							Compare commits
	
		
			21 Commits
		
	
	
		
			1.0.3
			...
			3f7476afc6
		
	
	| Author | SHA1 | Date | |
|---|---|---|---|
| 3f7476afc6 | |||
| 530316e910 | |||
| 4974d63a8c | |||
| 1bbd0352c3 | |||
| ccdf377aaa | |||
| 64790fc316 | |||
| 2c88d6698b | |||
| 9abdb1ca3a | |||
| 81f14405fd | |||
| 7b37bfc373 | |||
| bba0df90ff | |||
| cb312817c3 | |||
| fe428d83d2 | |||
| 4c94529eab | |||
| 297f36920a | |||
| 4102fc9014 | |||
| be923ed95f | |||
| f07ff039ce | |||
| a11be194cc | |||
| 7908de9313 | |||
| adfe40a9c7 | 
| @@ -15,7 +15,7 @@ on: | |||||||
| jobs: | jobs: | ||||||
|   generate-parameters: |   generate-parameters: | ||||||
|     container: |     container: | ||||||
|       image: docker.io/library/node:24.10.0-alpine |       image: docker.io/library/node:25.0.0-alpine | ||||||
|     runs-on: |     runs-on: | ||||||
|     - ubuntu-latest |     - ubuntu-latest | ||||||
|     steps: |     steps: | ||||||
|   | |||||||
| @@ -15,7 +15,7 @@ on: | |||||||
| jobs: | jobs: | ||||||
|   markdown-link-checker: |   markdown-link-checker: | ||||||
|     container: |     container: | ||||||
|       image: docker.io/library/node:24.10.0-alpine |       image: docker.io/library/node:25.0.0-alpine | ||||||
|     runs-on: |     runs-on: | ||||||
|     - ubuntu-latest |     - ubuntu-latest | ||||||
|     steps: |     steps: | ||||||
| @@ -31,7 +31,7 @@ jobs: | |||||||
|  |  | ||||||
|   markdown-lint: |   markdown-lint: | ||||||
|     container: |     container: | ||||||
|       image: docker.io/library/node:24.10.0-alpine |       image: docker.io/library/node:25.0.0-alpine | ||||||
|     runs-on: |     runs-on: | ||||||
|     - ubuntu-latest |     - ubuntu-latest | ||||||
|     steps: |     steps: | ||||||
|   | |||||||
							
								
								
									
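--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@@ -0,0 +1,8 @@
+{
+  "yaml.schemas": {
+    "https://raw.githubusercontent.com/helm-unittest/helm-unittest/v1.0.3/schema/helm-testsuite.json": [
+      "/unittests/**/*.yaml"
+    ]
+  },
+  "yaml.schemaStore.enable": true
+}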
| @@ -19,6 +19,6 @@ keywords: | |||||||
| - go-proxy | - go-proxy | ||||||
|  |  | ||||||
| sources: | sources: | ||||||
| - https://github.com/volker-raschek/athens-proxy-charts | - https://git.cryptic.systems/volker.raschek/athens-proxy-charts | ||||||
| - https://github.com/gomods/athens | - https://github.com/gomods/athens | ||||||
| - https://hub.docker.com/r/gomods/athens | - https://hub.docker.com/r/gomods/athens | ||||||
|   | |||||||
							
								
								
									
									
										2
									
								
								Makefile
									
									
									
									
									
								
							| @@ -10,7 +10,7 @@ HELM_IMAGE_FULLY_QUALIFIED=${HELM_IMAGE_REGISTRY_HOST}/${HELM_IMAGE_REPOSITORY}: | |||||||
| # NODE_IMAGE | # NODE_IMAGE | ||||||
| NODE_IMAGE_REGISTRY_HOST?=docker.io | NODE_IMAGE_REGISTRY_HOST?=docker.io | ||||||
| NODE_IMAGE_REPOSITORY?=library/node | NODE_IMAGE_REPOSITORY?=library/node | ||||||
| NODE_IMAGE_VERSION?=24.10.0-alpine # renovate: datasource=docker registryUrl=https://docker.io depName=docker.io/library/node packageName=library/node | NODE_IMAGE_VERSION?=25.0.0-alpine # renovate: datasource=docker registryUrl=https://docker.io depName=docker.io/library/node packageName=library/node | ||||||
| NODE_IMAGE_FULLY_QUALIFIED=${NODE_IMAGE_REGISTRY_HOST}/${NODE_IMAGE_REPOSITORY}:${NODE_IMAGE_VERSION} | NODE_IMAGE_FULLY_QUALIFIED=${NODE_IMAGE_REGISTRY_HOST}/${NODE_IMAGE_REPOSITORY}:${NODE_IMAGE_VERSION} | ||||||
|  |  | ||||||
| # MISSING DOT | # MISSING DOT | ||||||
|   | |||||||
							
								
								
									
									
										182
									
								
								README.md
									
									
									
									
									
								
							| @@ -16,10 +16,7 @@ Chapter [configuration and installation](#helm-configuration-and-installation) d | |||||||
| helm and use it to deploy the exporter. It also contains further configuration examples. | helm and use it to deploy the exporter. It also contains further configuration examples. | ||||||
|  |  | ||||||
| Furthermore, this helm chart contains unit tests to detect regressions and stabilize the deployment. Additionally, this | Furthermore, this helm chart contains unit tests to detect regressions and stabilize the deployment. Additionally, this | ||||||
| helm chart is tested for deployment scenarios with **ArgoCD**, but please keep in mind, that this chart supports the | helm chart is tested for deployment scenarios with **ArgoCD**. | ||||||
| *[Automatically Roll Deployment](https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments)* |  | ||||||
| concept of Helm, which can trigger unexpected rolling releases. Further configuration instructions are described in a |  | ||||||
| separate [chapter](#argocd). |  | ||||||
|  |  | ||||||
| ## Helm: configuration and installation | ## Helm: configuration and installation | ||||||
|  |  | ||||||
| @@ -40,21 +37,21 @@ version of the chart must be in sync with the `values.yaml`. Newer *minor* versi | |||||||
| versions can break something! | versions can break something! | ||||||
|  |  | ||||||
| ```bash | ```bash | ||||||
| CHART_VERSION=1.0.0 | CHART_VERSION=1.1.1 | ||||||
| helm show values volker.raschek/athens-proxy --version "${CHART_VERSION}" > values.yaml | helm show values volker.raschek/athens-proxy --version "${CHART_VERSION}" > values.yaml | ||||||
| ``` | ``` | ||||||
|  |  | ||||||
| A complete list of available helm chart versions can be displayed via the following command: | A complete list of available helm chart versions can be displayed via the following command: | ||||||
|  |  | ||||||
| ```bash | ```bash | ||||||
| helm search repo reposilite --versions | helm search repo athens-proxy --versions | ||||||
| ``` | ``` | ||||||
|  |  | ||||||
| The helm chart also contains a persistent volume claim definition. It persistent volume claim is not enabled by default. | The helm chart also contains a persistent volume claim definition. It persistent volume claim is not enabled by default. | ||||||
| Use the `--set` argument to persist your data. | Use the `--set` argument to persist your data. | ||||||
|  |  | ||||||
| ```bash | ```bash | ||||||
| CHART_VERSION=1.0.0 | CHART_VERSION=1.1.1 | ||||||
| helm install --version "${CHART_VERSION}" athens-proxy volker.raschek/athens-proxy \ | helm install --version "${CHART_VERSION}" athens-proxy volker.raschek/athens-proxy \ | ||||||
|   persistence.enabled=true |   persistence.enabled=true | ||||||
| ``` | ``` | ||||||
| @@ -84,13 +81,78 @@ Further information about this topic can be found in one of Kanishk's blog | |||||||
| > Please take care the a CPU limit < `1000m` can also lead to CPU throttling. Please read the linked documentation carefully. | > Please take care the a CPU limit < `1000m` can also lead to CPU throttling. Please read the linked documentation carefully. | ||||||
|  |  | ||||||
| ```bash | ```bash | ||||||
| CHART_VERSION=1.0.0 | CHART_VERSION=1.1.1 | ||||||
| helm install --version "${CHART_VERSION}" athens-proxy volker.raschek/athens-proxy \ | helm install --version "${CHART_VERSION}" athens-proxy volker.raschek/athens-proxy \ | ||||||
|   --set 'deployment.athensProxy.env.name=GOMAXPROCS' \ |   --set 'deployment.athensProxy.env.name=GOMAXPROCS' \ | ||||||
|   --set 'deployment.athensProxy.env.valueFrom.resourceFieldRef.resource=limits.cpu' \ |   --set 'deployment.athensProxy.env.valueFrom.resourceFieldRef.resource=limits.cpu' \ | ||||||
|   --set 'deployment.athensProxy.resources.limits.cpu=1000m' |   --set 'deployment.athensProxy.resources.limits.cpu=1000m' | ||||||
| ``` | ``` | ||||||
|  |  | ||||||
|  | #### TLS encryption | ||||||
|  |  | ||||||
|  | The example shows how to deploy the application with TLS encryption. For example when **no** HTTP ingress is used for | ||||||
|  | TLS determination and instead the application it self should determinate the TLS handshake. To generate the TLS | ||||||
|  | certificate can be used the [cert-manager](https://cert-manager.io/). The chart supports the creation of such a TLS | ||||||
|  | certificate via `cert-manager.io/v1 Certificate` resource. Alternatively can be mounted a TLS certificate from a secret. | ||||||
|  | The secret must be from type `kubernetes.io/tls`. | ||||||
|  |  | ||||||
|  | > [!WARNING] | ||||||
|  | > The following example expects that the [cert-manager](https://cert-manager.io/) is deployed and the `Issuer` named | ||||||
|  | > `athens-proxy-ca` is present in the same namespace of the helm deployment. | ||||||
|  |  | ||||||
|  | ```bash | ||||||
|  | CHART_VERSION=1.1.1 | ||||||
|  | helm install --version "${CHART_VERSION}" athens-proxy volker.raschek/athens-proxy \ | ||||||
|  |   --set 'config.certificate.enabled=true' \ | ||||||
|  |   --set 'config.certificate.new.issuerRef.kind=Issuer' \ | ||||||
|  |   --set 'config.certificate.new.issuerRef.name=athens-proxy-ca' | ||||||
|  | ``` | ||||||
|  |  | ||||||
|  | The environment variables `ATHENS_TLSCERT_FILE` and `ATHENS_TLSKEY_FILE` are automatically added and the TLS certificate | ||||||
|  | and private key are mounted to a pre-defined destination inside the container file system. | ||||||
|  |  | ||||||
|  | #### TLS certificate rotation | ||||||
|  |  | ||||||
|  | If the application uses TLS certificates that are mounted as a secret in the container file system like the example | ||||||
|  | [above](#tls-encryption), the application will not automatically apply them when the TLS certificates are rotated. Such | ||||||
|  | a rotation can be for example triggered, when the [cert-manager](https://cert-manager.io/) issues new TLS certificates | ||||||
|  | before expiring. | ||||||
|  |  | ||||||
|  | Until the exporter does not support rotating TLS certificate a workaround can be applied. For example stakater's | ||||||
|  | [reloader](https://github.com/stakater/Reloader) controller can be used to trigger a rolling update. The following | ||||||
|  | annotation must be added to instruct the reloader controller to trigger a rolling update, when the mounted configMaps | ||||||
|  | and secrets have been changed. | ||||||
|  |  | ||||||
|  | ```yaml | ||||||
|  | deployment: | ||||||
|  |   annotations: | ||||||
|  |     reloader.stakater.com/auto: "true" | ||||||
|  | ``` | ||||||
|  |  | ||||||
|  | Instead of triggering a rolling update for configMap and secret resources, this action can also be defined for | ||||||
|  | individual items. For example, when the secret named `athens-proxy-tls` is mounted and the reloader controller should | ||||||
|  | only listen for changes of this secret: | ||||||
|  |  | ||||||
|  | ```yaml | ||||||
|  | deployment: | ||||||
|  |   annotations: | ||||||
|  |     secret.reloader.stakater.com/reload: "athens-proxy-tls" | ||||||
|  | ``` | ||||||
|  |  | ||||||
|  | If the application is rolled out using ArgoCD, a rolling update from stakater's | ||||||
|  | [reloader](https://github.com/stakater/Reloader) can lead to a drift. ArgoCD will attempt to restore the original state | ||||||
|  | with a rolling update. To avoid this, instead of a rolling update triggered by the reloader, a restart of the pod can be | ||||||
|  | initiated. Further information are available in the official | ||||||
|  | [README](https://github.com/stakater/Reloader?tab=readme-ov-file#4-%EF%B8%8F-workload-specific-rollout-strategy) of | ||||||
|  | stakater's reloader. | ||||||
|  |  | ||||||
|  | ```diff | ||||||
|  |   deployment: | ||||||
|  |     annotations: | ||||||
|  |       reloader.stakater.com/auto: "true" | ||||||
|  | +     reloader.stakater.com/rollout-strategy: "restart" | ||||||
|  | ``` | ||||||
|  |  | ||||||
| #### Network policies | #### Network policies | ||||||
|  |  | ||||||
| Network policies can only take effect, when the used CNI plugin support network policies. The chart supports no custom | Network policies can only take effect, when the used CNI plugin support network policies. The chart supports no custom | ||||||
| @@ -145,31 +207,51 @@ networkPolicies: | |||||||
|  |  | ||||||
| ## ArgoCD | ## ArgoCD | ||||||
|  |  | ||||||
| ### Daily execution of rolling updates | ### Example Application | ||||||
|  |  | ||||||
| The behavior whereby ArgoCD triggers a rolling update even though nothing appears to have changed often occurs in | An application resource for the Helm chart is defined below. It serves as an example for your own deployment. | ||||||
| connection with the helm concept `checksum/secret`, `checksum/configmap` or more generally, [Automatically Roll |  | ||||||
| Deployments](https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments). |  | ||||||
|  |  | ||||||
| The problem with combining this concept with ArgoCD is that ArgoCD re-renders the Helm chart every time. Even if the | ```yaml | ||||||
| content of the config map or secret has not changed, there may be minimal differences (e.g., whitespace, chart version, |  | ||||||
| Helm render order, different timestamps). |  | ||||||
|  |  | ||||||
| This changes the SHA256 hash, Argo sees a drift and trigger a rolling update of the deployment. Among other things, this |  | ||||||
| can lead to unnecessary notifications from ArgoCD. |  | ||||||
|  |  | ||||||
| To avoid this, the annotation with the shasum must be ignored. Below is a diff that adds the `Application` to ignore all |  | ||||||
| annotations with the prefix `checksum`. |  | ||||||
|  |  | ||||||
| ```diff |  | ||||||
| apiVersion: argoproj.io/v1alpha1 | apiVersion: argoproj.io/v1alpha1 | ||||||
| kind: Application | kind: Application | ||||||
| spec: | spec: | ||||||
| +   ignoreDifferences: |   destination: | ||||||
| +   - group: apps/v1 |     server: https://kubernetes.default.svc | ||||||
| +     kind: Deployment |     namespace: athens-proxy | ||||||
| +     jqPathExpressions: |   ignoreDifferences: | ||||||
| +     - '.spec.template.metadata.annotations | with_entries(select(.key | startswith("checksum")))' |   - group: apps | ||||||
|  |     kind: Deployment | ||||||
|  |     jqPathExpressions: | ||||||
|  |     # When HPA is enabled, ensure that a modification of the replicas does not lead to a | ||||||
|  |     # drift. | ||||||
|  |       - '.spec.replicas' | ||||||
|  |     # Ensure that changes of the annotations or environment variables added or modified by | ||||||
|  |     # stakater's reloader does not lead to a drift. | ||||||
|  |     - '.spec.template.metadata.annotations | with_entries(select(.key | startswith("reloader")))' | ||||||
|  |     - '.spec.template.spec.containers[].env[] | select(.name | startswith("STAKATER_"))' | ||||||
|  |   sources: | ||||||
|  |   - repoURL: https://charts.cryptic.systems/volker.raschek | ||||||
|  |     chart: athens-proxy | ||||||
|  |     targetRevision: '0.*' | ||||||
|  |     helm: | ||||||
|  |       valueFiles: | ||||||
|  |       - $values/values.yaml | ||||||
|  |       releaseName: athens-proxy | ||||||
|  |   syncPolicy: | ||||||
|  |     automated: | ||||||
|  |       prune: true | ||||||
|  |       selfHeal: true | ||||||
|  |     managedNamespaceMetadata: | ||||||
|  |       annotations: {} | ||||||
|  |       labels: {} | ||||||
|  |     syncOptions: | ||||||
|  |     - ApplyOutOfSyncOnly=true | ||||||
|  |     - CreateNamespace=true | ||||||
|  |     - FailOnSharedResource=false | ||||||
|  |     - Replace=false | ||||||
|  |     - RespectIgnoreDifferences=false | ||||||
|  |     - ServerSideApply=true | ||||||
|  |     - Validate=true | ||||||
| ``` | ``` | ||||||
|  |  | ||||||
| ## Parameters | ## Parameters | ||||||
| @@ -181,6 +263,36 @@ annotations with the prefix `checksum`. | |||||||
| | `nameOverride`     | Individual release name suffix.           | `""`  | | | `nameOverride`     | Individual release name suffix.           | `""`  | | ||||||
| | `fullnameOverride` | Override the complete release name logic. | `""`  | | | `fullnameOverride` | Override the complete release name logic. | `""`  | | ||||||
|  |  | ||||||
|  | ### Certificate | ||||||
|  |  | ||||||
|  | | Name                                          | Description                                                                                                                                                 | Value                           | | ||||||
|  | | --------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------- | | ||||||
|  | | `certificate.enabled`                         | Issue a TLS certificate via cert-manager. If enabled, the environment variables `ATHENS_TLSCERT_FILE` and `ATHENS_TLSKEY_FILE` will be automatically added. | `false`                         | | ||||||
|  | | `certificate.existingSecret.enabled`          | Use an existing secret of the type `kubernetes.io/tls`.                                                                                                     | `false`                         | | ||||||
|  | | `certificate.existingSecret.secretName`       | Name of the secret containing the TLS certificate and private key.                                                                                          | `""`                            | | ||||||
|  | | `certificate.new.annotations`                 | Additional certificate annotations.                                                                                                                         | `{}`                            | | ||||||
|  | | `certificate.new.labels`                      | Additional certificate labels.                                                                                                                              | `{}`                            | | ||||||
|  | | `certificate.new.duration`                    | Duration of the TLS certificate.                                                                                                                            | `744h`                          | | ||||||
|  | | `certificate.new.renewBefore`                 | Renew TLS certificate before expiring.                                                                                                                      | `672h`                          | | ||||||
|  | | `certificate.new.dnsNames`                    | Overwrites the default of the subject alternative DNS names.                                                                                                | `[]`                            | | ||||||
|  | | `certificate.new.ipAddresses`                 | Overwrites the default of the subject alternative IP addresses.                                                                                             | `[]`                            | | ||||||
|  | | `certificate.new.issuerRef.kind`              | Issuer kind. Can be `Issuer` or `ClusterIssuer`.                                                                                                            | `""`                            | | ||||||
|  | | `certificate.new.issuerRef.name`              | Name of the `Issuer` or `ClusterIssuer`.                                                                                                                    | `""`                            | | ||||||
|  | | `certificate.new.privateKey.algorithm`        | Algorithm of the private TLS key.                                                                                                                           | `RSA`                           | | ||||||
|  | | `certificate.new.privateKey.rotationPolicy`   | Rotation of the private TLS key.                                                                                                                            | `Never`                         | | ||||||
|  | | `certificate.new.privateKey.size`             | Size of the private TLS key.                                                                                                                                | `4096`                          | | ||||||
|  | | `certificate.new.secretTemplate.annotations`  | Additional annotation of the created secret.                                                                                                                | `{}`                            | | ||||||
|  | | `certificate.new.secretTemplate.labels`       | Additional labels of the created secret.                                                                                                                    | `{}`                            | | ||||||
|  | | `certificate.new.subject.countries`           | List of countries.                                                                                                                                          | `[]`                            | | ||||||
|  | | `certificate.new.subject.localities`          | List of localities.                                                                                                                                         | `[]`                            | | ||||||
|  | | `certificate.new.subject.organizationalUnits` | List of organizationalUnits.                                                                                                                                | `[]`                            | | ||||||
|  | | `certificate.new.subject.organizations`       | List of organizations.                                                                                                                                      | `[]`                            | | ||||||
|  | | `certificate.new.subject.postalCodes`         | List of postalCodes.                                                                                                                                        | `[]`                            | | ||||||
|  | | `certificate.new.subject.provinces`           | List of provinces.                                                                                                                                          | `[]`                            | | ||||||
|  | | `certificate.new.subject.serialNumber`        | Serial number.                                                                                                                                              | `""`                            | | ||||||
|  | | `certificate.new.subject.streetAddresses`     | List of streetAddresses.                                                                                                                                    | `[]`                            | | ||||||
|  | | `certificate.new.usages`                      | Define the usage of the TLS key.                                                                                                                            | `["client auth","server auth"]` | | ||||||
|  |  | ||||||
| ### Configuration | ### Configuration | ||||||
|  |  | ||||||
| | Name                                                    | Description                                                                                                                                       | Value            | | | Name                                                    | Description                                                                                                                                       | Value            | | ||||||
| @@ -257,7 +369,7 @@ annotations with the prefix `checksum`. | |||||||
| | `deployment.terminationGracePeriodSeconds`         | How long to wait until forcefully kill the pod.                                                            | `60`            | | | `deployment.terminationGracePeriodSeconds`         | How long to wait until forcefully kill the pod.                                                            | `60`            | | ||||||
| | `deployment.tolerations`                           | Tolerations of the athens-proxy deployment.                                                                | `[]`            | | | `deployment.tolerations`                           | Tolerations of the athens-proxy deployment.                                                                | `[]`            | | ||||||
| | `deployment.topologySpreadConstraints`             | TopologySpreadConstraints of the athens-proxy deployment.                                                  | `[]`            | | | `deployment.topologySpreadConstraints`             | TopologySpreadConstraints of the athens-proxy deployment.                                                  | `[]`            | | ||||||
| | `deployment.volumes`                               | Additional volumes to mount into the pods of the prometheus-exporter deployment.                           | `[]`            | | | `deployment.volumes`                               | Additional volumes to mount into the pods of the athens-proxy deployment.                                  | `[]`            | | ||||||
|  |  | ||||||
| ### Horizontal Pod Autoscaler (HPA) | ### Horizontal Pod Autoscaler (HPA) | ||||||
|  |  | ||||||
| @@ -287,14 +399,20 @@ annotations with the prefix `checksum`. | |||||||
| | -------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------- | | | -------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------- | | ||||||
| | `persistence.enabled`                                                      | Enable the feature to store the data on a persistent volume claim. If enabled, the volume will be automatically be mounted into the pod. Furthermore, the env `ATHENS_STORAGE_TYPE=disk` will automatically be defined. | `false`                      | | | `persistence.enabled`                                                      | Enable the feature to store the data on a persistent volume claim. If enabled, the volume will be automatically be mounted into the pod. Furthermore, the env `ATHENS_STORAGE_TYPE=disk` will automatically be defined. | `false`                      | | ||||||
| | `persistence.data.mountPath`                                               | The path where the persistent volume should be mounted in the container file system. This variable controls `ATHENS_DISK_STORAGE_ROOT`.                                                                                 | `/var/www/athens-proxy/data` | | | `persistence.data.mountPath`                                               | The path where the persistent volume should be mounted in the container file system. This variable controls `ATHENS_DISK_STORAGE_ROOT`.                                                                                 | `/var/www/athens-proxy/data` | | ||||||
| | `persistence.data.existingPersistentVolumeClaim.enabled`                   | TODO                                                                                                                                                                                                                    | `false`                      | | | `persistence.data.existingPersistentVolumeClaim.enabled`                   | Use an existing persistent volume claim.                                                                                                                                                                                | `false`                      | | ||||||
| | `persistence.data.existingPersistentVolumeClaim.persistentVolumeClaimName` | TODO                                                                                                                                                                                                                    | `""`                         | | | `persistence.data.existingPersistentVolumeClaim.persistentVolumeClaimName` | The name of the existing persistent volume claim.                                                                                                                                                                       | `""`                         | | ||||||
| | `persistence.data.persistentVolumeClaim.annotations`                       | Additional persistent volume claim annotations.                                                                                                                                                                         | `{}`                         | | | `persistence.data.persistentVolumeClaim.annotations`                       | Additional persistent volume claim annotations.                                                                                                                                                                         | `{}`                         | | ||||||
| | `persistence.data.persistentVolumeClaim.labels`                            | Additional persistent volume claim labels.                                                                                                                                                                              | `{}`                         | | | `persistence.data.persistentVolumeClaim.labels`                            | Additional persistent volume claim labels.                                                                                                                                                                              | `{}`                         | | ||||||
| | `persistence.data.persistentVolumeClaim.accessModes`                       | Access modes of the persistent volume claim.                                                                                                                                                                            | `["ReadWriteMany"]`          | | | `persistence.data.persistentVolumeClaim.accessModes`                       | Access modes of the persistent volume claim.                                                                                                                                                                            | `["ReadWriteMany"]`          | | ||||||
| | `persistence.data.persistentVolumeClaim.storageClass`                      | Storage class of the persistent volume claim.                                                                                                                                                                           | `""`                         | | | `persistence.data.persistentVolumeClaim.storageClassName`                  | Storage class of the persistent volume claim.                                                                                                                                                                           | `""`                         | | ||||||
| | `persistence.data.persistentVolumeClaim.storageSize`                       | Size of the persistent volume claim.                                                                                                                                                                                    | `5Gi`                        | | | `persistence.data.persistentVolumeClaim.storageSize`                       | Size of the persistent volume claim.                                                                                                                                                                                    | `5Gi`                        | | ||||||
|  |  | ||||||
|  | ### Network | ||||||
|  |  | ||||||
|  | | Name            | Description                                                              | Value           | | ||||||
|  | | --------------- | ------------------------------------------------------------------------ | --------------- | | ||||||
|  | | `clusterDomain` | Domain of the Cluster. Domain is part of internally issued certificates. | `cluster.local` | | ||||||
|  |  | ||||||
| ### Network Policy | ### Network Policy | ||||||
|  |  | ||||||
| | Name                        | Description                                                               | Value   | | | Name                        | Description                                                               | Value   | | ||||||
|   | |||||||
| @@ -31,6 +31,16 @@ | |||||||
|       "packageNameTemplate": "https://git.cryptic.systems/volker.raschek/athens-proxy-charts", |       "packageNameTemplate": "https://git.cryptic.systems/volker.raschek/athens-proxy-charts", | ||||||
|       "datasourceTemplate": "git-tags", |       "datasourceTemplate": "git-tags", | ||||||
|       "versioningTemplate": "semver" |       "versioningTemplate": "semver" | ||||||
|  |     }, | ||||||
|  |     { | ||||||
|  |       "customType": "regex", | ||||||
|  |       "datasourceTemplate": "github-releases", | ||||||
|  |       "fileMatch": [ | ||||||
|  |         ".vscode/settings\\.json$" | ||||||
|  |       ], | ||||||
|  |       "matchStrings": [ | ||||||
|  |         "https:\\/\\/raw\\.githubusercontent\\.com\\/(?<depName>[^\\s]+?)\\/(?<currentValue>v[0-9.]+?)\\/schema\\/helm-testsuite\\.json" | ||||||
|  |       ] | ||||||
|     } |     } | ||||||
|   ], |   ], | ||||||
|   "packageRules": [ |   "packageRules": [ | ||||||
| @@ -41,6 +51,20 @@ | |||||||
|         "volkerraschek/helm" |         "volkerraschek/helm" | ||||||
|       ] |       ] | ||||||
|     }, |     }, | ||||||
|  |     { | ||||||
|  |       "automerge": true, | ||||||
|  |       "groupName": "Update helm plugin 'unittest'", | ||||||
|  |       "matchDepNames": [ | ||||||
|  |         "helm-unittest/helm-unittest" | ||||||
|  |       ], | ||||||
|  |       "matchDatasources": [ | ||||||
|  |         "github-releases" | ||||||
|  |       ], | ||||||
|  |       "matchUpdateTypes": [ | ||||||
|  |         "minor", | ||||||
|  |         "patch" | ||||||
|  |       ] | ||||||
|  |     }, | ||||||
|     { |     { | ||||||
|       "groupName": "Update docker.io/library/node", |       "groupName": "Update docker.io/library/node", | ||||||
|       "matchDepNames": [ |       "matchDepNames": [ | ||||||
|   | |||||||
							
								
								
									
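--- a/templates/_certificate.tpl
+++ b/templates/_certificate.tpl
@@ -0,0 +1,25 @@
+{{/* vim: set filetype=mustache: */}}
+
+{{/* annotations */}}
+
+{{- define "athens-proxy.certificates.server.annotations" -}}
+{{ include "athens-proxy.annotations" . }}
+{{- if .Values.certificate.new.annotations }}
+{{ toYaml .Values.certificate.new.annotations }}
+{{- end }}
+{{- end }}
+
+{{/* labels */}}
+
+{{- define "athens-proxy.certificates.server.labels" -}}
+{{ include "athens-proxy.labels" . }}
+{{- if .Values.certificate.new.labels }}
+{{ toYaml .Values.certificate.new.labels }}
+{{- end }}
+{{- end }}
+
+{{/* names */}}
+
+{{- define "athens-proxy.certificates.server.name" -}}
+{{ include "athens-proxy.fullname" . }}-tls
+{{- end -}}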
| @@ -26,6 +26,13 @@ | |||||||
| {{- $env = concat $env (list (dict "name" "GOMAXPROCS" "valueFrom" (dict "resourceFieldRef" (dict "divisor" "1" "resource" "limits.cpu")))) }} | {{- $env = concat $env (list (dict "name" "GOMAXPROCS" "valueFrom" (dict "resourceFieldRef" (dict "divisor" "1" "resource" "limits.cpu")))) }} | ||||||
| {{- end }} | {{- end }} | ||||||
|  |  | ||||||
|  | {{- if .Values.certificate.enabled }} | ||||||
|  | {{- $env = concat $env (list | ||||||
|  |       (dict "name" "ATHENS_TLSCERT_FILE" "value" "/etc/athens-proxy/tls/tls.crt") | ||||||
|  |       (dict "name" "ATHENS_TLSKEY_FILE" "value" "/etc/athens-proxy/tls/tls.key") | ||||||
|  |     ) }} | ||||||
|  | {{- end }} | ||||||
|  |  | ||||||
| {{ toYaml (dict "env" $env) }} | {{ toYaml (dict "env" $env) }} | ||||||
|  |  | ||||||
| {{- end -}} | {{- end -}} | ||||||
| @@ -124,6 +131,12 @@ | |||||||
|  |  | ||||||
| {{- end }} | {{- end }} | ||||||
|  |  | ||||||
|  |  | ||||||
|  | {{/* volumeMounts (tls) */}} | ||||||
|  | {{- if .Values.certificate.enabled }} | ||||||
|  | {{- $volumeMounts = concat $volumeMounts (list (dict "name" "tls" "mountPath" "/etc/athens-proxy/tls" )) }} | ||||||
|  | {{- end }} | ||||||
|  |  | ||||||
| {{ toYaml (dict "volumeMounts" $volumeMounts) }} | {{ toYaml (dict "volumeMounts" $volumeMounts) }} | ||||||
| {{- end -}} | {{- end -}} | ||||||
|  |  | ||||||
| @@ -252,5 +265,15 @@ | |||||||
| {{- $volumes = concat $volumes (list $projectedSecretVolume) }} | {{- $volumes = concat $volumes (list $projectedSecretVolume) }} | ||||||
| {{- end }} | {{- end }} | ||||||
|  |  | ||||||
|  | {{/* volumes (tls) */}} | ||||||
|  | {{- if .Values.certificate.enabled }} | ||||||
|  | {{- $secretName := include "athens-proxy.certificates.server.name" $ }} | ||||||
|  | {{- if .Values.certificate.existingSecret.enabled }} | ||||||
|  | {{- $secretName := .Values.certificate.existingSecret.secretName }} | ||||||
|  | {{- end }} | ||||||
|  | {{- $volumes = concat $volumes (list (dict "name" "tls" "secret" (dict "secretName" $secretName))) }} | ||||||
|  | {{- end }} | ||||||
|  |  | ||||||
|  |  | ||||||
| {{ toYaml (dict "volumes" $volumes) }} | {{ toYaml (dict "volumes" $volumes) }} | ||||||
| {{- end -}} | {{- end -}} | ||||||
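Review bot: In the third hunk (volumes), the inner `{{- $secretName := .Values.certificate.existingSecret.secretName }}` inside the `if .Values.certificate.existingSecret.enabled` block declares a new variable scoped to that block rather than overwriting the outer one, so the `tls` volume always references the generated `<fullname>-tls` name; since templates/certificate.yaml is skipped when an existing secret is configured, the pod then mounts a secret that does not exist and never starts. Use an assignment instead, and reject an empty name while at it: `{{- $secretName = required "certificate.existingSecret.secretName must be set" .Values.certificate.existingSecret.secretName }}`. The first two hunks (env and volumeMounts) do not have this problem. The enclosing `define` blocks start outside all three hunks, and the doubled blank lines before `{{/* volumeMounts (tls) */}}` and before `{{ toYaml (dict "volumes" $volumes) }}` could be collapsed to one.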
							
								
								
									
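--- a/templates/certificate.yaml
+++ b/templates/certificate.yaml
@@ -0,0 +1,97 @@
+{{- if and .Values.certificate.enabled (not .Values.certificate.existingSecret.enabled) -}}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  {{- with (include "athens-proxy.certificates.server.annotations" . | fromYaml) }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  {{- with (include "athens-proxy.certificates.server.labels" . | fromYaml) }}
+  labels:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  name: {{ include "athens-proxy.certificates.server.name" . }}
+  namespace: {{ .Release.Namespace }}
+spec:
+  commonName: {{ include "athens-proxy.fullname" . }}
+  {{- if empty .Values.certificate.new.dnsNames }}
+  dnsNames:
+  - {{ include "athens-proxy.fullname" . }}
+  - {{ include "athens-proxy.fullname" . }}.{{ .Release.Namespace }}
+  - {{ include "athens-proxy.fullname" . }}.{{ .Release.Namespace }}.svc
+  - {{ include "athens-proxy.fullname" . }}.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }}
+  {{- else }}
+  dnsNames:
+  {{- range .Values.certificate.new.dnsNames }}
+  - {{ . }}
+  {{- end }}
+  {{- end }}
+  duration: {{ .Values.certificate.new.duration }}
+  {{- if not (empty .Values.certificate.new.ipAddresses) }}
+  ipAddresses:
+  {{- range .Values.certificate.new.ipAddresses }}
+  - {{ . }}
+  {{- end }}
+  {{- end }}
+  isCA: false
+  issuerRef:
+    kind: {{ required "No certificate issuer kind defined!" .Values.certificate.new.issuerRef.kind }}
+    name: {{ required "No certificate issuer name defined!" .Values.certificate.new.issuerRef.name }}
+  privateKey:
+    algorithm: {{ .Values.certificate.new.privateKey.algorithm }}
+    rotationPolicy: {{ .Values.certificate.new.privateKey.rotationPolicy }}
+    size: {{ .Values.certificate.new.privateKey.size }}
+  renewBefore: {{ .Values.certificate.new.renewBefore }}
+  secretName: {{ include "athens-proxy.certificates.server.name" . }}
+  {{- with .Values.certificate.new.secretTemplate }}
+  secretTemplate:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  {{- if or .Values.certificate.new.subject.countries
+            .Values.certificate.new.subject.localities
+            .Values.certificate.new.subject.organizationalUnits
+            .Values.certificate.new.subject.organizations
+            .Values.certificate.new.subject.postalCodes
+            .Values.certificate.new.subject.provinces
+            .Values.certificate.new.subject.serialNumber
+            .Values.certificate.new.subject.streetAddresses
+  }}
+  subject:
+    {{- with .Values.certificate.new.subject.countries }}
+    countries:
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+    {{- with .Values.certificate.new.subject.localities }}
+    localities:
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+    {{- with .Values.certificate.new.subject.organizationalUnits }}
+    organizationalUnits:
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+    {{- with .Values.certificate.new.subject.organizations }}
+    organizations:
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+    {{- with .Values.certificate.new.subject.postalCodes }}
+    postalCodes:
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+    {{- with .Values.certificate.new.subject.provinces }}
+    provinces:
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+    {{- if .Values.certificate.new.subject.serialNumber }}
+    serialNumber: {{ .Values.certificate.new.subject.serialNumber }}
+    {{- end }}
+    {{- with .Values.certificate.new.subject.streetAddresses }}
+    streetAddresses:
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+  {{- end }}
+  usages:
+  {{- range .Values.certificate.new.usages }}
+  - {{ . }}
+  {{- end }}
+{{- end }}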
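Review bot: `privateKey.rotationPolicy` and `usages` are rendered straight from values, and the accompanying unit tests pin their defaults to `Never` and `client auth, server auth`; with `rotationPolicy: Never` cert-manager reuses the same private key on every renewal, and `client auth` is wider than a certificate that is only presented by the server via `ATHENS_TLSCERT_FILE` needs. Consider defaulting `certificate.new.privateKey.rotationPolicy` to `Always` and `certificate.new.usages` to `server auth` only — the values.yaml defaults themselves are not fully visible in this diff, so treat this as to be confirmed against that file. The template needs no change for either, but an empty `certificate.new.usages` list renders a bare `usages:` key with a null value; wrapping the block in a `{{- with .Values.certificate.new.usages }}` … `{{- end }}` guard, as already done for `secretTemplate`, avoids that.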
| @@ -50,16 +50,24 @@ spec: | |||||||
|         image: {{ include "athens-proxy.deployment.images.athens-proxy.fqin" . | quote }} |         image: {{ include "athens-proxy.deployment.images.athens-proxy.fqin" . | quote }} | ||||||
|         imagePullPolicy: {{ .Values.deployment.athensProxy.image.pullPolicy }} |         imagePullPolicy: {{ .Values.deployment.athensProxy.image.pullPolicy }} | ||||||
|         livenessProbe: |         livenessProbe: | ||||||
|           tcpSocket: |           exec: | ||||||
|             port: http |             {{- if not .Values.certificate.enabled }} | ||||||
|  |             command: [ "wget", "-T", "3", "-O", "/dev/null", "http://localhost:3000" ] | ||||||
|  |             {{- else }} | ||||||
|  |             command: [ "wget", "--no-check-certificate", "-T", "3", "-O", "/dev/null", "https://localhost:3000" ] | ||||||
|  |             {{- end }} | ||||||
|           failureThreshold: 3 |           failureThreshold: 3 | ||||||
|           initialDelaySeconds: 5 |           initialDelaySeconds: 5 | ||||||
|           periodSeconds: 60 |           periodSeconds: 60 | ||||||
|           successThreshold: 1 |           successThreshold: 1 | ||||||
|           timeoutSeconds: 3 |           timeoutSeconds: 3 | ||||||
|         readinessProbe: |         readinessProbe: | ||||||
|           tcpSocket: |           exec: | ||||||
|             port: http |             {{- if not .Values.certificate.enabled }} | ||||||
|  |             command: [ "wget", "-T", "3", "-O", "/dev/null", "http://localhost:3000" ] | ||||||
|  |             {{- else }} | ||||||
|  |             command: [ "wget", "--no-check-certificate", "-T", "3", "-O", "/dev/null", "https://localhost:3000" ] | ||||||
|  |             {{- end }} | ||||||
|           failureThreshold: 3 |           failureThreshold: 3 | ||||||
|           initialDelaySeconds: 5 |           initialDelaySeconds: 5 | ||||||
|           periodSeconds: 15 |           periodSeconds: 15 | ||||||
|   | |||||||
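Review bot: The rewritten liveness and readiness probes exec `wget` against a hard-coded `localhost:3000`, dropping the previous `port: http` reference, so they break silently if the image ever lacks wget or the container port diverges from 3000, and `--no-check-certificate` is only needed because a client binary is used at all. A kubelet `httpGet` probe with `scheme: HTTPS` performs no certificate verification itself and keeps the named port, so the same check can be expressed without an exec into the container; `ternary` is available from Sprig. The request path is assumed to be `/`, which is what the wget URL without an explicit path resolves to — confirm Athens answers there. Only the livenessProbe is shown below; the readinessProbe block needs the identical rewrite.
```yaml
        livenessProbe:
          httpGet:
            path: /
            port: http
            scheme: {{ ternary "HTTPS" "HTTP" .Values.certificate.enabled }}
          # … unchanged: failureThreshold, initialDelaySeconds, periodSeconds, successThreshold, timeoutSeconds …
```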
							
								
								
									
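--- a/unittests/certificates/certificate.yaml
+++ b/unittests/certificates/certificate.yaml
@@ -0,0 +1,300 @@
+chart:
+  appVersion: 0.1.0
+  version: 0.1.0
+suite: Certificate athens-proxy template
+release:
+  name: athens-proxy-unittest
+  namespace: testing
+templates:
+- templates/certificate.yaml
+tests:
+- it: Skip rendering by default.
+  asserts:
+  - hasDocuments:
+      count: 0
+
+- it: Skip rendering for existing certificate
+  set:
+    certificate.enabled: true
+    certificate.existingSecret.enabled: true
+  asserts:
+  - hasDocuments:
+      count: 0
+
+- it: Throw error when issuerKind and IssuerName is not defined
+  set:
+    certificate.enabled: true
+  asserts:
+  - failedTemplate:
+      errorMessage: "No certificate issuer kind defined!"
+
+- it: Throw error when issuerKind and IssuerName is not defined
+  set:
+    certificate.enabled: true
+  asserts:
+  - failedTemplate: {}
+
+- it: Throw error when issuerKind not defined
+  set:
+    certificate.enabled: true
+    certificate.new.issuerRef.name: "my-issuer"
+  asserts:
+  - failedTemplate:
+      errorMessage: "No certificate issuer kind defined!"
+
+- it: Throw error when issuerName not defined
+  set:
+    certificate.enabled: true
+    certificate.new.issuerRef.kind: "ClusterIssuer"
+  asserts:
+  - failedTemplate:
+      errorMessage: "No certificate issuer name defined!"
+
+- it: Rendering Certificate object when certificate.enabled=true (default)
+  set:
+    certificate.enabled: true
+    certificate.new.issuerRef.kind: ClusterIssuer
+    certificate.new.issuerRef.name: my-issuer
+  asserts:
+  - hasDocuments:
+      count: 1
+  - containsDocument:
+      apiVersion: cert-manager.io/v1
+      kind: Certificate
+      name: athens-proxy-unittest-tls
+      namespace: testing
+  - equal:
+      path: spec.commonName
+      value: athens-proxy-unittest
+  - equal:
+      path: spec.duration
+      value: 744h
+  - equal:
+      path: spec.dnsNames
+      value: [ "athens-proxy-unittest", "athens-proxy-unittest.testing", "athens-proxy-unittest.testing.svc", "athens-proxy-unittest.testing.svc.cluster.local" ]
+  - notExists:
+      path: spec.ipAddresses
+  - equal:
+      path: spec.isCA
+      value: false
+  - equal:
+      path: spec.issuerRef.kind
+      value: ClusterIssuer
+  - equal:
+      path: spec.issuerRef.name
+      value: my-issuer
+  - equal:
+      path: spec.privateKey.algorithm
+      value: RSA
+  - equal:
+      path: spec.privateKey.size
+      value: 4096
+  - equal:
+      path: spec.privateKey.rotationPolicy
+      value: Never
+  - equal:
+      path: spec.secretName
+      value: athens-proxy-unittest-tls
+  - exists:
+      path: spec.secretTemplate.annotations
+  - exists:
+      path: spec.secretTemplate.labels
+  - notExists:
+      path: spec.subject
+  - notExists:
+      path: spec.subject.countries
+  - notExists:
+      path: spec.subject.localities
+  - notExists:
+      path: spec.subject.organizationalUnits
+  - notExists:
+      path: spec.subject.organizations
+  - notExists:
+      path: spec.subject.postalCodes
+  - notExists:
+      path: spec.subject.provinces
+  - notExists:
+      path: spec.subject.serialNumber
+  - notExists:
+      path: spec.subject.streetAddresses
+  - equal:
+      path: spec.renewBefore
+      value: 672h
+  - equal:
+      path: spec.usages
+      value: [ "client auth", "server auth" ]
+
+# metadata.annotations
+- it: Rendering Certificate object with additional annotations and labels
+  set:
+    certificate.enabled: true
+    certificate.new.issuerRef.kind: ClusterIssuer
+    certificate.new.issuerRef.name: my-issuer
+    certificate.new.annotations:
+      foo: bar
+    certificate.new.labels:
+      bar: foo
+  asserts:
+  - isSubset:
+      path: metadata.annotations
+      content:
+        foo: bar
+  - isSubset:
+      path: metadata.labels
+      content:
+        bar: foo
+
+# spec.duration
+- it: Rendering Certificate object with custom `.Values.certificate.new.duration`.
+  set:
+    certificate.enabled: true
+    certificate.new.issuerRef.kind: ClusterIssuer
+    certificate.new.issuerRef.name: my-issuer
+    certificate.new.duration: 3000h
+  asserts:
+  - equal:
+      path: spec.duration
+      value: 3000h
+
+# spec.dnsNames
+- it: Rendering Certificate object with custom `.Values.certificate.new.dnsNames`.
+  set:
+    certificate.enabled: true
+    certificate.new.issuerRef.kind: ClusterIssuer
+    certificate.new.issuerRef.name: my-issuer
+    certificate.new.dnsNames: [ "app", "app.example.local" ]
+  asserts:
+  - equal:
+      path: spec.dnsNames
+      value: [ "app", "app.example.local" ]
+
+# spec.dnsNames
+- it: Rendering Certificate object with custom `.Values.clusterDomain` as domain.
+  set:
+    certificate.enabled: true
+    certificate.new.issuerRef.kind: ClusterIssuer
+    certificate.new.issuerRef.name: my-issuer
+    clusterDomain: k8s.example.local
+  asserts:
+  - contains:
+      path: spec.dnsNames
+      content:
+        athens-proxy-unittest.testing.svc.k8s.example.local
+      count: 1
+
+# spec.ipAddresses
+- it: RRendering Certificate object with custom `.Values.certificate.new.ipAddresses`.
+  set:
+    certificate.enabled: true
+    certificate.new.issuerRef.kind: ClusterIssuer
+    certificate.new.issuerRef.name: my-issuer
+    certificate.new.ipAddresses: [ "10.11.12.13", "fe00:xxyy:xxyy" ]
+  asserts:
+  - equal:
+      path: spec.ipAddresses
+      value: [ "10.11.12.13", "fe00:xxyy:xxyy" ]
+
+# spec.privateKey
+- it: Rendering Certificate object with custom `.Values.certificate.new.privateKey` values.
+  set:
+    certificate.enabled: true
+    certificate.new.issuerRef.kind: ClusterIssuer
+    certificate.new.issuerRef.name: my-issuer
+    certificate.new.privateKey.algorithm: ED25519
+    certificate.new.privateKey.rotationPolicy: Never
+    certificate.new.privateKey.size: 512
+  asserts:
+  - equal:
+      path: spec.privateKey.algorithm
+      value: ED25519
+  - equal:
+      path: spec.privateKey.rotationPolicy
+      value: Never
+  - equal:
+      path: spec.privateKey.size
+      value: 512
+
+# spec.renewBefore
+- it: Rendering Certificate object with custom `.Values.certificate.new.renewBefore`.
+  set:
+    certificate.enabled: true
+    certificate.new.issuerRef.kind: ClusterIssuer
+    certificate.new.issuerRef.name: my-issuer
+    certificate.new.renewBefore: 2000h
+  asserts:
+  - equal:
+      path: spec.renewBefore
+      value: 2000h
+
+# spec.secretTemplate
+- it: Rendering Certificate object with custom `.Values.certificate.new.secretTemplate` values.
+  set:
+    certificate.enabled: true
+    certificate.new.issuerRef.kind: ClusterIssuer
+    certificate.new.issuerRef.name: my-issuer
+    certificate.new.secretTemplate:
+      annotations:
+        foo: bar
+      labels:
+        bar: foo
+  asserts:
+  - equal:
+      path: spec.secretTemplate.annotations
+      value:
+        foo: bar
+  - equal:
+      path: spec.secretTemplate.labels
+      value:
+        bar: foo
+
+# spec.secretTemplate
+- it: Rendering Certificate object with custom `.Values.certificate.new.subject` values.
+  set:
+    certificate.enabled: true
+    certificate.new.issuerRef.kind: ClusterIssuer
+    certificate.new.issuerRef.name: my-issuer
+    certificate.new.subject.countries: [ "Country" ]
+    certificate.new.subject.localities: [ "City" ]
+    certificate.new.subject.organizationalUnits: [ "IT department" ]
+    certificate.new.subject.organizations: [ "My organization" ]
+    certificate.new.subject.postalCodes: [ "AB12345", "12345AB" ]
+    certificate.new.subject.provinces: [ "Provinces" ]
+    certificate.new.subject.serialNumber: "MyNumber"
+    certificate.new.subject.streetAddresses: [ "ExampleStreet 1", "StreetExample 2" ]
+  asserts:
+  - equal:
+      path: spec.subject.countries
+      value: [ "Country" ]
+  - equal:
+      path: spec.subject.localities
+      value: [ "City" ]
+  - equal:
+      path: spec.subject.organizationalUnits
+      value: [ "IT department" ]
+  - equal:
+      path: spec.subject.organizations
+      value: [ "My organization" ]
+  - equal:
+      path: spec.subject.postalCodes
+      value: [ "AB12345", "12345AB" ]
+  - equal:
+      path: spec.subject.provinces
+      value: [ "Provinces" ]
+  - equal:
+      path: spec.subject.serialNumber
+      value: "MyNumber"
+  - equal:
+      path: spec.subject.streetAddresses
+      value: [ "ExampleStreet 1", "StreetExample 2" ]
+
+# spec.usages
+- it: Rendering Certificate object with custom `.Values.certificate.new.usages`.
+  set:
+    certificate.enabled: true
+    certificate.new.issuerRef.kind: ClusterIssuer
+    certificate.new.issuerRef.name: my-issuer
+    certificate.new.usages: [ "client auth" ]
+  asserts:
+  - equal:
+      path: spec.usages
+      value: [ "client auth" ]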
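Review bot: The two cases both titled `Throw error when issuerKind and IssuerName is not defined` near the top are duplicates: both set only `certificate.enabled: true`, and the second, asserting a bare `failedTemplate: {}`, is subsumed by the first, which already pins the error message — drop the second or give it a distinct purpose and title. The `it` title `RRendering Certificate object with custom ...ipAddresses` has a doubled R, and its sample `fe00:xxyy:xxyy` is not a syntactically valid IPv6 literal, so the case only exercises string pass-through; a well-formed constructed value such as `fd00::1` would also survive cert-manager's own validation, which would presumably reject the malformed one if this fixture were ever applied to a cluster. The comment above the subject test reads `# spec.secretTemplate` but the case covers `spec.subject`.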
							
								
								
									
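--- a/unittests/deployment/certificate.yaml
+++ b/unittests/deployment/certificate.yaml
@@ -0,0 +1,73 @@
+chart:
+  appVersion: 0.1.0
+  version: 0.1.0
+suite: Deployment template
+release:
+  name: athens-proxy-unittest
+  namespace: testing
+templates:
+- templates/configMapDownloadMode.yaml
+- templates/configMapGitConfig.yaml
+- templates/deployment.yaml
+- templates/secretNetRC.yaml
+- templates/secretSSH.yaml
+tests:
+- it: Rendering default without tls config
+  asserts:
+    - notContains:
+        path: spec.template.spec.containers[0].env
+        content:
+          name: ATHENS_TLSCERT_FILE
+          value: /etc/athens-proxy/tls/tls.crt
+      template: templates/deployment.yaml
+    - notContains:
+        path: spec.template.spec.containers[0].env
+        content:
+          name: ATHENS_TLSKEY_FILE
+          value: /etc/athens-proxy/tls/tls.key
+      template: templates/deployment.yaml
+    - notContains:
+        path: spec.template.spec.containers[0].volumeMounts
+        content:
+          name: tls
+          mountPath: /etc/athens-proxy/tls
+      template: templates/deployment.yaml
+    - notContains:
+        path: spec.template.spec.volumes
+        content:
+          name: tls
+          secretRef:
+            name: athens-proxy-unittest-tls
+      template: templates/deployment.yaml
+
+- it: Rendering with tls config
+  set:
+    certificate.enabled: true
+    certificate.new.issuerRef.kind: ClusterIssuer
+    certificate.new.issuerRef.name: MyIssuer
+  asserts:
+    - contains:
+        path: spec.template.spec.containers[0].env
+        content:
+          name: ATHENS_TLSCERT_FILE
+          value: /etc/athens-proxy/tls/tls.crt
+      template: templates/deployment.yaml
+    - contains:
+        path: spec.template.spec.containers[0].env
+        content:
+          name: ATHENS_TLSKEY_FILE
+          value: /etc/athens-proxy/tls/tls.key
+      template: templates/deployment.yaml
+    - contains:
+        path: spec.template.spec.containers[0].volumeMounts
+        content:
+          name: tls
+          mountPath: /etc/athens-proxy/tls
+      template: templates/deployment.yaml
+    - contains:
+        path: spec.template.spec.volumes
+        content:
+          name: tls
+          secret:
+            secretName: athens-proxy-unittest-tls
+      template: templates/deployment.yaml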
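Review bot: The last `notContains` assertion in `Rendering default without tls config` looks for a volume shaped `secretRef: name:`, but the template renders the tls volume as `secret: secretName:` (as the positive case further down asserts), so the negative assertion can never match and would pass even if the volume were rendered unconditionally; change those two lines to `secret:` / `secretName: athens-proxy-unittest-tls`. The suite also has no case for `certificate.existingSecret.enabled: true`, which is the branch in `_deployment.tpl` that is supposed to substitute the user-supplied secret name, so a regression there goes unnoticed. A case along the following lines (constructed secret name) would cover it.
```yaml
# … unchanged: existing test cases …
- it: Rendering with existing tls secret
  set:
    certificate.enabled: true
    certificate.existingSecret.enabled: true
    certificate.existingSecret.secretName: my-existing-tls
  asserts:
    - contains:
        path: spec.template.spec.volumes
        content:
          name: tls
          secret:
            secretName: my-existing-tls
      template: templates/deployment.yaml
```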
							
								
								
									
										98
									
								
								values.yaml
									
									
									
									
									
								
							
							
						
						
									
							| @@ -5,6 +5,77 @@ | |||||||
| nameOverride: "" | nameOverride: "" | ||||||
| fullnameOverride: "" | fullnameOverride: "" | ||||||
|  |  | ||||||
|  | ## @section Certificate | ||||||
|  | certificate: | ||||||
|  |   ## @param certificate.enabled Issue a TLS certificate via cert-manager. If enabled, the environment variables `ATHENS_TLSCERT_FILE` and `ATHENS_TLSKEY_FILE` will be automatically added. | ||||||
|  |   enabled: false | ||||||
|  |  | ||||||
|  |   ## @param certificate.existingSecret.enabled Use an existing secret of the type `kubernetes.io/tls`. | ||||||
|  |   ## @param certificate.existingSecret.secretName Name of the secret containing the TLS certificate and private key. | ||||||
|  |   existingSecret: | ||||||
|  |     enabled: false | ||||||
|  |     secretName: "" | ||||||
|  |  | ||||||
|  |   ## @param certificate.new.annotations Additional certificate annotations. | ||||||
|  |   ## @param certificate.new.labels Additional certificate labels. | ||||||
|  |   ## @param certificate.new.duration Duration of the TLS certificate. | ||||||
|  |   ## @param certificate.new.renewBefore Renew TLS certificate before expiring. | ||||||
|  |   ## @param certificate.new.dnsNames Overwrites the default of the subject alternative DNS names. | ||||||
|  |   ## @param certificate.new.ipAddresses Overwrites the default of the subject alternative IP addresses. | ||||||
|  |   ## @param certificate.new.issuerRef.kind Issuer kind. Can be `Issuer` or `ClusterIssuer`. | ||||||
|  |   ## @param certificate.new.issuerRef.name Name of the `Issuer` or `ClusterIssuer`. | ||||||
|  |   ## @param certificate.new.privateKey.algorithm Algorithm of the private TLS key. | ||||||
|  |   ## @param certificate.new.privateKey.rotationPolicy Rotation of the private TLS key. | ||||||
|  |   ## @param certificate.new.privateKey.size Size of the private TLS key. | ||||||
|  |   ## @param certificate.new.secretTemplate.annotations Additional annotation of the created secret. | ||||||
|  |   ## @param certificate.new.secretTemplate.labels Additional labels of the created secret. | ||||||
|  |   ## @param certificate.new.subject.countries List of countries. | ||||||
|  |   ## @param certificate.new.subject.localities List of localities. | ||||||
|  |   ## @param certificate.new.subject.organizationalUnits List of organizationalUnits. | ||||||
|  |   ## @param certificate.new.subject.organizations List of organizations. | ||||||
|  |   ## @param certificate.new.subject.postalCodes List of postalCodes. | ||||||
|  |   ## @param certificate.new.subject.provinces List of provinces. | ||||||
|  |   ## @param certificate.new.subject.serialNumber Serial number. | ||||||
|  |   ## @param certificate.new.subject.streetAddresses List of streetAddresses. | ||||||
|  |   ## @param certificate.new.usages Define the usage of the TLS key. | ||||||
|  |   new: | ||||||
|  |     annotations: {} | ||||||
|  |     labels: {} | ||||||
|  |     duration: "744h"      # 31 days | ||||||
|  |     renewBefore: "672h"   # 28 days | ||||||
|  |     dnsNames: [] | ||||||
|  |     # The following DNS names are already part of the SAN's and serves only as example. | ||||||
|  |     # - "athens-proxy" | ||||||
|  |     # - "athens-proxy.svc" | ||||||
|  |     # - "athens-proxy.svc.namespace" | ||||||
|  |     # - "athens-proxy.svc.namespace.cluster.local" | ||||||
|  |     ipAddresses: [] | ||||||
|  |     # The following IP addresses serves only as example. | ||||||
|  |     # - "10.92.1.10" | ||||||
|  |     # - "2001:0db8:85a3:08d3:1319:8a2e:0370:7344" | ||||||
|  |     issuerRef: | ||||||
|  |       kind: "" | ||||||
|  |       name: "" | ||||||
|  |     privateKey: | ||||||
|  |       algorithm: "RSA" | ||||||
|  |       rotationPolicy: "Never" | ||||||
|  |       size: 4096 | ||||||
|  |     secretTemplate: | ||||||
|  |       annotations: {} | ||||||
|  |       labels: {} | ||||||
|  |     subject: | ||||||
|  |       countries: [] | ||||||
|  |       localities: [] | ||||||
|  |       organizationalUnits: [] | ||||||
|  |       organizations: [] | ||||||
|  |       postalCodes: [] | ||||||
|  |       provinces: [] | ||||||
|  |       serialNumber: "" | ||||||
|  |       streetAddresses: [] | ||||||
|  |     usages: | ||||||
|  |     - "client auth" | ||||||
|  |     - "server auth" | ||||||
|  |  | ||||||
| ## @section Configuration | ## @section Configuration | ||||||
| config: | config: | ||||||
|   env: |   env: | ||||||
| @@ -78,8 +149,6 @@ config: | |||||||
|         # ATHENS_STORAGE_GCP_JSON_KEY: |         # ATHENS_STORAGE_GCP_JSON_KEY: | ||||||
|         # ATHENS_SUM_DBS: |         # ATHENS_SUM_DBS: | ||||||
|         # ATHENS_TIMEOUT: |         # ATHENS_TIMEOUT: | ||||||
|         # ATHENS_TLSCERT_FILE: |  | ||||||
|         # ATHENS_TLSKEY_FILE: |  | ||||||
|         # ATHENS_TRACE_EXPORTER_URL: |         # ATHENS_TRACE_EXPORTER_URL: | ||||||
|         # ATHENS_TRACE_EXPORTER: |         # ATHENS_TRACE_EXPORTER: | ||||||
|         # AWS_ACCESS_KEY_ID: |         # AWS_ACCESS_KEY_ID: | ||||||
| @@ -404,9 +473,9 @@ deployment: | |||||||
|   #   whenUnsatisfiable: DoNotSchedule |   #   whenUnsatisfiable: DoNotSchedule | ||||||
|   #   labelSelector: |   #   labelSelector: | ||||||
|   #     matchLabels: |   #     matchLabels: | ||||||
|   #       app.kubernetes.io/instance: prometheus-athens-proxy |   #       app.kubernetes.io/instance: athens-proxy | ||||||
|  |  | ||||||
|   ## @param deployment.volumes Additional volumes to mount into the pods of the prometheus-exporter deployment. |   ## @param deployment.volumes Additional volumes to mount into the pods of the athens-proxy deployment. | ||||||
|   volumes: [] |   volumes: [] | ||||||
|   # - name: my-configmap-volume |   # - name: my-configmap-volume | ||||||
|   #   config: |   #   config: | ||||||
| @@ -481,8 +550,8 @@ persistence: | |||||||
|     ## @param persistence.data.mountPath The path where the persistent volume should be mounted in the container file system. This variable controls `ATHENS_DISK_STORAGE_ROOT`. |     ## @param persistence.data.mountPath The path where the persistent volume should be mounted in the container file system. This variable controls `ATHENS_DISK_STORAGE_ROOT`. | ||||||
|     mountPath: "/var/www/athens-proxy/data" |     mountPath: "/var/www/athens-proxy/data" | ||||||
|  |  | ||||||
|     ## @param persistence.data.existingPersistentVolumeClaim.enabled TODO |     ## @param persistence.data.existingPersistentVolumeClaim.enabled Use an existing persistent volume claim. | ||||||
|     ## @param persistence.data.existingPersistentVolumeClaim.persistentVolumeClaimName TODO |     ## @param persistence.data.existingPersistentVolumeClaim.persistentVolumeClaimName The name of the existing persistent volume claim. | ||||||
|     existingPersistentVolumeClaim: |     existingPersistentVolumeClaim: | ||||||
|       enabled: false |       enabled: false | ||||||
|       persistentVolumeClaimName: "" |       persistentVolumeClaimName: "" | ||||||
| @@ -490,16 +559,20 @@ persistence: | |||||||
|     ## @param persistence.data.persistentVolumeClaim.annotations Additional persistent volume claim annotations. |     ## @param persistence.data.persistentVolumeClaim.annotations Additional persistent volume claim annotations. | ||||||
|     ## @param persistence.data.persistentVolumeClaim.labels Additional persistent volume claim labels. |     ## @param persistence.data.persistentVolumeClaim.labels Additional persistent volume claim labels. | ||||||
|     ## @param persistence.data.persistentVolumeClaim.accessModes Access modes of the persistent volume claim. |     ## @param persistence.data.persistentVolumeClaim.accessModes Access modes of the persistent volume claim. | ||||||
|     ## @param persistence.data.persistentVolumeClaim.storageClass Storage class of the persistent volume claim. |     ## @param persistence.data.persistentVolumeClaim.storageClassName Storage class of the persistent volume claim. | ||||||
|     ## @param persistence.data.persistentVolumeClaim.storageSize Size of the persistent volume claim. |     ## @param persistence.data.persistentVolumeClaim.storageSize Size of the persistent volume claim. | ||||||
|     persistentVolumeClaim: |     persistentVolumeClaim: | ||||||
|       annotations: {} |       annotations: {} | ||||||
|       labels: {} |       labels: {} | ||||||
|       accessModes: |       accessModes: | ||||||
|       - ReadWriteMany |       - ReadWriteMany | ||||||
|       storageClass: "" |       storageClassName: "" | ||||||
|       storageSize: "5Gi" |       storageSize: "5Gi" | ||||||
|  |  | ||||||
|  | ## @section Network | ||||||
|  | ## @param clusterDomain Domain of the Cluster. Domain is part of internally issued certificates. | ||||||
|  | clusterDomain: "cluster.local" | ||||||
|  |  | ||||||
| ## @section Network Policy | ## @section Network Policy | ||||||
| networkPolicy: | networkPolicy: | ||||||
|   ## @param networkPolicy.enabled Enable network policies in general. |   ## @param networkPolicy.enabled Enable network policies in general. | ||||||
| @@ -517,13 +590,10 @@ networkPolicy: | |||||||
|   # - Egress |   # - Egress | ||||||
|   # - Ingress |   # - Ingress | ||||||
|   egress: [] |   egress: [] | ||||||
|   # Allow outgoing traffic to database host |   # Allow outgoing HTTPS traffic to external go module servers | ||||||
|   # |   # | ||||||
|   # - to: |   # - ports: | ||||||
|   #   - ipBlock: |   #   - port: 443 | ||||||
|   #       cidr: 192.168.179.1/32 |  | ||||||
|   #   ports: |  | ||||||
|   #   - port: 5432 |  | ||||||
|   #     protocol: TCP |   #     protocol: TCP | ||||||
|  |  | ||||||
|   # Allow outgoing DNS traffic to the internal running DNS-Server. For example core-dns. |   # Allow outgoing DNS traffic to the internal running DNS-Server. For example core-dns. | ||||||
|   | |||||||
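Review bot: `rotationPolicy: "Never"` under `certificate.new.privateKey` in the first hunk keeps the same private key across every renewal, and with `duration: "744h"` and `renewBefore: "672h"` a renewal is triggered about 72h after each issuance, so one key is re-certified indefinitely; cert-manager's documentation recommends `rotationPolicy: Always` so that a renewal also replaces the key. I would make `rotationPolicy: "Always"` the default and say what the values mean in the param line, e.g. `## @param certificate.new.privateKey.rotationPolicy Rotation of the private TLS key on renewal (`Always` generates a new key, `Never` reuses the existing one).` The trailing `# 31 days` / `# 28 days` comments could also state that the effective renewal interval is three days, since that is not obvious from the two numbers. The `usages` default additionally lists `client auth`; if the proxy only terminates inbound TLS, `server auth` alone is the narrower default, but that depends on the templates, which are not part of this hunk.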