chore(deps): rollback docker docker.io/volkerraschek/helm to 3.19.2

The patch add the annotation `checksum/secret-<name of the TLS secret>` with the
sha512 value of the secret. This ensures a rolling update if the TLS secrets has
been updated. Such an update can be triggered by the cert-manager.

.gitea/workflows/generate-readme.yaml

@@ -15,15 +15,14 @@ on:
 jobs:
   generate-parameters:
     container:
-      image: docker.io/library/node:24.10.0-alpine
-    runs-on:
-    - ubuntu-latest
+      image: docker.io/library/node:25.2.1-alpine
+    runs-on: ubuntu-latest
     steps:
     - name: Install tooling
       run: |
         apk update
         apk add git npm
-    - uses: actions/checkout@v5.0.0
+    - uses: actions/checkout@v5.0.1
     - name: Generate parameter section in README
       run: |
         npm install

.gitea/workflows/helm.yaml

@@ -12,31 +12,26 @@ on:
 
 jobs:
   helm-lint:
-    container:
-      image: docker.io/volkerraschek/helm:3.19.0
-    runs-on:
-    - ubuntu-latest
+    runs-on: ubuntu-latest
     steps:
-    - name: Install tooling
-      run: |
-        apk update
-        apk add git npm
-    - uses: actions/checkout@v5.0.0
+    - uses: actions/checkout@v5.0.1
+    - uses: azure/setup-helm@v4.3.1
+      with:
+        version: v4.0.1 # renovate: datasource=github-releases depName=helm/helm
     - name: Lint helm files
       run: |
         helm lint --values values.yaml .
 
   helm-unittest:
-    container:
-      image: docker.io/volkerraschek/helm:3.19.0
-    runs-on:
-    - ubuntu-latest
+    runs-on: ubuntu-latest
     steps:
-    - name: Install tooling
-      run: |
-        apk update
-        apk add git npm
-    - uses: actions/checkout@v5.0.0
-    - name: Unittest
-      run: |
-        helm unittest --strict --file 'unittests/**/*.yaml' ./
+    - uses: actions/checkout@v5.0.1
+    - uses: azure/setup-helm@v4.3.1
+      with:
+        version: v4.0.1 # renovate: datasource=github-releases depName=helm/helm
+    - env:
+        HELM_UNITTEST_VERSION: v1.0.0 #renovate: datasource=github-releases depName=helm-unittest/helm-unittest
+      name: Install helm-unittest
+      run: helm plugin install --verify=false --version "${HELM_UNITTEST_VERSION}" https://github.com/helm-unittest/helm-unittest
+    - name: Execute helm unittests
+      run: helm unittest --strict --file 'unittests/**/*.yaml' .

.gitea/workflows/markdown-linters.yaml

@@ -15,15 +15,14 @@ on:
 jobs:
   markdown-link-checker:
     container:
-      image: docker.io/library/node:24.10.0-alpine
-    runs-on:
-    - ubuntu-latest
+      image: docker.io/library/node:25.2.1-alpine
+    runs-on: ubuntu-latest
     steps:
     - name: Install tooling
       run: |
         apk update
         apk add git npm
-    - uses: actions/checkout@v5.0.0
+    - uses: actions/checkout@v5.0.1
     - name: Verify links in markdown files
       run: |
         npm install
@@ -31,15 +30,14 @@ jobs:
 
   markdown-lint:
     container:
-      image: docker.io/library/node:24.10.0-alpine
-    runs-on:
-    - ubuntu-latest
+      image: docker.io/library/node:25.2.1-alpine
+    runs-on: ubuntu-latest
     steps:
     - name: Install tooling
       run: |
         apk update
         apk add git
-    - uses: actions/checkout@v5.0.0
+    - uses: actions/checkout@v5.0.1
     - name: Lint markdown files
       run: |
         npm install

.gitea/workflows/release.yaml

@@ -8,7 +8,7 @@ on:
 jobs:
   publish-chart:
     container:
-      image: docker.io/volkerraschek/helm:3.19.0
+      image: docker.io/volkerraschek/helm:3.19.2
     runs-on: ubuntu-latest
     steps:
       - name: Install packages via apk
@@ -16,7 +16,7 @@ jobs:
           apk update
           apk add git npm jq yq
 
-      - uses: actions/checkout@v5.0.0
+      - uses: actions/checkout@v5.0.1
         with:
           fetch-depth: 0
 

.vscode/settings.json

@@ -0,0 +1,8 @@
+{
+  "yaml.schemas": {
+    "https://raw.githubusercontent.com/helm-unittest/helm-unittest/v1.0.3/schema/helm-testsuite.json": [
+      "/unittests/**/*.yaml"
+    ]
+  },
+  "yaml.schemaStore.enable": true
+}

Makefile

@@ -10,7 +10,7 @@ HELM_IMAGE_FULLY_QUALIFIED=${HELM_IMAGE_REGISTRY_HOST}/${HELM_IMAGE_REPOSITORY}:
 # NODE_IMAGE
 NODE_IMAGE_REGISTRY_HOST?=docker.io
 NODE_IMAGE_REPOSITORY?=library/node
-NODE_IMAGE_VERSION?=24.10.0-alpine # renovate: datasource=docker registryUrl=https://docker.io depName=docker.io/library/node packageName=library/node
+NODE_IMAGE_VERSION?=25.2.1-alpine # renovate: datasource=docker registryUrl=https://docker.io depName=docker.io/library/node packageName=library/node
 NODE_IMAGE_FULLY_QUALIFIED=${NODE_IMAGE_REGISTRY_HOST}/${NODE_IMAGE_REPOSITORY}:${NODE_IMAGE_VERSION}
 
 # MISSING DOT

README.md

@@ -1,4 +1,4 @@
-# athens-proxy-charts
+# Athens - A Go module datastore and proxy
 
 [![Artifact Hub](https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/volker-raschek)](https://artifacthub.io/packages/search?repo=volker-raschek)
 
@@ -16,10 +16,7 @@ Chapter [configuration and installation](#helm-configuration-and-installation) d
 helm and use it to deploy the exporter. It also contains further configuration examples.
 
 Furthermore, this helm chart contains unit tests to detect regressions and stabilize the deployment. Additionally, this
-helm chart is tested for deployment scenarios with **ArgoCD**, but please keep in mind, that this chart supports the
-*[Automatically Roll Deployment](https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments)*
-concept of Helm, which can trigger unexpected rolling releases. Further configuration instructions are described in a
-separate [chapter](#argocd).
+helm chart is tested for deployment scenarios with **ArgoCD**.
 
 ## Helm: configuration and installation
 
@@ -40,21 +37,21 @@ version of the chart must be in sync with the `values.yaml`. Newer *minor* versi
 versions can break something!
 
 ```bash
-CHART_VERSION=1.0.3
+CHART_VERSION=1.1.1
 helm show values volker.raschek/athens-proxy --version "${CHART_VERSION}" > values.yaml
 ```
 
 A complete list of available helm chart versions can be displayed via the following command:
 
 ```bash
-helm search repo reposilite --versions
+helm search repo athens-proxy --versions
 ```
 
 The helm chart also contains a persistent volume claim definition. It persistent volume claim is not enabled by default.
 Use the `--set` argument to persist your data.
 
 ```bash
-CHART_VERSION=1.0.3
+CHART_VERSION=1.1.1
 helm install --version "${CHART_VERSION}" athens-proxy volker.raschek/athens-proxy \
   persistence.enabled=true
 ```
@@ -84,13 +81,73 @@ Further information about this topic can be found in one of Kanishk's blog
 > Please take care the a CPU limit < `1000m` can also lead to CPU throttling. Please read the linked documentation carefully.
 
 ```bash
-CHART_VERSION=1.0.3
+CHART_VERSION=1.1.1
 helm install --version "${CHART_VERSION}" athens-proxy volker.raschek/athens-proxy \
   --set 'deployment.athensProxy.env.name=GOMAXPROCS' \
   --set 'deployment.athensProxy.env.valueFrom.resourceFieldRef.resource=limits.cpu' \
   --set 'deployment.athensProxy.resources.limits.cpu=1000m'
 ```
 
+#### TLS encryption
+
+The example shows how to deploy the application with TLS encryption. For example when **no** HTTP ingress is used for
+TLS determination and instead the application it self should determinate the TLS handshake. To generate the TLS
+certificate can be used the [cert-manager](https://cert-manager.io/). The chart supports the creation of such a TLS
+certificate via `cert-manager.io/v1 Certificate` resource. Alternatively can be mounted a TLS certificate from a secret.
+The secret must be from type `kubernetes.io/tls`.
+
+> [!WARNING]
+> The following example expects that the [cert-manager](https://cert-manager.io/) is deployed and the `Issuer` named
+> `athens-proxy-ca` is present in the same namespace of the helm deployment.
+
+```bash
+CHART_VERSION=1.1.1
+helm install --version "${CHART_VERSION}" athens-proxy volker.raschek/athens-proxy \
+  --set 'config.certificate.enabled=true' \
+  --set 'config.certificate.new.issuerRef.kind=Issuer' \
+  --set 'config.certificate.new.issuerRef.name=athens-proxy-ca'
+```
+
+The environment variables `ATHENS_TLSCERT_FILE` and `ATHENS_TLSKEY_FILE` are automatically added and the TLS certificate
+and private key are mounted to a pre-defined destination inside the container file system.
+
+#### TLS certificate rotation
+
+If the application uses TLS certificates that are mounted as a secret in the container file system like the example
+[above](#tls-encryption), the application will not automatically apply them when the TLS certificates are rotated. Such
+a rotation can be for example triggered, when the [cert-manager](https://cert-manager.io/) issues new TLS certificates
+before expiring.
+
+Until the exporter does not support rotating TLS certificate a workaround can be applied. For example stakater's
+[reloader](https://github.com/stakater/Reloader) controller can be used to trigger a rolling update. The following
+annotation must be added to instruct the reloader controller to trigger a rolling update, when the mounted secret has
+been changed.
+
+> [!IMPORTANT]
+> The Helm chart already adds annotations to trigger a rolling release. Helm describes this approach under
+> [Automatically Roll Deployments](https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments).
+> For this reason, **only external** configMaps or secrets need to be monitored by reloader.
+
+```yaml
+deployment:
+  annotations:
+    secret.reloader.stakater.com/reload: "athens-proxy-tls"
+```
+
+If the application is rolled out using ArgoCD, a rolling update from stakater's
+[reloader](https://github.com/stakater/Reloader) can lead to a drift. ArgoCD will attempt to restore the original state
+with a rolling update. To avoid this, instead of a rolling update triggered by the reloader, a restart of the pod can be
+initiated. Further information are available in the official
+[README](https://github.com/stakater/Reloader?tab=readme-ov-file#4-%EF%B8%8F-workload-specific-rollout-strategy) of
+stakater's reloader.
+
+```diff
+  deployment:
+    annotations:
++     reloader.stakater.com/rollout-strategy: "restart"
+      secret.reloader.stakater.com/reload: "athens-proxy-tls"
+```
+
 #### Network policies
 
 Network policies can only take effect, when the used CNI plugin support network policies. The chart supports no custom
@@ -126,6 +183,9 @@ networkPolicies:
       protocol: TCP
     - port: 53
       protocol: UDP
+  - ports:
+    - port: 22
+      protocol: TCP
   - ports:
     - port: 443
       protocol: TCP
@@ -145,31 +205,51 @@ networkPolicies:
 
 ## ArgoCD
 
-### Daily execution of rolling updates
+### Example Application
 
-The behavior whereby ArgoCD triggers a rolling update even though nothing appears to have changed often occurs in
-connection with the helm concept `checksum/secret`, `checksum/configmap` or more generally, [Automatically Roll
-Deployments](https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments).
+An application resource for the Helm chart is defined below. It serves as an example for your own deployment.
 
-The problem with combining this concept with ArgoCD is that ArgoCD re-renders the Helm chart every time. Even if the
-content of the config map or secret has not changed, there may be minimal differences (e.g., whitespace, chart version,
-Helm render order, different timestamps).
-
-This changes the SHA256 hash, Argo sees a drift and trigger a rolling update of the deployment. Among other things, this
-can lead to unnecessary notifications from ArgoCD.
-
-To avoid this, the annotation with the shasum must be ignored. Below is a diff that adds the `Application` to ignore all
-annotations with the prefix `checksum`.
-
-```diff
-  apiVersion: argoproj.io/v1alpha1
-  kind: Application
-  spec:
-+   ignoreDifferences:
-+   - group: apps/v1
-+     kind: Deployment
-+     jqPathExpressions:
-+     - '.spec.template.metadata.annotations | with_entries(select(.key | startswith("checksum")))'
+```yaml
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+spec:
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: athens-proxy
+  ignoreDifferences:
+  - group: apps
+    kind: Deployment
+    jqPathExpressions:
+    # When HPA is enabled, ensure that a modification of the replicas does not lead to a
+    # drift.
+      - '.spec.replicas'
+    # Ensure that changes of the annotations or environment variables added or modified by
+    # stakater's reloader does not lead to a drift.
+    - '.spec.template.metadata.annotations | with_entries(select(.key | startswith("reloader")))'
+    - '.spec.template.spec.containers[].env[] | select(.name | startswith("STAKATER_"))'
+  sources:
+  - repoURL: https://charts.cryptic.systems/volker.raschek
+    chart: athens-proxy
+    targetRevision: '0.*'
+    helm:
+      valueFiles:
+      - $values/values.yaml
+      releaseName: athens-proxy
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    managedNamespaceMetadata:
+      annotations: {}
+      labels: {}
+    syncOptions:
+    - ApplyOutOfSyncOnly=true
+    - CreateNamespace=true
+    - FailOnSharedResource=false
+    - Replace=false
+    - RespectIgnoreDifferences=false
+    - ServerSideApply=true
+    - Validate=true
 ```
 
 ## Parameters
@@ -317,8 +397,8 @@ annotations with the prefix `checksum`.
 | -------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------- |
 | `persistence.enabled`                                                      | Enable the feature to store the data on a persistent volume claim. If enabled, the volume will be automatically be mounted into the pod. Furthermore, the env `ATHENS_STORAGE_TYPE=disk` will automatically be defined. | `false`                      |
 | `persistence.data.mountPath`                                               | The path where the persistent volume should be mounted in the container file system. This variable controls `ATHENS_DISK_STORAGE_ROOT`.                                                                                 | `/var/www/athens-proxy/data` |
-| `persistence.data.existingPersistentVolumeClaim.enabled`                   | TODO                                                                                                                                                                                                                    | `false`                      |
-| `persistence.data.existingPersistentVolumeClaim.persistentVolumeClaimName` | TODO                                                                                                                                                                                                                    | `""`                         |
+| `persistence.data.existingPersistentVolumeClaim.enabled`                   | Use an existing persistent volume claim.                                                                                                                                                                                | `false`                      |
+| `persistence.data.existingPersistentVolumeClaim.persistentVolumeClaimName` | The name of the existing persistent volume claim.                                                                                                                                                                       | `""`                         |
 | `persistence.data.persistentVolumeClaim.annotations`                       | Additional persistent volume claim annotations.                                                                                                                                                                         | `{}`                         |
 | `persistence.data.persistentVolumeClaim.labels`                            | Additional persistent volume claim labels.                                                                                                                                                                              | `{}`                         |
 | `persistence.data.persistentVolumeClaim.accessModes`                       | Access modes of the persistent volume claim.                                                                                                                                                                            | `["ReadWriteMany"]`          |

package.json

@@ -16,6 +16,6 @@
   "devDependencies": {
     "@bitnami/readme-generator-for-helm": "^2.5.0",
     "markdown-link-check": "^3.13.6",
-    "markdownlint-cli": "^0.45.0"
+    "markdownlint-cli": "^0.46.0"
   }
 }

renovate.json

@@ -31,6 +31,16 @@
       "packageNameTemplate": "https://git.cryptic.systems/volker.raschek/athens-proxy-charts",
       "datasourceTemplate": "git-tags",
       "versioningTemplate": "semver"
+    },
+    {
+      "customType": "regex",
+      "datasourceTemplate": "github-releases",
+      "fileMatch": [
+        ".vscode/settings\\.json$"
+      ],
+      "matchStrings": [
+        "https:\\/\\/raw\\.githubusercontent\\.com\\/(?<depName>[^\\s]+?)\\/(?<currentValue>v[0-9.]+?)\\/schema\\/helm-testsuite\\.json"
+      ]
     }
   ],
   "packageRules": [
@@ -41,6 +51,20 @@
         "volkerraschek/helm"
       ]
     },
+    {
+      "automerge": true,
+      "groupName": "Update helm plugin 'unittest'",
+      "matchDepNames": [
+        "helm-unittest/helm-unittest"
+      ],
+      "matchDatasources": [
+        "github-releases"
+      ],
+      "matchUpdateTypes": [
+        "minor",
+        "patch"
+      ]
+    },
     {
       "groupName": "Update docker.io/library/node",
       "matchDepNames": [

templates/_pod.tpl

@@ -4,6 +4,10 @@
 
 {{- define "athens-proxy.pod.annotations" }}
 {{- include "athens-proxy.annotations" . }}
+{{- if and .Values.certificate.enabled (not .Values.certificate.existingSecret.enabled) }}
+{{- $secretName := include "athens-proxy.certificates.server.name" $ }}
+{{ printf "checksum/secret-%s: %s" $secretName (print (lookup "v1" "Secret" .Release.Namespace $secretName) | sha256sum) }}
+{{- end }}
 {{- if and .Values.config.env.enabled (not .Values.config.env.existingSecret.enabled) }}
 {{ printf "checksum/secret-%s: %s" (include "athens-proxy.secrets.env.name" $) (include (print $.Template.BasePath "/secretEnv.yaml") . | sha256sum) }}
 {{- end }}
@@ -21,8 +25,6 @@
 {{- end }}
 {{- end }}
 
-
-
 {{/* labels */}}
 
 {{- define "athens-proxy.pod.labels" -}}

templates/certificate.yaml

@@ -48,6 +48,15 @@ spec:
   secretTemplate:
     {{- toYaml . | nindent 4 }}
   {{- end }}
+  {{- if or .Values.certificate.new.subject.countries
+            .Values.certificate.new.subject.localities
+            .Values.certificate.new.subject.organizationalUnits
+            .Values.certificate.new.subject.organizations
+            .Values.certificate.new.subject.postalCodes
+            .Values.certificate.new.subject.provinces
+            .Values.certificate.new.subject.serialNumber
+            .Values.certificate.new.subject.streetAddresses
+  }}
   subject:
     {{- with .Values.certificate.new.subject.countries }}
     countries:
@@ -80,6 +89,7 @@ spec:
     streetAddresses:
     {{- toYaml . | nindent 4 }}
     {{- end }}
+  {{- end }}
   usages:
   {{- range .Values.certificate.new.usages }}
   - {{ . }}

unittests/certificates/certificate.yaml

@@ -99,7 +99,7 @@ tests:
       path: spec.secretTemplate.annotations
   - exists:
       path: spec.secretTemplate.labels
-  - exists:
+  - notExists:
       path: spec.subject
   - notExists:
       path: spec.subject.countries

unittests/deployment/certificate.yaml

@@ -46,6 +46,9 @@ tests:
     certificate.new.issuerRef.kind: ClusterIssuer
     certificate.new.issuerRef.name: MyIssuer
   asserts:
+    - exists:
+        path: spec.template.metadata.annotations["checksum/secret-athens-proxy-unittest-tls"]
+      template: templates/deployment.yaml
     - contains:
         path: spec.template.spec.containers[0].env
         content:

values.yaml

@@ -550,8 +550,8 @@ persistence:
     ## @param persistence.data.mountPath The path where the persistent volume should be mounted in the container file system. This variable controls `ATHENS_DISK_STORAGE_ROOT`.
     mountPath: "/var/www/athens-proxy/data"
 
-    ## @param persistence.data.existingPersistentVolumeClaim.enabled TODO
-    ## @param persistence.data.existingPersistentVolumeClaim.persistentVolumeClaimName TODO
+    ## @param persistence.data.existingPersistentVolumeClaim.enabled Use an existing persistent volume claim.
+    ## @param persistence.data.existingPersistentVolumeClaim.persistentVolumeClaimName The name of the existing persistent volume claim.
     existingPersistentVolumeClaim:
       enabled: false
       persistentVolumeClaimName: ""
@@ -590,6 +590,12 @@ networkPolicy:
   # - Egress
   # - Ingress
   egress: []
+  # Allow outgoing SSH traffic to Source Code Control System's (SCCS') like GitHub or GitLab.
+  #
+  # - ports:
+  #   - port: 22
+  #     protocol: TCP
+
   # Allow outgoing HTTPS traffic to external go module servers
   #
   # - ports: