test: Tests for helm chart & some fixes for found issues (#1752)

fix: Fixed a nil pointer error in the Helm chart that occurred when a deployment was configured with custom annotations due to an incorrect reference in the deployment template (#1752).

fix: Updated the admission controller configuration in the Helm chart to align with the redesigned structure done in v0.12.0-alpha release of heimdall (#1752).

fix: Corrected the placement of namespace selector properties in the Helm chart's admission controller configuration (#1752).

.github/workflows/ci.yaml

@@ -213,6 +213,36 @@ jobs:
           helm template --set operationMode=proxy ./charts/heimdall > proxy-config.yaml
           kubeconform --skip RuleSet -kubernetes-version ${{ env.KUBERNETES_API_VERSION }} proxy-config.yaml
 
+  unittest-helm-chart:
+    runs-on: ubuntu-22.04
+    needs:
+      - check-changes
+    if: >
+      needs.check-changes.outputs.helm_chart_changed == 'true' || 
+      needs.check-changes.outputs.ci_config_changed == 'true'
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
+        with:
+          egress-policy: audit
+
+      - name: Checkout repository
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
+      - name: Setup k8s tools
+        uses: yokawasa/action-setup-kube-tools@5fe385031665158529decddddb51d6224422836e # v0.11.1
+        with:
+          setup-tools: |
+            helm
+            kubeconform
+          helm: '${{ env.HELM_VERSION }}'
+          kubeconform: '${{ env.KUBECONFORM_VERSION }}'
+      - name: Install Helm Unittest
+        run: helm plugin install --version v0.6.0 https://github.com/helm-unittest/helm-unittest.git
+      - name: Run tests
+        run: |
+          helm unittest ./charts/heimdall
+  
+
   test:
     runs-on: ubuntu-22.04
     needs:

charts/heimdall/templates/heimdall/deployment.yaml → charts/heimdall/templates/deployment.yaml

@@ -14,11 +14,7 @@
 #
 # SPDX-License-Identifier: Apache-2.0
 
-{{ $opMode := required "operationMode is not set! Call helm with --set operationMode=<decision or proxy>" .Values.operationMode -}}
-{{- if not (or (eq $opMode "decision") (eq $opMode "proxy")) -}}
-{{- required "A valid operationMode is required! Call helm with --set operationMode=<decision or proxy>" .Values.operationMode -}}
-{{- end -}}
-{{- $data := dict "Release" .Release "Values" .Values "Chart" .Chart "Component" "deployment" -}}
+{{- $data := dict "Release" .Release "Values" .Values "Chart" .Chart "Component" "deployment" }}
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -27,9 +23,9 @@ metadata:
   labels:
     {{- include "heimdall.labels" $data | nindent 4 }}
   annotations:
-    checksum/config: {{ include (print $.Template.BasePath "/heimdall/configmap.yaml") . | sha256sum }}
+    checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
     {{- with .Values.deployment.annotations }}
-    {{- toYaml .Values.deployment.annotations | nindent 4 }}
+    {{- toYaml . | nindent 4 }}
     {{- end }}
 spec:
   {{- if not .Values.deployment.autoscaling.enabled }}
@@ -41,7 +37,7 @@ spec:
   template:
     metadata:
       labels:
-        {{- include "heimdall.selectorLabels" $data | nindent 8 }}
+        {{- include "heimdall.labels" $data | nindent 8 }}
       annotations:
         {{- if contains "prometheus" (.Values.env.OTEL_METRICS_EXPORTER | default "") }}
         prometheus.io/scrape: "true"
@@ -77,12 +73,12 @@ spec:
           imagePullPolicy: {{ .Values.image.pullPolicy }}
           args:
             - serve
-            - {{- if eq $opMode "decision" }} decision{{- else }} proxy{{- end }}
+            - {{- if eq .Values.operationMode "decision" }} decision{{- else }} proxy{{- end }}
             {{- with .Values.extraArgs }}
               {{- toYaml . | nindent 12 }}
             {{- end }}
           ports:
-            {{- if eq $opMode "decision" }}
+            {{- if eq .Values.operationMode "decision" }}
             - name: http-decision
               containerPort: {{ .Values.serve.decision.port }}
               protocol: TCP
@@ -104,8 +100,7 @@ spec:
               protocol: TCP
               containerPort: {{ .Values.profiling.port }}
             {{- end }}
-            {{- $rules := .Values.rules | default dict }}
-            {{- $providers := $rules.providers | default dict }}
+            {{- $providers := .Values.providers | default dict }}
             {{- $kubernetes := $providers.kubernetes | default dict}}
             {{- if $kubernetes.tls }}
             - name: https-webhook

charts/heimdall/templates/heimdall/hpa.yaml → charts/heimdall/templates/hpa.yaml

@@ -15,18 +15,22 @@
 # SPDX-License-Identifier: Apache-2.0
 
 {{- if .Values.deployment.autoscaling.enabled }}
+{{- if and (not .Values.deployment.autoscaling.targetCPUUtilizationPercentage) (not .Values.deployment.autoscaling.targetMemoryUtilizationPercentage) }}
+  {{- fail "autoscaling is enabled, but usage of both, the cpu and the memory metrics is disabled" }}
+{{- end }}
+{{- $data := dict "Release" .Release "Values" .Values "Chart" .Chart }}
 apiVersion: autoscaling/v2
 kind: HorizontalPodAutoscaler
 metadata:
-  name: {{ include "heimdall.fullname" . }}
-  namespace: {{ include "heimdall.namespace" . }}
+  name: {{ include "heimdall.fullname" $data }}
+  namespace: {{ include "heimdall.namespace" $data }}
   labels:
-    {{- include "heimdall.labels" . | nindent 4 }}
+    {{- include "heimdall.labels" $data | nindent 4 }}
 spec:
   scaleTargetRef:
     apiVersion: apps/v1
     kind: Deployment
-    name: {{ include "heimdall.fullname" . }}
+    name: {{ include "heimdall.fullname" $data }}
   minReplicas: {{ .Values.deployment.autoscaling.minReplicas }}
   maxReplicas: {{ .Values.deployment.autoscaling.maxReplicas }}
   metrics:

charts/heimdall/templates/heimdall/service.yaml → charts/heimdall/templates/service.yaml

@@ -14,11 +14,7 @@
 #
 # SPDX-License-Identifier: Apache-2.0
 
-{{ $opMode := required "operationMode is not set! Call helm with --set operationMode=<decision or proxy>" .Values.operationMode -}}
-{{- if not (or (eq $opMode "decision") (eq $opMode "proxy")) -}}
-  {{- required "A valid operationMode is required! Call helm with --set operationMode=<decision or proxy>" .Values.operationMode -}}
-{{- end -}}
-{{- $data := dict "Release" .Release "Values" .Values "Chart" .Chart "Component" "service" -}}
+{{- $data := dict "Release" .Release "Values" .Values "Chart" .Chart "Component" "service" }}
 apiVersion: v1
 kind: Service
 metadata:
@@ -35,7 +31,7 @@ spec:
       targetPort: http-management
       protocol: TCP
       name: {{ .Values.service.management.name }}
-      {{- if eq $opMode "decision" }}
+      {{- if eq .Values.operationMode "decision" }}
     - port: {{ .Values.service.decision.port }}
       targetPort: http-decision
       protocol: TCP
@@ -46,8 +42,7 @@ spec:
       protocol: TCP
       name: {{ .Values.service.proxy.name }}
       {{- end }}
-      {{- $rules := default dict .Values.rules }}
-      {{- $providers := default dict $rules.providers }}
+      {{- $providers := default dict .Values.providers }}
       {{- $kubernetes := default dict $providers.kubernetes }}
       {{- if $kubernetes.tls }}
     - port: {{ .Values.service.admissionController.port }}

charts/heimdall/templates/heimdall/serviceaccount.yaml → charts/heimdall/templates/serviceaccount.yaml

@@ -21,8 +21,6 @@ metadata:
   namespace: {{ include "heimdall.namespace" . }}
   labels:
     {{- include "heimdall.labels" . | nindent 4 }}
-  annotations:
-    kubernetes.io/service-account.name: {{ include "heimdall.fullname" . }}
 automountServiceAccountToken: false
 
 ---

charts/heimdall/templates/heimdall/admissioncontroller.yaml → charts/heimdall/templates/validating_webhook.yaml

@@ -1,5 +1,4 @@
-{{- $rules := default dict .Values.rules }}
-{{- $providers := default dict $rules.providers }}
+{{- $providers := default dict .Values.providers }}
 {{- $kubernetes := default dict $providers.kubernetes }}
 {{- if $kubernetes.tls }}
 # Only active if .Values.rules.providers.kubernetes.tls is configured
@@ -14,11 +13,12 @@ metadata:
   annotations:
     {{- toYaml .Values.admissionController.annotations | nindent 4 }}
 webhooks:
-  - name: "admission-controller.heimdall.dadrus.github.com"
+  - name: admission-controller.heimdall.dadrus.github.com
     admissionReviewVersions: [ "v1" ]
     sideEffects: None
     timeoutSeconds: {{ .Values.admissionController.timeoutSeconds }}
     {{- with .Values.admissionController.namespaceSelector }}
+    namespaceSelector:
       {{- toYaml . | nindent 8 }}
     {{- end }}
     rules:
@@ -28,9 +28,6 @@ webhooks:
         resources:   ["rulesets"]
         scope:       "Namespaced"
     matchConditions:
-      {{- $rules := .Values.rules | default dict }}
-      {{- $providers := $rules.providers | default dict }}
-      {{- $kubernetes := $providers.kubernetes | default dict}}
       # Match only those rule sets, which relate to the configured auth class
       - name: 'auth-class-filter'
         expression: 'object.spec.authClassName == {{ default (quote "default") (quote $kubernetes.auth_class) }}'
@@ -39,8 +36,8 @@ webhooks:
       caBundle: {{ . }}
       {{- end }}
       service:
-        namespace: {{ include "heimdall.namespace" $data }}
-        name: {{ include "heimdall.fullname" $data }}
+        namespace: {{ include "heimdall.namespace" . }}
+        name: {{ include "heimdall.fullname" . }}
         path: "/validate-ruleset"
         port: {{ .Values.service.admissionController.port }}
 {{- end }}

charts/heimdall/templates/validations/operation_mode.yaml

@@ -0,0 +1,4 @@
+{{ $opMode := required "operationMode is not set! Call helm with --set operationMode=<decision or proxy>" .Values.operationMode }}
+{{- if not (or (eq $opMode "decision") (eq $opMode "proxy")) }}
+  {{- fail "A valid operationMode is required! Call helm with --set operationMode=<decision or proxy>" }}
+{{- end }}