feat: support topologySpreadConstraints in helm chart

nejec · eshepelyuk · commit d20f679da85f · 2025-11-25T16:50:19.000+02:00
- adding support for topologySpreadConstraints to allow configuring
  different topology strategies in OPA deployments

Signed-off-by: Jernej Porenta &lt;jernej.porenta@3fs.si&gt;
diff --git a/charts/opa-kube-mgmt/templates/deployment.yaml b/charts/opa-kube-mgmt/templates/deployment.yaml
@@ -292,3 +292,5 @@ spec:
 {{ toYaml .Values.nodeSelector | indent 8 }}
       tolerations:
 {{ toYaml .Values.tolerations | indent 8 }}
+      topologySpreadConstraints:
+{{ toYaml .Values.topologySpreadConstraints | indent 8 }}
diff --git a/charts/opa-kube-mgmt/values.schema.json b/charts/opa-kube-mgmt/values.schema.json
@@ -46,6 +46,65 @@
           "default": null
         }
       }
+    },
+    "topologySpreadConstraints": {
+      "type": "array",
+      "items": {
+        "type": "object",
+        "required": ["maxSkew", "topologyKey", "whenUnsatisfiable"],
+        "properties": {
+          "maxSkew": {
+            "type": "integer",
+            "minimum": 1
+          },
+          "topologyKey": {
+            "type": "string",
+            "minLength": 1
+          },
+          "whenUnsatisfiable": {
+            "type": "string",
+            "enum": ["DoNotSchedule", "ScheduleAnyway"]
+          },
+          "labelSelector": {
+            "type": "object",
+            "properties": {
+              "matchLabels": {
+                "type": "object",
+                "additionalProperties": {"type": "string"}
+              },
+              "matchExpressions": {
+                "type": "array",
+                "items": {
+                  "type": "object",
+                  "required": ["key", "operator"],
+                  "properties": {
+                    "key": {"type": "string"},
+                    "operator": {"type": "string", "enum": ["In", "NotIn", "Exists", "DoesNotExist"]},
+                    "values": {"type": "array", "items": {"type": "string"}}
+                  }
+                }
+              }
+            }
+          },
+          "matchLabelKeys": {
+            "type": "array",
+            "items": {"type": "string"}
+          },
+          "minDomains": {
+            "type": "integer",
+            "minimum": 1
+          },
+          "nodeAffinityPolicy": {
+            "type": "string",
+            "enum": ["Honor", "Ignore"]
+          },
+          "nodeTaintsPolicy": {
+            "type": "string",
+            "enum": ["Honor", "Ignore"]
+          }
+        }
+      },
+      "default": []
     }
   }
 }
diff --git a/charts/opa-kube-mgmt/values.yaml b/charts/opa-kube-mgmt/values.yaml
@@ -219,6 +219,18 @@ affinity: {}
 tolerations: []
 nodeSelector: {}
 
+# To control pod distribution across topology domains, set topologySpreadConstraints
+# below.
+#
+# topologySpreadConstraints:
+# - maxSkew: 1
+#   topologyKey: topology.kubernetes.io/zone
+#   whenUnsatisfiable: DoNotSchedule
+#   labelSelector:
+#     matchLabels:
+#       app: opa
+topologySpreadConstraints: []
+
 # To control the CPU and memory resource limits and requests for OPA, set the
 # field below.
 resources: {}
diff --git a/test/lint/tsc.yaml b/test/lint/tsc.yaml
@@ -0,0 +1,79 @@
+suite: lint topologySpreadConstraints
+templates:
+  - deployment.yaml
+tests:
+  - it: fails when maxSkew is missing
+    set:
+      topologySpreadConstraints:
+        - topologyKey: "kubernetes.io/hostname"
+          whenUnsatisfiable: "DoNotSchedule"
+    asserts:
+      - failedTemplate: {}
+
+  - it: fails when maxSkew is null
+    set:
+      topologySpreadConstraints:
+        - maxSkew: null
+          topologyKey: "kubernetes.io/hostname"
+          whenUnsatisfiable: "DoNotSchedule"
+    asserts:
+      - failedTemplate: {}
+
+  - it: fails when topologyKey is missing
+    set:
+      topologySpreadConstraints:
+        - maxSkew: 1
+          whenUnsatisfiable: "DoNotSchedule"
+    asserts:
+      - failedTemplate: {}
+
+  - it: fails when whenUnsatisfiable is missing
+    set:
+      topologySpreadConstraints:
+        - maxSkew: 1
+          topologyKey: "kubernetes.io/hostname"
+    asserts:
+      - failedTemplate: {}
+
+  - it: fails when maxSkew is not an integer
+    set:
+      topologySpreadConstraints:
+        - maxSkew: "one"
+          topologyKey: "kubernetes.io/hostname"
+          whenUnsatisfiable: "DoNotSchedule"
+    asserts:
+      - failedTemplate: {}
+
+  - it: fails when topologyKey is empty string
+    set:
+      topologySpreadConstraints:
+        - maxSkew: 1
+          topologyKey: ""
+          whenUnsatisfiable: "DoNotSchedule"
+    asserts:
+      - failedTemplate: {}
+
+  - it: fails when whenUnsatisfiable has invalid value
+    set:
+      topologySpreadConstraints:
+        - maxSkew: 1
+          topologyKey: "kubernetes.io/hostname"
+          whenUnsatisfiable: "InvalidOption"
+    asserts:
+      - failedTemplate: {}
+
+  - it: renders with empty topologySpreadConstraints array
+    set:
+      topologySpreadConstraints: []
+    asserts:
+      - isKind:
+          of: Deployment
+      - isEmpty:
+          path: spec.template.spec.topologySpreadConstraints
+
+  - it: renders without topologySpreadConstraints when not set
+    asserts:
+      - isKind:
+          of: Deployment
+      - isEmpty:
+          path: spec.template.spec.topologySpreadConstraints
diff --git a/test/unit/tsc.yaml b/test/unit/tsc.yaml
@@ -0,0 +1,173 @@
+suite: test topologySpreadConstraints
+templates:
+  - deployment.yaml
+tests:
+  - it: renders with DoNotSchedule policy
+    set:
+      topologySpreadConstraints:
+        - maxSkew: 1
+          topologyKey: "kubernetes.io/hostname"
+          whenUnsatisfiable: "DoNotSchedule"
+    asserts:
+      - isKind:
+          of: Deployment
+      - contains:
+          path: spec.template.spec.topologySpreadConstraints
+          content:
+            maxSkew: 1
+            topologyKey: "kubernetes.io/hostname"
+            whenUnsatisfiable: "DoNotSchedule"
+
+  - it: renders multiple topologySpreadConstraints
+    set:
+      topologySpreadConstraints:
+        - maxSkew: 1
+          topologyKey: "traffic.kubernetes.io/region"
+          whenUnsatisfiable: "ScheduleAnyway"
+        - maxSkew: 2
+          topologyKey: "topology.kubernetes.io/zone"
+          whenUnsatisfiable: "DoNotSchedule"
+    asserts:
+      - lengthEqual:
+          path: spec.template.spec.topologySpreadConstraints
+          count: 2
+      - contains:
+          path: spec.template.spec.topologySpreadConstraints
+          content:
+            topologyKey: "traffic.kubernetes.io/region"
+          any: true
+      - contains:
+          path: spec.template.spec.topologySpreadConstraints
+          content:
+            topologyKey: "topology.kubernetes.io/zone"
+          any: true
+
+  - it: renders with labelSelector
+    set:
+      topologySpreadConstraints:
+        - maxSkew: 1
+          topologyKey: "kubernetes.io/hostname"
+          whenUnsatisfiable: "DoNotSchedule"
+          labelSelector:
+            matchLabels:
+              app: opa-kube-mgmt
+    asserts:
+      - contains:
+          path: spec.template.spec.topologySpreadConstraints
+          content:
+            maxSkew: 1
+            topologyKey: "kubernetes.io/hostname"
+            whenUnsatisfiable: "DoNotSchedule"
+            labelSelector:
+              matchLabels:
+                app: opa-kube-mgmt
+
+  - it: renders with minDomains
+    set:
+      topologySpreadConstraints:
+        - maxSkew: 1
+          topologyKey: "kubernetes.io/hostname"
+          whenUnsatisfiable: "DoNotSchedule"
+          minDomains: 3
+    asserts:
+      - contains:
+          path: spec.template.spec.topologySpreadConstraints
+          content:
+            minDomains: 3
+          any: true
+
+  - it: passes through constraint with labelSelector
+    set:
+      topologySpreadConstraints:
+        - maxSkew: 1
+          topologyKey: "kubernetes.io/hostname"
+          whenUnsatisfiable: "DoNotSchedule"
+          labelSelector:
+            matchLabels:
+              app: opa-kube-mgmt
+            matchExpressions:
+              - key: environment
+                operator: In
+                values:
+                  - production
+                  - staging
+    asserts:
+      - equal:
+          path: spec.template.spec.topologySpreadConstraints[0].labelSelector
+          value:
+            matchLabels:
+              app: opa-kube-mgmt
+            matchExpressions:
+              - key: environment
+                operator: In
+                values:
+                  - production
+                  - staging
+
+  - it: passes through constraint with nodeAffinityPolicy
+    set:
+      topologySpreadConstraints:
+        - maxSkew: 1
+          topologyKey: "kubernetes.io/hostname"
+          whenUnsatisfiable: "DoNotSchedule"
+          nodeAffinityPolicy: "Honor"
+    asserts:
+      - equal:
+          path: spec.template.spec.topologySpreadConstraints[0].nodeAffinityPolicy
+          value: "Honor"
+
+  - it: passes through constraint with nodeTaintsPolicy
+    set:
+      topologySpreadConstraints:
+        - maxSkew: 1
+          topologyKey: "kubernetes.io/hostname"
+          whenUnsatisfiable: "DoNotSchedule"
+          nodeTaintsPolicy: "Ignore"
+    asserts:
+      - equal:
+          path: spec.template.spec.topologySpreadConstraints[0].nodeTaintsPolicy
+          value: "Ignore"
+
+  - it: passes through constraint with matchLabelKeys
+    set:
+      topologySpreadConstraints:
+        - maxSkew: 1
+          topologyKey: "kubernetes.io/hostname"
+          whenUnsatisfiable: "DoNotSchedule"
+          matchLabelKeys:
+            - config
+    asserts:
+      - equal:
+          path: spec.template.spec.topologySpreadConstraints[0].matchLabelKeys
+          value:
+            - config
+
+  - it: passes through fully configured constraint
+    set:
+      topologySpreadConstraints:
+        - maxSkew: 2
+          topologyKey: "topology.kubernetes.io/zone"
+          whenUnsatisfiable: "ScheduleAnyway"
+          minDomains: 3
+          nodeAffinityPolicy: "Honor"
+          nodeTaintsPolicy: "Honor"
+          matchLabelKeys:
+            - pod-template-hash
+          labelSelector:
+            matchLabels:
+              app: opa-kube-mgmt
+    asserts:
+      - equal:
+          path: spec.template.spec.topologySpreadConstraints[0]
+          value:
+            maxSkew: 2
+            topologyKey: "topology.kubernetes.io/zone"
+            whenUnsatisfiable: "ScheduleAnyway"
+            minDomains: 3
+            nodeAffinityPolicy: "Honor"
+            nodeTaintsPolicy: "Honor"
+            matchLabelKeys:
+              - pod-template-hash
+            labelSelector:
+              matchLabels:
+                app: opa-kube-mgmt
