HYPERFLEET-786 - chore: use CHANGE_ME for both registry and repository defaults #78

Merged: openshift-merge-bot[bot] merged 1 commit into openshift-hyperfleet:main from xueli181114:HYPERFLEET-786 on Mar 20, 2026

@xueli181114 (Contributor) commented Mar 19, 2026

Summary

  • Rename chart from sentinel to hyperfleet-sentinel for consistency with hyperfleet-api and hyperfleet-adapter
  • Set image.registry and image.repository defaults to CHANGE_ME with _helpers.tpl validation guards
  • Move runAsNonRoot/runAsUser from container securityContext to podSecurityContext
  • Add seccompProfile.type: RuntimeDefault to container security context
  • Add configurable podLabels to deployment template

Breaking Changes

Chart rename: sentinel → hyperfleet-sentinel

This changes the app.kubernetes.io/name selector label from sentinel to hyperfleet-sentinel. Since Kubernetes selector labels are immutable on Deployments, existing sentinel releases must be uninstalled before upgrading:

helm uninstall <sentinel-clusters-release> -n <namespace>
helm uninstall <sentinel-nodepools-release> -n <namespace>
# Then reinstall with the new chart

Umbrella charts (hyperfleet-infra) must also update their dependency name and values key from sentinel: to hyperfleet-sentinel:.

Test plan

  • make test-helm passes (all 10 scenarios)
  • Real deployment verified on GKE cluster with googlepubsub broker

Relates to: HYPERFLEET-786
Depends on: architecture#108

@openshift-ci openshift-ci bot requested review from rafabene and tirthct March 19, 2026 10:44
@coderabbitai bot commented Mar 19, 2026

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Walkthrough

The PR updates Helm chart defaults, templates, and the Makefile test commands. charts/values.yaml: image.repository default changed to CHANGE_ME, added podLabels: {}, moved runAsNonRoot: true and runAsUser: 65532 into podSecurityContext (removed from container securityContext), and added securityContext.seccompProfile.type: RuntimeDefault. charts/templates/_helpers.tpl: adds sentinel.validateValues that fails if image registry/repository are CHANGE_ME. charts/templates/deployment.yaml now calls that helper and merges .Values.podLabels into pod labels. Makefile test-helm target now passes explicit --set image.registry and --set image.repository for lint/template runs.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks: ✅ 3 passed

Check name | Status | Explanation
Title check | ✅ Passed | The title accurately reflects the main change: updating Helm chart defaults to use 'CHANGE_ME' placeholders for both image registry and repository, along with related security and configuration improvements.
Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled.


@xueli181114 xueli181114 force-pushed the HYPERFLEET-786 branch 2 times, most recently from c2a0fd3 to 8f7d6e6 Compare March 19, 2026 12:45
@xueli181114 xueli181114 changed the title from "HYPERFLEET-786 - fix: update image.repository to include org path" to "HYPERFLEET-786 - chore: use CHANGE_ME for both registry and repository defaults" Mar 19, 2026
@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@charts/templates/_helpers.tpl`:
- Around line 66-68: The failing validation only checks .Values.image.registry
(the block in charts/templates/_helpers.tpl) but deployment resolves registry
from .Values.global.imageRegistry first; update the guard to accept a valid
registry when either .Values.image.registry is set and not "CHANGE_ME" or when
.Values.global.imageRegistry is set and not "CHANGE_ME" (i.e., change the eq
check to consider both .Values.image.registry and .Values.global.imageRegistry
or resolve effectiveRegistry = coalesce(.Values.image.registry,
.Values.global.imageRegistry) before validating) so releases that set
global.imageRegistry won't be blocked.

In `@charts/templates/deployment.yaml`:
- Around line 23-25: podLabels can overwrite required selector labels causing
selector mismatch; update the charts/templates/deployment.yaml template so that
.Values.podLabels are merged in a way that does not override
sentinel.selectorLabels (the required keys like app.kubernetes.io/name and
app.kubernetes.io/instance). Specifically, ensure sentinel.selectorLabels are
rendered after or merged with higher precedence (e.g., mergeMaps behavior) so
sentinel.selectorLabels take precedence over .Values.podLabels, and reference
the symbols .Values.podLabels and sentinel.selectorLabels in your change to
guarantee those keys cannot be replaced.

📥 Commits

Reviewing files that changed from the base of the PR and between 8f7d6e6 and 0c136fd.

📒 Files selected for processing (4)
  • Makefile
  • charts/templates/_helpers.tpl
  • charts/templates/deployment.yaml
  • charts/values.yaml
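
One way to address both inline findings in Helm template form, as an added example that is not the chart's own code. The `example.*` helper names are hypothetical, `sentinel.selectorLabels` is assumed to be the chart helper the review names, and the registry is resolved global-first as the review describes the deployment doing.

```yaml
{{/* Added example; the "example.*" helper names are hypothetical. */}}

{{/* Registry the image reference will actually use: global.imageRegistry
     first, then image.registry (order assumed from the review comment). */}}
{{- define "example.effectiveRegistry" -}}
{{- $global := .Values.global | default dict -}}
{{- coalesce $global.imageRegistry .Values.image.registry | default "" -}}
{{- end -}}

{{/* Abort rendering while the effective registry or the repository is
     empty or still the CHANGE_ME placeholder. */}}
{{- define "example.validateValues" -}}
{{- $registry := include "example.effectiveRegistry" . -}}
{{- $repository := .Values.image.repository | default "" -}}
{{- if or (eq $registry "") (eq $registry "CHANGE_ME") -}}
{{- fail "image registry is unset or CHANGE_ME: set global.imageRegistry or image.registry" -}}
{{- end -}}
{{- if or (eq $repository "") (eq $repository "CHANGE_ME") -}}
{{- fail "image.repository is unset or CHANGE_ME" -}}
{{- end -}}
{{- end -}}

{{/* Pod template labels. sprig's merge keeps keys already present in its
     first argument, so a colliding key in .Values.podLabels cannot replace
     app.kubernetes.io/name or app.kubernetes.io/instance. */}}
{{- define "example.podLabels" -}}
{{- $selector := include "sentinel.selectorLabels" . | fromYaml -}}
{{- merge $selector (.Values.podLabels | default dict) | toYaml -}}
{{- end -}}
```

Calling `include "example.validateValues" .` at the top of deployment.yaml and rendering `include "example.podLabels" . | nindent 8` under the pod template's labels applies both guards.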

@xueli181114 xueli181114 force-pushed the HYPERFLEET-786 branch 3 times, most recently from 0c5b71f to b75733c Compare March 20, 2026 02:59
@xueli181114 (Contributor, Author) commented

/retest

@xueli181114 xueli181114 force-pushed the HYPERFLEET-786 branch 2 times, most recently from 77030b5 to 77070b9 Compare March 20, 2026 03:24
@86254860 (Contributor) commented

/lgtm

@openshift-ci bot commented Mar 20, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: 86254860

@openshift-merge-bot openshift-merge-bot bot merged commit 42f5a82 into openshift-hyperfleet:main Mar 20, 2026
9 checks passed