chore(deps): update docker.io/library/node docker tag to v25

.gitea/workflows/generate-readme.yaml

@@ -15,14 +15,15 @@ on:
 jobs:
   generate-parameters:
     container:
-      image: docker.io/library/node:25.2.1-alpine
-    runs-on: ubuntu-latest
+      image: docker.io/library/node:25.0.0-alpine
+    runs-on:
+    - ubuntu-latest
     steps:
     - name: Install tooling
       run: |
         apk update
         apk add git npm
-    - uses: actions/checkout@v5.0.1
+    - uses: actions/checkout@v5.0.0
     - name: Generate parameter section in README
       run: |
         npm install

.gitea/workflows/helm.yaml

@@ -12,26 +12,31 @@ on:
 
 jobs:
   helm-lint:
-    runs-on: ubuntu-latest
+    container:
+      image: docker.io/volkerraschek/helm:3.19.0
+    runs-on:
+    - ubuntu-latest
     steps:
-    - uses: actions/checkout@v5.0.1
-    - uses: azure/setup-helm@v4.3.1
-      with:
-        version: v4.0.1 # renovate: datasource=github-releases depName=helm/helm
+    - name: Install tooling
+      run: |
+        apk update
+        apk add git npm
+    - uses: actions/checkout@v5.0.0
     - name: Lint helm files
       run: |
         helm lint --values values.yaml .
 
   helm-unittest:
-    runs-on: ubuntu-latest
+    container:
+      image: docker.io/volkerraschek/helm:3.19.0
+    runs-on:
+    - ubuntu-latest
     steps:
-    - uses: actions/checkout@v5.0.1
-    - uses: azure/setup-helm@v4.3.1
-      with:
-        version: v4.0.1 # renovate: datasource=github-releases depName=helm/helm
-    - env:
-        HELM_UNITTEST_VERSION: v1.0.0 #renovate: datasource=github-releases depName=helm-unittest/helm-unittest
-      name: Install helm-unittest
-      run: helm plugin install --verify=false --version "${HELM_UNITTEST_VERSION}" https://github.com/helm-unittest/helm-unittest
-    - name: Execute helm unittests
-      run: helm unittest --strict --file 'unittests/**/*.yaml' .
+    - name: Install tooling
+      run: |
+        apk update
+        apk add git npm
+    - uses: actions/checkout@v5.0.0
+    - name: Unittest
+      run: |
+        helm unittest --strict --file 'unittests/**/*.yaml' ./

.gitea/workflows/markdown-linters.yaml

@@ -15,14 +15,15 @@ on:
 jobs:
   markdown-link-checker:
     container:
-      image: docker.io/library/node:25.2.1-alpine
-    runs-on: ubuntu-latest
+      image: docker.io/library/node:25.0.0-alpine
+    runs-on:
+    - ubuntu-latest
     steps:
     - name: Install tooling
       run: |
         apk update
         apk add git npm
-    - uses: actions/checkout@v5.0.1
+    - uses: actions/checkout@v5.0.0
     - name: Verify links in markdown files
       run: |
         npm install
@@ -30,14 +31,15 @@ jobs:
 
   markdown-lint:
     container:
-      image: docker.io/library/node:25.2.1-alpine
-    runs-on: ubuntu-latest
+      image: docker.io/library/node:25.0.0-alpine
+    runs-on:
+    - ubuntu-latest
     steps:
     - name: Install tooling
       run: |
         apk update
         apk add git
-    - uses: actions/checkout@v5.0.1
+    - uses: actions/checkout@v5.0.0
     - name: Lint markdown files
       run: |
         npm install

.gitea/workflows/release.yaml

@@ -8,7 +8,7 @@ on:
 jobs:
   publish-chart:
     container:
-      image: docker.io/volkerraschek/helm:3.19.2
+      image: docker.io/volkerraschek/helm:3.19.0
     runs-on: ubuntu-latest
     steps:
       - name: Install packages via apk
@@ -16,7 +16,7 @@ jobs:
           apk update
           apk add git npm jq yq
 
-      - uses: actions/checkout@v5.0.1
+      - uses: actions/checkout@v5.0.0
         with:
           fetch-depth: 0
 

Makefile

@@ -10,7 +10,7 @@ HELM_IMAGE_FULLY_QUALIFIED=${HELM_IMAGE_REGISTRY_HOST}/${HELM_IMAGE_REPOSITORY}:
 # NODE_IMAGE
 NODE_IMAGE_REGISTRY_HOST?=docker.io
 NODE_IMAGE_REPOSITORY?=library/node
-NODE_IMAGE_VERSION?=25.2.1-alpine # renovate: datasource=docker registryUrl=https://docker.io depName=docker.io/library/node packageName=library/node
+NODE_IMAGE_VERSION?=25.0.0-alpine # renovate: datasource=docker registryUrl=https://docker.io depName=docker.io/library/node packageName=library/node
 NODE_IMAGE_FULLY_QUALIFIED=${NODE_IMAGE_REGISTRY_HOST}/${NODE_IMAGE_REPOSITORY}:${NODE_IMAGE_VERSION}
 
 # MISSING DOT

README.md

@@ -1,4 +1,4 @@
-# Athens - A Go module datastore and proxy
+# athens-proxy-charts
 
 [![Artifact Hub](https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/volker-raschek)](https://artifacthub.io/packages/search?repo=volker-raschek)
 
@@ -16,7 +16,10 @@ Chapter [configuration and installation](#helm-configuration-and-installation) d
 helm and use it to deploy the exporter. It also contains further configuration examples.
 
 Furthermore, this helm chart contains unit tests to detect regressions and stabilize the deployment. Additionally, this
-helm chart is tested for deployment scenarios with **ArgoCD**.
+helm chart is tested for deployment scenarios with **ArgoCD**, but please keep in mind, that this chart supports the
+*[Automatically Roll Deployment](https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments)*
+concept of Helm, which can trigger unexpected rolling releases. Further configuration instructions are described in a
+separate [chapter](#argocd).
 
 ## Helm: configuration and installation
 
@@ -44,7 +47,7 @@ helm show values volker.raschek/athens-proxy --version "${CHART_VERSION}" > valu
 A complete list of available helm chart versions can be displayed via the following command:
 
 ```bash
-helm search repo athens-proxy --versions
+helm search repo reposilite --versions
 ```
 
 The helm chart also contains a persistent volume claim definition. It persistent volume claim is not enabled by default.
@@ -120,31 +123,22 @@ before expiring.
 
 Until the exporter does not support rotating TLS certificate a workaround can be applied. For example stakater's
 [reloader](https://github.com/stakater/Reloader) controller can be used to trigger a rolling update. The following
-annotation must be added to instruct the reloader controller to trigger a rolling update, when the mounted secret has
-been changed.
-
-> [!IMPORTANT]
-> The Helm chart already adds annotations to trigger a rolling release. Helm describes this approach under
-> [Automatically Roll Deployments](https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments).
-> For this reason, **only external** configMaps or secrets need to be monitored by reloader.
+annotation must be added to instruct the reloader controller to trigger a rolling update, when the mounted configMaps
+and secrets have been changed.
 
 ```yaml
 deployment:
   annotations:
-    secret.reloader.stakater.com/reload: "athens-proxy-tls"
+    reloader.stakater.com/auto: "true"
 ```
 
-If the application is rolled out using ArgoCD, a rolling update from stakater's
-[reloader](https://github.com/stakater/Reloader) can lead to a drift. ArgoCD will attempt to restore the original state
-with a rolling update. To avoid this, instead of a rolling update triggered by the reloader, a restart of the pod can be
-initiated. Further information are available in the official
-[README](https://github.com/stakater/Reloader?tab=readme-ov-file#4-%EF%B8%8F-workload-specific-rollout-strategy) of
-stakater's reloader.
+Instead of triggering a rolling update for configMap and secret resources, this action can also be defined for
+individual items. For example, when the secret named `athens-proxy-tls` is mounted and the reloader controller should
+only listen for changes of this secret:
 
-```diff
+```yaml
 deployment:
   annotations:
-+     reloader.stakater.com/rollout-strategy: "restart"
     secret.reloader.stakater.com/reload: "athens-proxy-tls"
 ```
 
@@ -183,9 +177,6 @@ networkPolicies:
       protocol: TCP
     - port: 53
       protocol: UDP
-  - ports:
-    - port: 22
-      protocol: TCP
   - ports:
     - port: 443
       protocol: TCP
@@ -205,51 +196,62 @@ networkPolicies:
 
 ## ArgoCD
 
-### Example Application
+### Daily execution of rolling updates
 
-An application resource for the Helm chart is defined below. It serves as an example for your own deployment.
+The behavior whereby ArgoCD triggers a rolling update even though nothing appears to have changed often occurs in
+connection with the helm concept `checksum/secret`, `checksum/configmap` or more generally, [Automatically Roll
+Deployments](https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments). Please ensure, that no
+third party application modifies the config maps or secret afterwards.
 
-```yaml
+The problem with combining this concept with ArgoCD is that ArgoCD re-renders the Helm chart every time. Even if the
+content of the config map or secret has not changed, there may be minimal differences (e.g., whitespace, chart version,
+Helm render order, different timestamps).
+
+This changes the SHA256 hash, Argo sees a drift and trigger a rolling update of the deployment. Among other things, this
+can lead to unnecessary notifications from ArgoCD.
+
+To avoid this, the annotation with the shasum can be ignored. However, this negates the mechanism of [Automatically Roll
+Deployments](https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments).
+
+Below is a diff that adds the `Application` to ignore all annotations with the prefix `checksum`.
+
+> [!WARNING]
+> Configurations of `ignoreDifferences` always refer to the determination of a drift and whether a possible sync is
+> necessary. If the selected attributes should also be ignored in deployment afterwards, define
+> `RespectIgnoreDifferences=true` in your `Application` resource. Further information can be found in the ArgoCD
+> [documentation](https://argo-cd.readthedocs.io/en/latest/user-guide/sync-options/#respect-ignore-differences-configs).
+
+```diff
+  apiVersion: argoproj.io/v1alpha1
+  kind: Application
+  spec:
++   ignoreDifferences:
++   - group: apps
++     kind: Deployment
++     jqPathExpressions:
++     - '.spec.template.metadata.annotations | with_entries(select(.key | startswith("checksum")))'
+```
+
+The definition of ignoreDifferences ensures that annotations with the prefix checksum are ignored during a diff.
+
+> [!TIP]
+> If the [reloader](https://github.com/stakater/Reloader) is configured as described in section [TLS certificate
+> rotation](#tls-certificate-rotation), ensure that the shasum defined as annotation or environment variable is also
+> ignored. The [reloader](https://github.com/stakater/Reloader) will modify the deployment based on his configuration
+> and append additional annotations or environment variables containing the shasum. Below are some examples how to adapt
+> the `ignoreDifferences` configuration to ignore only the annotations and environment variables of stakater's
+> [reloader](https://github.com/stakater/Reloader).
+
+```diff
   apiVersion: argoproj.io/v1alpha1
   kind: Application
   spec:
-  destination:
-    server: https://kubernetes.default.svc
-    namespace: athens-proxy
     ignoreDifferences:
     - group: apps
       kind: Deployment
       jqPathExpressions:
-    # When HPA is enabled, ensure that a modification of the replicas does not lead to a
-    # drift.
-      - '.spec.replicas'
-    # Ensure that changes of the annotations or environment variables added or modified by
-    # stakater's reloader does not lead to a drift.
-    - '.spec.template.metadata.annotations | with_entries(select(.key | startswith("reloader")))'
-    - '.spec.template.spec.containers[].env[] | select(.name | startswith("STAKATER_"))'
-  sources:
-  - repoURL: https://charts.cryptic.systems/volker.raschek
-    chart: athens-proxy
-    targetRevision: '0.*'
-    helm:
-      valueFiles:
-      - $values/values.yaml
-      releaseName: athens-proxy
-  syncPolicy:
-    automated:
-      prune: true
-      selfHeal: true
-    managedNamespaceMetadata:
-      annotations: {}
-      labels: {}
-    syncOptions:
-    - ApplyOutOfSyncOnly=true
-    - CreateNamespace=true
-    - FailOnSharedResource=false
-    - Replace=false
-    - RespectIgnoreDifferences=false
-    - ServerSideApply=true
-    - Validate=true
++     - '.spec.template.metadata.annotations | with_entries(select(.key | startswith("reloader")))'
++     - '.spec.template.spec.containers[].env[] | select(.name | startswith("STAKATER_"))'
 ```
 
 ## Parameters

package.json

@@ -16,6 +16,6 @@
   "devDependencies": {
     "@bitnami/readme-generator-for-helm": "^2.5.0",
     "markdown-link-check": "^3.13.6",
-    "markdownlint-cli": "^0.46.0"
+    "markdownlint-cli": "^0.45.0"
   }
 }

templates/_pod.tpl

@@ -4,10 +4,6 @@
 
 {{- define "athens-proxy.pod.annotations" }}
 {{- include "athens-proxy.annotations" . }}
-{{- if and .Values.certificate.enabled (not .Values.certificate.existingSecret.enabled) }}
-{{- $secretName := include "athens-proxy.certificates.server.name" $ }}
-{{ printf "checksum/secret-%s: %s" $secretName (print (lookup "v1" "Secret" .Release.Namespace $secretName) | sha256sum) }}
-{{- end }}
 {{- if and .Values.config.env.enabled (not .Values.config.env.existingSecret.enabled) }}
 {{ printf "checksum/secret-%s: %s" (include "athens-proxy.secrets.env.name" $) (include (print $.Template.BasePath "/secretEnv.yaml") . | sha256sum) }}
 {{- end }}
@@ -25,6 +21,8 @@
 {{- end }}
 {{- end }}
 
+
+
 {{/* labels */}}
 
 {{- define "athens-proxy.pod.labels" -}}

unittests/deployment/certificate.yaml

@@ -46,9 +46,6 @@ tests:
     certificate.new.issuerRef.kind: ClusterIssuer
     certificate.new.issuerRef.name: MyIssuer
   asserts:
-    - exists:
-        path: spec.template.metadata.annotations["checksum/secret-athens-proxy-unittest-tls"]
-      template: templates/deployment.yaml
     - contains:
         path: spec.template.spec.containers[0].env
         content:

values.yaml

@@ -590,12 +590,6 @@ networkPolicy:
   # - Egress
   # - Ingress
   egress: []
-  # Allow outgoing SSH traffic to Source Code Control System's (SCCS') like GitHub or GitLab.
-  #
-  # - ports:
-  #   - port: 22
-  #     protocol: TCP
-
   # Allow outgoing HTTPS traffic to external go module servers
   #
   # - ports: