feat(helm): opt-in PodDisruptionBudget and probes for CNPG plugin sidecars

operator/documentdb-helm-chart/templates/02_documentdb_sidecar_injector.yaml

@@ -85,6 +85,20 @@ spec:
         ports:
         - containerPort: 9090
           protocol: TCP
+        {{- if .Values.pluginProbes.enabled }}
+        readinessProbe:
+          tcpSocket:
+            port: 9090
+          initialDelaySeconds: {{ .Values.pluginProbes.initialDelaySeconds }}
+          periodSeconds: {{ .Values.pluginProbes.periodSeconds }}
+          failureThreshold: {{ .Values.pluginProbes.failureThreshold }}
+        livenessProbe:
+          tcpSocket:
+            port: 9090
+          initialDelaySeconds: {{ .Values.pluginProbes.initialDelaySeconds }}
+          periodSeconds: {{ .Values.pluginProbes.periodSeconds }}
+          failureThreshold: {{ .Values.pluginProbes.failureThreshold }}
+        {{- end }}
         {{- with .Values.sidecarInjector.resources }}
         resources:
           {{- toYaml . | nindent 10 }}

operator/documentdb-helm-chart/templates/03_documentdb_wal_replica.yaml

@@ -125,6 +125,20 @@ spec:
         ports:
         - containerPort: 9090
           protocol: TCP
+        {{- if .Values.pluginProbes.enabled }}
+        readinessProbe:
+          tcpSocket:
+            port: 9090
+          initialDelaySeconds: {{ .Values.pluginProbes.initialDelaySeconds }}
+          periodSeconds: {{ .Values.pluginProbes.periodSeconds }}
+          failureThreshold: {{ .Values.pluginProbes.failureThreshold }}
+        livenessProbe:
+          tcpSocket:
+            port: 9090
+          initialDelaySeconds: {{ .Values.pluginProbes.initialDelaySeconds }}
+          periodSeconds: {{ .Values.pluginProbes.periodSeconds }}
+          failureThreshold: {{ .Values.pluginProbes.failureThreshold }}
+        {{- end }}
         args:
         - receivewal
         - --server-cert=/server/tls.crt

operator/documentdb-helm-chart/templates/11_pdb.yaml

@@ -0,0 +1,21 @@
+{{- if .Values.podDisruptionBudget.enabled }}
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: documentdb-operator
+  namespace: {{ .Values.namespace | default .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: {{ include "documentdb-chart.name" . }}
+    app.kubernetes.io/component: operator
+    app.kubernetes.io/managed-by: "Helm"
+spec:
+  selector:
+    matchLabels:
+      app: {{ .Release.Name }}
+  {{- with .Values.podDisruptionBudget.minAvailable }}
+  minAvailable: {{ . }}
+  {{- end }}
+  {{- with .Values.podDisruptionBudget.maxUnavailable }}
+  maxUnavailable: {{ . }}
+  {{- end }}
+{{- end }}

operator/documentdb-helm-chart/tests/02_sidecar_injector_test.yaml

@@ -155,3 +155,61 @@ tests:
           value: cnpg-system
       - isNotNull:
           path: spec.selfSigned
+
+  # -------------------------------------------------------------------
+  # Plugin probes
+  # -------------------------------------------------------------------
+  - it: should render TCP readiness and liveness probes by default
+    documentIndex: 1
+    asserts:
+      - equal:
+          path: spec.template.spec.containers[0].readinessProbe.tcpSocket.port
+          value: 9090
+      - equal:
+          path: spec.template.spec.containers[0].readinessProbe.initialDelaySeconds
+          value: 5
+      - equal:
+          path: spec.template.spec.containers[0].readinessProbe.periodSeconds
+          value: 10
+      - equal:
+          path: spec.template.spec.containers[0].readinessProbe.failureThreshold
+          value: 3
+      - equal:
+          path: spec.template.spec.containers[0].livenessProbe.tcpSocket.port
+          value: 9090
+      - equal:
+          path: spec.template.spec.containers[0].livenessProbe.initialDelaySeconds
+          value: 5
+      - equal:
+          path: spec.template.spec.containers[0].livenessProbe.periodSeconds
+          value: 10
+      - equal:
+          path: spec.template.spec.containers[0].livenessProbe.failureThreshold
+          value: 3
+
+  - it: should omit probes when pluginProbes.enabled is false
+    set:
+      pluginProbes.enabled: false
+    documentIndex: 1
+    asserts:
+      - notExists:
+          path: spec.template.spec.containers[0].readinessProbe
+      - notExists:
+          path: spec.template.spec.containers[0].livenessProbe
+
+  - it: should use custom probe settings when overridden
+    set:
+      pluginProbes.initialDelaySeconds: 15
+      pluginProbes.periodSeconds: 30
+      pluginProbes.failureThreshold: 5
+    documentIndex: 1
+    asserts:
+      - equal:
+          path: spec.template.spec.containers[0].readinessProbe.initialDelaySeconds
+          value: 15
+      - equal:
+          path: spec.template.spec.containers[0].readinessProbe.periodSeconds
+          value: 30
+      - equal:
+          path: spec.template.spec.containers[0].livenessProbe.failureThreshold
+          value: 5

operator/documentdb-helm-chart/tests/03_wal_replica_test.yaml

@@ -145,3 +145,56 @@ tests:
       - equal:
           path: metadata.namespace
           value: cnpg-system
+
+  # -------------------------------------------------------------------
+  # Plugin probes
+  # -------------------------------------------------------------------
+  - it: should render TCP readiness and liveness probes by default
+    set:
+      walReplica: true
+    documentIndex: 3
+    asserts:
+      - equal:
+          path: spec.template.spec.containers[0].readinessProbe.tcpSocket.port
+          value: 9090
+      - equal:
+          path: spec.template.spec.containers[0].readinessProbe.initialDelaySeconds
+          value: 5
+      - equal:
+          path: spec.template.spec.containers[0].readinessProbe.periodSeconds
+          value: 10
+      - equal:
+          path: spec.template.spec.containers[0].readinessProbe.failureThreshold
+          value: 3
+      - equal:
+          path: spec.template.spec.containers[0].livenessProbe.tcpSocket.port
+          value: 9090
+
+  - it: should omit probes when pluginProbes.enabled is false
+    set:
+      walReplica: true
+      pluginProbes.enabled: false
+    documentIndex: 3
+    asserts:
+      - notExists:
+          path: spec.template.spec.containers[0].readinessProbe
+      - notExists:
+          path: spec.template.spec.containers[0].livenessProbe
+
+  - it: should use custom probe settings when overridden
+    set:
+      walReplica: true
+      pluginProbes.initialDelaySeconds: 20
+      pluginProbes.periodSeconds: 60
+      pluginProbes.failureThreshold: 10
+    documentIndex: 3
+    asserts:
+      - equal:
+          path: spec.template.spec.containers[0].readinessProbe.initialDelaySeconds
+          value: 20
+      - equal:
+          path: spec.template.spec.containers[0].livenessProbe.periodSeconds
+          value: 60
+      - equal:
+          path: spec.template.spec.containers[0].livenessProbe.failureThreshold
+          value: 10

operator/documentdb-helm-chart/tests/11_pdb_test.yaml

@@ -0,0 +1,112 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/helm-unittest/helm-unittest/main/schema/helm-testsuite.json
+suite: pod disruption budget
+templates:
+  - 11_pdb.yaml
+
+capabilities:
+  apiVersions:
+    - cert-manager.io/v1/Certificate
+
+tests:
+  # -------------------------------------------------------------------
+  # Feature gate (podDisruptionBudget.enabled)
+  # -------------------------------------------------------------------
+  - it: should not render PDB when disabled (default)
+    asserts:
+      - hasDocuments:
+          count: 0
+
+  - it: should render PDB when enabled
+    set:
+      podDisruptionBudget.enabled: true
+    asserts:
+      - hasDocuments:
+          count: 1
+
+  # -------------------------------------------------------------------
+  # Metadata
+  # -------------------------------------------------------------------
+  - it: should create a PodDisruptionBudget with correct metadata
+    set:
+      podDisruptionBudget.enabled: true
+    asserts:
+      - isKind:
+          of: PodDisruptionBudget
+      - isAPIVersion:
+          of: policy/v1
+      - equal:
+          path: metadata.name
+          value: documentdb-operator
+      - equal:
+          path: metadata.labels["app.kubernetes.io/component"]
+          value: operator
+      - equal:
+          path: metadata.labels["app.kubernetes.io/managed-by"]
+          value: Helm
+
+  - it: should use release namespace when values.namespace is empty
+    set:
+      podDisruptionBudget.enabled: true
+      namespace: ""
+    release:
+      namespace: my-ns
+    asserts:
+      - equal:
+          path: metadata.namespace
+          value: my-ns
+
+  - it: should use custom namespace when set
+    set:
+      podDisruptionBudget.enabled: true
+      namespace: custom-ns
+    asserts:
+      - equal:
+          path: metadata.namespace
+          value: custom-ns
+
+  # -------------------------------------------------------------------
+  # Selector
+  # -------------------------------------------------------------------
+  - it: should select pods by release name
+    set:
+      podDisruptionBudget.enabled: true
+    release:
+      name: my-release
+    asserts:
+      - equal:
+          path: spec.selector.matchLabels.app
+          value: my-release
+
+  # -------------------------------------------------------------------
+  # minAvailable / maxUnavailable
+  # -------------------------------------------------------------------
+  - it: should set minAvailable by default
+    set:
+      podDisruptionBudget.enabled: true
+    asserts:
+      - equal:
+          path: spec.minAvailable
+          value: 1
+      - notExists:
+          path: spec.maxUnavailable
+
+  - it: should use maxUnavailable when set (and minAvailable cleared)
+    set:
+      podDisruptionBudget.enabled: true
+      podDisruptionBudget.minAvailable: ""
+      podDisruptionBudget.maxUnavailable: 1
+    asserts:
+      - equal:
+          path: spec.maxUnavailable
+          value: 1
+      - notExists:
+          path: spec.minAvailable
+
+  - it: should support percentage for minAvailable
+    set:
+      podDisruptionBudget.enabled: true
+      podDisruptionBudget.minAvailable: "50%"
+    asserts:
+      - equal:
+          path: spec.minAvailable
+          value: "50%"

operator/documentdb-helm-chart/values.yaml

@@ -74,6 +74,26 @@ certManager:
   # unreliable. Disabling the check does NOT remove the dependency.
   preflightCheck: true
 
+# PodDisruptionBudget for the operator. Disabled by default because the
+# operator ships with replicaCount: 1 and a PDB on a single-replica deployment
+# blocks node drains. Enable when running multi-replica with leader election.
+# Set exactly one of minAvailable or maxUnavailable; if both are set, only
+# minAvailable is honored.
+podDisruptionBudget:
+  enabled: false
+  minAvailable: 1
+  maxUnavailable: ""
+
+# Probes for the CNPG plugin sidecars (sidecar-injector, wal-replica).
+# Both are gRPC servers on port 9090; TCP socket probes are used because
+# the plugins do not expose an HTTP health endpoint. Set probe.enabled=false
+# to omit the probe (e.g., if you supply your own via a patch).
+pluginProbes:
+  enabled: true
+  initialDelaySeconds: 5
+  periodSeconds: 10
+  failureThreshold: 3
+
 # Per-component pod-level configuration: resources, security contexts, and scheduling.
 # Defaults are conservative and aim to be compatible with Pod Security Admission's
 # `restricted` profile. Override any field per component as needed.