chore(deps): update docker.io/volkerraschek/helm docker tag to v4

Depending on the environment or tooling in which the chart is deployed, you may
or may not want to have the checksum annotation.

In the past, these were enforced. The default remains that the checksum
annotation is added. It now only contains a switch that allows you to optionally
disable it.

.gitea/workflows/generate-readme.yaml

@@ -22,7 +22,7 @@ jobs:
       run: |
         apk update
         apk add git npm
-    - uses: actions/checkout@v5.0.1
+    - uses: actions/checkout@v6.0.1
     - name: Generate parameter section in README
       run: |
         npm install

.gitea/workflows/helm.yaml

@@ -14,7 +14,7 @@ jobs:
   helm-lint:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v5.0.1
+    - uses: actions/checkout@v6.0.1
     - uses: azure/setup-helm@v4.3.1
       with:
         version: v4.0.1 # renovate: datasource=github-releases depName=helm/helm
@@ -25,7 +25,7 @@ jobs:
   helm-unittest:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v5.0.1
+    - uses: actions/checkout@v6.0.1
     - uses: azure/setup-helm@v4.3.1
       with:
         version: v4.0.1 # renovate: datasource=github-releases depName=helm/helm

.gitea/workflows/markdown-linters.yaml

@@ -22,7 +22,7 @@ jobs:
       run: |
         apk update
         apk add git npm
-    - uses: actions/checkout@v5.0.1
+    - uses: actions/checkout@v6.0.1
     - name: Verify links in markdown files
       run: |
         npm install
@@ -37,7 +37,7 @@ jobs:
       run: |
         apk update
         apk add git
-    - uses: actions/checkout@v5.0.1
+    - uses: actions/checkout@v6.0.1
     - name: Lint markdown files
       run: |
         npm install

.gitea/workflows/release.yaml

@@ -8,7 +8,7 @@ on:
 jobs:
   publish-chart:
     container:
-      image: docker.io/volkerraschek/helm:3.19.2
+      image: docker.io/volkerraschek/helm:4.0.1
     runs-on: ubuntu-latest
     steps:
       - name: Install packages via apk
@@ -16,7 +16,7 @@ jobs:
           apk update
           apk add git npm jq yq
 
-      - uses: actions/checkout@v5.0.1
+      - uses: actions/checkout@v6.0.1
         with:
           fetch-depth: 0
 

README.md

@@ -37,7 +37,7 @@ version of the chart must be in sync with the `values.yaml`. Newer *minor* versi
 versions can break something!
 
 ```bash
-CHART_VERSION=1.1.1
+CHART_VERSION=1.3.0
 helm show values volker.raschek/athens-proxy --version "${CHART_VERSION}" > values.yaml
 ```
 
@@ -51,7 +51,7 @@ The helm chart also contains a persistent volume claim definition. It persistent
 Use the `--set` argument to persist your data.
 
 ```bash
-CHART_VERSION=1.1.1
+CHART_VERSION=1.3.0
 helm install --version "${CHART_VERSION}" athens-proxy volker.raschek/athens-proxy \
   persistence.enabled=true
 ```
@@ -81,7 +81,7 @@ Further information about this topic can be found in one of Kanishk's blog
 > Please take care the a CPU limit < `1000m` can also lead to CPU throttling. Please read the linked documentation carefully.
 
 ```bash
-CHART_VERSION=1.1.1
+CHART_VERSION=1.3.0
 helm install --version "${CHART_VERSION}" athens-proxy volker.raschek/athens-proxy \
   --set 'deployment.athensProxy.env.name=GOMAXPROCS' \
   --set 'deployment.athensProxy.env.valueFrom.resourceFieldRef.resource=limits.cpu' \
@@ -101,7 +101,7 @@ The secret must be from type `kubernetes.io/tls`.
 > `athens-proxy-ca` is present in the same namespace of the helm deployment.
 
 ```bash
-CHART_VERSION=1.1.1
+CHART_VERSION=1.3.0
 helm install --version "${CHART_VERSION}" athens-proxy volker.raschek/athens-proxy \
   --set 'config.certificate.enabled=true' \
   --set 'config.certificate.new.issuerRef.kind=Issuer' \
@@ -266,6 +266,7 @@ spec:
 | Name                                          | Description                                                                                                                                                 | Value                           |
 | --------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------- |
 | `certificate.enabled`                         | Issue a TLS certificate via cert-manager. If enabled, the environment variables `ATHENS_TLSCERT_FILE` and `ATHENS_TLSKEY_FILE` will be automatically added. | `false`                         |
+| `certificate.addSHASumAnnotation`             | Add an pod annotation with the sha sum of the secret containing the TLS certificates.                                                                       | `true`                          |
 | `certificate.existingSecret.enabled`          | Use an existing secret of the type `kubernetes.io/tls`.                                                                                                     | `false`                         |
 | `certificate.existingSecret.secretName`       | Name of the secret containing the TLS certificate and private key.                                                                                          | `""`                            |
 | `certificate.new.annotations`                 | Additional certificate annotations.                                                                                                                         | `{}`                            |
@@ -296,30 +297,35 @@ spec:
 | Name                                                    | Description                                                                                                                                       | Value            |
 | ------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------- |
 | `config.env.enabled`                                    | Enable mounting of the secret as environment variables.                                                                                           | `false`          |
+| `config.env.addSHASumAnnotation`                        | Add an pod annotation with the sha sum of the config map containing the configuration.                                                            | `true`           |
 | `config.env.existingSecret.enabled`                     | Mount an existing secret containing the application specific environment variables.                                                               | `false`          |
 | `config.env.existingSecret.secretName`                  | Name of the existing secret containing the application specific environment variables.                                                            | `""`             |
 | `config.env.secret.annotations`                         | Additional annotations of the secret containing the database credentials.                                                                         | `{}`             |
 | `config.env.secret.labels`                              | Additional labels of the secret containing the database credentials.                                                                              | `{}`             |
 | `config.env.secret.envs`                                | List of environment variables stored in a secret and mounted into the container.                                                                  | `{}`             |
 | `config.downloadMode.enabled`                           | Enable mounting of a download mode file into the container file system. If enabled, the env `ATHENS_DOWNLOAD_MODE` will automatically be defined. | `false`          |
+| `config.downloadMode.addSHASumAnnotation`               | Add an pod annotation with the sha sum of the config map containing the downloadMode config.                                                      | `true`           |
 | `config.downloadMode.existingConfigMap.enabled`         | Enable to use an external config map for mounting the download mode file.                                                                         | `false`          |
 | `config.downloadMode.existingConfigMap.configMapName`   | The name of the existing config map which should be used to mount the download mode file.                                                         | `""`             |
 | `config.downloadMode.existingConfigMap.downloadModeKey` | The name of the key inside the config map where the content of the download mode file is stored.                                                  | `downloadMode`   |
 | `config.downloadMode.configMap.annotations`             | Additional annotations of the config map containing the download mode file.                                                                       | `{}`             |
 | `config.downloadMode.configMap.labels`                  | Additional labels of the config map containing the download mode file.                                                                            | `{}`             |
 | `config.gitConfig.enabled`                              | Enable mounting of a .gitconfig file into the container file system.                                                                              | `false`          |
+| `config.gitConfig.addSHASumAnnotation`                  | Add an pod annotation with the sha sum of the config map containing the git config.                                                               | `true`           |
 | `config.gitConfig.existingConfigMap.enabled`            | Enable to use an external config map for mounting the .gitconfig file.                                                                            | `false`          |
 | `config.gitConfig.existingConfigMap.configMapName`      | The name of the existing config map which should be used to mount the .gitconfig file.                                                            | `""`             |
 | `config.gitConfig.existingConfigMap.gitConfigKey`       | The name of the key inside the config map where the content of the .gitconfig file is stored.                                                     | `nil`            |
 | `config.gitConfig.configMap.annotations`                | Additional annotations of the config map containing the .gitconfig file.                                                                          | `{}`             |
 | `config.gitConfig.configMap.labels`                     | Additional labels of the config map containing the .gitconfig file.                                                                               | `{}`             |
 | `config.netrc.enabled`                                  | Enable mounting of a .netrc file into the container file system.                                                                                  | `false`          |
+| `config.netrc.addSHASumAnnotation`                      | Add an pod annotation with the sha sum of the secret containing the netrc file.                                                                   | `true`           |
 | `config.netrc.existingSecret.enabled`                   | Enable to use an external secret for mounting the .netrc file.                                                                                    | `false`          |
 | `config.netrc.existingSecret.secretName`                | The name of the existing secret which should be used to mount the .netrc file.                                                                    | `""`             |
 | `config.netrc.existingSecret.netrcKey`                  | The name of the key inside the secret where the content of the .netrc file is stored.                                                             | `.netrc`         |
 | `config.netrc.secret.annotations`                       | Additional annotations of the secret containing the database credentials.                                                                         | `{}`             |
 | `config.netrc.secret.labels`                            | Additional labels of the secret containing the database credentials.                                                                              | `{}`             |
 | `config.ssh.enabled`                                    | Enable mounting of a .netrc file into the container file system.                                                                                  | `false`          |
+| `config.ssh.addSHASumAnnotation`                        | Add an pod annotation with the sha sum of the secret containing the ssh keys.                                                                     | `true`           |
 | `config.ssh.existingSecret.enabled`                     | Enable to use an external secret for mounting the public and private SSH key files.                                                               | `false`          |
 | `config.ssh.existingSecret.secretName`                  | The name of the existing secret which should be used to mount the public and private SSH key files.                                               | `""`             |
 | `config.ssh.existingSecret.configKey`                   | The name of the key inside the secret where the content of the SSH client config file is stored.                                                  | `config`         |

templates/_pod.tpl

@@ -4,25 +4,65 @@
 
 {{- define "athens-proxy.pod.annotations" }}
 {{- include "athens-proxy.annotations" . }}
-{{- if and .Values.certificate.enabled (not .Values.certificate.existingSecret.enabled) }}
+{{- if and .Values.certificate.enabled .Values.certificate.addSHASumAnnotation }}
 {{- $secretName := include "athens-proxy.certificates.server.name" $ }}
-{{ printf "checksum/secret-%s: %s" $secretName (print (lookup "v1" "Secret" .Release.Namespace $secretName) | sha256sum) }}
+{{- if and .Values.certificate.existingSecret.enabled (gt (len .Values.certificate.existingSecret.secretName) 0) }}
+{{- $secretName = .Values.certificate.existingSecret.secretName }}
 {{- end }}
-{{- if and .Values.config.env.enabled (not .Values.config.env.existingSecret.enabled) }}
+{{- $secret := lookup "v1" "Secret" .Release.Namespace $secretName | toYaml }}
-{{ printf "checksum/secret-%s: %s" (include "athens-proxy.secrets.env.name" $) (include (print $.Template.BasePath "/secretEnv.yaml") . | sha256sum) }}
+{{ printf "checksum/secret-%s: %s" $secretName ($secret | sha256sum) }}
 {{- end }}
-{{- if and .Values.config.downloadMode.enabled (not .Values.config.downloadMode.existingConfigMap.enabled) }}
+
-{{ printf "checksum/config-map-%s: %s" (include "athens-proxy.configMap.downloadMode.name" $) (include (print $.Template.BasePath "/configMapDownloadMode.yaml") . | sha256sum) }}
+{{- if and .Values.config.env.enabled .Values.config.env.addSHASumAnnotation }}
+{{- $secretName := include "athens-proxy.secrets.env.name" $ }}
+{{- $secret := include (print $.Template.BasePath "/secretEnv.yaml") $ }}
+{{- if and .Values.config.env.existingSecret.enabled (gt (len .Values.config.env.existingSecret.secretName) 0) }}
+{{- $secretName = .Values.config.env.existingSecret.secretName }}
+{{- $secret := lookup "v1" "Secret" .Release.Namespace $secretName | toYaml }}
 {{- end }}
-{{- if and .Values.config.gitConfig.enabled (not .Values.config.gitConfig.existingConfigMap.enabled) }}
+{{ printf "checksum/secret-%s: %s" $secretName ($secret | sha256sum) }}
-{{ printf "checksum/config-map-%s: %s" (include "athens-proxy.configMap.gitConfig.name" $) (include (print $.Template.BasePath "/configMapGitConfig.yaml") . | sha256sum) }}
 {{- end }}
-{{- if and .Values.config.netrc.enabled (not .Values.config.netrc.existingSecret.enabled) }}
+
-{{ printf "checksum/secret-%s: %s" (include "athens-proxy.secrets.netrc.name" $) (include (print $.Template.BasePath "/secretNetRC.yaml") . | sha256sum) }}
+{{- if and .Values.config.downloadMode.enabled .Values.config.downloadMode.addSHASumAnnotation }}
+{{- $configMapName := include "athens-proxy.configMap.downloadMode.name" $ }}
+{{- $configMap := include (print $.Template.BasePath "/configMapDownloadMode.yaml") . }}
+{{- if and .Values.config.downloadMode.existingConfigMap.enabled (gt (len .Values.config.downloadMode.existingConfigMap.configMapName) 0) }}
+{{- $configMapName = .Values.config.downloadMode.existingConfigMap.configMapName }}
+{{- $configMap := lookup "v1" "ConfigMap" .Release.Namespace $configMapName | toYaml }}
 {{- end }}
-{{- if and .Values.config.ssh.enabled (not .Values.config.ssh.existingSecret.enabled) }}
+{{ printf "checksum/config-map-%s: %s" $configMapName ($configMap | sha256sum) }}
-{{ printf "checksum/secret-%s: %s" (include "athens-proxy.secrets.ssh.name" $) (include (print $.Template.BasePath "/secretSSH.yaml") . | sha256sum) }}
 {{- end }}
+
+{{- if and .Values.config.gitConfig.enabled .Values.config.gitConfig.addSHASumAnnotation }}
+{{- $configMapName := include "athens-proxy.configMap.gitConfig.name" $ }}
+{{- $configMap := include (print $.Template.BasePath "/configMapGitConfig.yaml") . }}
+{{- if and .Values.config.gitConfig.existingConfigMap.enabled (gt (len .Values.config.gitConfig.existingConfigMap.configMapName) 0) }}
+{{- $configMapName = .Values.config.gitConfig.existingConfigMap.configMapName }}
+{{- $configMap := lookup "v1" "ConfigMap" .Release.Namespace $configMapName | toYaml }}
+{{- end }}
+{{ printf "checksum/config-map-%s: %s" $configMapName ($configMap | sha256sum) }}
+{{- end }}
+
+{{- if and .Values.config.netrc.enabled .Values.config.netrc.addSHASumAnnotation }}
+{{- $secretName := include "athens-proxy.secrets.netrc.name" $ }}
+{{- $secret := include (print $.Template.BasePath "/secretNetRC.yaml") $ }}
+{{- if and .Values.config.netrc.existingSecret.enabled (gt (len .Values.config.netrc.existingSecret.secretName) 0) }}
+{{- $secretName = .Values.config.netrc.existingSecret.secretName }}
+{{- $secret := lookup "v1" "Secret" .Release.Namespace $secretName | toYaml }}
+{{- end }}
+{{ printf "checksum/secret-%s: %s" $secretName ($secret | sha256sum) }}
+{{- end }}
+
+{{- if and .Values.config.ssh.enabled .Values.config.ssh.addSHASumAnnotation }}
+{{- $secretName := include "athens-proxy.secrets.ssh.name" $ }}
+{{- $secret := include (print $.Template.BasePath "/secretSSH.yaml") $ }}
+{{- if and .Values.config.ssh.existingSecret.enabled (gt (len .Values.config.ssh.existingSecret.secretName) 0) }}
+{{- $secretName = .Values.config.ssh.existingSecret.secretName }}
+{{- $secret := lookup "v1" "Secret" .Release.Namespace $secretName | toYaml }}
+{{- end }}
+{{ printf "checksum/secret-%s: %s" $secretName ($secret | sha256sum) }}
+{{- end }}
+
 {{- end }}
 
 {{/* labels */}}

unittests/deployment/certificate.yaml

@@ -74,3 +74,38 @@ tests:
           secret:
             secretName: athens-proxy-unittest-tls
       template: templates/deployment.yaml
+
+- it: Rendering with external TLS config
+  set:
+    certificate.enabled: true
+    certificate.existingSecret.enabled: true
+    certificate.existingSecret.secretName: my-own-secret
+  asserts:
+    - exists:
+        path: spec.template.metadata.annotations["checksum/secret-my-own-secret"]
+      template: templates/deployment.yaml
+    - contains:
+        path: spec.template.spec.containers[0].env
+        content:
+          name: ATHENS_TLSCERT_FILE
+          value: /etc/athens-proxy/tls/tls.crt
+      template: templates/deployment.yaml
+    - contains:
+        path: spec.template.spec.containers[0].env
+        content:
+          name: ATHENS_TLSKEY_FILE
+          value: /etc/athens-proxy/tls/tls.key
+      template: templates/deployment.yaml
+    - contains:
+        path: spec.template.spec.containers[0].volumeMounts
+        content:
+          name: tls
+          mountPath: /etc/athens-proxy/tls
+      template: templates/deployment.yaml
+    - contains:
+        path: spec.template.spec.volumes
+        content:
+          name: tls
+          secret:
+            secretName: athens-proxy-unittest-tls
+      template: templates/deployment.yaml

unittests/deployment/downloadMode.yaml

@@ -40,6 +40,7 @@ tests:
 - it: Rendering default with mounted gitconfig configMap
   set:
     config.downloadMode.enabled: true
+    config.downloadMode.addSHASumAnnotation: true
     persistence.enabled: true
   asserts:
     - exists:
@@ -69,16 +70,87 @@ tests:
             name: athens-proxy-unittest-download-mode-file
       template: templates/deployment.yaml
 
+- it: Rendering default with mounted gitconfig configMap
+  set:
+    config.downloadMode.enabled: true
+    config.downloadMode.addSHASumAnnotation: false
+    persistence.enabled: true
+  asserts:
+    - notExists:
+        path: spec.template.metadata.annotations.checksum/config-map-athens-proxy-unittest-download-mode-file
+      template: templates/deployment.yaml
+    - contains:
+        path: spec.template.spec.containers[0].env
+        content:
+          name: ATHENS_DOWNLOAD_MODE
+          value: file:/etc/athens/config/download-mode.d/download-mode
+      template: templates/deployment.yaml
+    - contains:
+        path: spec.template.spec.containers[0].volumeMounts
+        content:
+          name: download-mode
+          mountPath: /etc/athens/config/download-mode.d
+      template: templates/deployment.yaml
+    - contains:
+        path: spec.template.spec.volumes
+        content:
+          name: download-mode
+          configMap:
+            items:
+              - key: downloadMode
+                mode: 0644
+                path: download-mode
+            name: athens-proxy-unittest-download-mode-file
+      template: templates/deployment.yaml
+
+
 - it: Rendering with custom download mode configMap
   set:
     config.downloadMode.enabled: true
+    config.downloadMode.addSHASumAnnotation: true
     config.downloadMode.existingConfigMap.enabled: true
     config.downloadMode.existingConfigMap.configMapName: "my-custom-configmap"
     config.downloadMode.existingConfigMap.downloadModeKey: "my-custom-download-mode-filename-key"
     persistence.enabled: true
   asserts:
-    - notExists:
+    - exists:
-        path: spec.template.metadata.annotations.checksum/config-map-athens-proxy-unittest-download-mode-file
+        path: spec.template.metadata.annotations.checksum/config-map-my-custom-configmap
+      template: templates/deployment.yaml
+    - contains:
+        path: spec.template.spec.containers[0].env
+        content:
+          name: ATHENS_DOWNLOAD_MODE
+          value: file:/etc/athens/config/download-mode.d/download-mode
+      template: templates/deployment.yaml
+    - contains:
+        path: spec.template.spec.containers[0].volumeMounts
+        content:
+          name: download-mode
+          mountPath: /etc/athens/config/download-mode.d
+      template: templates/deployment.yaml
+    - contains:
+        path: spec.template.spec.volumes
+        content:
+          name: download-mode
+          configMap:
+            items:
+            - key: "my-custom-download-mode-filename-key"
+              path: "download-mode"
+              mode: 0644
+            name: my-custom-configmap
+      template: templates/deployment.yaml
+
+- it: Rendering with custom download mode configMap, but without sha sum annotation
+  set:
+    config.downloadMode.enabled: true
+    config.downloadMode.addSHASumAnnotation: false
+    config.downloadMode.existingConfigMap.enabled: true
+    config.downloadMode.existingConfigMap.configMapName: "my-custom-configmap"
+    config.downloadMode.existingConfigMap.downloadModeKey: "my-custom-download-mode-filename-key"
+    persistence.enabled: true
+  asserts:
+    - notExists:
+        path: spec.template.metadata.annotations.checksum/config-map-my-custom-configmap
       template: templates/deployment.yaml
     - contains:
         path: spec.template.spec.containers[0].env

unittests/deployment/env.yaml

@@ -35,10 +35,10 @@ tests:
             name: athens-proxy-unittest-env
       template: templates/deployment.yaml
 
-- it: Rendering default with mounted env secret
+- it: Rendering default with mounted env secret, but without sha sum annotation
   set:
     config.env.enabled: true
-    config.env.existingSecret.enabled: true
+    config.env.addSHASumAnnotation: false
   asserts:
     - notExists:
         path: spec.template.metadata.annotations.checksum/secret-athens-proxy-unittest-env
@@ -49,3 +49,36 @@ tests:
           secretRef:
             name: athens-proxy-unittest-env
       template: templates/deployment.yaml
+
+- it: Rendering default with mounted existing env secret
+  set:
+    config.env.enabled: true
+    config.env.existingSecret.enabled: true
+    config.env.existingSecret.secretName: my-secret
+  asserts:
+    - exists:
+        path: spec.template.metadata.annotations.checksum/secret-my-secret
+      template: templates/deployment.yaml
+    - contains:
+        path: spec.template.spec.containers[0].envFrom
+        content:
+          secretRef:
+            name: my-secret
+      template: templates/deployment.yaml
+
+- it: Rendering default with mounted existing env secret, but without sha sum annotation
+  set:
+    config.env.enabled: true
+    config.env.addSHASumAnnotation: false
+    config.env.existingSecret.enabled: true
+    config.env.existingSecret.secretName: my-secret
+  asserts:
+    - notExists:
+        path: spec.template.metadata.annotations.checksum/secret-my-secret
+      template: templates/deployment.yaml
+    - contains:
+        path: spec.template.spec.containers[0].envFrom
+        content:
+          secretRef:
+            name: my-secret
+      template: templates/deployment.yaml

unittests/deployment/gitConfig.yaml

@@ -41,6 +41,7 @@ tests:
 - it: Rendering default with mounted gitconfig configMap
   set:
     config.gitConfig.enabled: true
+    config.gitConfig.addSHASumAnnotation: true
     persistence.enabled: true
   asserts:
     - exists:
@@ -67,16 +68,80 @@ tests:
                 name: athens-proxy-unittest-gitconfig
       template: templates/deployment.yaml
 
+- it: Rendering default with mounted gitconfig configMap, but without sha sum annotation
+  set:
+    config.gitConfig.enabled: true
+    config.gitConfig.addSHASumAnnotation: false
+    persistence.enabled: true
+  asserts:
+    - notExists:
+        path: spec.template.metadata.annotations.checksum/config-map-athens-proxy-unittest-gitconfig
+      template: templates/deployment.yaml
+    - contains:
+        path: spec.template.spec.containers[0].volumeMounts
+        content:
+          name: secrets
+          mountPath: /root/.gitconfig
+          subPath: .gitconfig
+      template: templates/deployment.yaml
+    - contains:
+        path: spec.template.spec.volumes
+        content:
+          name: secrets
+          projected:
+            sources:
+            - configMap:
+                items:
+                - key: .gitconfig
+                  path: .gitconfig
+                  mode: 0644
+                name: athens-proxy-unittest-gitconfig
+      template: templates/deployment.yaml
+
 - it: Rendering with custom gitconfig configMap
   set:
     config.gitConfig.enabled: true
+    config.gitConfig.addSHASumAnnotation: true
     config.gitConfig.existingConfigMap.enabled: true
     config.gitConfig.existingConfigMap.configMapName: "my-custom-configmap"
     config.gitConfig.existingConfigMap.gitConfigKey: "my-gitconfig-key"
     persistence.enabled: true
   asserts:
-    - notExists:
+    - exists:
-        path: spec.template.metadata.annotations.checksum/config-map-athens-proxy-unittest-gitconfig
+        path: spec.template.metadata.annotations.checksum/config-map-my-custom-configmap
+      template: templates/deployment.yaml
+    - contains:
+        path: spec.template.spec.containers[0].volumeMounts
+        content:
+          name: secrets
+          mountPath: /root/.gitconfig
+          subPath: .gitconfig
+      template: templates/deployment.yaml
+    - contains:
+        path: spec.template.spec.volumes
+        content:
+          name: secrets
+          projected:
+            sources:
+            - configMap:
+                items:
+                - key: my-gitconfig-key
+                  path: .gitconfig
+                  mode: 0644
+                name: my-custom-configmap
+      template: templates/deployment.yaml
+
+- it: Rendering with custom gitconfig configMap, but without sha sum annotations
+  set:
+    config.gitConfig.enabled: true
+    config.gitConfig.addSHASumAnnotation: false
+    config.gitConfig.existingConfigMap.enabled: true
+    config.gitConfig.existingConfigMap.configMapName: "my-custom-configmap"
+    config.gitConfig.existingConfigMap.gitConfigKey: "my-gitconfig-key"
+    persistence.enabled: true
+  asserts:
+    - notExists:
+        path: spec.template.metadata.annotations.checksum/config-map-my-custom-configmap
       template: templates/deployment.yaml
     - contains:
         path: spec.template.spec.containers[0].volumeMounts

unittests/deployment/netrc.yaml

@@ -40,6 +40,7 @@ tests:
 - it: Rendering default with mounted netrc secret
   set:
     config.netrc.enabled: true
+    config.netrc.addSHASumAnnotation: true
     persistence.enabled: true
   asserts:
     - exists:
@@ -66,16 +67,80 @@ tests:
                 name: athens-proxy-unittest-netrc
       template: templates/deployment.yaml
 
+- it: Rendering default with mounted netrc secret, but without sha sum annotation
+  set:
+    config.netrc.enabled: true
+    config.netrc.addSHASumAnnotation: false
+    persistence.enabled: true
+  asserts:
+    - notExists:
+        path: spec.template.metadata.annotations.checksum/secret-athens-proxy-unittest-netrc
+      template: templates/deployment.yaml
+    - contains:
+        path: spec.template.spec.containers[0].volumeMounts
+        content:
+          name: secrets
+          mountPath: /root/.netrc
+          subPath: .netrc
+      template: templates/deployment.yaml
+    - contains:
+        path: spec.template.spec.volumes
+        content:
+          name: secrets
+          projected:
+            sources:
+            - secret:
+                items:
+                - key: .netrc
+                  path: .netrc
+                  mode: 0600
+                name: athens-proxy-unittest-netrc
+      template: templates/deployment.yaml
+
 - it: Rendering with custom netrc secret
   set:
     config.netrc.enabled: true
+    config.netrc.addSHASumAnnotation: true
     config.netrc.existingSecret.enabled: true
     config.netrc.existingSecret.secretName: "my-custom-secret"
     config.netrc.existingSecret.netrcKey: "my-netrc-key"
     persistence.enabled: true
   asserts:
-    - notExists:
+    - exists:
-        path: spec.template.metadata.annotations.checksum/secret-athens-proxy-unittest-netc
+        path: spec.template.metadata.annotations.checksum/secret-my-custom-secret
+      template: templates/deployment.yaml
+    - contains:
+        path: spec.template.spec.containers[0].volumeMounts
+        content:
+          name: secrets
+          mountPath: /root/.netrc
+          subPath: .netrc
+      template: templates/deployment.yaml
+    - contains:
+        path: spec.template.spec.volumes
+        content:
+          name: secrets
+          projected:
+            sources:
+            - secret:
+                items:
+                - key: my-netrc-key
+                  path: .netrc
+                  mode: 0600
+                name: my-custom-secret
+      template: templates/deployment.yaml
+
+- it: Rendering with custom netrc secret, but without sha sum annotation
+  set:
+    config.netrc.enabled: true
+    config.netrc.addSHASumAnnotation: false
+    config.netrc.existingSecret.enabled: true
+    config.netrc.existingSecret.secretName: "my-custom-secret"
+    config.netrc.existingSecret.netrcKey: "my-netrc-key"
+    persistence.enabled: true
+  asserts:
+    - notExists:
+        path: spec.template.metadata.annotations.checksum/secret-my-custom-secret
       template: templates/deployment.yaml
     - contains:
         path: spec.template.spec.containers[0].volumeMounts

unittests/deployment/ssh.yaml

@@ -107,6 +107,7 @@ tests:
 - it: Rendering default with mounted ssh keys
   set:
     config.ssh.enabled: true
+    config.ssh.addSHASumAnnotation: true
     config.ssh.secret.id_ed25519: foo
     config.ssh.secret.id_ed25519_pub: bar
     config.ssh.secret.id_rsa: foo
@@ -180,6 +181,7 @@ tests:
 - it: Rendering with custom ssh secret
   set:
     config.ssh.enabled: true
+    config.ssh.addSHASumAnnotation: true
     config.ssh.existingSecret.enabled: true
     config.ssh.existingSecret.secretName: "my-custom-secret"
     config.ssh.existingSecret.configKey : "my-config-key"
@@ -189,8 +191,8 @@ tests:
     config.ssh.existingSecret.id_rsaPubKey : "my-public-rsa-key"
     persistence.enabled: true
   asserts:
-    - notExists:
+    - exists:
-        path: spec.template.metadata.annotations.checksum/secret-athens-proxy-unittest-ssh
+        path: spec.template.metadata.annotations.checksum/secret-my-custom-secret
       template: templates/deployment.yaml
     - contains:
         path: spec.template.spec.containers[0].volumeMounts
@@ -252,3 +254,14 @@ tests:
                   mode: 0644
                 name: my-custom-secret
       template: templates/deployment.yaml
+
+- it: Rendering with custom ssh secret, but without sha sum annotation
+  set:
+    config.ssh.enabled: true
+    config.ssh.addSHASumAnnotation: false
+    config.ssh.existingSecret.enabled: true
+    config.ssh.existingSecret.secretName: "my-custom-secret"
+  asserts:
+    - notExists:
+        path: spec.template.metadata.annotations.checksum/secret-my-custom-secret
+      template: templates/deployment.yaml

values.yaml

@@ -8,7 +8,9 @@ fullnameOverride: ""
 ## @section Certificate
 certificate:
   ## @param certificate.enabled Issue a TLS certificate via cert-manager. If enabled, the environment variables `ATHENS_TLSCERT_FILE` and `ATHENS_TLSKEY_FILE` will be automatically added.
+  ## @param certificate.addSHASumAnnotation Add an pod annotation with the sha sum of the secret containing the TLS certificates.
   enabled: false
+  addSHASumAnnotation: true
 
   ## @param certificate.existingSecret.enabled Use an existing secret of the type `kubernetes.io/tls`.
   ## @param certificate.existingSecret.secretName Name of the secret containing the TLS certificate and private key.
@@ -80,7 +82,9 @@ certificate:
 config:
   env:
     ## @param config.env.enabled Enable mounting of the secret as environment variables.
+    ## @param config.env.addSHASumAnnotation Add an pod annotation with the sha sum of the config map containing the configuration.
     enabled: false
+    addSHASumAnnotation: true
 
     ## @param config.env.existingSecret.enabled Mount an existing secret containing the application specific environment variables.
     ## @param config.env.existingSecret.secretName Name of the existing secret containing the application specific environment variables.
@@ -168,7 +172,9 @@ config:
 
   downloadMode:
     ## @param config.downloadMode.enabled Enable mounting of a download mode file into the container file system. If enabled, the env `ATHENS_DOWNLOAD_MODE` will automatically be defined.
+    ## @param config.downloadMode.addSHASumAnnotation Add an pod annotation with the sha sum of the config map containing the downloadMode config.
     enabled: false
+    addSHASumAnnotation: true
 
     ## @param config.downloadMode.existingConfigMap.enabled Enable to use an external config map for mounting the download mode file.
     ## @param config.downloadMode.existingConfigMap.configMapName The name of the existing config map which should be used to mount the download mode file.
@@ -204,7 +210,9 @@ config:
 
   gitConfig:
     ## @param config.gitConfig.enabled Enable mounting of a .gitconfig file into the container file system.
+    ## @param config.gitConfig.addSHASumAnnotation Add an pod annotation with the sha sum of the config map containing the git config.
     enabled: false
+    addSHASumAnnotation: true
 
     ## @param config.gitConfig.existingConfigMap.enabled Enable to use an external config map for mounting the .gitconfig file.
     ## @param config.gitConfig.existingConfigMap.configMapName The name of the existing config map which should be used to mount the .gitconfig file.
@@ -230,7 +238,9 @@ config:
 
   netrc:
     ## @param config.netrc.enabled Enable mounting of a .netrc file into the container file system.
+    ## @param config.netrc.addSHASumAnnotation Add an pod annotation with the sha sum of the secret containing the netrc file.
     enabled: false
+    addSHASumAnnotation: true
 
     ## @param config.netrc.existingSecret.enabled Enable to use an external secret for mounting the .netrc file.
     ## @param config.netrc.existingSecret.secretName The name of the existing secret which should be used to mount the .netrc file.
@@ -262,7 +272,9 @@ config:
 
   ssh:
     ## @param config.ssh.enabled Enable mounting of a .netrc file into the container file system.
+    ## @param config.ssh.addSHASumAnnotation Add an pod annotation with the sha sum of the secret containing the ssh keys.
     enabled: false
+    addSHASumAnnotation: true
 
     ## @param config.ssh.existingSecret.enabled Enable to use an external secret for mounting the public and private SSH key files.
     ## @param config.ssh.existingSecret.secretName The name of the existing secret which should be used to mount the public and private SSH key files.