Trunk Migration Validation
You are the validation skill for trunk-based migration. Run 6 comprehensive checks to verify the migration is correct before and after MR creation.
Reference config schema at: @${CLAUDE_PLUGIN_ROOT}/references/config-schema.md
Input
$ARGUMENTS may contain a path to trunk-migration-config.yaml. If not provided, check for trunk-migration-config.yaml in the repository root.
Validation 1: Kustomize Build Test
Test all region/environment combinations build correctly:
for region in us uk; do
for env in dev staging prod; do
echo "Testing $region/$env..."
kustomize build k8s/$region/$env > /tmp/test-$region-$env.yaml
# Verify output contains expected resources
if grep -q "kind: Deployment" /tmp/test-$region-$env.yaml && \
grep -q "kind: Service" /tmp/test-$region-$env.yaml && \
grep -q "kind: IngressRoute" /tmp/test-$region-$env.yaml; then
echo "PASS: $region/$env builds correctly"
else
echo "FAIL: $region/$env missing resources"
fi
done
done
Additionally verify:
- •Each build output contains the correct ACR registry for that region/environment
- •Each build output has the correct domain in IngressRoute
- •Each build output has the correct
NEW_RELIC_APP_NAMEsuffix - •Security context is present (
runAsNonRoot: true) - •Port is
8080in all probes - •
allowPrivilegeEscalation: falseis set
Validation 2: MR Pipeline Component Verification
Read .gitlab-ci.yml and verify all expected components are present:
Required for ALL migrations:
- • Workflow rules target
mainbranch - • YAML anchors for regions and lower-environments
- • All required stages present
- • Core template includes with correct versions
- •
docker-build-jobpresent - •
test-jobpresent - •
coverage-jobpresent (extends.coveragefromdotnet/coverage.yml) - •
deploy-k8s-lowerwith correct needs - •
deploy-prod-jobwithmanual-approval-prodin needs - •
push-docker-images-prodwithmanual-approval-prodin needs - • Review app jobs (deploy + cleanup)
- •
NAMESPACE: platformis job-level (NOT global)
Conditional checks (based on config decision trees):
If api_versioning.multi_version:
- • Swagger generation uses parallel matrix
- • APIM deployment has per-version matrix entries
- • Each version has unique
API_ID
If auth0.enabled:
- •
auth0-deploy-lowerjob exists - •
auth0-deploy-prodjob exists withmanual-approval-prodin needs - • Uses
node:20-alpineimage - • Secure secret injection with printenv and sed escaping
- • Replacement verification (
grep -q "##PLACEHOLDER##")
If nuget.enabled:
- • NuGet pack jobs exist for each package
- • Rules restrict to
mainbranch only
If ui_tests.enabled:
- •
test-ui-stagingjob exists inprod-gatestage - •
needsincludes bothdeploy-k8s-lowerandupload-api-lower(both withartifacts: false) - •
SCHEDULE_NAMEvariable matches config value - • Triggers
web-ui-framework-2-platformproject
If ef_migrations.enabled:
- •
validate-migration-script-jobpresent - •
deploy-migrations-lowerpresent - •
deploy-migrations-prodpresent withmanual-approval-prod - •
.config/dotnet-tools.jsonexists - •
migration.sqlfile exists
Validation 3: Review App Deployment Check
Verify review overlay structure:
- •
k8s/overlays/review/kustomization.yaml.templateexists - •
k8s/overlays/review/add-nodeselector.patch.yaml.templateexists - •
k8s/overlays/review/patch-api-deployment.yaml.templateexists - •
k8s/overlays/review/patch-api-service.yaml.templateexists - •
k8s/overlays/review/patch-api-hpa.yaml.templateexists - •
k8s/overlays/review/patch-https-route.yaml.templateexists - •
k8s/overlays/review/resources/https-route.yamlexists - •
k8s/overlays/review/resources/http-to-https-redirect.yamlexists
In all patch templates (deployment, service, hpa, https-route):
- •
namespace:field present in metadata (must match base namespace for kustomize strategic merge patch matching)
In HTTPRoute resources and patches:
- •
parentRefsuses correct gateway controller (checkgateway.nameandgateway.namespacefrom config) - •
parentRefsincludesgroup: gateway.networking.k8s.ioandkind: Gateway - •
sectionNameishttps-listenerfor HTTPS route,http-listenerfor redirect - •
backendRefsuses full spec (group,kind,weight,matches)
In patch-api-deployment.yaml.template:
- •
valueFrom: nullpresent for every env var (prevents secretKeyRef override) - •
ASPNETCORE_FORWARDEDHEADERS_ENABLED: "true"present (required for HTTPS behind gateway) - • Resource limits are review-appropriate (300Mi/200m)
- • Uses spot node pool (
reviewspotnp) - • HPA max is 1 replica
Validation 4: Secrets Configuration Verification
Verify secrets are correctly referenced:
In k8s/base/deployment.yaml:
- • All env vars use
secretKeyReftoSERVICE_NAME-secrets - • Secret keys match expected names (azure-appconfig-endpoint, azure-client-id, etc.)
In .gitlab-ci.yml deploy jobs:
- •
SECRET_NAMEvariable matches deployment secretKeyRef name - • Secret creation
before_scriptfetches all required values from Key Vault - •
kubectl create secret genericincludes all keys from deployment
Validation 5: Main Branch Pipeline Checklist
After MR merges and first main pipeline runs, verify:
- • Semantic release calculates version correctly
- • Git tag created
- • Docker images tagged with version
- • Deployments to dev succeed (all regions)
- • Deployments to staging succeed (all regions)
- • NuGet packages published (if applicable)
- • Auth0 configs deployed (if applicable)
- • Migrations applied (if applicable)
- • APIM APIs updated (not duplicated)
Note: This check requires the pipeline to have run. If checking before merge, report these as pending items.
Validation 6: Production Gate Workflow Check
Verify the production approval workflow:
In .gitlab-ci.yml:
- •
manual-approval-prodjob exists (fromprod-gate-manual-approval.ymltemplate) - • ALL production-stage jobs have
manual-approval-prodinneeds:- •
push-docker-images-prod - •
deploy-prod-job - •
deploy-migrations-prod(if applicable) - •
auth0-deploy-prod(if applicable) - •
upload-api-prod
- •
Execution order after approval:
- •Docker push + Auth0 + Migrations (parallel)
- •K8s deployment (waits for Docker + Migrations)
- •APIM upload (waits for K8s deployment)
Output
Present results as a checklist with PASS/FAIL/PENDING status:
Trunk Migration Validation Results =================================== 1. Kustomize Build Test ✓ us/dev ✓ us/staging ✓ us/prod ✓ uk/dev ✓ uk/staging ✓ uk/prod 2. Pipeline Components ✓ Core templates ✓ Build jobs ✓ Deploy jobs ✓ Review apps ✓ Auth0 ✓ NuGet ✗ APIM API_IDs missing for uk/staging 3. Review App Structure ✓ All 8 template files present ✓ valueFrom: null on all env vars 4. Secrets Configuration ✓ secretKeyRef matches secret creation 5. Main Branch Pipeline ⏳ Pending (run after MR merge) 6. Production Gate ✓ All prod jobs require manual-approval-prod Overall: 5/6 PASS, 1 PENDING Issues found: 1 (APIM API_IDs)
If issues are found, suggest running /dotnet:trunk-troubleshoot with a description of the problem.