fix(helm): allow cron pods through app NetworkPolicy

Cursor flagged that when networkPolicy.enabled=true and cronjobs.enabled=true
(the recommended production config), the app NetworkPolicy only allowed
ingress from realtime and the ingress controller — silently blocking every
cron pod's HTTP call to /api/schedules/execute, webhook polls, etc. All 13
default cronjobs would fail.

Tag cron pods with a stable simstudio.ai/component-group: cronjob label so
the app NetworkPolicy can allow them with a single rule (no per-job
enumeration). Rule is conditional on cronjobs.enabled. Adds positive and
negative regression tests.

Author: waleedlatif1

helm/sim/templates/cronjobs.yaml

@@ -29,6 +29,9 @@ spec:
           labels:
             {{- include "sim.selectorLabels" $ | nindent 12 }}
             app.kubernetes.io/component: cronjob-{{ $jobConfig.name }}
+            # Stable group label so NetworkPolicy can allow all cron pods → app
+            # without enumerating each job's component value.
+            simstudio.ai/component-group: cronjob
         spec:
           serviceAccountName: {{ include "sim.serviceAccountName" $ }}
           automountServiceAccountToken: false

helm/sim/templates/networkpolicy.yaml

@@ -26,6 +26,18 @@ spec:
     - protocol: TCP
       port: {{ .Values.app.service.targetPort }}
   {{- end }}
+  # Allow ingress from cron pods (every cron job curls /api/schedules/execute,
+  # webhook polls, etc. against the app service)
+  {{- if .Values.cronjobs.enabled }}
+  - from:
+    - podSelector:
+        matchLabels:
+          {{- include "sim.selectorLabels" . | nindent 10 }}
+          simstudio.ai/component-group: cronjob
+    ports:
+    - protocol: TCP
+      port: {{ .Values.app.service.targetPort }}
+  {{- end }}
   # Allow ingress from ingress controller (configurable peers; defaults to any)
   {{- if .Values.ingress.enabled }}
   - from:

helm/sim/tests/networkpolicy_test.yaml

@@ -29,7 +29,7 @@ tests:
     documentIndex: 0
     asserts:
       - equal:
-          path: spec.ingress[1].from
+          path: spec.ingress[2].from
           value:
             - {}
 
@@ -43,7 +43,7 @@ tests:
     documentIndex: 0
     asserts:
       - equal:
-          path: spec.ingress[1].from
+          path: spec.ingress[2].from
           value:
             - namespaceSelector:
                 matchLabels:
@@ -91,6 +91,43 @@ tests:
               - protocol: TCP
                 port: 4318
 
+  - it: app NetworkPolicy allows ingress from cron pods when cronjobs.enabled=true
+    set:
+      <<: *defaults
+    documentIndex: 0
+    asserts:
+      - contains:
+          path: spec.ingress
+          content:
+            from:
+              - podSelector:
+                  matchLabels:
+                    app.kubernetes.io/name: sim
+                    app.kubernetes.io/instance: t
+                    simstudio.ai/component-group: cronjob
+            ports:
+              - protocol: TCP
+                port: 3000
+
+  - it: cron→app ingress rule is omitted when cronjobs.enabled=false
+    set:
+      <<: *defaults
+      cronjobs.enabled: false
+    documentIndex: 0
+    asserts:
+      - notContains:
+          path: spec.ingress
+          content:
+            from:
+              - podSelector:
+                  matchLabels:
+                    app.kubernetes.io/name: sim
+                    app.kubernetes.io/instance: t
+                    simstudio.ai/component-group: cronjob
+            ports:
+              - protocol: TCP
+                port: 3000
+
   - it: egress.extraRules are appended to both app and realtime NetworkPolicies
     set:
       <<: *defaults