test(helm): add helm test hook + kind apiserver dry-run in CI

waleedlatif1 · waleedlatif1 · commit 4dc7966876ad · 2026-05-12T09:46:35.000-07:00
- New templates/tests/test-connection.yaml renders a Pod with
  helm.sh/hook=test that wgets the app Service (and realtime when
  enabled). Lets users run `helm test &lt;release&gt;` after install for
  a real in-cluster connectivity check. Restricted PSS context.
- tests.* values block (image, timeoutSeconds, resources) is the
  knob to disable or tune the probe; documented in values.schema.json.
- 3 helm-unittest tests cover the hook annotations, PSS context,
  and tests.enabled=false skip path (41 tests total).
- New CI job spins up a kind v1.30 cluster and runs
  `kubectl apply --dry-run=server` against the rendered manifests
  for the CRD-free ci fixtures (default / existing-secret /
  external-db). Catches admission and validation issues the static
  kubeconform schema check can't see.
diff --git a/.github/workflows/helm-chart.yml b/.github/workflows/helm-chart.yml
@@ -70,3 +70,44 @@ jobs:
                   -summary
             echo "::endgroup::"
           done
+
+  apiserver-dryrun:
+    name: API-server dry-run on kind
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Set up Helm
+        uses: azure/setup-helm@v4
+        with:
+          version: v3.16.2
+
+      - name: Create kind cluster
+        uses: helm/kind-action@v1
+        with:
+          version: v0.24.0
+          node_image: kindest/node:v1.30.4
+          wait: 120s
+
+      - name: Helm dependency build
+        run: helm dependency build helm/sim
+
+      - name: Server-side dry-run for CRD-free ci values
+        # Skips fixtures that reference CRDs (ExternalSecret, ServiceMonitor)
+        # the kind cluster does not have installed. Those are still covered
+        # by kubeconform in the lint-test job.
+        run: |
+          set -euo pipefail
+          kubectl create namespace sim
+          for f in \
+            helm/sim/ci/default-values.yaml \
+            helm/sim/ci/existing-secret-values.yaml \
+            helm/sim/ci/external-db-values.yaml; do
+            echo "::group::dry-run $f"
+            helm template release helm/sim \
+              --namespace sim \
+              -f "$f" \
+              | kubectl apply --namespace sim --dry-run=server -f -
+            echo "::endgroup::"
+          done
diff --git a/helm/sim/templates/tests/test-connection.yaml b/helm/sim/templates/tests/test-connection.yaml
@@ -0,0 +1,54 @@
+{{- if .Values.tests.enabled }}
+apiVersion: v1
+kind: Pod
+metadata:
+  name: {{ include "sim.fullname" . }}-test-connection
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "sim.labels" . | nindent 4 }}
+    app.kubernetes.io/component: test
+  annotations:
+    "helm.sh/hook": test
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+spec:
+  restartPolicy: Never
+  {{- with .Values.tests.image.pullSecrets }}
+  imagePullSecrets:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  securityContext:
+    runAsNonRoot: true
+    runAsUser: 65534
+    runAsGroup: 65534
+    fsGroup: 65534
+    seccompProfile:
+      type: RuntimeDefault
+  containers:
+    - name: probe
+      image: "{{ .Values.tests.image.repository }}:{{ .Values.tests.image.tag }}"
+      imagePullPolicy: {{ .Values.tests.image.pullPolicy }}
+      securityContext:
+        allowPrivilegeEscalation: false
+        readOnlyRootFilesystem: true
+        runAsNonRoot: true
+        runAsUser: 65534
+        capabilities:
+          drop:
+            - ALL
+      command:
+        - sh
+        - -c
+        - |
+          set -eu
+          APP_URL="http://{{ include "sim.fullname" . }}-app:{{ .Values.app.service.port }}/"
+          echo "Probing $APP_URL"
+          wget -q -T {{ .Values.tests.timeoutSeconds }} --tries=1 --spider "$APP_URL"
+          {{- if .Values.realtime.enabled }}
+          RT_URL="http://{{ include "sim.fullname" . }}-realtime:{{ .Values.realtime.service.port }}/health"
+          echo "Probing $RT_URL"
+          wget -q -T {{ .Values.tests.timeoutSeconds }} --tries=1 --spider "$RT_URL"
+          {{- end }}
+          echo "OK"
+      resources:
+        {{- toYaml .Values.tests.resources | nindent 8 }}
+{{- end }}
diff --git a/helm/sim/tests/helm-test-hook_test.yaml b/helm/sim/tests/helm-test-hook_test.yaml
@@ -0,0 +1,55 @@
+suite: helm test hook (helm test) connectivity probe
+release:
+  name: t
+  namespace: sim
+defaults: &defaults
+  app.env.BETTER_AUTH_SECRET: x
+  app.env.ENCRYPTION_KEY: x
+  app.env.INTERNAL_API_SECRET: x
+  app.env.CRON_SECRET: x
+  postgresql.auth.password: x
+
+tests:
+  - it: renders the test pod with helm.sh/hook=test by default
+    template: tests/test-connection.yaml
+    set:
+      <<: *defaults
+    asserts:
+      - isKind:
+          of: Pod
+      - equal:
+          path: 'metadata.annotations["helm.sh/hook"]'
+          value: test
+      - equal:
+          path: 'metadata.annotations["helm.sh/hook-delete-policy"]'
+          value: before-hook-creation,hook-succeeded
+      - equal:
+          path: spec.restartPolicy
+          value: Never
+
+  - it: applies restricted PSS context to the test pod
+    template: tests/test-connection.yaml
+    set:
+      <<: *defaults
+    asserts:
+      - equal:
+          path: spec.securityContext.runAsNonRoot
+          value: true
+      - equal:
+          path: spec.containers[0].securityContext.allowPrivilegeEscalation
+          value: false
+      - equal:
+          path: spec.containers[0].securityContext.readOnlyRootFilesystem
+          value: true
+      - contains:
+          path: spec.containers[0].securityContext.capabilities.drop
+          content: ALL
+
+  - it: skips rendering when tests.enabled=false
+    template: tests/test-connection.yaml
+    set:
+      <<: *defaults
+      tests.enabled: false
+    asserts:
+      - hasDocuments:
+          count: 0
diff --git a/helm/sim/values.schema.json b/helm/sim/values.schema.json
@@ -691,6 +691,24 @@
         }
       }
     },
+    "tests": {
+      "type": "object",
+      "description": "Helm test hook configuration (helm test)",
+      "properties": {
+        "enabled": { "type": "boolean" },
+        "image": {
+          "type": "object",
+          "properties": {
+            "repository": { "type": "string" },
+            "tag": { "type": "string" },
+            "pullPolicy": { "type": "string", "enum": ["Always", "IfNotPresent", "Never"] },
+            "pullSecrets": { "type": "array", "items": { "type": "object" } }
+          }
+        },
+        "timeoutSeconds": { "type": "integer", "minimum": 1 },
+        "resources": { "type": "object" }
+      }
+    },
     "sharedStorage": {
       "type": "object",
       "properties": {
diff --git a/helm/sim/values.yaml b/helm/sim/values.yaml
@@ -1585,4 +1585,22 @@ certManager:
   # CA ClusterIssuer configuration
   # This is the issuer that applications should reference for obtaining certificates
   caIssuer:
-    name: "sim-ca-issuer"
+    name: "sim-ca-issuer"
+# Helm test hook (helm test) connectivity probes.
+# Renders a Pod with helm.sh/hook=test that checks the app and realtime
+# Services are reachable from inside the cluster. Run with: helm test <release>
+tests:
+  enabled: true
+  image:
+    repository: busybox
+    tag: "1.36"
+    pullPolicy: IfNotPresent
+    pullSecrets: []
+  timeoutSeconds: 5
+  resources:
+    limits:
+      cpu: 100m
+      memory: 64Mi
+    requests:
+      cpu: 10m
+      memory: 16Mi
