test(charts): add helm-unittest suite for ingestion-authz-configmap

[saadqbal]

What

Adds a helm-unittest suite for the previously-untested templates/ingestion-authz-configmap.yaml.

This ConfigMap is the authorization policy that decides which ServiceAccount(s) may call POST /internal/submit-ingestion-run on jobs-manager, scoped to table-name prefixes (client-runtime#21). jobs-manager loads it at startup as the single source of truth, so its fail-safe behaviour and fallbacks are security-relevant.

Coverage delta

• +1 template suite (ingestion-authz-configmap) — chart suites 15 → 16
• 8 assertions/tests, all green locally (full chart: 167 tests pass)

The suite asserts:

1. Release-scoped name (RELEASE-NAME-ingestion-authz) + namespace
2. Standard tracebloc.labels
3. Default wildcard policy entry (default SA, release namespace, "*")
4. Verbatim rendering of an explicit multi-prefix entry
5. Per-entry service_account fallback to ingestionAuthz.serviceAccountName (Move ingestor ServiceAccount into parent client chart (shared resource) #129)
6. Per-entry omitted namespace defaulting to the release namespace
7. Fail-safe deny-all when ingestionAuthz is absent (pre-feat(#86): ingestor Helm subchart + companion RBAC/service/authz for new ingestion endpoint #123 --reuse-values upgrade) → empty allowed:, no service_account
8. Fail-safe deny-all when ingestionAuthz.allowed is empty

Notes

• Tests-only; no source/template/values changes.
• Security invariants unchanged — the suite asserts the fail-safe deny-all default rather than relaxing it.

Refs #193

---

Note

Low Risk
Test-only change with no runtime or policy template modifications.

Overview
Adds a helm-unittest suite for templates/ingestion-authz-configmap.yaml, which was previously untested. The chart gains 8 cases (167 total tests) that lock in ConfigMap metadata/labels, default wildcard policy rendering, explicit multi-prefix entries, service_account fallback to ingestionAuthz.serviceAccountName, omitted namespace defaulting to the release namespace, and fail-safe deny-all when ingestionAuthz is null or allowed is empty.

Tests only — no Helm template or values changes; behavior is asserted, not modified.

^{Reviewed by Cursor Bugbot for commit b7f0b2d. Bugbot is set up for automated code reviews on this repo. Configure here.}

[LukasWodka]

👋 Heads-up — Code review queue is at 17 / 8

Above the WIP limit. The team convention is to review existing PRs before opening new work.

Open PRs currently in Code review (oldest first):

• averaging-service#102 — chore(kanban): declare staging as prod-truth branch via .kanban.yml · author: @LukasWodka · no reviewer assigned
• averaging-service#103 — fix(averaging): correctness foundations — DP, shape guard, sklearn weighting, bounded ensembles (chore: add default CODEOWNERS for auto-reviewer assignment #73) · author: @LukasWodka · reviewer: @shujaatTracebloc
• averaging-service#98 — ci: add fr-gate caller workflow · author: @LukasWodka · no reviewer assigned
• backend#732 — feat(experiments): add per-experiment aggregation_strategy field (#730) · author: @LukasWodka · reviewer: @saqlainsyed007, @shujaatTracebloc
• data-ingestors#146 — test(schema): lock category enum to the engine's TaskCategory (anti-drift) · author: @LukasWodka · reviewer: @saadqbal
• data-ingestors#148 — Develop to prod · author: @divyasinghds · reviewer: @saadqbal
• design-system#19 — fix: un-track coverage/ and node_modules/ from git · author: @LukasWodka · no reviewer assigned
• design-system#22 — ci: add Vitest test workflow · author: @LukasWodka · reviewer: @aptracebloc
• design-system#23 — ci: add fr-gate caller workflow · author: @LukasWodka · no reviewer assigned
• docs#47 — docs(environment-setup): Installer UX: drop PriorityClass, fix namespace, one-per-machine guard, surface version #192 namespace/workspace flow (hold for client#192) · author: @LukasWodka · reviewer: @saadqbal

Pull from review before opening new work. (This is a nudge from the kanban WIP check, not a block.)