fix(helm): make topologySpreadConstraints per-component to match docstring

waleedlatif1 · waleedlatif1 · commit a4837deb54cd · 2026-05-12T10:28:51.000-07:00
Greptile flagged that sim.topologySpreadConstraints helper docstring promised
per-component config (.Values.app, .Values.realtime, ...) but call sites
passed .Values, so any app.topologySpreadConstraints / realtime.topologySpreadConstraints
set by the user was silently dropped. The single global key also prevented
distinct app-vs-realtime spread rules.

Pass .Values.app / .Values.realtime to the helper at each call site; move
the top-level topologySpreadConstraints key into both component sections in
values.yaml. Adds a regression test that app constraints don't leak onto
the realtime pod.
diff --git a/helm/sim/templates/deployment-app.yaml b/helm/sim/templates/deployment-app.yaml
@@ -40,7 +40,7 @@ spec:
       {{- include "sim.nodeSelector" .Values.app | nindent 6 }}
       {{- include "sim.tolerations" .Values | nindent 6 }}
       {{- include "sim.affinity" .Values | nindent 6 }}
-      {{- include "sim.topologySpreadConstraints" .Values | nindent 6 }}
+      {{- include "sim.topologySpreadConstraints" .Values.app | nindent 6 }}
       {{- if .Values.migrations.enabled }}
       initContainers:
         - name: migrations
diff --git a/helm/sim/templates/deployment-realtime.yaml b/helm/sim/templates/deployment-realtime.yaml
@@ -37,7 +37,7 @@ spec:
       {{- include "sim.nodeSelector" .Values.realtime | nindent 6 }}
       {{- include "sim.tolerations" .Values | nindent 6 }}
       {{- include "sim.affinity" .Values | nindent 6 }}
-      {{- include "sim.topologySpreadConstraints" .Values | nindent 6 }}
+      {{- include "sim.topologySpreadConstraints" .Values.realtime | nindent 6 }}
       containers:
         - name: realtime
           image: {{ include "sim.image" (dict "imageRoot" .Values.realtime.image "global" .Values.global "chartAppVersion" .Chart.AppVersion) }}
diff --git a/helm/sim/tests/pod-rollout_test.yaml b/helm/sim/tests/pod-rollout_test.yaml
@@ -40,7 +40,7 @@ tests:
     template: deployment-app.yaml
     set:
       <<: *defaults
-      topologySpreadConstraints:
+      app.topologySpreadConstraints:
         - maxSkew: 1
           topologyKey: topology.kubernetes.io/zone
           whenUnsatisfiable: ScheduleAnyway
@@ -59,7 +59,7 @@ tests:
     template: deployment-realtime.yaml
     set:
       <<: *defaults
-      topologySpreadConstraints:
+      realtime.topologySpreadConstraints:
         - maxSkew: 1
           topologyKey: topology.kubernetes.io/zone
           whenUnsatisfiable: ScheduleAnyway
@@ -70,3 +70,18 @@ tests:
       - equal:
           path: spec.template.spec.topologySpreadConstraints[0].topologyKey
           value: topology.kubernetes.io/zone
+
+  - it: app topologySpreadConstraints do not leak onto realtime pod
+    template: deployment-realtime.yaml
+    set:
+      <<: *defaults
+      app.topologySpreadConstraints:
+        - maxSkew: 1
+          topologyKey: topology.kubernetes.io/zone
+          whenUnsatisfiable: ScheduleAnyway
+          labelSelector:
+            matchLabels:
+              app.kubernetes.io/name: sim
+    asserts:
+      - isNull:
+          path: spec.template.spec.topologySpreadConstraints
diff --git a/helm/sim/values.yaml b/helm/sim/values.yaml
@@ -41,6 +41,10 @@ app:
   # Node selector for pod scheduling (leave empty to allow scheduling on any node)
   nodeSelector: {}
 
+  # Topology spread constraints for app pods (HA across zones / nodes).
+  # Each entry must include its own labelSelector.
+  topologySpreadConstraints: []
+
   # Pod security context
   podSecurityContext:
     fsGroup: 1001
@@ -409,11 +413,15 @@ realtime:
   
   # Node selector for pod scheduling (leave empty to allow scheduling on any node)
   nodeSelector: {}
-  
+
+  # Topology spread constraints for realtime pods (HA across zones / nodes).
+  # Each entry must include its own labelSelector.
+  topologySpreadConstraints: []
+
   # Pod security context
   podSecurityContext:
     fsGroup: 1001
-  
+
   # Container security context
   securityContext:
     runAsNonRoot: true
@@ -1051,19 +1059,6 @@ affinity: {}
 # Tolerations for scheduling on tainted nodes
 tolerations: []
 
-# Topology spread constraints — for HA across zones / nodes.
-# Each entry must include its own labelSelector. Common pattern:
-#
-#   topologySpreadConstraints:
-#     - maxSkew: 1
-#       topologyKey: topology.kubernetes.io/zone
-#       whenUnsatisfiable: ScheduleAnyway
-#       labelSelector:
-#         matchLabels:
-#           app.kubernetes.io/name: sim
-#           app.kubernetes.io/instance: my-release
-topologySpreadConstraints: []
-
 # CronJob configuration for scheduled tasks
 cronjobs:
   # Enable/disable all cron jobs
