CP-33495: make sure labels/annotations are configurable for all resources (#486)

* CP-33495: add configurable labels and annotations for config-loader and helmless jobs

Allow users to set custom labels and annotations on the config-loader and helmless
Job resources via values.yaml. These component-specific settings are merged with
defaults.labels and defaults.annotations, with component-specific values taking
precedence.

Changes:

- Add components.miscellaneous.configLoader.labels field
- Add components.miscellaneous.configLoader.annotations field
- Add components.miscellaneous.helmless.labels field
- Add components.miscellaneous.helmless.annotations field
- Update config-loader-job.yaml template to merge annotations/labels
- Update helmless-job.yaml template to merge annotations/labels
- Add schema validation for new fields in values.schema.yaml
- Add comprehensive Helm unittest coverage (24 new test cases)
- Add schema validation tests (8 test files: 4 pass, 4 fail cases)

Breaking Change:

This commit changes the app.kubernetes.io/component label for these jobs to
provide clearer resource identification:
- config-loader Job: "webhook-server" → "config-loader"
- config-loader Pod: "<hash>" → "config-loader"
- helmless Job: (none) → "helmless"
- helmless Pod: (none) → "helmless"

The previous behavior was inconsistent (Job used "webhook-server", Pod used a
hash of the job name). The new behavior provides consistent, meaningful component
labels that accurately reflect the actual component identity

Testing:

- All existing tests pass
- New Helm unittests verify label/annotation merging behavior
- New Helm unittests verify component-specific overrides
- New Helm unittests verify empty/null handling
- Schema tests verify correct type validation
- Schema tests verify invalid inputs are rejected

Documentation:

- Added inline comments in values.yaml for new fields
- Added descriptions in values.schema.yaml

* Ensure all Helm resources inherit defaults.labels and defaults.annotations

Fixed PodDisruptionBudgets, aggregator-service, and webhook-serviceaccount
templates to properly inherit defaults.labels and defaults.annotations.

Modified templates:
- helm/templates/_helpers.tpl: Updated generatePodDisruptionBudget helper to accept componentName parameter and use generateLabels/generateAnnotations
- helm/templates/agent-pdb.yaml: Pass componentName to helper
- helm/templates/aggregator-pdb.yaml: Pass componentName to helper
- helm/templates/webhook-pdb.yaml: Pass componentName to helper
- helm/templates/aggregator-service.yaml: Added generateAnnotations call
- helm/templates/webhook-serviceaccount.yaml: Added generateAnnotations call

When implementing configurable labels/annotations for config-loader and helmless
jobs, created a comprehensive test that validates all resources inherit
defaults.labels and defaults.annotations. The test revealed PDBs and two other
templates were not inheriting defaults, causing inconsistent metadata across
deployed resources.

New test helm/tests/defaults_labels_annotations_all_resources_test.yaml validates
28 templates properly inherit defaults by setting sentinel values (foo: "bar") and
verifying they appear in all resource metadata. Test enables optional features
(federation, webhook, persistentVolume) to render conditional templates.

Author: evan-cz

app/functions/helmless/default-values.yaml

@@ -293,6 +293,14 @@ components:
       # For details, see the Kubernetes documentation on security contexts:
       # https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
       securityContext: {}
+      # Annotations to add to the config loader job.
+      #
+      # These annotations are merged with defaults.annotations.
+      annotations: {}
+      # Labels to add to the config loader job.
+      #
+      # These labels are merged with defaults.labels.
+      labels: {}
     # The helmless job component generates configuration without Helm.
     helmless:
       # Resource requirements and limits for the helmless job component.
@@ -311,6 +319,14 @@ components:
       # For details, see the Kubernetes documentation on security contexts:
       # https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
       securityContext: {}
+      # Annotations to add to the helmless job.
+      #
+      # These annotations are merged with defaults.annotations.
+      annotations: {}
+      # Labels to add to the helmless job.
+      #
+      # These labels are merged with defaults.labels.
+      labels: {}
     # The init cert job component initializes TLS certificates.
     initCert:
       # Resource requirements and limits for the init cert job component.

helm/templates/_helpers.tpl

@@ -912,6 +912,8 @@ kind: PodDisruptionBudget
 metadata:
   name: {{ .name }}
   namespace: {{ .root.Release.Namespace }}
+  {{- include "cloudzero-agent.generateLabels" (dict "globals" .root "component" .componentName) | nindent 2 }}
+  {{- include "cloudzero-agent.generateAnnotations" .root.Values.defaults.annotations | nindent 2 }}
 spec:
   {{- if $pdb.minAvailable }}
   {{- if lt $replicas (int $pdb.minAvailable) -}}

helm/templates/agent-pdb.yaml

@@ -1,5 +1,6 @@
 {{ include "cloudzero-agent.generatePodDisruptionBudget" (dict
     "component" .Values.components.agent
+    "componentName" .Values.server.name
     "name" (include "cloudzero-agent.server.fullname" .)
     "matchLabels" (include "cloudzero-agent.server.matchLabels" .)
     "root" .

helm/templates/aggregator-pdb.yaml

@@ -1,5 +1,6 @@
 {{ include "cloudzero-agent.generatePodDisruptionBudget" (dict
     "component" .Values.components.aggregator
+    "componentName" "aggregator"
     "name" (include "cloudzero-agent.aggregator.name" .)
     "matchLabels" (include "cloudzero-agent.aggregator.matchLabels" .)
     "root" .

helm/templates/aggregator-service.yaml

@@ -5,6 +5,7 @@ metadata:
   name: {{ include "cloudzero-agent.aggregator.name" . }}
   labels:
     {{- include "cloudzero-agent.aggregator.labels" . | nindent 4 }}
+  {{- include "cloudzero-agent.generateAnnotations" .Values.defaults.annotations | nindent 2 }}
 spec:
   selector:
     {{- include "cloudzero-agent.aggregator.matchLabels" . | nindent 4 }}

helm/templates/config-loader-job.yaml

@@ -4,19 +4,21 @@ metadata:
   name: {{ include "cloudzero-agent.configLoaderJobName" . }}
   namespace: {{ .Release.Namespace }}
   {{- include "cloudzero-agent.generateAnnotations" (merge
-      (deepCopy .Values.defaults.annotations)
       (dict "checksum/values" (include "cloudzero-agent.configurationChecksum" .))
+      (.Values.components.miscellaneous.configLoader.annotations | default (dict))
+      (deepCopy .Values.defaults.annotations)
     ) | nindent 2 }}
-  labels:
-    {{- include "cloudzero-agent.insightsController.labels" . | nindent 4 }}
+  {{- include "cloudzero-agent.generateLabels" (dict "globals" . "component" "config-loader" "labels" .Values.components.miscellaneous.configLoader.labels) | nindent 2 }}
 spec:
   template:
     metadata:
       name: {{ include "cloudzero-agent.configLoaderJobName" . }}
       namespace: {{ .Release.Namespace }}
-      labels:
-        {{- include "cloudzero-agent.insightsController.validatorJob.matchLabels" . | nindent 8 }}
-      {{- include "cloudzero-agent.generateAnnotations" .Values.defaults.annotations | nindent 6 }}
+      {{- include "cloudzero-agent.generateLabels" (dict "globals" . "component" "config-loader" "labels" .Values.components.miscellaneous.configLoader.labels) | nindent 6 }}
+      {{- include "cloudzero-agent.generateAnnotations" (merge
+          (.Values.components.miscellaneous.configLoader.annotations | default (dict))
+          (deepCopy .Values.defaults.annotations)
+        ) | nindent 6 }}
     spec:
       {{- include "cloudzero-agent.generateImagePullSecrets" (dict "root" . "image" .Values.validator.image) | nindent 6 }}
       serviceAccountName: {{ include "cloudzero-agent.serviceAccountName" . }}

helm/templates/helmless-job.yaml

@@ -3,15 +3,21 @@ kind: Job
 metadata:
   name: {{ include "cloudzero-agent.helmlessJobName" . }}
   namespace: {{ .Release.Namespace }}
-  {{- include "cloudzero-agent.generateAnnotations" .Values.defaults.annotations | nindent 2 }}
-  {{- include "cloudzero-agent.generateLabels" (dict "globals" . "component" "helmless") | nindent 2 }}
+  {{- include "cloudzero-agent.generateAnnotations" (merge
+      (.Values.components.miscellaneous.helmless.annotations | default (dict))
+      (deepCopy .Values.defaults.annotations)
+    ) | nindent 2 }}
+  {{- include "cloudzero-agent.generateLabels" (dict "globals" . "component" "helmless" "labels" .Values.components.miscellaneous.helmless.labels) | nindent 2 }}
 spec:
   template:
     metadata:
       name: {{ include "cloudzero-agent.helmlessJobName" . }}
       namespace: {{ .Release.Namespace }}
-      {{- include "cloudzero-agent.generateLabels" (dict "globals" . "component" "helmless") | nindent 6 }}
-      {{- include "cloudzero-agent.generateAnnotations" .Values.defaults.annotations | nindent 6 }}
+      {{- include "cloudzero-agent.generateLabels" (dict "globals" . "component" "helmless" "labels" .Values.components.miscellaneous.helmless.labels) | nindent 6 }}
+      {{- include "cloudzero-agent.generateAnnotations" (merge
+          (.Values.components.miscellaneous.helmless.annotations | default (dict))
+          (deepCopy .Values.defaults.annotations)
+        ) | nindent 6 }}
     spec:
       restartPolicy: OnFailure
       {{- include "cloudzero-agent.generateImagePullSecrets" (dict "root" . "image" .Values.components.agent.image) | nindent 6 }}

helm/templates/webhook-pdb.yaml

@@ -1,5 +1,6 @@
 {{ include "cloudzero-agent.generatePodDisruptionBudget" (dict
     "component" .Values.components.webhookServer
+    "componentName" .Values.insightsController.server.name
     "name" (include "cloudzero-agent.insightsController.deploymentName" .)
     "matchLabels" (include "cloudzero-agent.insightsController.server.matchLabels" .)
     "replicas" (.Values.insightsController.server.replicaCount | default .Values.components.webhookServer.replicas)

helm/templates/webhook-serviceaccount.yaml

@@ -4,6 +4,7 @@ kind: ServiceAccount
 metadata:
   labels:
     {{- include "cloudzero-agent.insightsController.labels" . | nindent 4 }}
+  {{- include "cloudzero-agent.generateAnnotations" .Values.defaults.annotations | nindent 2 }}
   name: {{ template "cloudzero-agent.initCertJob.serviceAccountName" . }}
   namespace: {{ include "cloudzero-agent.namespace" . }}
 {{- end }}

helm/tests/config_loader_job_labels_annotations_test.yaml

@@ -0,0 +1,207 @@
+suite: test config-loader job labels and annotations
+templates:
+  - templates/config-loader-job.yaml
+tests:
+  # Test default labels are applied
+  - it: should apply default labels to Job metadata
+    set:
+      defaults.labels:
+        custom-label: "default-value"
+        team: "platform"
+    asserts:
+      - equal:
+          path: metadata.labels["custom-label"]
+          value: "default-value"
+      - equal:
+          path: metadata.labels["team"]
+          value: "platform"
+
+  # Test default labels are applied to Pod template
+  - it: should apply default labels to Pod template metadata
+    set:
+      defaults.labels:
+        custom-label: "default-value"
+        team: "platform"
+    asserts:
+      - equal:
+          path: spec.template.metadata.labels["custom-label"]
+          value: "default-value"
+      - equal:
+          path: spec.template.metadata.labels["team"]
+          value: "platform"
+
+  # Test component-specific labels override defaults
+  - it: should merge component-specific labels with defaults on Job metadata
+    set:
+      defaults.labels:
+        custom-label: "default-value"
+        team: "platform"
+      components.miscellaneous.configLoader.labels:
+        custom-label: "overridden-value"
+        environment: "production"
+    asserts:
+      - equal:
+          path: metadata.labels["custom-label"]
+          value: "overridden-value"
+      - equal:
+          path: metadata.labels["team"]
+          value: "platform"
+      - equal:
+          path: metadata.labels["environment"]
+          value: "production"
+
+  # Test component-specific labels override defaults on Pod template
+  - it: should merge component-specific labels with defaults on Pod template metadata
+    set:
+      defaults.labels:
+        custom-label: "default-value"
+        team: "platform"
+      components.miscellaneous.configLoader.labels:
+        custom-label: "overridden-value"
+        environment: "production"
+    asserts:
+      - equal:
+          path: spec.template.metadata.labels["custom-label"]
+          value: "overridden-value"
+      - equal:
+          path: spec.template.metadata.labels["team"]
+          value: "platform"
+      - equal:
+          path: spec.template.metadata.labels["environment"]
+          value: "production"
+
+  # Test default annotations are applied
+  - it: should apply default annotations to Job metadata
+    set:
+      defaults.annotations:
+        prometheus.io/scrape: "true"
+        monitoring.io/alert: "critical"
+    asserts:
+      - equal:
+          path: metadata.annotations["prometheus.io/scrape"]
+          value: "true"
+      - equal:
+          path: metadata.annotations["monitoring.io/alert"]
+          value: "critical"
+
+  # Test default annotations are applied to Pod template
+  - it: should apply default annotations to Pod template metadata
+    set:
+      defaults.annotations:
+        prometheus.io/scrape: "true"
+        monitoring.io/alert: "critical"
+    asserts:
+      - equal:
+          path: spec.template.metadata.annotations["prometheus.io/scrape"]
+          value: "true"
+      - equal:
+          path: spec.template.metadata.annotations["monitoring.io/alert"]
+          value: "critical"
+
+  # Test component-specific annotations override defaults
+  - it: should merge component-specific annotations with defaults on Job metadata
+    set:
+      defaults.annotations:
+        prometheus.io/scrape: "true"
+        monitoring.io/alert: "critical"
+      components.miscellaneous.configLoader.annotations:
+        prometheus.io/scrape: "false"
+        custom.io/annotation: "value"
+    asserts:
+      - equal:
+          path: metadata.annotations["prometheus.io/scrape"]
+          value: "false"
+      - equal:
+          path: metadata.annotations["monitoring.io/alert"]
+          value: "critical"
+      - equal:
+          path: metadata.annotations["custom.io/annotation"]
+          value: "value"
+
+  # Test component-specific annotations override defaults on Pod template
+  - it: should merge component-specific annotations with defaults on Pod template metadata
+    set:
+      defaults.annotations:
+        prometheus.io/scrape: "true"
+        monitoring.io/alert: "critical"
+      components.miscellaneous.configLoader.annotations:
+        prometheus.io/scrape: "false"
+        custom.io/annotation: "value"
+    asserts:
+      - equal:
+          path: spec.template.metadata.annotations["prometheus.io/scrape"]
+          value: "false"
+      - equal:
+          path: spec.template.metadata.annotations["monitoring.io/alert"]
+          value: "critical"
+      - equal:
+          path: spec.template.metadata.annotations["custom.io/annotation"]
+          value: "value"
+
+  # Test empty labels and annotations
+  - it: should work with empty labels and annotations
+    set:
+      defaults.labels: {}
+      defaults.annotations: {}
+      components.miscellaneous.configLoader.labels: {}
+      components.miscellaneous.configLoader.annotations: {}
+    asserts:
+      - isKind:
+          of: Job
+
+  # Test only component-specific labels without defaults
+  - it: should apply only component-specific labels when defaults are empty
+    set:
+      defaults.labels: {}
+      components.miscellaneous.configLoader.labels:
+        component-label: "config-loader"
+        version: "1.0"
+    asserts:
+      - equal:
+          path: metadata.labels["component-label"]
+          value: "config-loader"
+      - equal:
+          path: metadata.labels["version"]
+          value: "1.0"
+
+  # Test only component-specific annotations without defaults
+  - it: should apply only component-specific annotations when defaults are empty
+    set:
+      defaults.annotations: {}
+      components.miscellaneous.configLoader.annotations:
+        component-annotation: "config-loader"
+        build: "12345"
+    asserts:
+      - equal:
+          path: metadata.annotations["component-annotation"]
+          value: "config-loader"
+      - equal:
+          path: metadata.annotations["build"]
+          value: "12345"
+
+  # Test checksum annotation is preserved
+  - it: should preserve checksum annotation along with custom annotations
+    set:
+      defaults.annotations:
+        custom: "value"
+      components.miscellaneous.configLoader.annotations:
+        another: "annotation"
+    asserts:
+      - isNotEmpty:
+          path: metadata.annotations["checksum/values"]
+      - equal:
+          path: metadata.annotations["custom"]
+          value: "value"
+      - equal:
+          path: metadata.annotations["another"]
+          value: "annotation"
+
+  # Test app.kubernetes.io/component label is set correctly
+  - it: should set app.kubernetes.io/component label to config-loader
+    asserts:
+      - equal:
+          path: metadata.labels["app.kubernetes.io/component"]
+          value: "config-loader"
+      - equal:
+          path: spec.template.metadata.labels["app.kubernetes.io/component"]
+          value: "config-loader"