chore(chart): Add missing tests for readinessProbe

[jcpunk]

Problem Statement

Various linters complain about ports that the container uses, but aren't defined. For example, the readiness port is set, but the port is not explicitly listed in the definition.

Related Issue

Fixes #...

Proposed Changes

All the ports used by the deployment should be explicitly defined to ensure traffic patterns are explicitly defined.

Format

Please ensure that your PR follows the following format for the title:

feat(scope): add new feature
fix(scope): fix bug
docs(scope): update documentation
chore(scope): update build tool or dependencies
ref(scope): refactor code
clean(scope): provider cleanup
test(scope): add tests
perf(scope): improve performance
desig(scope): improve design

Where scope is optionally one of:

• charts
• release
• testing
• security
• templating

Checklist

• I have read the contribution guidelines
• All commits are signed with git commit --signoff
• My changes have reasonable test coverage
• All tests pass with make test
• I ensured my PR is ready for review with make reviewable

Fix: Explicitly Define Container Ports in Helm Chart

Ensures all container ports referenced in readiness, liveness, and startup probes are explicitly declared in the port specifications for the cert-controller, controller, and webhook deployments.

Changes:

• cert-controller-deployment.yaml: Added explicit port definitions for metrics (8080), readiness probe (8081, configurable), and optional startup probe (8083, configurable)
• deployment.yaml: Added explicit port definitions for metrics (8080) and optional liveness probe port (configurable)
• webhook-deployment.yaml: Added explicit port definitions for metrics (8080), webhook (10250), and readiness probe (8081, configurable)
• Test files: Expanded test coverage to verify port definitions for readiness, liveness, and startup probes with proper name, protocol, and containerPort assertions

Rationale: Resolves linter warnings by explicitly declaring all ports used by the deployments, making traffic patterns clearly visible in the container specification.

[coderabbitai]

Walkthrough

This PR expands test coverage in the cert_controller_test.yaml file to verify container port configurations for various probe scenarios, including readiness probe port overrides, metrics port interactions, and startup probe enablement.

Changes

Cohort / File(s)

Change Summary

Test Coverage Expansion deploy/charts/external-secrets/tests/cert_controller_test.yaml

Added assertions for readiness probe port behavior when overridden (ports[1] with name "ready", protocol "TCP", containerPort 8082). Added verification for startup probe port behavior when enabled (ports[2] with name "startup", protocol "TCP", containerPort 8083). Added tests validating port interactions between metrics and readiness/startup probes, including assertions for non-existence of subsequent port entries.

Possibly related PRs

• chore(charts): define and use named ports for probes #5775: Directly related modification to cert_controller_test.yaml asserting probe-related container ports and named-port behavior for readiness and startup probes.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[Skarlso]

/ok-to-test sha=55282b9b31468eb2dd8a26b86730bd921b638e35

[eso-service-account-app]

[Bot] - ✅ e2e for 55282b9b31468eb2dd8a26b86730bd921b638e35 passed

[jcpunk]

I'll get to work on the tests.

The PR itself might need some reworking after #5775 (but since they are both my PRs it is easy for me to track them).

[jcpunk]

In theory I have tests that check for the changes under all the branches. In practice....

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

deploy/charts/external-secrets/tests/cert_controller_test.yaml (1)

103-111: Add assertion to verify no startup port exists.

For consistency with the test at lines 243-247, consider adding an assertion to verify that ports[2] doesn't exist when only the readiness port is overridden.

✨ Suggested addition

       - equal:
           path: spec.template.spec.containers[0].ports[1].containerPort
           value: 8082
+      - notExists:
+          path: spec.template.spec.containers[0].ports[2]

📜 Review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 55282b9 and a54f2f9.

📒 Files selected for processing (2)

• deploy/charts/external-secrets/templates/cert-controller-deployment.yaml
• deploy/charts/external-secrets/tests/cert_controller_test.yaml

🚧 Files skipped from review as they are similar to previous changes (1)

• deploy/charts/external-secrets/templates/cert-controller-deployment.yaml

🔇 Additional comments (2)

deploy/charts/external-secrets/tests/cert_controller_test.yaml (2)

243-247: Well-tested scenario for startup probe using readiness port.

The assertions correctly validate that when the startup probe uses the readiness port, only the readiness port entry exists and no separate startup port is created.

---

264-272: Comprehensive validation for custom startup port.

The assertions correctly validate all aspects of the startup port configuration when a custom port is specified.

[coderabbitai]

Actionable comments posted: 0

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

deploy/charts/external-secrets/tests/cert_controller_test.yaml (1)

94-113: These assertions are correct, but brittle due to hard-coded array indexes (args[7], ports[1], ports[2]).
Any re-ordering of args or ports will cause test failures even if the rendered manifests remain correct. Use array membership assertions instead:

• For args: contains with the scalar value "--healthz-addr=:8082"
• For ports: contains with an object matching {name: readiness, protocol: TCP, containerPort: 8082}
• For absence checks: replace notExists on ports[2] with notExists on ports[?(@.name=="startup")] to match by property rather than index

helm-unittest supports both contains assertions on arrays of scalars and objects, as well as JSONPath filters like [?(@.name=="startup")].

🧹 Nitpick comments (1)

deploy/charts/external-secrets/tests/cert_controller_test.yaml (1)

231-249: Startup-probe-enabled case: consider asserting the full readiness port object, not just ports[1].name.
Right now the test would still pass if ports[1] is named readiness but points at the wrong port/protocol.

📜 Review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between a54f2f9 and a7a65e2.

📒 Files selected for processing (2)

• deploy/charts/external-secrets/templates/cert-controller-deployment.yaml
• deploy/charts/external-secrets/tests/cert_controller_test.yaml

🚧 Files skipped from review as they are similar to previous changes (1)

• deploy/charts/external-secrets/templates/cert-controller-deployment.yaml

🔇 Additional comments (1)

deploy/charts/external-secrets/tests/cert_controller_test.yaml (1)

250-274: Verify numeric rendering when values are provided as strings (certController.startupProbe.port: "8083").
The test expects the rendered manifest to use numeric 8083 (good for k8s schema), which requires the template to cast to int; please double-check the deployment template is doing | int for all port fields it emits (containerPort + probe ports).

[jcpunk]

rebased off HEAD

[jcpunk]

#5775 included a lot of this code, so I've updated the patch to just include the missing tests.

[Skarlso]

Perfect. :)

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud