feat: support topologySpreadConstraints in helm chart

- adding support for topologySpreadConstraints to allow configuring
  different topology strategies in OPA deployments

Author: nejec

charts/opa-kube-mgmt/templates/deployment.yaml

@@ -292,3 +292,5 @@ spec:
 {{ toYaml .Values.nodeSelector | indent 8 }}
       tolerations:
 {{ toYaml .Values.tolerations | indent 8 }}
+      topologySpreadConstraints:
+{{ toYaml .Values.topologySpreadConstraints | indent 8 }}

charts/opa-kube-mgmt/values.schema.json

@@ -46,6 +46,65 @@
           "default": null
         }
       }
+    },
+    "topologySpreadConstraints": {
+      "type": "array",
+      "items": {
+        "type": "object",
+        "required": ["maxSkew", "topologyKey", "whenUnsatisfiable"],
+        "properties": {
+          "maxSkew": {
+            "type": "integer",
+            "minimum": 1
+          },
+          "topologyKey": {
+            "type": "string",
+            "minLength": 1
+          },
+          "whenUnsatisfiable": {
+            "type": "string",
+            "enum": ["DoNotSchedule", "ScheduleAnyway"]
+          },
+          "labelSelector": {
+            "type": "object",
+            "properties": {
+              "matchLabels": {
+                "type": "object",
+                "additionalProperties": {"type": "string"}
+              },
+              "matchExpressions": {
+                "type": "array",
+                "items": {
+                  "type": "object",
+                  "required": ["key", "operator"],
+                  "properties": {
+                    "key": {"type": "string"},
+                    "operator": {"type": "string", "enum": ["In", "NotIn", "Exists", "DoesNotExist"]},
+                    "values": {"type": "array", "items": {"type": "string"}}
+                  }
+                }
+              }
+            }
+          },
+          "matchLabelKeys": {
+            "type": "array",
+            "items": {"type": "string"}
+          },
+          "minDomains": {
+            "type": "integer",
+            "minimum": 1
+          },
+          "nodeAffinityPolicy": {
+            "type": "string",
+            "enum": ["Honor", "Ignore"]
+          },
+          "nodeTaintsPolicy": {
+            "type": "string",
+            "enum": ["Honor", "Ignore"]
+          }
+        }
+      },
+      "default": []
     }
   }
 }

charts/opa-kube-mgmt/values.yaml

@@ -219,6 +219,18 @@ affinity: {}
 tolerations: []
 nodeSelector: {}
 
+# To control pod distribution across topology domains, set topologySpreadConstraints
+# below.
+#
+# topologySpreadConstraints:
+# - maxSkew: 1
+#   topologyKey: topology.kubernetes.io/zone
+#   whenUnsatisfiable: DoNotSchedule
+#   labelSelector:
+#     matchLabels:
+#       app: opa
+topologySpreadConstraints: []
+
 # To control the CPU and memory resource limits and requests for OPA, set the
 # field below.
 resources: {}

test/lint/tsc.yaml

@@ -0,0 +1,47 @@
+suite: lint topologySpreadConstraints
+templates:
+  - tsc.yaml
+tests:
+  - it: topologySpreadConstraints missing required fields
+    set:
+      pod:
+        topologySpreadConstraints:
+          - maxSkew: null # Invalid value
+    asserts:
+      - failedTemplate:
+          errorPattern: "topologySpreadConstraints.maxSkew is required and must be a valid integer"
+
+  - it: topologySpreadConstraints invalid values
+    set:
+      pod:
+        topologySpreadConstraints:
+          - maxSkew: 1
+            topologyKey: ""
+            whenUnsatisfiable: "InvalidOption"
+    asserts:
+      - failedTemplate:
+          errorMessage: |
+            values don't meet the specifications of the schema(s):
+            - topologySpreadConstraints.topologyKey: topologyKey cannot be empty
+            - topologySpreadConstraints.whenUnsatisfiable: whenUnsatisfiable must be one of the following: "DoNotSchedule", "ScheduleAnyway"
+
+  - it: valid topologySpreadConstraints
+    set:
+      pod:
+        topologySpreadConstraints:
+          - maxSkew: 1
+            topologyKey: "topology.kubernetes.io/zone"
+            whenUnsatisfiable: "DoNotSchedule"
+            labelSelector:
+              matchLabels:
+                app: "opa"
+    asserts:
+      - renderedTemplateContains:
+          text: |
+            topologySpreadConstraints:
+              - maxSkew: 1
+                topologyKey: topology.kubernetes.io/zone
+                whenUnsatisfiable: DoNotSchedule
+                labelSelector:
+                  matchLabels:
+                    app: "opa"

test/unit/tsc.yaml

@@ -0,0 +1,40 @@
+suite: test topologySpreadConstraints
+templates:
+  - tsc.yaml
+tests:
+  - it: should omit topologySpreadConstraints by default
+    asserts:
+      - notExists:
+          path: spec.template.spec.topologySpreadConstraints
+  - it: should omit topologySpreadConstraints when null
+    set:
+      service.topologySpreadConstraints: null
+    asserts:
+      - notExists:
+          path: spec.template.spec.topologySpreadConstraints
+  - it: should set topologySpreadConstraints
+    set:
+      service.topologySpreadConstraints:
+        - maxSkew: 1
+          topologyKey: topology.kubernetes.io/zone
+          whenUnsatisfiable: DoNotSchedule
+          labelSelector:
+            matchLabels:
+              app: opa
+    asserts:
+      - exists:
+          path: spec.template.spec.topologySpreadConstraints[0]
+      - equal:
+          path: spec.template.spec.topologySpreadConstraints[0].maxSkew
+          value: 1
+      - equal:
+          path: spec.template.spec.topologySpreadConstraints[0].topologyKey
+          value: topology.kubernetes.io/zone
+      - equal:
+          path: spec.template.spec.topologySpreadConstraints[0].whenUnsatisfiable
+          value: DoNotSchedule
+      - exists:
+          path: spec.template.spec.topologySpreadConstraints[0].labelSelector.matchLabels.app
+      - equal:
+          path: spec.template.spec.topologySpreadConstraints[0].labelSelector.matchLabels.app
+          value: opa