			15 Commits
			1.1.0
			...
			3f7476afc6
	| Author | SHA1 | Date | |
|---|---|---|---|
| 3f7476afc6 | |||
| 530316e910 | |||
| 4974d63a8c | |||
| 1bbd0352c3 | |||
| ccdf377aaa | |||
| 64790fc316 | |||
| 2c88d6698b | |||
| 9abdb1ca3a | |||
| 81f14405fd | |||
| 7b37bfc373 | |||
| bba0df90ff | |||
| cb312817c3 | |||
| fe428d83d2 | |||
| 4c94529eab | |||
| 297f36920a | 
| @@ -15,7 +15,7 @@ on: | ||||
| jobs: | ||||
|   generate-parameters: | ||||
|     container: | ||||
|       image: docker.io/library/node:24.10.0-alpine | ||||
|       image: docker.io/library/node:25.0.0-alpine | ||||
|     runs-on: | ||||
|     - ubuntu-latest | ||||
|     steps: | ||||
|   | ||||
| @@ -15,7 +15,7 @@ on: | ||||
| jobs: | ||||
|   markdown-link-checker: | ||||
|     container: | ||||
|       image: docker.io/library/node:24.10.0-alpine | ||||
|       image: docker.io/library/node:25.0.0-alpine | ||||
|     runs-on: | ||||
|     - ubuntu-latest | ||||
|     steps: | ||||
| @@ -31,7 +31,7 @@ jobs: | ||||
|  | ||||
|   markdown-lint: | ||||
|     container: | ||||
|       image: docker.io/library/node:24.10.0-alpine | ||||
|       image: docker.io/library/node:25.0.0-alpine | ||||
|     runs-on: | ||||
|     - ubuntu-latest | ||||
|     steps: | ||||
|   | ||||
										8
									
								
								.vscode/settings.json
							| @@ -0,0 +1,8 @@ | ||||
| { | ||||
|   "yaml.schemas": { | ||||
|     "https://raw.githubusercontent.com/helm-unittest/helm-unittest/v1.0.3/schema/helm-testsuite.json": [ | ||||
|       "/unittests/**/*.yaml" | ||||
|     ] | ||||
|   }, | ||||
|   "yaml.schemaStore.enable": true | ||||
| } | ||||
										2
									
								
								Makefile
							| @@ -10,7 +10,7 @@ HELM_IMAGE_FULLY_QUALIFIED=${HELM_IMAGE_REGISTRY_HOST}/${HELM_IMAGE_REPOSITORY}: | ||||
| # NODE_IMAGE | ||||
| NODE_IMAGE_REGISTRY_HOST?=docker.io | ||||
| NODE_IMAGE_REPOSITORY?=library/node | ||||
| NODE_IMAGE_VERSION?=24.10.0-alpine # renovate: datasource=docker registryUrl=https://docker.io depName=docker.io/library/node packageName=library/node | ||||
| NODE_IMAGE_VERSION?=25.0.0-alpine # renovate: datasource=docker registryUrl=https://docker.io depName=docker.io/library/node packageName=library/node | ||||
| NODE_IMAGE_FULLY_QUALIFIED=${NODE_IMAGE_REGISTRY_HOST}/${NODE_IMAGE_REPOSITORY}:${NODE_IMAGE_VERSION} | ||||
|  | ||||
| # MISSING DOT | ||||
|   | ||||
										148
									
								
								README.md
							| @@ -16,10 +16,7 @@ Chapter [configuration and installation](#helm-configuration-and-installation) d | ||||
| helm and use it to deploy the exporter. It also contains further configuration examples. | ||||
|  | ||||
| Furthermore, this helm chart contains unit tests to detect regressions and stabilize the deployment. Additionally, this | ||||
| helm chart is tested for deployment scenarios with **ArgoCD**, but please keep in mind, that this chart supports the | ||||
| *[Automatically Roll Deployment](https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments)* | ||||
| concept of Helm, which can trigger unexpected rolling releases. Further configuration instructions are described in a | ||||
| separate [chapter](#argocd). | ||||
| helm chart is tested for deployment scenarios with **ArgoCD**. | ||||
|  | ||||
| ## Helm: configuration and installation | ||||
|  | ||||
| @@ -40,21 +37,21 @@ version of the chart must be in sync with the `values.yaml`. Newer *minor* versi | ||||
| versions can break something! | ||||
|  | ||||
| ```bash | ||||
| CHART_VERSION=1.0.3 | ||||
| CHART_VERSION=1.1.1 | ||||
| helm show values volker.raschek/athens-proxy --version "${CHART_VERSION}" > values.yaml | ||||
| ``` | ||||
|  | ||||
| A complete list of available helm chart versions can be displayed via the following command: | ||||
|  | ||||
| ```bash | ||||
| helm search repo reposilite --versions | ||||
| helm search repo athens-proxy --versions | ||||
| ``` | ||||
|  | ||||
| The helm chart also contains a persistent volume claim definition. It persistent volume claim is not enabled by default. | ||||
| Use the `--set` argument to persist your data. | ||||
|  | ||||
| ```bash | ||||
| CHART_VERSION=1.0.3 | ||||
| CHART_VERSION=1.1.1 | ||||
| helm install --version "${CHART_VERSION}" athens-proxy volker.raschek/athens-proxy \ | ||||
|   persistence.enabled=true | ||||
| ``` | ||||
| @@ -84,13 +81,78 @@ Further information about this topic can be found in one of Kanishk's blog | ||||
| > Please take care the a CPU limit < `1000m` can also lead to CPU throttling. Please read the linked documentation carefully. | ||||
|  | ||||
| ```bash | ||||
| CHART_VERSION=1.0.3 | ||||
| CHART_VERSION=1.1.1 | ||||
| helm install --version "${CHART_VERSION}" athens-proxy volker.raschek/athens-proxy \ | ||||
|   --set 'deployment.athensProxy.env.name=GOMAXPROCS' \ | ||||
|   --set 'deployment.athensProxy.env.valueFrom.resourceFieldRef.resource=limits.cpu' \ | ||||
|   --set 'deployment.athensProxy.resources.limits.cpu=1000m' | ||||
| ``` | ||||
|  | ||||
| #### TLS encryption | ||||
|  | ||||
| The example shows how to deploy the application with TLS encryption. For example when **no** HTTP ingress is used for | ||||
| TLS determination and instead the application it self should determinate the TLS handshake. To generate the TLS | ||||
| certificate can be used the [cert-manager](https://cert-manager.io/). The chart supports the creation of such a TLS | ||||
| certificate via `cert-manager.io/v1 Certificate` resource. Alternatively can be mounted a TLS certificate from a secret. | ||||
| The secret must be from type `kubernetes.io/tls`. | ||||
|  | ||||
| > [!WARNING] | ||||
| > The following example expects that the [cert-manager](https://cert-manager.io/) is deployed and the `Issuer` named | ||||
| > `athens-proxy-ca` is present in the same namespace of the helm deployment. | ||||
|  | ||||
| ```bash | ||||
| CHART_VERSION=1.1.1 | ||||
| helm install --version "${CHART_VERSION}" athens-proxy volker.raschek/athens-proxy \ | ||||
|   --set 'config.certificate.enabled=true' \ | ||||
|   --set 'config.certificate.new.issuerRef.kind=Issuer' \ | ||||
|   --set 'config.certificate.new.issuerRef.name=athens-proxy-ca' | ||||
| ``` | ||||
|  | ||||
| The environment variables `ATHENS_TLSCERT_FILE` and `ATHENS_TLSKEY_FILE` are automatically added and the TLS certificate | ||||
| and private key are mounted to a pre-defined destination inside the container file system. | ||||
|  | ||||
| #### TLS certificate rotation | ||||
|  | ||||
| If the application uses TLS certificates that are mounted as a secret in the container file system like the example | ||||
| [above](#tls-encryption), the application will not automatically apply them when the TLS certificates are rotated. Such | ||||
| a rotation can be for example triggered, when the [cert-manager](https://cert-manager.io/) issues new TLS certificates | ||||
| before expiring. | ||||
|  | ||||
| Until the exporter does not support rotating TLS certificate a workaround can be applied. For example stakater's | ||||
| [reloader](https://github.com/stakater/Reloader) controller can be used to trigger a rolling update. The following | ||||
| annotation must be added to instruct the reloader controller to trigger a rolling update, when the mounted configMaps | ||||
| and secrets have been changed. | ||||
|  | ||||
| ```yaml | ||||
| deployment: | ||||
|   annotations: | ||||
|     reloader.stakater.com/auto: "true" | ||||
| ``` | ||||
|  | ||||
| Instead of triggering a rolling update for configMap and secret resources, this action can also be defined for | ||||
| individual items. For example, when the secret named `athens-proxy-tls` is mounted and the reloader controller should | ||||
| only listen for changes of this secret: | ||||
|  | ||||
| ```yaml | ||||
| deployment: | ||||
|   annotations: | ||||
|     secret.reloader.stakater.com/reload: "athens-proxy-tls" | ||||
| ``` | ||||
|  | ||||
| If the application is rolled out using ArgoCD, a rolling update from stakater's | ||||
| [reloader](https://github.com/stakater/Reloader) can lead to a drift. ArgoCD will attempt to restore the original state | ||||
| with a rolling update. To avoid this, instead of a rolling update triggered by the reloader, a restart of the pod can be | ||||
| initiated. Further information are available in the official | ||||
| [README](https://github.com/stakater/Reloader?tab=readme-ov-file#4-%EF%B8%8F-workload-specific-rollout-strategy) of | ||||
| stakater's reloader. | ||||
|  | ||||
| ```diff | ||||
|   deployment: | ||||
|     annotations: | ||||
|       reloader.stakater.com/auto: "true" | ||||
| +     reloader.stakater.com/rollout-strategy: "restart" | ||||
| ``` | ||||
|  | ||||
| #### Network policies | ||||
|  | ||||
| Network policies can only take effect, when the used CNI plugin support network policies. The chart supports no custom | ||||
| @@ -145,31 +207,51 @@ networkPolicies: | ||||
|  | ||||
| ## ArgoCD | ||||
|  | ||||
| ### Daily execution of rolling updates | ||||
| ### Example Application | ||||
|  | ||||
| The behavior whereby ArgoCD triggers a rolling update even though nothing appears to have changed often occurs in | ||||
| connection with the helm concept `checksum/secret`, `checksum/configmap` or more generally, [Automatically Roll | ||||
| Deployments](https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments). | ||||
| An application resource for the Helm chart is defined below. It serves as an example for your own deployment. | ||||
|  | ||||
| The problem with combining this concept with ArgoCD is that ArgoCD re-renders the Helm chart every time. Even if the | ||||
| content of the config map or secret has not changed, there may be minimal differences (e.g., whitespace, chart version, | ||||
| Helm render order, different timestamps). | ||||
|  | ||||
| This changes the SHA256 hash, Argo sees a drift and trigger a rolling update of the deployment. Among other things, this | ||||
| can lead to unnecessary notifications from ArgoCD. | ||||
|  | ||||
| To avoid this, the annotation with the shasum must be ignored. Below is a diff that adds the `Application` to ignore all | ||||
| annotations with the prefix `checksum`. | ||||
|  | ||||
| ```diff | ||||
|   apiVersion: argoproj.io/v1alpha1 | ||||
|   kind: Application | ||||
|   spec: | ||||
| +   ignoreDifferences: | ||||
| +   - group: apps/v1 | ||||
| +     kind: Deployment | ||||
| +     jqPathExpressions: | ||||
| +     - '.spec.template.metadata.annotations | with_entries(select(.key | startswith("checksum")))' | ||||
| ```yaml | ||||
| apiVersion: argoproj.io/v1alpha1 | ||||
| kind: Application | ||||
| spec: | ||||
|   destination: | ||||
|     server: https://kubernetes.default.svc | ||||
|     namespace: athens-proxy | ||||
|   ignoreDifferences: | ||||
|   - group: apps | ||||
|     kind: Deployment | ||||
|     jqPathExpressions: | ||||
|     # When HPA is enabled, ensure that a modification of the replicas does not lead to a | ||||
|     # drift. | ||||
|       - '.spec.replicas' | ||||
|     # Ensure that changes of the annotations or environment variables added or modified by | ||||
|     # stakater's reloader does not lead to a drift. | ||||
|     - '.spec.template.metadata.annotations | with_entries(select(.key | startswith("reloader")))' | ||||
|     - '.spec.template.spec.containers[].env[] | select(.name | startswith("STAKATER_"))' | ||||
|   sources: | ||||
|   - repoURL: https://charts.cryptic.systems/volker.raschek | ||||
|     chart: athens-proxy | ||||
|     targetRevision: '0.*' | ||||
|     helm: | ||||
|       valueFiles: | ||||
|       - $values/values.yaml | ||||
|       releaseName: athens-proxy | ||||
|   syncPolicy: | ||||
|     automated: | ||||
|       prune: true | ||||
|       selfHeal: true | ||||
|     managedNamespaceMetadata: | ||||
|       annotations: {} | ||||
|       labels: {} | ||||
|     syncOptions: | ||||
|     - ApplyOutOfSyncOnly=true | ||||
|     - CreateNamespace=true | ||||
|     - FailOnSharedResource=false | ||||
|     - Replace=false | ||||
|     - RespectIgnoreDifferences=false | ||||
|     - ServerSideApply=true | ||||
|     - Validate=true | ||||
| ``` | ||||
|  | ||||
| ## Parameters | ||||
| @@ -317,8 +399,8 @@ annotations with the prefix `checksum`. | ||||
| | -------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------- | | ||||
| | `persistence.enabled`                                                      | Enable the feature to store the data on a persistent volume claim. If enabled, the volume will be automatically be mounted into the pod. Furthermore, the env `ATHENS_STORAGE_TYPE=disk` will automatically be defined. | `false`                      | | ||||
| | `persistence.data.mountPath`                                               | The path where the persistent volume should be mounted in the container file system. This variable controls `ATHENS_DISK_STORAGE_ROOT`.                                                                                 | `/var/www/athens-proxy/data` | | ||||
| | `persistence.data.existingPersistentVolumeClaim.enabled`                   | TODO                                                                                                                                                                                                                    | `false`                      | | ||||
| | `persistence.data.existingPersistentVolumeClaim.persistentVolumeClaimName` | TODO                                                                                                                                                                                                                    | `""`                         | | ||||
| | `persistence.data.existingPersistentVolumeClaim.enabled`                   | Use an existing persistent volume claim.                                                                                                                                                                                | `false`                      | | ||||
| | `persistence.data.existingPersistentVolumeClaim.persistentVolumeClaimName` | The name of the existing persistent volume claim.                                                                                                                                                                       | `""`                         | | ||||
| | `persistence.data.persistentVolumeClaim.annotations`                       | Additional persistent volume claim annotations.                                                                                                                                                                         | `{}`                         | | ||||
| | `persistence.data.persistentVolumeClaim.labels`                            | Additional persistent volume claim labels.                                                                                                                                                                              | `{}`                         | | ||||
| | `persistence.data.persistentVolumeClaim.accessModes`                       | Access modes of the persistent volume claim.                                                                                                                                                                            | `["ReadWriteMany"]`          | | ||||
|   | ||||
| @@ -31,6 +31,16 @@ | ||||
|       "packageNameTemplate": "https://git.cryptic.systems/volker.raschek/athens-proxy-charts", | ||||
|       "datasourceTemplate": "git-tags", | ||||
|       "versioningTemplate": "semver" | ||||
|     }, | ||||
|     { | ||||
|       "customType": "regex", | ||||
|       "datasourceTemplate": "github-releases", | ||||
|       "fileMatch": [ | ||||
|         ".vscode/settings\\.json$" | ||||
|       ], | ||||
|       "matchStrings": [ | ||||
|         "https:\\/\\/raw\\.githubusercontent\\.com\\/(?<depName>[^\\s]+?)\\/(?<currentValue>v[0-9.]+?)\\/schema\\/helm-testsuite\\.json" | ||||
|       ] | ||||
|     } | ||||
|   ], | ||||
|   "packageRules": [ | ||||
| @@ -41,6 +51,20 @@ | ||||
|         "volkerraschek/helm" | ||||
|       ] | ||||
|     }, | ||||
|     { | ||||
|       "automerge": true, | ||||
|       "groupName": "Update helm plugin 'unittest'", | ||||
|       "matchDepNames": [ | ||||
|         "helm-unittest/helm-unittest" | ||||
|       ], | ||||
|       "matchDatasources": [ | ||||
|         "github-releases" | ||||
|       ], | ||||
|       "matchUpdateTypes": [ | ||||
|         "minor", | ||||
|         "patch" | ||||
|       ] | ||||
|     }, | ||||
|     { | ||||
|       "groupName": "Update docker.io/library/node", | ||||
|       "matchDepNames": [ | ||||
|   | ||||
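Review bot: The new regex custom manager at the top of the section sets `datasourceTemplate` but, unlike the existing git-tags entry directly above it, no `versioningTemplate`; adding `"versioningTemplate": "semver"` keeps the two entries consistent and makes the `minor`/`patch` classification used by the new `packageRules` entry unambiguous. The captured `currentValue` keeps its `v` prefix, which matches the `v1.0.3` tag form seen in the schema URL, so no `extractVersionTemplate` appears necessary — worth confirming against the upstream release tags. The automerge rule matches on `matchDepNames` and `matchDatasources` only, not on file, so it would also automerge any other place in the repository where this dependency is tracked under the same name and datasource; if it is meant to cover only the editor schema URL, narrow it with `matchFileNames` or `matchManagers`.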
| @@ -48,6 +48,15 @@ spec: | ||||
|   secretTemplate: | ||||
|     {{- toYaml . | nindent 4 }} | ||||
|   {{- end }} | ||||
|   {{- if or .Values.certificate.new.subject.countries | ||||
|             .Values.certificate.new.subject.localities | ||||
|             .Values.certificate.new.subject.organizationalUnits | ||||
|             .Values.certificate.new.subject.organizations | ||||
|             .Values.certificate.new.subject.postalCodes | ||||
|             .Values.certificate.new.subject.provinces | ||||
|             .Values.certificate.new.subject.serialNumber | ||||
|             .Values.certificate.new.subject.streetAddresses | ||||
|   }} | ||||
|   subject: | ||||
|     {{- with .Values.certificate.new.subject.countries }} | ||||
|     countries: | ||||
| @@ -80,6 +89,7 @@ spec: | ||||
|     streetAddresses: | ||||
|     {{- toYaml . | nindent 4 }} | ||||
|     {{- end }} | ||||
|   {{- end }} | ||||
|   usages: | ||||
|   {{- range .Values.certificate.new.usages }} | ||||
|   - {{ . }} | ||||
|   | ||||
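Review bot: The guard opened at the top of the first hunk spells `.Values.certificate.new.subject` out eight times across nine lines; binding it once keeps the condition readable: `{{- $subject := .Values.certificate.new.subject }}` followed by `{{- if or $subject.countries $subject.localities $subject.organizationalUnits $subject.organizations $subject.postalCodes $subject.provinces $subject.serialNumber $subject.streetAddresses }}`. Note that the guard dereferences the map fields unconditionally, so a values override that sets `subject` to null would now fail rendering at this line rather than at the `with` blocks below — presumably the chart defaults keep it a map, but worth confirming. The matching `{{- end }}` lands in the second hunk, and the enclosing `spec:` body extends outside both hunks.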
| @@ -99,7 +99,7 @@ tests: | ||||
|       path: spec.secretTemplate.annotations | ||||
|   - exists: | ||||
|       path: spec.secretTemplate.labels | ||||
|   - exists: | ||||
|   - notExists: | ||||
|       path: spec.subject | ||||
|   - notExists: | ||||
|       path: spec.subject.countries | ||||
|   | ||||
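Review bot: The changed assertion only pins the negative path, `spec.subject` absent under default values; unless a sibling case elsewhere in the file already does so, add one that sets a single subject field such as `certificate.new.subject.countries` and asserts `exists` for both `spec.subject` and `spec.subject.countries`, so the new `if or` guard in the Certificate template is also covered on the enabled path. The enclosing test case starts outside the hunk.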
| @@ -550,8 +550,8 @@ persistence: | ||||
|     ## @param persistence.data.mountPath The path where the persistent volume should be mounted in the container file system. This variable controls `ATHENS_DISK_STORAGE_ROOT`. | ||||
|     mountPath: "/var/www/athens-proxy/data" | ||||
|  | ||||
|     ## @param persistence.data.existingPersistentVolumeClaim.enabled TODO | ||||
|     ## @param persistence.data.existingPersistentVolumeClaim.persistentVolumeClaimName TODO | ||||
|     ## @param persistence.data.existingPersistentVolumeClaim.enabled Use an existing persistent volume claim. | ||||
|     ## @param persistence.data.existingPersistentVolumeClaim.persistentVolumeClaimName The name of the existing persistent volume claim. | ||||
|     existingPersistentVolumeClaim: | ||||
|       enabled: false | ||||
|       persistentVolumeClaimName: "" | ||||
|   | ||||