Add chart validation CI + helm-unittest suite (CE-272)

[Eric Hibbs (flowstate)]

Summary

• Adds .github/workflows/validate.yaml: on PRs touching helm/**, runs helm lint, helm template | kubeconform -strict (default render + every example values file), and helm unittest. This gates the release.yaml publish, which previously fired on a Chart.yaml version bump with no pre-publish validation.
• Adds helm/tests/ unittest suites asserting the chart's pass-through plumbing:
  • scheduling_test.yaml — topologySpreadConstraints, affinity, tolerations, nodeSelector (absent by default, rendered verbatim when set).
  • upstream_tokens_test.yaml — a path route's upstreamToken produces the right secretKeyRef env var.

Stacked on #8

This branches off the CE-271 (topologySpread) branch because the suite asserts the topologySpreadConstraints behavior added there. Merge #8 first; GitHub will retarget this PR to main automatically. (Base is set to the CE-271 branch so the diff here shows only the CI/test additions.)

Validation (local)

• helm unittest helm — 5/5 pass across 2 suites
• helm lint clean
• helm template | kubeconform -strict (k8s 1.30) — default + corporate/forward-proxy/remote-first examples all valid
• Confirmed the suite fails against the feature being absent (caught that this had to stack on Add topologySpreadConstraints support + pin to 1.1.341 (CE-271) #8)

Notes

• Actions pinned to the same SHAs as release.yaml; permissions: contents: read.
• kubeconform and helm-unittest pinned by version (v0.8.0, v1.1.1).

Linear: CE-272

Made with Cursor