Update the comment for <code>externalTrafficPolicy</code> to clarify that the default is <code>Cluster</code> and explain when to set it to <code>Local</code>.** [helm/serviceradar/values.yaml [255-256]](https://github.com/carverauto/serviceradar/pull/2654/files#diff-d4449c7cb70362554b274f81eae5a4b81a8e81df494282e383d1b7ea3871c452R255-R256) ```diff -# Only advertise from nodes with local endpoints (required for Calico BGP) +# Set to 'Local' to only advertise from nodes with local endpoints (required for Calico BGP) externalTrafficPolicy: Cluster ``` - [ ] **Apply / Chat**  <details><summary>Suggestion importance[1-10]: 6</summary> __ Why: The suggestion correctly identifies that the comment for `externalTrafficPolicy` is misleading, as it describes the behavior of `Local` while the default value is `Cluster`. Fixing this improves clarity and prevents potential misconfiguration by users. </details></details></td><td align=center>Low </td></tr> <tr><td align="center" colspan="2"> - [ ] More  </td><td></td></tr></tbody></table>