You've already forked athens-proxy-charts
Compare commits
21 Commits
1.0.2
...
d7222794ca
Author | SHA1 | Date | |
---|---|---|---|
d7222794ca
|
|||
4974d63a8c
|
|||
1bbd0352c3
|
|||
ccdf377aaa
|
|||
64790fc316
|
|||
2c88d6698b
|
|||
9abdb1ca3a
|
|||
81f14405fd | |||
7b37bfc373
|
|||
bba0df90ff
|
|||
cb312817c3
|
|||
fe428d83d2 | |||
4c94529eab
|
|||
297f36920a
|
|||
4102fc9014
|
|||
be923ed95f | |||
f07ff039ce
|
|||
a11be194cc
|
|||
7908de9313
|
|||
adfe40a9c7
|
|||
eadbcf243b
|
@@ -15,7 +15,7 @@ on:
|
|||||||
jobs:
|
jobs:
|
||||||
generate-parameters:
|
generate-parameters:
|
||||||
container:
|
container:
|
||||||
image: docker.io/library/node:24.10.0-alpine
|
image: docker.io/library/node:25.0.0-alpine
|
||||||
runs-on:
|
runs-on:
|
||||||
- ubuntu-latest
|
- ubuntu-latest
|
||||||
steps:
|
steps:
|
||||||
|
@@ -15,7 +15,7 @@ on:
|
|||||||
jobs:
|
jobs:
|
||||||
markdown-link-checker:
|
markdown-link-checker:
|
||||||
container:
|
container:
|
||||||
image: docker.io/library/node:24.10.0-alpine
|
image: docker.io/library/node:25.0.0-alpine
|
||||||
runs-on:
|
runs-on:
|
||||||
- ubuntu-latest
|
- ubuntu-latest
|
||||||
steps:
|
steps:
|
||||||
@@ -31,7 +31,7 @@ jobs:
|
|||||||
|
|
||||||
markdown-lint:
|
markdown-lint:
|
||||||
container:
|
container:
|
||||||
image: docker.io/library/node:24.10.0-alpine
|
image: docker.io/library/node:25.0.0-alpine
|
||||||
runs-on:
|
runs-on:
|
||||||
- ubuntu-latest
|
- ubuntu-latest
|
||||||
steps:
|
steps:
|
||||||
|
8
.vscode/settings.json
vendored
Normal file
8
.vscode/settings.json
vendored
Normal file
@@ -0,0 +1,8 @@
|
|||||||
|
{
|
||||||
|
"yaml.schemas": {
|
||||||
|
"https://raw.githubusercontent.com/helm-unittest/helm-unittest/v1.0.3/schema/helm-testsuite.json": [
|
||||||
|
"/unittests/**/*.yaml"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
"yaml.schemaStore.enable": true
|
||||||
|
}
|
@@ -19,6 +19,6 @@ keywords:
|
|||||||
- go-proxy
|
- go-proxy
|
||||||
|
|
||||||
sources:
|
sources:
|
||||||
- https://github.com/volker-raschek/athens-proxy-charts
|
- https://git.cryptic.systems/volker.raschek/athens-proxy-charts
|
||||||
- https://github.com/gomods/athens
|
- https://github.com/gomods/athens
|
||||||
- https://hub.docker.com/r/gomods/athens
|
- https://hub.docker.com/r/gomods/athens
|
||||||
|
2
Makefile
2
Makefile
@@ -10,7 +10,7 @@ HELM_IMAGE_FULLY_QUALIFIED=${HELM_IMAGE_REGISTRY_HOST}/${HELM_IMAGE_REPOSITORY}:
|
|||||||
# NODE_IMAGE
|
# NODE_IMAGE
|
||||||
NODE_IMAGE_REGISTRY_HOST?=docker.io
|
NODE_IMAGE_REGISTRY_HOST?=docker.io
|
||||||
NODE_IMAGE_REPOSITORY?=library/node
|
NODE_IMAGE_REPOSITORY?=library/node
|
||||||
NODE_IMAGE_VERSION?=24.10.0-alpine # renovate: datasource=docker registryUrl=https://docker.io depName=docker.io/library/node packageName=library/node
|
NODE_IMAGE_VERSION?=25.0.0-alpine # renovate: datasource=docker registryUrl=https://docker.io depName=docker.io/library/node packageName=library/node
|
||||||
NODE_IMAGE_FULLY_QUALIFIED=${NODE_IMAGE_REGISTRY_HOST}/${NODE_IMAGE_REPOSITORY}:${NODE_IMAGE_VERSION}
|
NODE_IMAGE_FULLY_QUALIFIED=${NODE_IMAGE_REGISTRY_HOST}/${NODE_IMAGE_REPOSITORY}:${NODE_IMAGE_VERSION}
|
||||||
|
|
||||||
# MISSING DOT
|
# MISSING DOT
|
||||||
|
140
README.md
140
README.md
@@ -40,7 +40,7 @@ version of the chart must be in sync with the `values.yaml`. Newer *minor* versi
|
|||||||
versions can break something!
|
versions can break something!
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
CHART_VERSION=1.0.0
|
CHART_VERSION=1.1.1
|
||||||
helm show values volker.raschek/athens-proxy --version "${CHART_VERSION}" > values.yaml
|
helm show values volker.raschek/athens-proxy --version "${CHART_VERSION}" > values.yaml
|
||||||
```
|
```
|
||||||
|
|
||||||
@@ -54,7 +54,7 @@ The helm chart also contains a persistent volume claim definition. It persistent
|
|||||||
Use the `--set` argument to persist your data.
|
Use the `--set` argument to persist your data.
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
CHART_VERSION=1.0.0
|
CHART_VERSION=1.1.1
|
||||||
helm install --version "${CHART_VERSION}" athens-proxy volker.raschek/athens-proxy \
|
helm install --version "${CHART_VERSION}" athens-proxy volker.raschek/athens-proxy \
|
||||||
persistence.enabled=true
|
persistence.enabled=true
|
||||||
```
|
```
|
||||||
@@ -84,13 +84,64 @@ Further information about this topic can be found in one of Kanishk's blog
|
|||||||
> Please take care the a CPU limit < `1000m` can also lead to CPU throttling. Please read the linked documentation carefully.
|
> Please take care the a CPU limit < `1000m` can also lead to CPU throttling. Please read the linked documentation carefully.
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
CHART_VERSION=1.0.0
|
CHART_VERSION=1.1.1
|
||||||
helm install --version "${CHART_VERSION}" athens-proxy volker.raschek/athens-proxy \
|
helm install --version "${CHART_VERSION}" athens-proxy volker.raschek/athens-proxy \
|
||||||
--set 'deployment.athensProxy.env.name=GOMAXPROCS' \
|
--set 'deployment.athensProxy.env.name=GOMAXPROCS' \
|
||||||
--set 'deployment.athensProxy.env.valueFrom.resourceFieldRef.resource=limits.cpu' \
|
--set 'deployment.athensProxy.env.valueFrom.resourceFieldRef.resource=limits.cpu' \
|
||||||
--set 'deployment.athensProxy.resources.limits.cpu=1000m'
|
--set 'deployment.athensProxy.resources.limits.cpu=1000m'
|
||||||
```
|
```
|
||||||
|
|
||||||
|
#### TLS encryption
|
||||||
|
|
||||||
|
The example shows how to deploy the application with TLS encryption. For example when **no** HTTP ingress is used for
|
||||||
|
TLS determination and instead the application it self should determinate the TLS handshake. To generate the TLS
|
||||||
|
certificate can be used the [cert-manager](https://cert-manager.io/). The chart supports the creation of such a TLS
|
||||||
|
certificate via `cert-manager.io/v1 Certificate` resource. Alternatively can be mounted a TLS certificate from a secret.
|
||||||
|
The secret must be from type `kubernetes.io/tls`.
|
||||||
|
|
||||||
|
> [!WARNING]
|
||||||
|
> The following example expects that the [cert-manager](https://cert-manager.io/) is deployed and the `Issuer` named
|
||||||
|
> `athens-proxy-ca` is present in the same namespace of the helm deployment.
|
||||||
|
|
||||||
|
```bash
|
||||||
|
CHART_VERSION=1.1.1
|
||||||
|
helm install --version "${CHART_VERSION}" athens-proxy volker.raschek/athens-proxy \
|
||||||
|
--set 'config.certificate.enabled=true' \
|
||||||
|
--set 'config.certificate.new.issuerRef.kind=Issuer' \
|
||||||
|
--set 'config.certificate.new.issuerRef.name=athens-proxy-ca'
|
||||||
|
```
|
||||||
|
|
||||||
|
The environment variables `ATHENS_TLSCERT_FILE` and `ATHENS_TLSKEY_FILE` are automatically added and the TLS certificate
|
||||||
|
and private key are mounted to a pre-defined destination inside the container file system.
|
||||||
|
|
||||||
|
#### TLS certificate rotation
|
||||||
|
|
||||||
|
If the application uses TLS certificates that are mounted as a secret in the container file system like the example
|
||||||
|
[above](#tls-encryption), the application will not automatically apply them when the TLS certificates are rotated. Such
|
||||||
|
a rotation can be for example triggered, when the [cert-manager](https://cert-manager.io/) issues new TLS certificates
|
||||||
|
before expiring.
|
||||||
|
|
||||||
|
Until the exporter does not support rotating TLS certificate a workaround can be applied. For example stakater's
|
||||||
|
[reloader](https://github.com/stakater/Reloader) controller can be used to trigger a rolling update. The following
|
||||||
|
annotation must be added to instruct the reloader controller to trigger a rolling update, when the mounted configMaps
|
||||||
|
and secrets have been changed.
|
||||||
|
|
||||||
|
```yaml
|
||||||
|
deployment:
|
||||||
|
annotations:
|
||||||
|
reloader.stakater.com/auto: "true"
|
||||||
|
```
|
||||||
|
|
||||||
|
Instead of triggering a rolling update for configMap and secret resources, this action can also be defined for
|
||||||
|
individual items. For example, when the secret named `athens-proxy-tls` is mounted and the reloader controller should
|
||||||
|
only listen for changes of this secret:
|
||||||
|
|
||||||
|
```yaml
|
||||||
|
deployment:
|
||||||
|
annotations:
|
||||||
|
secret.reloader.stakater.com/reload: "athens-proxy-tls"
|
||||||
|
```
|
||||||
|
|
||||||
#### Network policies
|
#### Network policies
|
||||||
|
|
||||||
Network policies can only take effect, when the used CNI plugin support network policies. The chart supports no custom
|
Network policies can only take effect, when the used CNI plugin support network policies. The chart supports no custom
|
||||||
@@ -149,7 +200,8 @@ networkPolicies:
|
|||||||
|
|
||||||
The behavior whereby ArgoCD triggers a rolling update even though nothing appears to have changed often occurs in
|
The behavior whereby ArgoCD triggers a rolling update even though nothing appears to have changed often occurs in
|
||||||
connection with the helm concept `checksum/secret`, `checksum/configmap` or more generally, [Automatically Roll
|
connection with the helm concept `checksum/secret`, `checksum/configmap` or more generally, [Automatically Roll
|
||||||
Deployments](https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments).
|
Deployments](https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments). Please ensure, that no
|
||||||
|
third party application modifies the config maps or secret afterwards.
|
||||||
|
|
||||||
The problem with combining this concept with ArgoCD is that ArgoCD re-renders the Helm chart every time. Even if the
|
The problem with combining this concept with ArgoCD is that ArgoCD re-renders the Helm chart every time. Even if the
|
||||||
content of the config map or secret has not changed, there may be minimal differences (e.g., whitespace, chart version,
|
content of the config map or secret has not changed, there may be minimal differences (e.g., whitespace, chart version,
|
||||||
@@ -158,20 +210,50 @@ Helm render order, different timestamps).
|
|||||||
This changes the SHA256 hash, Argo sees a drift and trigger a rolling update of the deployment. Among other things, this
|
This changes the SHA256 hash, Argo sees a drift and trigger a rolling update of the deployment. Among other things, this
|
||||||
can lead to unnecessary notifications from ArgoCD.
|
can lead to unnecessary notifications from ArgoCD.
|
||||||
|
|
||||||
To avoid this, the annotation with the shasum must be ignored. Below is a diff that adds the `Application` to ignore all
|
To avoid this, the annotation with the shasum can be ignored. However, this negates the mechanism of [Automatically Roll
|
||||||
annotations with the prefix `checksum`.
|
Deployments](https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments).
|
||||||
|
|
||||||
|
Below is a diff that adds the `Application` to ignore all annotations with the prefix `checksum`.
|
||||||
|
|
||||||
|
> [!WARNING]
|
||||||
|
> Configurations of `ignoreDifferences` always refer to the determination of a drift and whether a possible sync is
|
||||||
|
> necessary. If the selected attributes should also be ignored in deployment afterwards, define
|
||||||
|
> `RespectIgnoreDifferences=true` in your `Application` resource. Further information can be found in the ArgoCD
|
||||||
|
> [documentation](https://argo-cd.readthedocs.io/en/latest/user-guide/sync-options/#respect-ignore-differences-configs).
|
||||||
|
|
||||||
```diff
|
```diff
|
||||||
apiVersion: argoproj.io/v1alpha1
|
apiVersion: argoproj.io/v1alpha1
|
||||||
kind: Application
|
kind: Application
|
||||||
spec:
|
spec:
|
||||||
+ ignoreDifferences:
|
+ ignoreDifferences:
|
||||||
+ - group: apps/v1
|
+ - group: apps
|
||||||
+ kind: Deployment
|
+ kind: Deployment
|
||||||
+ jqPathExpressions:
|
+ jqPathExpressions:
|
||||||
+ - '.spec.template.metadata.annotations | with_entries(select(.key | startswith("checksum")))'
|
+ - '.spec.template.metadata.annotations | with_entries(select(.key | startswith("checksum")))'
|
||||||
```
|
```
|
||||||
|
|
||||||
|
The definition of ignoreDifferences ensures that annotations with the prefix checksum are ignored during a diff.
|
||||||
|
|
||||||
|
> [!TIP]
|
||||||
|
> If the [reloader](https://github.com/stakater/Reloader) is configured as described in section [TLS certificate
|
||||||
|
> rotation](#tls-certificate-rotation), ensure that the shasum defined as annotation or environment variable is also
|
||||||
|
> ignored. The [reloader](https://github.com/stakater/Reloader) will modify the deployment based on his configuration
|
||||||
|
> and append additional annotations or environment variables containing the shasum. Below are some examples how to adapt
|
||||||
|
> the `ignoreDifferences` configuration to ignore only the annotations and environment variables of stakater's
|
||||||
|
> [reloader](https://github.com/stakater/Reloader).
|
||||||
|
|
||||||
|
```diff
|
||||||
|
apiVersion: argoproj.io/v1alpha1
|
||||||
|
kind: Application
|
||||||
|
spec:
|
||||||
|
ignoreDifferences:
|
||||||
|
- group: apps
|
||||||
|
kind: Deployment
|
||||||
|
jqPathExpressions:
|
||||||
|
+ - '.spec.template.metadata.annotations | with_entries(select(.key | startswith("reloader")))'
|
||||||
|
+ - '.spec.template.spec.containers[].env[] | select(.name | startswith("STAKATER_"))'
|
||||||
|
```
|
||||||
|
|
||||||
## Parameters
|
## Parameters
|
||||||
|
|
||||||
### Global
|
### Global
|
||||||
@@ -181,6 +263,36 @@ annotations with the prefix `checksum`.
|
|||||||
| `nameOverride` | Individual release name suffix. | `""` |
|
| `nameOverride` | Individual release name suffix. | `""` |
|
||||||
| `fullnameOverride` | Override the complete release name logic. | `""` |
|
| `fullnameOverride` | Override the complete release name logic. | `""` |
|
||||||
|
|
||||||
|
### Certificate
|
||||||
|
|
||||||
|
| Name | Description | Value |
|
||||||
|
| --------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------- |
|
||||||
|
| `certificate.enabled` | Issue a TLS certificate via cert-manager. If enabled, the environment variables `ATHENS_TLSCERT_FILE` and `ATHENS_TLSKEY_FILE` will be automatically added. | `false` |
|
||||||
|
| `certificate.existingSecret.enabled` | Use an existing secret of the type `kubernetes.io/tls`. | `false` |
|
||||||
|
| `certificate.existingSecret.secretName` | Name of the secret containing the TLS certificate and private key. | `""` |
|
||||||
|
| `certificate.new.annotations` | Additional certificate annotations. | `{}` |
|
||||||
|
| `certificate.new.labels` | Additional certificate labels. | `{}` |
|
||||||
|
| `certificate.new.duration` | Duration of the TLS certificate. | `744h` |
|
||||||
|
| `certificate.new.renewBefore` | Renew TLS certificate before expiring. | `672h` |
|
||||||
|
| `certificate.new.dnsNames` | Overwrites the default of the subject alternative DNS names. | `[]` |
|
||||||
|
| `certificate.new.ipAddresses` | Overwrites the default of the subject alternative IP addresses. | `[]` |
|
||||||
|
| `certificate.new.issuerRef.kind` | Issuer kind. Can be `Issuer` or `ClusterIssuer`. | `""` |
|
||||||
|
| `certificate.new.issuerRef.name` | Name of the `Issuer` or `ClusterIssuer`. | `""` |
|
||||||
|
| `certificate.new.privateKey.algorithm` | Algorithm of the private TLS key. | `RSA` |
|
||||||
|
| `certificate.new.privateKey.rotationPolicy` | Rotation of the private TLS key. | `Never` |
|
||||||
|
| `certificate.new.privateKey.size` | Size of the private TLS key. | `4096` |
|
||||||
|
| `certificate.new.secretTemplate.annotations` | Additional annotation of the created secret. | `{}` |
|
||||||
|
| `certificate.new.secretTemplate.labels` | Additional labels of the created secret. | `{}` |
|
||||||
|
| `certificate.new.subject.countries` | List of countries. | `[]` |
|
||||||
|
| `certificate.new.subject.localities` | List of localities. | `[]` |
|
||||||
|
| `certificate.new.subject.organizationalUnits` | List of organizationalUnits. | `[]` |
|
||||||
|
| `certificate.new.subject.organizations` | List of organizations. | `[]` |
|
||||||
|
| `certificate.new.subject.postalCodes` | List of postalCodes. | `[]` |
|
||||||
|
| `certificate.new.subject.provinces` | List of provinces. | `[]` |
|
||||||
|
| `certificate.new.subject.serialNumber` | Serial number. | `""` |
|
||||||
|
| `certificate.new.subject.streetAddresses` | List of streetAddresses. | `[]` |
|
||||||
|
| `certificate.new.usages` | Define the usage of the TLS key. | `["client auth","server auth"]` |
|
||||||
|
|
||||||
### Configuration
|
### Configuration
|
||||||
|
|
||||||
| Name | Description | Value |
|
| Name | Description | Value |
|
||||||
@@ -257,7 +369,7 @@ annotations with the prefix `checksum`.
|
|||||||
| `deployment.terminationGracePeriodSeconds` | How long to wait until forcefully kill the pod. | `60` |
|
| `deployment.terminationGracePeriodSeconds` | How long to wait until forcefully kill the pod. | `60` |
|
||||||
| `deployment.tolerations` | Tolerations of the athens-proxy deployment. | `[]` |
|
| `deployment.tolerations` | Tolerations of the athens-proxy deployment. | `[]` |
|
||||||
| `deployment.topologySpreadConstraints` | TopologySpreadConstraints of the athens-proxy deployment. | `[]` |
|
| `deployment.topologySpreadConstraints` | TopologySpreadConstraints of the athens-proxy deployment. | `[]` |
|
||||||
| `deployment.volumes` | Additional volumes to mount into the pods of the prometheus-exporter deployment. | `[]` |
|
| `deployment.volumes` | Additional volumes to mount into the pods of the athens-proxy deployment. | `[]` |
|
||||||
|
|
||||||
### Horizontal Pod Autoscaler (HPA)
|
### Horizontal Pod Autoscaler (HPA)
|
||||||
|
|
||||||
@@ -287,14 +399,20 @@ annotations with the prefix `checksum`.
|
|||||||
| -------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------- |
|
| -------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------- |
|
||||||
| `persistence.enabled` | Enable the feature to store the data on a persistent volume claim. If enabled, the volume will be automatically be mounted into the pod. Furthermore, the env `ATHENS_STORAGE_TYPE=disk` will automatically be defined. | `false` |
|
| `persistence.enabled` | Enable the feature to store the data on a persistent volume claim. If enabled, the volume will be automatically be mounted into the pod. Furthermore, the env `ATHENS_STORAGE_TYPE=disk` will automatically be defined. | `false` |
|
||||||
| `persistence.data.mountPath` | The path where the persistent volume should be mounted in the container file system. This variable controls `ATHENS_DISK_STORAGE_ROOT`. | `/var/www/athens-proxy/data` |
|
| `persistence.data.mountPath` | The path where the persistent volume should be mounted in the container file system. This variable controls `ATHENS_DISK_STORAGE_ROOT`. | `/var/www/athens-proxy/data` |
|
||||||
| `persistence.data.existingPersistentVolumeClaim.enabled` | TODO | `false` |
|
| `persistence.data.existingPersistentVolumeClaim.enabled` | Use an existing persistent volume claim. | `false` |
|
||||||
| `persistence.data.existingPersistentVolumeClaim.persistentVolumeClaimName` | TODO | `""` |
|
| `persistence.data.existingPersistentVolumeClaim.persistentVolumeClaimName` | The name of the existing persistent volume claim. | `""` |
|
||||||
| `persistence.data.persistentVolumeClaim.annotations` | Additional persistent volume claim annotations. | `{}` |
|
| `persistence.data.persistentVolumeClaim.annotations` | Additional persistent volume claim annotations. | `{}` |
|
||||||
| `persistence.data.persistentVolumeClaim.labels` | Additional persistent volume claim labels. | `{}` |
|
| `persistence.data.persistentVolumeClaim.labels` | Additional persistent volume claim labels. | `{}` |
|
||||||
| `persistence.data.persistentVolumeClaim.accessModes` | Access modes of the persistent volume claim. | `["ReadWriteMany"]` |
|
| `persistence.data.persistentVolumeClaim.accessModes` | Access modes of the persistent volume claim. | `["ReadWriteMany"]` |
|
||||||
| `persistence.data.persistentVolumeClaim.storageClass` | Storage class of the persistent volume claim. | `""` |
|
| `persistence.data.persistentVolumeClaim.storageClassName` | Storage class of the persistent volume claim. | `""` |
|
||||||
| `persistence.data.persistentVolumeClaim.storageSize` | Size of the persistent volume claim. | `5Gi` |
|
| `persistence.data.persistentVolumeClaim.storageSize` | Size of the persistent volume claim. | `5Gi` |
|
||||||
|
|
||||||
|
### Network
|
||||||
|
|
||||||
|
| Name | Description | Value |
|
||||||
|
| --------------- | ------------------------------------------------------------------------ | --------------- |
|
||||||
|
| `clusterDomain` | Domain of the Cluster. Domain is part of internally issued certificates. | `cluster.local` |
|
||||||
|
|
||||||
### Network Policy
|
### Network Policy
|
||||||
|
|
||||||
| Name | Description | Value |
|
| Name | Description | Value |
|
||||||
|
@@ -31,6 +31,16 @@
|
|||||||
"packageNameTemplate": "https://git.cryptic.systems/volker.raschek/athens-proxy-charts",
|
"packageNameTemplate": "https://git.cryptic.systems/volker.raschek/athens-proxy-charts",
|
||||||
"datasourceTemplate": "git-tags",
|
"datasourceTemplate": "git-tags",
|
||||||
"versioningTemplate": "semver"
|
"versioningTemplate": "semver"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"customType": "regex",
|
||||||
|
"datasourceTemplate": "github-releases",
|
||||||
|
"fileMatch": [
|
||||||
|
".vscode/settings\\.json$"
|
||||||
|
],
|
||||||
|
"matchStrings": [
|
||||||
|
"https:\\/\\/raw\\.githubusercontent\\.com\\/(?<depName>[^\\s]+?)\\/(?<currentValue>v[0-9.]+?)\\/schema\\/helm-testsuite\\.json"
|
||||||
|
]
|
||||||
}
|
}
|
||||||
],
|
],
|
||||||
"packageRules": [
|
"packageRules": [
|
||||||
@@ -41,6 +51,20 @@
|
|||||||
"volkerraschek/helm"
|
"volkerraschek/helm"
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
|
{
|
||||||
|
"automerge": true,
|
||||||
|
"groupName": "Update helm plugin 'unittest'",
|
||||||
|
"matchDepNames": [
|
||||||
|
"helm-unittest/helm-unittest"
|
||||||
|
],
|
||||||
|
"matchDatasources": [
|
||||||
|
"github-releases"
|
||||||
|
],
|
||||||
|
"matchUpdateTypes": [
|
||||||
|
"minor",
|
||||||
|
"patch"
|
||||||
|
]
|
||||||
|
},
|
||||||
{
|
{
|
||||||
"groupName": "Update docker.io/library/node",
|
"groupName": "Update docker.io/library/node",
|
||||||
"matchDepNames": [
|
"matchDepNames": [
|
||||||
|
25
templates/_certificate.tpl
Normal file
25
templates/_certificate.tpl
Normal file
@@ -0,0 +1,25 @@
|
|||||||
|
{{/* vim: set filetype=mustache: */}}
|
||||||
|
|
||||||
|
{{/* annotations */}}
|
||||||
|
|
||||||
|
{{- define "athens-proxy.certificates.server.annotations" -}}
|
||||||
|
{{ include "athens-proxy.annotations" . }}
|
||||||
|
{{- if .Values.certificate.new.annotations }}
|
||||||
|
{{ toYaml .Values.certificate.new.annotations }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
|
||||||
|
{{/* labels */}}
|
||||||
|
|
||||||
|
{{- define "athens-proxy.certificates.server.labels" -}}
|
||||||
|
{{ include "athens-proxy.labels" . }}
|
||||||
|
{{- if .Values.certificate.new.labels }}
|
||||||
|
{{ toYaml .Values.certificate.new.labels }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
|
||||||
|
{{/* names */}}
|
||||||
|
|
||||||
|
{{- define "athens-proxy.certificates.server.name" -}}
|
||||||
|
{{ include "athens-proxy.fullname" . }}-tls
|
||||||
|
{{- end -}}
|
@@ -26,6 +26,13 @@
|
|||||||
{{- $env = concat $env (list (dict "name" "GOMAXPROCS" "valueFrom" (dict "resourceFieldRef" (dict "divisor" "1" "resource" "limits.cpu")))) }}
|
{{- $env = concat $env (list (dict "name" "GOMAXPROCS" "valueFrom" (dict "resourceFieldRef" (dict "divisor" "1" "resource" "limits.cpu")))) }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
|
||||||
|
{{- if .Values.certificate.enabled }}
|
||||||
|
{{- $env = concat $env (list
|
||||||
|
(dict "name" "ATHENS_TLSCERT_FILE" "value" "/etc/athens-proxy/tls/tls.crt")
|
||||||
|
(dict "name" "ATHENS_TLSKEY_FILE" "value" "/etc/athens-proxy/tls/tls.key")
|
||||||
|
) }}
|
||||||
|
{{- end }}
|
||||||
|
|
||||||
{{ toYaml (dict "env" $env) }}
|
{{ toYaml (dict "env" $env) }}
|
||||||
|
|
||||||
{{- end -}}
|
{{- end -}}
|
||||||
@@ -124,6 +131,12 @@
|
|||||||
|
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
|
||||||
|
|
||||||
|
{{/* volumeMounts (tls) */}}
|
||||||
|
{{- if .Values.certificate.enabled }}
|
||||||
|
{{- $volumeMounts = concat $volumeMounts (list (dict "name" "tls" "mountPath" "/etc/athens-proxy/tls" )) }}
|
||||||
|
{{- end }}
|
||||||
|
|
||||||
{{ toYaml (dict "volumeMounts" $volumeMounts) }}
|
{{ toYaml (dict "volumeMounts" $volumeMounts) }}
|
||||||
{{- end -}}
|
{{- end -}}
|
||||||
|
|
||||||
@@ -252,5 +265,15 @@
|
|||||||
{{- $volumes = concat $volumes (list $projectedSecretVolume) }}
|
{{- $volumes = concat $volumes (list $projectedSecretVolume) }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
|
||||||
|
{{/* volumes (tls) */}}
|
||||||
|
{{- if .Values.certificate.enabled }}
|
||||||
|
{{- $secretName := include "athens-proxy.certificates.server.name" $ }}
|
||||||
|
{{- if .Values.certificate.existingSecret.enabled }}
|
||||||
|
{{- $secretName := .Values.certificate.existingSecret.secretName }}
|
||||||
|
{{- end }}
|
||||||
|
{{- $volumes = concat $volumes (list (dict "name" "tls" "secret" (dict "secretName" $secretName))) }}
|
||||||
|
{{- end }}
|
||||||
|
|
||||||
|
|
||||||
{{ toYaml (dict "volumes" $volumes) }}
|
{{ toYaml (dict "volumes" $volumes) }}
|
||||||
{{- end -}}
|
{{- end -}}
|
97
templates/certificate.yaml
Normal file
97
templates/certificate.yaml
Normal file
@@ -0,0 +1,97 @@
|
|||||||
|
{{- if and .Values.certificate.enabled (not .Values.certificate.existingSecret.enabled) -}}
|
||||||
|
---
|
||||||
|
apiVersion: cert-manager.io/v1
|
||||||
|
kind: Certificate
|
||||||
|
metadata:
|
||||||
|
{{- with (include "athens-proxy.certificates.server.annotations" . | fromYaml) }}
|
||||||
|
annotations:
|
||||||
|
{{- toYaml . | nindent 4 }}
|
||||||
|
{{- end }}
|
||||||
|
{{- with (include "athens-proxy.certificates.server.labels" . | fromYaml) }}
|
||||||
|
labels:
|
||||||
|
{{- toYaml . | nindent 4 }}
|
||||||
|
{{- end }}
|
||||||
|
name: {{ include "athens-proxy.certificates.server.name" . }}
|
||||||
|
namespace: {{ .Release.Namespace }}
|
||||||
|
spec:
|
||||||
|
commonName: {{ include "athens-proxy.fullname" . }}
|
||||||
|
{{- if empty .Values.certificate.new.dnsNames }}
|
||||||
|
dnsNames:
|
||||||
|
- {{ include "athens-proxy.fullname" . }}
|
||||||
|
- {{ include "athens-proxy.fullname" . }}.{{ .Release.Namespace }}
|
||||||
|
- {{ include "athens-proxy.fullname" . }}.{{ .Release.Namespace }}.svc
|
||||||
|
- {{ include "athens-proxy.fullname" . }}.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }}
|
||||||
|
{{- else }}
|
||||||
|
dnsNames:
|
||||||
|
{{- range .Values.certificate.new.dnsNames }}
|
||||||
|
- {{ . }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
duration: {{ .Values.certificate.new.duration }}
|
||||||
|
{{- if not (empty .Values.certificate.new.ipAddresses) }}
|
||||||
|
ipAddresses:
|
||||||
|
{{- range .Values.certificate.new.ipAddresses }}
|
||||||
|
- {{ . }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
isCA: false
|
||||||
|
issuerRef:
|
||||||
|
kind: {{ required "No certificate issuer kind defined!" .Values.certificate.new.issuerRef.kind }}
|
||||||
|
name: {{ required "No certificate issuer name defined!" .Values.certificate.new.issuerRef.name }}
|
||||||
|
privateKey:
|
||||||
|
algorithm: {{ .Values.certificate.new.privateKey.algorithm }}
|
||||||
|
rotationPolicy: {{ .Values.certificate.new.privateKey.rotationPolicy }}
|
||||||
|
size: {{ .Values.certificate.new.privateKey.size }}
|
||||||
|
renewBefore: {{ .Values.certificate.new.renewBefore }}
|
||||||
|
secretName: {{ include "athens-proxy.certificates.server.name" . }}
|
||||||
|
{{- with .Values.certificate.new.secretTemplate }}
|
||||||
|
secretTemplate:
|
||||||
|
{{- toYaml . | nindent 4 }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if or .Values.certificate.new.subject.countries
|
||||||
|
.Values.certificate.new.subject.localities
|
||||||
|
.Values.certificate.new.subject.organizationalUnits
|
||||||
|
.Values.certificate.new.subject.organizations
|
||||||
|
.Values.certificate.new.subject.postalCodes
|
||||||
|
.Values.certificate.new.subject.provinces
|
||||||
|
.Values.certificate.new.subject.serialNumber
|
||||||
|
.Values.certificate.new.subject.streetAddresses
|
||||||
|
}}
|
||||||
|
subject:
|
||||||
|
{{- with .Values.certificate.new.subject.countries }}
|
||||||
|
countries:
|
||||||
|
{{- toYaml . | nindent 4 }}
|
||||||
|
{{- end }}
|
||||||
|
{{- with .Values.certificate.new.subject.localities }}
|
||||||
|
localities:
|
||||||
|
{{- toYaml . | nindent 4 }}
|
||||||
|
{{- end }}
|
||||||
|
{{- with .Values.certificate.new.subject.organizationalUnits }}
|
||||||
|
organizationalUnits:
|
||||||
|
{{- toYaml . | nindent 4 }}
|
||||||
|
{{- end }}
|
||||||
|
{{- with .Values.certificate.new.subject.organizations }}
|
||||||
|
organizations:
|
||||||
|
{{- toYaml . | nindent 4 }}
|
||||||
|
{{- end }}
|
||||||
|
{{- with .Values.certificate.new.subject.postalCodes }}
|
||||||
|
postalCodes:
|
||||||
|
{{- toYaml . | nindent 4 }}
|
||||||
|
{{- end }}
|
||||||
|
{{- with .Values.certificate.new.subject.provinces }}
|
||||||
|
provinces:
|
||||||
|
{{- toYaml . | nindent 4 }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.certificate.new.subject.serialNumber }}
|
||||||
|
serialNumber: {{ .Values.certificate.new.subject.serialNumber }}
|
||||||
|
{{- end }}
|
||||||
|
{{- with .Values.certificate.new.subject.streetAddresses }}
|
||||||
|
streetAddresses:
|
||||||
|
{{- toYaml . | nindent 4 }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
usages:
|
||||||
|
{{- range .Values.certificate.new.usages }}
|
||||||
|
- {{ . }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
@@ -11,7 +11,7 @@ metadata:
|
|||||||
labels:
|
labels:
|
||||||
{{- toYaml . | nindent 4 }}
|
{{- toYaml . | nindent 4 }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
name: {{ include "athens-proxy.fullname" . }}-git-config
|
name: {{ include "athens-proxy.configMap.gitConfig.name" . }}
|
||||||
namespace: {{ .Release.Namespace }}
|
namespace: {{ .Release.Namespace }}
|
||||||
data:
|
data:
|
||||||
.gitconfig: |
|
.gitconfig: |
|
||||||
|
@@ -50,16 +50,24 @@ spec:
|
|||||||
image: {{ include "athens-proxy.deployment.images.athens-proxy.fqin" . | quote }}
|
image: {{ include "athens-proxy.deployment.images.athens-proxy.fqin" . | quote }}
|
||||||
imagePullPolicy: {{ .Values.deployment.athensProxy.image.pullPolicy }}
|
imagePullPolicy: {{ .Values.deployment.athensProxy.image.pullPolicy }}
|
||||||
livenessProbe:
|
livenessProbe:
|
||||||
tcpSocket:
|
exec:
|
||||||
port: http
|
{{- if not .Values.certificate.enabled }}
|
||||||
|
command: [ "wget", "-T", "3", "-O", "/dev/null", "http://localhost:3000" ]
|
||||||
|
{{- else }}
|
||||||
|
command: [ "wget", "--no-check-certificate", "-T", "3", "-O", "/dev/null", "https://localhost:3000" ]
|
||||||
|
{{- end }}
|
||||||
failureThreshold: 3
|
failureThreshold: 3
|
||||||
initialDelaySeconds: 5
|
initialDelaySeconds: 5
|
||||||
periodSeconds: 60
|
periodSeconds: 60
|
||||||
successThreshold: 1
|
successThreshold: 1
|
||||||
timeoutSeconds: 3
|
timeoutSeconds: 3
|
||||||
readinessProbe:
|
readinessProbe:
|
||||||
tcpSocket:
|
exec:
|
||||||
port: http
|
{{- if not .Values.certificate.enabled }}
|
||||||
|
command: [ "wget", "-T", "3", "-O", "/dev/null", "http://localhost:3000" ]
|
||||||
|
{{- else }}
|
||||||
|
command: [ "wget", "--no-check-certificate", "-T", "3", "-O", "/dev/null", "https://localhost:3000" ]
|
||||||
|
{{- end }}
|
||||||
failureThreshold: 3
|
failureThreshold: 3
|
||||||
initialDelaySeconds: 5
|
initialDelaySeconds: 5
|
||||||
periodSeconds: 15
|
periodSeconds: 15
|
||||||
|
300
unittests/certificates/certificate.yaml
Normal file
300
unittests/certificates/certificate.yaml
Normal file
@@ -0,0 +1,300 @@
|
|||||||
|
chart:
|
||||||
|
appVersion: 0.1.0
|
||||||
|
version: 0.1.0
|
||||||
|
suite: Certificate athens-proxy template
|
||||||
|
release:
|
||||||
|
name: athens-proxy-unittest
|
||||||
|
namespace: testing
|
||||||
|
templates:
|
||||||
|
- templates/certificate.yaml
|
||||||
|
tests:
|
||||||
|
- it: Skip rendering by default.
|
||||||
|
asserts:
|
||||||
|
- hasDocuments:
|
||||||
|
count: 0
|
||||||
|
|
||||||
|
- it: Skip rendering for existing certificate
|
||||||
|
set:
|
||||||
|
certificate.enabled: true
|
||||||
|
certificate.existingSecret.enabled: true
|
||||||
|
asserts:
|
||||||
|
- hasDocuments:
|
||||||
|
count: 0
|
||||||
|
|
||||||
|
- it: Throw error when issuerKind and IssuerName is not defined
|
||||||
|
set:
|
||||||
|
certificate.enabled: true
|
||||||
|
asserts:
|
||||||
|
- failedTemplate:
|
||||||
|
errorMessage: "No certificate issuer kind defined!"
|
||||||
|
|
||||||
|
- it: Throw error when issuerKind and IssuerName is not defined
|
||||||
|
set:
|
||||||
|
certificate.enabled: true
|
||||||
|
asserts:
|
||||||
|
- failedTemplate: {}
|
||||||
|
|
||||||
|
- it: Throw error when issuerKind not defined
|
||||||
|
set:
|
||||||
|
certificate.enabled: true
|
||||||
|
certificate.new.issuerRef.name: "my-issuer"
|
||||||
|
asserts:
|
||||||
|
- failedTemplate:
|
||||||
|
errorMessage: "No certificate issuer kind defined!"
|
||||||
|
|
||||||
|
- it: Throw error when issuerName not defined
|
||||||
|
set:
|
||||||
|
certificate.enabled: true
|
||||||
|
certificate.new.issuerRef.kind: "ClusterIssuer"
|
||||||
|
asserts:
|
||||||
|
- failedTemplate:
|
||||||
|
errorMessage: "No certificate issuer name defined!"
|
||||||
|
|
||||||
|
- it: Rendering Certificate object when certificate.enabled=true (default)
|
||||||
|
set:
|
||||||
|
certificate.enabled: true
|
||||||
|
certificate.new.issuerRef.kind: ClusterIssuer
|
||||||
|
certificate.new.issuerRef.name: my-issuer
|
||||||
|
asserts:
|
||||||
|
- hasDocuments:
|
||||||
|
count: 1
|
||||||
|
- containsDocument:
|
||||||
|
apiVersion: cert-manager.io/v1
|
||||||
|
kind: Certificate
|
||||||
|
name: athens-proxy-unittest-tls
|
||||||
|
namespace: testing
|
||||||
|
- equal:
|
||||||
|
path: spec.commonName
|
||||||
|
value: athens-proxy-unittest
|
||||||
|
- equal:
|
||||||
|
path: spec.duration
|
||||||
|
value: 744h
|
||||||
|
- equal:
|
||||||
|
path: spec.dnsNames
|
||||||
|
value: [ "athens-proxy-unittest", "athens-proxy-unittest.testing", "athens-proxy-unittest.testing.svc", "athens-proxy-unittest.testing.svc.cluster.local" ]
|
||||||
|
- notExists:
|
||||||
|
path: spec.ipAddresses
|
||||||
|
- equal:
|
||||||
|
path: spec.isCA
|
||||||
|
value: false
|
||||||
|
- equal:
|
||||||
|
path: spec.issuerRef.kind
|
||||||
|
value: ClusterIssuer
|
||||||
|
- equal:
|
||||||
|
path: spec.issuerRef.name
|
||||||
|
value: my-issuer
|
||||||
|
- equal:
|
||||||
|
path: spec.privateKey.algorithm
|
||||||
|
value: RSA
|
||||||
|
- equal:
|
||||||
|
path: spec.privateKey.size
|
||||||
|
value: 4096
|
||||||
|
- equal:
|
||||||
|
path: spec.privateKey.rotationPolicy
|
||||||
|
value: Never
|
||||||
|
- equal:
|
||||||
|
path: spec.secretName
|
||||||
|
value: athens-proxy-unittest-tls
|
||||||
|
- exists:
|
||||||
|
path: spec.secretTemplate.annotations
|
||||||
|
- exists:
|
||||||
|
path: spec.secretTemplate.labels
|
||||||
|
- notExists:
|
||||||
|
path: spec.subject
|
||||||
|
- notExists:
|
||||||
|
path: spec.subject.countries
|
||||||
|
- notExists:
|
||||||
|
path: spec.subject.localities
|
||||||
|
- notExists:
|
||||||
|
path: spec.subject.organizationalUnits
|
||||||
|
- notExists:
|
||||||
|
path: spec.subject.organizations
|
||||||
|
- notExists:
|
||||||
|
path: spec.subject.postalCodes
|
||||||
|
- notExists:
|
||||||
|
path: spec.subject.provinces
|
||||||
|
- notExists:
|
||||||
|
path: spec.subject.serialNumber
|
||||||
|
- notExists:
|
||||||
|
path: spec.subject.streetAddresses
|
||||||
|
- equal:
|
||||||
|
path: spec.renewBefore
|
||||||
|
value: 672h
|
||||||
|
- equal:
|
||||||
|
path: spec.usages
|
||||||
|
value: [ "client auth", "server auth" ]
|
||||||
|
|
||||||
|
# metadata.annotations
|
||||||
|
- it: Rendering Certificate object with additional annotations and labels
|
||||||
|
set:
|
||||||
|
certificate.enabled: true
|
||||||
|
certificate.new.issuerRef.kind: ClusterIssuer
|
||||||
|
certificate.new.issuerRef.name: my-issuer
|
||||||
|
certificate.new.annotations:
|
||||||
|
foo: bar
|
||||||
|
certificate.new.labels:
|
||||||
|
bar: foo
|
||||||
|
asserts:
|
||||||
|
- isSubset:
|
||||||
|
path: metadata.annotations
|
||||||
|
content:
|
||||||
|
foo: bar
|
||||||
|
- isSubset:
|
||||||
|
path: metadata.labels
|
||||||
|
content:
|
||||||
|
bar: foo
|
||||||
|
|
||||||
|
# spec.duration
|
||||||
|
- it: Rendering Certificate object with custom `.Values.certificate.new.duration`.
|
||||||
|
set:
|
||||||
|
certificate.enabled: true
|
||||||
|
certificate.new.issuerRef.kind: ClusterIssuer
|
||||||
|
certificate.new.issuerRef.name: my-issuer
|
||||||
|
certificate.new.duration: 3000h
|
||||||
|
asserts:
|
||||||
|
- equal:
|
||||||
|
path: spec.duration
|
||||||
|
value: 3000h
|
||||||
|
|
||||||
|
# spec.dnsNames
|
||||||
|
- it: Rendering Certificate object with custom `.Values.certificate.new.dnsNames`.
|
||||||
|
set:
|
||||||
|
certificate.enabled: true
|
||||||
|
certificate.new.issuerRef.kind: ClusterIssuer
|
||||||
|
certificate.new.issuerRef.name: my-issuer
|
||||||
|
certificate.new.dnsNames: [ "app", "app.example.local" ]
|
||||||
|
asserts:
|
||||||
|
- equal:
|
||||||
|
path: spec.dnsNames
|
||||||
|
value: [ "app", "app.example.local" ]
|
||||||
|
|
||||||
|
# spec.dnsNames
|
||||||
|
- it: Rendering Certificate object with custom `.Values.clusterDomain` as domain.
|
||||||
|
set:
|
||||||
|
certificate.enabled: true
|
||||||
|
certificate.new.issuerRef.kind: ClusterIssuer
|
||||||
|
certificate.new.issuerRef.name: my-issuer
|
||||||
|
clusterDomain: k8s.example.local
|
||||||
|
asserts:
|
||||||
|
- contains:
|
||||||
|
path: spec.dnsNames
|
||||||
|
content:
|
||||||
|
athens-proxy-unittest.testing.svc.k8s.example.local
|
||||||
|
count: 1
|
||||||
|
|
||||||
|
# spec.ipAddresses
|
||||||
|
- it: RRendering Certificate object with custom `.Values.certificate.new.ipAddresses`.
|
||||||
|
set:
|
||||||
|
certificate.enabled: true
|
||||||
|
certificate.new.issuerRef.kind: ClusterIssuer
|
||||||
|
certificate.new.issuerRef.name: my-issuer
|
||||||
|
certificate.new.ipAddresses: [ "10.11.12.13", "fe00:xxyy:xxyy" ]
|
||||||
|
asserts:
|
||||||
|
- equal:
|
||||||
|
path: spec.ipAddresses
|
||||||
|
value: [ "10.11.12.13", "fe00:xxyy:xxyy" ]
|
||||||
|
|
||||||
|
# spec.privateKey
|
||||||
|
- it: Rendering Certificate object with custom `.Values.certificate.new.privateKey` values.
|
||||||
|
set:
|
||||||
|
certificate.enabled: true
|
||||||
|
certificate.new.issuerRef.kind: ClusterIssuer
|
||||||
|
certificate.new.issuerRef.name: my-issuer
|
||||||
|
certificate.new.privateKey.algorithm: ED25519
|
||||||
|
certificate.new.privateKey.rotationPolicy: Never
|
||||||
|
certificate.new.privateKey.size: 512
|
||||||
|
asserts:
|
||||||
|
- equal:
|
||||||
|
path: spec.privateKey.algorithm
|
||||||
|
value: ED25519
|
||||||
|
- equal:
|
||||||
|
path: spec.privateKey.rotationPolicy
|
||||||
|
value: Never
|
||||||
|
- equal:
|
||||||
|
path: spec.privateKey.size
|
||||||
|
value: 512
|
||||||
|
|
||||||
|
# spec.renewBefore
|
||||||
|
- it: Rendering Certificate object with custom `.Values.certificate.new.renewBefore`.
|
||||||
|
set:
|
||||||
|
certificate.enabled: true
|
||||||
|
certificate.new.issuerRef.kind: ClusterIssuer
|
||||||
|
certificate.new.issuerRef.name: my-issuer
|
||||||
|
certificate.new.renewBefore: 2000h
|
||||||
|
asserts:
|
||||||
|
- equal:
|
||||||
|
path: spec.renewBefore
|
||||||
|
value: 2000h
|
||||||
|
|
||||||
|
# spec.secretTemplate
|
||||||
|
- it: Rendering Certificate object with custom `.Values.certificate.new.secretTemplate` values.
|
||||||
|
set:
|
||||||
|
certificate.enabled: true
|
||||||
|
certificate.new.issuerRef.kind: ClusterIssuer
|
||||||
|
certificate.new.issuerRef.name: my-issuer
|
||||||
|
certificate.new.secretTemplate:
|
||||||
|
annotations:
|
||||||
|
foo: bar
|
||||||
|
labels:
|
||||||
|
bar: foo
|
||||||
|
asserts:
|
||||||
|
- equal:
|
||||||
|
path: spec.secretTemplate.annotations
|
||||||
|
value:
|
||||||
|
foo: bar
|
||||||
|
- equal:
|
||||||
|
path: spec.secretTemplate.labels
|
||||||
|
value:
|
||||||
|
bar: foo
|
||||||
|
|
||||||
|
# spec.secretTemplate
|
||||||
|
- it: Rendering Certificate object with custom `.Values.certificate.new.subject` values.
|
||||||
|
set:
|
||||||
|
certificate.enabled: true
|
||||||
|
certificate.new.issuerRef.kind: ClusterIssuer
|
||||||
|
certificate.new.issuerRef.name: my-issuer
|
||||||
|
certificate.new.subject.countries: [ "Country" ]
|
||||||
|
certificate.new.subject.localities: [ "City" ]
|
||||||
|
certificate.new.subject.organizationalUnits: [ "IT department" ]
|
||||||
|
certificate.new.subject.organizations: [ "My organization" ]
|
||||||
|
certificate.new.subject.postalCodes: [ "AB12345", "12345AB" ]
|
||||||
|
certificate.new.subject.provinces: [ "Provinces" ]
|
||||||
|
certificate.new.subject.serialNumber: "MyNumber"
|
||||||
|
certificate.new.subject.streetAddresses: [ "ExampleStreet 1", "StreetExample 2" ]
|
||||||
|
asserts:
|
||||||
|
- equal:
|
||||||
|
path: spec.subject.countries
|
||||||
|
value: [ "Country" ]
|
||||||
|
- equal:
|
||||||
|
path: spec.subject.localities
|
||||||
|
value: [ "City" ]
|
||||||
|
- equal:
|
||||||
|
path: spec.subject.organizationalUnits
|
||||||
|
value: [ "IT department" ]
|
||||||
|
- equal:
|
||||||
|
path: spec.subject.organizations
|
||||||
|
value: [ "My organization" ]
|
||||||
|
- equal:
|
||||||
|
path: spec.subject.postalCodes
|
||||||
|
value: [ "AB12345", "12345AB" ]
|
||||||
|
- equal:
|
||||||
|
path: spec.subject.provinces
|
||||||
|
value: [ "Provinces" ]
|
||||||
|
- equal:
|
||||||
|
path: spec.subject.serialNumber
|
||||||
|
value: "MyNumber"
|
||||||
|
- equal:
|
||||||
|
path: spec.subject.streetAddresses
|
||||||
|
value: [ "ExampleStreet 1", "StreetExample 2" ]
|
||||||
|
|
||||||
|
# spec.usages
|
||||||
|
- it: Rendering Certificate object with custom `.Values.certificate.new.usages`.
|
||||||
|
set:
|
||||||
|
certificate.enabled: true
|
||||||
|
certificate.new.issuerRef.kind: ClusterIssuer
|
||||||
|
certificate.new.issuerRef.name: my-issuer
|
||||||
|
certificate.new.usages: [ "client auth" ]
|
||||||
|
asserts:
|
||||||
|
- equal:
|
||||||
|
path: spec.usages
|
||||||
|
value: [ "client auth" ]
|
@@ -30,7 +30,7 @@ tests:
|
|||||||
- containsDocument:
|
- containsDocument:
|
||||||
apiVersion: v1
|
apiVersion: v1
|
||||||
kind: ConfigMap
|
kind: ConfigMap
|
||||||
name: athens-proxy-unittest-git-config
|
name: athens-proxy-unittest-gitconfig
|
||||||
namespace: testing
|
namespace: testing
|
||||||
- notExists:
|
- notExists:
|
||||||
path: metadata.annotations
|
path: metadata.annotations
|
||||||
|
73
unittests/deployment/certificate.yaml
Normal file
73
unittests/deployment/certificate.yaml
Normal file
@@ -0,0 +1,73 @@
|
|||||||
|
chart:
|
||||||
|
appVersion: 0.1.0
|
||||||
|
version: 0.1.0
|
||||||
|
suite: Deployment template
|
||||||
|
release:
|
||||||
|
name: athens-proxy-unittest
|
||||||
|
namespace: testing
|
||||||
|
templates:
|
||||||
|
- templates/configMapDownloadMode.yaml
|
||||||
|
- templates/configMapGitConfig.yaml
|
||||||
|
- templates/deployment.yaml
|
||||||
|
- templates/secretNetRC.yaml
|
||||||
|
- templates/secretSSH.yaml
|
||||||
|
tests:
|
||||||
|
- it: Rendering default without tls config
|
||||||
|
asserts:
|
||||||
|
- notContains:
|
||||||
|
path: spec.template.spec.containers[0].env
|
||||||
|
content:
|
||||||
|
name: ATHENS_TLSCERT_FILE
|
||||||
|
value: /etc/athens-proxy/tls/tls.crt
|
||||||
|
template: templates/deployment.yaml
|
||||||
|
- notContains:
|
||||||
|
path: spec.template.spec.containers[0].env
|
||||||
|
content:
|
||||||
|
name: ATHENS_TLSKEY_FILE
|
||||||
|
value: /etc/athens-proxy/tls/tls.key
|
||||||
|
template: templates/deployment.yaml
|
||||||
|
- notContains:
|
||||||
|
path: spec.template.spec.containers[0].volumeMounts
|
||||||
|
content:
|
||||||
|
name: tls
|
||||||
|
mountPath: /etc/athens-proxy/tls
|
||||||
|
template: templates/deployment.yaml
|
||||||
|
- notContains:
|
||||||
|
path: spec.template.spec.volumes
|
||||||
|
content:
|
||||||
|
name: tls
|
||||||
|
secretRef:
|
||||||
|
name: athens-proxy-unittest-tls
|
||||||
|
template: templates/deployment.yaml
|
||||||
|
|
||||||
|
- it: Rendering with tls config
|
||||||
|
set:
|
||||||
|
certificate.enabled: true
|
||||||
|
certificate.new.issuerRef.kind: ClusterIssuer
|
||||||
|
certificate.new.issuerRef.name: MyIssuer
|
||||||
|
asserts:
|
||||||
|
- contains:
|
||||||
|
path: spec.template.spec.containers[0].env
|
||||||
|
content:
|
||||||
|
name: ATHENS_TLSCERT_FILE
|
||||||
|
value: /etc/athens-proxy/tls/tls.crt
|
||||||
|
template: templates/deployment.yaml
|
||||||
|
- contains:
|
||||||
|
path: spec.template.spec.containers[0].env
|
||||||
|
content:
|
||||||
|
name: ATHENS_TLSKEY_FILE
|
||||||
|
value: /etc/athens-proxy/tls/tls.key
|
||||||
|
template: templates/deployment.yaml
|
||||||
|
- contains:
|
||||||
|
path: spec.template.spec.containers[0].volumeMounts
|
||||||
|
content:
|
||||||
|
name: tls
|
||||||
|
mountPath: /etc/athens-proxy/tls
|
||||||
|
template: templates/deployment.yaml
|
||||||
|
- contains:
|
||||||
|
path: spec.template.spec.volumes
|
||||||
|
content:
|
||||||
|
name: tls
|
||||||
|
secret:
|
||||||
|
secretName: athens-proxy-unittest-tls
|
||||||
|
template: templates/deployment.yaml
|
98
values.yaml
98
values.yaml
@@ -5,6 +5,77 @@
|
|||||||
nameOverride: ""
|
nameOverride: ""
|
||||||
fullnameOverride: ""
|
fullnameOverride: ""
|
||||||
|
|
||||||
|
## @section Certificate
|
||||||
|
certificate:
|
||||||
|
## @param certificate.enabled Issue a TLS certificate via cert-manager. If enabled, the environment variables `ATHENS_TLSCERT_FILE` and `ATHENS_TLSKEY_FILE` will be automatically added.
|
||||||
|
enabled: false
|
||||||
|
|
||||||
|
## @param certificate.existingSecret.enabled Use an existing secret of the type `kubernetes.io/tls`.
|
||||||
|
## @param certificate.existingSecret.secretName Name of the secret containing the TLS certificate and private key.
|
||||||
|
existingSecret:
|
||||||
|
enabled: false
|
||||||
|
secretName: ""
|
||||||
|
|
||||||
|
## @param certificate.new.annotations Additional certificate annotations.
|
||||||
|
## @param certificate.new.labels Additional certificate labels.
|
||||||
|
## @param certificate.new.duration Duration of the TLS certificate.
|
||||||
|
## @param certificate.new.renewBefore Renew TLS certificate before expiring.
|
||||||
|
## @param certificate.new.dnsNames Overwrites the default of the subject alternative DNS names.
|
||||||
|
## @param certificate.new.ipAddresses Overwrites the default of the subject alternative IP addresses.
|
||||||
|
## @param certificate.new.issuerRef.kind Issuer kind. Can be `Issuer` or `ClusterIssuer`.
|
||||||
|
## @param certificate.new.issuerRef.name Name of the `Issuer` or `ClusterIssuer`.
|
||||||
|
## @param certificate.new.privateKey.algorithm Algorithm of the private TLS key.
|
||||||
|
## @param certificate.new.privateKey.rotationPolicy Rotation of the private TLS key.
|
||||||
|
## @param certificate.new.privateKey.size Size of the private TLS key.
|
||||||
|
## @param certificate.new.secretTemplate.annotations Additional annotation of the created secret.
|
||||||
|
## @param certificate.new.secretTemplate.labels Additional labels of the created secret.
|
||||||
|
## @param certificate.new.subject.countries List of countries.
|
||||||
|
## @param certificate.new.subject.localities List of localities.
|
||||||
|
## @param certificate.new.subject.organizationalUnits List of organizationalUnits.
|
||||||
|
## @param certificate.new.subject.organizations List of organizations.
|
||||||
|
## @param certificate.new.subject.postalCodes List of postalCodes.
|
||||||
|
## @param certificate.new.subject.provinces List of provinces.
|
||||||
|
## @param certificate.new.subject.serialNumber Serial number.
|
||||||
|
## @param certificate.new.subject.streetAddresses List of streetAddresses.
|
||||||
|
## @param certificate.new.usages Define the usage of the TLS key.
|
||||||
|
new:
|
||||||
|
annotations: {}
|
||||||
|
labels: {}
|
||||||
|
duration: "744h" # 31 days
|
||||||
|
renewBefore: "672h" # 28 days
|
||||||
|
dnsNames: []
|
||||||
|
# The following DNS names are already part of the SAN's and serves only as example.
|
||||||
|
# - "athens-proxy"
|
||||||
|
# - "athens-proxy.svc"
|
||||||
|
# - "athens-proxy.svc.namespace"
|
||||||
|
# - "athens-proxy.svc.namespace.cluster.local"
|
||||||
|
ipAddresses: []
|
||||||
|
# The following IP addresses serves only as example.
|
||||||
|
# - "10.92.1.10"
|
||||||
|
# - "2001:0db8:85a3:08d3:1319:8a2e:0370:7344"
|
||||||
|
issuerRef:
|
||||||
|
kind: ""
|
||||||
|
name: ""
|
||||||
|
privateKey:
|
||||||
|
algorithm: "RSA"
|
||||||
|
rotationPolicy: "Never"
|
||||||
|
size: 4096
|
||||||
|
secretTemplate:
|
||||||
|
annotations: {}
|
||||||
|
labels: {}
|
||||||
|
subject:
|
||||||
|
countries: []
|
||||||
|
localities: []
|
||||||
|
organizationalUnits: []
|
||||||
|
organizations: []
|
||||||
|
postalCodes: []
|
||||||
|
provinces: []
|
||||||
|
serialNumber: ""
|
||||||
|
streetAddresses: []
|
||||||
|
usages:
|
||||||
|
- "client auth"
|
||||||
|
- "server auth"
|
||||||
|
|
||||||
## @section Configuration
|
## @section Configuration
|
||||||
config:
|
config:
|
||||||
env:
|
env:
|
||||||
@@ -78,8 +149,6 @@ config:
|
|||||||
# ATHENS_STORAGE_GCP_JSON_KEY:
|
# ATHENS_STORAGE_GCP_JSON_KEY:
|
||||||
# ATHENS_SUM_DBS:
|
# ATHENS_SUM_DBS:
|
||||||
# ATHENS_TIMEOUT:
|
# ATHENS_TIMEOUT:
|
||||||
# ATHENS_TLSCERT_FILE:
|
|
||||||
# ATHENS_TLSKEY_FILE:
|
|
||||||
# ATHENS_TRACE_EXPORTER_URL:
|
# ATHENS_TRACE_EXPORTER_URL:
|
||||||
# ATHENS_TRACE_EXPORTER:
|
# ATHENS_TRACE_EXPORTER:
|
||||||
# AWS_ACCESS_KEY_ID:
|
# AWS_ACCESS_KEY_ID:
|
||||||
@@ -404,9 +473,9 @@ deployment:
|
|||||||
# whenUnsatisfiable: DoNotSchedule
|
# whenUnsatisfiable: DoNotSchedule
|
||||||
# labelSelector:
|
# labelSelector:
|
||||||
# matchLabels:
|
# matchLabels:
|
||||||
# app.kubernetes.io/instance: prometheus-athens-proxy
|
# app.kubernetes.io/instance: athens-proxy
|
||||||
|
|
||||||
## @param deployment.volumes Additional volumes to mount into the pods of the prometheus-exporter deployment.
|
## @param deployment.volumes Additional volumes to mount into the pods of the athens-proxy deployment.
|
||||||
volumes: []
|
volumes: []
|
||||||
# - name: my-configmap-volume
|
# - name: my-configmap-volume
|
||||||
# config:
|
# config:
|
||||||
@@ -481,8 +550,8 @@ persistence:
|
|||||||
## @param persistence.data.mountPath The path where the persistent volume should be mounted in the container file system. This variable controls `ATHENS_DISK_STORAGE_ROOT`.
|
## @param persistence.data.mountPath The path where the persistent volume should be mounted in the container file system. This variable controls `ATHENS_DISK_STORAGE_ROOT`.
|
||||||
mountPath: "/var/www/athens-proxy/data"
|
mountPath: "/var/www/athens-proxy/data"
|
||||||
|
|
||||||
## @param persistence.data.existingPersistentVolumeClaim.enabled TODO
|
## @param persistence.data.existingPersistentVolumeClaim.enabled Use an existing persistent volume claim.
|
||||||
## @param persistence.data.existingPersistentVolumeClaim.persistentVolumeClaimName TODO
|
## @param persistence.data.existingPersistentVolumeClaim.persistentVolumeClaimName The name of the existing persistent volume claim.
|
||||||
existingPersistentVolumeClaim:
|
existingPersistentVolumeClaim:
|
||||||
enabled: false
|
enabled: false
|
||||||
persistentVolumeClaimName: ""
|
persistentVolumeClaimName: ""
|
||||||
@@ -490,16 +559,20 @@ persistence:
|
|||||||
## @param persistence.data.persistentVolumeClaim.annotations Additional persistent volume claim annotations.
|
## @param persistence.data.persistentVolumeClaim.annotations Additional persistent volume claim annotations.
|
||||||
## @param persistence.data.persistentVolumeClaim.labels Additional persistent volume claim labels.
|
## @param persistence.data.persistentVolumeClaim.labels Additional persistent volume claim labels.
|
||||||
## @param persistence.data.persistentVolumeClaim.accessModes Access modes of the persistent volume claim.
|
## @param persistence.data.persistentVolumeClaim.accessModes Access modes of the persistent volume claim.
|
||||||
## @param persistence.data.persistentVolumeClaim.storageClass Storage class of the persistent volume claim.
|
## @param persistence.data.persistentVolumeClaim.storageClassName Storage class of the persistent volume claim.
|
||||||
## @param persistence.data.persistentVolumeClaim.storageSize Size of the persistent volume claim.
|
## @param persistence.data.persistentVolumeClaim.storageSize Size of the persistent volume claim.
|
||||||
persistentVolumeClaim:
|
persistentVolumeClaim:
|
||||||
annotations: {}
|
annotations: {}
|
||||||
labels: {}
|
labels: {}
|
||||||
accessModes:
|
accessModes:
|
||||||
- ReadWriteMany
|
- ReadWriteMany
|
||||||
storageClass: ""
|
storageClassName: ""
|
||||||
storageSize: "5Gi"
|
storageSize: "5Gi"
|
||||||
|
|
||||||
|
## @section Network
|
||||||
|
## @param clusterDomain Domain of the Cluster. Domain is part of internally issued certificates.
|
||||||
|
clusterDomain: "cluster.local"
|
||||||
|
|
||||||
## @section Network Policy
|
## @section Network Policy
|
||||||
networkPolicy:
|
networkPolicy:
|
||||||
## @param networkPolicy.enabled Enable network policies in general.
|
## @param networkPolicy.enabled Enable network policies in general.
|
||||||
@@ -517,13 +590,10 @@ networkPolicy:
|
|||||||
# - Egress
|
# - Egress
|
||||||
# - Ingress
|
# - Ingress
|
||||||
egress: []
|
egress: []
|
||||||
# Allow outgoing traffic to database host
|
# Allow outgoing HTTPS traffic to external go module servers
|
||||||
#
|
#
|
||||||
# - to:
|
# - ports:
|
||||||
# - ipBlock:
|
# - port: 443
|
||||||
# cidr: 192.168.179.1/32
|
|
||||||
# ports:
|
|
||||||
# - port: 5432
|
|
||||||
# protocol: TCP
|
# protocol: TCP
|
||||||
|
|
||||||
# Allow outgoing DNS traffic to the internal running DNS-Server. For example core-dns.
|
# Allow outgoing DNS traffic to the internal running DNS-Server. For example core-dns.
|
||||||
|
Reference in New Issue
Block a user