From 569aea255f73156951b45274f8b4ee0ec5ad5f23 Mon Sep 17 00:00:00 2001 
From: shankar0123
Date: Sat, 16 May 2026 22:48:47 +0000
Subject: [PATCH] =?UTF-8?q?fix(helm):=20servicemonitor.yaml=20=E2=80=94=20?=
 =?UTF-8?q?Go=20templates=20don't=20support=20nested=20comments=20(B3=20ci?=
 =?UTF-8?q?-guard)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

c70bb07 was incomplete. Replacing the YAML `#` comment block with a Helm `{{- /* ... */ -}}` comment block was correct, but the NOTE section I added explaining the syntax contained the literal characters `*/ -}}` (it described the comment-syntax in prose).

Go templates DO NOT support nested comments. The lexer scans forward from `{{- /*` looking for the FIRST `*/}}` or `*/ -}}` token and treats whatever it finds as the comment terminator. So the literal `*/ -}}` sequence inside my explanatory NOTE closed the comment early, exposing the trailing narrative (which contained `{{ ... }}` as descriptive text about template actions) as live YAML. Helm's template engine then parsed `{{ ... }}` literal text as a real template action whose body is `...` — `unexpected <.> in operand` at servicemonitor.yaml:26.

Verified locally with helm 3.16.0 + the B3-helm-chart-coherence ci-guard:

B3-helm-chart-coherence: clean (default + external-Postgres + cert-manager + production hardening + 3 fail-fast gates + DEPL-003 viaHook env render all green).

Fix: rewrote the NOTE without the literal closing-syntax `*/ -}}` characters and without the `{{ ... }}` action-delimiter examples. The narrative now points operators at docs/operator/helm-deployment.md for the full explanation rather than inlining template-action examples into the chart-template comment block.

Lesson update: descriptive references to Helm template actions inside chart templates must live in Helm-comment blocks (correct) AND those comment blocks must not contain the literal closing-delimiter sequence `*/ -}}` as text (also correct).
When in doubt, narrate the rule from the operator-facing doc, don't inline syntax examples in chart-template comments. --- .../certctl/templates/servicemonitor.yaml | 31 ++++++++----------- 1 file changed, 13 insertions(+), 18 deletions(-) diff --git a/deploy/helm/certctl/templates/servicemonitor.yaml b/deploy/helm/certctl/templates/servicemonitor.yaml index 60279d2..5c58463 100644 --- a/deploy/helm/certctl/templates/servicemonitor.yaml +++ b/deploy/helm/certctl/templates/servicemonitor.yaml 
@@ -47,28 +47,23 @@ spec: Pre-Sprint-6 the default was an implicit insecureSkipVerify true via the template falling through the else branch. Post-Sprint-6 values.yaml ships a real-verify default - (caFile + serverName matching the chart's existingSecret / + (caFile + serverName matching the chart existingSecret / cert-manager-emitted Secret at /etc/prometheus/secrets/ certctl-ca/), so the truthy if-branch below always fires for the default install. Operators who want skipVerify back must override with tlsConfig insecureSkipVerify true explicitly. - Operators who blank tlsConfig entirely (tlsConfig null or - tlsConfig empty-map) hit the else-branch below and trip the - Helm fail directive at chart-render time — there is no way - to inherit the pre-Sprint-6 implicit-skipVerify behavior - silently. - - NOTE: this comment uses Helm's {{- /* ... */ -}} comment - syntax, NOT YAML's # comments. The # form is parsed by YAML - but Helm's template engine still scans for {{ ... }} action - delimiters everywhere in the source text, including inside - YAML comments. Earlier drafts of this block used # comments - that referenced {{ if ... }} and {{ fail }} as descriptive - text — Helm tried to parse those as template actions, hit - invalid # tokens inside the action body, and aborted the - whole chart render. Lesson: descriptive references to - template actions go in Helm-comment blocks, never in YAML - comments. + Operators who blank tlsConfig entirely hit the else-branch + below and trip the Helm fail directive at chart-render time; + there is no way to inherit the pre-Sprint-6 implicit-skip + behavior silently. 
See docs/operator/helm-deployment.md for + the narrative explanation, including the lesson that comment + text referencing Helm template-action delimiters must live + in Helm-style comment blocks (this block), never in YAML + hash-comment blocks — the Helm lexer scans for action + delimiters everywhere in the source text, ignoring YAML + comment markers, so descriptive references to actions inside + YAML hash-comments are reinterpreted as template actions + and abort the entire chart render. */ -}} {{- if .Values.monitoring.serviceMonitor.tlsConfig }} {{- toYaml .Values.monitoring.serviceMonitor.tlsConfig | nindent 8 }}