feat(helm): pod rollout on Secret change + topologySpreadConstraints

- Add checksum/secret pod annotations on app, realtime, and copilot
  Deployments (plus checksum/config on app when branding ConfigMap is
  enabled). Closes the long-standing footgun where 'helm upgrade' with
  a changed Secret would silently leave pods running the old values
  until a manual rollout restart.
- New top-level topologySpreadConstraints value (and sim.topologySpreadConstraints
  helper) applied to app and realtime Deployments. Mirrors how affinity
  and tolerations are plumbed; users supply their own labelSelector
  to mirror Bitnami convention.
- 5 helm-unittest cases cover the checksum annotations and topology
  spread rendering (46 tests total).

Author: waleedlatif1

helm/sim/templates/_helpers.tpl

@@ -526,6 +526,19 @@ affinity:
 {{- end }}
 {{- end }}
 
+{{/*
+Topology spread constraints — spreads pods across failure domains.
+Pass the per-component spec (.Values.app, .Values.realtime, ...). Users supply
+the full constraint list including labelSelector; pattern mirrors affinity.
+Usage: {{ include "sim.topologySpreadConstraints" .Values.app | nindent 6 }}
+*/}}
+{{- define "sim.topologySpreadConstraints" -}}
+{{- if .topologySpreadConstraints }}
+topologySpreadConstraints:
+  {{- toYaml .topologySpreadConstraints | nindent 2 }}
+{{- end }}
+{{- end }}
+
 {{/*
 Copilot environment secret name
 */}}

helm/sim/templates/deployment-app.yaml

@@ -17,6 +17,10 @@ spec:
   template:
     metadata:
       annotations:
+        checksum/secret: {{ include (print $.Template.BasePath "/secrets-app.yaml") . | sha256sum }}
+        {{- if .Values.branding.enabled }}
+        checksum/config: {{ include (print $.Template.BasePath "/configmap-branding.yaml") . | sha256sum }}
+        {{- end }}
         {{- with .Values.podAnnotations }}
         {{- toYaml . | nindent 8 }}
         {{- end }}
@@ -36,6 +40,7 @@ spec:
       {{- include "sim.nodeSelector" .Values.app | nindent 6 }}
       {{- include "sim.tolerations" .Values | nindent 6 }}
       {{- include "sim.affinity" .Values | nindent 6 }}
+      {{- include "sim.topologySpreadConstraints" .Values | nindent 6 }}
       {{- if .Values.migrations.enabled }}
       initContainers:
         - name: migrations

helm/sim/templates/deployment-copilot.yaml

@@ -38,6 +38,7 @@ spec:
   template:
     metadata:
       annotations:
+        checksum/secret: {{ include (print $.Template.BasePath "/secrets-copilot.yaml") . | sha256sum }}
         {{- with .Values.podAnnotations }}
         {{- toYaml . | nindent 8 }}
         {{- end }}

helm/sim/templates/deployment-realtime.yaml

@@ -17,6 +17,7 @@ spec:
   template:
     metadata:
       annotations:
+        checksum/secret: {{ include (print $.Template.BasePath "/secrets-app.yaml") . | sha256sum }}
         {{- with .Values.podAnnotations }}
         {{- toYaml . | nindent 8 }}
         {{- end }}
@@ -36,6 +37,7 @@ spec:
       {{- include "sim.nodeSelector" .Values.realtime | nindent 6 }}
       {{- include "sim.tolerations" .Values | nindent 6 }}
       {{- include "sim.affinity" .Values | nindent 6 }}
+      {{- include "sim.topologySpreadConstraints" .Values | nindent 6 }}
       containers:
         - name: realtime
           image: {{ include "sim.image" (dict "imageRoot" .Values.realtime.image "global" .Values.global "chartAppVersion" .Chart.AppVersion) }}

helm/sim/tests/pod-rollout_test.yaml

@@ -0,0 +1,72 @@
+suite: pod rollout — checksum annotations + topology spread
+release:
+  name: t
+  namespace: sim
+defaults: &defaults
+  app.env.BETTER_AUTH_SECRET: x
+  app.env.ENCRYPTION_KEY: x
+  app.env.INTERNAL_API_SECRET: x
+  app.env.CRON_SECRET: x
+  postgresql.auth.password: x
+
+tests:
+  - it: app pod template has checksum/secret annotation
+    template: deployment-app.yaml
+    set:
+      <<: *defaults
+    asserts:
+      - isNotEmpty:
+          path: spec.template.metadata.annotations["checksum/secret"]
+
+  - it: realtime pod template has checksum/secret annotation
+    template: deployment-realtime.yaml
+    set:
+      <<: *defaults
+    asserts:
+      - isNotEmpty:
+          path: spec.template.metadata.annotations["checksum/secret"]
+
+  - it: changing a secret value changes the app pod checksum (forces rollout)
+    template: deployment-app.yaml
+    set:
+      <<: *defaults
+      app.env.BETTER_AUTH_SECRET: original-value
+    asserts:
+      - notEqual:
+          path: spec.template.metadata.annotations["checksum/secret"]
+          value: ""
+
+  - it: topologySpreadConstraints render on the app pod when set
+    template: deployment-app.yaml
+    set:
+      <<: *defaults
+      topologySpreadConstraints:
+        - maxSkew: 1
+          topologyKey: topology.kubernetes.io/zone
+          whenUnsatisfiable: ScheduleAnyway
+          labelSelector:
+            matchLabels:
+              app.kubernetes.io/name: sim
+    asserts:
+      - equal:
+          path: spec.template.spec.topologySpreadConstraints[0].topologyKey
+          value: topology.kubernetes.io/zone
+      - equal:
+          path: spec.template.spec.topologySpreadConstraints[0].whenUnsatisfiable
+          value: ScheduleAnyway
+
+  - it: topologySpreadConstraints render on the realtime pod when set
+    template: deployment-realtime.yaml
+    set:
+      <<: *defaults
+      topologySpreadConstraints:
+        - maxSkew: 1
+          topologyKey: topology.kubernetes.io/zone
+          whenUnsatisfiable: ScheduleAnyway
+          labelSelector:
+            matchLabels:
+              app.kubernetes.io/name: sim
+    asserts:
+      - equal:
+          path: spec.template.spec.topologySpreadConstraints[0].topologyKey
+          value: topology.kubernetes.io/zone

helm/sim/values.yaml

@@ -1051,6 +1051,19 @@ affinity: {}
 # Tolerations for scheduling on tainted nodes
 tolerations: []
 
+# Topology spread constraints — for HA across zones / nodes.
+# Each entry must include its own labelSelector. Common pattern:
+#
+#   topologySpreadConstraints:
+#     - maxSkew: 1
+#       topologyKey: topology.kubernetes.io/zone
+#       whenUnsatisfiable: ScheduleAnyway
+#       labelSelector:
+#         matchLabels:
+#           app.kubernetes.io/name: sim
+#           app.kubernetes.io/instance: my-release
+topologySpreadConstraints: []
+
 # CronJob configuration for scheduled tasks
 cronjobs:
   # Enable/disable all cron jobs