Initial ctrlc-sync helm chart #27

Merged
dacbd merged 7 commits into `main` from `dacbd/ctrlc-sync-init`
Feb 14, 2026

@dacbd (Collaborator) commented Feb 14, 2026

This is an initial release/setup.

I have plans to allow you to configure the other scanners, making more of the settings modular.

Summary by CodeRabbit

  • New Features
    • Added a Helm chart to deploy ctrlc-sync with chart metadata and packaging.
    • Optional RBAC support: ClusterRole and ClusterRoleBinding with service account handling.
    • Flexible API key support: secret-backed or literal values and configurable environment variables.
    • CronJob-based sync jobs with schedule, concurrency, resource and lifecycle controls.
    • Packaging ignore rules to exclude VCS, IDE, backup and temp files from chart packages.

coderabbitai bot commented Feb 14, 2026

Warning

Rate limit exceeded

@dacbd has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 15 minutes and 37 seconds before requesting another review.

📝 Walkthrough

Adds a new Helm chart ctrlc-sync with packaging config, template helpers, environment rendering, RBAC manifests, a CronJob workload, Secret/ServiceAccount templates, and a comprehensive values.yaml scaffold.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Chart metadata & packaging: `charts/ctrlc-sync/.helmignore`, `charts/ctrlc-sync/Chart.yaml` | New Chart.yaml (apiVersion: v2, name: ctrlc-sync, version 0.1.0, appVersion v0.16.2, maintainer) and .helmignore with VCS, editor, backup/temp patterns. |
| Helpers & env rendering: `charts/ctrlc-sync/templates/_helpers.tpl`, `charts/ctrlc-sync/templates/_env.tpl` | Adds Helm helpers for name/fullname, chart id, secret name, labels, selector labels, serviceAccount and RBAC resource names; new env block emits CTRLPLANE_* vars with map vs scalar handling and secretKeyRef for apiKey. |
| RBAC templates: `charts/ctrlc-sync/templates/clusterroles.yaml`, `charts/ctrlc-sync/templates/clusterrolebinding.yaml` | Conditional ClusterRole and ClusterRoleBinding templates (render when .Values.rbac.enabled), using helpers for names/labels; ClusterRole includes rules for apps and namespaces. |
| Workload & support resources: `charts/ctrlc-sync/templates/cronjob.yaml`, `charts/ctrlc-sync/templates/secret.yaml`, `charts/ctrlc-sync/templates/serviceaccount.yaml` | CronJob template with configurable schedule, job/pod spec, image, envs, volumes, security contexts, tolerations, imagePull settings; Secret for scalar ctrlc.apiKey; optional ServiceAccount creation. |
| Defaults & configuration: `charts/ctrlc-sync/values.yaml` | Adds comprehensive values.yaml with defaults and examples for ctrlc settings, cron/job options, RBAC toggle, image, serviceAccount, resources, volumes, scheduling, and pod security contexts. |

Sequence Diagram(s)

```mermaid
sequenceDiagram
    participant Helm as Helm (templates)
    participant K8s as Kubernetes API
    participant Secret as Secret
    participant SA as ServiceAccount
    participant RBAC as ClusterRole/Binding
    participant Cron as CronJob/Job/Pod
    Helm->>K8s: Install chart (Chart.yaml, templates, values)
    K8s->>Secret: Create Secret (apiKey) [if scalar]
    K8s->>SA: Create ServiceAccount (if .Values.serviceAccount.create)
    K8s->>RBAC: Create ClusterRole & ClusterRoleBinding (if .Values.rbac.enabled)
    K8s->>Cron: Create CronJob resource
    Cron->>K8s: Schedule Job -> create Pod
    Pod->>Secret: Read apiKey via env or secretKeyRef
    Pod->>SA: Run under ServiceAccount
```

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐇 I stitched a chart beneath the moon,
Templates hummed and secrets tuned,
CronJobs drum a steady beat,
Helpers name each pod we meet,
A rabbit cheers — deploys complete.

🚥 Pre-merge checks | ✅ 4

✅ Passed checks (4 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title clearly and concisely summarizes the main change: the initial setup of a new ctrlc-sync Helm chart. It is specific, directly related to the changeset content, and accurately reflects the primary purpose of the pull request. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Merge Conflict Detection | ✅ Passed | ✅ No merge conflicts detected when merging into main |

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 3

🤖 Fix all issues with AI agents
In `@charts/ctrlc-sync/templates/cronjob.yaml`:
- Around line 37-93: The pod template in the CronJob template is missing
restartPolicy which causes the API server to reject the manifest; update the pod
spec in charts/ctrlc-sync/templates/cronjob.yaml (inside the template -> spec
block where containers, volumes, nodeSelector, etc. are defined) to set
restartPolicy: {{ .Values.job.restartPolicy }} and add a corresponding default
in values.yaml (e.g., job.restartPolicy with a value of "OnFailure" or "Never");
ensure the restartPolicy is validated to only allow "OnFailure" or "Never" for
Job/CronJob pods.

In `@charts/ctrlc-sync/values.yaml`:
- Around line 94-102: The comment text in values.yaml incorrectly references
"Deployment"; update the two comment lines associated with the values keys
volumes and volumeMounts in the ctrlc-sync chart so they say "CronJob" (e.g.,
"Additional volumes on the CronJob definition" and "Additional volumeMounts on
the CronJob definition") to accurately reflect the resource created by this
chart.
- Around line 3-11: The Kubernetes API type in the docs comment is incorrect:
the example showing apiKey -> valueFrom -> secretKeyRef corresponds to
EnvVarSource (not EnvFromSource); update the reference/link and any mention in
the comment to point to EnvVarSource (and its docs URL) and keep the example
keys (apiKey, valueFrom, secretKeyRef) as-is so readers can find the correct
pattern.
🧹 Nitpick comments (2)
charts/ctrlc-sync/templates/cronjob.yaml (1)

54-63: Consider setting secure defaults for security contexts.

Trivy flags that the CronJob uses a default security context, which allows root privileges and writable root filesystem. While the template supports overriding via podSecurityContext and securityContext values, shipping secure defaults would be a better baseline.

🔒 Suggested default values

In values.yaml, consider adding:

```yaml
podSecurityContext:
  runAsNonRoot: true
  seccompProfile:
    type: RuntimeDefault

securityContext:
  allowPrivilegeEscalation: false
  readOnlyRootFilesystem: true
  capabilities:
    drop:
      - ALL
```

charts/ctrlc-sync/values.yaml (1)

71-80: Consider enabling security defaults instead of leaving them commented out.

For a production-ready chart, enabling runAsNonRoot: true and dropping all capabilities by default would be a stronger security posture. Currently these are only commented-out examples, so users who don't customize will run with no security context restrictions.
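
A check for the security-context values suggested in the review above, as an added example (not code from this PR or from CodeRabbit): it audits each container of a rendered CronJob and reports which controls are missing. It assumes the rendered manifest has been converted to JSON; `Audit`, the sample manifests and the container name `sync` are constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
)

type secCtx struct { // fields named in the review; a nil pointer means the field is unset
	RunAsNonRoot, AllowPrivilegeEscalation, ReadOnlyRootFilesystem *bool
	Capabilities                                                   struct{ Drop []string }
}

type podSpec struct { // the part of spec.jobTemplate.spec.template.spec that Audit reads
	SecurityContext secCtx
	Containers      []struct{ Name string; SecurityContext secCtx }
}

// Constructed samples (the container name is made up): no hardening, then the suggested values.
const bare = `{"spec":{"jobTemplate":{"spec":{"template":{"spec":{"containers":[{"name":"sync"}]}}}}}}`
const hardened = `{"spec":{"jobTemplate":{"spec":{"template":{"spec":{"securityContext":{"runAsNonRoot":true},"containers":[{"name":"sync",
 "securityContext":{"allowPrivilegeEscalation":false,"readOnlyRootFilesystem":true,"capabilities":{"drop":["ALL"]}}}]}}}}}}`
var controls = []string{"runAsNonRoot", "allowPrivilegeEscalation", "readOnlyRootFilesystem", "capabilities.drop ALL"}

// Audit returns one finding per control missing from a rendered CronJob given as JSON.
func Audit(manifest []byte) ([]string, error) {
	var cj struct{ Spec struct{ JobTemplate struct{ Spec struct{ Template struct{ Spec podSpec } } } } }
	if err := json.Unmarshal(manifest, &cj); err != nil {
		return nil, err
	}
	is := func(p *bool, want bool) bool { return p != nil && *p == want } // unset never passes
	pod, out := cj.Spec.JobTemplate.Spec.Template.Spec, []string{}
	for _, c := range pod.Containers {
		s, nonRoot, dropAll := c.SecurityContext, c.SecurityContext.RunAsNonRoot, false
		if nonRoot == nil { // a container-level value overrides the pod-level one
			nonRoot = pod.SecurityContext.RunAsNonRoot
		}
		for _, d := range s.Capabilities.Drop {
			dropAll = dropAll || d == "ALL"
		}
		oks := []bool{is(nonRoot, true), is(s.AllowPrivilegeEscalation, false), is(s.ReadOnlyRootFilesystem, true), dropAll}
		for i, ok := range oks {
			if !ok {
				out = append(out, c.Name+": "+controls[i]+" not set as suggested")
			}
		}
	}
	return out, nil
}

func main() { fmt.Println(Audit([]byte(bare))) }
```
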

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 2

🤖 Fix all issues with AI agents
In `@charts/ctrlc-sync/templates/cronjob.yaml`:
- Around line 48-49: The restartPolicy key is placed as a sibling of spec under
the Pod template instead of inside the pod spec; move restartPolicy into the
PodSpec under the template (i.e., into template.spec.restartPolicy) and remove
the misplaced sibling entry so the CronJob/Job template reads template.metadata,
template.spec, and inside template.spec include restartPolicy: OnFailure
(ensuring it is under the same structure as containers/initContainers).

In `@charts/ctrlc-sync/values.yaml`:
- Around line 27-30: The Helm template guard is using truthiness so numeric zero
values (e.g., ttlSecondsAfterFinished: 0) are ignored; update the conditionals
in cronjob.yaml to check existence instead of truthiness by using hasKey (hasKey
.Values.job "ttlSecondsAfterFinished") or an explicit nil comparison (ne
.Values.job.ttlSecondsAfterFinished nil) for
.Values.job.ttlSecondsAfterFinished, and apply the same change for
.Values.job.activeDeadlineSeconds and .Values.job.startingDeadlineSeconds so
zero is rendered correctly.
🧹 Nitpick comments (2)
charts/ctrlc-sync/templates/cronjob.yaml (2)

59-68: Consider hardening default security context for the container.

Trivy flags that the container runs without a read-only root filesystem and uses the default security context (KSV-0014, KSV-0118). Since values default to {}, the chart ships with no security hardening. Consider providing secure defaults that users can override:

```yaml
# values.yaml
securityContext:
  readOnlyRootFilesystem: true
  runAsNonRoot: true
  allowPrivilegeEscalation: false
```

This is a common best practice for Helm charts to be secure-by-default.


9-15: Falsy-value guards will silently drop 0 values for timeZone, startingDeadlineSeconds, etc.

As noted in the values.yaml review, {{- if .Values.cron.startingDeadlineSeconds }} will not render when the value is 0. While 0 may not be a practical value for startingDeadlineSeconds, this pattern is error-prone. Consider using {{- if not (kindIs "invalid" ...) }} or {{- if hasKey .Values.cron "startingDeadlineSeconds" }} for numeric optional fields.
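
The falsy-guard behaviour described in the review above, reproduced with Go's `text/template` (the engine Helm templates are built on) as an added example that is not part of this PR. The template fragments are constructed rather than taken from the chart, and `hasKey` here is a local stand-in for the Sprig function Helm provides.

```go
package main

import (
	"bytes"
	"fmt"
	"text/template"
)

// hasKey is a local stand-in for the Sprig function of the same name that Helm exposes.
func hasKey(m map[string]interface{}, key string) bool {
	_, ok := m[key]
	return ok
}

// Constructed fragments; the chart's real cronjob.yaml is not reproduced here.
const (
	truthyGuard = `{{- if .Values.job.ttlSecondsAfterFinished }}` + field + `{{- end }}`
	keyGuard    = `{{- if hasKey .Values.job "ttlSecondsAfterFinished" }}` + field + `{{- end }}`
	field       = `ttlSecondsAfterFinished: {{ .Values.job.ttlSecondsAfterFinished }}`
)

// Render executes one fragment against .Values.job and returns the emitted text.
func Render(src string, job map[string]interface{}) (string, error) {
	t, err := template.New("frag").Funcs(template.FuncMap{"hasKey": hasKey}).Parse(src)
	if err != nil {
		return "", err
	}
	values := map[string]interface{}{"Values": map[string]interface{}{"job": job}}
	var buf bytes.Buffer
	err = t.Execute(&buf, values)
	return buf.String(), err
}

func main() {
	zero := map[string]interface{}{"ttlSecondsAfterFinished": 0}
	for _, src := range []string{truthyGuard, keyGuard} {
		out, err := Render(src, zero)
		fmt.Printf("%q %v\n", out, err) // the truthy guard emits nothing; the key guard emits the field
	}
}
```
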

@dacbd dacbd merged commit c2455dc into main Feb 14, 2026
4 checks passed
@dacbd dacbd deleted the dacbd/ctrlc-sync-init branch February 14, 2026 07:56