fix(helm): preserve STS serviceName + networkPolicy.egress back-compat

waleedlatif1 · waleedlatif1 · commit d5c2e8ef5d6e · 2026-05-12T13:45:30.000-07:00
Greptile flagged two real upgrade-breaking changes vs the prior chart:

1. statefulset-postgresql spec.serviceName flipped from &lt;name&gt;-postgresql
   to &lt;name&gt;-postgresql-headless. spec.serviceName is immutable, so any
   existing install would hit 'Forbidden: updates to statefulset spec ...'
   on helm upgrade. Revert to the original name (the headless Service in
   services.yaml is added alongside, not as a swap).

2. networkPolicy.egress changed from a list to a map ({extraRules, exceptCidrs}),
   silently dropping any custom egress list set by existing users. Restore
   the original list semantics for networkPolicy.egress and move cloud-metadata
   blocking to a sibling top-level field networkPolicy.egressExceptCidrs.

Adds NOTES.txt upgrade-notes entry covering both + the ESO v1→v1beta1 default
flip (functionally a no-op, but worth surfacing).
diff --git a/helm/sim/templates/NOTES.txt b/helm/sim/templates/NOTES.txt
@@ -81,7 +81,16 @@ Your release is named {{ .Release.Name }} in namespace {{ .Release.Namespace }}.
      # Upgrade after changing values
      helm upgrade {{ .Release.Name }} ./helm/sim --namespace {{ .Release.Namespace }} -f your-values.yaml
 
-5. Where to go next:
+5. Upgrade notes (read before upgrading from a chart version released before this one):
+
+   * externalSecrets.apiVersion default is "v1beta1" (was "v1"). v1beta1 is
+     supported by every ESO release from v0.7+ through current. If you're on
+     ESO v0.17+ and want the graduated v1 API, set externalSecrets.apiVersion: "v1".
+   * networkPolicy.egress remains a list of custom egress rules (unchanged).
+     Cloud-metadata CIDR blocking is now configured via networkPolicy.egressExceptCidrs
+     (defaults to AWS/GCP/Azure IMDS + ECS task metadata).
+
+6. Where to go next:
 
    * Production checklist:  helm/sim/README.md (search "Production checklist")
    * Troubleshooting:       helm/sim/README.md (search "Troubleshooting")
diff --git a/helm/sim/templates/networkpolicy.yaml b/helm/sim/templates/networkpolicy.yaml
@@ -107,14 +107,14 @@ spec:
     - ipBlock:
         cidr: 0.0.0.0/0
         except:
-          {{- range (default (list "169.254.169.254/32" "169.254.170.2/32") .Values.networkPolicy.egress.exceptCidrs) }}
+          {{- range (default (list "169.254.169.254/32" "169.254.170.2/32") .Values.networkPolicy.egressExceptCidrs) }}
           - {{ . | quote }}
           {{- end }}
     ports:
     - protocol: TCP
       port: 443
   # Allow custom egress rules
-  {{- with .Values.networkPolicy.egress.extraRules }}
+  {{- with .Values.networkPolicy.egress }}
   {{- toYaml . | nindent 2 }}
   {{- end }}
 
@@ -189,14 +189,14 @@ spec:
     - ipBlock:
         cidr: 0.0.0.0/0
         except:
-          {{- range (default (list "169.254.169.254/32" "169.254.170.2/32") .Values.networkPolicy.egress.exceptCidrs) }}
+          {{- range (default (list "169.254.169.254/32" "169.254.170.2/32") .Values.networkPolicy.egressExceptCidrs) }}
           - {{ . | quote }}
           {{- end }}
     ports:
     - protocol: TCP
       port: 443
   # Allow custom egress rules
-  {{- with .Values.networkPolicy.egress.extraRules }}
+  {{- with .Values.networkPolicy.egress }}
   {{- toYaml . | nindent 2 }}
   {{- end }}
 {{- end }}
@@ -296,7 +296,7 @@ spec:
     - ipBlock:
         cidr: 0.0.0.0/0
         except:
-          {{- range (default (list "169.254.169.254/32" "169.254.170.2/32") .Values.networkPolicy.egress.exceptCidrs) }}
+          {{- range (default (list "169.254.169.254/32" "169.254.170.2/32") .Values.networkPolicy.egressExceptCidrs) }}
           - {{ . | quote }}
           {{- end }}
     ports:
diff --git a/helm/sim/templates/statefulset-postgresql.yaml b/helm/sim/templates/statefulset-postgresql.yaml
@@ -90,7 +90,12 @@ metadata:
   labels:
     {{- include "sim.postgresql.labels" . | nindent 4 }}
 spec:
-  serviceName: {{ include "sim.fullname" . }}-postgresql-headless
+  # Must remain {{ include "sim.fullname" . }}-postgresql (not the -headless
+  # name) — spec.serviceName is immutable on a StatefulSet, and the prior
+  # chart shipped with this value. Changing it would break `helm upgrade` for
+  # every existing install with `Forbidden: updates to statefulset spec ...`.
+  # The headless Service in services.yaml is added alongside, not as a swap.
+  serviceName: {{ include "sim.fullname" . }}-postgresql
   replicas: 1
   minReadySeconds: 10
   podManagementPolicy: OrderedReady
diff --git a/helm/sim/tests/networkpolicy_test.yaml b/helm/sim/tests/networkpolicy_test.yaml
@@ -128,10 +128,10 @@ tests:
               - protocol: TCP
                 port: 3000
 
-  - it: egress.extraRules are appended to both app and realtime NetworkPolicies
+  - it: networkPolicy.egress (custom rules) are appended to both app and realtime NetworkPolicies
     set:
       <<: *defaults
-      networkPolicy.egress.extraRules:
+      networkPolicy.egress:
         - to: []
           ports:
             - protocol: TCP
diff --git a/helm/sim/values.yaml b/helm/sim/values.yaml
@@ -954,7 +954,7 @@ monitoring:
 # to each other and to required external services (DNS, HTTPS) while blocking
 # everything else. The egress block additionally blacklists cloud metadata
 # endpoints (169.254.169.254/32, 169.254.170.2/32) by default — extend
-# egress.exceptCidrs with your cluster's API server CIDR for tighter isolation.
+# egressExceptCidrs with your cluster's API server CIDR for tighter isolation.
 # Your CNI must support NetworkPolicy (Calico, Cilium, GKE Dataplane V2, etc.).
 networkPolicy:
   enabled: false
@@ -973,16 +973,18 @@ networkPolicy:
   # Custom ingress rules appended to the policy
   ingress: []
 
-  # Egress configuration
-  egress:
-    # CIDRs excluded from broad HTTPS (443) egress.
-    # Defaults block AWS/GCP/Azure IMDS (169.254.169.254/32) and ECS task metadata
-    # (169.254.170.2/32). Add your cluster's API server CIDR for stronger isolation.
-    exceptCidrs:
-      - "169.254.169.254/32"
-      - "169.254.170.2/32"
-    # Custom egress rules appended to the policy
-    extraRules: []
+  # Custom egress rules appended to the policy.
+  # Kept as a top-level list (not a map) for backward compatibility with the
+  # pre-1.0 chart that shipped `networkPolicy.egress: []`. Existing values
+  # files continue to work without changes.
+  egress: []
+
+  # CIDRs excluded from broad HTTPS (443) egress.
+  # Defaults block AWS/GCP/Azure IMDS (169.254.169.254/32) and ECS task metadata
+  # (169.254.170.2/32). Add your cluster's API server CIDR for stronger isolation.
+  egressExceptCidrs:
+    - "169.254.169.254/32"
+    - "169.254.170.2/32"
 
 # Shared storage for enterprise workflows requiring data sharing between pods
 sharedStorage:
