test: add helm-unittest tests for all chart templates

obezpalko · claude · obezpalko · commit fd92191f1cfd · 2026-03-16T17:47:49.000+01:00
31 tests across 5 suites:
- deployment: image tag fallback, namespace scoping, all operator args
- rbac: Role/RoleBinding are namespace-scoped, correct verbs on all resources
- gateway: create flag, namespace, className, allowedRoutes, port
- gatewayclass: create flag, controllerName, keep annotation
- serviceaccount: create flag, custom name, namespace

CI: lint and unit tests run before publish (oci job needs test job).
Makefile: helm-lint and helm-test targets added.

Co-Authored-By: Claude Sonnet 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/.github/workflows/helm.yml b/.github/workflows/helm.yml
@@ -10,8 +10,30 @@ on:
   workflow_dispatch:
 
 jobs:
+  test:
+    name: Lint and unit test
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+
+    steps:
+      - uses: actions/checkout@v6
+
+      - name: Install Helm
+        run: curl https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 | bash
+
+      - name: Install helm-unittest plugin
+        run: helm plugin install https://github.com/helm-unittest/helm-unittest
+
+      - name: Lint
+        run: helm lint charts/envoy-router
+
+      - name: Unit tests
+        run: helm unittest charts/envoy-router
+
   oci:
     name: Publish to GHCR (OCI)
+    needs: test
     runs-on: ubuntu-latest
     permissions:
       contents: read
diff --git a/Makefile b/Makefile
@@ -4,7 +4,7 @@ ENVOY_GATEWAY_VERSION ?= v1.7.1
 CHART_NAMESPACE ?= envoy-router
 
 .PHONY: build test lint tidy docker-build docker-push \
-        envoy-gateway-install install upgrade uninstall
+        envoy-gateway-install install upgrade uninstall helm-test helm-lint
 
 build:
 	go build -o bin/manager ./cmd/main.go
@@ -24,6 +24,12 @@ docker-build:
 docker-push: docker-build
 	docker push $(IMAGE_REPO):$(IMAGE_TAG)
 
+helm-lint:
+	helm lint charts/envoy-router
+
+helm-test:
+	helm unittest charts/envoy-router
+
 ## Install Envoy Gateway CRDs and controller (prerequisite)
 envoy-gateway-install:
 	helm install eg oci://docker.io/envoyproxy/gateway-helm \
diff --git a/charts/envoy-router/tests/deployment_test.yaml b/charts/envoy-router/tests/deployment_test.yaml
@@ -0,0 +1,60 @@
+suite: Deployment
+templates:
+  - templates/deployment.yaml
+release:
+  namespace: test-ns
+
+tests:
+  - it: is in release namespace
+    asserts:
+      - equal:
+          path: metadata.namespace
+          value: test-ns
+
+  - it: uses appVersion as image tag when image.tag is empty
+    asserts:
+      - equal:
+          path: spec.template.spec.containers[0].image
+          value: ghcr.io/comet-ml/envoy-router:0.1.0
+
+  - it: uses custom image tag when set
+    set:
+      image.tag: v1.2.3
+    asserts:
+      - equal:
+          path: spec.template.spec.containers[0].image
+          value: ghcr.io/comet-ml/envoy-router:v1.2.3
+
+  - it: sets --gateway-namespace to release namespace
+    asserts:
+      - contains:
+          path: spec.template.spec.containers[0].args
+          content: --gateway-namespace=test-ns
+
+  - it: sets --watch-namespace to release namespace
+    asserts:
+      - contains:
+          path: spec.template.spec.containers[0].args
+          content: --watch-namespace=test-ns
+
+  - it: sets --pod-port from values
+    set:
+      operator.podPort: 9090
+    asserts:
+      - contains:
+          path: spec.template.spec.containers[0].args
+          content: --pod-port=9090
+
+  - it: sets --gateway-name from values
+    set:
+      operator.gatewayName: my-gateway
+    asserts:
+      - contains:
+          path: spec.template.spec.containers[0].args
+          content: --gateway-name=my-gateway
+
+  - it: uses the correct service account
+    asserts:
+      - equal:
+          path: spec.template.spec.serviceAccountName
+          value: RELEASE-NAME-envoy-router
diff --git a/charts/envoy-router/tests/gateway_test.yaml b/charts/envoy-router/tests/gateway_test.yaml
@@ -0,0 +1,52 @@
+suite: Gateway
+templates:
+  - templates/gateway.yaml
+release:
+  namespace: test-ns
+
+tests:
+  - it: is created by default
+    asserts:
+      - hasDocuments:
+          count: 1
+      - isKind:
+          of: Gateway
+
+  - it: is in release namespace
+    asserts:
+      - equal:
+          path: metadata.namespace
+          value: test-ns
+
+  - it: uses gateway.className
+    asserts:
+      - equal:
+          path: spec.gatewayClassName
+          value: envoy-router
+
+  - it: defaults allowedRoutes to Same
+    asserts:
+      - equal:
+          path: spec.listeners[0].allowedRoutes.namespaces.from
+          value: Same
+
+  - it: uses gateway.port for listener
+    asserts:
+      - equal:
+          path: spec.listeners[0].port
+          value: 80
+
+  - it: custom port is reflected in listener
+    set:
+      gateway.port: 8080
+    asserts:
+      - equal:
+          path: spec.listeners[0].port
+          value: 8080
+
+  - it: is not created when gateway.create is false
+    set:
+      gateway.create: false
+    asserts:
+      - hasDocuments:
+          count: 0
diff --git a/charts/envoy-router/tests/gatewayclass_test.yaml b/charts/envoy-router/tests/gatewayclass_test.yaml
@@ -0,0 +1,38 @@
+suite: GatewayClass
+templates:
+  - templates/gatewayclass.yaml
+release:
+  namespace: test-ns
+
+tests:
+  - it: is created by default
+    asserts:
+      - hasDocuments:
+          count: 1
+      - isKind:
+          of: GatewayClass
+
+  - it: references the Envoy Gateway controller
+    asserts:
+      - equal:
+          path: spec.controllerName
+          value: gateway.envoyproxy.io/gatewayclass-controller
+
+  - it: has helm keep annotation to survive namespace uninstall
+    asserts:
+      - equal:
+          path: metadata.annotations["helm.sh/resource-policy"]
+          value: keep
+
+  - it: uses gateway.className as name
+    asserts:
+      - equal:
+          path: metadata.name
+          value: envoy-router
+
+  - it: is not created when gateway.createClass is false
+    set:
+      gateway.createClass: false
+    asserts:
+      - hasDocuments:
+          count: 0
diff --git a/charts/envoy-router/tests/rbac_test.yaml b/charts/envoy-router/tests/rbac_test.yaml
@@ -0,0 +1,66 @@
+suite: RBAC
+release:
+  namespace: test-ns
+
+tests:
+  - it: Role is namespace-scoped (not ClusterRole)
+    template: templates/role.yaml
+    asserts:
+      - isKind:
+          of: Role
+      - equal:
+          path: metadata.namespace
+          value: test-ns
+
+  - it: RoleBinding is namespace-scoped (not ClusterRoleBinding)
+    template: templates/rolebinding.yaml
+    asserts:
+      - isKind:
+          of: RoleBinding
+      - equal:
+          path: metadata.namespace
+          value: test-ns
+
+  - it: RoleBinding references Role not ClusterRole
+    template: templates/rolebinding.yaml
+    asserts:
+      - equal:
+          path: roleRef.kind
+          value: Role
+
+  - it: RoleBinding subject namespace matches release namespace
+    template: templates/rolebinding.yaml
+    asserts:
+      - equal:
+          path: subjects[0].namespace
+          value: test-ns
+
+  - it: Role grants required verbs on pods
+    template: templates/role.yaml
+    asserts:
+      - contains:
+          path: rules
+          content:
+            apiGroups: [""]
+            resources: ["pods"]
+            verbs: ["get", "list", "watch", "update", "patch"]
+
+  - it: Role grants full CRUD on httproutes
+    template: templates/role.yaml
+    asserts:
+      - contains:
+          path: rules
+          content:
+            apiGroups: ["gateway.networking.k8s.io"]
+            resources: ["httproutes"]
+            verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+
+  - it: Role grants full CRUD on services and endpoints
+    template: templates/role.yaml
+    asserts:
+      - contains:
+          path: rules
+          content:
+            apiGroups: [""]
+            resources: ["services", "endpoints"]
+            verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
diff --git a/charts/envoy-router/tests/serviceaccount_test.yaml b/charts/envoy-router/tests/serviceaccount_test.yaml
@@ -0,0 +1,34 @@
+suite: ServiceAccount
+templates:
+  - templates/serviceaccount.yaml
+release:
+  namespace: test-ns
+
+tests:
+  - it: is created by default
+    asserts:
+      - hasDocuments:
+          count: 1
+      - isKind:
+          of: ServiceAccount
+
+  - it: is in release namespace
+    asserts:
+      - equal:
+          path: metadata.namespace
+          value: test-ns
+
+  - it: is not created when serviceAccount.create is false
+    set:
+      serviceAccount.create: false
+    asserts:
+      - hasDocuments:
+          count: 0
+
+  - it: uses custom name when serviceAccount.name is set
+    set:
+      serviceAccount.name: my-sa
+    asserts:
+      - equal:
+          path: metadata.name
+          value: my-sa
