From cb402009fe684172c0912c6d0453522cad3c70ac Mon Sep 17 00:00:00 2001 From: moilanik Date: Tue, 10 Mar 2026 08:43:43 +0200 Subject: [PATCH] feat(helm): forbid hardcoded namespaces and release names MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Add hard rule: charts must be fully agnostic about installation target. - Never hardcode namespace in any template — use .Release.Namespace or omit - Never hardcode release name — use .Release.Name / fullname helper - Enforce IaC principle: deployer decides where, chart describes what --- .ai/instructions/skills/helm.instructions.md | 55 ++++++++++++++++++++ 1 file changed, 55 insertions(+) diff --git a/.ai/instructions/skills/helm.instructions.md b/.ai/instructions/skills/helm.instructions.md index 2edc568..1e0a7cc 100644 --- a/.ai/instructions/skills/helm.instructions.md +++ b/.ai/instructions/skills/helm.instructions.md 
@@ -11,6 +11,61 @@ Before writing a new template, config, or resource: --- +## 🚫 Never Hardcode Namespace, Release Name, or Installation-Specific Values + +**A Helm chart must be fully agnostic about where and how it is installed.** + +This is a hard rule — no exceptions. + +### Namespace + +Never hardcode a namespace in any template. The namespace is set by the deployer at install time. + +```yaml +# ❌ FORBIDDEN — always +metadata: + namespace: my-app + namespace: production + namespace: default + +# ✅ Required — or omit namespace entirely and let Helm inject it +metadata: + namespace: {{ .Release.Namespace }} +``` + +If a resource must reference another namespace (e.g. a NetworkPolicy peer), expose it as a required value: + +```yaml +metadata: + namespace: {{ required "global.namespace is required" .Values.global.targetNamespace }} +``` + +### Release Name + +Never hardcode a release name. Use `.Release.Name` to derive resource names: + +```yaml +# ❌ FORBIDDEN +name: my-app-service +name: myapp-ingress + +# ✅ Required +name: {{ include "mychart.fullname" . }} +# or +name: {{ .Release.Name }}-service +``` + +### Why — IaC Principle + +The chart is infrastructure code. It must be deployable to any cluster, any namespace, any environment, by any deployer — without editing the chart itself. Installation-specific decisions belong exclusively in `values..yaml` in the deployment repo. + +``` +❌ Wrong: chart decides where it lives +✅ Right: deployer decides where it lives — chart only describes what it is +``` + +--- + ## 🏠 Resource Ownership **Every Kubernetes resource must have exactly one owner. Never duplicate.**
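Review bot: In the Namespace section, the `required` example's error message names a different key than the one the template reads: `namespace: {{ required "global.namespace is required" .Values.global.targetNamespace }}` tells the deployer to set `global.namespace` while the lookup is `.Values.global.targetNamespace`; make the message match the key, e.g. `required "global.targetNamespace is required" .Values.global.targetNamespace`. Two smaller points: the "Why — IaC Principle" paragraph refers to `values..yaml`, which reads as a typo for `values.yaml` (or for a `values.<env>.yaml` pattern; spell out which one the deployment repo uses), and the forbidden-example block puts three `namespace:` keys under one `metadata:`, which is not valid YAML and may trip any tooling that lints fenced examples; either mark them as three separate illustrations or keep a single key. Since the rule is declared hard with no exceptions, consider stating how it is checked, for instance that rendering with `helm template --namespace <ns>` must produce no `namespace:` value other than `<ns>`, so a hardcoded namespace that would land a resource outside the namespace the deployer chose is caught before install rather than in review.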