Cloudzero · evan-cz · Dec 18, 2025
@@ -1122,6 +1122,12 @@ Example usage:
 {{/*
 Generate imagePullSecrets block
 Accepts a dictionary with "root" (the top-level chart context) and "image" (the component's image configuration object)
+
+Fallback chain:
+1. Component-specific: .image.pullSecrets
+2. Defaults: .root.Values.defaults.image.pullSecrets
+3. Deprecated root-level: .root.Values.imagePullSecrets
+
 Example usage:
 {{- include "cloudzero-agent.generateImagePullSecrets" (dict
       "root" .
@@ -1131,7 +1137,7 @@ Example usage:
 {{- define "cloudzero-agent.generateImagePullSecrets" -}}
 {{- include "cloudzero-agent.maybeGenerateSection" (dict
       "name" "imagePullSecrets"
-      "value" (.image.pullSecrets | default .root.Values.defaults.image.pullSecrets)
+      "value" (.image.pullSecrets | default .root.Values.defaults.image.pullSecrets | default .root.Values.imagePullSecrets)
     ) -}}
 {{- end -}}
 

@@ -187,7 +187,7 @@ spec:
           (.Values.components.agent.federatedNode.securityContext | default (dict))
         ) | nindent 6 }}
       {{- include "cloudzero-agent.generateDNSInfo" (dict "defaults" .Values.defaults.dns) | nindent 6 }}
-      {{- include "cloudzero-agent.server.imagePullSecrets" . | nindent 6 -}}
+      {{- include "cloudzero-agent.generateImagePullSecrets" (dict "root" . "image" .Values.components.prometheus.image) | nindent 6 }}
       {{- include "cloudzero-agent.generateNodeSelector" (dict "default" .Values.defaults.nodeSelector "nodeSelector" .Values.server.nodeSelector) | nindent 6 }}
       {{- include "cloudzero-agent.generateTolerations" (concat .Values.defaults.tolerations .Values.server.tolerations) | nindent 6 }}
       {{- include "cloudzero-agent.generateAffinity" (dict "default" .Values.defaults.affinity "affinity" .Values.server.affinity) | nindent 6 }}

@@ -307,7 +307,7 @@ spec:
           (.Values.components.agent.securityContext | default (dict))
         ) | nindent 6 }}
       {{- include "cloudzero-agent.generateDNSInfo" (dict "defaults" .Values.defaults.dns) | nindent 6 }}
-      {{- include "cloudzero-agent.server.imagePullSecrets" . | nindent 6 -}}
+      {{- include "cloudzero-agent.generateImagePullSecrets" (dict "root" . "image" .Values.components.prometheus.image) | nindent 6 }}
       {{- include "cloudzero-agent.generateNodeSelector" (dict "default" .Values.defaults.nodeSelector "nodeSelector" .Values.server.nodeSelector) | nindent 6 }}
       {{- include "cloudzero-agent.generateTolerations" (concat .Values.defaults.tolerations .Values.server.tolerations) | nindent 6 }}
       {{- include "cloudzero-agent.generateAffinity" (dict "default" .Values.defaults.affinity "affinity" .Values.server.affinity) | nindent 6 }}

@@ -156,7 +156,7 @@ spec:
           (.Values.components.aggregator.securityContext | default (dict))
         ) | nindent 6 }}
       {{- include "cloudzero-agent.generateDNSInfo" (dict "defaults" .Values.defaults.dns) | nindent 6 }}
-      {{- include "cloudzero-agent.server.imagePullSecrets" . | nindent 6 -}}
+      {{- include "cloudzero-agent.generateImagePullSecrets" (dict "root" . "image" .Values.components.agent.image) | nindent 6 }}
       {{- include "cloudzero-agent.generateNodeSelector" (dict "default" .Values.defaults.nodeSelector "nodeSelector" .Values.aggregator.nodeSelector) | nindent 6 }}
       {{- include "cloudzero-agent.generateAffinity" (dict "default" .Values.defaults.affinity) | nindent 6 }}
       {{- include "cloudzero-agent.generateTolerations" (concat .Values.defaults.tolerations) | nindent 6 }}

@@ -3,8 +3,15 @@ kind: Service
 metadata:
   namespace: {{ .Release.Namespace }}
   name: {{ include "cloudzero-agent.aggregator.name" . }}
-  labels:
-    {{- include "cloudzero-agent.aggregator.labels" . | nindent 4 }}
+  {{- include "cloudzero-agent.generateLabels" (dict
+      "root" .
+      "name" "aggregator"
+      "labels" (list
+        .Values.defaults.labels
+        .Values.commonMetaLabels
+        .Values.components.aggregator.labels
+      )
+    ) | nindent 2 }}
   {{- include "cloudzero-agent.generateAnnotations" (dict
       "root" .
       "annotations" (list

@@ -119,7 +119,7 @@ spec:
           serviceAccountName: {{ include "cloudzero-agent.serviceAccountName" $ }}
           restartPolicy: OnFailure
           {{- include "cloudzero-agent.generateDNSInfo" (dict "defaults" $.Values.defaults.dns) | nindent 10 }}
-          {{- include  "cloudzero-agent.initBackfillJob.imagePullSecrets" $ | nindent 10 }}
+          {{- include "cloudzero-agent.generateImagePullSecrets" (dict "root" $ "image" $.Values.components.agent.image) | nindent 10 }}
           {{- include "cloudzero-agent.generatePriorityClassName" $.Values.defaults.priorityClassName | nindent 10 }}
           {{- include "cloudzero-agent.generatePodSecurityContext" (mergeOverwrite
               ($.Values.defaults.securityContext | default (dict))

@@ -51,7 +51,7 @@ spec:
       serviceAccountName: {{ include "cloudzero-agent.initCertJob.serviceAccountName" . }}
       restartPolicy: Never
       {{- include "cloudzero-agent.generateDNSInfo" (dict "defaults" .Values.defaults.dns) | nindent 6 }}
-      {{- include  "cloudzero-agent.initCertJob.imagePullSecrets" . | nindent 6 }}
+      {{- include "cloudzero-agent.generateImagePullSecrets" (dict "root" . "image" .Values.components.agent.image) | nindent 6 }}
       {{- include "cloudzero-agent.generatePriorityClassName" .Values.defaults.priorityClassName | nindent 6 }}
       {{- include "cloudzero-agent.generatePodSecurityContext" (mergeOverwrite
           (.Values.defaults.securityContext | default (dict))

@@ -83,7 +83,7 @@ spec:
         ) | nindent 6 }}
     spec:
       serviceAccountName: {{ include "cloudzero-agent.serviceAccountName" . }}
-      {{- include "cloudzero-agent.insightsController.server.imagePullSecrets" . | nindent 6 }}
+      {{- include "cloudzero-agent.generateImagePullSecrets" (dict "root" . "image" .Values.components.agent.image) | nindent 6 }}
       {{- include "cloudzero-agent.generatePodSecurityContext" (mergeOverwrite
             (.Values.defaults.securityContext | default (dict))
             (.Values.components.webhookServer.securityContext | default (dict))

@@ -1,35 +1,12 @@
-suite: test config-loader job labels and annotations
+# Test config-loader job label/annotation merge and override behavior
+#
+# This file tests that component-specific labels/annotations properly merge with
+# and override defaults. For basic "defaults apply" tests, see defaults_job_test.yaml
+# and defaults_labels_annotations_all_resources_test.yaml.
+suite: test config-loader job labels and annotations merge behavior
 templates:
   - templates/config-loader-job.yaml
 tests:
-  # Test default labels are applied
-  - it: should apply default labels to Job metadata
-    set:
-      defaults.labels:
-        custom-label: "default-value"
-        team: "platform"
-    asserts:
-      - equal:
-          path: metadata.labels["custom-label"]
-          value: "default-value"
-      - equal:
-          path: metadata.labels["team"]
-          value: "platform"
-
-  # Test default labels are applied to Pod template
-  - it: should apply default labels to Pod template metadata
-    set:
-      defaults.labels:
-        custom-label: "default-value"
-        team: "platform"
-    asserts:
-      - equal:
-          path: spec.template.metadata.labels["custom-label"]
-          value: "default-value"
-      - equal:
-          path: spec.template.metadata.labels["team"]
-          value: "platform"
-
   # Test component-specific labels override defaults
   - it: should merge component-specific labels with defaults on Job metadata
     set:
@@ -70,34 +47,6 @@ tests:
           path: spec.template.metadata.labels["environment"]
           value: "production"
 
-  # Test default annotations are applied
-  - it: should apply default annotations to Job metadata
-    set:
-      defaults.annotations:
-        prometheus.io/scrape: "true"
-        monitoring.io/alert: "critical"
-    asserts:
-      - equal:
-          path: metadata.annotations["prometheus.io/scrape"]
-          value: "true"
-      - equal:
-          path: metadata.annotations["monitoring.io/alert"]
-          value: "critical"
-
-  # Test default annotations are applied to Pod template
-  - it: should apply default annotations to Pod template metadata
-    set:
-      defaults.annotations:
-        prometheus.io/scrape: "true"
-        monitoring.io/alert: "critical"
-    asserts:
-      - equal:
-          path: spec.template.metadata.annotations["prometheus.io/scrape"]
-          value: "true"
-      - equal:
-          path: spec.template.metadata.annotations["monitoring.io/alert"]
-          value: "critical"
-
   # Test component-specific annotations override defaults
   - it: should merge component-specific annotations with defaults on Job metadata
     set:

@@ -0,0 +1,41 @@
+# Test defaults.* properties for Certificate resources
+#
+# This test validates that Certificate resources properly inherit
+# defaults.labels and defaults.annotations from the chart's defaults section.
+#
+# Certificates only support metadata-level defaults (labels and annotations).
+# PodSpec defaults (affinity, tolerations, etc.) do not apply to Certificates.
+#
+# Templates tested:
+# - webhook-certificate.yaml (only renders when insightsController.tls.useCertManager is true)
+suite: defaults.* properties apply to Certificate resources
+templates:
+  - webhook-certificate.yaml
+tests:
+  # ============================================================================
+  # defaults.labels tests (resource metadata)
+  # ============================================================================
+  - it: should apply defaults.labels to Certificate metadata
+    set:
+      defaults.labels:
+        test-defaults-label: sentinel-value-label
+      insightsController.enabled: true
+      insightsController.tls.useCertManager: true
+    asserts:
+      - equal:
+          path: metadata.labels.test-defaults-label
+          value: sentinel-value-label
+
+  # ============================================================================
+  # defaults.annotations tests (resource metadata)
+  # ============================================================================
+  - it: should apply defaults.annotations to Certificate metadata
+    set:
+      defaults.annotations:
+        test-defaults-annotation: sentinel-value-annotation
+      insightsController.enabled: true
+      insightsController.tls.useCertManager: true
+    asserts:
+      - equal:
+          path: metadata.annotations.test-defaults-annotation
+          value: sentinel-value-annotation
@@ -0,0 +1,101 @@
+# Test defaults.* properties for ClusterRole resources
+#
+# This test validates that ClusterRole resources properly inherit
+# defaults.labels and defaults.annotations from the chart's defaults section.
+#
+# ClusterRoles only support metadata-level defaults (labels and annotations).
+# PodSpec defaults (affinity, tolerations, etc.) do not apply to ClusterRoles.
+#
+# Templates tested:
+# - agent-clusterrole.yaml
+# - init-cert-clusterrole.yaml
+suite: defaults.* properties apply to ClusterRole resources
+templates:
+  - agent-clusterrole.yaml
+  - init-cert-clusterrole.yaml
+tests:
+  # ============================================================================
+  # defaults.labels tests (resource metadata)
+  # ============================================================================
+  - it: should apply defaults.labels to all ClusterRole metadata
+    documentSelector:
+      matchMany: true
+      path: kind
+      skipEmptyTemplates: true
+      value: ClusterRole
+    set:
+      defaults.labels:
+        test-defaults-label: sentinel-value-label
+      rbac.create: true
+      initCertJob.enabled: true
+      initCertJob.rbac.create: true
+    asserts:
+      - equal:
+          path: metadata.labels.test-defaults-label
+          value: sentinel-value-label
+
+  - it: should apply defaults.labels to agent-clusterrole metadata
+    template: agent-clusterrole.yaml
+    set:
+      defaults.labels:
+        test-defaults-label: sentinel-value-label
+      rbac.create: true
+    asserts:
+      - equal:
+          path: metadata.labels.test-defaults-label
+          value: sentinel-value-label
+
+  - it: should apply defaults.labels to init-cert-clusterrole metadata
+    template: init-cert-clusterrole.yaml
+    set:
+      defaults.labels:
+        test-defaults-label: sentinel-value-label
+      initCertJob.enabled: true
+      initCertJob.rbac.create: true
+    asserts:
+      - equal:
+          path: metadata.labels.test-defaults-label
+          value: sentinel-value-label
+
+  # ============================================================================
+  # defaults.annotations tests (resource metadata)
+  # ============================================================================
+  - it: should apply defaults.annotations to all ClusterRole metadata
+    documentSelector:
+      matchMany: true
+      path: kind
+      skipEmptyTemplates: true
+      value: ClusterRole
+    set:
+      defaults.annotations:
+        test-defaults-annotation: sentinel-value-annotation
+      rbac.create: true
+      initCertJob.enabled: true
+      initCertJob.rbac.create: true
+    asserts:
+      - equal:
+          path: metadata.annotations.test-defaults-annotation
+          value: sentinel-value-annotation
+
+  - it: should apply defaults.annotations to agent-clusterrole metadata
+    template: agent-clusterrole.yaml
+    set:
+      defaults.annotations:
+        test-defaults-annotation: sentinel-value-annotation
+      rbac.create: true
+    asserts:
+      - equal:
+          path: metadata.annotations.test-defaults-annotation
+          value: sentinel-value-annotation
+
+  - it: should apply defaults.annotations to init-cert-clusterrole metadata
+    template: init-cert-clusterrole.yaml
+    set:
+      defaults.annotations:
+        test-defaults-annotation: sentinel-value-annotation
+      initCertJob.enabled: true
+      initCertJob.rbac.create: true
+    asserts:
+      - equal:
+          path: metadata.annotations.test-defaults-annotation
+          value: sentinel-value-annotation