fix(helm): servicemonitor.yaml — Go templates don't support nested comments (B3 ci-guard)

c70bb07 was incomplete. Replacing the YAML `#` comment block with a
Helm `{{- /* ... */ -}}` comment block was correct, but the NOTE
section I added explaining the syntax contained the literal
characters `*/ -}}` (it described the comment-syntax in prose).

Go templates DO NOT support nested comments. The lexer scans forward
from `{{- /*` looking for the FIRST `*/}}` or `*/ -}}` token and
treats whatever it finds as the comment terminator. So the literal
`*/ -}}` sequence inside my explanatory NOTE closed the comment
early, exposing the trailing narrative (which contained `{{ ... }}`
as descriptive text about template actions) as live YAML. Helm's
template engine then parsed `{{ ... }}` literal text as a real
template action whose body is `...` — `unexpected <.> in operand`
at servicemonitor.yaml:26.

Verified locally with helm 3.16.0 + the B3-helm-chart-coherence
ci-guard:
  B3-helm-chart-coherence: clean (default + external-Postgres +
  cert-manager + production hardening + 3 fail-fast gates +
  DEPL-003 viaHook env render all green).

Fix: rewrote the NOTE without the literal closing-syntax `*/ -}}`
characters and without the `{{ ... }}` action-delimiter examples.
The narrative now points operators at docs/operator/helm-deployment.md
for the full explanation rather than inlining template-action examples
into the chart-template comment block.

Lesson update: descriptive references to Helm template actions inside
chart templates must live in Helm-comment blocks (correct) AND those
comment blocks must not contain the literal closing-delimiter sequence
`*/ -}}` as text (also correct). When in doubt, narrate the rule from
the operator-facing doc, don't inline syntax examples in chart-template
comments.
shankar0123
2026-05-16 22:48:47 +00:00
parent c70bb071f9
commit 569aea255f
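The failure mode described in the commit message, as an added example that is not part of this commit or the project's code: constructed template strings are run through Go's `text/template` parser (the engine Helm renders with), next to a small heuristic check for a comment opener repeated inside a comment body or a closer left outside any comment. The names `broken`, `fixed`, `lintComments` and `parseErr` are hypothetical.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
	"text/template"
)

// Constructed samples, not the chart's real template text.
const broken = "{{- /*\n  NOTE: this block uses the {{- /* ... */ -}} comment form.\n" +
	"  Actions such as {{ ... }} are only described here.\n*/ -}}\nkey: value\n"
const fixed = "{{- /*\n  NOTE: this block uses the Helm comment form.\n*/ -}}\nkey: value\n"

// comment matches an opener through the FIRST "*/", which is where the lexer stops.
var comment = regexp.MustCompile(`(?s)\{\{(?:- )?/\*(.*?)\*/`)
var closer = regexp.MustCompile(`\*/(?: -)?\}\}`)

// lintComments (hypothetical helper, a heuristic) returns 1-based line numbers
// where a comment body repeats "/*" or where a closer sits outside any comment.
func lintComments(src string) []int {
	var hits []int
	line := func(off int) int { return 1 + strings.Count(src[:off], "\n") }
	n, prev := len(src), 0
	// A sentinel span at end-of-input makes the loop scan the tail as well.
	spans := append(comment.FindAllStringSubmatchIndex(src, -1), []int{n, n, n, n})
	for _, m := range spans {
		for _, c := range closer.FindAllStringIndex(src[prev:m[0]], -1) {
			hits = append(hits, line(prev+c[0])) // closer outside any comment
		}
		if i := strings.Index(src[m[2]:m[3]], "/*"); i >= 0 {
			hits = append(hits, line(m[2]+i)) // opener repeated inside a body
		}
		prev = m[1]
	}
	return hits
}

// parseErr runs the real parser so the lint result can be compared with it.
func parseErr(src string) error {
	_, err := template.New("servicemonitor.yaml").Parse(src)
	return err
}

func main() {
	fmt.Println(lintComments(broken), parseErr(broken))
	fmt.Println(lintComments(fixed), parseErr(fixed))
}
```

The check only looks at comment markers, so it can run on chart templates before `helm template` without defining Helm's template functions.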
@@ -47,28 +47,23 @@ spec:
Pre-Sprint-6 the default was an implicit insecureSkipVerify Pre-Sprint-6 the default was an implicit insecureSkipVerify
true via the template falling through the else branch. true via the template falling through the else branch.
Post-Sprint-6 values.yaml ships a real-verify default Post-Sprint-6 values.yaml ships a real-verify default
(caFile + serverName matching the chart's existingSecret / (caFile + serverName matching the chart existingSecret /
cert-manager-emitted Secret at /etc/prometheus/secrets/ cert-manager-emitted Secret at /etc/prometheus/secrets/
certctl-ca/), so the truthy if-branch below always fires for certctl-ca/), so the truthy if-branch below always fires for
the default install. Operators who want skipVerify back must the default install. Operators who want skipVerify back must
override with tlsConfig insecureSkipVerify true explicitly. override with tlsConfig insecureSkipVerify true explicitly.
Operators who blank tlsConfig entirely (tlsConfig null or Operators who blank tlsConfig entirely hit the else-branch
tlsConfig empty-map) hit the else-branch below and trip the below and trip the Helm fail directive at chart-render time;
Helm fail directive at chart-render time — there is no way there is no way to inherit the pre-Sprint-6 implicit-skip
to inherit the pre-Sprint-6 implicit-skipVerify behavior behavior silently. See docs/operator/helm-deployment.md for
silently. the narrative explanation, including the lesson that comment
text referencing Helm template-action delimiters must live
NOTE: this comment uses Helm's {{- /* ... */ -}} comment in Helm-style comment blocks (this block), never in YAML
syntax, NOT YAML's # comments. The # form is parsed by YAML hash-comment blocks — the Helm lexer scans for action
but Helm's template engine still scans for {{ ... }} action delimiters everywhere in the source text, ignoring YAML
delimiters everywhere in the source text, including inside comment markers, so descriptive references to actions inside
YAML comments. Earlier drafts of this block used # comments YAML hash-comments are reinterpreted as template actions
that referenced {{ if ... }} and {{ fail }} as descriptive and abort the entire chart render.
text — Helm tried to parse those as template actions, hit
invalid # tokens inside the action body, and aborted the
whole chart render. Lesson: descriptive references to
template actions go in Helm-comment blocks, never in YAML
comments.
*/ -}} */ -}}
{{- if .Values.monitoring.serviceMonitor.tlsConfig }} {{- if .Values.monitoring.serviceMonitor.tlsConfig }}
{{- toYaml .Values.monitoring.serviceMonitor.tlsConfig | nindent 8 }} {{- toYaml .Values.monitoring.serviceMonitor.tlsConfig | nindent 8 }}
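Review bot: the rewritten comment body, in its closing sentences ("must live in Helm-style comment blocks (this block), never in YAML hash-comment blocks"), records only the YAML hash-comment rule and not the one this change exists for: the body of a Helm comment block must never contain the comment-closing character sequence itself, which is what the removed NOTE did by quoting the comment form. Add one sentence stating that rule in words, without the characters, so the next person editing this block sees it where the mistake gets made and not only in docs/operator/helm-deployment.md. Separately, the new text drops the parenthetical "(tlsConfig null or tlsConfig empty-map)" after "Operators who blank tlsConfig entirely"; it contains no delimiter characters and tells operators which values trip the fail directive, so it can stay.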