feat(test): Allow extension of test pod to allow matching local policy

[grimly]

Provides the ability to extends the definition of the connection test pod.

Description

The helm chart uses a pod to test its correct deployment.
There is no ability to extend the definition of this pod and therefore to make the pod match any policy in place.

Such policy preventing the test pod deployment might be (not exhaustive):

• Resource quota without ability to provide a default value with a limit range
• ValidatingWebhookConfiguration based constraints with products such as kyverno or OPA

Here is a working example of a configuration matching the resource quota constraint :

testContainerSpec:
  resources:
    limits:
      cpu: 1
      memory: 250M
    requests:
      cpu: 50m
      memory: 250M
testPodSpec:
  securityContext:
    runAsNonRoot: true
    runAsUser: 1000
    runAsGroup: 1000

References

This feature is documented by the value schemas.

Review Checklist

• I have clicked on "allow edits by maintainers".
• I have added documentation for new/changed functionality in this PR or in a PR to openfga.dev [Provide a link to any relevant PRs in the references section above]
• The correct base branch is being used, if not main
• I have added tests to validate that the change in functionality is working as expected

[whoisxx]

@grimly It could lead to unexpected security and deployment issues if we allow such broad configuration. Could you share the specific problem or challenge that led to this PR, so we can better understand the intent behind it?

[grimly]

Hello,

It is specifically security concerns that made me open this PR.

As it is without this PR merged, the test pod run as root while it doesn't need to.

It also lack resource allocation.

My company enforces quota and limit ranges without default values and uses a validating webhook to enforce running as non-root.

My goal was to provide configuration and not to apply limitations from my own experience to the rest of the community.

[whoisxx]

Right now, testContainerSpec seems too broad in scope, allowing arbitrary configurations for the test container.
Since the main goal is to adjust resource limits and security settings, wouldn't it make sense to replace testContainerSpec with explicit resources and securityContext fields like below?

            command: ["grpc_health_probe", '-addr={{ include "openfga.fullname" . }}:{{ (split ":" .Values.grpc.addr)._1 }}']
            {{- with .Values.test.resources }}
            resources:
              {{- toYaml . | nindent 8 }}
            {{- end }}
            {{- with .Values.test.securityContext }}
            securityContext:
              {{- toYaml . | nindent 8 }}
            {{- end }}

[rhamzeh]

Thanks @grimly!