feat(pod): support roll deployment for external TLS certificates

fix(pod): pipe secret correctly to func sha256sum
The privious implemented feature pipe the secret not correctly to the sha256sum function. This leads everytime to the same sha256 sum. This patch fixes this bug.
2025-11-30 13:58:34 +01:00 · 2025-11-30 13:49:15 +01:00 · 2025-11-30 13:35:56 +01:00 · 2025-11-30 13:33:50 +01:00 · 2025-11-30 11:26:09 +00:00 · 2025-11-30 11:25:42 +00:00
3 changed files with 48 additions and 4 deletions
--- a/.gitea/workflows/helm.yaml
+++ b/.gitea/workflows/helm.yaml
@@ -17,7 +17,7 @@ jobs:
    - uses: actions/checkout@v5.0.1
    - uses: azure/setup-helm@v4.3.1
      with:
-        version: v4.0.0 # renovate: datasource=github-releases depName=helm/helm
+        version: v4.0.1 # renovate: datasource=github-releases depName=helm/helm
    - name: Lint helm files
      run: |
        helm lint --values values.yaml .
@@ -28,7 +28,7 @@ jobs:
    - uses: actions/checkout@v5.0.1
    - uses: azure/setup-helm@v4.3.1
      with:
-        version: v4.0.0 # renovate: datasource=github-releases depName=helm/helm
+        version: v4.0.1 # renovate: datasource=github-releases depName=helm/helm
    - env:
        HELM_UNITTEST_VERSION: v1.0.0 #renovate: datasource=github-releases depName=helm-unittest/helm-unittest
      name: Install helm-unittest
--- a/templates/_pod.tpl
+++ b/templates/_pod.tpl
@@ -4,6 +4,14 @@

 {{- define "athens-proxy.pod.annotations" }}
 {{- include "athens-proxy.annotations" . }}
+{{- if and .Values.certificate.enabled }}
+{{- $secretName := include "athens-proxy.certificates.server.name" $ }}
+{{- if and .Values.certificate.existingSecret.enabled (gt (len .Values.certificate.existingSecret.secretName) 0) }}
+{{- $secretName = .Values.certificate.existingSecret.secretName }}
+{{- end }}
+{{- $secret := lookup "v1" "Secret" .Release.Namespace $secretName }}
+{{ printf "checksum/secret-%s: %s" $secretName ($secret | toYaml | sha256sum) }}
+{{- end }}
 {{- if and .Values.config.env.enabled (not .Values.config.env.existingSecret.enabled) }}
 {{ printf "checksum/secret-%s: %s" (include "athens-proxy.secrets.env.name" $) (include (print $.Template.BasePath "/secretEnv.yaml") . | sha256sum) }}
 {{- end }}
@@ -21,8 +29,6 @@
 {{- end }}
 {{- end }}

-
-
 {{/* labels */}}

 {{- define "athens-proxy.pod.labels" -}}
--- a/unittests/deployment/certificate.yaml
+++ b/unittests/deployment/certificate.yaml
@@ -46,6 +46,44 @@ tests:
    certificate.new.issuerRef.kind: ClusterIssuer
    certificate.new.issuerRef.name: MyIssuer
  asserts:
+    - exists:
+        path: spec.template.metadata.annotations["checksum/secret-athens-proxy-unittest-tls"]
+      template: templates/deployment.yaml
+    - contains:
+        path: spec.template.spec.containers[0].env
+        content:
+          name: ATHENS_TLSCERT_FILE
+          value: /etc/athens-proxy/tls/tls.crt
+      template: templates/deployment.yaml
+    - contains:
+        path: spec.template.spec.containers[0].env
+        content:
+          name: ATHENS_TLSKEY_FILE
+          value: /etc/athens-proxy/tls/tls.key
+      template: templates/deployment.yaml
+    - contains:
+        path: spec.template.spec.containers[0].volumeMounts
+        content:
+          name: tls
+          mountPath: /etc/athens-proxy/tls
+      template: templates/deployment.yaml
+    - contains:
+        path: spec.template.spec.volumes
+        content:
+          name: tls
+          secret:
+            secretName: athens-proxy-unittest-tls
+      template: templates/deployment.yaml
+
+- it: Rendering with external TLS config
+  set:
+    certificate.enabled: true
+    certificate.existingSecret.enabled: true
+    certificate.existingSecret.secretName: my-own-secret
+  asserts:
+    - exists:
+        path: spec.template.metadata.annotations["checksum/secret-my-own-secret"]
+      template: templates/deployment.yaml
    - contains:
        path: spec.template.spec.containers[0].env
        content:
Author	SHA1	Message	Date
Markus Pesch	f54f1aca01	feat(pod): support roll deployment for external TLS certificates All checks were successful Helm / helm-lint (push) Successful in 4s Details Helm / helm-unittest (push) Successful in 18s Details Release / publish-chart (push) Successful in 19s Details	2025-11-30 13:58:34 +01:00
Markus Pesch	502c78296e	fix(pod): pipe secret correctly to func sha256sum The privious implemented feature pipe the secret not correctly to the sha256sum function. This leads everytime to the same sha256 sum. This patch fixes this bug.	2025-11-30 13:49:15 +01:00
Markus Pesch	28c1e37e13	chore(deps): rollback docker docker.io/volkerraschek/helm to 3.19.2 All checks were successful Helm / helm-unittest (push) Successful in 9s Details Helm / helm-lint (push) Successful in 10s Details Release / publish-chart (push) Successful in 8s Details	2025-11-30 13:35:56 +01:00
Markus Pesch	757469762b	feat(pod): roll deployment for TLS certificates Some checks failed Helm / helm-lint (push) Successful in 5s Details Helm / helm-unittest (push) Successful in 9s Details Release / publish-chart (push) Failing after 6s Details The patch add the annotation `checksum/secret-<name of the TLS secret>` with the sha512 value of the secret. This ensures a rolling update if the TLS secrets has been updated. Such an update can be triggered by the cert-manager.	2025-11-30 13:33:50 +01:00
Markus Pesch	f1a47dc0a5	Merge pull request 'chore(deps): update docker.io/volkerraschek/helm docker tag to v4' (#108 ) from renovate/major-update-docker.iovolkerraschekhelm into master All checks were successful Helm / helm-unittest (push) Successful in 7s Details Helm / helm-lint (push) Successful in 9s Details Reviewed-on: #108	2025-11-30 11:26:09 +00:00
Markus Pesch	d86bf91491	Merge branch 'master' into renovate/major-update-docker.iovolkerraschekhelm All checks were successful Helm / helm-lint (push) Successful in 4s Details Helm / helm-unittest (push) Successful in 7s Details Helm / helm-lint (pull_request) Successful in 10s Details Helm / helm-unittest (pull_request) Successful in 6s Details	2025-11-30 11:25:42 +00:00
Markus Pesch	de615c2ff5	Merge pull request 'chore(deps): update dependency helm/helm to v4.0.1' (#114 ) from renovate/helm-helm-4.x into master All checks were successful Helm / helm-lint (push) Successful in 4s Details Helm / helm-unittest (push) Successful in 18s Details Reviewed-on: #114	2025-11-30 11:25:34 +00:00
CSRBot	80d3b9972b	chore(deps): update docker.io/volkerraschek/helm docker tag to v4 All checks were successful Helm / helm-lint (push) Successful in 5s Details Helm / helm-unittest (push) Successful in 7s Details Generate README / generate-parameters (push) Successful in 29s Details Markdown linter / markdown-link-checker (push) Successful in 11s Details Generate README / generate-parameters (pull_request) Successful in 9s Details Helm / helm-lint (pull_request) Successful in 4s Details Helm / helm-unittest (pull_request) Successful in 7s Details Markdown linter / markdown-lint (push) Successful in 29s Details Markdown linter / markdown-link-checker (pull_request) Successful in 11s Details Markdown linter / markdown-lint (pull_request) Successful in 29s Details	2025-11-30 11:01:13 +00:00
CSRBot	080965d513	chore(deps): update dependency helm/helm to v4.0.1 All checks were successful Helm / helm-unittest (push) Successful in 8s Details Helm / helm-lint (pull_request) Successful in 4s Details Helm / helm-lint (push) Successful in 14s Details Helm / helm-unittest (pull_request) Successful in 8s Details	2025-11-30 11:01:07 +00:00