open-policy-agent · eshepelyuk · Nov 25, 2025 · Nov 24, 2025 · Nov 24, 2025
diff --git a/charts/opa-kube-mgmt/templates/deployment.yaml b/charts/opa-kube-mgmt/templates/deployment.yaml
@@ -292,3 +292,5 @@ spec:
 {{ toYaml .Values.nodeSelector | indent 8 }}
       tolerations:
 {{ toYaml .Values.tolerations | indent 8 }}
+      topologySpreadConstraints:
+{{ toYaml .Values.topologySpreadConstraints | indent 8 }}
diff --git a/charts/opa-kube-mgmt/values.schema.json b/charts/opa-kube-mgmt/values.schema.json
@@ -46,6 +46,65 @@
           "default": null
         }
       }
+    },
+    "topologySpreadConstraints": {
+      "type": "array",
+      "items": {
+        "type": "object",
+        "required": ["maxSkew", "topologyKey", "whenUnsatisfiable"],
+        "properties": {
+          "maxSkew": {
+            "type": "integer",
+            "minimum": 1
+          },
+          "topologyKey": {
+            "type": "string",
+            "minLength": 1
+          },
+          "whenUnsatisfiable": {
+            "type": "string",
+            "enum": ["DoNotSchedule", "ScheduleAnyway"]
+          },
+          "labelSelector": {
+            "type": "object",
+            "properties": {
+              "matchLabels": {
+                "type": "object",
+                "additionalProperties": {"type": "string"}
+              },
+              "matchExpressions": {
+                "type": "array",
+                "items": {
+                  "type": "object",
+                  "required": ["key", "operator"],
+                  "properties": {
+                    "key": {"type": "string"},
+                    "operator": {"type": "string", "enum": ["In", "NotIn", "Exists", "DoesNotExist"]},
+                    "values": {"type": "array", "items": {"type": "string"}}
+                  }
+                }
+              }
+            }
+          },
+          "matchLabelKeys": {
+            "type": "array",
+            "items": {"type": "string"}
+          },
+          "minDomains": {
+            "type": "integer",
+            "minimum": 1
+          },
+          "nodeAffinityPolicy": {
+            "type": "string",
+            "enum": ["Honor", "Ignore"]
+          },
+          "nodeTaintsPolicy": {
+            "type": "string",
+            "enum": ["Honor", "Ignore"]
+          }
+        }
+      },
+      "default": []
     }
   }
 }
diff --git a/charts/opa-kube-mgmt/values.yaml b/charts/opa-kube-mgmt/values.yaml
@@ -219,6 +219,18 @@ affinity: {}
 tolerations: []
 nodeSelector: {}
 
+# To control pod distribution across topology domains, set topologySpreadConstraints
+# below.
+#
+# topologySpreadConstraints:
+# - maxSkew: 1
+#   topologyKey: topology.kubernetes.io/zone
+#   whenUnsatisfiable: DoNotSchedule
+#   labelSelector:
+#     matchLabels:
+#       app: opa
+topologySpreadConstraints: []
+
 # To control the CPU and memory resource limits and requests for OPA, set the
 # field below.
 resources: {}

diff --git a/justfile b/justfile
@@ -27,7 +27,7 @@ _latest:
   fi
 
 _helm-unittest:
-  helm plugin ls | grep unittest || helm plugin install https://github.com/helm-unittest/helm-unittest --version v0.8.2
+  helm plugin ls | grep unittest || helm plugin install https://github.com/helm-unittest/helm-unittest --version v1.0.3
 
 # golang linter
 lint-go:

diff --git a/test/lint/images.yaml b/test/lint/images.yaml
@@ -10,7 +10,8 @@ tests:
           errorMessage: |
             values don't meet the specifications of the schema(s) in the following chart(s):
             opa-kube-mgmt:
-            - (root): image is required
+            - at '': missing property 'image'
+
   - it: image.repository not string
     set:
       image:
@@ -20,7 +21,8 @@ tests:
           errorMessage: |
             values don't meet the specifications of the schema(s) in the following chart(s):
             opa-kube-mgmt:
-            - image.repository: Invalid type. Expected: string, given: integer
+            - at '/image/repository': got number, want string
+
   - it: image.tag not string
     set:
       image:
@@ -30,7 +32,8 @@ tests:
           errorMessage: |
             values don't meet the specifications of the schema(s) in the following chart(s):
             opa-kube-mgmt:
-            - image.tag: Invalid type. Expected: string, given: integer
+            - at '/image/tag': got number, want string
+
   - it: mgmt.image is null
     set:
       mgmt:
@@ -40,7 +43,8 @@ tests:
           errorMessage: |
             values don't meet the specifications of the schema(s) in the following chart(s):
             opa-kube-mgmt:
-            - mgmt: image is required
+            - at '/mgmt': missing property 'image'
+
   - it: mgmt.image.repository not string
     set:
       mgmt:
@@ -51,7 +55,8 @@ tests:
           errorMessage: |
             values don't meet the specifications of the schema(s) in the following chart(s):
             opa-kube-mgmt:
-            - mgmt.image.repository: Invalid type. Expected: string, given: integer
+            - at '/mgmt/image/repository': got number, want string
+
   - it: mgmt.image.tag not string
     set:
       mgmt:
@@ -62,4 +67,4 @@ tests:
           errorMessage: |
             values don't meet the specifications of the schema(s) in the following chart(s):
             opa-kube-mgmt:
-            - mgmt.image.tag: Invalid type. Expected: string, given: integer
+            - at '/mgmt/image/tag': got number, want string
diff --git a/test/lint/sa.yaml b/test/lint/sa.yaml
@@ -9,7 +9,4 @@ tests:
           foo: 1
     asserts:
       - failedTemplate:
-          errorMessage: |
-            values don't meet the specifications of the schema(s) in the following chart(s):
-            opa-kube-mgmt:
-            - serviceAccount.annotations.foo: Invalid type. Expected: string, given: integer
+          errorPattern: "got number, want string"
diff --git a/test/lint/service.yaml b/test/lint/service.yaml
@@ -2,17 +2,34 @@ suite: lint service
 templates:
   - service.yaml
 tests:
-  - it: service annotations must be a string for foo
+  - it: fails when service annotation is boolean
     set:
       service:
         annotations:
           bar: true
+    asserts:
+      - failedTemplate:
+          errorPattern: "got boolean, want string"
+
+  - it: fails when service annotation is array
+    set:
+      service:
+        annotations:
           baz: ["invalid"]
+    asserts:
+      - failedTemplate:
+          errorPattern: "got array, want string"
+
+  - it: fails when service annotation is object
+    set:
+      service:
+        annotations:
           foo:
             bar: baz
     asserts:
       - failedTemplate:
-          errorPattern: "Invalid type. Expected: string, given"
+          errorPattern: "got object, want string"
+
   - it: trafficDistribution invalid value
     set:
       service:
@@ -22,4 +39,4 @@ tests:
           errorMessage: |
             values don't meet the specifications of the schema(s) in the following chart(s):
             opa-kube-mgmt:
-            - service.trafficDistribution: service.trafficDistribution must be one of the following: "PreferClose", "PreferSameNode", "PreferSameZone", null
+            - at '/service/trafficDistribution': value must be one of 'PreferClose', 'PreferSameNode', 'PreferSameZone', <nil>
diff --git a/test/lint/tsc.yaml b/test/lint/tsc.yaml
@@ -0,0 +1,79 @@
+suite: lint topologySpreadConstraints
+templates:
+  - deployment.yaml
+tests:
+  - it: fails when maxSkew is missing
+    set:
+      topologySpreadConstraints:
+        - topologyKey: "kubernetes.io/hostname"
+          whenUnsatisfiable: "DoNotSchedule"
+    asserts:
+      - failedTemplate: {}
+
+  - it: fails when maxSkew is null
+    set:
+      topologySpreadConstraints:
+        - maxSkew: null
+          topologyKey: "kubernetes.io/hostname"
+          whenUnsatisfiable: "DoNotSchedule"
+    asserts:
+      - failedTemplate: {}
+
+  - it: fails when topologyKey is missing
+    set:
+      topologySpreadConstraints:
+        - maxSkew: 1
+          whenUnsatisfiable: "DoNotSchedule"
+    asserts:
+      - failedTemplate: {}
+
+  - it: fails when whenUnsatisfiable is missing
+    set:
+      topologySpreadConstraints:
+        - maxSkew: 1
+          topologyKey: "kubernetes.io/hostname"
+    asserts:
+      - failedTemplate: {}
+
+  - it: fails when maxSkew is not an integer
+    set:
+      topologySpreadConstraints:
+        - maxSkew: "one"
+          topologyKey: "kubernetes.io/hostname"
+          whenUnsatisfiable: "DoNotSchedule"
+    asserts:
+      - failedTemplate: {}
+
+  - it: fails when topologyKey is empty string
+    set:
+      topologySpreadConstraints:
+        - maxSkew: 1
+          topologyKey: ""
+          whenUnsatisfiable: "DoNotSchedule"
+    asserts:
+      - failedTemplate: {}
+
+  - it: fails when whenUnsatisfiable has invalid value
+    set:
+      topologySpreadConstraints:
+        - maxSkew: 1
+          topologyKey: "kubernetes.io/hostname"
+          whenUnsatisfiable: "InvalidOption"
+    asserts:
+      - failedTemplate: {}
+
+  - it: renders with empty topologySpreadConstraints array
+    set:
+      topologySpreadConstraints: []
+    asserts:
+      - isKind:
+          of: Deployment
+      - isEmpty:
+          path: spec.template.spec.topologySpreadConstraints
+
+  - it: renders without topologySpreadConstraints when not set
+    asserts:
+      - isKind:
+          of: Deployment
+      - isEmpty:
+          path: spec.template.spec.topologySpreadConstraints