fix(ci): respect rc pattern

fix(scripts): adapt regexp for release candidates
fix(scripts): adapt rc pattern
2026-06-01 22:35:55 +02:00 · 2026-06-01 22:12:37 +02:00 · 2026-06-01 21:37:00 +02:00 · 2026-05-31 19:26:37 +00:00 · 2026-05-31 19:26:12 +00:00 · 2026-05-31 19:25:38 +00:00
53 changed files with 2879 additions and 928 deletions
@@ -1,6 +1,6 @@
 #!/bin/bash
-set -e
+set -eo pipefail
 CHART_FILE="Chart.yaml"
 if [ ! -f "${CHART_FILE}" ]; then
@@ -8,8 +8,11 @@ if [ ! -f "${CHART_FILE}" ]; then
  exit 1
 fi
-DEFAULT_NEW_TAG="$(git tag --sort=-version:refname | head -n 1)"
+rc_pattern="\-rc([-\.][0-9]+)?$"
-DEFAULT_OLD_TAG="$(git tag --sort=-version:refname | head -n 2 | tail -n 1)"
+
 # Exclude prerelease tags (matching -rc or -rc.<digits>) from default tag selection
 DEFAULT_NEW_TAG="$(git tag --sort=-version:refname | grep --invert-match --perl-regexp "${rc_pattern}" | head --lines 1)"
 DEFAULT_OLD_TAG="$(git tag --sort=-version:refname | grep --invert-match --perl-regexp "${rc_pattern}" | head --lines 2 | tail --lines 1)"
 if [ -z "${1}" ]; then
  read -p "Enter start tag [${DEFAULT_OLD_TAG}]: " OLD_TAG
@@ -54,6 +57,13 @@ else
  fi
 fi
 # Check if NEW_TAG is a prerelease (matches -rc or -rc-<digits> suffix)
 if [[ "${NEW_TAG}" =~ ${rc_pattern} ]]; then
  echo "INFO: Tag '${NEW_TAG}' is a prerelease, setting prerelease annotation and skipping changelog."
  yq --no-colors --inplace ".annotations.\"artifacthub.io/prerelease\" = \"true\" | sort_keys(.)" "${CHART_FILE}"
  exit 0
 fi
 CHANGE_LOG_YAML=$(mktemp)
 echo "[]" > "${CHANGE_LOG_YAML}"
@@ -0,0 +1,41 @@
 name: Upload ArtifactHub Metadata
 on:
  schedule:
    - cron: '0 3 1 * *'
  workflow_dispatch:
 jobs:
  upload-metadata:
    name: "Upload artifacthub-repo.yml to OCI registry"
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v6.0.2
    - uses: docker/login-action@v4.2.0
      with:
        registry: ${{ github.server_url }}
        username: ${{ github.repository_owner }}
        password: ${{ secrets.GIT_CRYPTIC_SYSTEMS_PACKAGE_REGISTRY_TOKEN }}
    - uses: oras-project/setup-oras@v2.0.0
      with:
        version: 1.3.2 # renovate: datasource=github-tags depName=oras-project/oras extractVersion='^v?(?<version>.*)$'
    - name: Extract meta information
      run: |
        echo "GITEA_SERVER_HOSTNAME=$(echo "${GITHUB_SERVER_URL}" | cut -d '/' -f 3)" >> $GITHUB_ENV
        echo "PACKAGE_VERSION=${GITHUB_REF#refs/tags/}" >> $GITHUB_ENV
        echo "REPOSITORY_NAME=$(echo ${GITHUB_REPOSITORY} | cut -d '/' -f 2 | sed --regexp-extended 's/-charts?//g')" >> $GITHUB_ENV
        echo "REPOSITORY_OWNER=$(echo ${GITHUB_REPOSITORY} | cut -d '/' -f 1)" >> $GITHUB_ENV
    - name: Push artifacthub-repo.yml
      run: |
        oras push ${GITEA_SERVER_HOSTNAME}/${REPOSITORY_OWNER}/${REPOSITORY_NAME}:artifacthub.io \
          --config /dev/null:application/vnd.cncf.artifacthub.config.v1+yaml \
          artifacthub-repo.yml:application/vnd.cncf.artifacthub.repository-metadata.layer.v1.yaml
    - name: Push public cosign key
      env:
        COSIGN_PUBLIC_KEY: ${{ vars.COSIGN_PUBLIC_KEY }}
      run: |
        echo "${COSIGN_PUBLIC_KEY}" > cosign.pub
        oras push ${GITEA_SERVER_HOSTNAME}/${REPOSITORY_OWNER}/${REPOSITORY_NAME}:cosign.pub \
          --artifact-type application/vnd.dev.cosign.public-key.v1 \
          --annotation org.opencontainers.image.title=cosign.pub \
          cosign.pub:application/vnd.dev.cosign.public-key.v1
@@ -15,15 +15,14 @@ on:
 jobs:
  generate-parameters:
    container:
-      image: docker.io/library/node:24.10.0-alpine
+      image: docker.io/library/node:26.2.0-alpine
-    runs-on:
+    runs-on: ubuntu-latest
    - ubuntu-latest
    steps:
    - name: Install tooling
      run: |
        apk update
        apk add git npm
-    - uses: actions/checkout@v5.0.0
+    - uses: actions/checkout@v6.0.2
    - name: Generate parameter section in README
      run: |
        npm install
@@ -12,31 +12,26 @@ on:
 jobs:
  helm-lint:
-    container:
+    runs-on: ubuntu-latest
      image: docker.io/volkerraschek/helm:3.19.0
    runs-on:
    - ubuntu-latest
    steps:
-    - name: Install tooling
+    - uses: actions/checkout@v6.0.2
-      run: |
+    - uses: azure/setup-helm@v5.0.0
-        apk update
+      with:
-        apk add git npm
+        version: v4.2.0 # renovate: datasource=github-releases depName=helm/helm
    - uses: actions/checkout@v5.0.0
    - name: Lint helm files
      run: |
        helm lint --values values.yaml .
  helm-unittest:
-    container:
+    runs-on: ubuntu-latest
      image: docker.io/volkerraschek/helm:3.19.0
    runs-on:
    - ubuntu-latest
    steps:
-    - name: Install tooling
+    - uses: actions/checkout@v6.0.2
-      run: |
+    - uses: azure/setup-helm@v5.0.0
-        apk update
+      with:
-        apk add git npm
+        version: v4.2.0 # renovate: datasource=github-releases depName=helm/helm
-    - uses: actions/checkout@v5.0.0
+    - env:
-    - name: Unittest
+        HELM_UNITTEST_VERSION: v1.0.0 #renovate: datasource=github-releases depName=helm-unittest/helm-unittest
-      run: |
+      name: Install helm-unittest
-        helm unittest --strict --file 'unittests/**/*.yaml' ./
+      run: helm plugin install --verify=false --version "${HELM_UNITTEST_VERSION}" https://github.com/helm-unittest/helm-unittest
    - name: Execute helm unittests
      run: helm unittest --strict --file 'unittests/**/*.yaml' .
@@ -15,15 +15,14 @@ on:
 jobs:
  markdown-link-checker:
    container:
-      image: docker.io/library/node:24.10.0-alpine
+      image: docker.io/library/node:26.2.0-alpine
-    runs-on:
+    runs-on: ubuntu-latest
    - ubuntu-latest
    steps:
    - name: Install tooling
      run: |
        apk update
        apk add git npm
-    - uses: actions/checkout@v5.0.0
+    - uses: actions/checkout@v6.0.2
    - name: Verify links in markdown files
      run: |
        npm install
@@ -31,15 +30,14 @@ jobs:
  markdown-lint:
    container:
-      image: docker.io/library/node:24.10.0-alpine
+      image: docker.io/library/node:26.2.0-alpine
-    runs-on:
+    runs-on: ubuntu-latest
    - ubuntu-latest
    steps:
    - name: Install tooling
      run: |
        apk update
        apk add git
-    - uses: actions/checkout@v5.0.0
+    - uses: actions/checkout@v6.0.2
    - name: Lint markdown files
      run: |
        npm install
@@ -1,5 +1,10 @@
 name: Release
 env:
  GPG_PRIVATE_KEY_FILE: ${{ runner.temp }}/private.key
  GPG_PRIVATE_KEY_FINGERPRINT: ${{ vars.GPG_PRIVATE_KEY_FINGERPRINT }}
  GPG_PRIVATE_KEY_PASSPHRASE_FILE: ${{ runner.temp }}/passphrase.txt
 on:
  push:
    tags:
@@ -7,30 +12,76 @@ on:
 jobs:
  publish-chart:
    container:
      image: docker.io/volkerraschek/helm:3.19.0
    runs-on: ubuntu-latest
    steps:
-      - name: Install packages via apk
+      - uses: volker-raschek/cosign-installer@v4.1.2-rc4
-        run: |
+        with:
-          apk update
+          cosign-release: "v3.0.6" # renovate: datasource=github-tags depName=sigstore/cosign
          apk add git npm jq yq
-      - uses: actions/checkout@v5.0.0
+      - uses: azure/setup-helm@v5.0.0
        with:
          version: "v4.2.0" # renovate: datasource=github-tags depName=helm/helm
      - name: Install helm plugins
        env:
          HELM_SIGSTORE_VERSION: "0.3.0" # renovate: datasource=github-tags depName=sigstore/helm-sigstore extractVersion='^v(?<version>\d+\.\d+\.\d+)$'
          HELM_SCHEMA_VALUES_VERSION: "2.4.0" # renovate: datasource=github-tags depName=losisin/helm-values-schema-json extractVersion='^v(?<version>\d+\.\d+\.\d+)$'
          HELM_UNITTEST_VERSION: "1.1.0" # renovate: datasource=github-tags depName=helm-unittest/helm-unittest extractVersion='^v(?<version>\d+\.\d+\.\d+)$'
        run: |
          helm plugin install --verify=false https://github.com/sigstore/helm-sigstore.git --version "${HELM_SIGSTORE_VERSION}" 1> /dev/null
          helm plugin install --verify=false https://github.com/losisin/helm-values-schema-json.git --version "${HELM_SCHEMA_VALUES_VERSION}" 1> /dev/null
          helm plugin install --verify=false https://github.com/helm-unittest/helm-unittest.git --version "${HELM_UNITTEST_VERSION}" 1> /dev/null
          helm plugin list
      - name: GPG configuration
        env:
          GPG_PRIVATE_KEY_PASSPHRASE: ${{ secrets.GPG_PRIVATE_KEY_PASSPHRASE }}
          GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}
        run: |
          # Configure GPG and GPG Agent
          mkdir --parents "${HOME}/.gnupg"
          chmod 0700 "${HOME}/.gnupg"
          cat > "${HOME}/.gnupg/gpg.conf" <<EOF
          use-agent
          pinentry-mode loopback
          EOF
          cat > "${HOME}/.gnupg/gpg-agent.conf" <<EOF
          allow-loopback-pinentry
          max-cache-ttl 86400
          default-cache-ttl 86400
          EOF
          gpgconf --kill gpg-agent
          gpgconf --launch gpg-agent
          # Import GPG private key
          cat 1> "${GPG_PRIVATE_KEY_PASSPHRASE_FILE}" <<< "${GPG_PRIVATE_KEY_PASSPHRASE}"
          cat 1> "${GPG_PRIVATE_KEY_FILE}" <<< "${GPG_PRIVATE_KEY}"
          gpg --batch --yes --passphrase-fd 0 --import "${GPG_PRIVATE_KEY_FILE}" <<< "${GPG_PRIVATE_KEY_PASSPHRASE}"
          # Export GPG keyring
          gpg --batch --yes --export "${GPG_PRIVATE_KEY_FINGERPRINT}" 1> "${HOME}/.gnupg/pubring.gpg"
          gpg --batch --yes --passphrase-fd 0 --export-secret-keys "${GPG_PRIVATE_KEY_FINGERPRINT}" 1> "${HOME}/.gnupg/secring.gpg" <<< "${GPG_PRIVATE_KEY_PASSPHRASE}"
      - uses: actions/checkout@v6.0.2
        with:
          fetch-depth: 0
      - name: Add Artifacthub.io annotations
        run: |
-          NEW_TAG="$(git tag --sort=-version:refname | head -n 1)"
+          rc_pattern="\-rc([-\.][0-9]+)?$"
-          OLD_TAG="$(git tag --sort=-version:refname | head -n 2 | tail -n 1)"
+          NEW_TAG="$(git tag --sort=-version:refname | grep --invert-match --perl-regexp "${rc_pattern}" | head --lines 1)"
          OLD_TAG="$(git tag --sort=-version:refname | grep --invert-match --perl-regexp "${rc_pattern}" | head --lines 2 | tail --lines 1)"
          .gitea/scripts/add-annotations.sh "${OLD_TAG}" "${NEW_TAG}"
      - name: Extract meta information
        run: |
          echo "GITEA_SERVER_HOSTNAME=$(echo "${GITHUB_SERVER_URL}" | cut --delimiter '/' --fields 3)" >> $GITHUB_ENV
          echo "PACKAGE_VERSION=${GITHUB_REF#refs/tags/}" >> $GITHUB_ENV
-          echo "REPOSITORY_NAME=$(echo ${GITHUB_REPOSITORY} | cut -d '/' -f 2 | sed --regexp-extended 's/-charts?//g')" >> $GITHUB_ENV
+          echo "REPOSITORY_NAME=$(echo ${GITHUB_REPOSITORY} | cut --delimiter '/' --fields 2 | sed --regexp-extended 's/-charts?//g')" >> $GITHUB_ENV
-          echo "REPOSITORY_OWNER=$(echo ${GITHUB_REPOSITORY} | cut -d '/' -f 1)" >> $GITHUB_ENV
+          echo "REPOSITORY_OWNER=$(echo ${GITHUB_REPOSITORY} | cut --delimiter '/' --fields 1)" >> $GITHUB_ENV
      - name: Update Helm Chart version in README.md
        run: sed -i -E "s/^CHART_VERSION=.*/CHART_VERSION=${PACKAGE_VERSION}/g" README.md
@@ -38,24 +89,76 @@ jobs:
      - name: Package chart
        run: |
          helm dependency build
-          helm package --version "${PACKAGE_VERSION}" ./
+          helm package \
            --sign \
            --key "$(gpg --with-colons --list-keys "${GPG_PRIVATE_KEY_FINGERPRINT}" | grep uid | cut --delimiter ':' --fields 10)" \
            --keyring "${HOME}/.gnupg/secring.gpg" \
            --passphrase-file "${GPG_PRIVATE_KEY_PASSPHRASE_FILE}" \
            --version "${PACKAGE_VERSION}" ./
-      - name: Upload Chart to ChartMuseum
+      - uses: docker/login-action@v4.2.0
        with:
          registry: ${{ github.server_url }}
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GIT_CRYPTIC_SYSTEMS_PACKAGE_REGISTRY_TOKEN }}
      - name: Upload Chart to Gitea (OCI)
        env:
          COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
          COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
        run: |
          helm push ${REPOSITORY_NAME}-${PACKAGE_VERSION}.tgz oci://${GITEA_SERVER_HOSTNAME}/${REPOSITORY_OWNER}
          cosign sign --yes --upload=true --key=env://COSIGN_PRIVATE_KEY ${GITEA_SERVER_HOSTNAME}/${REPOSITORY_OWNER}/${REPOSITORY_NAME}:${PACKAGE_VERSION}
      - name: Upload Chart to Gitea (Helm)
        env:
          GITEA_REGISTRY_TOKEN: ${{ secrets.GIT_CRYPTIC_SYSTEMS_PACKAGE_REGISTRY_TOKEN }}
        run: |
          curl \
            --fail \
            --show-error \
            --request POST \
            --user "${REPOSITORY_OWNER}:${GITEA_REGISTRY_TOKEN}" \
            --upload-file "${REPOSITORY_NAME}-${PACKAGE_VERSION}.tgz" \
              https://${GITEA_SERVER_HOSTNAME}/api/packages/${REPOSITORY_OWNER}/helm/api/charts
          # NOTE:
          # Gitea does currently not support uploading Helm chart provenance files, so we skip this step for now. Once
          # Gitea supports this, we can simply uncomment the following lines to upload the provenance file as well.
          #
          #   https://github.com/helm/helm/issues/31866
          #
          # if [ -f "${REPOSITORY_NAME}-${PACKAGE_VERSION}.tgz.prov" ]; then
          #   curl \
          #     --fail \
          #     --show-error \
          #     --request POST \
          #     --user "${CHARTMUSEUM_USERNAME}:${CHARTMUSEUM_PASSWORD}" \
          #     --upload-file "${REPOSITORY_NAME}-${PACKAGE_VERSION}.tgz.prov" \
          #       https://${GITEA_SERVER_HOSTNAME}/api/packages/${REPOSITORY_OWNER}/helm/api/prov
          # fi
      - name: Upload Chart to Chartmuseum (Helm)
        env:
          CHARTMUSEUM_HOSTNAME: ${{ vars.CHARTMUSEUM_HOSTNAME }}
          CHARTMUSEUM_USERNAME: ${{ secrets.CHARTMUSEUM_USERNAME }}
          CHARTMUSEUM_PASSWORD: ${{ secrets.CHARTMUSEUM_PASSWORD }}
          CHARTMUSEUM_REPOSITORY: ${{ vars.CHARTMUSEUM_REPOSITORY }}
          CHARTMUSEUM_USERNAME: ${{ secrets.CHARTMUSEUM_USERNAME }}
          CHARTMUSEUM_HOSTNAME: ${{ vars.CHARTMUSEUM_HOSTNAME }}
        run: |
-          helm repo add --username ${CHARTMUSEUM_USERNAME} --password ${CHARTMUSEUM_PASSWORD} chartmuseum https://${CHARTMUSEUM_HOSTNAME}/${CHARTMUSEUM_REPOSITORY}
+          curl \
-          helm cm-push ${REPOSITORY_NAME}-${PACKAGE_VERSION}.tgz chartmuseum
+            --fail \
-          helm repo remove chartmuseum
+            --show-error \
            --request POST \
            --user "${CHARTMUSEUM_USERNAME}:${CHARTMUSEUM_PASSWORD}" \
            --upload-file "${REPOSITORY_NAME}-${PACKAGE_VERSION}.tgz" \
              https://${CHARTMUSEUM_HOSTNAME}/api/${CHARTMUSEUM_REPOSITORY}/charts
-      - name: Upload Chart to Gitea
+          if [ -f "${REPOSITORY_NAME}-${PACKAGE_VERSION}.tgz.prov" ]; then
-        env:
+            curl \
-          GITEA_PACKAGE_REGISTRY_TOKEN: ${{ secrets.GIT_CRYPTIC_SYSTEMS_PACKAGE_REGISTRY_TOKEN }}
+              --fail \
-          GITEA_SERVER_URL: ${{ github.server_url }}
+              --show-error \
-        run: |
+              --request POST \
-          helm repo add --username ${REPOSITORY_OWNER} --password ${GITEA_PACKAGE_REGISTRY_TOKEN} gitea ${GITEA_SERVER_URL}/api/packages/${REPOSITORY_OWNER}/helm
+              --user "${CHARTMUSEUM_USERNAME}:${CHARTMUSEUM_PASSWORD}" \
-          helm cm-push ${REPOSITORY_NAME}-${PACKAGE_VERSION}.tgz gitea
+              --upload-file ${REPOSITORY_NAME}-${PACKAGE_VERSION}.tgz.prov \
-          helm repo remove gitea
+                https://${CHARTMUSEUM_HOSTNAME}/api/${CHARTMUSEUM_REPOSITORY}/prov
          fi
@@ -1,9 +1,9 @@
 charts
 cosign*
 node_modules
 target
-values2.yml
+!values.yaml
-values2.yaml
+!values.yml
 values*.yaml
 values*.yml
 *.tgz
 install.sh
 uninstall.sh
@@ -0,0 +1,8 @@
 {
  "yaml.schemas": {
    "https://raw.githubusercontent.com/helm-unittest/helm-unittest/v1.1.0/schema/helm-testsuite.json": [
      "/unittests/**/*.yaml"
    ]
  },
  "yaml.schemaStore.enable": true
 }
@@ -1,15 +1,21 @@
 annotations:
  artifacthub.io/license: MIT
  artifacthub.io/links: |
    - name: Athens proxy (binary)
      url: https://github.com/gomods/athens
    - name: support
      url: https://git.cryptic.systems/volker.raschek/athens-proxy-charts/issues
  artifacthub.io/operator: "false"
  artifacthub.io/prerelease: "false"
  artifacthub.io/signKey: |
    fingerprint: 3B0CE9853CAD76076260025383D342258456906E
    url: https://keys.openpgp.org/vks/v1/by-fingerprint/3B0CE9853CAD76076260025383D342258456906E
 apiVersion: v2
 name: athens-proxy
 description: Athens proxy server for golang
 type: application
 version: "0.1.0"
-appVersion: "v0.16.1"
+appVersion: "v0.17.1"
 icon: https://github.com/gomods/athens/blob/main/docs/static/banner.png?raw=true
 keywords:
@@ -19,6 +25,6 @@ keywords:
 - go-proxy
 sources:
- https://github.com/volker-raschek/athens-proxy-charts
+- https://git.cryptic.systems/volker.raschek/athens-proxy-charts
 - https://github.com/gomods/athens
 - https://hub.docker.com/r/gomods/athens
@@ -10,7 +10,7 @@ HELM_IMAGE_FULLY_QUALIFIED=${HELM_IMAGE_REGISTRY_HOST}/${HELM_IMAGE_REPOSITORY}:
 # NODE_IMAGE
 NODE_IMAGE_REGISTRY_HOST?=docker.io
 NODE_IMAGE_REPOSITORY?=library/node
-NODE_IMAGE_VERSION?=24.10.0-alpine # renovate: datasource=docker registryUrl=https://docker.io depName=docker.io/library/node packageName=library/node
+NODE_IMAGE_VERSION?=25.2.1-alpine # renovate: datasource=docker registryUrl=https://docker.io depName=docker.io/library/node packageName=library/node
 NODE_IMAGE_FULLY_QUALIFIED=${NODE_IMAGE_REGISTRY_HOST}/${NODE_IMAGE_REPOSITORY}:${NODE_IMAGE_VERSION}
 # MISSING DOT
@@ -18,6 +18,25 @@ NODE_IMAGE_FULLY_QUALIFIED=${NODE_IMAGE_REGISTRY_HOST}/${NODE_IMAGE_REPOSITORY}:
 missing-dot:
 	grep --perl-regexp '## @(param|skip).*[^.]$$' values.yaml
 # README
 # ==============================================================================
 readme: readme/link readme/lint readme/parameters
 readme/link:
 	npm install && npm run readme:link
 readme/lint:
 	npm install && npm run readme:lint
 readme/parameters:
 	npm install && npm run readme:parameters
 # HELM UNITTESTS
 # ==============================================================================
 PHONY+=helm/unittest
 helm/unittest:
 	helm unittest --strict --file 'unittests/**/*.yaml' ./
 # CONTAINER RUN - README
 # ==============================================================================
 PHONY+=container-run/readme
@@ -1,4 +1,4 @@
-# athens-proxy-charts
+# Athens - A Go module datastore and proxy
 [![Artifact Hub](https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/volker-raschek)](https://artifacthub.io/packages/search?repo=volker-raschek)
@@ -16,10 +16,7 @@ Chapter [configuration and installation](#helm-configuration-and-installation) d
 helm and use it to deploy the exporter. It also contains further configuration examples.
 Furthermore, this helm chart contains unit tests to detect regressions and stabilize the deployment. Additionally, this
-helm chart is tested for deployment scenarios with **ArgoCD**, but please keep in mind, that this chart supports the
+helm chart is tested for deployment scenarios with **ArgoCD**.
 *[Automatically Roll Deployment](https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments)*
 concept of Helm, which can trigger unexpected rolling releases. Further configuration instructions are described in a
 separate [chapter](#argocd).
 ## Helm: configuration and installation
@@ -40,21 +37,21 @@ version of the chart must be in sync with the `values.yaml`. Newer *minor* versi
 versions can break something!
 ```bash
-CHART_VERSION=1.0.0
+CHART_VERSION=1.4.1
 helm show values volker.raschek/athens-proxy --version "${CHART_VERSION}" > values.yaml
 ```
 A complete list of available helm chart versions can be displayed via the following command:
 ```bash
-helm search repo reposilite --versions
+helm search repo athens-proxy --versions
 ```
 The helm chart also contains a persistent volume claim definition. It persistent volume claim is not enabled by default.
 Use the `--set` argument to persist your data.
 ```bash
-CHART_VERSION=1.0.0
+CHART_VERSION=1.4.1
 helm install --version "${CHART_VERSION}" athens-proxy volker.raschek/athens-proxy \
  persistence.enabled=true
 ```
@@ -84,13 +81,181 @@ Further information about this topic can be found in one of Kanishk's blog
 > Please take care the a CPU limit < `1000m` can also lead to CPU throttling. Please read the linked documentation carefully.
 ```bash
-CHART_VERSION=1.0.0
+CHART_VERSION=1.4.1
 helm install --version "${CHART_VERSION}" athens-proxy volker.raschek/athens-proxy \
  --set 'deployment.athensProxy.env.name=GOMAXPROCS' \
  --set 'deployment.athensProxy.env.valueFrom.resourceFieldRef.resource=limits.cpu' \
  --set 'deployment.athensProxy.resources.limits.cpu=1000m'
 ```
 #### TLS encryption
 The example shows how to deploy the application with TLS encryption. For example when **no** HTTP ingress is used for
 TLS determination and instead the application it self should determinate the TLS handshake. To generate the TLS
 certificate can be used the [cert-manager](https://cert-manager.io/). The chart supports the creation of such a TLS
 certificate via `cert-manager.io/v1 Certificate` resource. Alternatively can be mounted a TLS certificate from a secret.
 The secret must be from type `kubernetes.io/tls`.
 If athens-proxy is deployed behind a reverse proxy, for example an ingress nginx controller or Gateway API, please
 instruct the reverse proxy to establish a TLS encrypted connection to avoid connection problems. The documentation
 describes configuring [Ingress NGINX](#ingress-nginx) as well as [NGINX Gateway Fabric](#gatewayapi-nginx-fabric).
 > [!WARNING]
 > The following example expects that the [cert-manager](https://cert-manager.io/) is deployed and the `Issuer` named
 > `athens-proxy-ca` is present in the same namespace of the helm deployment.
 ```bash
 CHART_VERSION=1.4.1
 helm install --version "${CHART_VERSION}" athens-proxy volker.raschek/athens-proxy \
  --set 'config.certificate.enabled=true' \
  --set 'config.certificate.new.issuerRef.kind=Issuer' \
  --set 'config.certificate.new.issuerRef.name=athens-proxy-ca'
 ```
 The environment variables `ATHENS_TLSCERT_FILE` and `ATHENS_TLSKEY_FILE` are automatically added and the TLS certificate
 and private key are mounted to a pre-defined destination inside the container file system.
 ##### Ingress NGINX
 The following changes must be applied to enable TLS encryption and authentication on-top between the ingress and backend
 service.
 > [!IMPORTANT]
 > The HTTP Version between the ingress nginx and backend must be set to `1.1`, as well as the TLS protocol must be set
 > to `TLSv1.2`. Otherwise can't the nginx establish a TLS connection.
 The secret `athens-proxy/ingress-nginx-controller-tls` contains TLS certificates for the nginx ingress controller. The
 TLS certificate must be created manually, for example via [cert-manager](https://cert-manager.io/). It is used by the
 nginx for TLS authentication.
 ```yaml
 ingress:
  enabled: true
  className: "nginx"
  annotations:
    nginx.ingress.kubernetes.io/backend-protocol: HTTPS
    nginx.ingress.kubernetes.io/proxy-http-version: "1.1"
    nginx.ingress.kubernetes.io/proxy-ssl-secret: athens-proxy/ingress-nginx-controller-tls
    nginx.ingress.kubernetes.io/proxy-ssl-protocols: TLSv1.2
    nginx.ingress.kubernetes.io/proxy-ssl-name: athens-proxy
    nginx.ingress.kubernetes.io/proxy-ssl-verify: "on"
 ```
 ##### GatewayAPI: NGINX Fabric
 The following changes must be applied to enable TLS encryption and authentication on-top between the gateway and backend
 service.
 > [!IMPORTANT]
 > The HTTP Version between the nginx gateway fabric and backend must be set to `1.1`, as well as the TLS protocol must
 > be set to `TLSv1.2`. Otherwise can't the nginx establish a TLS connection.
 The `gatewayAPI.core.backendTLSPolicy.validation.caCertificateRefs` must contain at least one secret containing the
 root or intermediate certificate of the issued TLS certificate used by athens-proxy to be able to validate the TLS
 certificate.
 ```yaml
 gatewayAPI:
  enabled: true
  core:
    backendTLSPolicy:
      enabled: true
      validation:
        caCertificateRefs:
        - group: ""
          kind: Secret
          name: "athens-proxy-ca"
        hostname: "athens-proxy"
    httpRoute:
      enabled: true
      hostnames:
      - athens-proxy.example.local
      parentRefs:
      - name: nginx
        kind: Gateway
        group: gateway.networking.k8s.io
        namespace: my-gateway-namespace
        sectionName: athens-proxy-https
 ```
 The Gateway resource is not part of the helm chart, but for illustrating the configuration example, here a GatewayAPI
 resource with configured backend TLS certificate. The TLS certificates `gateway-frontend-tls` and `gateway-backend-tls`
 must also be created manually, for example via [cert-manager](https://cert-manager.io/).
 ```yaml
 ---
 apiVersion: gateway.networking.k8s.io/v1
 kind: Gateway
 metadata:
  name: nginx
  namespace: my-gateway-namespace
 spec:
  gatewayClassName: nginx
  listeners:
    - allowedRoutes:
        kinds:
          - group: gateway.networking.k8s.io
            kind: HTTPRoute
        namespaces:
          from: All
      hostname: athens-proxy.example.local
      name: https
      port: 443
      protocol: HTTPS
      tls:
        certificateRefs:
          - group: ''
            kind: Secret
            name: gateway-frontend-tls
            namespace: my-gateway-namespace
        mode: Terminate
  tls:
    backend:
      clientCertificateRef:
        group: ''
        kind: Secret
        name: gateway-backend-tls
        namespace: my-gateway-namespace
 ```
 #### TLS certificate rotation
 If the application uses TLS certificates that are mounted as a secret in the container file system like the example
 [above](#tls-encryption), the application will not automatically apply them when the TLS certificates are rotated. Such
 a rotation can be for example triggered, when the [cert-manager](https://cert-manager.io/) issues new TLS certificates
 before expiring.
 Until the exporter does not support rotating TLS certificate a workaround can be applied. For example stakater's
 [reloader](https://github.com/stakater/Reloader) controller can be used to trigger a rolling update. The following
 annotation must be added to instruct the reloader controller to trigger a rolling update, when the mounted secret has
 been changed.
 > [!IMPORTANT]
 > The Helm chart already adds annotations to trigger a rolling release. Helm describes this approach under
 > [Automatically Roll Deployments](https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments).
 > For this reason, **only external** configMaps or secrets need to be monitored by reloader.
 ```yaml
 deployment:
  annotations:
    secret.reloader.stakater.com/reload: "athens-proxy-tls"
 ```
 If the application is rolled out using ArgoCD, a rolling update from stakater's
 [reloader](https://github.com/stakater/Reloader) can lead to a drift. ArgoCD will attempt to restore the original state
 with a rolling update. To avoid this, instead of a rolling update triggered by the reloader, a restart of the pod can be
 initiated. Further information are available in the official
 [README](https://github.com/stakater/Reloader?tab=readme-ov-file#4-%EF%B8%8F-workload-specific-rollout-strategy) of
 stakater's reloader.
 ```diff
  deployment:
    annotations:
 +     reloader.stakater.com/rollout-strategy: "restart"
      secret.reloader.stakater.com/reload: "athens-proxy-tls"
 ```
 #### Network policies
 Network policies can only take effect, when the used CNI plugin support network policies. The chart supports no custom
@@ -126,6 +291,9 @@ networkPolicies:
      protocol: TCP
    - port: 53
      protocol: UDP
  - ports:
    - port: 22
      protocol: TCP
  - ports:
    - port: 443
      protocol: TCP
@@ -138,6 +306,13 @@ networkPolicies:
      podSelector:
        matchLabels:
          app.kubernetes.io/name: ingress-nginx
    # NGINX GatewayAPI Fabric
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: gateway-nginx
      podSelector:
        matchLabels:
          app.kubernetes.io/name: gateway-nginx
    ports:
    - port: http
      protocol: TCP
@@ -145,31 +320,51 @@ networkPolicies:
 ## ArgoCD
-### Daily execution of rolling updates
+### Example Application
-The behavior whereby ArgoCD triggers a rolling update even though nothing appears to have changed often occurs in
+An application resource for the Helm chart is defined below. It serves as an example for your own deployment.
 connection with the helm concept `checksum/secret`, `checksum/configmap` or more generally, [Automatically Roll
 Deployments](https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments).
-The problem with combining this concept with ArgoCD is that ArgoCD re-renders the Helm chart every time. Even if the
+```yaml
-content of the config map or secret has not changed, there may be minimal differences (e.g., whitespace, chart version,
+apiVersion: argoproj.io/v1alpha1
-Helm render order, different timestamps).
+kind: Application
-
+spec:
-This changes the SHA256 hash, Argo sees a drift and trigger a rolling update of the deployment. Among other things, this
+  destination:
-can lead to unnecessary notifications from ArgoCD.
+    server: https://kubernetes.default.svc
-
+    namespace: athens-proxy
-To avoid this, the annotation with the shasum must be ignored. Below is a diff that adds the `Application` to ignore all
+  ignoreDifferences:
-annotations with the prefix `checksum`.
+  - group: apps
-
+    kind: Deployment
-```diff
+    jqPathExpressions:
-  apiVersion: argoproj.io/v1alpha1
+    # When HPA is enabled, ensure that a modification of the replicas does not lead to a
-  kind: Application
+    # drift.
-  spec:
+      - '.spec.replicas'
-+   ignoreDifferences:
+    # Ensure that changes of the annotations or environment variables added or modified by
-+   - group: apps/v1
+    # stakater's reloader does not lead to a drift.
-+     kind: Deployment
+    - '.spec.template.metadata.annotations | with_entries(select(.key | startswith("reloader")))'
-+     jqPathExpressions:
+    - '.spec.template.spec.containers[].env[] | select(.name | startswith("STAKATER_"))'
-+     - '.spec.template.metadata.annotations | with_entries(select(.key | startswith("checksum")))'
+  sources:
  - repoURL: https://charts.cryptic.systems/volker.raschek
    chart: athens-proxy
    targetRevision: '0.*'
    helm:
      valueFiles:
      - $values/values.yaml
      releaseName: athens-proxy
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
    managedNamespaceMetadata:
      annotations: {}
      labels: {}
    syncOptions:
    - ApplyOutOfSyncOnly=true
    - CreateNamespace=true
    - FailOnSharedResource=false
    - Replace=false
    - RespectIgnoreDifferences=false
    - ServerSideApply=true
    - Validate=true
 ```
 ## Parameters
@@ -181,35 +376,71 @@ annotations with the prefix `checksum`.
 | `nameOverride`     | Individual release name suffix.           | `""`  |
 | `fullnameOverride` | Override the complete release name logic. | `""`  |
 ### Certificate
 | Name                                          | Description                                                                                                                                                 | Value                           |
 | --------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------- |
 | `certificate.enabled`                         | Issue a TLS certificate via cert-manager. If enabled, the environment variables `ATHENS_TLSCERT_FILE` and `ATHENS_TLSKEY_FILE` will be automatically added. | `false`                         |
 | `certificate.addSHASumAnnotation`             | Add an pod annotation with the sha sum of the secret containing the TLS certificates.                                                                       | `true`                          |
 | `certificate.existingSecret.enabled`          | Use an existing secret of the type `kubernetes.io/tls`.                                                                                                     | `false`                         |
 | `certificate.existingSecret.secretName`       | Name of the secret containing the TLS certificate and private key.                                                                                          | `""`                            |
 | `certificate.new.annotations`                 | Additional certificate annotations.                                                                                                                         | `{}`                            |
 | `certificate.new.labels`                      | Additional certificate labels.                                                                                                                              | `{}`                            |
 | `certificate.new.duration`                    | Duration of the TLS certificate.                                                                                                                            | `744h`                          |
 | `certificate.new.renewBefore`                 | Renew TLS certificate before expiring.                                                                                                                      | `672h`                          |
 | `certificate.new.dnsNames`                    | Overwrites the default of the subject alternative DNS names.                                                                                                | `[]`                            |
 | `certificate.new.ipAddresses`                 | Overwrites the default of the subject alternative IP addresses.                                                                                             | `[]`                            |
 | `certificate.new.issuerRef.kind`              | Issuer kind. Can be `Issuer` or `ClusterIssuer`.                                                                                                            | `""`                            |
 | `certificate.new.issuerRef.name`              | Name of the `Issuer` or `ClusterIssuer`.                                                                                                                    | `""`                            |
 | `certificate.new.privateKey.algorithm`        | Algorithm of the private TLS key.                                                                                                                           | `RSA`                           |
 | `certificate.new.privateKey.rotationPolicy`   | Rotation of the private TLS key.                                                                                                                            | `Never`                         |
 | `certificate.new.privateKey.size`             | Size of the private TLS key.                                                                                                                                | `4096`                          |
 | `certificate.new.secretTemplate.annotations`  | Additional annotation of the created secret.                                                                                                                | `{}`                            |
 | `certificate.new.secretTemplate.labels`       | Additional labels of the created secret.                                                                                                                    | `{}`                            |
 | `certificate.new.subject.countries`           | List of countries.                                                                                                                                          | `[]`                            |
 | `certificate.new.subject.localities`          | List of localities.                                                                                                                                         | `[]`                            |
 | `certificate.new.subject.organizationalUnits` | List of organizationalUnits.                                                                                                                                | `[]`                            |
 | `certificate.new.subject.organizations`       | List of organizations.                                                                                                                                      | `[]`                            |
 | `certificate.new.subject.postalCodes`         | List of postalCodes.                                                                                                                                        | `[]`                            |
 | `certificate.new.subject.provinces`           | List of provinces.                                                                                                                                          | `[]`                            |
 | `certificate.new.subject.serialNumber`        | Serial number.                                                                                                                                              | `""`                            |
 | `certificate.new.subject.streetAddresses`     | List of streetAddresses.                                                                                                                                    | `[]`                            |
 | `certificate.new.usages`                      | Define the usage of the TLS key.                                                                                                                            | `["client auth","server auth"]` |
 ### Configuration
 | Name                                                    | Description                                                                                                                                       | Value            |
 | ------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------- |
 | `config.env.enabled`                                    | Enable mounting of the secret as environment variables.                                                                                           | `false`          |
 | `config.env.addSHASumAnnotation`                        | Add an pod annotation with the sha sum of the config map containing the configuration.                                                            | `true`           |
 | `config.env.existingSecret.enabled`                     | Mount an existing secret containing the application specific environment variables.                                                               | `false`          |
 | `config.env.existingSecret.secretName`                  | Name of the existing secret containing the application specific environment variables.                                                            | `""`             |
 | `config.env.secret.annotations`                         | Additional annotations of the secret containing the database credentials.                                                                         | `{}`             |
 | `config.env.secret.labels`                              | Additional labels of the secret containing the database credentials.                                                                              | `{}`             |
 | `config.env.secret.envs`                                | List of environment variables stored in a secret and mounted into the container.                                                                  | `{}`             |
 | `config.downloadMode.enabled`                           | Enable mounting of a download mode file into the container file system. If enabled, the env `ATHENS_DOWNLOAD_MODE` will automatically be defined. | `false`          |
 | `config.downloadMode.addSHASumAnnotation`               | Add an pod annotation with the sha sum of the config map containing the downloadMode config.                                                      | `true`           |
 | `config.downloadMode.existingConfigMap.enabled`         | Enable to use an external config map for mounting the download mode file.                                                                         | `false`          |
 | `config.downloadMode.existingConfigMap.configMapName`   | The name of the existing config map which should be used to mount the download mode file.                                                         | `""`             |
 | `config.downloadMode.existingConfigMap.downloadModeKey` | The name of the key inside the config map where the content of the download mode file is stored.                                                  | `downloadMode`   |
 | `config.downloadMode.configMap.annotations`             | Additional annotations of the config map containing the download mode file.                                                                       | `{}`             |
 | `config.downloadMode.configMap.labels`                  | Additional labels of the config map containing the download mode file.                                                                            | `{}`             |
 | `config.gitConfig.enabled`                              | Enable mounting of a .gitconfig file into the container file system.                                                                              | `false`          |
 | `config.gitConfig.addSHASumAnnotation`                  | Add an pod annotation with the sha sum of the config map containing the git config.                                                               | `true`           |
 | `config.gitConfig.existingConfigMap.enabled`            | Enable to use an external config map for mounting the .gitconfig file.                                                                            | `false`          |
 | `config.gitConfig.existingConfigMap.configMapName`      | The name of the existing config map which should be used to mount the .gitconfig file.                                                            | `""`             |
 | `config.gitConfig.existingConfigMap.gitConfigKey`       | The name of the key inside the config map where the content of the .gitconfig file is stored.                                                     | `nil`            |
 | `config.gitConfig.configMap.annotations`                | Additional annotations of the config map containing the .gitconfig file.                                                                          | `{}`             |
 | `config.gitConfig.configMap.labels`                     | Additional labels of the config map containing the .gitconfig file.                                                                               | `{}`             |
 | `config.netrc.enabled`                                  | Enable mounting of a .netrc file into the container file system.                                                                                  | `false`          |
 | `config.netrc.addSHASumAnnotation`                      | Add an pod annotation with the sha sum of the secret containing the netrc file.                                                                   | `true`           |
 | `config.netrc.existingSecret.enabled`                   | Enable to use an external secret for mounting the .netrc file.                                                                                    | `false`          |
 | `config.netrc.existingSecret.secretName`                | The name of the existing secret which should be used to mount the .netrc file.                                                                    | `""`             |
 | `config.netrc.existingSecret.netrcKey`                  | The name of the key inside the secret where the content of the .netrc file is stored.                                                             | `.netrc`         |
 | `config.netrc.secret.annotations`                       | Additional annotations of the secret containing the database credentials.                                                                         | `{}`             |
 | `config.netrc.secret.labels`                            | Additional labels of the secret containing the database credentials.                                                                              | `{}`             |
 | `config.ssh.enabled`                                    | Enable mounting of a .netrc file into the container file system.                                                                                  | `false`          |
 | `config.ssh.addSHASumAnnotation`                        | Add an pod annotation with the sha sum of the secret containing the ssh keys.                                                                     | `true`           |
 | `config.ssh.existingSecret.enabled`                     | Enable to use an external secret for mounting the public and private SSH key files.                                                               | `false`          |
 | `config.ssh.existingSecret.secretName`                  | The name of the existing secret which should be used to mount the public and private SSH key files.                                               | `""`             |
 | `config.ssh.existingSecret.configKey`                   | The name of the key inside the secret where the content of the SSH client config file is stored.                                                  | `config`         |
@@ -223,7 +454,7 @@ annotations with the prefix `checksum`.
 ### Deployment
 | Name                                                        | Description                                                                                                | Value           |
-| -------------------------------------------------- | ---------------------------------------------------------------------------------------------------------- | --------------- |
+| ----------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------- | --------------- |
 | `deployment.annotations`                                    | Additional deployment annotations.                                                                         | `{}`            |
 | `deployment.labels`                                         | Additional deployment labels.                                                                              | `{}`            |
 | `deployment.additionalContainers`                           | List of additional containers.                                                                             | `[]`            |
@@ -243,6 +474,16 @@ annotations with the prefix `checksum`.
 | `deployment.athensProxy.image.repository`                   | Image repository, eg. `library/busybox`.                                                                   | `gomods/athens` |
 | `deployment.athensProxy.image.tag`                          | Custom image tag, eg. `0.1.0`. Defaults to `appVersion`.                                                   | `""`            |
 | `deployment.athensProxy.image.pullPolicy`                   | Image pull policy.                                                                                         | `IfNotPresent`  |
 | `deployment.athensProxy.livenessProbe.failureThreshold`     | Minimum consecutive failures for the probe to be considered failed after having succeeded.                 | `3`             |
 | `deployment.athensProxy.livenessProbe.initialDelaySeconds`  | Number of seconds after the container has started before liveness probes are initiated.                    | `5`             |
 | `deployment.athensProxy.livenessProbe.periodSeconds`        | How often (in seconds) to perform the probe.                                                               | `60`            |
 | `deployment.athensProxy.livenessProbe.successThreshold`     | Minimum consecutive successes for the probe to be considered successful after having failed.               | `1`             |
 | `deployment.athensProxy.livenessProbe.timeoutSeconds`       | Number of seconds after which the probe times out.                                                         | `3`             |
 | `deployment.athensProxy.readinessProbe.failureThreshold`    | Minimum consecutive failures for the probe to be considered failed after having succeeded.                 | `3`             |
 | `deployment.athensProxy.readinessProbe.initialDelaySeconds` | Number of seconds after the container has started before liveness probes are initiated.                    | `5`             |
 | `deployment.athensProxy.readinessProbe.periodSeconds`       | How often (in seconds) to perform the probe.                                                               | `15`            |
 | `deployment.athensProxy.readinessProbe.successThreshold`    | Minimum consecutive successes for the probe to be considered successful after having failed.               | `1`             |
 | `deployment.athensProxy.readinessProbe.timeoutSeconds`      | Number of seconds after which the probe times out.                                                         | `3`             |
 | `deployment.athensProxy.resources`                          | CPU and memory resources of the pod.                                                                       | `{}`            |
 | `deployment.athensProxy.securityContext`                    | Security context of the container of the deployment.                                                       | `{}`            |
 | `deployment.athensProxy.volumeMounts`                       | Additional volume mounts.                                                                                  | `[]`            |
@@ -257,7 +498,31 @@ annotations with the prefix `checksum`.
 | `deployment.terminationGracePeriodSeconds`                  | How long to wait until forcefully kill the pod.                                                            | `60`            |
 | `deployment.tolerations`                                    | Tolerations of the athens-proxy deployment.                                                                | `[]`            |
 | `deployment.topologySpreadConstraints`                      | TopologySpreadConstraints of the athens-proxy deployment.                                                  | `[]`            |
-| `deployment.volumes`                               | Additional volumes to mount into the pods of the prometheus-exporter deployment.                           | `[]`            |
+| `deployment.volumes`                                        | Additional volumes to mount into the pods of the athens-proxy deployment.                                  | `[]`            |
 ### GatewayAPI
 | Name                                                        | Description                                                                                                                                                                                         | Value   |
 | ----------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------- |
 | `gatewayAPI.enabled`                                        | Enable the Gateway API resources. Requires Kubernetes v1.19 or higher, the CRD's and a compatible gateway controller.                                                                               | `false` |
 | `gatewayAPI.core.backendTLSPolicy.enabled`                  | Enable the BackendTLSPolicy resource. Requires also `gatewayAPI.enabled` to be `true`.                                                                                                              | `false` |
 | `gatewayAPI.core.backendTLSPolicy.annotations`              | Additional annotations for the BackendTLSPolicy.                                                                                                                                                    | `{}`    |
 | `gatewayAPI.core.backendTLSPolicy.labels`                   | Additional labels for the BackendTLSPolicy.                                                                                                                                                         | `{}`    |
 | `gatewayAPI.core.backendTLSPolicy.validation`               | Validation configuration for the BackendTLSPolicy. For example, you can specify a trusted CA certificate to validate the TLS connection between the gateway and the athens-proxy pod.               | `{}`    |
 | `gatewayAPI.core.httpRoute.enabled`                         | Enable the HTTPRoute resource. Requires also `gatewayAPI.enabled` and `service.enabled` to be `true`.                                                                                               | `false` |
 | `gatewayAPI.core.httpRoute.annotations`                     | Additional annotations for the HTTPRoute.                                                                                                                                                           | `{}`    |
 | `gatewayAPI.core.httpRoute.labels`                          | Additional labels for the HTTPRoute.                                                                                                                                                                | `{}`    |
 | `gatewayAPI.core.httpRoute.hostnames`                       | Hostnames for the HTTPRoute.                                                                                                                                                                        | `[]`    |
 | `gatewayAPI.core.httpRoute.parentRefs`                      | ParentRefs for the HTTPRoute. You can specify parentRefs to bind the HTTPRoute to specific Gateway resources.                                                                                       | `[]`    |
 | `gatewayAPI.nginx.clientSettingsPolicy.enabled`             | Enable the ClientSettingsPolicy resource. Requires also `gatewayAPI.enabled` to be `true`.                                                                                                          | `false` |
 | `gatewayAPI.nginx.clientSettingsPolicy.annotations`         | Additional annotations for the ClientSettingsPolicy.                                                                                                                                                | `{}`    |
 | `gatewayAPI.nginx.clientSettingsPolicy.labels`              | Additional labels for the ClientSettingsPolicy.                                                                                                                                                     | `{}`    |
 | `gatewayAPI.nginx.clientSettingsPolicy.clientMaxBodySize`   | ClientMaxBodySize sets the maximum allowed size of the client request body. If not specified, the default of the nginx gateway controller is used.                                                  | `""`    |
 | `gatewayAPI.nginx.clientSettingsPolicy.clientBodyTimeout`   | ClientBodyTimeout sets the timeout for reading the client request body. If not specified, the default of the nginx gateway controller is used.                                                      | `""`    |
 | `gatewayAPI.nginx.clientSettingsPolicy.keepaliveRequests`   | KeepaliveRequests sets the maximum number of requests that can be served through one keepalive connection. If not specified, the default of the nginx gateway controller is used.                   | `nil`   |
 | `gatewayAPI.nginx.clientSettingsPolicy.keepaliveTime`       | KeepaliveTime sets the time a keepalive connection is kept open. If not specified, the default of the nginx gateway controller is used.                                                             | `""`    |
 | `gatewayAPI.nginx.clientSettingsPolicy.keepaliveTimeout`    | KeepaliveTimeout sets the time a client has to wait for the response of a request until the connection is closed. If not specified, the default of the nginx gateway controller is used.            | `""`    |
 | `gatewayAPI.nginx.clientSettingsPolicy.keepaliveMinTimeout` | KeepaliveMinTimeout sets the minimum time a client has to wait for the response of a request until the connection is closed. If not specified, the default of the nginx gateway controller is used. | `""`    |
 ### Horizontal Pod Autoscaler (HPA)
@@ -273,13 +538,13 @@ annotations with the prefix `checksum`.
 ### Ingress
 | Name                  | Description                                                                              | Value   |
-| --------------------- | -------------------------------------------------------------------------------------------------------------------- | ------- |
+| --------------------- | ---------------------------------------------------------------------------------------- | ------- |
 | `ingress.enabled`     | Enable creation of an ingress resource. Requires, that the http service is also enabled. | `false` |
 | `ingress.className`   | Ingress class.                                                                           | `nginx` |
 | `ingress.annotations` | Additional ingress annotations.                                                          | `{}`    |
 | `ingress.labels`      | Additional ingress labels.                                                               | `{}`    |
-| `ingress.hosts`       | Ingress specific configuration. Specification only required when another ingress controller is used instead of `t1k. | `[]`    |
+| `ingress.hosts`       | Ingress specific configuration.                                                          | `[]`    |
-| `ingress.tls`         | Ingress TLS settings. Specification only required when another ingress controller is used instead of `t1k``.         | `[]`    |
+| `ingress.tls`         | Ingress TLS settings.                                                                    | `[]`    |
 ### Persistence
@@ -287,14 +552,20 @@ annotations with the prefix `checksum`.
 | -------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------- |
 | `persistence.enabled`                                                      | Enable the feature to store the data on a persistent volume claim. If enabled, the volume will be automatically be mounted into the pod. Furthermore, the env `ATHENS_STORAGE_TYPE=disk` will automatically be defined. | `false`                      |
 | `persistence.data.mountPath`                                               | The path where the persistent volume should be mounted in the container file system. This variable controls `ATHENS_DISK_STORAGE_ROOT`.                                                                                 | `/var/www/athens-proxy/data` |
-| `persistence.data.existingPersistentVolumeClaim.enabled`                   | TODO                                                                                                                                                                                                                    | `false`                      |
+| `persistence.data.existingPersistentVolumeClaim.enabled`                   | Use an existing persistent volume claim.                                                                                                                                                                                | `false`                      |
-| `persistence.data.existingPersistentVolumeClaim.persistentVolumeClaimName` | TODO                                                                                                                                                                                                                    | `""`                         |
+| `persistence.data.existingPersistentVolumeClaim.persistentVolumeClaimName` | The name of the existing persistent volume claim.                                                                                                                                                                       | `""`                         |
 | `persistence.data.persistentVolumeClaim.annotations`                       | Additional persistent volume claim annotations.                                                                                                                                                                         | `{}`                         |
 | `persistence.data.persistentVolumeClaim.labels`                            | Additional persistent volume claim labels.                                                                                                                                                                              | `{}`                         |
 | `persistence.data.persistentVolumeClaim.accessModes`                       | Access modes of the persistent volume claim.                                                                                                                                                                            | `["ReadWriteMany"]`          |
-| `persistence.data.persistentVolumeClaim.storageClass`                      | Storage class of the persistent volume claim.                                                                                                                                                                           | `""`                         |
+| `persistence.data.persistentVolumeClaim.storageClassName`                  | Storage class of the persistent volume claim.                                                                                                                                                                           | `""`                         |
 | `persistence.data.persistentVolumeClaim.storageSize`                       | Size of the persistent volume claim.                                                                                                                                                                                    | `5Gi`                        |
 ### Network
 | Name            | Description                                                              | Value           |
 | --------------- | ------------------------------------------------------------------------ | --------------- |
 | `clusterDomain` | Domain of the Cluster. Domain is part of internally issued certificates. | `cluster.local` |
 ### Network Policy
 | Name                        | Description                                                               | Value   |
@@ -309,21 +580,21 @@ annotations with the prefix `checksum`.
 ### Service
 | Name                               | Description                                                                                                                                                                                                | Value       |
-| ---------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------- |
+| ---------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------- |
-| `services.http.enabled`                  | Enable the service.                                                                                                                                                                                        | `true`      |
+| `service.enabled`                  | Enable the service.                                                                                                                                                                                        | `true`      |
-| `services.http.annotations`              | Additional service annotations.                                                                                                                                                                            | `{}`        |
+| `service.annotations`              | Additional service annotations.                                                                                                                                                                            | `{}`        |
-| `services.http.externalIPs`              | External IPs for the service.                                                                                                                                                                              | `[]`        |
+| `service.externalIPs`              | External IPs for the service.                                                                                                                                                                              | `[]`        |
-| `services.http.externalTrafficPolicy`    | If `service.type` is `NodePort` or `LoadBalancer`, set this to `Local` to tell kube-proxy to only use node local endpoints for cluster external traffic. Furthermore, this enables source IP preservation. | `Cluster`   |
+| `service.externalTrafficPolicy`    | If `service.type` is `NodePort` or `LoadBalancer`, set this to `Local` to tell kube-proxy to only use node local endpoints for cluster external traffic. Furthermore, this enables source IP preservation. | `Cluster`   |
-| `services.http.internalTrafficPolicy`    | If `service.type` is `NodePort` or `LoadBalancer`, set this to `Local` to tell kube-proxy to only use node local endpoints for cluster internal traffic.                                                   | `Cluster`   |
+| `service.internalTrafficPolicy`    | If `service.type` is `NodePort` or `LoadBalancer`, set this to `Local` to tell kube-proxy to only use node local endpoints for cluster internal traffic.                                                   | `Cluster`   |
-| `services.http.ipFamilies`               | IPFamilies is list of IP families (e.g. `IPv4`, `IPv6`) assigned to this service. This field is usually assigned automatically based on cluster configuration and only required for customization.         | `[]`        |
+| `service.ipFamilies`               | IPFamilies is list of IP families (e.g. `IPv4`, `IPv6`) assigned to this service. This field is usually assigned automatically based on cluster configuration and only required for customization.         | `[]`        |
-| `services.http.labels`                   | Additional service labels.                                                                                                                                                                                 | `{}`        |
+| `service.labels`                   | Additional service labels.                                                                                                                                                                                 | `{}`        |
-| `services.http.loadBalancerClass`        | LoadBalancerClass is the class of the load balancer implementation this Service belongs to. Requires service from type `LoadBalancer`.                                                                     | `""`        |
+| `service.loadBalancerClass`        | LoadBalancerClass is the class of the load balancer implementation this Service belongs to. Requires service from type `LoadBalancer`.                                                                     | `""`        |
-| `services.http.loadBalancerIP`           | LoadBalancer will get created with the IP specified in this field. Requires service from type `LoadBalancer`.                                                                                              | `""`        |
+| `service.loadBalancerIP`           | LoadBalancer will get created with the IP specified in this field. Requires service from type `LoadBalancer`.                                                                                              | `""`        |
-| `services.http.loadBalancerSourceRanges` | Source range filter for LoadBalancer. Requires service from type `LoadBalancer`.                                                                                                                           | `[]`        |
+| `service.loadBalancerSourceRanges` | Source range filter for LoadBalancer. Requires service from type `LoadBalancer`.                                                                                                                           | `[]`        |
-| `services.http.port`                     | Port to forward the traffic to.                                                                                                                                                                            | `3000`      |
+| `service.port`                     | Port to forward the traffic to.                                                                                                                                                                            | `3000`      |
-| `services.http.sessionAffinity`          | Supports `ClientIP` and `None`. Enable client IP based session affinity via `ClientIP`.                                                                                                                    | `None`      |
+| `service.sessionAffinity`          | Supports `ClientIP` and `None`. Enable client IP based session affinity via `ClientIP`.                                                                                                                    | `None`      |
-| `services.http.sessionAffinityConfig`    | Contains the configuration of the session affinity.                                                                                                                                                        | `{}`        |
+| `service.sessionAffinityConfig`    | Contains the configuration of the session affinity.                                                                                                                                                        | `{}`        |
-| `services.http.type`                     | Kubernetes service type for the traffic.                                                                                                                                                                   | `ClusterIP` |
+| `service.type`                     | Kubernetes service type for the traffic.                                                                                                                                                                   | `ClusterIP` |
 ### ServiceAccount
@@ -0,0 +1 @@
 repositoryID: 4c206fe5-b83a-457a-bcad-7dd664f8b70c
@@ -16,6 +16,6 @@
  "devDependencies": {
    "@bitnami/readme-generator-for-helm": "^2.5.0",
    "markdown-link-check": "^3.13.6",
-    "markdownlint-cli": "^0.45.0"
+    "markdownlint-cli": "^0.48.0"
  }
 }
@@ -31,6 +31,16 @@
      "packageNameTemplate": "https://git.cryptic.systems/volker.raschek/athens-proxy-charts",
      "datasourceTemplate": "git-tags",
      "versioningTemplate": "semver"
    },
    {
      "customType": "regex",
      "datasourceTemplate": "github-releases",
      "fileMatch": [
        ".vscode/settings\\.json$"
      ],
      "matchStrings": [
        "https:\\/\\/raw\\.githubusercontent\\.com\\/(?<depName>[^\\s]+?)\\/(?<currentValue>v[0-9.]+?)\\/schema\\/helm-testsuite\\.json"
      ]
    }
  ],
  "packageRules": [
@@ -0,0 +1,32 @@
 {{/* vim: set filetype=mustache: */}}
 {{/* annotations */}}
 {{- define "athens-proxy.backendTLSPolicy.annotations" -}}
 {{ include "athens-proxy.annotations" . }}
 {{- if .Values.gatewayAPI.core.backendTLSPolicy.annotations }}
 {{ toYaml .Values.gatewayAPI.core.backendTLSPolicy.annotations }}
 {{- end }}
 {{- end }}
 {{/* enabled */}}
 {{- define "athens-proxy.backendTLSPolicy.enabled" -}}
 {{- if and .Values.gatewayAPI.enabled
           .Values.gatewayAPI.core.backendTLSPolicy.enabled
           .Values.service.enabled
 -}}
 true
 {{- else -}}
 false
 {{- end -}}
 {{- end }}
 {{/* labels */}}
 {{- define "athens-proxy.backendTLSPolicy.labels" -}}
 {{ include "athens-proxy.labels" . }}
 {{- if .Values.gatewayAPI.core.backendTLSPolicy.labels }}
 {{ toYaml .Values.gatewayAPI.core.backendTLSPolicy.labels }}
 {{- end }}
 {{- end }}
@@ -0,0 +1,25 @@
 {{/* vim: set filetype=mustache: */}}
 {{/* annotations */}}
 {{- define "athens-proxy.certificates.server.annotations" -}}
 {{ include "athens-proxy.annotations" . }}
 {{- if .Values.certificate.new.annotations }}
 {{ toYaml .Values.certificate.new.annotations }}
 {{- end }}
 {{- end }}
 {{/* labels */}}
 {{- define "athens-proxy.certificates.server.labels" -}}
 {{ include "athens-proxy.labels" . }}
 {{- if .Values.certificate.new.labels }}
 {{ toYaml .Values.certificate.new.labels }}
 {{- end }}
 {{- end }}
 {{/* names */}}
 {{- define "athens-proxy.certificates.server.name" -}}
 {{ include "athens-proxy.fullname" . }}-tls
 {{- end -}}
@@ -0,0 +1,31 @@
 {{/* vim: set filetype=mustache: */}}
 {{/* annotations */}}
 {{- define "athens-proxy.clientSettingsPolicy.annotations" -}}
 {{ include "athens-proxy.annotations" . }}
 {{- if .Values.gatewayAPI.nginx.clientSettingsPolicy.annotations }}
 {{ toYaml .Values.gatewayAPI.nginx.clientSettingsPolicy.annotations }}
 {{- end }}
 {{- end }}
 {{/* enabled */}}
 {{- define "athens-proxy.clientSettingsPolicy.enabled" -}}
 {{- if and (eq (include "athens-proxy.httpRoute.enabled" $) "true")
           .Values.gatewayAPI.nginx.clientSettingsPolicy.enabled
 -}}
 true
 {{- else -}}
 false
 {{- end -}}
 {{- end }}
 {{/* labels */}}
 {{- define "athens-proxy.clientSettingsPolicy.labels" -}}
 {{ include "athens-proxy.labels" . }}
 {{- if .Values.gatewayAPI.nginx.clientSettingsPolicy.labels }}
 {{ toYaml .Values.gatewayAPI.nginx.clientSettingsPolicy.labels }}
 {{- end }}
 {{- end }}
@@ -26,6 +26,13 @@
 {{- $env = concat $env (list (dict "name" "GOMAXPROCS" "valueFrom" (dict "resourceFieldRef" (dict "divisor" "1" "resource" "limits.cpu")))) }}
 {{- end }}
 {{- if .Values.certificate.enabled }}
 {{- $env = concat $env (list
      (dict "name" "ATHENS_TLSCERT_FILE" "value" "/etc/athens-proxy/tls/tls.crt")
      (dict "name" "ATHENS_TLSKEY_FILE" "value" "/etc/athens-proxy/tls/tls.key")
    ) }}
 {{- end }}
 {{ toYaml (dict "env" $env) }}
 {{- end -}}
@@ -124,6 +131,12 @@
 {{- end }}
 {{/* volumeMounts (tls) */}}
 {{- if .Values.certificate.enabled }}
 {{- $volumeMounts = concat $volumeMounts (list (dict "name" "tls" "mountPath" "/etc/athens-proxy/tls" )) }}
 {{- end }}
 {{ toYaml (dict "volumeMounts" $volumeMounts) }}
 {{- end -}}
@@ -252,5 +265,15 @@
 {{- $volumes = concat $volumes (list $projectedSecretVolume) }}
 {{- end }}
 {{/* volumes (tls) */}}
 {{- if .Values.certificate.enabled }}
 {{- $secretName := include "athens-proxy.certificates.server.name" $ }}
 {{- if .Values.certificate.existingSecret.enabled }}
 {{- $secretName := .Values.certificate.existingSecret.secretName }}
 {{- end }}
 {{- $volumes = concat $volumes (list (dict "name" "tls" "secret" (dict "secretName" $secretName))) }}
 {{- end }}
 {{ toYaml (dict "volumes" $volumes) }}
 {{- end -}}
@@ -0,0 +1,32 @@
 {{/* vim: set filetype=mustache: */}}
 {{/* annotations */}}
 {{- define "athens-proxy.httpRoute.annotations" -}}
 {{ include "athens-proxy.annotations" . }}
 {{- if .Values.gatewayAPI.core.httpRoute.annotations }}
 {{ toYaml .Values.gatewayAPI.core.httpRoute.annotations }}
 {{- end }}
 {{- end }}
 {{/* enabled */}}
 {{- define "athens-proxy.httpRoute.enabled" -}}
 {{- if and .Values.gatewayAPI.enabled
           .Values.gatewayAPI.core.httpRoute.enabled
           .Values.service.enabled
 -}}
 true
 {{- else -}}
 false
 {{- end -}}
 {{- end }}
 {{/* labels */}}
 {{- define "athens-proxy.httpRoute.labels" -}}
 {{ include "athens-proxy.labels" . }}
 {{- if .Values.gatewayAPI.core.httpRoute.labels }}
 {{ toYaml .Values.gatewayAPI.core.httpRoute.labels }}
 {{- end }}
 {{- end }}
@@ -1,34 +0,0 @@
 ---
 {{/* annotations */}}
 {{- define "athens-proxy.pod.annotations" }}
 {{- include "athens-proxy.annotations" . }}
 {{- if and .Values.config.env.enabled (not .Values.config.env.existingSecret.enabled) }}
 {{ printf "checksum/secret-%s: %s" (include "athens-proxy.secrets.env.name" $) (include (print $.Template.BasePath "/secretEnv.yaml") . | sha256sum) }}
 {{- end }}
 {{- if and .Values.config.downloadMode.enabled (not .Values.config.downloadMode.existingConfigMap.enabled) }}
 {{ printf "checksum/config-map-%s: %s" (include "athens-proxy.configMap.downloadMode.name" $) (include (print $.Template.BasePath "/configMapDownloadMode.yaml") . | sha256sum) }}
 {{- end }}
 {{- if and .Values.config.gitConfig.enabled (not .Values.config.gitConfig.existingConfigMap.enabled) }}
 {{ printf "checksum/config-map-%s: %s" (include "athens-proxy.configMap.gitConfig.name" $) (include (print $.Template.BasePath "/configMapGitConfig.yaml") . | sha256sum) }}
 {{- end }}
 {{- if and .Values.config.netrc.enabled (not .Values.config.netrc.existingSecret.enabled) }}
 {{ printf "checksum/secret-%s: %s" (include "athens-proxy.secrets.netrc.name" $) (include (print $.Template.BasePath "/secretNetRC.yaml") . | sha256sum) }}
 {{- end }}
 {{- if and .Values.config.ssh.enabled (not .Values.config.ssh.existingSecret.enabled) }}
 {{ printf "checksum/secret-%s: %s" (include "athens-proxy.secrets.ssh.name" $) (include (print $.Template.BasePath "/secretSSH.yaml") . | sha256sum) }}
 {{- end }}
 {{- end }}
 {{/* labels */}}
 {{- define "athens-proxy.pod.labels" -}}
 {{ include "athens-proxy.labels" . }}
 {{- end }}
 {{- define "athens-proxy.pod.selectorLabels" -}}
 {{ include "athens-proxy.selectorLabels" . }}
 {{- end }}
@@ -0,0 +1,76 @@
 ---
 {{/* annotations */}}
 {{- define "athens-proxy.pod.annotations" }}
 {{- include "athens-proxy.annotations" . }}
 {{- if and .Values.certificate.enabled .Values.certificate.addSHASumAnnotation }}
 {{- $secretName := include "athens-proxy.certificates.server.name" $ }}
 {{- if and .Values.certificate.existingSecret.enabled (gt (len .Values.certificate.existingSecret.secretName) 0) }}
 {{- $secretName = .Values.certificate.existingSecret.secretName }}
 {{- end }}
 {{- $secret := lookup "v1" "Secret" .Release.Namespace $secretName | toYaml }}
 {{ printf "checksum/secret-%s: %s" $secretName ($secret | sha256sum) }}
 {{- end }}
 {{- if and .Values.config.env.enabled .Values.config.env.addSHASumAnnotation }}
 {{- $secretName := include "athens-proxy.secrets.env.name" $ }}
 {{- $secret := include (print $.Template.BasePath "/secretEnv.yaml") $ }}
 {{- if and .Values.config.env.existingSecret.enabled (gt (len .Values.config.env.existingSecret.secretName) 0) }}
 {{- $secretName = .Values.config.env.existingSecret.secretName }}
 {{- $secret := lookup "v1" "Secret" .Release.Namespace $secretName | toYaml }}
 {{- end }}
 {{ printf "checksum/secret-%s: %s" $secretName ($secret | sha256sum) }}
 {{- end }}
 {{- if and .Values.config.downloadMode.enabled .Values.config.downloadMode.addSHASumAnnotation }}
 {{- $configMapName := include "athens-proxy.configMap.downloadMode.name" $ }}
 {{- $configMap := include (print $.Template.BasePath "/configMapDownloadMode.yaml") . }}
 {{- if and .Values.config.downloadMode.existingConfigMap.enabled (gt (len .Values.config.downloadMode.existingConfigMap.configMapName) 0) }}
 {{- $configMapName = .Values.config.downloadMode.existingConfigMap.configMapName }}
 {{- $configMap := lookup "v1" "ConfigMap" .Release.Namespace $configMapName | toYaml }}
 {{- end }}
 {{ printf "checksum/config-map-%s: %s" $configMapName ($configMap | sha256sum) }}
 {{- end }}
 {{- if and .Values.config.gitConfig.enabled .Values.config.gitConfig.addSHASumAnnotation }}
 {{- $configMapName := include "athens-proxy.configMap.gitConfig.name" $ }}
 {{- $configMap := include (print $.Template.BasePath "/configMapGitConfig.yaml") . }}
 {{- if and .Values.config.gitConfig.existingConfigMap.enabled (gt (len .Values.config.gitConfig.existingConfigMap.configMapName) 0) }}
 {{- $configMapName = .Values.config.gitConfig.existingConfigMap.configMapName }}
 {{- $configMap := lookup "v1" "ConfigMap" .Release.Namespace $configMapName | toYaml }}
 {{- end }}
 {{ printf "checksum/config-map-%s: %s" $configMapName ($configMap | sha256sum) }}
 {{- end }}
 {{- if and .Values.config.netrc.enabled .Values.config.netrc.addSHASumAnnotation }}
 {{- $secretName := include "athens-proxy.secrets.netrc.name" $ }}
 {{- $secret := include (print $.Template.BasePath "/secretNetRC.yaml") $ }}
 {{- if and .Values.config.netrc.existingSecret.enabled (gt (len .Values.config.netrc.existingSecret.secretName) 0) }}
 {{- $secretName = .Values.config.netrc.existingSecret.secretName }}
 {{- $secret := lookup "v1" "Secret" .Release.Namespace $secretName | toYaml }}
 {{- end }}
 {{ printf "checksum/secret-%s: %s" $secretName ($secret | sha256sum) }}
 {{- end }}
 {{- if and .Values.config.ssh.enabled .Values.config.ssh.addSHASumAnnotation }}
 {{- $secretName := include "athens-proxy.secrets.ssh.name" $ }}
 {{- $secret := include (print $.Template.BasePath "/secretSSH.yaml") $ }}
 {{- if and .Values.config.ssh.existingSecret.enabled (gt (len .Values.config.ssh.existingSecret.secretName) 0) }}
 {{- $secretName = .Values.config.ssh.existingSecret.secretName }}
 {{- $secret := lookup "v1" "Secret" .Release.Namespace $secretName | toYaml }}
 {{- end }}
 {{ printf "checksum/secret-%s: %s" $secretName ($secret | sha256sum) }}
 {{- end }}
 {{- end }}
 {{/* labels */}}
 {{- define "athens-proxy.pod.labels" -}}
 {{ include "athens-proxy.labels" . }}
 {{- end }}
 {{- define "athens-proxy.pod.selectorLabels" -}}
 {{ include "athens-proxy.selectorLabels" . }}
 {{- end }}
@@ -2,28 +2,28 @@
 {{/* annotations */}}
-{{- define "athens-proxy.services.http.annotations" -}}
+{{- define "athens-proxy.service.annotations" -}}
 {{ include "athens-proxy.annotations" . }}
-{{- if .Values.services.http.annotations }}
+{{- if .Values.service.annotations }}
-{{ toYaml .Values.services.http.annotations }}
+{{ toYaml .Values.service.annotations }}
 {{- end }}
 {{- end }}
 {{/* labels */}}
-{{- define "athens-proxy.services.http.labels" -}}
+{{- define "athens-proxy.service.labels" -}}
 {{ include "athens-proxy.labels" . }}
 {{/* Add label to select the correct service via `selector.matchLabels` of the serviceMonitor resource. */}}
 app.kubernetes.io/service-name: http
-{{- if .Values.services.http.labels }}
+{{- if .Values.service.labels }}
-{{ toYaml .Values.services.http.labels }}
+{{ toYaml .Values.service.labels }}
 {{- end }}
 {{- end }}
 {{/* names */}}
-{{- define "athens-proxy.services.http.name" -}}
+{{- define "athens-proxy.service.name" -}}
-{{- if .Values.services.http.enabled -}}
+{{- if .Values.service.enabled -}}
-{{ include "athens-proxy.fullname" . }}-http
+{{ include "athens-proxy.fullname" . }}
 {{- end -}}
 {{- end -}}
@@ -0,0 +1,25 @@
 {{- if eq (include "athens-proxy.backendTLSPolicy.enabled" $) "true" }}
 ---
 apiVersion: gateway.networking.k8s.io/v1
 kind: BackendTLSPolicy
 metadata:
  {{- with (include "athens-proxy.backendTLSPolicy.annotations" . | fromYaml) }}
  annotations:
    {{- toYaml . | nindent 4 }}
  {{- end }}
  {{- with (include "athens-proxy.backendTLSPolicy.labels" . | fromYaml) }}
  labels:
    {{- toYaml . | nindent 4 }}
  {{- end }}
  name: {{ include "athens-proxy.fullname" . }}
  namespace: {{ .Release.Namespace }}
 spec:
  targetRefs:
    - group: ""
      kind: Service
      name: {{ include "athens-proxy.service.name" . }}
  {{- with .Values.gatewayAPI.core.backendTLSPolicy.validation }}
  validation:
    {{- toYaml . | nindent 4 }}
  {{- end }}
 {{- end -}}
@@ -0,0 +1,97 @@
 {{- if and .Values.certificate.enabled (not .Values.certificate.existingSecret.enabled) -}}
 ---
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
  {{- with (include "athens-proxy.certificates.server.annotations" . | fromYaml) }}
  annotations:
    {{- toYaml . | nindent 4 }}
  {{- end }}
  {{- with (include "athens-proxy.certificates.server.labels" . | fromYaml) }}
  labels:
    {{- toYaml . | nindent 4 }}
  {{- end }}
  name: {{ include "athens-proxy.certificates.server.name" . }}
  namespace: {{ .Release.Namespace }}
 spec:
  commonName: {{ include "athens-proxy.fullname" . }}
  {{- if empty .Values.certificate.new.dnsNames }}
  dnsNames:
  - {{ include "athens-proxy.fullname" . }}
  - {{ include "athens-proxy.fullname" . }}.{{ .Release.Namespace }}
  - {{ include "athens-proxy.fullname" . }}.{{ .Release.Namespace }}.svc
  - {{ include "athens-proxy.fullname" . }}.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }}
  {{- else }}
  dnsNames:
  {{- range .Values.certificate.new.dnsNames }}
  - {{ . }}
  {{- end }}
  {{- end }}
  duration: {{ .Values.certificate.new.duration }}
  {{- if not (empty .Values.certificate.new.ipAddresses) }}
  ipAddresses:
  {{- range .Values.certificate.new.ipAddresses }}
  - {{ . }}
  {{- end }}
  {{- end }}
  isCA: false
  issuerRef:
    kind: {{ required "No certificate issuer kind defined!" .Values.certificate.new.issuerRef.kind }}
    name: {{ required "No certificate issuer name defined!" .Values.certificate.new.issuerRef.name }}
  privateKey:
    algorithm: {{ .Values.certificate.new.privateKey.algorithm }}
    rotationPolicy: {{ .Values.certificate.new.privateKey.rotationPolicy }}
    size: {{ .Values.certificate.new.privateKey.size }}
  renewBefore: {{ .Values.certificate.new.renewBefore }}
  secretName: {{ include "athens-proxy.certificates.server.name" . }}
  {{- with .Values.certificate.new.secretTemplate }}
  secretTemplate:
    {{- toYaml . | nindent 4 }}
  {{- end }}
  {{- if or .Values.certificate.new.subject.countries
            .Values.certificate.new.subject.localities
            .Values.certificate.new.subject.organizationalUnits
            .Values.certificate.new.subject.organizations
            .Values.certificate.new.subject.postalCodes
            .Values.certificate.new.subject.provinces
            .Values.certificate.new.subject.serialNumber
            .Values.certificate.new.subject.streetAddresses
  }}
  subject:
    {{- with .Values.certificate.new.subject.countries }}
    countries:
    {{- toYaml . | nindent 4 }}
    {{- end }}
    {{- with .Values.certificate.new.subject.localities }}
    localities:
    {{- toYaml . | nindent 4 }}
    {{- end }}
    {{- with .Values.certificate.new.subject.organizationalUnits }}
    organizationalUnits:
    {{- toYaml . | nindent 4 }}
    {{- end }}
    {{- with .Values.certificate.new.subject.organizations }}
    organizations:
    {{- toYaml . | nindent 4 }}
    {{- end }}
    {{- with .Values.certificate.new.subject.postalCodes }}
    postalCodes:
    {{- toYaml . | nindent 4 }}
    {{- end }}
    {{- with .Values.certificate.new.subject.provinces }}
    provinces:
    {{- toYaml . | nindent 4 }}
    {{- end }}
    {{- if .Values.certificate.new.subject.serialNumber }}
    serialNumber: {{ .Values.certificate.new.subject.serialNumber }}
    {{- end }}
    {{- with .Values.certificate.new.subject.streetAddresses }}
    streetAddresses:
    {{- toYaml . | nindent 4 }}
    {{- end }}
  {{- end }}
  usages:
  {{- range .Values.certificate.new.usages }}
  - {{ . }}
  {{- end }}
 {{- end }}
@@ -0,0 +1,50 @@
 {{- if eq (include "athens-proxy.clientSettingsPolicy.enabled" $) "true" }}
 apiVersion: gateway.nginx.org/v1alpha1
 kind: ClientSettingsPolicy
 metadata:
  {{- with (include "athens-proxy.clientSettingsPolicy.annotations" . | fromYaml) }}
  annotations:
    {{- toYaml . | nindent 4 }}
  {{- end }}
  {{- with (include "athens-proxy.clientSettingsPolicy.labels" . | fromYaml) }}
  labels:
    {{- toYaml . | nindent 4 }}
  {{- end }}
  name: {{ include "athens-proxy.fullname" . }}
  namespace: {{ .Release.Namespace }}
 spec:
  targetRef:
    group: gateway.networking.k8s.io
    kind: HTTPRoute
    name: {{ include "athens-proxy.fullname" . }}
  {{- if or .Values.gatewayAPI.nginx.clientSettingsPolicy.clientMaxBodySize
            .Values.gatewayAPI.nginx.clientSettingsPolicy.clientBodyTimeout
  }}
  body:
    {{- with .Values.gatewayAPI.nginx.clientSettingsPolicy.clientMaxBodySize }}
    maxSize: {{ . }}
    {{- end }}
    {{- with .Values.gatewayAPI.nginx.clientSettingsPolicy.clientBodyTimeout }}
    timeout: {{ . }}
    {{- end }}
  {{- end }}
  {{- if or .Values.gatewayAPI.nginx.clientSettingsPolicy.keepaliveRequests
            .Values.gatewayAPI.nginx.clientSettingsPolicy.keepaliveTime
            .Values.gatewayAPI.nginx.clientSettingsPolicy.keepaliveTimeout
            .Values.gatewayAPI.nginx.clientSettingsPolicy.keepaliveMinTimeout
  }}
  keepAlive:
    {{- with .Values.gatewayAPI.nginx.clientSettingsPolicy.keepaliveRequests }}
    requests: {{ . }}
    {{- end }}
    {{- with .Values.gatewayAPI.nginx.clientSettingsPolicy.keepaliveTime }}
    time: {{ . }}
    {{- end }}
    {{- with .Values.gatewayAPI.nginx.clientSettingsPolicy.keepaliveTimeout }}
    timeout: {{ . }}
    {{- end }}
    {{- with .Values.gatewayAPI.nginx.clientSettingsPolicy.keepaliveMinTimeout }}
    minTimeout: {{ . }}
    {{- end }}
  {{- end }}
 {{- end -}}
@@ -50,21 +50,29 @@ spec:
        image: {{ include "athens-proxy.deployment.images.athens-proxy.fqin" . | quote }}
        imagePullPolicy: {{ .Values.deployment.athensProxy.image.pullPolicy }}
        livenessProbe:
-          tcpSocket:
+          exec:
-            port: http
+            {{- if not .Values.certificate.enabled }}
-          failureThreshold: 3
+            command: [ "wget", "-T", "{{ .Values.deployment.athensProxy.livenessProbe.timeoutSeconds }}", "-O", "/dev/null", "http://localhost:3000" ]
-          initialDelaySeconds: 5
+            {{- else }}
-          periodSeconds: 60
+            command: [ "wget", "--no-check-certificate", "-T", "{{ .Values.deployment.athensProxy.livenessProbe.timeoutSeconds }}", "-O", "/dev/null", "https://localhost:3000" ]
-          successThreshold: 1
+            {{- end }}
-          timeoutSeconds: 3
+          failureThreshold: {{ .Values.deployment.athensProxy.livenessProbe.failureThreshold }}
          initialDelaySeconds: {{ .Values.deployment.athensProxy.livenessProbe.initialDelaySeconds }}
          periodSeconds: {{ .Values.deployment.athensProxy.livenessProbe.periodSeconds }}
          successThreshold: {{ .Values.deployment.athensProxy.livenessProbe.successThreshold }}
          timeoutSeconds: {{ .Values.deployment.athensProxy.livenessProbe.timeoutSeconds }}
        readinessProbe:
-          tcpSocket:
+          exec:
-            port: http
+            {{- if not .Values.certificate.enabled }}
-          failureThreshold: 3
+            command: [ "wget", "-T", "{{ .Values.deployment.athensProxy.readinessProbe.timeoutSeconds }}", "-O", "/dev/null", "http://localhost:3000" ]
-          initialDelaySeconds: 5
+            {{- else }}
-          periodSeconds: 15
+            command: [ "wget", "--no-check-certificate", "-T", "{{ .Values.deployment.athensProxy.readinessProbe.timeoutSeconds }}", "-O", "/dev/null", "https://localhost:3000" ]
-          successThreshold: 1
+            {{- end }}
-          timeoutSeconds: 3
+          failureThreshold: {{ .Values.deployment.athensProxy.readinessProbe.failureThreshold }}
          initialDelaySeconds: {{ .Values.deployment.athensProxy.readinessProbe.initialDelaySeconds }}
          periodSeconds: {{ .Values.deployment.athensProxy.readinessProbe.periodSeconds }}
          successThreshold: {{ .Values.deployment.athensProxy.readinessProbe.successThreshold }}
          timeoutSeconds: {{ .Values.deployment.athensProxy.readinessProbe.timeoutSeconds }}
        ports:
        - name: http
          containerPort: 3000
@@ -0,0 +1,36 @@
 {{- if eq (include "athens-proxy.httpRoute.enabled" $) "true" }}
 ---
 apiVersion: gateway.networking.k8s.io/v1
 kind: HTTPRoute
 metadata:
  {{- with (include "athens-proxy.httpRoute.annotations" . | fromYaml) }}
  annotations:
    {{- toYaml . | nindent 4 }}
  {{- end }}
  {{- with (include "athens-proxy.httpRoute.labels" . | fromYaml) }}
  labels:
    {{- toYaml . | nindent 4 }}
  {{- end }}
  name: {{ include "athens-proxy.fullname" . }}
  namespace: {{ .Release.Namespace }}
 spec:
  {{- with .Values.gatewayAPI.core.httpRoute.hostnames }}
  hostnames:
    {{- toYaml . | nindent 4 }}
  {{- end }}
  {{- with .Values.gatewayAPI.core.httpRoute.parentRefs }}
  parentRefs:
    {{- toYaml . | nindent 4 }}
  {{- end }}
  rules:
    - backendRefs:
        - kind: Service
          name: {{ include "athens-proxy.service.name" . }}
          namespace: {{ .Release.Namespace }}
          port: {{ .Values.service.port }}
          weight: 1
      {{- with .Values.gatewayAPI.core.httpRoute.matches }}
      matches:
        {{- toYaml . | nindent 6 }}
      {{- end }}
 {{- end }}
@@ -1,4 +1,4 @@
-{{- if and .Values.services.http.enabled .Values.ingress.enabled }}
+{{- if and .Values.service.enabled .Values.ingress.enabled }}
 ---
 apiVersion: networking.k8s.io/v1
 kind: Ingress
@@ -27,9 +27,9 @@ spec:
        {{- end }}
        backend:
          service:
-            name: {{ include "athens-proxy.services.http.name" $ }}
+            name: {{ include "athens-proxy.service.name" $ }}
            port:
-              number: {{ $.Values.services.http.port }}
+              number: {{ $.Values.service.port }}
      {{- end }}
  {{- end }}
  {{- if .Values.ingress.tls }}
@@ -0,0 +1,57 @@
 {{- if .Values.service.enabled }}
 ---
 apiVersion: v1
 kind: Service
 metadata:
  {{- with (include "athens-proxy.service.annotations" . | fromYaml) }}
  annotations:
    {{- toYaml . | nindent 4 }}
  {{- end }}
  {{- with (include "athens-proxy.service.labels" . | fromYaml) }}
  labels:
    {{- toYaml . | nindent 4 }}
  {{- end }}
  name: {{ include "athens-proxy.service.name" . }}
  namespace: {{ .Release.Namespace }}
 spec:
  {{- if not (empty .Values.service.externalIPs) }}
  externalIPs:
  {{- range .Values.service.externalIPs }}
  - {{ . }}
  {{- end }}
  {{- end }}
  {{- if and (or (eq .Values.service.type "LoadBalancer") (eq .Values.service.type "NodePort") ) .Values.service.externalTrafficPolicy }}
  externalTrafficPolicy: {{ .Values.service.externalTrafficPolicy }}
  {{- end }}
  internalTrafficPolicy: {{ required "No internal traffic policy defined!" .Values.service.internalTrafficPolicy }}
  {{- if .Values.service.ipFamilies }}
  ipFamilies:
  {{- range .Values.service.ipFamilies }}
  - {{ . }}
  {{- end }}
  {{- end }}
  {{- if and (eq .Values.service.type "LoadBalancer") .Values.service.loadBalancerClass }}
  loadBalancerClass: {{ .Values.service.loadBalancerClass }}
  {{- end }}
  {{- if and (eq .Values.service.type "LoadBalancer") .Values.service.loadBalancerIP }}
  loadBalancerIP: {{ .Values.service.loadBalancerIP }}
  {{- end }}
  {{- if eq .Values.service.type "LoadBalancer" }}
  loadBalancerSourceRanges:
  {{- range .Values.service.loadBalancerSourceRanges }}
  - {{ . }}
  {{- end }}
  {{- end }}
  ports:
  - name: http
    protocol: TCP
    port: {{ required "No service port defined!" .Values.service.port }}
  selector:
    {{- include "athens-proxy.pod.selectorLabels" . | nindent 4 }}
  sessionAffinity: {{ required "No session affinity defined!" .Values.service.sessionAffinity }}
  {{- with .Values.service.sessionAffinityConfig }}
  sessionAffinityConfig:
    {{- toYaml . | nindent 4}}
  {{- end }}
  type: {{ required "No service type defined!" .Values.service.type }}
 {{- end }}
@@ -1,57 +0,0 @@
 {{- if .Values.services.http.enabled }}
 ---
 apiVersion: v1
 kind: Service
 metadata:
  {{- with (include "athens-proxy.services.http.annotations" . | fromYaml) }}
  annotations:
    {{- toYaml . | nindent 4 }}
  {{- end }}
  {{- with (include "athens-proxy.services.http.labels" . | fromYaml) }}
  labels:
    {{- toYaml . | nindent 4 }}
  {{- end }}
  name: {{ include "athens-proxy.services.http.name" . }}
  namespace: {{ .Release.Namespace }}
 spec:
  {{- if not (empty .Values.services.http.externalIPs) }}
  externalIPs:
  {{- range .Values.services.http.externalIPs }}
  - {{ . }}
  {{- end }}
  {{- end }}
  {{- if and (or (eq .Values.services.http.type "LoadBalancer") (eq .Values.services.http.type "NodePort") ) .Values.services.http.externalTrafficPolicy }}
  externalTrafficPolicy: {{ .Values.services.http.externalTrafficPolicy }}
  {{- end }}
  internalTrafficPolicy: {{ required "No internal traffic policy defined!" .Values.services.http.internalTrafficPolicy }}
  {{- if .Values.services.http.ipFamilies }}
  ipFamilies:
  {{- range .Values.services.http.ipFamilies }}
  - {{ . }}
  {{- end }}
  {{- end }}
  {{- if and (eq .Values.services.http.type "LoadBalancer") .Values.services.http.loadBalancerClass }}
  loadBalancerClass: {{ .Values.services.http.loadBalancerClass }}
  {{- end }}
  {{- if and (eq .Values.services.http.type "LoadBalancer") .Values.services.http.loadBalancerIP }}
  loadBalancerIP: {{ .Values.services.http.loadBalancerIP }}
  {{- end }}
  {{- if eq .Values.services.http.type "LoadBalancer" }}
  loadBalancerSourceRanges:
  {{- range .Values.services.http.loadBalancerSourceRanges }}
  - {{ . }}
  {{- end }}
  {{- end }}
  ports:
  - name: http
    protocol: TCP
    port: {{ required "No service port defined!" .Values.services.http.port }}
  selector:
    {{- include "athens-proxy.pod.selectorLabels" . | nindent 4 }}
  sessionAffinity: {{ required "No session affinity defined!" .Values.services.http.sessionAffinity }}
  {{- with .Values.services.http.sessionAffinityConfig }}
  sessionAffinityConfig:
    {{- toYaml . | nindent 4}}
  {{- end }}
  type: {{ required "No service type defined!" .Values.services.http.type }}
 {{- end }}
@@ -0,0 +1,130 @@
 chart:
  appVersion: 0.1.0
  version: 0.1.0
 suite: backendTLSPolicy template
 release:
  name: athens-proxy-unittest
  namespace: testing
 templates:
 - templates/backendTLSPolicy.yaml
 tests:
 - it: Skip rendering when disabled 1/6
  set:
    gatewayAPI.enabled: false
    gatewayAPI.core.backendTLSPolicy.enabled: false
    service.enabled: false
  asserts:
  - hasDocuments:
      count: 0
 - it: Skip rendering when disabled 2/6
  set:
    gatewayAPI.enabled: true
    gatewayAPI.core.backendTLSPolicy.enabled: false
    service.enabled: false
  asserts:
  - hasDocuments:
      count: 0
 - it: Skip rendering when disabled 3/6
  set:
    gatewayAPI.enabled: false
    gatewayAPI.core.backendTLSPolicy.enabled: true
    service.enabled: false
  asserts:
  - hasDocuments:
      count: 0
 - it: Skip rendering when disabled 4/6
  set:
    gatewayAPI.enabled: false
    gatewayAPI.core.backendTLSPolicy.enabled: false
    service.enabled: true
  asserts:
  - hasDocuments:
      count: 0
 - it: Skip rendering when disabled 5/6
  set:
    gatewayAPI.enabled: true
    gatewayAPI.core.backendTLSPolicy.enabled: false
    service.enabled: true
  asserts:
  - hasDocuments:
      count: 0
 - it: Skip rendering when disabled 6/6
  set:
    gatewayAPI.enabled: true
    gatewayAPI.core.backendTLSPolicy.enabled: true
    service.enabled: false
  asserts:
  - hasDocuments:
      count: 0
 - it: Render default values
  set:
    gatewayAPI.enabled: true
    gatewayAPI.core.backendTLSPolicy.enabled: true
    service.enabled: true
  asserts:
  - hasDocuments:
      count: 1
  - containsDocument:
      apiVersion: gateway.networking.k8s.io/v1
      kind: BackendTLSPolicy
      name: athens-proxy-unittest
      namespace: testing
  - contains:
      path: spec.targetRefs
      content:
        group: ""
        kind: Service
        name: athens-proxy-unittest
  - notExists:
      path: spec.validation.caCertificateRefs
 - it: Render with custom annotations and labels
  set:
    gatewayAPI.enabled: true
    gatewayAPI.core.backendTLSPolicy:
      enabled: true
      annotations:
        foo: bar
      labels:
        bar: foo
    service.enabled: true
  asserts:
  - equal:
      path: metadata.annotations
      value:
        foo: bar
  - equal:
      path: metadata.labels
      value:
        app.kubernetes.io/instance: athens-proxy-unittest
        app.kubernetes.io/name: athens-proxy
        app.kubernetes.io/version: 0.1.0
        app.kubernetes.io/managed-by: Helm
        helm.sh/chart: athens-proxy-0.1.0
        bar: foo
 - it: Render with custom validation
  set:
    gatewayAPI.enabled: true
    gatewayAPI.core.backendTLSPolicy.enabled: true
    gatewayAPI.core.backendTLSPolicy.validation:
      caCertificateRefs:
        - group: ""
          kind: Secret
          name: athens-proxy-ca
      hostname: athens-proxy.svc.cluster.local
    service.enabled: true
  asserts:
  - isSubset:
      path: spec.validation
      content:
        caCertificateRefs:
          - group: ""
            kind: Secret
            name: athens-proxy-ca
@@ -0,0 +1,300 @@
 chart:
  appVersion: 0.1.0
  version: 0.1.0
 suite: Certificate athens-proxy template
 release:
  name: athens-proxy-unittest
  namespace: testing
 templates:
 - templates/certificate.yaml
 tests:
 - it: Skip rendering by default.
  asserts:
  - hasDocuments:
      count: 0
 - it: Skip rendering for existing certificate
  set:
    certificate.enabled: true
    certificate.existingSecret.enabled: true
  asserts:
  - hasDocuments:
      count: 0
 - it: Throw error when issuerKind and IssuerName is not defined
  set:
    certificate.enabled: true
  asserts:
  - failedTemplate:
      errorMessage: "No certificate issuer kind defined!"
 - it: Throw error when issuerKind and IssuerName is not defined
  set:
    certificate.enabled: true
  asserts:
  - failedTemplate: {}
 - it: Throw error when issuerKind not defined
  set:
    certificate.enabled: true
    certificate.new.issuerRef.name: "my-issuer"
  asserts:
  - failedTemplate:
      errorMessage: "No certificate issuer kind defined!"
 - it: Throw error when issuerName not defined
  set:
    certificate.enabled: true
    certificate.new.issuerRef.kind: "ClusterIssuer"
  asserts:
  - failedTemplate:
      errorMessage: "No certificate issuer name defined!"
 - it: Rendering Certificate object when certificate.enabled=true (default)
  set:
    certificate.enabled: true
    certificate.new.issuerRef.kind: ClusterIssuer
    certificate.new.issuerRef.name: my-issuer
  asserts:
  - hasDocuments:
      count: 1
  - containsDocument:
      apiVersion: cert-manager.io/v1
      kind: Certificate
      name: athens-proxy-unittest-tls
      namespace: testing
  - equal:
      path: spec.commonName
      value: athens-proxy-unittest
  - equal:
      path: spec.duration
      value: 744h
  - equal:
      path: spec.dnsNames
      value: [ "athens-proxy-unittest", "athens-proxy-unittest.testing", "athens-proxy-unittest.testing.svc", "athens-proxy-unittest.testing.svc.cluster.local" ]
  - notExists:
      path: spec.ipAddresses
  - equal:
      path: spec.isCA
      value: false
  - equal:
      path: spec.issuerRef.kind
      value: ClusterIssuer
  - equal:
      path: spec.issuerRef.name
      value: my-issuer
  - equal:
      path: spec.privateKey.algorithm
      value: RSA
  - equal:
      path: spec.privateKey.size
      value: 4096
  - equal:
      path: spec.privateKey.rotationPolicy
      value: Never
  - equal:
      path: spec.secretName
      value: athens-proxy-unittest-tls
  - exists:
      path: spec.secretTemplate.annotations
  - exists:
      path: spec.secretTemplate.labels
  - notExists:
      path: spec.subject
  - notExists:
      path: spec.subject.countries
  - notExists:
      path: spec.subject.localities
  - notExists:
      path: spec.subject.organizationalUnits
  - notExists:
      path: spec.subject.organizations
  - notExists:
      path: spec.subject.postalCodes
  - notExists:
      path: spec.subject.provinces
  - notExists:
      path: spec.subject.serialNumber
  - notExists:
      path: spec.subject.streetAddresses
  - equal:
      path: spec.renewBefore
      value: 672h
  - equal:
      path: spec.usages
      value: [ "client auth", "server auth" ]
 # metadata.annotations
 - it: Rendering Certificate object with additional annotations and labels
  set:
    certificate.enabled: true
    certificate.new.issuerRef.kind: ClusterIssuer
    certificate.new.issuerRef.name: my-issuer
    certificate.new.annotations:
      foo: bar
    certificate.new.labels:
      bar: foo
  asserts:
  - isSubset:
      path: metadata.annotations
      content:
        foo: bar
  - isSubset:
      path: metadata.labels
      content:
        bar: foo
 # spec.duration
 - it: Rendering Certificate object with custom `.Values.certificate.new.duration`.
  set:
    certificate.enabled: true
    certificate.new.issuerRef.kind: ClusterIssuer
    certificate.new.issuerRef.name: my-issuer
    certificate.new.duration: 3000h
  asserts:
  - equal:
      path: spec.duration
      value: 3000h
 # spec.dnsNames
 - it: Rendering Certificate object with custom `.Values.certificate.new.dnsNames`.
  set:
    certificate.enabled: true
    certificate.new.issuerRef.kind: ClusterIssuer
    certificate.new.issuerRef.name: my-issuer
    certificate.new.dnsNames: [ "app", "app.example.local" ]
  asserts:
  - equal:
      path: spec.dnsNames
      value: [ "app", "app.example.local" ]
 # spec.dnsNames
 - it: Rendering Certificate object with custom `.Values.clusterDomain` as domain.
  set:
    certificate.enabled: true
    certificate.new.issuerRef.kind: ClusterIssuer
    certificate.new.issuerRef.name: my-issuer
    clusterDomain: k8s.example.local
  asserts:
  - contains:
      path: spec.dnsNames
      content:
        athens-proxy-unittest.testing.svc.k8s.example.local
      count: 1
 # spec.ipAddresses
 - it: RRendering Certificate object with custom `.Values.certificate.new.ipAddresses`.
  set:
    certificate.enabled: true
    certificate.new.issuerRef.kind: ClusterIssuer
    certificate.new.issuerRef.name: my-issuer
    certificate.new.ipAddresses: [ "10.11.12.13", "fe00:xxyy:xxyy" ]
  asserts:
  - equal:
      path: spec.ipAddresses
      value: [ "10.11.12.13", "fe00:xxyy:xxyy" ]
 # spec.privateKey
 - it: Rendering Certificate object with custom `.Values.certificate.new.privateKey` values.
  set:
    certificate.enabled: true
    certificate.new.issuerRef.kind: ClusterIssuer
    certificate.new.issuerRef.name: my-issuer
    certificate.new.privateKey.algorithm: ED25519
    certificate.new.privateKey.rotationPolicy: Never
    certificate.new.privateKey.size: 512
  asserts:
  - equal:
      path: spec.privateKey.algorithm
      value: ED25519
  - equal:
      path: spec.privateKey.rotationPolicy
      value: Never
  - equal:
      path: spec.privateKey.size
      value: 512
 # spec.renewBefore
 - it: Rendering Certificate object with custom `.Values.certificate.new.renewBefore`.
  set:
    certificate.enabled: true
    certificate.new.issuerRef.kind: ClusterIssuer
    certificate.new.issuerRef.name: my-issuer
    certificate.new.renewBefore: 2000h
  asserts:
  - equal:
      path: spec.renewBefore
      value: 2000h
 # spec.secretTemplate
 - it: Rendering Certificate object with custom `.Values.certificate.new.secretTemplate` values.
  set:
    certificate.enabled: true
    certificate.new.issuerRef.kind: ClusterIssuer
    certificate.new.issuerRef.name: my-issuer
    certificate.new.secretTemplate:
      annotations:
        foo: bar
      labels:
        bar: foo
  asserts:
  - equal:
      path: spec.secretTemplate.annotations
      value:
        foo: bar
  - equal:
      path: spec.secretTemplate.labels
      value:
        bar: foo
 # spec.secretTemplate
 - it: Rendering Certificate object with custom `.Values.certificate.new.subject` values.
  set:
    certificate.enabled: true
    certificate.new.issuerRef.kind: ClusterIssuer
    certificate.new.issuerRef.name: my-issuer
    certificate.new.subject.countries: [ "Country" ]
    certificate.new.subject.localities: [ "City" ]
    certificate.new.subject.organizationalUnits: [ "IT department" ]
    certificate.new.subject.organizations: [ "My organization" ]
    certificate.new.subject.postalCodes: [ "AB12345", "12345AB" ]
    certificate.new.subject.provinces: [ "Provinces" ]
    certificate.new.subject.serialNumber: "MyNumber"
    certificate.new.subject.streetAddresses: [ "ExampleStreet 1", "StreetExample 2" ]
  asserts:
  - equal:
      path: spec.subject.countries
      value: [ "Country" ]
  - equal:
      path: spec.subject.localities
      value: [ "City" ]
  - equal:
      path: spec.subject.organizationalUnits
      value: [ "IT department" ]
  - equal:
      path: spec.subject.organizations
      value: [ "My organization" ]
  - equal:
      path: spec.subject.postalCodes
      value: [ "AB12345", "12345AB" ]
  - equal:
      path: spec.subject.provinces
      value: [ "Provinces" ]
  - equal:
      path: spec.subject.serialNumber
      value: "MyNumber"
  - equal:
      path: spec.subject.streetAddresses
      value: [ "ExampleStreet 1", "StreetExample 2" ]
 # spec.usages
 - it: Rendering Certificate object with custom `.Values.certificate.new.usages`.
  set:
    certificate.enabled: true
    certificate.new.issuerRef.kind: ClusterIssuer
    certificate.new.issuerRef.name: my-issuer
    certificate.new.usages: [ "client auth" ]
  asserts:
  - equal:
      path: spec.usages
      value: [ "client auth" ]
@@ -0,0 +1,190 @@
 chart:
  appVersion: 0.1.0
  version: 0.1.0
 suite: ClientSettingsPolicy template
 release:
  name: athens-proxy-unittest
  namespace: testing
 templates:
 - templates/clientSettingsPolicy.yaml
 tests:
 - it: Skip rendering when disabled 1/8
  set:
    gatewayAPI.enabled: false
    gatewayAPI.core.httpRoute.enabled: false
    gatewayAPI.nginx.clientSettingsPolicy.enabled: false
    service.enabled: false
  asserts:
  - hasDocuments:
      count: 0
 - it: Skip rendering when disabled 2/8
  set:
    gatewayAPI.enabled: true
    gatewayAPI.core.httpRoute.enabled: false
    gatewayAPI.nginx.clientSettingsPolicy.enabled: false
    service.enabled: false
  asserts:
  - hasDocuments:
      count: 0
 - it: Skip rendering when disabled 3/8
  set:
    gatewayAPI.enabled: false
    gatewayAPI.core.httpRoute.enabled: true
    gatewayAPI.nginx.clientSettingsPolicy.enabled: false
    service.enabled: false
  asserts:
  - hasDocuments:
      count: 0
 - it: Skip rendering when disabled 4/8
  set:
    gatewayAPI.enabled: false
    gatewayAPI.core.httpRoute.enabled: false
    gatewayAPI.nginx.clientSettingsPolicy.enabled: true
    service.enabled: false
  asserts:
  - hasDocuments:
      count: 0
 - it: Skip rendering when disabled 5/8
  set:
    gatewayAPI.enabled: false
    gatewayAPI.core.httpRoute.enabled: false
    gatewayAPI.nginx.clientSettingsPolicy.enabled: false
    service.enabled: true
  asserts:
  - hasDocuments:
      count: 0
 - it: Skip rendering when disabled 6/8
  set:
    gatewayAPI.enabled: true
    gatewayAPI.core.httpRoute.enabled: true
    gatewayAPI.nginx.clientSettingsPolicy.enabled: false
    service.enabled: false
  asserts:
  - hasDocuments:
      count: 0
 - it: Skip rendering when disabled 7/8
  set:
    gatewayAPI.enabled: true
    gatewayAPI.core.httpRoute.enabled: false
    gatewayAPI.nginx.clientSettingsPolicy.enabled: true
    service.enabled: false
  asserts:
  - hasDocuments:
      count: 0
 - it: Skip rendering when disabled 8/8
  set:
    gatewayAPI.enabled: true
    gatewayAPI.core.httpRoute.enabled: false
    gatewayAPI.nginx.clientSettingsPolicy.enabled: false
    service.enabled: true
  asserts:
  - hasDocuments:
      count: 0
 - it: Render default values
  set:
    gatewayAPI.enabled: true
    gatewayAPI.core.httpRoute.enabled: true
    gatewayAPI.nginx.clientSettingsPolicy.enabled: true
    service.enabled: true
  asserts:
  - hasDocuments:
      count: 1
  - containsDocument:
      apiVersion: gateway.nginx.org/v1alpha1
      kind: ClientSettingsPolicy
      name: athens-proxy-unittest
      namespace: testing
  - notExists:
      path: metadata.annotations
  - equal:
      path: metadata.labels
      value:
        app.kubernetes.io/instance: athens-proxy-unittest
        app.kubernetes.io/managed-by: Helm
        app.kubernetes.io/name: athens-proxy
        app.kubernetes.io/version: 0.1.0
        helm.sh/chart: athens-proxy-0.1.0
  - isSubset:
      path: spec.targetRef
      content:
        group: gateway.networking.k8s.io
        kind: HTTPRoute
        name: athens-proxy-unittest
  - notExists:
      path: spec.body
  - notExists:
      path: spec.keepAlive
 - it: Render custom annotations and labels
  set:
    gatewayAPI.enabled: true
    gatewayAPI.core.httpRoute.enabled: true
    gatewayAPI.nginx.clientSettingsPolicy:
      enabled: true
      annotations:
        foo: "bar"
      labels:
        bar: "foo"
    service.enabled: true
  asserts:
  - equal:
      path: metadata.annotations
      value:
        foo: "bar"
  - equal:
      path: metadata.labels
      value:
        app.kubernetes.io/instance: athens-proxy-unittest
        app.kubernetes.io/managed-by: Helm
        app.kubernetes.io/name: athens-proxy
        app.kubernetes.io/version: 0.1.0
        helm.sh/chart: athens-proxy-0.1.0
        bar: "foo"
 - it: Render with custom body settings
  set:
    gatewayAPI.enabled: true
    gatewayAPI.core.httpRoute.enabled: true
    gatewayAPI.nginx.clientSettingsPolicy:
      enabled: true
      clientMaxBodySize: 10m
      clientBodyTimeout: 30s
    service.enabled: true
  asserts:
  - isSubset:
      path: spec.body
      content:
        maxSize: 10m
        timeout: 30s
  - notExists:
      path: spec.keepAlive
 - it: Render with custom keepAlive settings
  set:
    gatewayAPI.enabled: true
    gatewayAPI.core.httpRoute.enabled: true
    gatewayAPI.nginx.clientSettingsPolicy:
      enabled: true
      keepaliveRequests: 100
      keepaliveTime: 60s
      keepaliveTimeout: 60s
      keepaliveMinTimeout: 10s
    service.enabled: true
  asserts:
  - notExists:
      path: spec.body
  - isSubset:
      path: spec.keepAlive
      content:
        requests: 100
        time: 60s
        timeout: 60s
        minTimeout: 10s
@@ -0,0 +1,111 @@
 chart:
  appVersion: 0.1.0
  version: 0.1.0
 suite: Deployment template
 release:
  name: athens-proxy-unittest
  namespace: testing
 templates:
 - templates/configMapDownloadMode.yaml
 - templates/configMapGitConfig.yaml
 - templates/deployment.yaml
 - templates/secretNetRC.yaml
 - templates/secretSSH.yaml
 tests:
 - it: Rendering default without tls config
  asserts:
    - notContains:
        path: spec.template.spec.containers[0].env
        content:
          name: ATHENS_TLSCERT_FILE
          value: /etc/athens-proxy/tls/tls.crt
      template: templates/deployment.yaml
    - notContains:
        path: spec.template.spec.containers[0].env
        content:
          name: ATHENS_TLSKEY_FILE
          value: /etc/athens-proxy/tls/tls.key
      template: templates/deployment.yaml
    - notContains:
        path: spec.template.spec.containers[0].volumeMounts
        content:
          name: tls
          mountPath: /etc/athens-proxy/tls
      template: templates/deployment.yaml
    - notContains:
        path: spec.template.spec.volumes
        content:
          name: tls
          secretRef:
            name: athens-proxy-unittest-tls
      template: templates/deployment.yaml
 - it: Rendering with tls config
  set:
    certificate.enabled: true
    certificate.new.issuerRef.kind: ClusterIssuer
    certificate.new.issuerRef.name: MyIssuer
  asserts:
    - exists:
        path: spec.template.metadata.annotations["checksum/secret-athens-proxy-unittest-tls"]
      template: templates/deployment.yaml
    - contains:
        path: spec.template.spec.containers[0].env
        content:
          name: ATHENS_TLSCERT_FILE
          value: /etc/athens-proxy/tls/tls.crt
      template: templates/deployment.yaml
    - contains:
        path: spec.template.spec.containers[0].env
        content:
          name: ATHENS_TLSKEY_FILE
          value: /etc/athens-proxy/tls/tls.key
      template: templates/deployment.yaml
    - contains:
        path: spec.template.spec.containers[0].volumeMounts
        content:
          name: tls
          mountPath: /etc/athens-proxy/tls
      template: templates/deployment.yaml
    - contains:
        path: spec.template.spec.volumes
        content:
          name: tls
          secret:
            secretName: athens-proxy-unittest-tls
      template: templates/deployment.yaml
 - it: Rendering with external TLS config
  set:
    certificate.enabled: true
    certificate.existingSecret.enabled: true
    certificate.existingSecret.secretName: my-own-secret
  asserts:
    - exists:
        path: spec.template.metadata.annotations["checksum/secret-my-own-secret"]
      template: templates/deployment.yaml
    - contains:
        path: spec.template.spec.containers[0].env
        content:
          name: ATHENS_TLSCERT_FILE
          value: /etc/athens-proxy/tls/tls.crt
      template: templates/deployment.yaml
    - contains:
        path: spec.template.spec.containers[0].env
        content:
          name: ATHENS_TLSKEY_FILE
          value: /etc/athens-proxy/tls/tls.key
      template: templates/deployment.yaml
    - contains:
        path: spec.template.spec.containers[0].volumeMounts
        content:
          name: tls
          mountPath: /etc/athens-proxy/tls
      template: templates/deployment.yaml
    - contains:
        path: spec.template.spec.volumes
        content:
          name: tls
          secret:
            secretName: athens-proxy-unittest-tls
      template: templates/deployment.yaml
@@ -67,6 +67,46 @@ tests:
      path: spec.template.spec.containers[0].imagePullPolicy
      value: IfNotPresent
    template: templates/deployment.yaml
  - equal:
      path: spec.template.spec.containers[0].livenessProbe.failureThreshold
      value: 3
    template: templates/deployment.yaml
  - equal:
      path: spec.template.spec.containers[0].livenessProbe.initialDelaySeconds
      value: 5
    template: templates/deployment.yaml
  - equal:
      path: spec.template.spec.containers[0].livenessProbe.periodSeconds
      value: 60
    template: templates/deployment.yaml
  - equal:
      path: spec.template.spec.containers[0].livenessProbe.successThreshold
      value: 1
    template: templates/deployment.yaml
  - equal:
      path: spec.template.spec.containers[0].livenessProbe.timeoutSeconds
      value: 3
    template: templates/deployment.yaml
  - equal:
      path: spec.template.spec.containers[0].readinessProbe.failureThreshold
      value: 3
    template: templates/deployment.yaml
  - equal:
      path: spec.template.spec.containers[0].readinessProbe.initialDelaySeconds
      value: 5
    template: templates/deployment.yaml
  - equal:
      path: spec.template.spec.containers[0].readinessProbe.periodSeconds
      value: 15
    template: templates/deployment.yaml
  - equal:
      path: spec.template.spec.containers[0].readinessProbe.successThreshold
      value: 1
    template: templates/deployment.yaml
  - equal:
      path: spec.template.spec.containers[0].readinessProbe.timeoutSeconds
      value: 3
    template: templates/deployment.yaml
  - notExists:
      path: spec.template.spec.containers[0].resources
    template: templates/deployment.yaml
@@ -221,6 +261,77 @@ tests:
      value: Always
    template: templates/deployment.yaml
 - it: Test custom livenessProbe
  set:
    # Normal test values
    deployment.athensProxy.livenessProbe:
      failureThreshold: 5
      initialDelaySeconds: 10
      periodSeconds: 120
      successThreshold: 3
      timeoutSeconds: 5
  asserts:
  - equal:
      path: spec.template.spec.containers[0].livenessProbe.failureThreshold
      value: 5
    template: templates/deployment.yaml
  - equal:
      path: spec.template.spec.containers[0].livenessProbe.initialDelaySeconds
      value: 10
    template: templates/deployment.yaml
  - equal:
      path: spec.template.spec.containers[0].livenessProbe.periodSeconds
      value: 120
    template: templates/deployment.yaml
  - equal:
      path: spec.template.spec.containers[0].livenessProbe.successThreshold
      value: 3
    template: templates/deployment.yaml
  - equal:
      path: spec.template.spec.containers[0].livenessProbe.timeoutSeconds
      value: 5
    template: templates/deployment.yaml
  - contains:
      path: spec.template.spec.containers[0].livenessProbe.exec.command
      content: "5"
    template: templates/deployment.yaml
 - it: Test custom readinessProbe
  set:
    # Normal test values
    deployment.athensProxy.readinessProbe:
      failureThreshold: 10
      initialDelaySeconds: 10
      periodSeconds: 30
      successThreshold: 5
      timeoutSeconds: 5
  asserts:
  - equal:
      path: spec.template.spec.containers[0].readinessProbe.failureThreshold
      value: 10
    template: templates/deployment.yaml
  - equal:
      path: spec.template.spec.containers[0].readinessProbe.initialDelaySeconds
      value: 10
    template: templates/deployment.yaml
  - equal:
      path: spec.template.spec.containers[0].readinessProbe.periodSeconds
      value: 30
    template: templates/deployment.yaml
  - equal:
      path: spec.template.spec.containers[0].readinessProbe.successThreshold
      value: 5
    template: templates/deployment.yaml
  - equal:
      path: spec.template.spec.containers[0].readinessProbe.timeoutSeconds
      value: 5
    template: templates/deployment.yaml
  - contains:
      path: spec.template.spec.containers[0].readinessProbe.exec.command
      content: "5"
    template: templates/deployment.yaml
 - it: Test custom resource limits and requests
  set:
    # Ensure that the secrets and config maps are well configured.
@@ -40,6 +40,7 @@ tests:
 - it: Rendering default with mounted gitconfig configMap
  set:
    config.downloadMode.enabled: true
    config.downloadMode.addSHASumAnnotation: true
    persistence.enabled: true
  asserts:
    - exists:
@@ -69,16 +70,87 @@ tests:
            name: athens-proxy-unittest-download-mode-file
      template: templates/deployment.yaml
 - it: Rendering default with mounted gitconfig configMap
  set:
    config.downloadMode.enabled: true
    config.downloadMode.addSHASumAnnotation: false
    persistence.enabled: true
  asserts:
    - notExists:
        path: spec.template.metadata.annotations.checksum/config-map-athens-proxy-unittest-download-mode-file
      template: templates/deployment.yaml
    - contains:
        path: spec.template.spec.containers[0].env
        content:
          name: ATHENS_DOWNLOAD_MODE
          value: file:/etc/athens/config/download-mode.d/download-mode
      template: templates/deployment.yaml
    - contains:
        path: spec.template.spec.containers[0].volumeMounts
        content:
          name: download-mode
          mountPath: /etc/athens/config/download-mode.d
      template: templates/deployment.yaml
    - contains:
        path: spec.template.spec.volumes
        content:
          name: download-mode
          configMap:
            items:
              - key: downloadMode
                mode: 0644
                path: download-mode
            name: athens-proxy-unittest-download-mode-file
      template: templates/deployment.yaml
 - it: Rendering with custom download mode configMap
  set:
    config.downloadMode.enabled: true
    config.downloadMode.addSHASumAnnotation: true
    config.downloadMode.existingConfigMap.enabled: true
    config.downloadMode.existingConfigMap.configMapName: "my-custom-configmap"
    config.downloadMode.existingConfigMap.downloadModeKey: "my-custom-download-mode-filename-key"
    persistence.enabled: true
  asserts:
-    - notExists:
+    - exists:
-        path: spec.template.metadata.annotations.checksum/config-map-athens-proxy-unittest-download-mode-file
+        path: spec.template.metadata.annotations.checksum/config-map-my-custom-configmap
      template: templates/deployment.yaml
    - contains:
        path: spec.template.spec.containers[0].env
        content:
          name: ATHENS_DOWNLOAD_MODE
          value: file:/etc/athens/config/download-mode.d/download-mode
      template: templates/deployment.yaml
    - contains:
        path: spec.template.spec.containers[0].volumeMounts
        content:
          name: download-mode
          mountPath: /etc/athens/config/download-mode.d
      template: templates/deployment.yaml
    - contains:
        path: spec.template.spec.volumes
        content:
          name: download-mode
          configMap:
            items:
            - key: "my-custom-download-mode-filename-key"
              path: "download-mode"
              mode: 0644
            name: my-custom-configmap
      template: templates/deployment.yaml
 - it: Rendering with custom download mode configMap, but without sha sum annotation
  set:
    config.downloadMode.enabled: true
    config.downloadMode.addSHASumAnnotation: false
    config.downloadMode.existingConfigMap.enabled: true
    config.downloadMode.existingConfigMap.configMapName: "my-custom-configmap"
    config.downloadMode.existingConfigMap.downloadModeKey: "my-custom-download-mode-filename-key"
    persistence.enabled: true
  asserts:
    - notExists:
        path: spec.template.metadata.annotations.checksum/config-map-my-custom-configmap
      template: templates/deployment.yaml
    - contains:
        path: spec.template.spec.containers[0].env
@@ -35,10 +35,10 @@ tests:
            name: athens-proxy-unittest-env
      template: templates/deployment.yaml
- it: Rendering default with mounted env secret
+- it: Rendering default with mounted env secret, but without sha sum annotation
  set:
    config.env.enabled: true
-    config.env.existingSecret.enabled: true
+    config.env.addSHASumAnnotation: false
  asserts:
    - notExists:
        path: spec.template.metadata.annotations.checksum/secret-athens-proxy-unittest-env
@@ -49,3 +49,36 @@ tests:
          secretRef:
            name: athens-proxy-unittest-env
      template: templates/deployment.yaml
 - it: Rendering default with mounted existing env secret
  set:
    config.env.enabled: true
    config.env.existingSecret.enabled: true
    config.env.existingSecret.secretName: my-secret
  asserts:
    - exists:
        path: spec.template.metadata.annotations.checksum/secret-my-secret
      template: templates/deployment.yaml
    - contains:
        path: spec.template.spec.containers[0].envFrom
        content:
          secretRef:
            name: my-secret
      template: templates/deployment.yaml
 - it: Rendering default with mounted existing env secret, but without sha sum annotation
  set:
    config.env.enabled: true
    config.env.addSHASumAnnotation: false
    config.env.existingSecret.enabled: true
    config.env.existingSecret.secretName: my-secret
  asserts:
    - notExists:
        path: spec.template.metadata.annotations.checksum/secret-my-secret
      template: templates/deployment.yaml
    - contains:
        path: spec.template.spec.containers[0].envFrom
        content:
          secretRef:
            name: my-secret
      template: templates/deployment.yaml
@@ -41,6 +41,7 @@ tests:
 - it: Rendering default with mounted gitconfig configMap
  set:
    config.gitConfig.enabled: true
    config.gitConfig.addSHASumAnnotation: true
    persistence.enabled: true
  asserts:
    - exists:
@@ -67,16 +68,80 @@ tests:
                name: athens-proxy-unittest-gitconfig
      template: templates/deployment.yaml
 - it: Rendering default with mounted gitconfig configMap, but without sha sum annotation
  set:
    config.gitConfig.enabled: true
    config.gitConfig.addSHASumAnnotation: false
    persistence.enabled: true
  asserts:
    - notExists:
        path: spec.template.metadata.annotations.checksum/config-map-athens-proxy-unittest-gitconfig
      template: templates/deployment.yaml
    - contains:
        path: spec.template.spec.containers[0].volumeMounts
        content:
          name: secrets
          mountPath: /root/.gitconfig
          subPath: .gitconfig
      template: templates/deployment.yaml
    - contains:
        path: spec.template.spec.volumes
        content:
          name: secrets
          projected:
            sources:
            - configMap:
                items:
                - key: .gitconfig
                  path: .gitconfig
                  mode: 0644
                name: athens-proxy-unittest-gitconfig
      template: templates/deployment.yaml
 - it: Rendering with custom gitconfig configMap
  set:
    config.gitConfig.enabled: true
    config.gitConfig.addSHASumAnnotation: true
    config.gitConfig.existingConfigMap.enabled: true
    config.gitConfig.existingConfigMap.configMapName: "my-custom-configmap"
    config.gitConfig.existingConfigMap.gitConfigKey: "my-gitconfig-key"
    persistence.enabled: true
  asserts:
-    - notExists:
+    - exists:
-        path: spec.template.metadata.annotations.checksum/config-map-athens-proxy-unittest-gitconfig
+        path: spec.template.metadata.annotations.checksum/config-map-my-custom-configmap
      template: templates/deployment.yaml
    - contains:
        path: spec.template.spec.containers[0].volumeMounts
        content:
          name: secrets
          mountPath: /root/.gitconfig
          subPath: .gitconfig
      template: templates/deployment.yaml
    - contains:
        path: spec.template.spec.volumes
        content:
          name: secrets
          projected:
            sources:
            - configMap:
                items:
                - key: my-gitconfig-key
                  path: .gitconfig
                  mode: 0644
                name: my-custom-configmap
      template: templates/deployment.yaml
 - it: Rendering with custom gitconfig configMap, but without sha sum annotations
  set:
    config.gitConfig.enabled: true
    config.gitConfig.addSHASumAnnotation: false
    config.gitConfig.existingConfigMap.enabled: true
    config.gitConfig.existingConfigMap.configMapName: "my-custom-configmap"
    config.gitConfig.existingConfigMap.gitConfigKey: "my-gitconfig-key"
    persistence.enabled: true
  asserts:
    - notExists:
        path: spec.template.metadata.annotations.checksum/config-map-my-custom-configmap
      template: templates/deployment.yaml
    - contains:
        path: spec.template.spec.containers[0].volumeMounts
@@ -40,6 +40,7 @@ tests:
 - it: Rendering default with mounted netrc secret
  set:
    config.netrc.enabled: true
    config.netrc.addSHASumAnnotation: true
    persistence.enabled: true
  asserts:
    - exists:
@@ -66,16 +67,80 @@ tests:
                name: athens-proxy-unittest-netrc
      template: templates/deployment.yaml
 - it: Rendering default with mounted netrc secret, but without sha sum annotation
  set:
    config.netrc.enabled: true
    config.netrc.addSHASumAnnotation: false
    persistence.enabled: true
  asserts:
    - notExists:
        path: spec.template.metadata.annotations.checksum/secret-athens-proxy-unittest-netrc
      template: templates/deployment.yaml
    - contains:
        path: spec.template.spec.containers[0].volumeMounts
        content:
          name: secrets
          mountPath: /root/.netrc
          subPath: .netrc
      template: templates/deployment.yaml
    - contains:
        path: spec.template.spec.volumes
        content:
          name: secrets
          projected:
            sources:
            - secret:
                items:
                - key: .netrc
                  path: .netrc
                  mode: 0600
                name: athens-proxy-unittest-netrc
      template: templates/deployment.yaml
 - it: Rendering with custom netrc secret
  set:
    config.netrc.enabled: true
    config.netrc.addSHASumAnnotation: true
    config.netrc.existingSecret.enabled: true
    config.netrc.existingSecret.secretName: "my-custom-secret"
    config.netrc.existingSecret.netrcKey: "my-netrc-key"
    persistence.enabled: true
  asserts:
-    - notExists:
+    - exists:
-        path: spec.template.metadata.annotations.checksum/secret-athens-proxy-unittest-netc
+        path: spec.template.metadata.annotations.checksum/secret-my-custom-secret
      template: templates/deployment.yaml
    - contains:
        path: spec.template.spec.containers[0].volumeMounts
        content:
          name: secrets
          mountPath: /root/.netrc
          subPath: .netrc
      template: templates/deployment.yaml
    - contains:
        path: spec.template.spec.volumes
        content:
          name: secrets
          projected:
            sources:
            - secret:
                items:
                - key: my-netrc-key
                  path: .netrc
                  mode: 0600
                name: my-custom-secret
      template: templates/deployment.yaml
 - it: Rendering with custom netrc secret, but without sha sum annotation
  set:
    config.netrc.enabled: true
    config.netrc.addSHASumAnnotation: false
    config.netrc.existingSecret.enabled: true
    config.netrc.existingSecret.secretName: "my-custom-secret"
    config.netrc.existingSecret.netrcKey: "my-netrc-key"
    persistence.enabled: true
  asserts:
    - notExists:
        path: spec.template.metadata.annotations.checksum/secret-my-custom-secret
      template: templates/deployment.yaml
    - contains:
        path: spec.template.spec.containers[0].volumeMounts
@@ -107,6 +107,7 @@ tests:
 - it: Rendering default with mounted ssh keys
  set:
    config.ssh.enabled: true
    config.ssh.addSHASumAnnotation: true
    config.ssh.secret.id_ed25519: foo
    config.ssh.secret.id_ed25519_pub: bar
    config.ssh.secret.id_rsa: foo
@@ -180,6 +181,7 @@ tests:
 - it: Rendering with custom ssh secret
  set:
    config.ssh.enabled: true
    config.ssh.addSHASumAnnotation: true
    config.ssh.existingSecret.enabled: true
    config.ssh.existingSecret.secretName: "my-custom-secret"
    config.ssh.existingSecret.configKey : "my-config-key"
@@ -189,8 +191,8 @@ tests:
    config.ssh.existingSecret.id_rsaPubKey : "my-public-rsa-key"
    persistence.enabled: true
  asserts:
-    - notExists:
+    - exists:
-        path: spec.template.metadata.annotations.checksum/secret-athens-proxy-unittest-ssh
+        path: spec.template.metadata.annotations.checksum/secret-my-custom-secret
      template: templates/deployment.yaml
    - contains:
        path: spec.template.spec.containers[0].volumeMounts
@@ -252,3 +254,14 @@ tests:
                  mode: 0644
                name: my-custom-secret
      template: templates/deployment.yaml
 - it: Rendering with custom ssh secret, but without sha sum annotation
  set:
    config.ssh.enabled: true
    config.ssh.addSHASumAnnotation: false
    config.ssh.existingSecret.enabled: true
    config.ssh.existingSecret.secretName: "my-custom-secret"
  asserts:
    - notExists:
        path: spec.template.metadata.annotations.checksum/secret-my-custom-secret
      template: templates/deployment.yaml
@@ -0,0 +1,194 @@
 chart:
  appVersion: 0.1.0
  version: 0.1.0
 suite: HTTPRoute template
 release:
  name: athens-proxy-unittest
  namespace: testing
 templates:
 - templates/httpRoute.yaml
 tests:
 - it: Skip rendering when disabled 1/6
  set:
    gatewayAPI.enabled: false
    gatewayAPI.core.httpRoute.enabled: false
    service.enabled: false
  asserts:
  - hasDocuments:
      count: 0
 - it: Skip rendering when disabled 2/6
  set:
    gatewayAPI.enabled: true
    gatewayAPI.core.httpRoute.enabled: false
    service.enabled: false
  asserts:
  - hasDocuments:
      count: 0
 - it: Skip rendering when disabled 3/6
  set:
    gatewayAPI.enabled: false
    gatewayAPI.core.httpRoute.enabled: true
    service.enabled: false
  asserts:
  - hasDocuments:
      count: 0
 - it: Skip rendering when disabled 4/6
  set:
    gatewayAPI.enabled: false
    gatewayAPI.core.httpRoute.enabled: false
    service.enabled: true
  asserts:
  - hasDocuments:
      count: 0
 - it: Skip rendering when disabled 5/6
  set:
    gatewayAPI.enabled: true
    gatewayAPI.core.httpRoute.enabled: false
    service.enabled: true
  asserts:
  - hasDocuments:
      count: 0
 - it: Skip rendering when disabled 6/6
  set:
    gatewayAPI.enabled: true
    gatewayAPI.core.httpRoute.enabled: true
    service.enabled: false
  asserts:
  - hasDocuments:
      count: 0
 - it: Rendering default values
  set:
    gatewayAPI.enabled: true
    gatewayAPI.core.httpRoute.enabled: true
    service.enabled: true
  asserts:
  - hasDocuments:
      count: 1
  - containsDocument:
      apiVersion: gateway.networking.k8s.io/v1
      kind: HTTPRoute
      name: athens-proxy-unittest
      namespace: testing
  - notExists:
      path: metadata.annotations
  - equal:
      path: metadata.labels
      value:
        app.kubernetes.io/instance: athens-proxy-unittest
        app.kubernetes.io/managed-by: Helm
        app.kubernetes.io/name: athens-proxy
        app.kubernetes.io/version: 0.1.0
        helm.sh/chart: athens-proxy-0.1.0
  - notExists:
      path: spec.hostnames
  - notExists:
      path: spec.parentRefs
  - contains:
      path: spec.rules[0].backendRefs
      content:
        kind: Service
        name: athens-proxy-unittest
        namespace: testing
        port: 3000
        weight: 1
  - contains:
      path: spec.rules[0].matches
      content:
        path:
          type: PathPrefix
          value: /
 - it: Rendering custom annotations and labels
  set:
    gatewayAPI.enabled: true
    gatewayAPI.core.httpRoute:
      enabled: true
      annotations:
        foo: bar
      labels:
        bar: foo
    service.enabled: true
  asserts:
  - hasDocuments:
      count: 1
  - equal:
      path: metadata.annotations
      value:
        foo: bar
  - equal:
      path: metadata.labels
      value:
        app.kubernetes.io/instance: athens-proxy-unittest
        app.kubernetes.io/managed-by: Helm
        app.kubernetes.io/name: athens-proxy
        app.kubernetes.io/version: 0.1.0
        bar: foo
        helm.sh/chart: athens-proxy-0.1.0
 - it: Rendering custom service port
  set:
    gatewayAPI.enabled: true
    gatewayAPI.core.httpRoute.enabled: true
    service:
      enabled: true
      port: 9090
  asserts:
  - equal:
      path: spec.rules[0].backendRefs[0].port
      value: 9090
 - it: Rendering custom matches
  set:
    gatewayAPI.enabled: true
    gatewayAPI.core.httpRoute:
      enabled: true
      matches:
      - path:
          type: PathPrefix
          value: /foo
    service.enabled: true
  asserts:
  - contains:
      path: spec.rules[0].matches
      content:
        path:
          type: PathPrefix
          value: /foo
 - it: Rendering custom hostnames and parentRefs
  set:
    gatewayAPI.enabled: true
    gatewayAPI.core.httpRoute:
      enabled: true
      hostnames:
      - athens-proxy.example.local
      parentRefs:
      - name: gateway
        namespace: testing
        kind: Gateway
        sectionName: athens-proxy-debug-gateway
    service.enabled: true
  asserts:
  - lengthEqual:
      path: spec.hostnames
      count: 1
  - contains:
      path: spec.hostnames
      content:
        athens-proxy.example.local
  - lengthEqual:
      path: spec.parentRefs
      count: 1
  - contains:
      path: spec.parentRefs
      content:
        name: gateway
        namespace: testing
        kind: Gateway
        sectionName: athens-proxy-debug-gateway
@@ -15,7 +15,7 @@ tests:
 - it: Skip ingress, when service is disabled.
  set:
-    services.http.enabled: false
+    service.enabled: false
    ingress.enabled: true
  asserts:
  - hasDocuments:
@@ -65,7 +65,7 @@ tests:
            pathType: Prefix
            backend:
              service:
-                name: athens-proxy-unittest-http
+                name: athens-proxy-unittest
                port:
                  number: 3000
  - contains:
@@ -92,7 +92,7 @@ tests:
    - secretName: athens-proxy-http-tls
      hosts:
      - athens-proxy.example.local
-    services.http.port: 8080
+    service.port: 8080
  asserts:
  - hasDocuments:
@@ -128,7 +128,7 @@ tests:
            pathType: Prefix
            backend:
              service:
-                name: athens-proxy-unittest-http
+                name: athens-proxy-unittest
                port:
                  number: 8080
  - contains:
@@ -6,11 +6,11 @@ release:
  name: athens-proxy-unittest
  namespace: testing
 templates:
- templates/serviceHTTP.yaml
+- templates/service.yaml
 tests:
 - it: Skip service when disabled.
  set:
-    services.http.enabled: false
+    service.enabled: false
  asserts:
  - hasDocuments:
      count: 0
@@ -22,7 +22,7 @@ tests:
  - containsDocument:
      apiVersion: v1
      kind: Service
-      name: athens-proxy-unittest-http
+      name: athens-proxy-unittest
      namespace: testing
  - notExists:
      path: metadata.annotations
@@ -75,37 +75,37 @@ tests:
 - it: Require internalTrafficPolicy.
  set:
-    services.http.internalTrafficPolicy: ""
+    service.internalTrafficPolicy: ""
  asserts:
  - failedTemplate:
      errorMessage: No internal traffic policy defined!
 - it: Require port.
  set:
-    services.http.port: ""
+    service.port: ""
  asserts:
  - failedTemplate:
      errorMessage: No service port defined!
 - it: Require sessionAffinity.
  set:
-    services.http.sessionAffinity: ""
+    service.sessionAffinity: ""
  asserts:
  - failedTemplate:
      errorMessage: No session affinity defined!
 - it: Require service type.
  set:
-    services.http.type: ""
+    service.type: ""
  asserts:
  - failedTemplate:
      errorMessage: No service type defined!
 - it: Render service with custom annotations and labels.
  set:
-    services.http.annotations:
+    service.annotations:
      foo: bar
-    services.http.labels:
+    service.labels:
      bar: foo
  asserts:
  - equal:
@@ -125,19 +125,19 @@ tests:
 - it: Change defaults
  set:
-    services.http.externalIPs:
+    service.externalIPs:
    - "10.11.12.13/32"
-    services.http.externalTrafficPolicy: Local
+    service.externalTrafficPolicy: Local
-    services.http.internalTrafficPolicy: Local
+    service.internalTrafficPolicy: Local
-    services.http.ipFamilies:
+    service.ipFamilies:
    - IPv4
-    services.http.loadBalancerClass: aws
+    service.loadBalancerClass: aws
-    services.http.loadBalancerIP: "11.12.13.14"
+    service.loadBalancerIP: "11.12.13.14"
-    services.http.loadBalancerSourceRanges:
+    service.loadBalancerSourceRanges:
    - "11.12.0.0/17"
-    services.http.port: 10443
+    service.port: 10443
-    services.http.sessionAffinity: ClientIP
+    service.sessionAffinity: ClientIP
-    services.http.type: LoadBalancer
+    service.type: LoadBalancer
  asserts:
  - equal:
      path: spec.externalIPs
@@ -1,15 +1,91 @@
 # Declare variables to be passed into your templates.
 ## @section Global
 ## @param nameOverride Individual release name suffix.
 ## @param fullnameOverride Override the complete release name logic.
 nameOverride: ""
 fullnameOverride: ""
 ## @section Certificate
 certificate:
  ## @param certificate.enabled Issue a TLS certificate via cert-manager. If enabled, the environment variables `ATHENS_TLSCERT_FILE` and `ATHENS_TLSKEY_FILE` will be automatically added.
  ## @param certificate.addSHASumAnnotation Add an pod annotation with the sha sum of the secret containing the TLS certificates.
  enabled: false
  addSHASumAnnotation: true
  ## @param certificate.existingSecret.enabled Use an existing secret of the type `kubernetes.io/tls`.
  ## @param certificate.existingSecret.secretName Name of the secret containing the TLS certificate and private key.
  existingSecret:
    enabled: false
    secretName: ""
  ## @param certificate.new.annotations Additional certificate annotations.
  ## @param certificate.new.labels Additional certificate labels.
  ## @param certificate.new.duration Duration of the TLS certificate.
  ## @param certificate.new.renewBefore Renew TLS certificate before expiring.
  ## @param certificate.new.dnsNames Overwrites the default of the subject alternative DNS names.
  ## @param certificate.new.ipAddresses Overwrites the default of the subject alternative IP addresses.
  ## @param certificate.new.issuerRef.kind Issuer kind. Can be `Issuer` or `ClusterIssuer`.
  ## @param certificate.new.issuerRef.name Name of the `Issuer` or `ClusterIssuer`.
  ## @param certificate.new.privateKey.algorithm Algorithm of the private TLS key.
  ## @param certificate.new.privateKey.rotationPolicy Rotation of the private TLS key.
  ## @param certificate.new.privateKey.size Size of the private TLS key.
  ## @param certificate.new.secretTemplate.annotations Additional annotation of the created secret.
  ## @param certificate.new.secretTemplate.labels Additional labels of the created secret.
  ## @param certificate.new.subject.countries List of countries.
  ## @param certificate.new.subject.localities List of localities.
  ## @param certificate.new.subject.organizationalUnits List of organizationalUnits.
  ## @param certificate.new.subject.organizations List of organizations.
  ## @param certificate.new.subject.postalCodes List of postalCodes.
  ## @param certificate.new.subject.provinces List of provinces.
  ## @param certificate.new.subject.serialNumber Serial number.
  ## @param certificate.new.subject.streetAddresses List of streetAddresses.
  ## @param certificate.new.usages Define the usage of the TLS key.
  new:
    annotations: {}
    labels: {}
    duration: "744h"      # 31 days
    renewBefore: "672h"   # 28 days
    dnsNames: []
    # The following DNS names are already part of the SAN's and serves only as example.
    # - "athens-proxy"
    # - "athens-proxy.svc"
    # - "athens-proxy.svc.namespace"
    # - "athens-proxy.svc.namespace.cluster.local"
    ipAddresses: []
    # The following IP addresses serves only as example.
    # - "10.92.1.10"
    # - "2001:0db8:85a3:08d3:1319:8a2e:0370:7344"
    issuerRef:
      kind: ""
      name: ""
    privateKey:
      algorithm: "RSA"
      rotationPolicy: "Never"
      size: 4096
    secretTemplate:
      annotations: {}
      labels: {}
    subject:
      countries: []
      localities: []
      organizationalUnits: []
      organizations: []
      postalCodes: []
      provinces: []
      serialNumber: ""
      streetAddresses: []
    usages:
    - "client auth"
    - "server auth"
 ## @section Configuration
 config:
  env:
    ## @param config.env.enabled Enable mounting of the secret as environment variables.
    ## @param config.env.addSHASumAnnotation Add an pod annotation with the sha sum of the config map containing the configuration.
    enabled: false
    addSHASumAnnotation: true
    ## @param config.env.existingSecret.enabled Mount an existing secret containing the application specific environment variables.
    ## @param config.env.existingSecret.secretName Name of the existing secret containing the application specific environment variables.
@@ -78,8 +154,6 @@ config:
        # ATHENS_STORAGE_GCP_JSON_KEY:
        # ATHENS_SUM_DBS:
        # ATHENS_TIMEOUT:
        # ATHENS_TLSCERT_FILE:
        # ATHENS_TLSKEY_FILE:
        # ATHENS_TRACE_EXPORTER_URL:
        # ATHENS_TRACE_EXPORTER:
        # AWS_ACCESS_KEY_ID:
@@ -99,7 +173,9 @@ config:
  downloadMode:
    ## @param config.downloadMode.enabled Enable mounting of a download mode file into the container file system. If enabled, the env `ATHENS_DOWNLOAD_MODE` will automatically be defined.
    ## @param config.downloadMode.addSHASumAnnotation Add an pod annotation with the sha sum of the config map containing the downloadMode config.
    enabled: false
    addSHASumAnnotation: true
    ## @param config.downloadMode.existingConfigMap.enabled Enable to use an external config map for mounting the download mode file.
    ## @param config.downloadMode.existingConfigMap.configMapName The name of the existing config map which should be used to mount the download mode file.
@@ -135,7 +211,9 @@ config:
  gitConfig:
    ## @param config.gitConfig.enabled Enable mounting of a .gitconfig file into the container file system.
    ## @param config.gitConfig.addSHASumAnnotation Add an pod annotation with the sha sum of the config map containing the git config.
    enabled: false
    addSHASumAnnotation: true
    ## @param config.gitConfig.existingConfigMap.enabled Enable to use an external config map for mounting the .gitconfig file.
    ## @param config.gitConfig.existingConfigMap.configMapName The name of the existing config map which should be used to mount the .gitconfig file.
@@ -161,7 +239,9 @@ config:
  netrc:
    ## @param config.netrc.enabled Enable mounting of a .netrc file into the container file system.
    ## @param config.netrc.addSHASumAnnotation Add an pod annotation with the sha sum of the secret containing the netrc file.
    enabled: false
    addSHASumAnnotation: true
    ## @param config.netrc.existingSecret.enabled Enable to use an external secret for mounting the .netrc file.
    ## @param config.netrc.existingSecret.secretName The name of the existing secret which should be used to mount the .netrc file.
@@ -193,7 +273,9 @@ config:
  ssh:
    ## @param config.ssh.enabled Enable mounting of a .netrc file into the container file system.
    ## @param config.ssh.addSHASumAnnotation Add an pod annotation with the sha sum of the secret containing the ssh keys.
    enabled: false
    addSHASumAnnotation: true
    ## @param config.ssh.existingSecret.enabled Enable to use an external secret for mounting the public and private SSH key files.
    ## @param config.ssh.existingSecret.secretName The name of the existing secret which should be used to mount the public and private SSH key files.
@@ -334,6 +416,30 @@ deployment:
      tag: ""
      pullPolicy: IfNotPresent
    ## @param deployment.athensProxy.livenessProbe.failureThreshold Minimum consecutive failures for the probe to be considered failed after having succeeded.
    ## @param deployment.athensProxy.livenessProbe.initialDelaySeconds Number of seconds after the container has started before liveness probes are initiated.
    ## @param deployment.athensProxy.livenessProbe.periodSeconds How often (in seconds) to perform the probe.
    ## @param deployment.athensProxy.livenessProbe.successThreshold Minimum consecutive successes for the probe to be considered successful after having failed.
    ## @param deployment.athensProxy.livenessProbe.timeoutSeconds Number of seconds after which the probe times out.
    livenessProbe:
      failureThreshold: 3
      initialDelaySeconds: 5
      periodSeconds: 60
      successThreshold: 1
      timeoutSeconds: 3
    ## @param deployment.athensProxy.readinessProbe.failureThreshold Minimum consecutive failures for the probe to be considered failed after having succeeded.
    ## @param deployment.athensProxy.readinessProbe.initialDelaySeconds Number of seconds after the container has started before liveness probes are initiated.
    ## @param deployment.athensProxy.readinessProbe.periodSeconds How often (in seconds) to perform the probe.
    ## @param deployment.athensProxy.readinessProbe.successThreshold Minimum consecutive successes for the probe to be considered successful after having failed.
    ## @param deployment.athensProxy.readinessProbe.timeoutSeconds Number of seconds after which the probe times out.
    readinessProbe:
      failureThreshold: 3
      initialDelaySeconds: 5
      periodSeconds: 15
      successThreshold: 1
      timeoutSeconds: 3
    ## @param deployment.athensProxy.resources CPU and memory resources of the pod.
    resources: {}
      # limits:
@@ -404,9 +510,9 @@ deployment:
  #   whenUnsatisfiable: DoNotSchedule
  #   labelSelector:
  #     matchLabels:
-  #       app.kubernetes.io/instance: prometheus-athens-proxy
+  #       app.kubernetes.io/instance: athens-proxy
-  ## @param deployment.volumes Additional volumes to mount into the pods of the prometheus-exporter deployment.
+  ## @param deployment.volumes Additional volumes to mount into the pods of the athens-proxy deployment.
  volumes: []
  # - name: my-configmap-volume
  #   config:
@@ -415,6 +521,72 @@ deployment:
  #   secret:
  #     secretName: my-secret
 ## @section GatewayAPI
 gatewayAPI:
  ## @param gatewayAPI.enabled Enable the Gateway API resources. Requires Kubernetes v1.19 or higher, the CRD's and a compatible gateway controller.
  enabled: false
  core:
    ## @param gatewayAPI.core.backendTLSPolicy.enabled Enable the BackendTLSPolicy resource. Requires also `gatewayAPI.enabled` to be `true`.
    ## @param gatewayAPI.core.backendTLSPolicy.annotations Additional annotations for the BackendTLSPolicy.
    ## @param gatewayAPI.core.backendTLSPolicy.labels Additional labels for the BackendTLSPolicy.
    ## @param gatewayAPI.core.backendTLSPolicy.validation Validation configuration for the BackendTLSPolicy. For example, you can specify a trusted CA certificate to validate the TLS connection between the gateway and the athens-proxy pod.
    backendTLSPolicy:
      enabled: false
      annotations: {}
      labels: {}
      validation: {}
        # caCertificateRefs:
        # - group: ""
        #   kind: Secret
        #   name: "athens-proxy-ca"
        # hostname: "athens-proxy"
    ## @param gatewayAPI.core.httpRoute.enabled Enable the HTTPRoute resource. Requires also `gatewayAPI.enabled` and `service.enabled` to be `true`.
    ## @param gatewayAPI.core.httpRoute.annotations Additional annotations for the HTTPRoute.
    ## @param gatewayAPI.core.httpRoute.labels Additional labels for the HTTPRoute.
    ## @param gatewayAPI.core.httpRoute.hostnames Hostnames for the HTTPRoute.
    ## @skip gatewayAPI.core.httpRoute.matches Match conditions for the HTTPRoute. You can specify path based match conditions to route traffic to the athens-proxy service.
    ## @param gatewayAPI.core.httpRoute.parentRefs ParentRefs for the HTTPRoute. You can specify parentRefs to bind the HTTPRoute to specific Gateway resources.
    httpRoute:
      enabled: false
      annotations: {}
      labels: {}
      hostnames: []
      matches:
      - path:
          type: PathPrefix
          value: /
      parentRefs: []
      # - name: gateway
      #   kind: Gateway
      #   group: gateway.networking.k8s.io
      #   namespace: default
      #   sectionName: athens-proxy-http
  nginx:
    ## @param gatewayAPI.nginx.clientSettingsPolicy.enabled Enable the ClientSettingsPolicy resource. Requires also `gatewayAPI.enabled` to be `true`.
    ## @param gatewayAPI.nginx.clientSettingsPolicy.annotations Additional annotations for the ClientSettingsPolicy.
    ## @param gatewayAPI.nginx.clientSettingsPolicy.labels Additional labels for the ClientSettingsPolicy.
    ## @param gatewayAPI.nginx.clientSettingsPolicy.clientMaxBodySize ClientMaxBodySize sets the maximum allowed size of the client request body. If not specified, the default of the nginx gateway controller is used.
    ## @param gatewayAPI.nginx.clientSettingsPolicy.clientBodyTimeout ClientBodyTimeout sets the timeout for reading the client request body. If not specified, the default of the nginx gateway controller is used.
    ## @param gatewayAPI.nginx.clientSettingsPolicy.keepaliveRequests KeepaliveRequests sets the maximum number of requests that can be served through one keepalive connection. If not specified, the default of the nginx gateway controller is used.
    ## @param gatewayAPI.nginx.clientSettingsPolicy.keepaliveTime KeepaliveTime sets the time a keepalive connection is kept open. If not specified, the default of the nginx gateway controller is used.
    ## @param gatewayAPI.nginx.clientSettingsPolicy.keepaliveTimeout KeepaliveTimeout sets the time a client has to wait for the response of a request until the connection is closed. If not specified, the default of the nginx gateway controller is used.
    ## @param gatewayAPI.nginx.clientSettingsPolicy.keepaliveMinTimeout KeepaliveMinTimeout sets the minimum time a client has to wait for the response of a request until the connection is closed. If not specified, the default of the nginx gateway controller is used.
    clientSettingsPolicy:
      enabled: false
      annotations: {}
      labels: {}
      clientMaxBodySize: ""
      clientBodyTimeout: ""
      keepaliveRequests:
      keepaliveTime: ""
      keepaliveTimeout: ""
      keepaliveMinTimeout: ""
 ## @section Horizontal Pod Autoscaler (HPA)
 # In order for the HPA to function successfully, a metric server is required, especially for resource consumption. The
 # metric server enables the CPU and memory utilisation to be recorded. If such a metric server is not available, the HPA
@@ -446,6 +618,7 @@ hpa:
  minReplicas: 1
  maxReplicas: 10
 ## @section Ingress
 ingress:
  ## @param ingress.enabled Enable creation of an ingress resource. Requires, that the http service is also enabled.
@@ -457,7 +630,7 @@ ingress:
  annotations: {}
  labels: {}
-  ## @param ingress.hosts Ingress specific configuration. Specification only required when another ingress controller is used instead of `t1k.
+  ## @param ingress.hosts Ingress specific configuration.
  ## @skip ingress.hosts Skip individual host configuration.
  hosts: []
  # - host: athens-proxy.example.local
@@ -465,7 +638,7 @@ ingress:
  #   - path: /
  #     pathType: Prefix
-  ## @param ingress.tls Ingress TLS settings. Specification only required when another ingress controller is used instead of `t1k``.
+  ## @param ingress.tls Ingress TLS settings.
  ## @skip ingress.tls Skip individual TLS configuration.
  tls: []
  # - secretName: athens-proxy-http-tls
@@ -481,8 +654,8 @@ persistence:
    ## @param persistence.data.mountPath The path where the persistent volume should be mounted in the container file system. This variable controls `ATHENS_DISK_STORAGE_ROOT`.
    mountPath: "/var/www/athens-proxy/data"
-    ## @param persistence.data.existingPersistentVolumeClaim.enabled TODO
+    ## @param persistence.data.existingPersistentVolumeClaim.enabled Use an existing persistent volume claim.
-    ## @param persistence.data.existingPersistentVolumeClaim.persistentVolumeClaimName TODO
+    ## @param persistence.data.existingPersistentVolumeClaim.persistentVolumeClaimName The name of the existing persistent volume claim.
    existingPersistentVolumeClaim:
      enabled: false
      persistentVolumeClaimName: ""
@@ -490,16 +663,20 @@ persistence:
    ## @param persistence.data.persistentVolumeClaim.annotations Additional persistent volume claim annotations.
    ## @param persistence.data.persistentVolumeClaim.labels Additional persistent volume claim labels.
    ## @param persistence.data.persistentVolumeClaim.accessModes Access modes of the persistent volume claim.
-    ## @param persistence.data.persistentVolumeClaim.storageClass Storage class of the persistent volume claim.
+    ## @param persistence.data.persistentVolumeClaim.storageClassName Storage class of the persistent volume claim.
    ## @param persistence.data.persistentVolumeClaim.storageSize Size of the persistent volume claim.
    persistentVolumeClaim:
      annotations: {}
      labels: {}
      accessModes:
      - ReadWriteMany
-      storageClass: ""
+      storageClassName: ""
      storageSize: "5Gi"
 ## @section Network
 ## @param clusterDomain Domain of the Cluster. Domain is part of internally issued certificates.
 clusterDomain: "cluster.local"
 ## @section Network Policy
 networkPolicy:
  ## @param networkPolicy.enabled Enable network policies in general.
@@ -517,13 +694,16 @@ networkPolicy:
  # - Egress
  # - Ingress
  egress: []
-  # Allow outgoing traffic to database host
+  # Allow outgoing SSH traffic to Source Code Control System's (SCCS') like GitHub or GitLab.
  #
-  # - to:
+  # - ports:
-  #   - ipBlock:
+  #   - port: 22
-  #       cidr: 192.168.179.1/32
+  #     protocol: TCP
-  #   ports:
+
-  #   - port: 5432
+  # Allow outgoing HTTPS traffic to external go module servers
  #
  # - ports:
  #   - port: 443
  #     protocol: TCP
  # Allow outgoing DNS traffic to the internal running DNS-Server. For example core-dns.
@@ -569,22 +749,21 @@ networkPolicy:
  #     protocol: TCP
 ## @section Service
-## @param services.http.enabled Enable the service.
+## @param service.enabled Enable the service.
-## @param services.http.annotations Additional service annotations.
+## @param service.annotations Additional service annotations.
-## @param services.http.externalIPs External IPs for the service.
+## @param service.externalIPs External IPs for the service.
-## @param services.http.externalTrafficPolicy If `service.type` is `NodePort` or `LoadBalancer`, set this to `Local` to tell kube-proxy to only use node local endpoints for cluster external traffic. Furthermore, this enables source IP preservation.
+## @param service.externalTrafficPolicy If `service.type` is `NodePort` or `LoadBalancer`, set this to `Local` to tell kube-proxy to only use node local endpoints for cluster external traffic. Furthermore, this enables source IP preservation.
-## @param services.http.internalTrafficPolicy If `service.type` is `NodePort` or `LoadBalancer`, set this to `Local` to tell kube-proxy to only use node local endpoints for cluster internal traffic.
+## @param service.internalTrafficPolicy If `service.type` is `NodePort` or `LoadBalancer`, set this to `Local` to tell kube-proxy to only use node local endpoints for cluster internal traffic.
-## @param services.http.ipFamilies IPFamilies is list of IP families (e.g. `IPv4`, `IPv6`) assigned to this service. This field is usually assigned automatically based on cluster configuration and only required for customization.
+## @param service.ipFamilies IPFamilies is list of IP families (e.g. `IPv4`, `IPv6`) assigned to this service. This field is usually assigned automatically based on cluster configuration and only required for customization.
-## @param services.http.labels Additional service labels.
+## @param service.labels Additional service labels.
-## @param services.http.loadBalancerClass LoadBalancerClass is the class of the load balancer implementation this Service belongs to. Requires service from type `LoadBalancer`.
+## @param service.loadBalancerClass LoadBalancerClass is the class of the load balancer implementation this Service belongs to. Requires service from type `LoadBalancer`.
-## @param services.http.loadBalancerIP LoadBalancer will get created with the IP specified in this field. Requires service from type `LoadBalancer`.
+## @param service.loadBalancerIP LoadBalancer will get created with the IP specified in this field. Requires service from type `LoadBalancer`.
-## @param services.http.loadBalancerSourceRanges Source range filter for LoadBalancer. Requires service from type `LoadBalancer`.
+## @param service.loadBalancerSourceRanges Source range filter for LoadBalancer. Requires service from type `LoadBalancer`.
-## @param services.http.port Port to forward the traffic to.
+## @param service.port Port to forward the traffic to.
-## @param services.http.sessionAffinity Supports `ClientIP` and `None`. Enable client IP based session affinity via `ClientIP`.
+## @param service.sessionAffinity Supports `ClientIP` and `None`. Enable client IP based session affinity via `ClientIP`.
-## @param services.http.sessionAffinityConfig Contains the configuration of the session affinity.
+## @param service.sessionAffinityConfig Contains the configuration of the session affinity.
-## @param services.http.type Kubernetes service type for the traffic.
+## @param service.type Kubernetes service type for the traffic.
-services:
+service:
  http:
  enabled: true
  annotations: {}
  externalIPs: []
		`@@ -0,0 +1 @@`
							`repositoryID: 4c206fe5-b83a-457a-bcad-7dd664f8b70c`