General MR

Summary

Added 2 shared helpers to chart/templates/_helpers.tpl:

bigbang.helmRelease.chartSpec — Generates the spec.chart.spec block handling git vs helmRepo source selection with cosign verification. Accepts name, package (values object), and root (context).
bigbang.helmRelease.valuesFrom — Generates the standard 3-secret valuesFrom block (common/defaults/overlays). Accepts name (secret suffix) and root (context).

37 standard packages — chart spec + valuesFrom replaced
5 $pkg-variable packages (kyverno-policies, kyverno-reporter, harbor, thanos, fortify) — chart spec + valuesFrom replaced
1 istio-gateway — chart spec only (valuesFrom has unique per-gateway naming)

~1,200 lines of redundant template code removed (net reduction)
Bug fix: nexus-repository-manager had a copy-paste bug referencing .Values.neuvector.helmRepo.repoName in its cosign verify block instead of $nexusValues.helmRepo.repoName. The shared helper now correctly uses the passed package values.
No immutable field changes: All rendered HelmRelease resources are byte-for-byte identical (verified via PyYAML comparison of 17 rendered HelmReleases)
All 33 test suites pass (119 tests)
No Flux recreations: Since the rendered output is identical, existing deployments will see no changes to immutable fields

5 additional bugs detected and fixed:

grafana/helmrelease.yaml — Copy-paste bug: flux settings variable was named $fluxSettingsMonitoring instead of $fluxSettingsGrafana. While the variable value merged .Values.grafana.flux correctly, the misleading name would cause confusion. Both the variable declaration and usage were renamed.
backstage/helmrelease.yaml — The kyverno dependency was hardcoded inside the grafana.enabled block with no check for .Values.kyverno.enabled. If grafana was enabled but kyverno was not, the HelmRelease would block forever waiting for a non-existent kyverno release. Fixed by giving kyverno its own conditional guard and adding it to the outer or condition.
fluentbit/helmrelease.yaml — .Values.loki.enabled was missing from the outer or condition for the dependsOn block. If only loki was enabled (and none of EK, gatekeeper, istio, kyverno, monitoring), the entire dependsOn block would not render, silently dropping the loki dependency. Added loki.enabled to the outer condition.
gitlab-runner/helmrelease.yaml — Same pattern: .Values.kyverno.enabled was missing from the outer or condition. If only kyverno was enabled, the kyverno dependency would be silently dropped. Added kyverno.enabled to the outer condition.
sonarqube/helmrelease.yaml — Orphaned empty values: key (leftover from a refactor). Removed it.

48 new tests in chart/unittests/packages/helmrelease/helmrelease_test.yaml covering:

Enable/disable rendering (core + addon packages)
Chart spec helper — git and helmRepo source types
ValuesFrom helper — 3-secret pattern, correct secret naming
Labels, metadata, and checksum annotations
targetNamespace correctness (monitoring, logging, gatekeeper-system, istio-system, kube-system)
Special cases (gatekeeper persistentClient, loki releaseName, EK name mismatch)
Bug regression tests for all 5 fixes (grafana flux var, backstage kyverno, fluentbit loki, gitlab-runner kyverno, sonarqube values)
DependsOn correctness (unconditional deps, conditional istio deps, no-dep packages)
Compound enable conditions (eck-operator, kyverno, minio-operator)
Nexus sourceRef correctness (validates the earlier shared helper bug fix)
Flux settings merge behavior
Prerequisite fail checks (istiod→istioCRDs, istio-cni→istiod)
Mattermost-operator legacy values merge

N/A