Fix multiple topologySpreadConstraints

[pdiroot]

Helm chart's deployment template is broken when using multiple topologySpreadConstraints.

Steps to reproduce:

cat > custom.values.yaml <<EOF
controller:
  topologySpreadConstraints:
    - topologyKey: topology.kubernetes.io/zone
      maxSkew: 1
      whenUnsatisfiable: ScheduleAnyway
    - topologyKey: kubernetes.io/hostname
      maxSkew: 1
      whenUnsatisfiable: ScheduleAnyway
      labelSelector:
        matchLabels:
          app.kubernetes.io/name: example
EOF

helm template vault-secrets-operator ./chart -f custom.values.yaml

Error: YAML parse error on vault-secrets-operator/templates/deployment.yaml: error converting YAML to JSON: yaml: line 119: mapping values are not allowed in this context

Use --debug flag to render out invalid YAML

Let's see what broken YAML was actually produced here:

helm template vault-secrets-operator ./chart -f custom.values.yaml --debug | grep -B1 -A15 'topologySpreadConstraints'

      terminationGracePeriodSeconds: 120
      topologySpreadConstraints:
        - labelSelector:
            matchLabels:
              app.kubernetes.io/instance: vault-secrets-operator
              app.kubernetes.io/name: vault-secrets-operator
          maxSkew: 1
          topologyKey: topology.kubernetes.io/zone
          whenUnsatisfiable: ScheduleAnyway- labelSelector:
            matchLabels:
              app.kubernetes.io/name: example
          maxSkew: 1
          topologyKey: kubernetes.io/hostname
          whenUnsatisfiable: ScheduleAnyway
      volumes:
      - downwardAPI:
          items:

You can see the new-line being removed and 2 constraints merged into one block:

whenUnsatisfiable: ScheduleAnyway- labelSelector:

Let's apply the fix and try again:

helm template vault-secrets-operator ./chart -f custom.values.yaml | grep -B1 -A15 'topologySpreadConstraints'

      terminationGracePeriodSeconds: 120
      topologySpreadConstraints:
        - labelSelector:
            matchLabels:
              app.kubernetes.io/instance: vault-secrets-operator
              app.kubernetes.io/name: vault-secrets-operator
          maxSkew: 1
          topologyKey: topology.kubernetes.io/zone
          whenUnsatisfiable: ScheduleAnyway
        - labelSelector:
            matchLabels:
              app.kubernetes.io/name: example
          maxSkew: 1
          topologyKey: kubernetes.io/hostname
          whenUnsatisfiable: ScheduleAnyway
      volumes:
      - downwardAPI:

The fix works fine with multiple topologySpreadConstraints, a single one or no at all.
Please merge the proposed changes.

[hashicorp-cla-app]

All committers have signed the CLA.

[hashicorp-cla-app]

Thank you for your submission! We require that all contributors sign our Contributor License Agreement ("CLA") before we can accept the contribution. Read and sign the agreement

Learn more about why HashiCorp requires a CLA and what the CLA includes

_{Have you signed the CLA already but the status is still pending? Recheck it.}

[Copilot]

Pull Request Overview

This PR refactors the vso.topologySpreadConstraints Helm template helper to improve its structure and correctness. The template processes topology spread constraints and automatically adds default label selectors when not explicitly provided.

Key changes:

• Accumulates all topology spread constraints in a list before outputting YAML
• Adds a conditional check to only output YAML if constraints exist
• Improves code readability by using intermediate variables

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[JohnLahr]

I have also filed !1131 in hopes of resolving this. Hashicorp, please recognize that this is a legitimate issue affecting multiple users.