Add helm-unittest suites and CI for kafka-ui chart #68

Open: nickmaccarthy wants to merge 4 commits into kafbat:main from nickmaccarthy:add-helm-unittest-tests

nickmaccarthy commented Jun 17, 2026

What

Adds helm-unittest as a fast, cluster-free unit-testing harness for the kafka-ui chart, plus a CI job that runs it on every chart PR.

25 tests across 4 suites, covering the core templates:

| Suite | Template | Highlights |
|---|---|---|
| ingress_test.yaml | ingress.yaml | API version selection, TLS, ingressClassName, templated host |
| service_test.yaml | service.yaml | type/port, NodePort/LoadBalancer specifics, selector labels |
| deployment_test.yaml | deployment.yaml | replicas vs. autoscaling, image reference, probes, env wiring |
| notes_test.yaml | NOTES.txt | ClusterIP port-forward fallback |

A charts/kafka-ui/tests/README.md documents how to run the suites locally and the pattern for adding tests when new templates/features land.

Why

The suites render templates and assert on the resulting manifests in milliseconds, with no cluster required. They catch template regressions — missing fields, broken conditionals, failed fail/required guards — as red tests rather than red helm template renders in CI. The new unit-test job runs alongside the existing render/kubeconform job.

Run locally

helm plugin install https://github.com/helm-unittest/helm-unittest
helm unittest charts/kafka-ui

Notes for reviewers

  • Relationship to feat: Add HTTPRoute support for Gateway API #67: This is intentionally scoped to the templates already on main. A follow-up will add an httproute_test.yaml suite (including a failedTemplate case for the empty-parentRefs guard) once feat: Add HTTPRoute support for Gateway API #67 merges — that test reproduces and pins the exact guard behavior introduced there.
  • Version: bumped to 1.6.6 on the assumption feat: Add HTTPRoute support for Gateway API #67 (1.6.5) merges first. Happy to rebase if the ordering changes.
  • Minor finding (not addressed here): NOTES.txt renders the ingress URL from .Values.ingress.hosts[].paths (plural/list), but the chart's values.yaml uses ingress.host (singular). With standard values the ingress NOTES URL renders empty. Flagging for awareness; left out of this PR to avoid scope creep.

Summary by CodeRabbit

  • Chores
    • Updated the Kafka UI Helm chart version to 1.6.6
    • Added/updated pre-commit automation for Helm chart unit testing and regenerated chart configuration docs
  • Documentation
    • Documented new startup probe parameters (failureThreshold, periodSeconds, timeoutSeconds)
    • Added guidance for running and extending the Helm unit test suites
  • Tests
    • Added Helm unit tests for Deployment, Ingress, Service, and NOTES output behavior
    • Added a GitHub Actions job to run chart unit tests on pull requests affecting chart files in charts/** targeting main

Update: pre-commit config

Also adds a .pre-commit-config.yaml so contributors can run the same checks CI enforces, before pushing:

  • helm-unittest — runs the chart unit tests (matches the new unit-test job)
  • readme-generator-for-helm — regenerates CONFIGURATION.md from values.yaml @param metadata (matches the existing Update README from values.yaml metadata workflow, which otherwise auto-commits it)
  • hygiene — trailing-whitespace, end-of-file, merge-conflict, large-file and YAML checks (Helm templates excluded; hooks only act on staged files during a normal commit, so they won't churn unrelated files)
pre-commit install

While wiring up the readme-generator hook I noticed CONFIGURATION.md had drifted from values.yaml — the probes.startup.* parameters added in #64 were never regenerated. This PR brings it back in sync.

Introduce helm-unittest as a fast, cluster-free unit-testing harness for
the kafka-ui chart, plus a CI job that runs it on every chart PR.

Suites cover the core templates:
  - ingress.yaml    API version selection, TLS, ingressClassName, templated host
  - service.yaml    type/port, NodePort/LoadBalancer specifics, selector labels
  - deployment.yaml replicas vs. autoscaling, image reference, probes, env wiring
  - NOTES.txt       ClusterIP port-forward fallback

A tests/README.md documents how to run the suites and the pattern for
adding tests when new templates or features land.

The new `unit-test` job in .github/workflows/helm.yaml installs the
plugin and runs `helm unittest charts/kafka-ui`.
nickmaccarthy requested a review from a team as a code owner June 17, 2026 12:32

kapybro Bot commented Jun 17, 2026

AI Summary

The GitHub issue proposes adding Helm unit tests for the kafka-ui chart using helm-unittest, a fast, cluster-free testing framework. The new tests cover 25 cases across 4 suites, validating core templates like ingress, service, deployment, and NOTES.txt for regressions. The solution includes a CI job to run these tests alongside existing validation jobs, ensuring template correctness without requiring a Kubernetes cluster.

kapybro Bot changed the title from "test: add helm-unittest suites and CI for kafka-ui chart" to "Add helm-unittest suites and CI for kafka-ui chart" Jun 17, 2026
kapybro Bot added the area/ux, scope/frontend and type/enhancement labels Jun 17, 2026

coderabbitai Bot commented Jun 17, 2026

No actionable comments were generated in the recent review. 🎉

📥 Commits

Reviewing files that changed from the base of the PR and between 8779c36 and a6e110e.

📒 Files selected for processing (1)
  • .github/workflows/helm.yaml
🚧 Files skipped from review as they are similar to previous changes (1)
  • .github/workflows/helm.yaml

Walkthrough

Adds four helm-unittest test suites for the kafka-ui chart covering Deployment, Service, Ingress, and NOTES templates, along with a CI workflow job and pre-commit hooks to execute them. Chart version is bumped to 1.6.6, test documentation is provided, and configuration docs are updated to include startup probe parameters.

Changes

Helm Unit Test Infrastructure and Suites

| Layer | File(s) | Summary |
|---|---|---|
| CI job and pre-commit tooling setup | .github/workflows/helm.yaml, .pre-commit-config.yaml | Adds a unit-test GitHub Actions job that installs Helm, installs helm-unittest, and runs it against charts/kafka-ui on PRs targeting charts/**. Introduces .pre-commit-config.yaml with local hooks for helm-unittest execution, README generation from values, and standard hygiene checks with template-aware excludes. |
| Chart version bump and test documentation | charts/kafka-ui/Chart.yaml, charts/kafka-ui/tests/README.md | Chart version is bumped to 1.6.6. A README documents how to run test suites locally, the test-file-to-template mapping, guidelines for authoring new tests, and special handling for include templates and plain-text assertions in NOTES.txt. |
| Deployment template test suite | charts/kafka-ui/tests/deployment_test.yaml, charts/kafka-ui/CONFIGURATION.md | Covers Deployment kind/metadata identity, replica behavior with and without autoscaling, container image construction (registry, tag, global imageRegistry override), HTTP port, service account wiring, liveness/readiness/startup probes, env injection, and SPRING_CONFIG_ADDITIONAL-LOCATION when yamlApplicationConfig is set. Configuration docs are updated with startup probe parameter defaults. |
| Service and NOTES template test suites | charts/kafka-ui/tests/service_test.yaml, charts/kafka-ui/tests/notes_test.yaml | service_test.yaml asserts Service kind/name/namespace, default ClusterIP on port 80, conditional nodePort/loadBalancerIP per service.type, and selector label correctness. notes_test.yaml asserts the rendered NOTES output contains the port-forward pattern. |
| Ingress template test suite | charts/kafka-ui/tests/ingress_test.yaml | Verifies no documents render when ingress is disabled, produces a networking.k8s.io/v1 Ingress with correct metadata and default path routing, sets ingressClassName, renders TLS block, templates host from release name, and applies custom labels/annotations. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Possibly related PRs

  • kafbat/helm-charts#64: The added deployment_test.yaml asserts that the rendered Deployment includes a startupProbe, directly matching that PR's addition of startupProbe support in charts/kafka-ui/templates/deployment.yaml.
  • kafbat/helm-charts#65: Both PRs modify charts/kafka-ui/Chart.yaml to bump the chart version field (main bumps to 1.6.6, retrieved PR bumped to 1.6.4).

Poem

🐇 Hop hop, the tests are here at last,
Deployment, Service, Ingress — nothing past!
With helm unittest the charts are checked,
Pre-commit hooks keep quality in check.
The rabbit says: assert with glee,
Green suites for all eternity! 🌿

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately summarizes the main change: adding helm-unittest test suites and CI for the kafka-ui chart, which is the primary focus of this pull request. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |


coderabbitai Bot left a comment

Actionable comments posted: 4

🧹 Nitpick comments (1)
.github/workflows/helm.yaml (1)

10-21: ⚡ Quick win

Add explicit permissions block to follow least-privilege principle.

The job inherits default repository permissions, which may be broader than necessary. Explicitly declaring minimal permissions reduces the blast radius if the workflow is compromised.

🛡️ Recommended permissions block
   unit-test:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
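Review bot: the `permissions:` block on the `+` lines is declared inside the `unit-test` job, so every other job in this workflow file keeps the repository's default token permissions. If least privilege is the goal for the whole file, declare `permissions: contents: read` at the top level of the workflow and widen it per job only where a job needs more.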
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/helm.yaml around lines 10 - 21, The unit-test job is
missing an explicit permissions block, which means it inherits default
repository permissions that may be broader than necessary. Add a permissions
block at the job level (before the runs-on property) in the unit-test job to
explicitly declare minimal permissions. For this job that only performs read
operations (checkout and test execution), declare contents: read permission,
which is the minimum required to check out the repository and run the helm unit
tests on the charts/kafka-ui directory.

Source: Linters/SAST tools

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/helm.yaml:
- Line 13: The actions/checkout action is using version 3 which is deprecated
and has outdated runner infrastructure. Update the uses statement for
actions/checkout to use version 4 instead. Simply change the action reference
from `@v3` to `@v4` to use the current stable version with modern GitHub Actions
infrastructure support.
- Line 13: The actions/checkout@v3 step is missing security hardening. Add
`persist-credentials: false` as a parameter to the checkout action to prevent
GitHub credentials from being persisted in the workspace `.git/config` file,
which could expose sensitive credentials through artifacts or subsequent
workflow steps.
- Around line 13-15: The workflow file uses mutable tag references (`@v3`) for
GitHub Actions which creates supply chain security risks. Replace the mutable
tag references for actions/checkout and Azure/setup-helm with their
corresponding immutable commit SHA references. For each action, determine the
specific commit SHA for the intended version and replace the `@v3` syntax with
@<full-commit-sha> to ensure the workflow always uses the exact pinned version
regardless of any future changes to those tags.

In `@charts/kafka-ui/tests/deployment_test.yaml`:
- Around line 157-172: The environment variable name
SPRING_CONFIG_ADDITIONAL-LOCATION uses hyphens instead of the underscore format
that Spring Boot expects. Update this variable name to
SPRING_CONFIG_ADDITIONAL_LOCATION with underscores in both the test assertion in
this file (around the contains assertion path checking
spec.template.spec.containers[0].env) and in the corresponding deployment
template at charts/kafka-ui/templates/deployment.yaml to comply with Spring
Boot's documented environment variable naming convention.

📥 Commits

Reviewing files that changed from the base of the PR and between 8f38cec and 18a1546.

📒 Files selected for processing (7)
  • .github/workflows/helm.yaml
  • charts/kafka-ui/Chart.yaml
  • charts/kafka-ui/tests/README.md
  • charts/kafka-ui/tests/deployment_test.yaml
  • charts/kafka-ui/tests/ingress_test.yaml
  • charts/kafka-ui/tests/notes_test.yaml
  • charts/kafka-ui/tests/service_test.yaml

Comment thread .github/workflows/helm.yaml (outdated)

  unit-test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3

⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

Upgrade to actions/checkout@v4.

The actions/checkout@v3 action is deprecated and its runner is too old for current GitHub Actions infrastructure.

⬆️ Recommended upgrade
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
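Review bot: the `+` line still references a mutable tag (`@v4`) and sets no `persist-credentials: false`, so of the three tool findings reported for line 13 only the actionlint error is resolved; the zizmor `artipacked` and `unpinned-uses` findings would fire again on the new line. Fold the `with:` block into this same edit so the checkout step is changed once rather than across three separate suggestions.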
🧰 Tools
🪛 actionlint (1.7.12)

[error] 13-13: the runner of "actions/checkout@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)

🪛 zizmor (1.25.2)

[warning] 13-13: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)


[error] 13-13: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

Source: Linters/SAST tools


⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Add persist-credentials: false to prevent credential leakage.

Without this setting, the checkout action persists GitHub credentials in the workspace .git/config, which can be inadvertently exposed through artifacts or subsequent steps.

🔒 Recommended fix
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
+        with:
+          persist-credentials: false

Source: Linters/SAST tools

Comment thread .github/workflows/helm.yaml (outdated)
Comment on lines +13 to +15

      - uses: actions/checkout@v3
      - name: Helm tool installer
        uses: Azure/setup-helm@v3

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Pin action references to commit SHAs for supply-chain security.

Using mutable tag references (e.g., @v3, @v4) allows action maintainers to modify the code under those tags. Pinning to immutable SHAs prevents supply-chain attacks.

📌 Recommended pinning
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
       - name: Helm tool installer
-        uses: Azure/setup-helm@v3
+        uses: Azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0
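Review bot: both replacements change the major version as well as the pinning: the `-` lines are `@v3`, while the trailing comments on the `+` lines read `# v4.2.2` and `# v4.2.0`. Call the upgrade out separately from the pin (or pin the v3 line first), and confirm that each 40-character SHA resolves to the release named in its comment, because the comment is free text that the runner never checks.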

Note: Verify the SHA digests correspond to the intended action versions before applying.

🧰 Tools
🪛 actionlint (1.7.12)

[error] 13-13: the runner of "actions/checkout@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)

🪛 zizmor (1.25.2)

[warning] 13-13: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)


[error] 13-13: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)


[error] 15-15: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

Source: Linters/SAST tools

Comment thread charts/kafka-ui/tests/deployment_test.yaml
Add .pre-commit-config.yaml so contributors can run the same checks CI
enforces before pushing:

  - helm-unittest          runs the chart's unit tests (matches the
                           unit-test workflow job)
  - readme-generator       regenerates CONFIGURATION.md from values.yaml
                           @param metadata (matches the update-config-docs
                           workflow, which otherwise auto-commits it)
  - hygiene                trailing-whitespace, end-of-file, merge-conflict,
                           large-file and yaml checks (Helm templates excluded)

The readme-generator hook also brings CONFIGURATION.md back in sync: the
startup-probe parameters added in kafbat#64 had not been regenerated.

Install with: pre-commit install
@nickmaccarthy nickmaccarthy requested a review from a team as a code owner June 17, 2026 12:38
Address CodeRabbit feedback on the new unit-test job:
  - bump actions/checkout to v4 (v3 runner is deprecated)
  - add an explicit `permissions: contents: read` block

Scoped to the new job only; the pre-existing jobs are left untouched
to keep this PR additive.
nickmaccarthy (Author)

Thanks @coderabbitai — went through all four:

  • permissions block ✅ added permissions: contents: read to the unit-test job.
  • actions/checkout@v4 ✅ bumped on the unit-test job. Scoped to the new job only — the existing jobs in this workflow still use @v3, and modernizing those felt out of scope for a tests PR (happy to do a separate sweep if a maintainer wants it).
  • Pin actions to commit SHAs — skipping: nothing in this repo is SHA-pinned today, so pinning a single new job would be inconsistent. Better as a repo-wide policy change in its own PR.
  • SPRING_CONFIG_ADDITIONAL-LOCATION → underscore — skipping: this test deliberately asserts what templates/deployment.yaml:63 actually renders (the hyphenated name). The hyphen vs. underscore question is about the template, not the test, and changing chart behavior is out of scope here. Flagging it for maintainers as a separate consideration.

coderabbitai Bot commented Jun 17, 2026

@nickmaccarthy Thanks for the thorough follow-up! The two addressed items look good, and the reasoning on the skipped ones is sound:

  • SHA pinning — agreed, a repo-wide sweep is the right approach rather than spot-pinning one job. Happy to open a tracking issue for that if it would help maintainers prioritize it.
  • SPRING_CONFIG_ADDITIONAL-LOCATION hyphen — the test is correct to assert what the template actually emits. The potential env-var naming issue lives in templates/deployment.yaml, not the test. Would you like me to open a separate issue on the repo to flag it for maintainer review?

(っ◔◡◔)っ ♥

coderabbitai Bot left a comment

♻️ Duplicate comments (1)
.github/workflows/helm.yaml (1)

15-15: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Disable persisted credentials on checkout in the new unit-test job.

The checkout step still persists the token in local git config. Set persist-credentials: false to reduce credential exposure across later steps/artifacts.

🔒 Proposed fix
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/helm.yaml at line 15, The actions/checkout@v4 step in the
workflow is persisting credentials in the local git config, which poses a
security risk by exposing credentials to later steps and artifacts. Add the
`persist-credentials: false` configuration option to the checkout step to
disable this behavior and reduce credential exposure throughout the workflow
execution.

Source: Linters/SAST tools

🧹 Nitpick comments (1)
.pre-commit-config.yaml (1)

30-30: Pin readme-generator-for-helm to an explicit version.

Line 30 uses `npx --yes @bitnami/readme-generator-for-helm` without a version, making local runs non-reproducible. The CI workflow also installs this tool without version constraints. Pinning a version keeps docs generation deterministic across all environments.

Suggested change
-        entry: npx --yes `@bitnami/readme-generator-for-helm` --values charts/kafka-ui/values.yaml --readme charts/kafka-ui/CONFIGURATION.md
+        entry: npx --yes `@bitnami/readme-generator-for-helm`@<version> --values charts/kafka-ui/values.yaml --readme charts/kafka-ui/CONFIGURATION.md
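Review bot: the `+` line still carries the literal `@<version>` placeholder, which has to be replaced with a concrete release before the suggestion can be applied. Because `npx --yes` downloads and runs the package without a confirmation prompt, use an exact version rather than a range, so the hook executes the same code on every contributor machine.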

Also consider pinning the version in .github/workflows/update-config-docs.yaml line 19 (npm install -g @bitnami/readme-generator-for-helm@<version>).

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.pre-commit-config.yaml at line 30, The entry command for
`@bitnami/readme-generator-for-helm` in the pre-commit configuration lacks an
explicit version constraint, causing non-reproducible builds across
environments. Add a specific version number to the package name by appending
@<version> to `@bitnami/readme-generator-for-helm` in the entry command.
Additionally, apply the same version pinning to the npm install command in the
CI workflow file where `@bitnami/readme-generator-for-helm` is installed globally
to maintain consistency across all build environments.

📥 Commits

Reviewing files that changed from the base of the PR and between 18a1546 and 8779c36.

📒 Files selected for processing (3)
  • .github/workflows/helm.yaml
  • .pre-commit-config.yaml
  • charts/kafka-ui/CONFIGURATION.md
✅ Files skipped from review due to trivial changes (1)
  • charts/kafka-ui/CONFIGURATION.md

Comment thread .github/workflows/helm.yaml (outdated)

        uses: Azure/setup-helm@v3

      - name: Install helm-unittest plugin
        run: helm plugin install https://github.com/helm-unittest/helm-unittest

Member

can we pin a version please?

Author

Done — pinned to --version v1.1.1 (the current latest release, which the suite is verified against). Happy to bump it in a follow-up whenever you want to track newer plugin releases.

Per maintainer request: pin the plugin install to a fixed version
instead of pulling the default branch, for reproducible CI runs.
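
The four hardening points raised in this thread (action references not pinned to a SHA, checkout without `persist-credentials: false`, a job with no `permissions:` block, and `helm plugin install` without `--version`) can be checked mechanically before review. The following is an added example, not code from this PR or from zizmor or actionlint: a line-based Python check that assumes conventional two-space workflow indentation and unquoted `uses:` values; both sample workflows, the placeholder SHAs and the rule labels `missing-permissions` and `unpinned-plugin` are constructed for illustration.

```python
import re

# Constructed sample: the unit-test job as first submitted (tags as quoted in the thread).
BEFORE = """\
jobs:
  unit-test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Helm tool installer
        uses: Azure/setup-helm@v3
      - name: Install helm-unittest plugin
        run: helm plugin install https://github.com/helm-unittest/helm-unittest
"""

# Constructed sample with every suggestion applied; both SHAs are placeholders.
AFTER = """\
jobs:
  unit-test:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # placeholder
        with:
          persist-credentials: false
      - name: Helm tool installer
        uses: Azure/setup-helm@89abcdef0123456789abcdef0123456789abcdef # placeholder
      - name: Install helm-unittest plugin
        run: helm plugin install https://github.com/helm-unittest/helm-unittest --version v1.1.1
"""

SHA_RE = re.compile(r"[0-9a-f]{40}")                      # full commit SHA
USES_RE = re.compile(r"^\s*(?:-\s+)?uses:\s*([^\s#]+)")   # value of a uses: key
JOB_RE = re.compile(r"^  ([A-Za-z0-9_-]+):\s*$")          # job id under jobs:


def _indent(line):
    return len(line) - len(line.lstrip(" "))


def _step_block(lines, i):
    # Walk back to the "- " that opens the step, then forward over its body.
    start = i
    while start > 0 and not lines[start].lstrip().startswith("- "):
        start -= 1
    dash = _indent(lines[start])
    end = start + 1
    while end < len(lines) and (not lines[end].strip() or _indent(lines[end]) > dash):
        end += 1
    return lines[start:end]


def audit_workflow(text):
    """Return sorted (line_no, rule, detail) findings for one workflow file."""
    lines = text.splitlines()
    findings, jobs, job, in_jobs = [], [], None, False
    top_perms = any(l.startswith("permissions:") for l in lines)
    for no, line in enumerate(lines, 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if _indent(line) == 0:            # a new top-level key starts or ends jobs:
            in_jobs = line.startswith("jobs:")
            continue
        if not in_jobs:
            continue
        m = JOB_RE.match(line)
        if m:
            job = [m.group(1), no, False]  # [name, line, has job-level permissions]
            jobs.append(job)
        elif job and _indent(line) == 4 and line.lstrip().startswith("permissions:"):
            job[2] = True
        m = USES_RE.match(line)
        if m and not m.group(1).startswith(("./", "docker://")):
            action, _, ref = m.group(1).partition("@")
            if not SHA_RE.fullmatch(ref):
                findings.append((no, "unpinned-uses", f"{action}@{ref or '<none>'}"))
            if action == "actions/checkout":
                block = "\n".join(_step_block(lines, no - 1))
                if not re.search(r"persist-credentials:\s*false\b", block):
                    findings.append((no, "artipacked", "persist-credentials not false"))
        if re.search(r"helm plugin install\s+\S+", line) and "--version" not in line:
            findings.append((no, "unpinned-plugin", "helm plugin install without --version"))
    if not top_perms:                      # a workflow-level block covers every job
        findings += [(n, "missing-permissions", name) for name, n, ok in jobs if not ok]
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit_workflow(BEFORE):
        print(finding)
```
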