[MOSIP-44613] eSignet 1.7.1 multi-namespace standalone deployment — DSFs, hooks, workflows and values #245

Open
bhumi46 wants to merge 137 commits into mosip:develop from bhumi46:MOSIP-44613

Conversation

bhumi46 commented Jun 9, 2026
Member

Summary

  • Restructure external-dsf.yaml: move esignet-keycloak-init to keycloak namespace (priority -11); add per-namespace postgres-init entries for mosip_esignet_cre, mosip_esignet_qa11, mosip_esignet_sunbird, mosip_mockidentitysystem, and signup schemas; fix MinIO re-deploy root-password pass-through
  • Restructure esignet-dsf.yaml: deploy 4 fully isolated eSignet instances (esignet / esignet-cre / esignet-qa11 / esignet-sunbird) with per-namespace SoftHSM, plugin values, oidc-ui, mock-RP, PMS partner+policy, and optional onboarders
  • Add signup-dsf.yaml: Signup Keycloak init, kernel services (authmanager / auditmanager / otpmanager / notifier), mock-smtp, signup-service, signup-ui (all disabled by default)
  • Add testrigs-dsf.yaml: API testrig for all 4 esignet namespaces + signup apitestrig + signup uitestrig; sequential cronjob trigger via trigger-test-jobs-esignet.sh
  • Add 30+ hook scripts under esignet-1.7.1/: config-server setup/postinstall, cre/qa11/sunbird preinstall wrappers, keycloak-init pre/postinstall fan-out, MISP and mock-RP onboarder hooks (replaces old partner-onboarder), signup hooks (keycloak-init, kernel, notifier, signup-service), testrig setup hooks
  • Add helmsman_signup.yml workflow (new); extend helmsman_esignet.yml with multi-namespace secret injection and auto-trigger chain to signup; fix helmsman_external.yml MinIO password on upgrade
  • Add plugin values (esignet-{,cre-,qa11-,sunbird-}plugin-values.yaml), keycloak init values (keycloak-esignet-init-values.yaml, keycloak-signup-init-values.yaml), config-server values, SoftHSM values, and testrig values under Helmsman/utils/

Linked Issues

Closes mosip/mosip-infra#1790

Sub-tasks:

Test plan

  • external-dsf.yaml apply: postgres-init creates all 4 esignet DBs + mock-identity + signup schemas; esignet-keycloak-init completes in keycloak ns; esignet-postinstall-keycloak-init.sh fans keycloak resources to all 4 esignet namespaces; MinIO upgrade passes existing root password without PASSWORDS ERROR
  • esignet-dsf.yaml apply: all 4 eSignet instances healthy (plugin 1/2/2/3); oidc-ui VirtualServices resolve on correct subdomains; mock-RP services up in each namespace; esignet-domain-config CM present in all 4 namespaces with correct mosip-esignet-host per namespace
  • signup-dsf.yaml apply: kernel services (authmanager/auditmanager/otpmanager/notifier), signup-service, signup-ui all healthy; esignet-dsf=completed label present on default namespace before signup workflow fires
  • testrigs-dsf.yaml apply: cronjobs created in all 4 esignet namespaces + signup; trigger-test-jobs-esignet.sh fires sequentially without resource exhaustion
  • Re-deploy (upgrade) succeeds without manual cleanup — pre-helmsman-cleanup.sh removes stale Jobs before re-run

🤖 Generated with Claude Code

Summary by CodeRabbit

  • New Features

    • eSignet standalone expanded to CRE/QA11/Sunbird + signup profile; multi-namespace test rigs, signup deploy workflow and auto-trigger; new workflow inputs for DB ports and eSignet domain names.
  • Documentation

    • Large deployment/playbook updates and new guide added covering profiles, workflow inputs/secrets, and profile-scoped state handling.
  • Bug Fixes

    • Hardened readiness timeouts and idempotent hooks; improved secret masking/handling and Keycloak secret retrieval; avoid SoftHSM PIN regeneration on reruns.

bhumi46 and others added 30 commits April 8, 2026 10:47
Signed-off-by: bhumi46 <111699703+bhumi46@users.noreply.github.com>
Signed-off-by: bhumi46 <111699703+bhumi46@users.noreply.github.com>
Signed-off-by: bhumi46 <bhumi46@users.noreply.github.com>
Signed-off-by: bhumi46 <111699703+bhumi46@users.noreply.github.com>
Signed-off-by: bhumi46 <bhumi46@users.noreply.github.com>
Signed-off-by: bhumi46 <111699703+bhumi46@users.noreply.github.com>
Signed-off-by: bhumi46 <111699703+bhumi46@users.noreply.github.com>
Signed-off-by: bhumi46 <bhumi46@users.noreply.github.com>
Signed-off-by: bhumi46 <bhumi46@users.noreply.github.com>
…ofile based workflow

Signed-off-by: abhishek-1809 <abhisahu1920@gmail.com>
[MOSIP-44613]merging develop changes into MOSIP-44613
…ofile based workflow

Signed-off-by: abhishek-1809 <abhisahu1920@gmail.com>
…ofile based workflow

Signed-off-by: abhishek-1809 <abhisahu1920@gmail.com>
…ofile based workflow

Signed-off-by: abhishek-1809 <abhisahu1920@gmail.com>
…ofile based workflow

Signed-off-by: abhishek-1809 <abhisahu1920@gmail.com>
…ofile based workflow

Signed-off-by: abhishek-1809 <abhisahu1920@gmail.com>
…ofile based workflow

Signed-off-by: abhishek-1809 <abhisahu1920@gmail.com>
…ofile based workflow

Signed-off-by: abhishek-1809 <abhisahu1920@gmail.com>
Signed-off-by: abhishek-1809 <abhisahu1920@gmail.com>
updating this branch with develop
Signed-off-by: bhumi46 <111699703+bhumi46@users.noreply.github.com>
Signed-off-by: bhumi46 <bhumi46@users.noreply.github.com>
…ofile based workflow

Signed-off-by: abhishek-1809 <abhisahu1920@gmail.com>
Signed-off-by: bhumi46 <111699703+bhumi46@users.noreply.github.com>
Signed-off-by: bhumi46 <111699703+bhumi46@users.noreply.github.com>
Signed-off-by: bhumi46 <111699703+bhumi46@users.noreply.github.com>
Signed-off-by: bhumi46 <111699703+bhumi46@users.noreply.github.com>
Signed-off-by: bhumi46 <111699703+bhumi46@users.noreply.github.com>
Signed-off-by: bhumi46 <111699703+bhumi46@users.noreply.github.com>
bhumi46 added 3 commits June 8, 2026 12:51
Signed-off-by: bhumi46 <thisisbn46@gmail.com>
Signed-off-by: bhumi46 <thisisbn46@gmail.com>
…ia hooks scripts

Signed-off-by: bhumi46 <thisisbn46@gmail.com>
coderabbitai Bot commented Jun 9, 2026
Contributor

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.

Walkthrough

Adds multi-namespace eSignet DSFs, signup and testrigs DSFs, many Helm hook scripts and values, workflow input/secret wiring (helmsman_* + signup), terraform profile artifacts, and documentation updates for profile-scoped state and GH_INFRA_PAT.

Changes

eSignet deployment stack

Layer: End-to-end eSignet checkpoint
File(s): Helmsman/dsf/..., .github/workflows/*, Helmsman/hooks/esignet-1.7.1/*, Helmsman/utils/*, terraform/..., docs/*, README.md, CLAUDE.md
Summary: All edits required to add standalone multi-namespace eSignet, signup and testrig DSFs; new/updated Helmsman workflows (inputs, secret masking, persistence, Keycloak secret handling, signup dispatch); many pre/post-install hook scripts and helper usage; Helm values files for plugins and SoftHSM per-namespace; terraform profile tfvars and kubeconfigs; and documentation updates for INFRA_PROFILE and GH_INFRA_PAT.

Sequence Diagram(s)

sequenceDiagram
  participant GitHubActions
  participant Helmsman
  participant Keycloak
  participant Kubernetes
  GitHubActions->>Helmsman: dispatch helmsman_{external,esignet,testrigs,signup} workflows
  Helmsman->>Keycloak: fetch/export client secrets (when configured)
  Helmsman->>Kubernetes: deploy DSFs (Helm releases) and run hook scripts
  Helmsman->>GitHubActions: dispatch signup workflow after successful esignet apply

Estimated code review effort

🎯 5 (Critical) | ⏱️ ~120 minutes

Possibly related PRs

  • mosip/infra#226 — related workflow input validation and env persistence edits.
  • mosip/infra#246 — related terraform/profile-isolated state documentation updates.

Suggested reviewers

  • ckm007

Poem

🐰 I hop through namespaces, quick and spry,
Secrets and charts now flutter by.
eSignet wakes, signup sings,
Hooks and values spread soft wings.
Carrot-cheers for merged delight! 🥕


coderabbitai Bot left a comment

Contributor

Actionable comments posted: 2

Note

Due to the large number of review comments, Critical severity comments were prioritized as inline comments.

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (21)
.github/workflows/helmsman_external.yml (1)

85-97: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

URL-encode the environment name before calling the GitHub variables API.

This workflow uses github.ref_name as the environment name. Branch names like feature/esignet include /, so the current PATCH/POST URLs point at the wrong API path and manual runs on those branches won't persist variables correctly.

As per coding guidelines, workflow environments are named after the branch.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/helmsman_external.yml around lines 85 - 97, The PATCH/POST
calls in the save_var function use ENVIRONMENT (from github.ref_name) raw, which
breaks for branch names with slashes; URL-encode ENVIRONMENT before building the
GitHub API URLs. Add a local encoded variable (e.g., ENVIRONMENT_ENCODED) in
save_var by URL-encoding $ENVIRONMENT (using a small helper or builtin like
python -c, printf+sed, or a urlencode function), and replace occurrences of
$ENVIRONMENT in the PATCH/POST URLs with that encoded variable while keeping
REPO, GH_TOKEN, save_var, and STATUS logic unchanged.

Source: Coding guidelines

.github/workflows/helmsman_esignet.yml (1)

64-96: ⚠️ Potential issue | 🟠 Major

Stop inlining github.event.inputs.* directly into bash scripts and curl -d JSON in .github/workflows/helmsman_esignet.yml.

The workflow injects unescaped dispatch inputs into run: scripts (e.g., PROFILE="${{ github.event.inputs.profile }}", DOMAIN/ENV/... on lines 64-96) and also interpolates them into curl JSON bodies (also around lines 145-179 and 590-604). If any input contains characters like quotes/backslashes—or $(...)—bash can perform command substitution and the JSON payload can break/become malformed. Pass these values via step env: and construct the curl JSON using a JSON serializer (e.g., jq -n --arg ...) to ensure correct escaping.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/helmsman_esignet.yml around lines 64 - 96, The workflow
currently inlines github.event.inputs.* directly into the run: script (e.g.,
PROFILE, DOMAIN, ENV, CRE_DOMAIN, QABASE_DOMAIN, CRE_SPRING_LABEL,
QA11_SPRING_LABEL) and also interpolates them into curl -d JSON bodies, which
allows injection and malformed JSON; fix this by passing all dispatch inputs via
the step-level env: map instead of embedding ${{ github.event.inputs.* }} inside
the script, read them inside the script from the environment, and replace any
direct curl -d "..." interpolation with a JSON serializer like jq (e.g., jq -n
--arg profile "$PROFILE" --arg domain "$DOMAIN"
'{profile:$profile,domain:$domain,...}' ) so every value is properly escaped
before curl --data `@-`; ensure the same change is applied for the other curl
usages that currently embed inputs.
Helmsman/hooks/esignet-1.7.1/captcha-postinstall.sh (2)

10-12: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Update header env-var names to match runtime requirements.

The header still documents CAPTCHA_SITE_KEY / CAPTCHA_SECRET_KEY, but Lines 18-19 require ESIGNET_CAPTCHA_SITE_KEY / ESIGNET_CAPTCHA_SECRET_KEY. This mismatch will mislead manual execution.

Also applies to: 18-19

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@Helmsman/hooks/esignet-1.7.1/captcha-postinstall.sh` around lines 10 - 12,
Update the header comment to use the runtime env var names required by the
script: replace occurrences of CAPTCHA_SITE_KEY and CAPTCHA_SECRET_KEY with
ESIGNET_CAPTCHA_SITE_KEY and ESIGNET_CAPTCHA_SECRET_KEY so the documented
variables match the actual checks that reference ESIGNET_CAPTCHA_SITE_KEY and
ESIGNET_CAPTCHA_SECRET_KEY in captcha-postinstall.sh.

14-21: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Add the standard hook bootstrap before dereferencing WORKDIR.

Line 20 can hard-fail under set -u when WORKDIR is not set, and this hook also doesn’t accept KUBECONFIG as an optional first argument per hook contract.

Suggested fix
 set -euo pipefail
+
+if [[ -n "${1:-}" ]]; then
+  export KUBECONFIG="$1"
+  shift
+fi
+
+: "${WORKDIR:?ERROR: WORKDIR must be set}"
 
 ESIGNET_NS="${ESIGNET_NS:-esignet}"
 CAPTCHA_NS="captcha"
 CAPTCHA_SITE_KEY="${ESIGNET_CAPTCHA_SITE_KEY:?ERROR: ESIGNET_CAPTCHA_SITE_KEY environment variable must be set}"
 CAPTCHA_SECRET_KEY="${ESIGNET_CAPTCHA_SECRET_KEY:?ERROR: ESIGNET_CAPTCHA_SECRET_KEY environment variable must be set}"
 COPY_UTIL="$WORKDIR/utils/copy-cm-and-secrets/copy_cm_func.sh"
+[[ -x "$COPY_UTIL" ]] || { echo "ERROR: copy utility not executable: $COPY_UTIL" >&2; exit 1; }
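Review bot: the added `shift` makes this hook consume its first positional argument, whereas the bootstrap proposed for postgres-postinstall.sh, esignet-db-postinstall.sh and the other hooks further down only runs `export KUBECONFIG="$1"` and leaves `$@` intact, so the two variants behave differently when a caller passes extra arguments; settle on one form for the hook contract, most simply the `if [ -n "${1:-}" ]; then export KUBECONFIG="$1"; fi` block without `shift`, unless this script later reads `$1` for something else. The `[[ -x "$COPY_UTIL" ]]` guard is a good addition and should be carried over to the other hooks that build COPY_UTIL from WORKDIR.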

As per coding guidelines, “All hook scripts must be idempotent and accept KUBECONFIG as an optional first argument.”

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@Helmsman/hooks/esignet-1.7.1/captcha-postinstall.sh` around lines 14 - 21,
The script currently dereferences WORKDIR when setting COPY_UTIL and will
hard-fail under set -u if WORKDIR is unset and it also doesn't accept an
optional KUBECONFIG per hook contract; update the top of the hook to include the
standard hook bootstrap (the routine that initializes WORKDIR and handles
optional first-arg KUBECONFIG) before any variable expansions, then reference
WORKDIR only after that bootstrap runs so COPY_UTIL="$WORKDIR/..." is safe
(ensure the bootstrap is sourced or invoked prior to using WORKDIR and that the
hook entrypoint accepts/forwards the optional KUBECONFIG argument).

Source: Coding guidelines

Helmsman/hooks/esignet-1.7.1/postgres-postinstall.sh (2)

11-14: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Remove stale DB_USER_PASSWORD documentation.

The script no longer validates or uses DB_USER_PASSWORD, but lines 11 and 14 still document it as REQUIRED. Remove these stale references:

 # Environment Variables:
-#   DB_USER_PASSWORD     - Database user password (REQUIRED)
 #   POSTGRES_HOST        - PostgreSQL host (default: postgres-postgresql.postgres)
 #   POSTGRES_PORT        - PostgreSQL port (default: 5432)
 #   DB_USER              - Database username (default: esignetuser)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@Helmsman/hooks/esignet-1.7.1/postgres-postinstall.sh` around lines 11 - 14,
Remove the stale DB_USER_PASSWORD documentation from the header comment: delete
the two comment lines that list "DB_USER_PASSWORD - Database user password
(REQUIRED)" (the occurrences at the top of the env var list) so only the actual
used variables remain (e.g., POSTGRES_HOST, POSTGRES_PORT, DB_USER). Search the
file for any other comment mentions of DB_USER_PASSWORD and remove them or
update them to reflect current behavior, and confirm there is no remaining
validation or usage of DB_USER_PASSWORD in the script.

1-41: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Add KUBECONFIG optional argument support.

All hook scripts must accept KUBECONFIG as an optional first argument for idempotent local execution. Add this pattern at the start of the script:

 #!/bin/bash
 # =============================================================================
 # eSignet 1.7.1 - Postgres Post-install
 # =============================================================================
+# Usage: postgres-postinstall.sh [KUBECONFIG_PATH]
+#
+if [ -n "${1:-}" ]; then
+  export KUBECONFIG="$1"
+fi
+
 # Based on: deploy/postgres/generate-secret-cm.py
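Review bot: `export KUBECONFIG="$1"` accepts any non-empty string, so a mistyped path surfaces only when the first kubectl command fails, not as a bad argument; a `[ -r "$1" ] || { echo "ERROR: kubeconfig not readable: $1" >&2; exit 1; }` before the export fails fast and names the real cause. The same applies to the identical bootstrap proposed below for esignet-db-postinstall.sh, softhsm-esignet-postinstall.sh, wait-for-istio-crds.sh, mock-identity-init-db.sh, esignet-init-db.sh, postgres-preinstall.sh and softhsm-esignet-setup.sh; putting it in one sourced helper would keep the eight copies from drifting.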

As per coding guidelines: "All hook scripts must be idempotent and accept KUBECONFIG as an optional first argument". Based on learnings, hooks require KUBECONFIG to be explicitly exported when running locally.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@Helmsman/hooks/esignet-1.7.1/postgres-postinstall.sh` around lines 1 - 41,
This script must accept an optional KUBECONFIG first argument and export it for
subsequent kubectl calls; add logic at the top to check if "$1" is non-empty and
if so export KUBECONFIG="$1" (and shift positional args if you intend to accept
more), leaving existing behavior when no arg is provided; ensure the exported
KUBECONFIG is used by the kubectl commands that create the postgres-config
(referencing the existing POSTGRES_NS, POSTGRES_HOST, POSTGRES_PORT, DB_USER,
DB_NAME variables and the kubectl create/apply pipeline) so local idempotent
execution works.

Sources: Coding guidelines, Learnings

Helmsman/hooks/esignet-1.7.1/esignet-db-postinstall.sh (1)

1-24: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Add KUBECONFIG optional argument support.

All hook scripts must accept KUBECONFIG as an optional first argument. Add this pattern:

 #!/bin/bash
 # =============================================================================
 # eSignet 1.7.1 - Database Init Post-install (postgres-init-esignet)
 # =============================================================================
+# Usage: esignet-db-postinstall.sh [KUBECONFIG_PATH]
+#
+if [ -n "${1:-}" ]; then
+  export KUBECONFIG="$1"
+fi
+
 # postgres-init-esignet runs in the postgres namespace and creates

As per coding guidelines: "All hook scripts must be idempotent and accept KUBECONFIG as an optional first argument".

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@Helmsman/hooks/esignet-1.7.1/esignet-db-postinstall.sh` around lines 1 - 24,
The script esignet-db-postinstall.sh must accept an optional first argument
KUBECONFIG; modify the top of the script to read the first positional argument
into KUBECONFIG (default empty) and export it if provided so subsequent
kubectl/oc calls use it. Locate the variables POSTGRES_NS and COPY_UTIL and the
main for loop that calls $COPY_UTIL, then add a small arg-parsing block before
those that sets KUBECONFIG="${1:-}" and if non-empty does export KUBECONFIG,
ensuring no other positional args are consumed and the script remains
idempotent.

Source: Coding guidelines

Helmsman/hooks/esignet-1.7.1/softhsm-esignet-postinstall.sh (1)

1-39: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Add KUBECONFIG optional argument support.

All hook scripts must accept KUBECONFIG as an optional first argument. Add this pattern:

 #!/bin/bash
 # =============================================================================
 # eSignet 1.7.1 - SoftHSM eSignet Post-install
 # =============================================================================
+# Usage: softhsm-esignet-postinstall.sh [KUBECONFIG_PATH]
+#
+if [ -n "${1:-}" ]; then
+  export KUBECONFIG="$1"
+fi
+
 # Based on: deploy/esignet/install.sh (copy_cm_func.sh calls for softhsm)

As per coding guidelines: "All hook scripts must be idempotent and accept KUBECONFIG as an optional first argument".

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@Helmsman/hooks/esignet-1.7.1/softhsm-esignet-postinstall.sh` around lines 1 -
39, This script must accept an optional first argument KUBECONFIG and use it for
all kubectl and helper calls: add logic at top to detect if $1 is present and
set a KUBECONFIG_ARG (e.g., "--kubeconfig=$1" or empty), export KUBECONFIG if
desired, then use that variable when invoking kubectl (the wait call) and when
calling COPY_UTIL so the copy_cm_and_secrets helper runs against the same
cluster; update references to kubectl and the CALL to COPY_UTIL (symbols:
SOFTHSM_NS, ESIGNET_NS, COPY_UTIL, kubectl) to include the KUBECONFIG_ARG.
Ensure behavior is unchanged when no argument is supplied.

Source: Coding guidelines

Helmsman/hooks/wait-for-istio-crds.sh (1)

1-25: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Add KUBECONFIG optional argument support.

All hook scripts must accept KUBECONFIG as an optional first argument. Add this pattern:

 #!/bin/bash
 # Waits for Istio CRDs to be available before deploying Istio-dependent resources.
 # Used as preInstall for istio-addons charts when prereq-dsf and external-dsf
 # run in parallel — Istio CRDs are installed by prereq-dsf and must exist
 # before any VirtualService/Gateway can be created.
+#
+# Usage: wait-for-istio-crds.sh [KUBECONFIG_PATH]
+#
+if [ -n "${1:-}" ]; then
+  export KUBECONFIG="$1"
+fi
+
 set -euo pipefail

As per coding guidelines: "All hook scripts must be idempotent and accept KUBECONFIG as an optional first argument".

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@Helmsman/hooks/wait-for-istio-crds.sh` around lines 1 - 25, Update the
wait-for-istio-crds.sh script to accept an optional KUBECONFIG first argument
and pass it to all kubectl invocations: read the first positional arg into a
variable (e.g., KUBECONFIG_PATH="${1:-}") and build a KUBECONFIG_FLAG like
KUBECONFIG_FLAG="--kubeconfig=${KUBECONFIG_PATH}" only when non-empty; then
append ${KUBECONFIG_FLAG} to the kubectl get crd
virtualservices.networking.istio.io and kubectl get crd
gateways.networking.istio.io commands (preserving the existing TIMEOUT,
INTERVAL, ELAPSED logic and exit handling) so the script remains idempotent and
works with or without the KUBECONFIG argument.

Source: Coding guidelines

Helmsman/hooks/esignet-1.7.1/mock-identity-init-db.sh (1)

1-31: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Add KUBECONFIG optional argument support.

All hook scripts must accept KUBECONFIG as an optional first argument. Add this pattern:

 #!/bin/bash
 # =============================================================================
 # eSignet 1.7.1 - Mock Identity System DB Init Pre-install
 # =============================================================================
+# Usage: mock-identity-init-db.sh [KUBECONFIG_PATH]
+#
+if [ -n "${1:-}" ]; then
+  export KUBECONFIG="$1"
+fi
+
 # Based on: esignet-mock-services/deploy/postgres/init_db.sh

As per coding guidelines: "All hook scripts must be idempotent and accept KUBECONFIG as an optional first argument".

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@Helmsman/hooks/esignet-1.7.1/mock-identity-init-db.sh` around lines 1 - 31,
The script must accept an optional KUBECONFIG as the first argument and export
it for kubectl to use; modify the top of the script (near the set -euo pipefail
and ESIGNET_NS/COPY_UTIL declarations) to check if a first positional parameter
exists, if so assign it to KUBECONFIG, export KUBECONFIG, and shift positional
args (e.g. if [ "${1:-}" != "" ]; then KUBECONFIG="$1"; export KUBECONFIG;
shift; fi); keep the rest of the logic (namespace creation, labeling, and
calling COPY_UTIL secret ...) unchanged so kubectl picks up the provided
KUBECONFIG and the script remains idempotent.

Source: Coding guidelines

Helmsman/hooks/esignet-1.7.1/esignet-init-db.sh (1)

1-25: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Add KUBECONFIG optional argument support.

All hook scripts must accept KUBECONFIG as an optional first argument. Add this pattern:

 #!/bin/bash
 # =============================================================================
 # eSignet 1.7.1 - Database Init Pre-install (postgres-init-esignet)
 # =============================================================================
+# Usage: esignet-init-db.sh [KUBECONFIG_PATH]
+#
+if [ -n "${1:-}" ]; then
+  export KUBECONFIG="$1"
+fi
+
 # Based on: deploy/postgres/postgres-init.sh

As per coding guidelines: "All hook scripts must be idempotent and accept KUBECONFIG as an optional first argument".

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@Helmsman/hooks/esignet-1.7.1/esignet-init-db.sh` around lines 1 - 25, The
script must accept an optional first argument KUBECONFIG and use it for all
kubectl calls: add parsing at the top to set a KUBECONFIG variable only if an
argument is passed (e.g., KUBECONFIG="$1" when $# -ge 1) and define a KUBECTL
wrapper variable (e.g., KUBECTL="kubectl${KUBECONFIG:+
--kubeconfig=$KUBECONFIG}") then replace direct kubectl invocations in the for
loop (the kubectl create namespace, kubectl apply -f -, and kubectl label
namespace commands) with "$KUBECTL" so the script uses the provided kubeconfig
when supplied and remains optional/compatible when not.

Source: Coding guidelines

Helmsman/hooks/esignet-1.7.1/postgres-preinstall.sh (1)

1-33: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Add KUBECONFIG optional argument support.

All hook scripts must accept KUBECONFIG as an optional first argument. Add this pattern:

 #!/bin/bash
 # =============================================================================
 # eSignet 1.7.1 - Postgres Pre-install
 # =============================================================================
+# Usage: postgres-preinstall.sh [KUBECONFIG_PATH]
+#
+if [ -n "${1:-}" ]; then
+  export KUBECONFIG="$1"
+fi
+
 # Based on: deploy/install-prereq.sh

As per coding guidelines: "All hook scripts must be idempotent and accept KUBECONFIG as an optional first argument".

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@Helmsman/hooks/esignet-1.7.1/postgres-preinstall.sh` around lines 1 - 33,
Update the script to accept an optional first argument for KUBECONFIG: if an
argument is provided, assign it to KUBECONFIG and export it (so kubectl picks it
up), otherwise leave existing environment/default behavior; keep existing
variables ESIGNET_NS and INSTALLATION_DOMAIN and all kubectl invocations (the
lines that run kubectl create namespace ... --dry-run=client -o yaml | kubectl
apply -f - and kubectl label namespace ...) unchanged except to rely on the
exported KUBECONFIG so the commands operate against the provided kubeconfig;
ensure the header parsing occurs before any kubectl calls so the optional
KUBECONFIG is honored.

Source: Coding guidelines

Helmsman/hooks/esignet-1.7.1/softhsm-esignet-setup.sh (1)

1-30: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Add KUBECONFIG optional argument support.

All hook scripts must accept KUBECONFIG as an optional first argument. Add this pattern:

 #!/bin/bash
 # =============================================================================
 # eSignet 1.7.1 - SoftHSM eSignet Pre-install Setup
 # =============================================================================
+# Usage: softhsm-esignet-setup.sh [KUBECONFIG_PATH]
+#
+if [ -n "${1:-}" ]; then
+  export KUBECONFIG="$1"
+fi
+
 # Based on: deploy/softhsm/install.sh

As per coding guidelines: "All hook scripts must be idempotent and accept KUBECONFIG as an optional first argument".

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@Helmsman/hooks/esignet-1.7.1/softhsm-esignet-setup.sh` around lines 1 - 30,
This script must accept an optional first argument for KUBECONFIG and use it for
kubectl/helm operations; add at the top (after set -euo pipefail) code to
capture the optional arg (e.g. KUBECONFIG_ARG="${1:-${KUBECONFIG:-}}"), export
KUBECONFIG when non-empty, and ensure kubectl and helm calls use that context
(either via exported KUBECONFIG or by passing --kubeconfig="$KUBECONFIG_ARG");
update the existing kubectl create/label and helm repo update invocations to
respect the provided KUBECONFIG while leaving ESIGNET_NS behavior unchanged.

Source: Coding guidelines

Helmsman/hooks/esignet-1.7.1/notifier-postinstall.sh (1)

1-23: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Add KUBECONFIG optional argument support and fix missing final newline.

The script does not accept the optional KUBECONFIG argument that all hook scripts must support per guidelines. Additionally, line 23 is missing the final newline character.

🔧 Proposed fix
 #!/bin/bash
 # =============================================================================
 # eSignet 1.7.1 - Notifier Post-install
 # =============================================================================
 # Based on: esignet-signup/deploy/kernel/install.sh
 # Patches notifier deployment with SMS number length env vars after install.
 # =============================================================================
 set -euo pipefail
 
+# Accept optional KUBECONFIG as first argument
+export KUBECONFIG="${1:-$KUBECONFIG}"
+
 KERNEL_NS="kernel"
 
 echo "================================================"
 echo "eSignet 1.7.1 - Notifier Post-install"
 echo "================================================"
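Review bot: `export KUBECONFIG="${1:-$KUBECONFIG}"` runs under the `set -euo pipefail` two lines above it, so when the hook is invoked with no argument and KUBECONFIG is not already in the environment, bash aborts with "KUBECONFIG: unbound variable" before the first echo; the inner default needs its own guard, `"${1:-${KUBECONFIG:-}}"`, or better the `if [ -n "${1:-}" ]; then export KUBECONFIG="$1"; fi` form proposed for the other hooks in this review, which leaves KUBECONFIG untouched when no argument is given.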

And add a final newline at the end of line 23.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@Helmsman/hooks/esignet-1.7.1/notifier-postinstall.sh` around lines 1 - 23,
Update the notifier-postinstall.sh script to accept an optional KUBECONFIG
argument and use it when invoking kubectl, and add the missing final newline;
specifically, parse an optional first arg into a KUBECONFIG variable (default
empty), export or prepend it to the kubectl command invocation used in the set
env call (the kubectl -n "$KERNEL_NS" set env deployment/notifier ... line) so
that kubectl uses the provided kubeconfig if given, and ensure the file ends
with a terminating newline character.

Source: Coding guidelines

Helmsman/hooks/esignet-1.7.1/uitestrig-signup-setup.sh (1)

1-35: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Add KUBECONFIG optional argument support and fix missing final newline.

The script does not accept the optional KUBECONFIG argument that all hook scripts must support per guidelines. Additionally, line 35 is missing the final newline character.

🔧 Proposed fix
 #!/bin/bash
 # =============================================================================
 # eSignet 1.7.1 - Signup UI Testrig Pre-install Setup
 # =============================================================================
 # Prepares the signup-uitestrig namespace.
 # Copies keycloak resources from keycloak ns, MinIO s3 secret from minio ns,
 # and postgres-postgresql from postgres ns.
 # Stale uitestrig CMs are deleted so the chart recreates them from set: values.
 # =============================================================================
 set -euo pipefail
 
+# Accept optional KUBECONFIG as first argument
+export KUBECONFIG="${1:-$KUBECONFIG}"
+
 NS=signup-uitestrig
 COPY_UTIL="$WORKDIR/utils/copy-cm-and-secrets/copy_cm_func.sh"

And add a final newline at the end of line 35.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@Helmsman/hooks/esignet-1.7.1/uitestrig-signup-setup.sh` around lines 1 - 35,
The script lacks support for an optional KUBECONFIG argument and is missing a
trailing newline; add parsing so the script accepts an optional first argument
(e.g., KUBECONFIG) and, when provided, export it or prepend it to kubectl calls
(or set KUBECONFIG env var) and pass it through to the COPY_UTIL invocations
(references: NS, COPY_UTIL and all kubectl lines) so every kubectl and
$COPY_UTIL call uses the provided KUBECONFIG, and ensure the file ends with a
final newline character.

Source: Coding guidelines

Helmsman/hooks/esignet-1.7.1/signup-service-preinstall.sh (1)

1-96: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Add KUBECONFIG optional argument support and fix missing final newline.

The script does not accept the optional KUBECONFIG argument that all hook scripts must support per guidelines. Additionally, line 96 is missing the final newline character.

🔧 Proposed fix
 #!/bin/bash
 # =============================================================================
 # eSignet 1.7.1 - Signup Service Pre-install
 # =============================================================================
 # Based on: esignet-signup/deploy/prereq.sh + deploy/msg-gateway/install.sh
 # Sets up all prerequisites for signup-service:
 #   - Copies redis-config configmap and redis secret
 #   - Creates keycloak-host configmap (KEYCLOAK_EXTERNAL_URL)
 #   - Creates empty signup-captcha secret (update site/secret keys for prod)
 #   - Creates empty signup-keystore and signup-keystore-password secrets
 #   - Creates msg-gateway configmap and secret (default: mock-smtp)
 #
 # Environment Variables:
 #   SIGNUP_NS              - Signup namespace (default: signup)
 #   MOSIP_IAM_EXTERNAL_HOST - Keycloak external host (e.g. iam.sandbox.xyz.net)
 #   MOSIP_SIGNUP_CAPTCHA_SITE_KEY   - reCAPTCHA site key (default: empty)
 #   MOSIP_SIGNUP_CAPTCHA_SECRET_KEY - reCAPTCHA secret key (default: empty)
 # =============================================================================
 set -euo pipefail
 
+# Accept optional KUBECONFIG as first argument
+export KUBECONFIG="${1:-$KUBECONFIG}"
+
 SIGNUP_NS="${SIGNUP_NS:-signup}"
 REDIS_NS="redis"
 KEYCLOAK_NS="keycloak"
 IAM_EXTERNAL_HOST="${MOSIP_IAM_EXTERNAL_HOST:-}"
 CAPTCHA_SITE_KEY="${MOSIP_SIGNUP_CAPTCHA_SITE_KEY:-}"
 CAPTCHA_SECRET_KEY="${MOSIP_SIGNUP_CAPTCHA_SECRET_KEY:-}"
 COPY_UTIL="$WORKDIR/utils/copy-cm-and-secrets/copy_cm_func.sh"

And add a final newline at the end of line 96.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@Helmsman/hooks/esignet-1.7.1/signup-service-preinstall.sh` around lines 1 -
96, The script must accept an optional KUBECONFIG and ensure a final newline;
add handling at the top to read an optional KUBECONFIG (e.g., accept first arg
or env var) and then use it for all kubectl invocations (replace direct
"kubectl" calls with a variable like KUBECTL or prefix kubectl with
"--kubeconfig $KUBECONFIG" when KUBECONFIG is set) so functions/commands such as
the namespace creation, configmap/secret creation, $COPY_UTIL calls and kubectl
patch use the provided kubeconfig, and add a terminating newline at the end of
the file.

Source: Coding guidelines

Helmsman/hooks/esignet-1.7.1/trigger-test-jobs-esignet.sh (1)

1-93: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Add KUBECONFIG optional argument support and fix missing final newline.

The script does not accept the optional KUBECONFIG argument that all hook scripts must support per guidelines. Additionally, line 93 is missing the final newline character.

🔧 Proposed fix
 #!/bin/bash
 # =============================================================================
 # eSignet 1.7.1 - Trigger Testrig CronJobs
 # =============================================================================
 # Immediately triggers testrig CronJobs after deployment:
 #   apitestrig  → esignet ns   (cronjob-apitestrig-esignet)
 #   signup-apitestrig → signup ns  (if deployed)
 #   signup-uitestrig  → signup-uitestrig ns (if deployed)
 # =============================================================================
 set -euo pipefail
 
+# Accept optional KUBECONFIG as first argument
+export KUBECONFIG="${1:-$KUBECONFIG}"
+
 CONTINUE_ON_FAILURE="${CONTINUE_ON_FAILURE:-true}"
 JOB_TIMEOUT="${JOB_TIMEOUT:-5400}"
 OVERALL_SUCCESS=true

And add a final newline at the end of line 93.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@Helmsman/hooks/esignet-1.7.1/trigger-test-jobs-esignet.sh` around lines 1 -
93, The script must accept an optional KUBECONFIG parameter and append a final
newline; update the top-level arg handling to capture KUBECONFIG (e.g.
KUBECONFIG_ARG="" and if [[ -n "${1:-}" ]]; then KUBECONFIG="$1"; fi and set
KUBECONFIG_ARG="--kubeconfig=$KUBECONFIG" when KUBECONFIG is non-empty) and then
use that variable in every kubectl invocation inside trigger_and_wait and
trigger_all_in_ns (replace kubectl ... with kubectl $KUBECONFIG_ARG ...) so all
calls honor the optional config, and ensure the file ends with a newline
character.

Source: Coding guidelines

Helmsman/hooks/esignet-1.7.1/signup-keycloak-init-preinstall.sh (1)

1-60: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Add KUBECONFIG optional argument support and fix missing final newline.

The script does not accept the optional KUBECONFIG argument that all hook scripts must support per guidelines. Additionally, line 60 is missing the final newline character.

🔧 Proposed fix
 #!/bin/bash
 # =============================================================================
 # eSignet 1.7.1 - Signup Keycloak Init Pre-install
 # =============================================================================
 # Based on: esignet-signup/deploy/keycloak/keycloak-init.sh
 # Copies keycloak configmaps/secrets to signup namespace and ensures
 # keycloak-client-secrets contains mosip_signup_client_secret before
 # the keycloak-init helm chart runs.
 #
 # On first deploy: generates a UUID secret if none exists in keycloak ns.
 # On re-deploy:    propagates the existing secret from keycloak namespace.
 #
 # Environment Variables:
 #   SIGNUP_NS - Signup namespace (default: signup)
 # =============================================================================
 set -euo pipefail
 
+# Accept optional KUBECONFIG as first argument
+export KUBECONFIG="${1:-$KUBECONFIG}"
+
 SIGNUP_NS="${SIGNUP_NS:-signup}"
 KEYCLOAK_NS="keycloak"
 SECRET_KEY="mosip_signup_client_secret"
 COPY_UTIL="$WORKDIR/utils/copy-cm-and-secrets/copy_cm_func.sh"
 
 echo "================================================"
 echo "eSignet 1.7.1 - Signup Keycloak Init Pre-install"
 echo "================================================"

And add a final newline at the end of line 60.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@Helmsman/hooks/esignet-1.7.1/signup-keycloak-init-preinstall.sh` around lines
1 - 60, Add optional KUBECONFIG argument handling and ensure the file ends with
a newline: at the top of the script (after set -euo pipefail) accept an optional
first argument and export it as KUBECONFIG when present (e.g. if [ -n "${1:-}"
]; then export KUBECONFIG="$1"; fi) so all kubectl calls (used throughout the
script, e.g. the kubectl lines that use SIGNUP_NS, KEYCLOAK_NS and SECRET_KEY
and the COPY_UTIL helper invocations) will respect the provided kubeconfig; also
add a final newline character at the end of the file.

Source: Coding guidelines

Helmsman/utils/esignet-apitestrig-values.yaml (1)

29-29: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Add missing final newline.

Line 29 is missing a final newline character.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@Helmsman/utils/esignet-apitestrig-values.yaml` at line 29, The YAML file
esignet-apitestrig-values.yaml is missing a final newline; open that file and
add a single trailing newline character at the end so the file ends with a
newline, save and commit the change (ensuring no other content is altered).
Helmsman/utils/config-server-esignet-values.yaml (1)

140-140: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Add missing final newline.

Line 140 is missing a final newline character.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@Helmsman/utils/config-server-esignet-values.yaml` at line 140, The file is
missing a final newline at EOF; open the YAML file and add a single trailing
newline character (LF) so the file ends with '\n' (ensure the last line is
terminated), then save the file to include the final newline.
Helmsman/hooks/esignet-1.7.1/kernel-preinstall.sh (1)

1-45: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Add KUBECONFIG optional argument support and fix missing final newline.

The script does not accept the optional KUBECONFIG argument that all hook scripts must support per guidelines. Additionally, line 45 is missing the final newline character.

🔧 Proposed fix
 #!/bin/bash
 # =============================================================================
 # eSignet 1.7.1 - Kernel Services Pre-install
 # =============================================================================
 # Based on: esignet-signup/deploy/kernel/install.sh
 # Creates kernel namespace, domain-config configmap, and optionally copies
 # artifactory-share and config-server-share configmaps if available.
 #
 # This script is idempotent — safe to run multiple times (used as preInstall
 # for authmanager, auditmanager, and otpmanager which run in parallel).
 #
 # Environment Variables:
 #   MOSIP_API_HOST           - External API host (e.g. api.sandbox.xyz.net)
 #   MOSIP_API_INTERNAL_HOST  - Internal API host (e.g. api-internal.sandbox.xyz.net)
 # =============================================================================
 set -euo pipefail
 
+# Accept optional KUBECONFIG as first argument
+export KUBECONFIG="${1:-$KUBECONFIG}"
+
 KERNEL_NS="kernel"
 API_HOST="${MOSIP_API_HOST:-}"
 API_INTERNAL_HOST="${MOSIP_API_INTERNAL_HOST:-}"
 COPY_UTIL="$WORKDIR/utils/copy-cm-and-secrets/copy_cm_func.sh"

And add a final newline at the end of line 45.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@Helmsman/hooks/esignet-1.7.1/kernel-preinstall.sh` around lines 1 - 45, The
kernel pre-install hook is missing the standard optional KUBECONFIG argument
handling and the file also needs a trailing newline. Update kernel-preinstall.sh
to accept an optional first argument for KUBECONFIG near the top of the script,
export or apply it before any kubectl calls in the kernel
namespace/domain-config setup flow, and keep the existing behavior unchanged
when no argument is provided. Also ensure the script ends with a final newline
after the "Kernel pre-install completed." echo.

Source: Coding guidelines

🟡 Minor comments (9)
CLAUDE.md-142-151 (1)

142-151: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Fix the malformed priority table header (3 columns declared, 4 provided).

At Line 146 and Line 151, rows include a fourth notes cell, but the table header only defines three columns. Some renderers will drop/misalign that data.

Suggested markdown fix
-| Priority | Component | Namespace |
-|---|---|---|
+| Priority | Component | Namespace | Notes |
+|---|---|---|---|
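Review bot: with the header widened to four columns, every row in the table needs four cells; rows that carry no note must end with an empty trailing cell (`| |`), or the same renderers will misalign them the other way.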
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@CLAUDE.md` around lines 142 - 151, The priority table defines three columns
but rows include a fourth "notes" cell; update the table header for that table
in CLAUDE.md to declare four columns (e.g., add a "Notes" header and a
corresponding separator pipe so the header and separator rows have four columns)
so each data row (the rows containing extra notes like the dynamic DB creation
and postInstall details) aligns correctly with the header; ensure the header
separator line (the --- row) also has four entries to match.

Source: Linters/SAST tools

Helmsman/hooks/esignet-1.7.1/apitestrig-esignet-qa11-setup.sh-10-13 (1)

10-13: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Add optional KUBECONFIG argument handling.

This hook does not currently accept/consume a first positional kubeconfig argument before running kubectl.

As per coding guidelines, "All hook scripts must be idempotent and accept KUBECONFIG as an optional first argument."

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@Helmsman/hooks/esignet-1.7.1/apitestrig-esignet-qa11-setup.sh` around lines
10 - 13, The script must accept an optional first positional KUBECONFIG argument
and use it for subsequent kubectl invocations; modify the top of the script
(near NS and COPY_UTIL) to check if $1 is non-empty and, if so, export
KUBECONFIG="$1" (or assign to a local variable used by kubectl) and shift the
positional args so existing variables like NS and COPY_UTIL remain correct;
ensure all later kubectl calls reference the KUBECONFIG-aware environment (or
use "${KUBECONFIG:-}" if invoking kubectl with --kubeconfig) so the hook remains
idempotent and supports the optional kubeconfig parameter.

Source: Coding guidelines

Helmsman/hooks/esignet-1.7.1/signup-init-db.sh-13-17 (1)

13-17: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Add optional KUBECONFIG argument handling.

This hook does not currently accept/consume a first positional kubeconfig argument before running kubectl.

As per coding guidelines, "All hook scripts must be idempotent and accept KUBECONFIG as an optional first argument."

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@Helmsman/hooks/esignet-1.7.1/signup-init-db.sh` around lines 13 - 17, The
script must accept an optional first positional KUBECONFIG and use it for
kubectl calls; update signup-init-db.sh to detect if $1 is present and treat it
as KUBECONFIG (e.g., set/export KUBECONFIG="$1" and shift) so existing
environment variables still work, then ensure all kubectl invocations in the
script use either the KUBECONFIG env or explicit --kubeconfig "$KUBECONFIG";
keep current variables (SIGNUP_NS, POSTGRES_NS, COPY_UTIL) and idempotency
unchanged.

Source: Coding guidelines

Helmsman/hooks/esignet-1.7.1/apitestrig-esignet-sunbird-setup.sh-10-13 (1)

10-13: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Add optional KUBECONFIG argument handling.

This hook does not currently accept/consume a first positional kubeconfig argument before running kubectl.

As per coding guidelines, "All hook scripts must be idempotent and accept KUBECONFIG as an optional first argument."

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@Helmsman/hooks/esignet-1.7.1/apitestrig-esignet-sunbird-setup.sh` around
lines 10 - 13, The script apitestrig-esignet-sunbird-setup.sh must accept an
optional first positional KUBECONFIG argument: detect if $1 is provided, set
KUBECONFIG to that value (falling back to existing $KUBECONFIG if not), and
shift past it so subsequent positional args remain unchanged; ensure all kubectl
calls in the script use the resulting KUBECONFIG environment (no changes to each
kubectl invocation needed if you export KUBECONFIG). Update the top of the
script near variables NS and COPY_UTIL to perform this argument handling and
export KUBECONFIG to make the hook idempotent and compliant with guidelines.

Source: Coding guidelines

Helmsman/hooks/esignet-1.7.1/apitestrig-signup-setup.sh-10-13 (1)

10-13: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Add optional KUBECONFIG argument handling.

This hook does not currently accept/consume a first positional kubeconfig argument before running kubectl.

As per coding guidelines, "All hook scripts must be idempotent and accept KUBECONFIG as an optional first argument."

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@Helmsman/hooks/esignet-1.7.1/apitestrig-signup-setup.sh` around lines 10 -
13, The script apitestrig-signup-setup.sh must accept an optional first
positional KUBECONFIG argument and use it for all kubectl calls; modify the
script to check if "$1" is non-empty, then export KUBECONFIG="$1" and shift the
positional args (so existing variable names NS and COPY_UTIL remain unchanged)
so subsequent calls to kubectl (and any functions sourced from COPY_UTIL)
automatically use that kubeconfig; ensure behavior is unchanged when no argument
is provided (i.e., do nothing and rely on the existing environment).

Source: Coding guidelines

Helmsman/hooks/esignet-1.7.1/apitestrig-esignet-setup.sh-10-13 (1)

10-13: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Add optional KUBECONFIG argument handling.

This hook does not currently accept/consume a first positional kubeconfig argument before running kubectl.

As per coding guidelines, "All hook scripts must be idempotent and accept KUBECONFIG as an optional first argument."

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@Helmsman/hooks/esignet-1.7.1/apitestrig-esignet-setup.sh` around lines 10 -
13, The script must accept an optional first positional KUBECONFIG argument and
use it for subsequent kubectl invocations; add logic at the top to check if $1
is non-empty and looks like a kubeconfig path, set or export KUBECONFIG="$1" (or
assign to a local KUBECONFIG variable used by kubectl invocations), and shift
the positional args so the rest of the script (and variables like NS and
COPY_UTIL) continue to work unchanged; ensure the new handling preserves set
-euo pipefail semantics and leaves behavior unchanged when no argument is
provided.

Source: Coding guidelines

Helmsman/hooks/esignet-1.7.1/apitestrig-esignet-cre-setup.sh-10-13 (1)

10-13: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Add optional KUBECONFIG argument handling.

This hook does not currently accept/consume a first positional kubeconfig argument before running kubectl.

As per coding guidelines, "All hook scripts must be idempotent and accept KUBECONFIG as an optional first argument."

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@Helmsman/hooks/esignet-1.7.1/apitestrig-esignet-cre-setup.sh` around lines 10
- 13, Add handling for an optional first positional KUBECONFIG argument: at the
top of the script (near the existing set -euo pipefail and variable declarations
like NS and COPY_UTIL) check if "${1:-}" is non-empty and, if so, export
KUBECONFIG="$1" and shift so the rest of the script continues unchanged; ensure
subsequent kubectl usages rely on the KUBECONFIG env var (or explicitly pass
"$KUBECONFIG" as needed).

Source: Coding guidelines

Helmsman/hooks/esignet-1.7.1/signup-keycloak-init-postinstall.sh-12-16 (1)

12-16: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Add optional KUBECONFIG argument handling.

This hook does not currently accept/consume a first positional kubeconfig argument before running kubectl.

As per coding guidelines, "All hook scripts must be idempotent and accept KUBECONFIG as an optional first argument."

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@Helmsman/hooks/esignet-1.7.1/signup-keycloak-init-postinstall.sh` around
lines 12 - 16, Add optional KUBECONFIG handling at the top of the script: detect
a first positional argument and, if present, export it as KUBECONFIG (or set a
kubectl wrapper variable) and shift so the rest of the script is unchanged; then
ensure all subsequent kubectl calls in this hook use the KUBECONFIG (either via
export KUBECONFIG or by invoking kubectl with --kubeconfig) so the script
remains idempotent and follows the guideline. Locate this logic near the
existing variable declarations (SIGNUP_NS, KEYCLOAK_NS, SECRET_KEY) and apply it
consistently to every kubectl invocation in signup-keycloak-init-postinstall.sh.

Source: Coding guidelines

Helmsman/hooks/esignet-1.7.1/softhsm-esignet-sunbird-setup.sh-7-9 (1)

7-9: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Accept optional KUBECONFIG in wrapper and forward remaining args.

This wrapper currently ignores a caller-provided kubeconfig path, so cluster-context override is not honored.

As per coding guidelines, "All hook scripts must be idempotent and accept KUBECONFIG as an optional first argument."

Suggested patch
 set -euo pipefail
+if [[ $# -gt 0 ]]; then
+  export KUBECONFIG="$1"
+  shift
+fi
 export ESIGNET_NS="esignet-sunbird"
-exec "$WORKDIR/hooks/esignet-1.7.1/softhsm-esignet-setup.sh"
+exec "$WORKDIR/hooks/esignet-1.7.1/softhsm-esignet-setup.sh" "$@"
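Review bot: `[[ $# -gt 0 ]]` treats an explicitly empty first argument as a kubeconfig path and exports `KUBECONFIG=""`; testing `-n "${1:-}"` is consistent with the other hooks and avoids that. Because the wrapper exports KUBECONFIG before it `exec`s `softhsm-esignet-setup.sh`, the inner script inherits it and needs no argument of its own, so forwarding `"$@"` after the shift is only correct if the inner script does not also treat its first positional argument as a kubeconfig.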
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@Helmsman/hooks/esignet-1.7.1/softhsm-esignet-sunbird-setup.sh` around lines 7
- 9, The wrapper currently ignores a caller-provided KUBECONFIG; update the top
of the script to accept an optional first argument as KUBECONFIG and forward any
remaining args to the exec call: if a first positional argument is present,
export KUBECONFIG="$1" and shift, then exec
"$WORKDIR/hooks/esignet-1.7.1/softhsm-esignet-setup.sh" "$@"; keep the existing
set -euo pipefail and export ESIGNET_NS="esignet-sunbird" semantics so the
wrapper remains idempotent and passes through any additional arguments.

Source: Coding guidelines

🧹 Nitpick comments (1)
Helmsman/hooks/esignet-1.7.1/trigger-test-jobs-esignet.sh (1)

24-24: 💤 Low value

Consider separating declaration and assignment to avoid masking return values.

ShellCheck flags SC2155 on these lines: combining local declaration with command substitution can mask the command's exit status, potentially hiding failures.

♻️ Proposed refactor
-  local job_name="${cronjob}-manual-$(date +%s)"
+  local job_name
+  job_name="${cronjob}-manual-$(date +%s)"
   echo "▶ Creating $job_name from $cronjob in $ns"
   kubectl create job -n "$ns" "$job_name" --from="cronjob/$cronjob"
 
   local elapsed=0
   while [[ $elapsed -lt $JOB_TIMEOUT ]]; do
-    local complete=$(kubectl get job -n "$ns" "$job_name" \
-      -o jsonpath='{.status.conditions[?(@.type=="Complete")].status}' 2>/dev/null || echo "")
-    local failed=$(kubectl get job -n "$ns" "$job_name" \
-      -o jsonpath='{.status.conditions[?(@.type=="Failed")].status}' 2>/dev/null || echo "")
+    local complete
+    complete=$(kubectl get job -n "$ns" "$job_name" \
+      -o jsonpath='{.status.conditions[?(@.type=="Complete")].status}' 2>/dev/null || echo "")
+    local failed
+    failed=$(kubectl get job -n "$ns" "$job_name" \
+      -o jsonpath='{.status.conditions[?(@.type=="Failed")].status}' 2>/dev/null || echo "")
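Review bot: splitting the declarations satisfies SC2155 but changes nothing here, because both `kubectl get` substitutions already end in `|| echo ""`, which masks the exit status on purpose so a transient API error reads as "not finished yet" and the loop keeps polling until JOB_TIMEOUT. That is the right behaviour for a poll loop; add a comment saying so, so the next reader does not strip the `|| echo ""` while chasing the same warning. The `local job_name` split is harmless since `date` cannot fail.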

Also applies to: 30-32

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@Helmsman/hooks/esignet-1.7.1/trigger-test-jobs-esignet.sh` at line 24, Split
the combined local+command-substitution declarations to avoid masking exit
codes: declare the variables first with local (e.g., local job_name) and then
perform the command substitution assignments on subsequent lines (e.g.,
job_name="${cronjob}-manual-$(date +%s)"). Apply the same pattern for the other
occurrences flagged (the statements around lines 30–32) so each command
substitution is not combined with a local declaration and any non-zero exit
status is preserved.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 46768f79-f521-4d74-8825-a1cb14ee48f0

📥 Commits

Reviewing files that changed from the base of the PR and between b90e326 and 4dae731.

📒 Files selected for processing (88)
  • .github/workflows/helmsman_esignet.yml
  • .github/workflows/helmsman_external.yml
  • .github/workflows/helmsman_signup.yml
  • .github/workflows/helmsman_testrigs.yml
  • CLAUDE.md
  • Helmsman/dsf/esignet/esignet-dsf.yaml
  • Helmsman/dsf/esignet/external-dsf.yaml
  • Helmsman/dsf/esignet/prereq-dsf.yaml
  • Helmsman/dsf/esignet/signup-dsf.yaml
  • Helmsman/dsf/esignet/testrigs-dsf.yaml
  • Helmsman/hooks/esignet-1.7.1/apitestrig-esignet-cre-setup.sh
  • Helmsman/hooks/esignet-1.7.1/apitestrig-esignet-qa11-setup.sh
  • Helmsman/hooks/esignet-1.7.1/apitestrig-esignet-setup.sh
  • Helmsman/hooks/esignet-1.7.1/apitestrig-esignet-sunbird-setup.sh
  • Helmsman/hooks/esignet-1.7.1/apitestrig-signup-setup.sh
  • Helmsman/hooks/esignet-1.7.1/captcha-postinstall.sh
  • Helmsman/hooks/esignet-1.7.1/config-server-esignet-postinstall.sh
  • Helmsman/hooks/esignet-1.7.1/config-server-esignet-setup.sh
  • Helmsman/hooks/esignet-1.7.1/esignet-cre-preinstall.sh
  • Helmsman/hooks/esignet-1.7.1/esignet-db-postinstall.sh
  • Helmsman/hooks/esignet-1.7.1/esignet-demo-oidc-partner-onboarder-postinstall.sh
  • Helmsman/hooks/esignet-1.7.1/esignet-demo-oidc-partner-onboarder-preinstall.sh
  • Helmsman/hooks/esignet-1.7.1/esignet-init-db.sh
  • Helmsman/hooks/esignet-1.7.1/esignet-misp-onboarder-postinstall.sh
  • Helmsman/hooks/esignet-1.7.1/esignet-misp-onboarder-preinstall.sh
  • Helmsman/hooks/esignet-1.7.1/esignet-mock-rp-onboarder-postinstall.sh
  • Helmsman/hooks/esignet-1.7.1/esignet-mock-rp-onboarder-preinstall.sh
  • Helmsman/hooks/esignet-1.7.1/esignet-partner-onboarder-postinstall.sh
  • Helmsman/hooks/esignet-1.7.1/esignet-partner-onboarder-preinstall.sh
  • Helmsman/hooks/esignet-1.7.1/esignet-postinstall-keycloak-init.sh
  • Helmsman/hooks/esignet-1.7.1/esignet-preinstall-keycloak-init.sh
  • Helmsman/hooks/esignet-1.7.1/esignet-preinstall.sh
  • Helmsman/hooks/esignet-1.7.1/esignet-qa11-preinstall.sh
  • Helmsman/hooks/esignet-1.7.1/esignet-sunbird-preinstall.sh
  • Helmsman/hooks/esignet-1.7.1/kernel-preinstall.sh
  • Helmsman/hooks/esignet-1.7.1/keycloak-postinstall.sh
  • Helmsman/hooks/esignet-1.7.1/mock-identity-init-db.sh
  • Helmsman/hooks/esignet-1.7.1/mock-identity-system-preinstall.sh
  • Helmsman/hooks/esignet-1.7.1/mock-relying-party-service-cre-preinstall.sh
  • Helmsman/hooks/esignet-1.7.1/mock-relying-party-service-preinstall.sh
  • Helmsman/hooks/esignet-1.7.1/mock-relying-party-service-qa11-preinstall.sh
  • Helmsman/hooks/esignet-1.7.1/mock-relying-party-service-sunbird-preinstall.sh
  • Helmsman/hooks/esignet-1.7.1/mock-relying-party-ui-cre-preinstall.sh
  • Helmsman/hooks/esignet-1.7.1/mock-relying-party-ui-qa11-preinstall.sh
  • Helmsman/hooks/esignet-1.7.1/mock-relying-party-ui-sunbird-preinstall.sh
  • Helmsman/hooks/esignet-1.7.1/notifier-postinstall.sh
  • Helmsman/hooks/esignet-1.7.1/oidc-ui-cre-preinstall.sh
  • Helmsman/hooks/esignet-1.7.1/oidc-ui-preinstall.sh
  • Helmsman/hooks/esignet-1.7.1/oidc-ui-qa11-preinstall.sh
  • Helmsman/hooks/esignet-1.7.1/oidc-ui-sunbird-preinstall.sh
  • Helmsman/hooks/esignet-1.7.1/pms-partner-cre-preinstall.sh
  • Helmsman/hooks/esignet-1.7.1/pms-partner-qa11-preinstall.sh
  • Helmsman/hooks/esignet-1.7.1/postgres-postinstall.sh
  • Helmsman/hooks/esignet-1.7.1/postgres-preinstall.sh
  • Helmsman/hooks/esignet-1.7.1/redis-setup.sh
  • Helmsman/hooks/esignet-1.7.1/signup-init-db.sh
  • Helmsman/hooks/esignet-1.7.1/signup-keycloak-init-postinstall.sh
  • Helmsman/hooks/esignet-1.7.1/signup-keycloak-init-preinstall.sh
  • Helmsman/hooks/esignet-1.7.1/signup-service-preinstall.sh
  • Helmsman/hooks/esignet-1.7.1/softhsm-esignet-cre-setup.sh
  • Helmsman/hooks/esignet-1.7.1/softhsm-esignet-postinstall.sh
  • Helmsman/hooks/esignet-1.7.1/softhsm-esignet-qa11-setup.sh
  • Helmsman/hooks/esignet-1.7.1/softhsm-esignet-setup.sh
  • Helmsman/hooks/esignet-1.7.1/softhsm-esignet-sunbird-setup.sh
  • Helmsman/hooks/esignet-1.7.1/softhsm-mock-identity-system-postinstall.sh
  • Helmsman/hooks/esignet-1.7.1/trigger-test-jobs-esignet.sh
  • Helmsman/hooks/esignet-1.7.1/uitestrig-signup-setup.sh
  • Helmsman/hooks/wait-for-istio-crds.sh
  • Helmsman/utils/config-server-esignet-values.yaml
  • Helmsman/utils/esignet-apitestrig-values.yaml
  • Helmsman/utils/esignet-cre-plugin-values.yaml
  • Helmsman/utils/esignet-plugin-values.yaml
  • Helmsman/utils/esignet-qa11-plugin-values.yaml
  • Helmsman/utils/esignet-signup-apitestrig-values.yaml
  • Helmsman/utils/esignet-sunbird-plugin-values.yaml
  • Helmsman/utils/esignet-values.yaml
  • Helmsman/utils/keycloak-esignet-init-values.yaml
  • Helmsman/utils/keycloak-signup-init-values.yaml
  • Helmsman/utils/signup-uitestrig-values.yaml
  • Helmsman/utils/softhsm-esignet-cre-values.yaml
  • Helmsman/utils/softhsm-esignet-qa11-values.yaml
  • Helmsman/utils/softhsm-esignet-sunbird-values.yaml
  • terraform/implementations/aws/infra/estest-CONTROL-PLANE-NODE-1.yaml
  • terraform/implementations/aws/infra/estest.yaml
  • terraform/implementations/aws/infra/profiles/esignet/aws.tfvars
  • terraform/implementations/aws/infra/profiles/mosip/aws.tfvars
  • terraform/implementations/aws/infra/tf-plan.gpg
  • terraform/modules/aws/rke2-cluster/ansible/estest-CONTROL-PLANE-NODE-1.yaml
💤 Files with no reviewable changes (5)
  • Helmsman/hooks/esignet-1.7.1/esignet-partner-onboarder-postinstall.sh
  • Helmsman/hooks/esignet-1.7.1/esignet-demo-oidc-partner-onboarder-preinstall.sh
  • Helmsman/hooks/esignet-1.7.1/esignet-partner-onboarder-preinstall.sh
  • Helmsman/dsf/esignet/esignet-dsf.yaml
  • Helmsman/hooks/esignet-1.7.1/esignet-demo-oidc-partner-onboarder-postinstall.sh

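The review above asks every hook to accept an optional kubeconfig path as its first argument while running under `set -euo pipefail`. The following is an added example of such a preamble, written for this page and not taken from the mosip PR or from the Helmsman hooks it changes. It assumes only the `set -eu` convention the hooks already use; the function names `resolve_kubeconfig`, `kubeconfig_is_private` and `apply_kubeconfig` are hypothetical. It adds one check the hooks do not have: a warning when the kubeconfig is readable by other users, which on a shared CI runner means cluster credentials are readable by other users.

```shell
#!/bin/sh
# Added example for this review page, not code from the mosip PR or from the
# Helmsman hooks it changes. Shows a hook preamble that takes an optional
# kubeconfig path as $1, stays safe under `set -u`, and refuses a path that
# does not exist. Function names are hypothetical.
set -eu

# resolve_kubeconfig [path]
# Print the kubeconfig path to use: the argument if given, else the
# environment value, else nothing (kubectl then uses its default loading
# rules). "${KUBECONFIG:-}" is what keeps this from tripping `set -u`;
# "${1:-$KUBECONFIG}" would abort when both are unset.
resolve_kubeconfig() {
  if [ -n "${1:-}" ]; then
    printf '%s\n' "$1"
  else
    printf '%s\n' "${KUBECONFIG:-}"
  fi
}

# kubeconfig_is_private <path>
# Return 0 when the file exists and has no group or other permission bits.
# A kubeconfig readable by other users on a CI runner is a cluster
# credential leak, so hooks should at least warn about it.
kubeconfig_is_private() {
  f="$1"
  [ -f "$f" ] || return 1
  # Characters 5-10 of `ls -l` output are the group and other rwx bits.
  perms=$(ls -ld "$f" | cut -c5-10)
  [ "$perms" = "------" ]
}

# apply_kubeconfig [path]
# The preamble itself: resolve, validate, export. Returns 1 (so `set -e`
# aborts the hook) when an explicit path points at a missing file.
apply_kubeconfig() {
  cfg=$(resolve_kubeconfig "${1:-}")
  if [ -z "$cfg" ]; then
    unset KUBECONFIG   # leave kubectl on its default loading rules
    return 0
  fi
  if [ ! -f "$cfg" ]; then
    echo "kubeconfig not found: $cfg" >&2
    return 1
  fi
  if ! kubeconfig_is_private "$cfg"; then
    echo "warning: $cfg is readable by group/other; chmod 600 it" >&2
  fi
  KUBECONFIG="$cfg"
  export KUBECONFIG
}

# Typical use at the top of a hook: apply_kubeconfig "${1:-}"
```

Calling `apply_kubeconfig "${1:-}"` at the top of a hook gives the behaviour the guideline asks for: an explicit path wins, an inherited KUBECONFIG is kept, and with neither present kubectl falls back to its normal loading rules instead of the script dying on an unbound variable. The permission check is deliberately a warning rather than a hard failure so it cannot break an existing pipeline; tightening it to `return 1` is a one-line change once runners are known to be clean.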
Comment thread Helmsman/dsf/esignet/external-dsf.yaml
bhumi46 and others added 2 commits June 9, 2026 11:41
Signed-off-by: bhumi46 <thisisbn46@gmail.com>
Updated documentation and flow diagram for terraform profile based workflow

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 2

🧹 Nitpick comments (1)
Helmsman/dsf/esignet/esignet-dsf.yaml (1)

1-19: ⚡ Quick win

Document dependency on external-dsf.yaml for complete deployment.

The DSF header comments list components but don't mention that this DSF requires prior deployment of external dependencies (postgres-init, keycloak-init) from external-dsf.yaml. Per coding guidelines, "eSignet DSF priority order must start at -18 (postgres) and deploy keycloak-init at -11 in keycloak namespace." Since those entries are in external-dsf.yaml, consider adding a dependency note in the header.

📝 Suggested header addition
 # =============================================================================
 # eSignet Profile - eSignet Services DSF (Desired State File)
 # =============================================================================
 # This DSF deploys eSignet v1.7.1 services for the standalone eSignet profile.
+#
+# Prerequisites: Deploy external-dsf.yaml first (postgres-init at -18, 
+# keycloak-init at -11, and other external dependencies).
 #
 # Components (in priority order):
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@Helmsman/dsf/esignet/esignet-dsf.yaml` around lines 1 - 19, Add a short
header note to esignet-dsf.yaml stating that this DSF depends on
external-dsf.yaml for external prerequisites (specifically postgres-init at
priority -18 and keycloak-init at priority -11 in the keycloak namespace) so
reviewers know those components must be deployed first; reference the
external-dsf.yaml dependency and the specific entries postgres-init and
keycloak-init (priority -18 and -11) in the comment block at the top of the
file.

Source: Coding guidelines

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@Helmsman/dsf/esignet/esignet-dsf.yaml`:
- Around line 493-555: The preInstall hooks pms-partner-cre-preinstall.sh and
pms-partner-qa11-preinstall.sh create Istio Gateways that reference TLS secrets
credentialName: pms-partner-cre-tls and pms-partner-qa11-tls but there are no
Secret manifests in the repo; ensure those TLS Secrets exist in the istio-system
namespace before helm install by either adding Kubernetes Secret manifests (or
cert-manager Certificate resources) for pms-partner-cre-tls and
pms-partner-qa11-tls to the repo and/or document/automate their pre-provisioning
(or modify the preinstall hooks to create/import the secrets), and verify the
Gateway names (pms-partner-cre-gateway, pms-partner-qa11-gateway) point to the
correct credentialName values.
- Around line 568-638: The DSF deploys the mosip/partner-onboarder only as the
esignet release and leaves esignet-misp-onboarder disabled, while esignet-cre
and esignet-qa11 only get an empty placeholder secret (mosip-esignet-misp-key /
esignet-misp-onboarder-key), so the MOSIP_ESIGNET_MISP_KEY never gets populated;
fix by either (A) adding namespace-specific releases named like
esignet-misp-onboarder for the esignet-cre and esignet-qa11 namespaces (same
chart mosip/partner-onboarder and same set keys) so the onboarder job writes the
per-namespace secret, or (B) implement a post-install hook/job that copies the
populated secret esignet-misp-onboarder-key (key: mosip-esignet-misp-key) from
the esignet namespace into esignet-cre and esignet-qa11 after the shared
onboarder runs; if you keep a single shared onboarder, add documentation
describing this copy mechanism and ensure the preInstall hooks that currently
create placeholders are updated to expect the copy step.


ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 8dd7192c-850d-49a2-9fea-430316650865

📥 Commits

Reviewing files that changed from the base of the PR and between 4dae731 and 63e5954.

⛔ Files ignored due to path filters (5)
  • docs/_images/esignet.png is excluded by !**/*.png
  • docs/_images/helmsman-external-services.png is excluded by !**/*.png
  • docs/_images/helmsman-testrigs.png is excluded by !**/*.png
  • docs/_images/infra-terraform-apply.png is excluded by !**/*.png
  • docs/_images/infra-terraform-destroy.png is excluded by !**/*.png
📒 Files selected for processing (8)
  • .github/workflows/README.md
  • Helmsman/dsf/esignet/esignet-dsf.yaml
  • README.md
  • docs/ENVIRONMENT_DESTRUCTION_GUIDE.md
  • docs/SECRET_GENERATION_GUIDE.md
  • docs/TERRAFORM_WORKFLOW_GUIDE.md
  • docs/_images/ARCHITECTURE_DIAGRAMS.md
  • terraform/README.md
✅ Files skipped from review due to trivial changes (1)
  • docs/ENVIRONMENT_DESTRUCTION_GUIDE.md

Comment on lines +493 to +555
pms-partner-cre:
namespace: esignet-cre
enabled: true
version: 12.2.3
chart: mosip/pms-partner
set:
# image.repository: "mosipid/partner-management-service"
# image.tag: "1.2.2.3"
istio.gateways[0]: "pms-partner-cre-gateway"
istio.corsPolicy.allowOrigins[0].prefix: "https://pms-cre.${domain_name}"
extraEnvVarsCM[0]: "esignet-domain-config"
extraEnvVarsCM[1]: "esignet-config-server-share"
priority: -9
timeout: 1200
hooks:
preInstall: "$WORKDIR/hooks/esignet-1.7.1/pms-partner-cre-preinstall.sh"

pms-policy-cre:
namespace: esignet-cre
enabled: true
version: 12.2.3
chart: mosip/pms-policy
set:
# image.repository: "mosipid/policy-management-service"
# image.tag: "1.2.2.2"
istio.gateways[0]: "pms-partner-cre-gateway"
istio.corsPolicy.allowOrigins[0].prefix: "https://pms-cre.${domain_name}"
extraEnvVarsCM[0]: "esignet-domain-config"
extraEnvVarsCM[1]: "esignet-config-server-share"
priority: -9
timeout: 1200

pms-partner-qa11:
namespace: esignet-qa11
enabled: true
version: 12.2.3
chart: mosip/pms-partner
set:
# image.repository: "mosipid/partner-management-service"
# image.tag: "1.2.2.3"
istio.gateways[0]: "pms-partner-qa11-gateway"
istio.corsPolicy.allowOrigins[0].prefix: "https://pms-qa11.${domain_name}"
extraEnvVarsCM[0]: "esignet-domain-config"
extraEnvVarsCM[1]: "esignet-config-server-share"
priority: -9
timeout: 1200
hooks:
preInstall: "$WORKDIR/hooks/esignet-1.7.1/pms-partner-qa11-preinstall.sh"

pms-policy-qa11:
namespace: esignet-qa11
enabled: true
version: 12.2.3
chart: mosip/pms-policy
set:
# image.repository: "mosipid/policy-management-service"
# image.tag: "1.2.2.2"
istio.gateways[0]: "pms-partner-qa11-gateway"
extraEnvVarsCM[0]: "esignet-domain-config"
extraEnvVarsCM[1]: "esignet-config-server-share"
istio.corsPolicy.allowOrigins[0].prefix: "https://pms-qa11.${domain_name}"
priority: -9
timeout: 1200
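Review bot: all four pms-* releases share priority -9, yet pms-policy-cre and pms-policy-qa11 route through `istio.gateways[0]` "pms-partner-cre-gateway" / "pms-partner-qa11-gateway", a Gateway that only the pms-partner-* preInstall hooks create, so the ordering the policy releases depend on is not expressed in the DSF. Suggest moving pms-policy-cre and pms-policy-qa11 to a later priority (for example -8) so the Gateway exists before their routes bind to it. Separately, `istio.corsPolicy.allowOrigins[0].prefix: "https://pms-cre.${domain_name}"` is a plain string-prefix match in Istio, so it also admits any origin that merely begins with that string; if the intent is to allow exactly that origin, `exact` is the tighter setting. Minor: pms-policy-qa11 places the corsPolicy key after extraEnvVarsCM[1] while the other three blocks put it before, which makes the four releases harder to diff.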


⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Check for gateway and TLS secret creation in hooks

echo "=== Checking for gateway creation in hooks ==="
rg -n 'pms-partner-cre-gateway|pms-partner-qa11-gateway' \
  Helmsman/hooks/esignet-1.7.1/pms-partner-cre-preinstall.sh \
  Helmsman/hooks/esignet-1.7.1/pms-partner-qa11-preinstall.sh

echo ""
echo "=== Checking for TLS secret references ==="
rg -n 'pms-partner-cre-tls|pms-partner-qa11-tls' \
  Helmsman/hooks/esignet-1.7.1/ \
  Helmsman/dsf/esignet/

Repository: mosip/infra

Length of output: 802


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "=== Find all references to pms-partner-cre-tls / pms-partner-qa11-tls ==="
rg -n 'pms-partner-(cre|qa11)-tls' Helmsman | head -n 50

echo ""
echo "=== Show hook scripts around gateway creation + TLS credential usage ==="
for f in Helmsman/hooks/esignet-1.7.1/pms-partner-cre-preinstall.sh Helmsman/hooks/esignet-1.7.1/pms-partner-qa11-preinstall.sh; do
  echo "--- $f (first 120 lines) ---"
  nl -ba "$f" | sed -n '1,120p'
  echo ""
done

echo "=== Search for Kubernetes secret creation commands inside hooks ==="
rg -n 'kubectl (create|apply).*secret|kind: Secret|apiVersion: v1.*Secret' Helmsman/hooks/esignet-1.7.1/pms-partner-*-preinstall.sh || true

Repository: mosip/infra

Length of output: 564


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "=== Hook script headers: check for kubectl/apply and namespaces ==="
for f in \
  Helmsman/hooks/esignet-1.7.1/pms-partner-cre-preinstall.sh \
  Helmsman/hooks/esignet-1.7.1/pms-partner-qa11-preinstall.sh; do
  echo
  echo "--- $f (lines 1-120) ---"
  sed -n '1,120p' "$f"
  echo
  echo "--- $f (credentialName + surrounding ~15 lines) ---"
  rg -n --context 15 'credentialName: pms-partner-(cre|qa11)-tls|credentialName: pms-partner-(cre|qa11)-tls' "$f" || true
done

echo "=== Search repo for Secret creation/manifests referencing the TLS secret names ==="
rg -n \
  'pms-partner-(cre|qa11)-tls' \
  Helmsman \
  | head -n 200

echo "=== Search specifically for Kubernetes Secret manifests/usages for those names ==="
rg -n \
  '(kind: *Secret|metadata:.*name: *pms-partner-(cre|qa11)-tls|kubectl (create|apply)|apiVersion: *v1.*Secret)' \
  Helmsman \
  | head -n 200

Repository: mosip/infra

Length of output: 16382


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "=== Exact match search for TLS secret names (cre) and (qa11) ==="
rg -n 'pms-partner-cre-tls' . || true
echo "----"
rg -n 'pms-partner-qa11-tls' . || true

echo
echo "=== Search for any Secret manifests that include 'pms-partner' and 'tls' keywords (broader) ==="
rg -n --glob='*.yml' --glob='*.yaml' '(kind:\s*Secret|apiVersion:\s*v1).*pms-partner.*tls|pms-partner.*tls.*(kind:|apiVersion:)' Helmsman || true

Repository: mosip/infra

Length of output: 1375


Ensure PMS TLS Secrets are pre-provisioned (hooks only create Gateways).

pms-partner-cre-preinstall.sh / pms-partner-qa11-preinstall.sh create the Istio Gateways (pms-partner-*-gateway) in esignet-cre / esignet-qa11 and reference credentialName: pms-partner-cre-tls and pms-partner-qa11-tls, but the repo does not contain any Secret manifests/creation for those TLS secret names. The pms-partner-* releases therefore require pms-partner-cre-tls and pms-partner-qa11-tls to already exist in istio-system before these preInstall hooks run (e.g., via cert-manager or manual import).

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@Helmsman/dsf/esignet/esignet-dsf.yaml` around lines 493 - 555, The preInstall
hooks pms-partner-cre-preinstall.sh and pms-partner-qa11-preinstall.sh create
Istio Gateways that reference TLS secrets credentialName: pms-partner-cre-tls
and pms-partner-qa11-tls but there are no Secret manifests in the repo; ensure
those TLS Secrets exist in the istio-system namespace before helm install by
either adding Kubernetes Secret manifests (or cert-manager Certificate
resources) for pms-partner-cre-tls and pms-partner-qa11-tls to the repo and/or
document/automate their pre-provisioning (or modify the preinstall hooks to
create/import the secrets), and verify the Gateway names
(pms-partner-cre-gateway, pms-partner-qa11-gateway) point to the correct
credentialName values.

Source: Coding guidelines
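The TLS prerequisite raised above can be enforced by the hook itself rather than only documented. The following is an added example, not code from mosip/infra or its hooks: a bash preflight a preInstall hook could call before it applies the Gateway, checking that each referenced credentialName exists in istio-system as a kubernetes.io/tls secret carrying both tls.crt and tls.key. The KUBECTL override variable and the function names tls_secret_ready and gateway_preflight are assumptions made for this example.

```shell
#!/usr/bin/env bash
# Added example, not one of the mosip/infra hooks: a preflight that a
# preInstall hook can run before it applies an Istio Gateway, so that a
# missing or malformed TLS credential fails the deploy here, with a reason,
# instead of surfacing later as an ingress that cannot complete a handshake.
# Istio resolves credentialName in the ingress gateway's own namespace
# (istio-system in this DSF), which is why the check looks there.
# KUBECTL is an assumption made so the check can be exercised with a stub.
set -euo pipefail

KUBECTL="${KUBECTL:-kubectl}"

# tls_secret_ready <namespace> <secret-name>
# Succeeds when the secret exists, has type kubernetes.io/tls and carries both
# tls.crt and tls.key; otherwise prints the reason to stderr and returns 1.
tls_secret_ready() {
  local ns="$1" name="$2" out type crt key
  # one line each: type, tls.crt, tls.key ("with" yields an empty line when a
  # key is absent instead of the "<no value>" text a bare index would print)
  local tpl='{{.type}}{{"\n"}}'
  tpl+='{{with .data}}{{with index . "tls.crt"}}{{.}}{{end}}{{end}}{{"\n"}}'
  tpl+='{{with .data}}{{with index . "tls.key"}}{{.}}{{end}}{{end}}'
  if ! out="$("$KUBECTL" -n "$ns" get secret "$name" -o "go-template=$tpl" 2>/dev/null)"; then
    echo "secret $ns/$name not found" >&2
    return 1
  fi
  { read -r type; read -r crt; read -r key; } <<<"$out"
  if [ "$type" != "kubernetes.io/tls" ]; then
    echo "secret $ns/$name has type '$type', expected kubernetes.io/tls" >&2
    return 1
  fi
  if [ -z "$crt" ] || [ -z "$key" ]; then
    echo "secret $ns/$name lacks tls.crt or tls.key" >&2
    return 1
  fi
}

# gateway_preflight <namespace/secret>...
# Checks every credential a Gateway will reference and reports all failures
# before returning 1, mirroring the errors[] accumulation the workflows use.
gateway_preflight() {
  local ref missing=()
  for ref in "$@"; do
    tls_secret_ready "${ref%%/*}" "${ref#*/}" || missing+=("$ref")
  done
  if [ "${#missing[@]}" -gt 0 ]; then
    echo "preflight failed, provision before applying the Gateway: ${missing[*]}" >&2
    return 1
  fi
  echo "preflight ok: $# TLS secret(s) ready"
}

# CLI use: gateway-preflight.sh istio-system/pms-partner-cre-tls istio-system/pms-partner-qa11-tls
if [ "$#" -gt 0 ]; then
  gateway_preflight "$@"
fi
```

Calling `gateway_preflight istio-system/pms-partner-cre-tls` from the top of pms-partner-cre-preinstall.sh turns the undocumented dependency into a failing hook with a clear message; the same call with both secret names serves a shared hook.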

bhumi46 added 3 commits June 10, 2026 13:08
…Fs and workflows

Sub-task: mosip/mosip-infra#1889
Signed-off-by: bhumi46 <thisisbn46@gmail.com>
…workflows

Sub-task: mosip/mosip-infra#1889
Signed-off-by: bhumi46 <thisisbn46@gmail.com>
…gnet workflow

eSignet uses its own postgres instance (container), separate from the
MOSIP platform external postgres. Using a dedicated ESIGNET_DB_PORT
variable keeps the two independently configurable via vars.ESIGNET_DB_PORT
vs vars.DB_PORT.

Sub-task: mosip/mosip-infra#1889
Signed-off-by: bhumi46 <thisisbn46@gmail.com>

@coderabbitai coderabbitai Bot left a comment


Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)
.github/workflows/helmsman_external.yml (1)

62-82: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Consider validating db_port in the required variables check.

The validation step checks domain_name, env_name, clusterid, and slack_channel_name, but does not validate db_port. Given that all downstream DSF files now require ${db_port} for postgres-init and other database configurations (as seen in external-dsf.yaml, esignet-dsf.yaml, mosip-dsf.yaml, and testrigs-dsf.yaml), an empty or unset db_port will cause Helm chart deployment failures.

🔍 Suggested validation addition
           DOMAIN="${{ github.event.inputs.domain_name || vars.DOMAIN_NAME }}"
           ENV="${{ github.event.inputs.env_name || vars.ENV_NAME }}"
           CLUSTER="${{ github.event.inputs.clusterid || vars.CLUSTER_ID }}"
           SLACK_CH="${{ github.event.inputs.slack_channel_name || vars.SLACK_CHANNEL_NAME }}"
+          DB_PORT="${{ github.event.inputs.db_port || vars.DB_PORT }}"
           [ -z "$DOMAIN" ]    && errors+=("domain_name is empty — set vars.DOMAIN_NAME under Environment '${{ github.ref_name }}'")
           [ -z "$ENV" ]       && errors+=("env_name is empty — set vars.ENV_NAME under Environment '${{ github.ref_name }}'")
           [ -z "$CLUSTER" ]   && errors+=("clusterid is empty — set vars.CLUSTER_ID under Environment '${{ github.ref_name }}'")
           [ -z "$SLACK_CH" ]  && errors+=("slack_channel_name is empty — set vars.SLACK_CHANNEL_NAME under Environment '${{ github.ref_name }}'")
+          [ -z "$DB_PORT" ]   && errors+=("db_port is empty — set vars.DB_PORT under Environment '${{ github.ref_name }}'")
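Review bot: the added `[ -z "$DB_PORT" ]` line only catches an empty value; a non-numeric or out-of-range port would pass this step and still break the `${db_port}` substitution downstream. Suggest also rejecting anything outside 1-65535, for example `case "$DB_PORT" in ''|*[!0-9]*) errors+=("db_port must be numeric") ;; esac` before the range check. The same applies to the matching change proposed for helmsman_mosip.yml.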

Also add DB_PORT to the success output around line 82.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/helmsman_external.yml around lines 62 - 82, Add validation
for db_port alongside the existing DOMAIN/ENV/CLUSTER/SLACK_CH checks: capture
DB_PORT from inputs/vars into a DB_PORT variable (like
DOMAIN/ENV/CLUSTER/SLACK_CH), append an error to the errors array if DB_PORT is
empty, and include DB_PORT in the success echo output (echo "✓ db_port =
$DB_PORT") so the workflow fails early when db_port is unset; update the error
messages/printf block to reflect this new check and reuse the same errors array
and exit flow.
.github/workflows/helmsman_mosip.yml (1)

48-62: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Consider validating db_port in the required variables check.

Similar to helmsman_external.yml, this workflow validates domain_name and env_name but not db_port. The downstream mosip-dsf.yaml (line 232) now requires ${db_port} for masterdata-loader database configuration. An unset db_port will cause deployment failures.

🔍 Suggested validation addition
           errors=()
           DOMAIN="${{ github.event.inputs.domain_name || vars.DOMAIN_NAME }}"
           ENV="${{ github.event.inputs.env_name || vars.ENV_NAME }}"
+          DB_PORT="${{ github.event.inputs.db_port || vars.DB_PORT }}"
           [ -z "$DOMAIN" ] && errors+=("domain_name is empty — set vars.DOMAIN_NAME under Environment '${{ github.ref_name }}'")
           [ -z "$ENV" ]    && errors+=("env_name is empty — set vars.ENV_NAME under Environment '${{ github.ref_name }}'")
+          [ -z "$DB_PORT" ] && errors+=("db_port is empty — set vars.DB_PORT under Environment '${{ github.ref_name }}'")

Also add DB_PORT to the success output around line 62.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/helmsman_mosip.yml around lines 48 - 62, Add validation
for DB_PORT like DOMAIN and ENV: read DB_PORT="${{ github.event.inputs.db_port
|| vars.DB_PORT }}" into the same errors array, check [ -z "$DB_PORT" ] &&
errors+=("db_port is empty — set vars.DB_PORT under Environment '${{
github.ref_name }}'"), and if all good echo "✓ db_port    = $DB_PORT" alongside
the existing success lines; ensure you reference the same errors array and exit
behavior used in the DOMAIN/ENV validation so an unset db_port fails early
before mosip-dsf.yaml consumes ${db_port}.
🧹 Nitpick comments (2)
.github/workflows/helmsman_external.yml (1)

108-111: ⚡ Quick win

Consider persisting db_port alongside other workflow inputs.

The persistence step saves DOMAIN_NAME, ENV_NAME, CLUSTER_ID, and SLACK_CHANNEL_NAME as environment variables via the GitHub API, but does not persist DB_PORT. This creates an inconsistency: if a user supplies db_port via workflow_dispatch, it won't be persisted for subsequent runs, requiring manual re-entry or reliance on a separately configured vars.DB_PORT.

♻️ Suggested persistence addition
           save_var "DOMAIN_NAME"        "${{ github.event.inputs.domain_name }}"
           save_var "ENV_NAME"           "${{ github.event.inputs.env_name }}"
           save_var "CLUSTER_ID"         "${{ github.event.inputs.clusterid }}"
           save_var "SLACK_CHANNEL_NAME" "${{ github.event.inputs.slack_channel_name }}"
+          save_var "DB_PORT"            "${{ github.event.inputs.db_port }}"
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/helmsman_external.yml around lines 108 - 111, The workflow
saves several workflow_dispatch inputs using save_var but omits persisting the
DB_PORT input; update the persistence block to call save_var for "DB_PORT" using
the github.event.inputs.db_port value so db_port is stored like
DOMAIN_NAME/ENV_NAME/CLUSTER_ID/SLACK_CHANNEL_NAME and is available for
subsequent runs; locate the save_var lines (e.g., the existing save_var
"DOMAIN_NAME" ... entries) and add save_var "DB_PORT" "${{
github.event.inputs.db_port }}" in the same section.
.github/workflows/helmsman_mosip.yml (1)

112-113: ⚡ Quick win

Consider persisting db_port alongside other workflow inputs.

The persistence step saves DOMAIN_NAME and ENV_NAME, but not DB_PORT. This creates the same inconsistency as in helmsman_external.yml: user-supplied db_port values won't persist across workflow runs.

♻️ Suggested persistence addition
           save_var "DOMAIN_NAME" "${{ github.event.inputs.domain_name }}"
           save_var "ENV_NAME"    "${{ github.event.inputs.env_name }}"
+          save_var "DB_PORT"     "${{ github.event.inputs.db_port }}"
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/helmsman_mosip.yml around lines 112 - 113, The workflow
persistence step currently calls save_var for DOMAIN_NAME and ENV_NAME but omits
DB_PORT, so add a save_var invocation for "DB_PORT" using the input value "${{
github.event.inputs.db_port }}" to persist user-provided db_port across runs;
update the same persistence block where save_var "DOMAIN_NAME" and save_var
"ENV_NAME" are invoked so save_var "DB_PORT" is saved consistently with those
variables.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 315642f6-1086-4ba5-aec8-002a968ef580

📥 Commits

Reviewing files that changed from the base of the PR and between 63e5954 and 04c6f14.

📒 Files selected for processing (14)
  • .github/workflows/helmsman_esignet.yml
  • .github/workflows/helmsman_external.yml
  • .github/workflows/helmsman_mosip.yml
  • .github/workflows/helmsman_testrigs.yml
  • Helmsman/dsf/esignet/external-dsf.yaml
  • Helmsman/dsf/esignet/testrigs-dsf.yaml
  • Helmsman/dsf/mosip-platform-java11/esignet-dsf.yaml
  • Helmsman/dsf/mosip-platform-java11/external-dsf.yaml
  • Helmsman/dsf/mosip-platform-java11/mosip-dsf.yaml
  • Helmsman/dsf/mosip-platform-java11/testrigs-dsf.yaml
  • Helmsman/dsf/mosip-platform-java21/esignet-dsf.yaml
  • Helmsman/dsf/mosip-platform-java21/external-dsf.yaml
  • Helmsman/dsf/mosip-platform-java21/mosip-dsf.yaml
  • Helmsman/dsf/mosip-platform-java21/testrigs-dsf.yaml
🚧 Files skipped from review as they are similar to previous changes (4)
  • .github/workflows/helmsman_testrigs.yml
  • .github/workflows/helmsman_esignet.yml
  • Helmsman/dsf/esignet/external-dsf.yaml
  • Helmsman/dsf/esignet/testrigs-dsf.yaml

bhumi46 added 3 commits June 10, 2026 13:31
esignet standalone uses container postgres (5432), separate from
MOSIP platform external postgres (5433). Consistent with esignet-dsf
change — all esignet profile DSFs now use ESIGNET_DB_PORT.

Sub-task: mosip/mosip-infra#1889
Signed-off-by: bhumi46 <thisisbn46@gmail.com>
Add validate-inputs step checks for DB_PORT and ESIGNET_DB_PORT env vars
in all four Helmsman workflows, following the same error-accumulation
pattern as domain_name. helmsman_external and helmsman_testrigs validate
both; helmsman_mosip validates db_port only; helmsman_esignet validates
esignet_db_port only.

Signed-off-by: bhumi46 <bhumi11111a@gmail.com>
Signed-off-by: bhumi46 <thisisbn46@gmail.com>
Add CRE_POSTGRES_PASSWORD, QA11_POSTGRES_PASSWORD, CRE_KEYCLOAK_ADMIN_PASSWORD,
and QA11_KEYCLOAK_ADMIN_PASSWORD to the existing 'Validate required secrets'
step in helmsman_esignet.yml, inside the profile=esignet block. Fail fast
before Helmsman runs rather than at preinstall hook time.

Signed-off-by: bhumi46 <bhumi11111a@gmail.com>
Signed-off-by: bhumi46 <thisisbn46@gmail.com>

@coderabbitai coderabbitai Bot left a comment


Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
.github/workflows/helmsman_external.yml (1)

225-237: ⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

kubectl is used before it is installed.

The "Mask sensitive secrets" step (line 225) uses kubectl to retrieve the MinIO secret, but "Setup kubectl and kubeconfig" (line 239) runs later. This will fail because kubectl is not available on the runner at this point.

Move this step after the "Setup kubectl, istioctl and kubeconfig" step, or at minimum after kubectl is installed and KUBECONFIG is configured.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/helmsman_external.yml around lines 225 - 237, The "Mask
sensitive secrets" step currently calls kubectl to read the MinIO secret (the
MINIO_ROOT_PASSWORD extraction line) before kubectl/KUBECONFIG are prepared;
move the entire "Mask sensitive secrets" step so it runs after the "Setup
kubectl, istioctl and kubeconfig" step (or any step that installs kubectl and
exports KUBECONFIG) to ensure kubectl is available and configured before
MINIO_ROOT_PASSWORD is fetched and masked.
🧹 Nitpick comments (1)
.github/workflows/helmsman_external.yml (1)

73-80: 💤 Low value

Both DB_PORT and ESIGNET_DB_PORT are validated as required for all profiles.

When profile is mosip-platform-java11 or mosip-platform-java21, ESIGNET_DB_PORT may not be needed. Similarly, when profile is esignet, DB_PORT (for MOSIP platform postgres) may be unused. Consider making validation profile-conditional to avoid requiring operators to set variables they don't need.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/helmsman_external.yml around lines 73 - 80, The current
validation always requires DB_PORT and ESIGNET_DB_PORT; change it to conditional
validation based on the profile value (e.g., the env var holding the profile
name) so only required ports are enforced for a given profile. Update the checks
around DB_PORT and ESIGNET_DB_PORT to first test the profile (compare against
"esignet", "mosip-platform-java11", "mosip-platform-java21" or whatever PROFILE
variable you use) and only append the appropriate error messages when the
profile requires that port; preserve the existing error text and array name
(errors+=(...)) and keep the other validations unchanged so functions/lines
referencing DB_PORT and ESIGNET_DB_PORT behave correctly.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: dbf09d14-2bcd-4648-b17a-7c10985c3c82

📥 Commits

Reviewing files that changed from the base of the PR and between 04c6f14 and 5d69bf1.

📒 Files selected for processing (8)
  • .github/workflows/helmsman_esignet.yml
  • .github/workflows/helmsman_external.yml
  • .github/workflows/helmsman_mosip.yml
  • .github/workflows/helmsman_testrigs.yml
  • Helmsman/dsf/esignet/external-dsf.yaml
  • Helmsman/dsf/esignet/testrigs-dsf.yaml
  • Helmsman/dsf/mosip-platform-java11/esignet-dsf.yaml
  • Helmsman/dsf/mosip-platform-java21/esignet-dsf.yaml
🚧 Files skipped from review as they are similar to previous changes (6)
  • Helmsman/dsf/mosip-platform-java21/esignet-dsf.yaml
  • Helmsman/dsf/mosip-platform-java11/esignet-dsf.yaml
  • .github/workflows/helmsman_mosip.yml
  • Helmsman/dsf/esignet/testrigs-dsf.yaml
  • .github/workflows/helmsman_esignet.yml
  • Helmsman/dsf/esignet/external-dsf.yaml
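Profile-conditional validation with error accumulation, as discussed in the review comments above. This is an added example, not the workflows' own validate-inputs step: it requires DB_PORT only for the mosip-platform profiles and ESIGNET_DB_PORT only for esignet, defers the port checks while the profile is still empty (the push-triggered case, where it is detected later), and goes one step beyond the review by also rejecting values that are not a valid TCP port. The profile names are taken from the Helmsman/dsf directories in this PR; the function names are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not the repository's workflow code): a profile-aware
# validate-inputs step. Port variables are only required by the profiles that
# consume them, every problem is collected in ERRORS before failing, and port
# values are checked for shape, not just presence.
# Profile names follow the Helmsman/dsf directories in this PR (assumption).
set -euo pipefail

ERRORS=()

# valid_port <value>: true when value is an integer in 1..65535
valid_port() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# check_port <input-name> <value> <vars-name>: records an error for an empty
# or malformed port, naming the repository variable the operator must set
check_port() {
  if [ -z "$2" ]; then
    ERRORS+=("$1 is empty: set vars.$3 for this Environment")
  elif ! valid_port "$2"; then
    ERRORS+=("$1 '$2' is not a valid TCP port (1-65535)")
  fi
}

# validate_inputs <profile> <domain_name> <env_name> <db_port> <esignet_db_port>
# Returns 0 when every input the profile needs is present and well-formed;
# otherwise prints each problem and returns 1 (ERRORS keeps them for callers).
validate_inputs() {
  local profile="${1:-}" domain="${2:-}" env_name="${3:-}"
  local db_port="${4:-}" esignet_db_port="${5:-}"
  ERRORS=()

  [ -n "$domain" ]   || ERRORS+=("domain_name is empty: set vars.DOMAIN_NAME for this Environment")
  [ -n "$env_name" ] || ERRORS+=("env_name is empty: set vars.ENV_NAME for this Environment")

  case "$profile" in
    esignet)
      # standalone eSignet runs its own container postgres, so only its port matters
      check_port esignet_db_port "$esignet_db_port" ESIGNET_DB_PORT ;;
    mosip-platform-java11|mosip-platform-java21)
      check_port db_port "$db_port" DB_PORT ;;
    "")
      # profile is auto-detected later on push-triggered runs: defer the
      # profile-specific checks rather than failing on variables the detected
      # profile may not need
      ;;
    *)
      ERRORS+=("unknown profile '$profile'") ;;
  esac

  if [ "${#ERRORS[@]}" -gt 0 ]; then
    printf 'ERROR: %s\n' "${ERRORS[@]}" >&2
    return 1
  fi
  echo "inputs valid for profile '${profile:-<auto-detect>}'"
}

# CLI use: validate-inputs.sh <profile> <domain_name> <env_name> <db_port> <esignet_db_port>
if [ "$#" -gt 0 ]; then
  validate_inputs "$@"
fi
```

Deferring the checks for an empty profile is the trade-off the later comment on helmsman_testrigs.yml points at: the deploy job that detects the profile has to run the same function again once PROFILE is known, otherwise a push-triggered run skips the port checks entirely.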

bhumi46 added 8 commits June 10, 2026 15:35
Helmsman v3.17.1 has no --skip-releases flag. Replace with -exclude-target
(one flag per release) which is the correct way to exclude specific apps
from execution. Build the arg string incrementally inside the existing loop.

Signed-off-by: bhumi46 <bhumi11111a@gmail.com>
Signed-off-by: bhumi46 <thisisbn46@gmail.com>
The MinIO Helm chart creates a secret named 'minio' in the 'minio'
namespace (key: root-password). The step was wrongly looking for a
secret named 's3' which is a derived secret created by s3-setup.sh
in the 's3' namespace, not the chart's own secret.

Aligns with helmsman_external.yml and s3-setup.sh which both read
from 'kubectl -n minio get secret minio'.

Signed-off-by: bhumi46 <bhumi11111a@gmail.com>
Signed-off-by: bhumi46 <thisisbn46@gmail.com>
The esignet testrigs-dsf.yaml uses ${cre_domain_name} and ${qabase_domain_name}
for CRE/QA11 apitestrig db-server and base URL config. Add both vars to
workflow inputs, job-level env (with vars.* fallback), and save_var
persistence — same pattern as helmsman_esignet.yml.

Signed-off-by: bhumi46 <bhumi11111a@gmail.com>
Signed-off-by: bhumi46 <thisisbn46@gmail.com>
…n testrigs

Add profile-conditional validation to testrigs validate-inputs job:
when profile=esignet (or push-triggered, where profile is auto-detected
as esignet), require cre_domain_name and qabase_domain_name to be set.
Errors accumulate in the shared errors[] array before the single exit.

Signed-off-by: bhumi46 <bhumi11111a@gmail.com>
Signed-off-by: bhumi46 <thisisbn46@gmail.com>
esignet-signup-apitestrig deploys into the signup namespace but it was
missing from the namespaces: block, causing Helmsman validation to fail.

Signed-off-by: bhumi46 <bhumi11111a@gmail.com>
Signed-off-by: bhumi46 <thisisbn46@gmail.com>
Without this flag Helmsman treats releases from esignet-dsf.yaml
(esignet, oidc-ui, softhsm, etc.) as untracked and deletes them
when only testrigs-dsf.yaml is applied. --keep-untracked-releases
preserves all releases not listed in the current DSF.

Signed-off-by: bhumi46 <bhumi11111a@gmail.com>
Signed-off-by: bhumi46 <thisisbn46@gmail.com>
Document all changes from this session:
- Add ${db_port} and ${esignet_db_port} to DSF Runtime Variable Substitution table
- Update push-triggered fallback vars list to include DB_PORT/ESIGNET_DB_PORT
- Clarify MinIO secret name (minio in minio ns) vs derived s3 secret in s3 ns
- Add gotchas: --skip-releases invalid (use -exclude-target), testrigs needs
  --keep-untracked-releases, signup namespace must be in testrigs namespaces
  block, cre/qabase domain required for esignet testrigs, esignet profile
  secret validation for CRE/QA11 postgres and keycloak admin passwords

Signed-off-by: bhumi46 <bhumi11111a@gmail.com>
Signed-off-by: bhumi46 <thisisbn46@gmail.com>
Signed-off-by: bhumi46 <thisisbn46@gmail.com>

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/helmsman_testrigs.yml:
- Around line 83-88: The validation block incorrectly runs when PROFILE is empty
(e.g., on push events), causing esignet-only checks to fail; modify the
condition that guards CRE_DOMAIN/QABASE_DOMAIN validation so it only runs for an
actual esignet profile (e.g., change if [ -z "$PROFILE" ] || [ "$PROFILE" =
"esignet" ]; then to if [ "$PROFILE" = "esignet" ]; then) or remove these checks
from this step and move them into the deploy job after PROFILE detection; update
references to PROFILE, CRE_DOMAIN, and QABASE_DOMAIN accordingly so
esignet-specific validation is deferred until the profile is known.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 3b687fed-03c6-44bd-9cc4-4462b9377694

📥 Commits

Reviewing files that changed from the base of the PR and between 5d69bf1 and 5d09aac.

📒 Files selected for processing (4)
  • .github/workflows/helmsman_esignet.yml
  • .github/workflows/helmsman_testrigs.yml
  • CLAUDE.md
  • Helmsman/dsf/esignet/testrigs-dsf.yaml
✅ Files skipped from review due to trivial changes (1)
  • CLAUDE.md
🚧 Files skipped from review as they are similar to previous changes (1)
  • Helmsman/dsf/esignet/testrigs-dsf.yaml

Comment on lines +83 to +88
if [ -z "$PROFILE" ] || [ "$PROFILE" = "esignet" ]; then
CRE_DOMAIN="${{ github.event.inputs.cre_domain_name || vars.CRE_DOMAIN_NAME }}"
QABASE_DOMAIN="${{ github.event.inputs.qabase_domain_name || vars.QABASE_DOMAIN_NAME }}"
[ -z "$CRE_DOMAIN" ] && errors+=("cre_domain_name is empty — set vars.CRE_DOMAIN_NAME under Environment '${{ github.ref_name }}'")
[ -z "$QABASE_DOMAIN" ] && errors+=("qabase_domain_name is empty — set vars.QABASE_DOMAIN_NAME under Environment '${{ github.ref_name }}'")
fi
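Review bot: lines 84-86 expand `${{ github.event.inputs.cre_domain_name || vars.CRE_DOMAIN_NAME }}`, `${{ github.event.inputs.qabase_domain_name || vars.QABASE_DOMAIN_NAME }}` and `${{ github.ref_name }}` directly inside the `run:` script, which is exactly what the zizmor `template-injection` findings on this block point at: the expression is substituted before bash parses the script, so any value containing shell metacharacters is executed rather than compared. Map the three expressions into the step's `env:` block (e.g. `CRE_DOMAIN: ${{ github.event.inputs.cre_domain_name || vars.CRE_DOMAIN_NAME }}`) and reference them as `"$CRE_DOMAIN"`, `"$QABASE_DOMAIN"` and `"$GITHUB_REF_NAME"` in the script, which also leaves the error strings unchanged. Separately, the `[ -z "$PROFILE" ] ||` guard makes the esignet-only checks run for every push event, because PROFILE is only detected in the deploy job; gate on `[ "$PROFILE" = "esignet" ]` here and repeat the check in the deploy job once the profile is known.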

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Push events to non-esignet profiles will fail validation incorrectly.

When triggered by push to Helmsman/dsf/mosip-platform-java11/testrigs-dsf.yaml, PROFILE is empty here (it's detected later in the deploy job). The condition [ -z "$PROFILE" ] then validates CRE_DOMAIN_NAME/QABASE_DOMAIN_NAME, causing the workflow to fail even though those variables aren't required for non-esignet profiles.

Consider moving profile detection before this validation, or skipping esignet-specific validation for push events and deferring it to the deploy job after profile is known.

Proposed fix: defer esignet-specific validation to deploy job or move profile detection earlier

Option 1 - Only validate on explicit esignet profile (remove empty check):

-          if [ -z "$PROFILE" ] || [ "$PROFILE" = "esignet" ]; then
+          if [ "$PROFILE" = "esignet" ]; then
             CRE_DOMAIN="${{ github.event.inputs.cre_domain_name || vars.CRE_DOMAIN_NAME }}"
             QABASE_DOMAIN="${{ github.event.inputs.qabase_domain_name || vars.QABASE_DOMAIN_NAME }}"
             [ -z "$CRE_DOMAIN" ]    && errors+=("cre_domain_name is empty — set vars.CRE_DOMAIN_NAME under Environment '${{ github.ref_name }}'")
             [ -z "$QABASE_DOMAIN" ] && errors+=("qabase_domain_name is empty — set vars.QABASE_DOMAIN_NAME under Environment '${{ github.ref_name }}'")
           fi
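Review bot: Option 1 removes the check entirely for push-triggered runs that the deploy job later detects as esignet, so a missing cre or qa11 domain would only surface when the testrig configmap or db-server URL is wrong at runtime; the preceding commit message states those two variables are required whenever the profile resolves to esignet, so Option 2 (re-validating in the deploy job after detection) is the one that preserves that guarantee. The suggested diff also keeps the three `${{ ... }}` expansions inline in the script, so the zizmor template-injection findings listed below remain after applying it; moving them to the step's `env:` block should be part of the same change.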

Option 2 - Add esignet-specific validation in deploy job after profile detection (preferred for push events).

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
if [ -z "$PROFILE" ] || [ "$PROFILE" = "esignet" ]; then
CRE_DOMAIN="${{ github.event.inputs.cre_domain_name || vars.CRE_DOMAIN_NAME }}"
QABASE_DOMAIN="${{ github.event.inputs.qabase_domain_name || vars.QABASE_DOMAIN_NAME }}"
[ -z "$CRE_DOMAIN" ] && errors+=("cre_domain_name is empty — set vars.CRE_DOMAIN_NAME under Environment '${{ github.ref_name }}'")
[ -z "$QABASE_DOMAIN" ] && errors+=("qabase_domain_name is empty — set vars.QABASE_DOMAIN_NAME under Environment '${{ github.ref_name }}'")
fi
if [ "$PROFILE" = "esignet" ]; then
CRE_DOMAIN="${{ github.event.inputs.cre_domain_name || vars.CRE_DOMAIN_NAME }}"
QABASE_DOMAIN="${{ github.event.inputs.qabase_domain_name || vars.QABASE_DOMAIN_NAME }}"
[ -z "$CRE_DOMAIN" ] && errors+=("cre_domain_name is empty — set vars.CRE_DOMAIN_NAME under Environment '${{ github.ref_name }}'")
[ -z "$QABASE_DOMAIN" ] && errors+=("qabase_domain_name is empty — set vars.QABASE_DOMAIN_NAME under Environment '${{ github.ref_name }}'")
fi
🧰 Tools
🪛 zizmor (1.25.2)

[error] 84-84: code injection via template expansion (template-injection): may expand into attacker-controllable code

(template-injection)


[info] 84-84: code injection via template expansion (template-injection): may expand into attacker-controllable code

(template-injection)


[error] 85-85: code injection via template expansion (template-injection): may expand into attacker-controllable code

(template-injection)


[info] 85-85: code injection via template expansion (template-injection): may expand into attacker-controllable code

(template-injection)


[error] 86-86: code injection via template expansion (template-injection): may expand into attacker-controllable code

(template-injection)


[error] 86-86: code injection via template expansion (template-injection): may expand into attacker-controllable code

(template-injection)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/helmsman_testrigs.yml around lines 83 - 88, The validation
block incorrectly runs when PROFILE is empty (e.g., on push events), causing
esignet-only checks to fail; modify the condition that guards
CRE_DOMAIN/QABASE_DOMAIN validation so it only runs for an actual esignet
profile (e.g., change if [ -z "$PROFILE" ] || [ "$PROFILE" = "esignet" ]; then
to if [ "$PROFILE" = "esignet" ]; then) or remove these checks from this step
and move them into the deploy job after PROFILE detection; update references to
PROFILE, CRE_DOMAIN, and QABASE_DOMAIN accordingly so esignet-specific
validation is deferred until the profile is known.

Source: Coding guidelines
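The validation logic discussed above, rewritten as a stand-alone shell function. This is an added example, not code from the PR or the mosip repository. It assumes the workflow step passes the resolved inputs to the script through its `env:` block (for instance `CRE_DOMAIN: ${{ github.event.inputs.cre_domain_name || vars.CRE_DOMAIN_NAME }}`) so the script only ever sees them as ordinary environment variables, which is the fix for the zizmor template-injection findings. The function gates the esignet-only checks on an explicit profile, keeps the accumulate-then-exit pattern of the original step, and adds a hostname character check that is not in the PR: it is an assumption here, motivated by the fact that the domain values are later spliced into URLs and hook scripts. The variable names and messages are constructed for the example.

```shell
#!/usr/bin/env bash
# Added example (not from the PR). Inputs arrive as plain arguments, the way a
# workflow step's env: block would supply them, never as inline ${{ ... }} text.

# Append one error line to the accumulator; newline-terminated so the output
# is one message per line.
_add_error() {
  errors="${errors}${1}
"
}

# validate_testrig_inputs PROFILE CRE_DOMAIN QABASE_DOMAIN
#   Prints accumulated errors (one per line) and returns 1 if any were found,
#   returns 0 otherwise. An empty PROFILE (push event, detected later in the
#   deploy job) is deliberately NOT treated as esignet.
validate_testrig_inputs() {
  profile=$1
  cre_domain=$2
  qabase_domain=$3
  errors=""

  # esignet-specific requirements only apply to a known esignet profile.
  if [ "$profile" = "esignet" ]; then
    [ -z "$cre_domain" ]    && _add_error "cre_domain_name is empty - set vars.CRE_DOMAIN_NAME"
    [ -z "$qabase_domain" ] && _add_error "qabase_domain_name is empty - set vars.QABASE_DOMAIN_NAME"
  fi

  # Assumed extra check: a domain must look like a hostname. Values with shell
  # metacharacters or whitespace are rejected before they reach hook scripts.
  for d in "$cre_domain" "$qabase_domain"; do
    if [ -n "$d" ] && ! printf '%s' "$d" | grep -Eq '^[A-Za-z0-9.-]+$'; then
      _add_error "domain value '$d' contains characters outside [A-Za-z0-9.-]"
    fi
  done

  if [ -n "$errors" ]; then
    printf '%s' "$errors"
    return 1
  fi
  return 0
}

# Stand-alone usage: read the env: supplied values and fail the step on error.
if [ "${0##*/}" = "validate-inputs.sh" ]; then
  validate_testrig_inputs "${PROFILE:-}" "${CRE_DOMAIN:-}" "${QABASE_DOMAIN:-}" || exit 1
fi
```

In the workflow, the step body reduces to the call at the bottom; because the values are read from the environment, a value such as `example.com; rm -rf /` is compared as a string and rejected by the hostname check rather than being parsed as part of the script.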

bhumi46 and others added 5 commits June 11, 2026 17:34
…guide

- esignet-domain-config → esignet-global (CM name)
- esignet-1.7.1 → esignet-standalone (hooks directory)
- mosip-platform-java11 → mosip-platform-1.2.0.x (DSF directory)
- mosip-platform-java21 → mosip-platform-1.2.1.x (DSF directory)
- qabase_domain_name → qa11_domain_name everywhere
- domain_name, clusterid, db_port, esignet_db_port → required: true in workflows
- Comment out signup auto-trigger in helmsman_esignet.yml ([DISABLED])
- Add docs/ESIGNET_STANDALONE_DEPLOYMENT_GUIDE.md
- Sync docs/TERRAFORM_WORKFLOW_GUIDE.md INFRA_PROFILE constraint note

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Signed-off-by: bhumi46 <thisisbn46@gmail.com>
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Signed-off-by: bhumi46 <thisisbn46@gmail.com>
… plugin values

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Signed-off-by: bhumi46 <thisisbn46@gmail.com>
…o all esignet apitestrig configmaps

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Signed-off-by: bhumi46 <thisisbn46@gmail.com>
Signed-off-by: bhumi46 <thisisbn46@gmail.com>