
feat(helm): add dynamic labelSelector if not define in topologySpreadConstraints (#5065)

Signed-off-by: fe80 <steffyfort@gmail.com>
Co-authored-by: Gergely Brautigam <skarlso777@gmail.com>
Steffy Fort 6 months ago
parent
commit
89fd81c694

+ 8 - 1
deploy/charts/external-secrets/templates/cert-controller-deployment.yaml

@@ -139,7 +139,14 @@ spec:
       {{- end }}
       {{- with .Values.certController.topologySpreadConstraints | default .Values.global.topologySpreadConstraints }}
       topologySpreadConstraints:
-        {{- toYaml . | nindent 8 }}
+        {{- range $constraint := . }}
+        - {{ toYaml $constraint | nindent 10 | trim }}
+          {{- if not $constraint.labelSelector }}
+          labelSelector:
+            matchLabels:
+              {{- include "external-secrets-cert-controller.selectorLabels" $ | nindent 14 }}
+          {{- end }}
+        {{- end }}
       {{- end }}
       {{- if .Values.certController.priorityClassName }}
       priorityClassName: {{ .Values.certController.priorityClassName }}
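Review bot: The guard `{{- if not $constraint.labelSelector }}` tests truthiness rather than key presence, so a constraint that sets `labelSelector: {}` explicitly is handled as if the key were missing. In that case `toYaml $constraint` already emits `labelSelector: {}` and the block below it emits a second `labelSelector:` in the same list item, leaving a duplicate key whose handling depends on the YAML parser. Checking for the key avoids both problems: `{{- if not (hasKey $constraint "labelSelector") }}`. The same line appears in the deployment.yaml and webhook-deployment.yaml hunks; the enclosing `with` block and pod spec continue outside the hunk.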

+ 8 - 1
deploy/charts/external-secrets/templates/deployment.yaml

@@ -167,7 +167,14 @@ spec:
       {{- end }}
       {{- with .Values.topologySpreadConstraints | default .Values.global.topologySpreadConstraints }}
       topologySpreadConstraints:
-        {{- toYaml . | nindent 8 }}
+        {{- range $constraint := . }}
+        - {{ toYaml $constraint | nindent 10 | trim }}
+          {{- if not $constraint.labelSelector }}
+          labelSelector:
+            matchLabels:
+              {{- include "external-secrets.selectorLabels" $ | nindent 14 }}
+          {{- end }}
+        {{- end }}
       {{- end }}
       {{- if .Values.priorityClassName }}
       priorityClassName: {{ .Values.priorityClassName }}

+ 8 - 1
deploy/charts/external-secrets/templates/webhook-deployment.yaml

@@ -131,7 +131,14 @@ spec:
       {{- end }}
       {{- with .Values.webhook.topologySpreadConstraints | default .Values.global.topologySpreadConstraints }}
       topologySpreadConstraints:
-        {{- toYaml . | nindent 8 }}
+        {{- range $constraint := . }}
+        - {{ toYaml $constraint | nindent 10 | trim }}
+          {{- if not $constraint.labelSelector }}
+          labelSelector:
+            matchLabels:
+              {{- include "external-secrets-webhook.selectorLabels" $ | nindent 14 }}
+          {{- end }}
+        {{- end }}
       {{- end }}
       {{- if .Values.webhook.priorityClassName }}
       priorityClassName: {{ .Values.webhook.priorityClassName }}

+ 78 - 0
deploy/charts/external-secrets/tests/topology_spread_constaints_test.yaml

@@ -0,0 +1,78 @@
+---
+suite: test global topologySpreadConstraints
+templates:
+  - cert-controller-deployment.yaml
+  - deployment.yaml
+  - webhook-deployment.yaml
+tests:
+  - it: should set topologySpreadConstraints to set value if given
+    set:
+      global.topologySpreadConstraints:
+        - maxSkew: 1
+          topologyKey: kubernetes.io/hostname
+          whenUnsatisfiable: DoNotSchedule
+          matchLabelKeys:
+            - pod-template-hash
+    asserts:
+      - isSubset:
+          path: spec.template.spec.topologySpreadConstraints[0]
+          content:
+            maxSkew: 1
+            topologyKey: kubernetes.io/hostname
+---
+suite: test global topologySpreadConstraints on deployment.yaml
+templates:
+  - deployment.yaml
+tests:
+  - it: should set topologySpreadConstraints to set value if given
+    set:
+      global.topologySpreadConstraints:
+        - maxSkew: 1
+          topologyKey: kubernetes.io/hostname
+          whenUnsatisfiable: DoNotSchedule
+          matchLabelKeys:
+            - pod-template-hash
+    asserts:
+      - isSubset:
+          path: spec.template.spec.topologySpreadConstraints[0].labelSelector.matchLabels
+          content:
+            app.kubernetes.io/name: external-secrets
+            app.kubernetes.io/instance: RELEASE-NAME
+---
+suite: test global topologySpreadConstraints on cert-controller-deployment.yaml
+templates:
+  - cert-controller-deployment.yaml
+tests:
+  - it: should set topologySpreadConstraints to set value if given
+    set:
+      global.topologySpreadConstraints:
+        - maxSkew: 1
+          topologyKey: kubernetes.io/hostname
+          whenUnsatisfiable: DoNotSchedule
+          matchLabelKeys:
+            - pod-template-hash
+    asserts:
+      - isSubset:
+          path: spec.template.spec.topologySpreadConstraints[0].labelSelector.matchLabels
+          content:
+            app.kubernetes.io/name: external-secrets-cert-controller
+            app.kubernetes.io/instance: RELEASE-NAME
+---
+suite: test global topologySpreadConstraints on webhook-deployment.yaml
+templates:
+  - webhook-deployment.yaml
+tests:
+  - it: should set topologySpreadConstraints to set value if given
+    set:
+      global.topologySpreadConstraints:
+        - maxSkew: 1
+          topologyKey: kubernetes.io/hostname
+          whenUnsatisfiable: DoNotSchedule
+          matchLabelKeys:
+            - pod-template-hash
+    asserts:
+      - isSubset:
+          path: spec.template.spec.topologySpreadConstraints[0].labelSelector.matchLabels
+          content:
+            app.kubernetes.io/name: external-secrets-webhook
+            app.kubernetes.io/instance: RELEASE-NAME
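Review bot: Every case in this file omits `labelSelector`, so nothing checks that a constraint carrying its own selector is rendered unchanged, without the injected default. The component-level values (`topologySpreadConstraints`, `webhook.topologySpreadConstraints`, `certController.topologySpreadConstraints`) are not exercised either; only `global` is set. A case like the one below, added to the first suite, would cover the user-supplied path for all three templates. The file name also spells "constaints".

```yaml
tests:
  # … unchanged: "should set topologySpreadConstraints to set value if given" …
  - it: should keep a labelSelector supplied in the constraint
    set:
      global.topologySpreadConstraints:
        - maxSkew: 1
          topologyKey: kubernetes.io/hostname
          whenUnsatisfiable: DoNotSchedule
          labelSelector:
            matchLabels:
              # constructed sample value
              app.kubernetes.io/name: custom-selector
    asserts:
      - equal:
          path: spec.template.spec.topologySpreadConstraints[0].labelSelector.matchLabels
          value:
            app.kubernetes.io/name: custom-selector
```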

+ 11 - 0
deploy/charts/external-secrets/values.yaml

@@ -1,7 +1,18 @@
+---
 global:
   nodeSelector: {}
   tolerations: []
   topologySpreadConstraints: []
+  #  - maxSkew: 1
+  #    topologyKey: topology.kubernetes.io/zone
+  #    whenUnsatisfiable: ScheduleAnyway
+  #    matchLabelKeys:
+  #      - pod-template-hash
+  #  - maxSkew: 1
+  #    topologyKey: kubernetes.io/hostname
+  #    whenUnsatisfiable: DoNotSchedule
+  #    matchLabelKeys:
+  #      - pod-template-hash
   affinity: {}
   compatibility:
     openshift:
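Review bot: The commented example under `global.topologySpreadConstraints` omits `labelSelector` without saying that the templates fill one in, so a reader of values.yaml cannot tell which pods the constraint will count. A line above the example would make the default visible, for instance `#  labelSelector is optional; when omitted, each deployment adds its own selector labels.` Because `global` feeds the controller, webhook and cert-controller deployments, it is worth stating that the default is per component.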