Fix helm upgrade procedure

[arikalon1]

Add helm values for mutation mode and threshold
Fix readme

Summary by CodeRabbit

• New Features
  • Added configuration options for default mutation mode and update threshold to the Enforcer deployment.
• Bug Fixes
  • Updated the default mutation mode to "ignore" when not explicitly set.
• Documentation
  • Improved and clarified instructions for configuring Robusta account connection, including enhanced examples for secret-based token retrieval.
• Chores
  • Updated Helm chart and container image versions to 0.3.2.
  • Removed automatic rollout restart of the Enforcer deployment during certificate job execution.
  • Added pod annotation to trigger updates based on release revision checksum.

[coderabbitai]

Walkthrough

The changes update documentation for configuring Robusta account connections, adjust the default mutation mode for the enforcer, and introduce new configuration options for mutation mode and update threshold in Helm values. The Helm chart version is incremented, deployment templates are updated with new environment variables and annotations, and certificate job logic is simplified by removing deployment restart steps.

Changes

File(s)	Change Summary
enforcer/README.md	Rewrote and clarified instructions for configuring Robusta account connection, with improved YAML examples.
enforcer/env_vars.py	Changed default value of KRR_MUTATION_MODE_DEFAULT from "enforce" to "ignore".
helm/krr-enforcer/Chart.yaml	Updated version and appVersion from 0.3.1 to 0.3.2.
helm/krr-enforcer/templates/enforcer-cert-job.yaml	Removed logic that checked for and restarted the enforcer deployment after certificate changes.
helm/krr-enforcer/templates/enforcer.yaml	Added pod annotation checksum/cert; introduced KRR_MUTATION_MODE_DEFAULT and UPDATE_THRESHOLD environment vars.
helm/krr-enforcer/values.yaml	Added mutationMode and updateThreshold config options; updated image tag to 0.3.2.

Sequence Diagram(s)

Loading

sequenceDiagram
    participant User
    participant Helm
    participant Kubernetes
    participant Enforcer Pod

    User->>Helm: Install/Upgrade krr-enforcer with values.yaml
    Helm->>Kubernetes: Deploy enforcer.yaml with env vars (mutationMode, updateThreshold)
    Kubernetes->>Enforcer Pod: Start pod with configured environment variables
    Note right of Enforcer Pod: Uses KRR_MUTATION_MODE_DEFAULT ("ignore" by default)\nUses UPDATE_THRESHOLD (default 20.0)

Loading

sequenceDiagram
    participant User
    participant Helm
    participant Kubernetes
    participant CertJobPod

    User->>Helm: Run enforcer-cert-job
    Helm->>Kubernetes: Create cert-job pod
    Kubernetes->>CertJobPod: Generate certs, create secrets, configure webhook
    Note right of CertJobPod: No longer restarts enforcer deployment after cert changes

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Explain this complex logic.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai explain this code block.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and explain its main purpose.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR.
• @coderabbitai generate sequence diagram to generate a sequence diagram of the changes in this PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 2

🧹 Nitpick comments (1)

enforcer/env_vars.py (1)

18-18: Align default mutation mode with Helm values
Changes the code fallback for KRR_MUTATION_MODE_DEFAULT from "enforce" to "ignore", matching the new Helm mutationMode default. Consider validating this value at startup to catch typos or unsupported modes.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between f220c31 and e04844c.

📒 Files selected for processing (6)

• enforcer/README.md (1 hunks)
• enforcer/env_vars.py (1 hunks)
• helm/krr-enforcer/Chart.yaml (1 hunks)
• helm/krr-enforcer/templates/enforcer-cert-job.yaml (0 hunks)
• helm/krr-enforcer/templates/enforcer.yaml (2 hunks)
• helm/krr-enforcer/values.yaml (1 hunks)

💤 Files with no reviewable changes (1)

• helm/krr-enforcer/templates/enforcer-cert-job.yaml

🔇 Additional comments (6)

helm/krr-enforcer/values.yaml (2)

4-7: Introduce Enforcer configuration defaults
Defines global default settings for mutation mode and update threshold, aligning with new environment variables in the enforcer container.

---

13-13: Update container image tag
Bumps the enforcer’s image version from 0.3.1 to 0.3.2, consistent with the Chart.yaml and deployment template.

helm/krr-enforcer/Chart.yaml (1)

6-7: Bump Helm chart and app versions
Synchronizes both version and appVersion fields to 0.3.2, aligning chart metadata with the updated image and configuration.

helm/krr-enforcer/templates/enforcer.yaml (2)

27-27: Add checksum annotation to trigger pod restarts
Includes a SHA256 hash of the release revision to the pod template annotations, ensuring the enforcer pod rolls when certificates change.

---

122-125: Inject new environment variables
Adds KRR_MUTATION_MODE_DEFAULT and UPDATE_THRESHOLD into the container spec, sourcing from .Values, to propagate Helm settings into the running pod. Values are correctly quoted for string-based env vars.

enforcer/README.md (1)

62-69: Clarify Robusta account configuration step
Introduces a new “Configure Robusta Account Connection” section to guide users through account setup. The instructions are concise, but verify that the environment variable names match those consumed by the code.

[coderabbitai]

⚠️ Potential issue

Correct environment variable names in Option B
Docs reference CLUSTER_NAME and ROBUSTA_UI_TOKEN, but the code reads ROBUSTA_ACCOUNT_ID and STORE_* variables. Confirm and align these names to avoid runtime mismatches.

🤖 Prompt for AI Agents

In enforcer/README.md between lines 85 and 96, the environment variable names in
the documentation do not match those used in the code, causing potential runtime
mismatches. Review the code to identify the exact environment variable names it
expects, such as `ROBUSTA_ACCOUNT_ID` and `STORE_*`, then update the README to
use these exact names instead of `CLUSTER_NAME` and `ROBUSTA_UI_TOKEN`. Ensure
the documentation and code use consistent environment variable names to prevent
confusion and errors.

[aantn]

@arikalon1 I assume this is wrong?

[coderabbitai]

Seems like the humans are having a chat. I'll hop back into my burrow for now. If you need me again, just tag @coderabbitai in a new comment, and I'll come hopping out!

[coderabbitai]

🛠️ Refactor suggestion

Refine Option A example to match actual env var names
The placeholder TOKEN_ENV_VAR_NAME may be confusing. Replace it with the concrete variable your deployment uses (e.g., ROBUSTA_UI_TOKEN or STORE_API_KEY) to ensure consistency between docs and code.

🤖 Prompt for AI Agents

In enforcer/README.md around lines 71 to 79, the example uses a placeholder
environment variable name TOKEN_ENV_VAR_NAME, which can be confusing. Replace
TOKEN_ENV_VAR_NAME with a concrete environment variable name that matches your
actual deployment, such as ROBUSTA_UI_TOKEN or STORE_API_KEY, to ensure the
documentation aligns with real usage and avoids ambiguity.

[coderabbitai]

Actionable comments posted: 0

♻️ Duplicate comments (1)

enforcer/README.md (1)

78-82: Correct environment variable names for Option B
The documentation currently shows CLUSTER_NAME and ROBUSTA_UI_TOKEN, but the enforcer code expects ROBUSTA_ACCOUNT_ID and STORE_* variables. Please verify and align the YAML example to use the exact environment variable names to avoid runtime mismatches.

🧹 Nitpick comments (1)

enforcer/README.md (1)

69-69: Insert comma for grammatical correctness
Use a comma before "and" to separate independent clauses:

- this method won’t work and you should use Option B (described below) instead.
+ this method won’t work, and you should use Option B (described below) instead.

🧰 Tools

🪛 LanguageTool

[uncategorized] ~69-~69: Use a comma before ‘and’ if it connects two independent clauses (unless they are closely connected and short).
Context: ...netes-secrets)), this method won’t work and you should use Option B (described belo...

(COMMA_COMPOUND_SENTENCE)

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between e04844c and ebf48a5.

📒 Files selected for processing (1)

• enforcer/README.md (1 hunks)

🧰 Additional context used

🪛 LanguageTool

enforcer/README.md

[uncategorized] ~69-~69: Use a comma before ‘and’ if it connects two independent clauses (unless they are closely connected and short).
Context: ...netes-secrets)), this method won’t work and you should use Option B (described belo...

(COMMA_COMPOUND_SENTENCE)

🔇 Additional comments (4)

enforcer/README.md (4)

62-63: Added a dedicated account-connection step
Inserting "Configure Robusta Account Connection" as step 2 clearly separates prerequisites from installation.

---

64-65: Introductory explanation is clear
This sentence succinctly explains why the Enforcer needs account access before presenting configuration options.

---

66-68: Option A description is well-structured
The "Same Namespace" option is clearly explained and highlights its simplicity for users co-located with Robusta.

---

72-74: Option B section is clear
The heading and description for the different-namespace setup provide clear guidance on when explicit credentials are needed.