fix(scripts): adapt rc pattern

Depending on the environment or tooling in which the chart is deployed, you may
or may not want to have the checksum annotation.

In the past, these were enforced. The default remains that the checksum
annotation is added. It now only contains a switch that allows you to optionally
disable it.

.gitea/scripts/add-annotations.sh

@@ -8,8 +8,11 @@ if [ ! -f "${CHART_FILE}" ]; then
   exit 1
 fi
 
-DEFAULT_NEW_TAG="$(git tag --sort=-version:refname | head -n 1)"
-DEFAULT_OLD_TAG="$(git tag --sort=-version:refname | head -n 2 | tail -n 1)"
+rc_pattern='-rc(\.[0-9]+)?$'
+
+# Exclude prerelease tags (matching -rc or -rc-<digits>) from default tag selection
+DEFAULT_NEW_TAG="$(git tag --sort=-version:refname | grep --invert-match --perl-regexp "${rc_pattern}" | head --lines 1)"
+DEFAULT_OLD_TAG="$(git tag --sort=-version:refname | grep --invert-match --perl-regexp "${rc_pattern}" | head --lines 2 | tail --lines 1)"
 
 if [ -z "${1}" ]; then
   read -p "Enter start tag [${DEFAULT_OLD_TAG}]: " OLD_TAG
@@ -54,6 +57,13 @@ else
   fi
 fi
 
+# Check if NEW_TAG is a prerelease (matches -rc or -rc-<digits> suffix)
+if [[ "${NEW_TAG}" =~ ${rc_pattern} ]]; then
+  echo "INFO: Tag '${NEW_TAG}' is a prerelease, setting prerelease annotation and skipping changelog."
+  yq --no-colors --inplace ".annotations.\"artifacthub.io/prerelease\" = \"true\" | sort_keys(.)" "${CHART_FILE}"
+  exit 0
+fi
+
 CHANGE_LOG_YAML=$(mktemp)
 echo "[]" > "${CHANGE_LOG_YAML}"
 

.gitea/workflows/artifacthub-metadata.yaml

@@ -0,0 +1,41 @@
+name: Upload ArtifactHub Metadata
+
+on:
+  schedule:
+    - cron: '0 3 1 * *'
+  workflow_dispatch:
+
+jobs:
+  upload-metadata:
+    name: "Upload artifacthub-repo.yml to OCI registry"
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v6.0.2
+    - uses: docker/login-action@v4.2.0
+      with:
+        registry: ${{ github.server_url }}
+        username: ${{ github.repository_owner }}
+        password: ${{ secrets.GIT_CRYPTIC_SYSTEMS_PACKAGE_REGISTRY_TOKEN }}
+    - uses: oras-project/setup-oras@v2.0.0
+      with:
+        version: 1.3.2 # renovate: datasource=github-tags depName=oras-project/oras extractVersion='^v?(?<version>.*)$'
+    - name: Extract meta information
+      run: |
+        echo "GITEA_SERVER_HOSTNAME=$(echo "${GITHUB_SERVER_URL}" | cut -d '/' -f 3)" >> $GITHUB_ENV
+        echo "PACKAGE_VERSION=${GITHUB_REF#refs/tags/}" >> $GITHUB_ENV
+        echo "REPOSITORY_NAME=$(echo ${GITHUB_REPOSITORY} | cut -d '/' -f 2 | sed --regexp-extended 's/-charts?//g')" >> $GITHUB_ENV
+        echo "REPOSITORY_OWNER=$(echo ${GITHUB_REPOSITORY} | cut -d '/' -f 1)" >> $GITHUB_ENV
+    - name: Push artifacthub-repo.yml
+      run: |
+        oras push ${GITEA_SERVER_HOSTNAME}/${REPOSITORY_OWNER}/${REPOSITORY_NAME}:artifacthub.io \
+          --config /dev/null:application/vnd.cncf.artifacthub.config.v1+yaml \
+          artifacthub-repo.yml:application/vnd.cncf.artifacthub.repository-metadata.layer.v1.yaml
+    - name: Push public cosign key
+      env:
+        COSIGN_PUBLIC_KEY: ${{ vars.COSIGN_PUBLIC_KEY }}
+      run: |
+        echo "${COSIGN_PUBLIC_KEY}" > cosign.pub
+        oras push ${GITEA_SERVER_HOSTNAME}/${REPOSITORY_OWNER}/${REPOSITORY_NAME}:cosign.pub \
+          --artifact-type application/vnd.dev.cosign.public-key.v1 \
+          --annotation org.opencontainers.image.title=cosign.pub \
+          cosign.pub:application/vnd.dev.cosign.public-key.v1

.gitea/workflows/generate-readme.yaml

@@ -15,15 +15,14 @@ on:
 jobs:
   generate-parameters:
     container:
-      image: docker.io/library/node:24.10.0-alpine
-    runs-on:
-    - ubuntu-latest
+      image: docker.io/library/node:26.2.0-alpine
+    runs-on: ubuntu-latest
     steps:
     - name: Install tooling
       run: |
         apk update
         apk add git npm
-    - uses: actions/checkout@v5.0.0
+    - uses: actions/checkout@v6.0.2
     - name: Generate parameter section in README
       run: |
         npm install

.gitea/workflows/helm.yaml

@@ -12,31 +12,26 @@ on:
 
 jobs:
   helm-lint:
-    container:
-      image: docker.io/volkerraschek/helm:3.19.0
-    runs-on:
-    - ubuntu-latest
+    runs-on: ubuntu-latest
     steps:
-    - name: Install tooling
-      run: |
-        apk update
-        apk add git npm
-    - uses: actions/checkout@v5.0.0
+    - uses: actions/checkout@v6.0.2
+    - uses: azure/setup-helm@v5.0.0
+      with:
+        version: v4.2.0 # renovate: datasource=github-releases depName=helm/helm
     - name: Lint helm files
       run: |
         helm lint --values values.yaml .
 
   helm-unittest:
-    container:
-      image: docker.io/volkerraschek/helm:3.19.0
-    runs-on:
-    - ubuntu-latest
+    runs-on: ubuntu-latest
     steps:
-    - name: Install tooling
-      run: |
-        apk update
-        apk add git npm
-    - uses: actions/checkout@v5.0.0
-    - name: Unittest
-      run: |
-        helm unittest --strict --file 'unittests/**/*.yaml' ./
+    - uses: actions/checkout@v6.0.2
+    - uses: azure/setup-helm@v5.0.0
+      with:
+        version: v4.2.0 # renovate: datasource=github-releases depName=helm/helm
+    - env:
+        HELM_UNITTEST_VERSION: v1.0.0 #renovate: datasource=github-releases depName=helm-unittest/helm-unittest
+      name: Install helm-unittest
+      run: helm plugin install --verify=false --version "${HELM_UNITTEST_VERSION}" https://github.com/helm-unittest/helm-unittest
+    - name: Execute helm unittests
+      run: helm unittest --strict --file 'unittests/**/*.yaml' .

.gitea/workflows/markdown-linters.yaml

@@ -15,15 +15,14 @@ on:
 jobs:
   markdown-link-checker:
     container:
-      image: docker.io/library/node:24.10.0-alpine
-    runs-on:
-    - ubuntu-latest
+      image: docker.io/library/node:26.2.0-alpine
+    runs-on: ubuntu-latest
     steps:
     - name: Install tooling
       run: |
         apk update
         apk add git npm
-    - uses: actions/checkout@v5.0.0
+    - uses: actions/checkout@v6.0.2
     - name: Verify links in markdown files
       run: |
         npm install
@@ -31,15 +30,14 @@ jobs:
 
   markdown-lint:
     container:
-      image: docker.io/library/node:24.10.0-alpine
-    runs-on:
-    - ubuntu-latest
+      image: docker.io/library/node:26.2.0-alpine
+    runs-on: ubuntu-latest
     steps:
     - name: Install tooling
       run: |
         apk update
         apk add git
-    - uses: actions/checkout@v5.0.0
+    - uses: actions/checkout@v6.0.2
     - name: Lint markdown files
       run: |
         npm install

.gitea/workflows/release.yaml

@@ -1,5 +1,10 @@
 name: Release
 
+env:
+  GPG_PRIVATE_KEY_FILE: ${{ runner.temp }}/private.key
+  GPG_PRIVATE_KEY_FINGERPRINT: ${{ vars.GPG_PRIVATE_KEY_FINGERPRINT }}
+  GPG_PRIVATE_KEY_PASSPHRASE_FILE: ${{ runner.temp }}/passphrase.txt
+
 on:
   push:
     tags:
@@ -7,16 +12,60 @@ on:
 
 jobs:
   publish-chart:
-    container:
-      image: docker.io/volkerraschek/helm:3.19.0
     runs-on: ubuntu-latest
     steps:
-      - name: Install packages via apk
-        run: |
-          apk update
-          apk add git npm jq yq
+      - uses: volker-raschek/cosign-installer@v4.1.2-rc4
+        with:
+          cosign-release: "v3.0.6" # renovate: datasource=github-tags depName=sigstore/cosign
 
-      - uses: actions/checkout@v5.0.0
+      - uses: azure/setup-helm@v5.0.0
+        with:
+          version: "v4.2.0" # renovate: datasource=github-tags depName=helm/helm
+
+      - name: Install helm plugins
+        env:
+          HELM_SIGSTORE_VERSION: "0.3.0" # renovate: datasource=github-tags depName=sigstore/helm-sigstore extractVersion='^v(?<version>\d+\.\d+\.\d+)$'
+          HELM_SCHEMA_VALUES_VERSION: "2.4.0" # renovate: datasource=github-tags depName=losisin/helm-values-schema-json extractVersion='^v(?<version>\d+\.\d+\.\d+)$'
+          HELM_UNITTEST_VERSION: "1.1.0" # renovate: datasource=github-tags depName=helm-unittest/helm-unittest extractVersion='^v(?<version>\d+\.\d+\.\d+)$'
+        run: |
+          helm plugin install --verify=false https://github.com/sigstore/helm-sigstore.git --version "${HELM_SIGSTORE_VERSION}" 1> /dev/null
+          helm plugin install --verify=false https://github.com/losisin/helm-values-schema-json.git --version "${HELM_SCHEMA_VALUES_VERSION}" 1> /dev/null
+          helm plugin install --verify=false https://github.com/helm-unittest/helm-unittest.git --version "${HELM_UNITTEST_VERSION}" 1> /dev/null
+          helm plugin list
+
+      - name: GPG configuration
+        env:
+          GPG_PRIVATE_KEY_PASSPHRASE: ${{ secrets.GPG_PRIVATE_KEY_PASSPHRASE }}
+          GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}
+        run: |
+          # Configure GPG and GPG Agent
+          mkdir --parents "${HOME}/.gnupg"
+          chmod 0700 "${HOME}/.gnupg"
+
+          cat > "${HOME}/.gnupg/gpg.conf" <<EOF
+          use-agent
+          pinentry-mode loopback
+          EOF
+
+          cat > "${HOME}/.gnupg/gpg-agent.conf" <<EOF
+          allow-loopback-pinentry
+          max-cache-ttl 86400
+          default-cache-ttl 86400
+          EOF
+
+          gpgconf --kill gpg-agent
+          gpgconf --launch gpg-agent
+
+          # Import GPG private key
+          cat 1> "${GPG_PRIVATE_KEY_PASSPHRASE_FILE}" <<< "${GPG_PRIVATE_KEY_PASSPHRASE}"
+          cat 1> "${GPG_PRIVATE_KEY_FILE}" <<< "${GPG_PRIVATE_KEY}"
+          gpg --batch --yes --passphrase-fd 0 --import "${GPG_PRIVATE_KEY_FILE}" <<< "${GPG_PRIVATE_KEY_PASSPHRASE}"
+
+          # Export GPG keyring
+          gpg --batch --yes --export "${GPG_PRIVATE_KEY_FINGERPRINT}" 1> "${HOME}/.gnupg/pubring.gpg"
+          gpg --batch --yes --passphrase-fd 0 --export-secret-keys "${GPG_PRIVATE_KEY_FINGERPRINT}" 1> "${HOME}/.gnupg/secring.gpg" <<< "${GPG_PRIVATE_KEY_PASSPHRASE}"
+
+      - uses: actions/checkout@v6.0.2
         with:
           fetch-depth: 0
 
@@ -28,9 +77,10 @@ jobs:
 
       - name: Extract meta information
         run: |
+          echo "GITEA_SERVER_HOSTNAME=$(echo "${GITHUB_SERVER_URL}" | cut --delimiter '/' --fields 3)" >> $GITHUB_ENV
           echo "PACKAGE_VERSION=${GITHUB_REF#refs/tags/}" >> $GITHUB_ENV
-          echo "REPOSITORY_NAME=$(echo ${GITHUB_REPOSITORY} | cut -d '/' -f 2 | sed --regexp-extended 's/-charts?//g')" >> $GITHUB_ENV
-          echo "REPOSITORY_OWNER=$(echo ${GITHUB_REPOSITORY} | cut -d '/' -f 1)" >> $GITHUB_ENV
+          echo "REPOSITORY_NAME=$(echo ${GITHUB_REPOSITORY} | cut --delimiter '/' --fields 2 | sed --regexp-extended 's/-charts?//g')" >> $GITHUB_ENV
+          echo "REPOSITORY_OWNER=$(echo ${GITHUB_REPOSITORY} | cut --delimiter '/' --fields 1)" >> $GITHUB_ENV
 
       - name: Update Helm Chart version in README.md
         run: sed -i -E "s/^CHART_VERSION=.*/CHART_VERSION=${PACKAGE_VERSION}/g" README.md
@@ -38,35 +88,76 @@ jobs:
       - name: Package chart
         run: |
           helm dependency build
-          helm package --version "${PACKAGE_VERSION}" ./
+          helm package \
+            --sign \
+            --key "$(gpg --with-colons --list-keys "${GPG_PRIVATE_KEY_FINGERPRINT}" | grep uid | cut --delimiter ':' --fields 10)" \
+            --keyring "${HOME}/.gnupg/secring.gpg" \
+            --passphrase-file "${GPG_PRIVATE_KEY_PASSPHRASE_FILE}" \
+            --version "${PACKAGE_VERSION}" ./
 
-      - name: Upload Chart to ChartMuseum
+      - uses: docker/login-action@v4.2.0
+        with:
+          registry: ${{ github.server_url }}
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GIT_CRYPTIC_SYSTEMS_PACKAGE_REGISTRY_TOKEN }}
+
+      - name: Upload Chart to Gitea (OCI)
         env:
+          COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
+          COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
+        run: |
+          helm push ${REPOSITORY_NAME}-${PACKAGE_VERSION}.tgz oci://${GITEA_SERVER_HOSTNAME}/${REPOSITORY_OWNER}
+          cosign sign --yes --upload=true --key=env://COSIGN_PRIVATE_KEY ${GITEA_SERVER_HOSTNAME}/${REPOSITORY_OWNER}/${REPOSITORY_NAME}:${PACKAGE_VERSION}
+
+      - name: Upload Chart to Gitea (Helm)
+        env:
+          GITEA_REGISTRY_TOKEN: ${{ secrets.GIT_CRYPTIC_SYSTEMS_PACKAGE_REGISTRY_TOKEN }}
+        run: |
+          curl \
+            --fail \
+            --show-error \
+            --request POST \
+            --user "${REPOSITORY_OWNER}:${GITEA_REGISTRY_TOKEN}" \
+            --upload-file "${REPOSITORY_NAME}-${PACKAGE_VERSION}.tgz" \
+              https://${GITEA_SERVER_HOSTNAME}/api/packages/${REPOSITORY_OWNER}/helm/api/charts
+
+          # NOTE:
+          # Gitea does currently not support uploading Helm chart provenance files, so we skip this step for now. Once
+          # Gitea supports this, we can simply uncomment the following lines to upload the provenance file as well.
+          #
+          #   https://github.com/helm/helm/issues/31866
+          #
+          # if [ -f "${REPOSITORY_NAME}-${PACKAGE_VERSION}.tgz.prov" ]; then
+          #   curl \
+          #     --fail \
+          #     --show-error \
+          #     --request POST \
+          #     --user "${CHARTMUSEUM_USERNAME}:${CHARTMUSEUM_PASSWORD}" \
+          #     --upload-file "${REPOSITORY_NAME}-${PACKAGE_VERSION}.tgz.prov" \
+          #       https://${GITEA_SERVER_HOSTNAME}/api/packages/${REPOSITORY_OWNER}/helm/api/prov
+          # fi
+
+      - name: Upload Chart to Chartmuseum (Helm)
+        env:
+          CHARTMUSEUM_HOSTNAME: ${{ vars.CHARTMUSEUM_HOSTNAME }}
+          CHARTMUSEUM_USERNAME: ${{ secrets.CHARTMUSEUM_USERNAME }}
           CHARTMUSEUM_PASSWORD: ${{ secrets.CHARTMUSEUM_PASSWORD }}
           CHARTMUSEUM_REPOSITORY: ${{ vars.CHARTMUSEUM_REPOSITORY }}
-          CHARTMUSEUM_USERNAME: ${{ secrets.CHARTMUSEUM_USERNAME }}
-          CHARTMUSEUM_HOSTNAME: ${{ vars.CHARTMUSEUM_HOSTNAME }}
-
-          GITEA_PACKAGE_REGISTRY_TOKEN: ${{ secrets.GIT_CRYPTIC_SYSTEMS_PACKAGE_REGISTRY_TOKEN }}
-          GITEA_SERVER_URL: ${{ github.server_url }}
         run: |
-          PACKAGE_VERSION=${GITHUB_REF#refs/tags/}
-          REPOSITORY_NAME=$(echo ${GITHUB_REPOSITORY} | cut -d '/' -f 2)
-          REPOSITORY_OWNER=$(echo ${GITHUB_REPOSITORY} | cut -d '/' -f 1)
+          curl \
+            --fail \
+            --show-error \
+            --request POST \
+            --user "${CHARTMUSEUM_USERNAME}:${CHARTMUSEUM_PASSWORD}" \
+            --upload-file "${REPOSITORY_NAME}-${PACKAGE_VERSION}.tgz" \
+              https://${CHARTMUSEUM_HOSTNAME}/api/${CHARTMUSEUM_REPOSITORY}/charts
 
-          helm dependency build
-          helm package --version "${PACKAGE_VERSION}" ./
-
-          # chart-museum
-          helm repo add --username ${CHARTMUSEUM_USERNAME} --password ${CHARTMUSEUM_PASSWORD} chartmuseum https://${CHARTMUSEUM_HOSTNAME}/${CHARTMUSEUM_REPOSITORY}
-          helm cm-push ${REPOSITORY_NAME}-${PACKAGE_VERSION}.tgz chartmuseum
-          helm repo remove chartmuseum
-
-      - name: Upload Chart to Gitea
-        env:
-          GITEA_PACKAGE_REGISTRY_TOKEN: ${{ secrets.GIT_CRYPTIC_SYSTEMS_PACKAGE_REGISTRY_TOKEN }}
-          GITEA_SERVER_URL: ${{ github.server_url }}
-        run: |
-          helm repo add --username ${REPOSITORY_OWNER} --password ${GITEA_PACKAGE_REGISTRY_TOKEN} gitea ${GITEA_SERVER_URL}/api/packages/${REPOSITORY_OWNER}/helm
-          helm cm-push ${REPOSITORY_NAME}-${PACKAGE_VERSION}.tgz gitea
-          helm repo remove gitea
+          if [ -f "${REPOSITORY_NAME}-${PACKAGE_VERSION}.tgz.prov" ]; then
+            curl \
+              --fail \
+              --show-error \
+              --request POST \
+              --user "${CHARTMUSEUM_USERNAME}:${CHARTMUSEUM_PASSWORD}" \
+              --upload-file ${REPOSITORY_NAME}-${PACKAGE_VERSION}.tgz.prov \
+                https://${CHARTMUSEUM_HOSTNAME}/api/${CHARTMUSEUM_REPOSITORY}/prov
+          fi

.gitignore

@@ -1,9 +1,9 @@
 charts
+cosign*
 node_modules
 target
-values2.yml
-values2.yaml
+!values.yaml
+!values.yml
+values*.yaml
+values*.yml
 *.tgz
-
-install.sh
-uninstall.sh

.vscode/settings.json

@@ -1,6 +1,6 @@
 {
   "yaml.schemas": {
-    "https://raw.githubusercontent.com/helm-unittest/helm-unittest/v0.5.2/schema/helm-testsuite.json": [
+    "https://raw.githubusercontent.com/helm-unittest/helm-unittest/v1.1.0/schema/helm-testsuite.json": [
       "/unittests/**/*.yaml"
     ]
   },

Chart.yaml

@@ -1,15 +1,21 @@
 annotations:
+  artifacthub.io/license: MIT
   artifacthub.io/links: |
     - name: Athens proxy (binary)
       url: https://github.com/gomods/athens
     - name: support
-      url: https://git.cryptic.systems/volker.raschek/athens-proxy/issues
+      url: https://git.cryptic.systems/volker.raschek/athens-proxy-charts/issues
+  artifacthub.io/operator: "false"
+  artifacthub.io/prerelease: "false"
+  artifacthub.io/signKey: |
+    fingerprint: 3B0CE9853CAD76076260025383D342258456906E
+    url: https://keys.openpgp.org/vks/v1/by-fingerprint/3B0CE9853CAD76076260025383D342258456906E
 apiVersion: v2
 name: athens-proxy
 description: Athens proxy server for golang
 type: application
 version: "0.1.0"
-appVersion: "v0.16.1"
+appVersion: "v0.17.1"
 icon: https://github.com/gomods/athens/blob/main/docs/static/banner.png?raw=true
 
 keywords:
@@ -19,10 +25,6 @@ keywords:
 - go-proxy
 
 sources:
-- https://github.com/volker-raschek/athens-proxy-charts
+- https://git.cryptic.systems/volker.raschek/athens-proxy-charts
 - https://github.com/gomods/athens
 - https://hub.docker.com/r/gomods/athens
-
-maintainers:
-- name: Markus Pesch
-  email: markus.pesch+apps@cryptic.systems

Makefile

@@ -4,13 +4,13 @@ CONTAINER_RUNTIME?=$(shell which podman)
 # HELM_IMAGE
 HELM_IMAGE_REGISTRY_HOST?=docker.io
 HELM_IMAGE_REPOSITORY?=volkerraschek/helm
-HELM_IMAGE_VERSION?=3.19.0 # renovate: datasource=docker registryUrl=https://docker.io depName=volkerraschek/helm
+HELM_IMAGE_VERSION?=3.19.0 # renovate: datasource=docker registryUrl=https://docker.io depName=docker.io/volkerraschek/helm
 HELM_IMAGE_FULLY_QUALIFIED=${HELM_IMAGE_REGISTRY_HOST}/${HELM_IMAGE_REPOSITORY}:${HELM_IMAGE_VERSION}
 
 # NODE_IMAGE
 NODE_IMAGE_REGISTRY_HOST?=docker.io
 NODE_IMAGE_REPOSITORY?=library/node
-NODE_IMAGE_VERSION?=24.10.0-alpine # renovate: datasource=docker registryUrl=https://docker.io depName=docker.io/library/node packageName=library/node
+NODE_IMAGE_VERSION?=25.2.1-alpine # renovate: datasource=docker registryUrl=https://docker.io depName=docker.io/library/node packageName=library/node
 NODE_IMAGE_FULLY_QUALIFIED=${NODE_IMAGE_REGISTRY_HOST}/${NODE_IMAGE_REPOSITORY}:${NODE_IMAGE_VERSION}
 
 # MISSING DOT
@@ -18,6 +18,25 @@ NODE_IMAGE_FULLY_QUALIFIED=${NODE_IMAGE_REGISTRY_HOST}/${NODE_IMAGE_REPOSITORY}:
 missing-dot:
 	grep --perl-regexp '## @(param|skip).*[^.]$$' values.yaml
 
+# README
+# ==============================================================================
+readme: readme/link readme/lint readme/parameters
+
+readme/link:
+	npm install && npm run readme:link
+
+readme/lint:
+	npm install && npm run readme:lint
+
+readme/parameters:
+	npm install && npm run readme:parameters
+
+# HELM UNITTESTS
+# ==============================================================================
+PHONY+=helm/unittest
+helm/unittest:
+	helm unittest --strict --file 'unittests/**/*.yaml' ./
+
 # CONTAINER RUN - README
 # ==============================================================================
 PHONY+=container-run/readme
@@ -88,4 +107,4 @@ container-run/helm-lint:
 # ==============================================================================
 # Declare the contents of the PHONY variable as phony. We keep that information
 # in a variable so we can use it in if_changed.
-.PHONY: ${PHONY}
+.PHONY: ${PHONY}

README.md

@@ -1,168 +1,609 @@
-# athens-proxy-charts
+# Athens - A Go module datastore and proxy
 
 [![Artifact Hub](https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/volker-raschek)](https://artifacthub.io/packages/search?repo=volker-raschek)
 
-This is an inofficial helm chart of the go-proxy
-[athens](https://github.com/gomods/athens) which supports more complex
-configuration options.
+> [!NOTE]
+> This is not the official helm chart of Athens Go Proxy. If you are looking for the official helm chart, checkout the
+> GitHub project [gomods/athens-charts](https://github.com/gomods/athens-charts).
 
-This helm chart can be found on [artifacthub.io](https://artifacthub.io/) and
-can be installed via helm.
+This helm chart enables the deployment of [Athens Go Proxy](https://github.com/gomods/athens), a module datastore and
+proxy for Golang.
+
+The helm chart supports the individual configuration of additional containers/initContainers, mounting of volumes,
+defining additional environment variables and much more.
+
+Chapter [configuration and installation](#helm-configuration-and-installation) describes the basics how to configure
+helm and use it to deploy the exporter. It also contains further configuration examples.
+
+Furthermore, this helm chart contains unit tests to detect regressions and stabilize the deployment. Additionally, this
+helm chart is tested for deployment scenarios with **ArgoCD**.
+
+## Helm: configuration and installation
+
+1. A helm chart repository must be configured, to pull the helm charts from.
+2. All available [parameters](#parameters) are documented in detail below. The parameters can be defined via the helm
+   `--set` flag or directly as part of a `values.yaml` file. The following example defines the repository and use the
+   `--set` flag for a basic deployment.
 
 ```bash
 helm repo add volker.raschek https://charts.cryptic.systems/volker.raschek
+helm repo update
 helm install athens-proxy volker.raschek/athens-proxy
 ```
 
-## Customization
+Instead of passing all parameters via the *set* flag, it is also possible to define them as part of the `values.yaml`.
+The following command downloads the `values.yaml` for a specific version of this chart. Please keep in mind, that the
+version of the chart must be in sync with the `values.yaml`. Newer *minor* versions can have new features. New *major*
+versions can break something!
 
-The complete deployment can be adapted via the `values.yaml` files. The
-configuration of the proxy can be done via the environment variables described
-below or via mounting the config.toml as additional persistent volume to
-`/config/config.toml`
+```bash
+CHART_VERSION=1.4.1
+helm show values volker.raschek/athens-proxy --version "${CHART_VERSION}" > values.yaml
+```
 
-## Access private repositories via SSH
+A complete list of available helm chart versions can be displayed via the following command:
 
-Create a `configmap.yaml` with multiple keys. One key describe the content of
-the `.gitconfig` file and another of `config` of the ssh client. All requests
-Git clone comands with the prefix `http://github.com/` will be replaced by
-`git@github.com:` to use SSH instead of HTTPS. The SSH keys are stored in a
-separate secret.
+```bash
+helm search repo athens-proxy --versions
+```
+
+The helm chart also contains a persistent volume claim definition. It persistent volume claim is not enabled by default.
+Use the `--set` argument to persist your data.
+
+```bash
+CHART_VERSION=1.4.1
+helm install --version "${CHART_VERSION}" athens-proxy volker.raschek/athens-proxy \
+  persistence.enabled=true
+```
+
+### Examples
+
+The following examples serve as individual configurations and as inspiration for how deployment problems can be solved.
+
+#### Avoid CPU throttling by defining a CPU limit
+
+If the application is deployed with a CPU resource limit, Prometheus may throw a CPU throttling warning for the
+application. This has more or less to do with the fact that the application finds the number of CPUs of the host, but
+cannot use the available CPU time to perform computing operations.
+
+The application must be informed that despite several CPUs only a part (limit) of the available computing time is
+available. As this is a Golang application, this can be implemented using `GOMAXPROCS`. The following example is one way
+of defining `GOMAXPROCS` automatically based on the defined CPU limit like `1000m`. Please keep in mind, that the CFS
+rate of `100ms` - default on each kubernetes node, is also very important to avoid CPU throttling.
+
+Further information about this topic can be found in one of Kanishk's blog
+[posts](https://kanishk.io/posts/cpu-throttling-in-containerized-go-apps/).
+
+> [!NOTE]
+> The environment variable `GOMAXPROCS` is set automatically, when a CPU limit is defined. An explicit configuration is
+> not anymore required.
+>
+> Please take care the a CPU limit < `1000m` can also lead to CPU throttling. Please read the linked documentation carefully.
+
+```bash
+CHART_VERSION=1.4.1
+helm install --version "${CHART_VERSION}" athens-proxy volker.raschek/athens-proxy \
+  --set 'deployment.athensProxy.env.name=GOMAXPROCS' \
+  --set 'deployment.athensProxy.env.valueFrom.resourceFieldRef.resource=limits.cpu' \
+  --set 'deployment.athensProxy.resources.limits.cpu=1000m'
+```
+
+#### TLS encryption
+
+The example shows how to deploy the application with TLS encryption. For example when **no** HTTP ingress is used for
+TLS determination and instead the application it self should determinate the TLS handshake. To generate the TLS
+certificate can be used the [cert-manager](https://cert-manager.io/). The chart supports the creation of such a TLS
+certificate via `cert-manager.io/v1 Certificate` resource. Alternatively can be mounted a TLS certificate from a secret.
+The secret must be from type `kubernetes.io/tls`.
+
+If athens-proxy is deployed behind a reverse proxy, for example an ingress nginx controller or Gateway API, please
+instruct the reverse proxy to establish a TLS encrypted connection to avoid connection problems. The documentation
+describes configuring [Ingress NGINX](#ingress-nginx) as well as [NGINX Gateway Fabric](#gatewayapi-nginx-fabric).
+
+> [!WARNING]
+> The following example expects that the [cert-manager](https://cert-manager.io/) is deployed and the `Issuer` named
+> `athens-proxy-ca` is present in the same namespace of the helm deployment.
+
+```bash
+CHART_VERSION=1.4.1
+helm install --version "${CHART_VERSION}" athens-proxy volker.raschek/athens-proxy \
+  --set 'config.certificate.enabled=true' \
+  --set 'config.certificate.new.issuerRef.kind=Issuer' \
+  --set 'config.certificate.new.issuerRef.name=athens-proxy-ca'
+```
+
+The environment variables `ATHENS_TLSCERT_FILE` and `ATHENS_TLSKEY_FILE` are automatically added and the TLS certificate
+and private key are mounted to a pre-defined destination inside the container file system.
+
+##### Ingress NGINX
+
+The following changes must be applied to enable TLS encryption and authentication on-top between the ingress and backend
+service.
+
+> [!IMPORTANT]
+> The HTTP Version between the ingress nginx and backend must be set to `1.1`, as well as the TLS protocol must be set
+> to `TLSv1.2`. Otherwise can't the nginx establish a TLS connection.
+
+The secret `athens-proxy/ingress-nginx-controller-tls` contains TLS certificates for the nginx ingress controller. The
+TLS certificate must be created manually, for example via [cert-manager](https://cert-manager.io/). It is used by the
+nginx for TLS authentication.
 
 ```yaml
-apiVersion: v1
-kind: ConfigMap
+ingress:
+  enabled: true
+  className: "nginx"
+  annotations:
+    nginx.ingress.kubernetes.io/backend-protocol: HTTPS
+    nginx.ingress.kubernetes.io/proxy-http-version: "1.1"
+    nginx.ingress.kubernetes.io/proxy-ssl-secret: athens-proxy/ingress-nginx-controller-tls
+    nginx.ingress.kubernetes.io/proxy-ssl-protocols: TLSv1.2
+    nginx.ingress.kubernetes.io/proxy-ssl-name: athens-proxy
+    nginx.ingress.kubernetes.io/proxy-ssl-verify: "on"
+```
+
+##### GatewayAPI: NGINX Fabric
+
+The following changes must be applied to enable TLS encryption and authentication on-top between the gateway and backend
+service.
+
+> [!IMPORTANT]
+> The HTTP Version between the nginx gateway fabric and backend must be set to `1.1`, as well as the TLS protocol must
+> be set to `TLSv1.2`. Otherwise can't the nginx establish a TLS connection.
+
+The `gatewayAPI.core.backendTLSPolicy.validation.caCertificateRefs` must contain at least one secret containing the
+root or intermediate certificate of the issued TLS certificate used by athens-proxy to be able to validate the TLS
+certificate.
+
+```yaml
+gatewayAPI:
+  enabled: true
+  core:
+    backendTLSPolicy:
+      enabled: true
+      validation:
+        caCertificateRefs:
+        - group: ""
+          kind: Secret
+          name: "athens-proxy-ca"
+        hostname: "athens-proxy"
+
+    httpRoute:
+      enabled: true
+      hostnames:
+      - athens-proxy.example.local
+      parentRefs:
+      - name: nginx
+        kind: Gateway
+        group: gateway.networking.k8s.io
+        namespace: my-gateway-namespace
+        sectionName: athens-proxy-https
+```
+
+The Gateway resource is not part of the helm chart, but for illustrating the configuration example, here a GatewayAPI
+resource with configured backend TLS certificate. The TLS certificates `gateway-frontend-tls` and `gateway-backend-tls`
+must also be created manually, for example via [cert-manager](https://cert-manager.io/).
+
+```yaml
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: Gateway
 metadata:
-  name: custom-configs
-data:
-  sshconfig: |
-    Host github.com
-      IdentityFile /root/.ssh/id_ed25519
-      StrictHostKeyChecking no
-  gitconfig: |
-    [url "git@github.com:"]
-      insteadOf = https://github.com/
+  name: nginx
+  namespace: my-gateway-namespace
+spec:
+  gatewayClassName: nginx
+  listeners:
+    - allowedRoutes:
+        kinds:
+          - group: gateway.networking.k8s.io
+            kind: HTTPRoute
+        namespaces:
+          from: All
+      hostname: athens-proxy.example.local
+      name: https
+      port: 443
+      protocol: HTTPS
+      tls:
+        certificateRefs:
+          - group: ''
+            kind: Secret
+            name: gateway-frontend-tls
+            namespace: my-gateway-namespace
+        mode: Terminate
+  tls:
+    backend:
+      clientCertificateRef:
+        group: ''
+        kind: Secret
+        name: gateway-backend-tls
+        namespace: my-gateway-namespace
 ```
 
-The secret definition below contains the SSH private and public key.
+#### TLS certificate rotation
+
+If the application uses TLS certificates that are mounted as a secret in the container file system like the example
+[above](#tls-encryption), the application will not automatically apply them when the TLS certificates are rotated. Such
+a rotation can be for example triggered, when the [cert-manager](https://cert-manager.io/) issues new TLS certificates
+before expiring.
+
+Until the exporter does not support rotating TLS certificate a workaround can be applied. For example stakater's
+[reloader](https://github.com/stakater/Reloader) controller can be used to trigger a rolling update. The following
+annotation must be added to instruct the reloader controller to trigger a rolling update, when the mounted secret has
+been changed.
+
+> [!IMPORTANT]
+> The Helm chart already adds annotations to trigger a rolling release. Helm describes this approach under
+> [Automatically Roll Deployments](https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments).
+> For this reason, **only external** configMaps or secrets need to be monitored by reloader.
 
 ```yaml
-apiVersion: v1
-kind: Secret
-metadata:
-  name: custom-ssh-keys
-type: Opaque
-stringData:
-  id_ed25519: |
-    -----BEGIN OPENSSH PRIVATE KEY-----
-    b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
-    QyNTUxOQAAACCpf/10TWlksg6/5mZF067fTGvW71I5QVJEp/nyC8hVHgAAAJgwWWNdMFlj
-    XQAAAAtzc2gtZWQyNTUxOQAAACCpf/10TWlksg6/5mZF067fTGvW71I5QVJEp/nyC8hVHg
-    AAAEDzTPitanzgl6iThoFCx8AXwsGLS5Q+3+K66ZOmN0p6+6l//XRNaWSyDr/mZkXTrt9M
-    a9bvUjlBUkSn+fILyFUeAAAAEG1hcmt1c0BtYXJrdXMtcGMBAgMEBQ==
-    -----END OPENSSH PRIVATE KEY-----
-  id_ed25519.pub: |
-    ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKl//XRNaWSyDr/mZkXTrt9Ma9bvUjlBUkSn+fILyFUe
+deployment:
+  annotations:
+    secret.reloader.stakater.com/reload: "athens-proxy-tls"
 ```
 
-The item `config` of the configmap will be merged with the items of the secret
-as virtual volume. This volume can than be mounted with special permissions
-required for the ssh client.
+If the application is rolled out using ArgoCD, a rolling update from stakater's
+[reloader](https://github.com/stakater/Reloader) can lead to a drift. ArgoCD will attempt to restore the original state
+with a rolling update. To avoid this, instead of a rolling update triggered by the reloader, a restart of the pod can be
+initiated. Further information are available in the official
+[README](https://github.com/stakater/Reloader?tab=readme-ov-file#4-%EF%B8%8F-workload-specific-rollout-strategy) of
+stakater's reloader.
 
-```yaml
-extraVolumes:
-- name: ssh
-  projected:
-    defaultMode: 0644
-    sources:
-    - configMap:
-        name: custom-configs
-        items:
-        - key: sshconfig
-          path: config
-    - secret:
-        name: custom-ssh-keys
-        items:
-        - key: id_ed25519
-          path: id_ed25519
-          mode: 0600
-        - key: id_ed25519.pub
-          path: id_ed25519.pub
-- name: gitconfig
-  configMap:
-    name: custom-configs
-    items:
-    - key: gitconfig
-      path: config
-      mode: 0644
-
-extraVolumeMounts:
-- name: ssh
-  mountPath: /root/.ssh
-- name: gitconfig
-  mountPath: /root/.config/git
+```diff
+  deployment:
+    annotations:
++     reloader.stakater.com/rollout-strategy: "restart"
+      secret.reloader.stakater.com/reload: "athens-proxy-tls"
 ```
 
-## Access private GitHub.com repositories via developer token
+#### Network policies
 
-Another way to access private GitHub repositories is via a GitHub token, which
-can be set via the environment variable `GITHUB_TOKEN`. Athens automatically
-creates a `.netrc` file to access private GitHub repositories.
+Network policies can only take effect, when the used CNI plugin support network policies. The chart supports no custom
+network policy implementation of CNI plugins. It's support only the official API resource of `networking.k8s.io/v1`.
 
-## Access private repositories via .netrc configuration
+The example below is an excerpt of the `values.yaml` file. The network policy contains ingress rules to allow incoming
+traffic from an ingress controller. Additionally two egress rules are defined. The first one to allow the application
+outgoing access to the internal running DNS server `core-dns`. The second rule to be able to access the upstream Go
+proxy `https://proxy.golang.org` via HTTPS.
 
-As describe above, a `.netrc` file is responsible for the authentication via
-HTTP. The file can also be defined via a custom secret and mounted into the home
-directory of `root` for general authentication purpose.
-
-The example below describe the definition and mounting of a custom `.netrc` file
-to access private repositories hosted on GitHub and GitLab.
+> [!IMPORTANT]
+> Please keep in mind, that the namespace and pod selector labels can be different from environment to environment. For
+> this reason, there is are not default network policy rules defined.
 
 ```yaml
-apiVersion: v1
-kind: Secret
-metadata:
-  name: custom-netrc
-type: Opaque
-stringData:
-  netrc: |
-    machine github.com login USERNAME password API-KEY
-    machine gitlab.com login USERNAME password API-KEY
+networkPolicies:
+  enabled: true
+  annotations: {}
+  labels: {}
+  policyTypes:
+  - Egress
+  - Ingress
+  egress:
+  - to:
+    - namespaceSelector:
+        matchLabels:
+          kubernetes.io/metadata.name: kube-system
+      podSelector:
+        matchLabels:
+          k8s-app: kube-dns
+    ports:
+    - port: 53
+      protocol: TCP
+    - port: 53
+      protocol: UDP
+  - ports:
+    - port: 22
+      protocol: TCP
+  - ports:
+    - port: 443
+      protocol: TCP
+
+  ingress:
+  - from:
+    - namespaceSelector:
+        matchLabels:
+          kubernetes.io/metadata.name: ingress-nginx
+      podSelector:
+        matchLabels:
+          app.kubernetes.io/name: ingress-nginx
+    # NGINX GatewayAPI Fabric
+    - namespaceSelector:
+        matchLabels:
+          kubernetes.io/metadata.name: gateway-nginx
+      podSelector:
+        matchLabels:
+          app.kubernetes.io/name: gateway-nginx
+    ports:
+    - port: http
+      protocol: TCP
 ```
 
-The file must then be mounted via extraVolumes and extraVolumeMounts.
+## ArgoCD
+
+### Example Application
+
+An application resource for the Helm chart is defined below. It serves as an example for your own deployment.
 
 ```yaml
-extraVolumes:
-- name: netrc
-  secret:
-    secretName: custom-netrc
-    items:
-    - key: netrc
-      path: .netrc
-      mode: 0600
-
-extraVolumeMounts:
-- name: netrc
-  mountPath: /root
-```
-
-## Persistent storage
-
-Unlike the athens default, the default here is `disk` - i.e. the files are
-written to the container. Therefore, it is advisable to outsource the
-corresponding storage location to persistent storage. The following example
-describes the integration of a persistent storage claim.
-
-```yaml
-extraVolumes:
-- name: gomodules
-  persistentVolumeClaim:
-    claimName: custom-gomodules-pvc
-
-extraVolumeMounts:
-- name: gomodules
-  mountPath: /var/lib/athens
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+spec:
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: athens-proxy
+  ignoreDifferences:
+  - group: apps
+    kind: Deployment
+    jqPathExpressions:
+    # When HPA is enabled, ensure that a modification of the replicas does not lead to a
+    # drift.
+      - '.spec.replicas'
+    # Ensure that changes of the annotations or environment variables added or modified by
+    # stakater's reloader does not lead to a drift.
+    - '.spec.template.metadata.annotations | with_entries(select(.key | startswith("reloader")))'
+    - '.spec.template.spec.containers[].env[] | select(.name | startswith("STAKATER_"))'
+  sources:
+  - repoURL: https://charts.cryptic.systems/volker.raschek
+    chart: athens-proxy
+    targetRevision: '0.*'
+    helm:
+      valueFiles:
+      - $values/values.yaml
+      releaseName: athens-proxy
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    managedNamespaceMetadata:
+      annotations: {}
+      labels: {}
+    syncOptions:
+    - ApplyOutOfSyncOnly=true
+    - CreateNamespace=true
+    - FailOnSharedResource=false
+    - Replace=false
+    - RespectIgnoreDifferences=false
+    - ServerSideApply=true
+    - Validate=true
 ```
 
 ## Parameters
+
+### Global
+
+| Name               | Description                               | Value |
+| ------------------ | ----------------------------------------- | ----- |
+| `nameOverride`     | Individual release name suffix.           | `""`  |
+| `fullnameOverride` | Override the complete release name logic. | `""`  |
+
+### Certificate
+
+| Name                                          | Description                                                                                                                                                 | Value                           |
+| --------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------- |
+| `certificate.enabled`                         | Issue a TLS certificate via cert-manager. If enabled, the environment variables `ATHENS_TLSCERT_FILE` and `ATHENS_TLSKEY_FILE` will be automatically added. | `false`                         |
+| `certificate.addSHASumAnnotation`             | Add an pod annotation with the sha sum of the secret containing the TLS certificates.                                                                       | `true`                          |
+| `certificate.existingSecret.enabled`          | Use an existing secret of the type `kubernetes.io/tls`.                                                                                                     | `false`                         |
+| `certificate.existingSecret.secretName`       | Name of the secret containing the TLS certificate and private key.                                                                                          | `""`                            |
+| `certificate.new.annotations`                 | Additional certificate annotations.                                                                                                                         | `{}`                            |
+| `certificate.new.labels`                      | Additional certificate labels.                                                                                                                              | `{}`                            |
+| `certificate.new.duration`                    | Duration of the TLS certificate.                                                                                                                            | `744h`                          |
+| `certificate.new.renewBefore`                 | Renew TLS certificate before expiring.                                                                                                                      | `672h`                          |
+| `certificate.new.dnsNames`                    | Overwrites the default of the subject alternative DNS names.                                                                                                | `[]`                            |
+| `certificate.new.ipAddresses`                 | Overwrites the default of the subject alternative IP addresses.                                                                                             | `[]`                            |
+| `certificate.new.issuerRef.kind`              | Issuer kind. Can be `Issuer` or `ClusterIssuer`.                                                                                                            | `""`                            |
+| `certificate.new.issuerRef.name`              | Name of the `Issuer` or `ClusterIssuer`.                                                                                                                    | `""`                            |
+| `certificate.new.privateKey.algorithm`        | Algorithm of the private TLS key.                                                                                                                           | `RSA`                           |
+| `certificate.new.privateKey.rotationPolicy`   | Rotation of the private TLS key.                                                                                                                            | `Never`                         |
+| `certificate.new.privateKey.size`             | Size of the private TLS key.                                                                                                                                | `4096`                          |
+| `certificate.new.secretTemplate.annotations`  | Additional annotation of the created secret.                                                                                                                | `{}`                            |
+| `certificate.new.secretTemplate.labels`       | Additional labels of the created secret.                                                                                                                    | `{}`                            |
+| `certificate.new.subject.countries`           | List of countries.                                                                                                                                          | `[]`                            |
+| `certificate.new.subject.localities`          | List of localities.                                                                                                                                         | `[]`                            |
+| `certificate.new.subject.organizationalUnits` | List of organizationalUnits.                                                                                                                                | `[]`                            |
+| `certificate.new.subject.organizations`       | List of organizations.                                                                                                                                      | `[]`                            |
+| `certificate.new.subject.postalCodes`         | List of postalCodes.                                                                                                                                        | `[]`                            |
+| `certificate.new.subject.provinces`           | List of provinces.                                                                                                                                          | `[]`                            |
+| `certificate.new.subject.serialNumber`        | Serial number.                                                                                                                                              | `""`                            |
+| `certificate.new.subject.streetAddresses`     | List of streetAddresses.                                                                                                                                    | `[]`                            |
+| `certificate.new.usages`                      | Define the usage of the TLS key.                                                                                                                            | `["client auth","server auth"]` |
+
+### Configuration
+
+| Name                                                    | Description                                                                                                                                       | Value            |
+| ------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------- |
+| `config.env.enabled`                                    | Enable mounting of the secret as environment variables.                                                                                           | `false`          |
+| `config.env.addSHASumAnnotation`                        | Add an pod annotation with the sha sum of the config map containing the configuration.                                                            | `true`           |
+| `config.env.existingSecret.enabled`                     | Mount an existing secret containing the application specific environment variables.                                                               | `false`          |
+| `config.env.existingSecret.secretName`                  | Name of the existing secret containing the application specific environment variables.                                                            | `""`             |
+| `config.env.secret.annotations`                         | Additional annotations of the secret containing the database credentials.                                                                         | `{}`             |
+| `config.env.secret.labels`                              | Additional labels of the secret containing the database credentials.                                                                              | `{}`             |
+| `config.env.secret.envs`                                | List of environment variables stored in a secret and mounted into the container.                                                                  | `{}`             |
+| `config.downloadMode.enabled`                           | Enable mounting of a download mode file into the container file system. If enabled, the env `ATHENS_DOWNLOAD_MODE` will automatically be defined. | `false`          |
+| `config.downloadMode.addSHASumAnnotation`               | Add an pod annotation with the sha sum of the config map containing the downloadMode config.                                                      | `true`           |
+| `config.downloadMode.existingConfigMap.enabled`         | Enable to use an external config map for mounting the download mode file.                                                                         | `false`          |
+| `config.downloadMode.existingConfigMap.configMapName`   | The name of the existing config map which should be used to mount the download mode file.                                                         | `""`             |
+| `config.downloadMode.existingConfigMap.downloadModeKey` | The name of the key inside the config map where the content of the download mode file is stored.                                                  | `downloadMode`   |
+| `config.downloadMode.configMap.annotations`             | Additional annotations of the config map containing the download mode file.                                                                       | `{}`             |
+| `config.downloadMode.configMap.labels`                  | Additional labels of the config map containing the download mode file.                                                                            | `{}`             |
+| `config.gitConfig.enabled`                              | Enable mounting of a .gitconfig file into the container file system.                                                                              | `false`          |
+| `config.gitConfig.addSHASumAnnotation`                  | Add an pod annotation with the sha sum of the config map containing the git config.                                                               | `true`           |
+| `config.gitConfig.existingConfigMap.enabled`            | Enable to use an external config map for mounting the .gitconfig file.                                                                            | `false`          |
+| `config.gitConfig.existingConfigMap.configMapName`      | The name of the existing config map which should be used to mount the .gitconfig file.                                                            | `""`             |
+| `config.gitConfig.existingConfigMap.gitConfigKey`       | The name of the key inside the config map where the content of the .gitconfig file is stored.                                                     | `nil`            |
+| `config.gitConfig.configMap.annotations`                | Additional annotations of the config map containing the .gitconfig file.                                                                          | `{}`             |
+| `config.gitConfig.configMap.labels`                     | Additional labels of the config map containing the .gitconfig file.                                                                               | `{}`             |
+| `config.netrc.enabled`                                  | Enable mounting of a .netrc file into the container file system.                                                                                  | `false`          |
+| `config.netrc.addSHASumAnnotation`                      | Add an pod annotation with the sha sum of the secret containing the netrc file.                                                                   | `true`           |
+| `config.netrc.existingSecret.enabled`                   | Enable to use an external secret for mounting the .netrc file.                                                                                    | `false`          |
+| `config.netrc.existingSecret.secretName`                | The name of the existing secret which should be used to mount the .netrc file.                                                                    | `""`             |
+| `config.netrc.existingSecret.netrcKey`                  | The name of the key inside the secret where the content of the .netrc file is stored.                                                             | `.netrc`         |
+| `config.netrc.secret.annotations`                       | Additional annotations of the secret containing the database credentials.                                                                         | `{}`             |
+| `config.netrc.secret.labels`                            | Additional labels of the secret containing the database credentials.                                                                              | `{}`             |
+| `config.ssh.enabled`                                    | Enable mounting of a .netrc file into the container file system.                                                                                  | `false`          |
+| `config.ssh.addSHASumAnnotation`                        | Add an pod annotation with the sha sum of the secret containing the ssh keys.                                                                     | `true`           |
+| `config.ssh.existingSecret.enabled`                     | Enable to use an external secret for mounting the public and private SSH key files.                                                               | `false`          |
+| `config.ssh.existingSecret.secretName`                  | The name of the existing secret which should be used to mount the public and private SSH key files.                                               | `""`             |
+| `config.ssh.existingSecret.configKey`                   | The name of the key inside the secret where the content of the SSH client config file is stored.                                                  | `config`         |
+| `config.ssh.existingSecret.id_ed25519Key`               | The name of the key inside the secret where the content of the id_ed25519 key file is stored.                                                     | `id_ed25519`     |
+| `config.ssh.existingSecret.id_ed25519PubKey`            | The name of the key inside the secret where the content of the id_ed25519.pub key file is stored.                                                 | `id_ed25519.pub` |
+| `config.ssh.existingSecret.id_rsaKey`                   | The name of the key inside the secret where the content of the id_rsa key file is stored.                                                         | `id_rsa`         |
+| `config.ssh.existingSecret.id_rsaPubKey`                | The name of the key inside the secret where the content of the id_ed25519.pub key file is stored.                                                 | `id_rsa.pub`     |
+| `config.ssh.secret.annotations`                         | Additional annotations of the secret containing the public and private SSH key files.                                                             | `{}`             |
+| `config.ssh.secret.labels`                              | Additional labels of the secret containing the public and private SSH key files.                                                                  | `{}`             |
+
+### Deployment
+
+| Name                                                        | Description                                                                                                | Value           |
+| ----------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------- | --------------- |
+| `deployment.annotations`                                    | Additional deployment annotations.                                                                         | `{}`            |
+| `deployment.labels`                                         | Additional deployment labels.                                                                              | `{}`            |
+| `deployment.additionalContainers`                           | List of additional containers.                                                                             | `[]`            |
+| `deployment.affinity`                                       | Affinity for the athens-proxy deployment.                                                                  | `{}`            |
+| `deployment.initContainers`                                 | List of additional init containers.                                                                        | `[]`            |
+| `deployment.dnsConfig`                                      | dnsConfig of the athens-proxy deployment.                                                                  | `{}`            |
+| `deployment.dnsPolicy`                                      | dnsPolicy of the athens-proxy deployment.                                                                  | `""`            |
+| `deployment.hostname`                                       | Individual hostname of the pod.                                                                            | `""`            |
+| `deployment.subdomain`                                      | Individual domain of the pod.                                                                              | `""`            |
+| `deployment.hostNetwork`                                    | Use the kernel network namespace of the host system.                                                       | `false`         |
+| `deployment.imagePullSecrets`                               | Secret to use for pulling the image.                                                                       | `[]`            |
+| `deployment.athensProxy.args`                               | Arguments passed to the athens-proxy container.                                                            | `[]`            |
+| `deployment.athensProxy.command`                            | Command passed to the athens-proxy container.                                                              | `[]`            |
+| `deployment.athensProxy.env`                                | List of environment variables for the athens-proxy container.                                              | `[]`            |
+| `deployment.athensProxy.envFrom`                            | List of environment variables mounted from configMaps or secrets for the athens-proxy container.           | `[]`            |
+| `deployment.athensProxy.image.registry`                     | Image registry, eg. `docker.io`.                                                                           | `docker.io`     |
+| `deployment.athensProxy.image.repository`                   | Image repository, eg. `library/busybox`.                                                                   | `gomods/athens` |
+| `deployment.athensProxy.image.tag`                          | Custom image tag, eg. `0.1.0`. Defaults to `appVersion`.                                                   | `""`            |
+| `deployment.athensProxy.image.pullPolicy`                   | Image pull policy.                                                                                         | `IfNotPresent`  |
+| `deployment.athensProxy.livenessProbe.failureThreshold`     | Minimum consecutive failures for the probe to be considered failed after having succeeded.                 | `3`             |
+| `deployment.athensProxy.livenessProbe.initialDelaySeconds`  | Number of seconds after the container has started before liveness probes are initiated.                    | `5`             |
+| `deployment.athensProxy.livenessProbe.periodSeconds`        | How often (in seconds) to perform the probe.                                                               | `60`            |
+| `deployment.athensProxy.livenessProbe.successThreshold`     | Minimum consecutive successes for the probe to be considered successful after having failed.               | `1`             |
+| `deployment.athensProxy.livenessProbe.timeoutSeconds`       | Number of seconds after which the probe times out.                                                         | `3`             |
+| `deployment.athensProxy.readinessProbe.failureThreshold`    | Minimum consecutive failures for the probe to be considered failed after having succeeded.                 | `3`             |
+| `deployment.athensProxy.readinessProbe.initialDelaySeconds` | Number of seconds after the container has started before liveness probes are initiated.                    | `5`             |
+| `deployment.athensProxy.readinessProbe.periodSeconds`       | How often (in seconds) to perform the probe.                                                               | `15`            |
+| `deployment.athensProxy.readinessProbe.successThreshold`    | Minimum consecutive successes for the probe to be considered successful after having failed.               | `1`             |
+| `deployment.athensProxy.readinessProbe.timeoutSeconds`      | Number of seconds after which the probe times out.                                                         | `3`             |
+| `deployment.athensProxy.resources`                          | CPU and memory resources of the pod.                                                                       | `{}`            |
+| `deployment.athensProxy.securityContext`                    | Security context of the container of the deployment.                                                       | `{}`            |
+| `deployment.athensProxy.volumeMounts`                       | Additional volume mounts.                                                                                  | `[]`            |
+| `deployment.nodeSelector`                                   | NodeSelector of the athens-proxy deployment.                                                               | `{}`            |
+| `deployment.priorityClassName`                              | PriorityClassName of the athens-proxy deployment.                                                          | `""`            |
+| `deployment.replicas`                                       | Number of replicas for the athens-proxy deployment.                                                        | `1`             |
+| `deployment.restartPolicy`                                  | Restart policy of the athens-proxy deployment.                                                             | `""`            |
+| `deployment.securityContext`                                | Security context of the athens-proxy deployment.                                                           | `{}`            |
+| `deployment.strategy.type`                                  | Strategy type - `Recreate` or `RollingUpdate`.                                                             | `RollingUpdate` |
+| `deployment.strategy.rollingUpdate.maxSurge`                | The maximum number of pods that can be scheduled above the desired number of pods during a rolling update. | `1`             |
+| `deployment.strategy.rollingUpdate.maxUnavailable`          | The maximum number of pods that can be unavailable during a rolling update.                                | `1`             |
+| `deployment.terminationGracePeriodSeconds`                  | How long to wait until forcefully kill the pod.                                                            | `60`            |
+| `deployment.tolerations`                                    | Tolerations of the athens-proxy deployment.                                                                | `[]`            |
+| `deployment.topologySpreadConstraints`                      | TopologySpreadConstraints of the athens-proxy deployment.                                                  | `[]`            |
+| `deployment.volumes`                                        | Additional volumes to mount into the pods of the athens-proxy deployment.                                  | `[]`            |
+
+### GatewayAPI
+
+| Name                                                        | Description                                                                                                                                                                                         | Value   |
+| ----------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------- |
+| `gatewayAPI.enabled`                                        | Enable the Gateway API resources. Requires Kubernetes v1.19 or higher, the CRD's and a compatible gateway controller.                                                                               | `false` |
+| `gatewayAPI.core.backendTLSPolicy.enabled`                  | Enable the BackendTLSPolicy resource. Requires also `gatewayAPI.enabled` to be `true`.                                                                                                              | `false` |
+| `gatewayAPI.core.backendTLSPolicy.annotations`              | Additional annotations for the BackendTLSPolicy.                                                                                                                                                    | `{}`    |
+| `gatewayAPI.core.backendTLSPolicy.labels`                   | Additional labels for the BackendTLSPolicy.                                                                                                                                                         | `{}`    |
+| `gatewayAPI.core.backendTLSPolicy.validation`               | Validation configuration for the BackendTLSPolicy. For example, you can specify a trusted CA certificate to validate the TLS connection between the gateway and the athens-proxy pod.               | `{}`    |
+| `gatewayAPI.core.httpRoute.enabled`                         | Enable the HTTPRoute resource. Requires also `gatewayAPI.enabled` and `service.enabled` to be `true`.                                                                                               | `false` |
+| `gatewayAPI.core.httpRoute.annotations`                     | Additional annotations for the HTTPRoute.                                                                                                                                                           | `{}`    |
+| `gatewayAPI.core.httpRoute.labels`                          | Additional labels for the HTTPRoute.                                                                                                                                                                | `{}`    |
+| `gatewayAPI.core.httpRoute.hostnames`                       | Hostnames for the HTTPRoute.                                                                                                                                                                        | `[]`    |
+| `gatewayAPI.core.httpRoute.parentRefs`                      | ParentRefs for the HTTPRoute. You can specify parentRefs to bind the HTTPRoute to specific Gateway resources.                                                                                       | `[]`    |
+| `gatewayAPI.nginx.clientSettingsPolicy.enabled`             | Enable the ClientSettingsPolicy resource. Requires also `gatewayAPI.enabled` to be `true`.                                                                                                          | `false` |
+| `gatewayAPI.nginx.clientSettingsPolicy.annotations`         | Additional annotations for the ClientSettingsPolicy.                                                                                                                                                | `{}`    |
+| `gatewayAPI.nginx.clientSettingsPolicy.labels`              | Additional labels for the ClientSettingsPolicy.                                                                                                                                                     | `{}`    |
+| `gatewayAPI.nginx.clientSettingsPolicy.clientMaxBodySize`   | ClientMaxBodySize sets the maximum allowed size of the client request body. If not specified, the default of the nginx gateway controller is used.                                                  | `""`    |
+| `gatewayAPI.nginx.clientSettingsPolicy.clientBodyTimeout`   | ClientBodyTimeout sets the timeout for reading the client request body. If not specified, the default of the nginx gateway controller is used.                                                      | `""`    |
+| `gatewayAPI.nginx.clientSettingsPolicy.keepaliveRequests`   | KeepaliveRequests sets the maximum number of requests that can be served through one keepalive connection. If not specified, the default of the nginx gateway controller is used.                   | `nil`   |
+| `gatewayAPI.nginx.clientSettingsPolicy.keepaliveTime`       | KeepaliveTime sets the time a keepalive connection is kept open. If not specified, the default of the nginx gateway controller is used.                                                             | `""`    |
+| `gatewayAPI.nginx.clientSettingsPolicy.keepaliveTimeout`    | KeepaliveTimeout sets the time a client has to wait for the response of a request until the connection is closed. If not specified, the default of the nginx gateway controller is used.            | `""`    |
+| `gatewayAPI.nginx.clientSettingsPolicy.keepaliveMinTimeout` | KeepaliveMinTimeout sets the minimum time a client has to wait for the response of a request until the connection is closed. If not specified, the default of the nginx gateway controller is used. | `""`    |
+
+### Horizontal Pod Autoscaler (HPA)
+
+| Name              | Description                                                                                        | Value       |
+| ----------------- | -------------------------------------------------------------------------------------------------- | ----------- |
+| `hpa.enabled`     | Enable the horizontal pod autoscaler (HPA).                                                        | `false`     |
+| `hpa.annotations` | Additional annotations for the HPA.                                                                | `{}`        |
+| `hpa.labels`      | Additional labels for the HPA.                                                                     | `{}`        |
+| `hpa.metrics`     | Metrics contains the specifications for which to use to calculate the desired replica count.       | `undefined` |
+| `hpa.minReplicas` | Min replicas is the lower limit for the number of replicas to which the autoscaler can scale down. | `1`         |
+| `hpa.maxReplicas` | Upper limit for the number of pods that can be set by the autoscaler.                              | `10`        |
+
+### Ingress
+
+| Name                  | Description                                                                              | Value   |
+| --------------------- | ---------------------------------------------------------------------------------------- | ------- |
+| `ingress.enabled`     | Enable creation of an ingress resource. Requires, that the http service is also enabled. | `false` |
+| `ingress.className`   | Ingress class.                                                                           | `nginx` |
+| `ingress.annotations` | Additional ingress annotations.                                                          | `{}`    |
+| `ingress.labels`      | Additional ingress labels.                                                               | `{}`    |
+| `ingress.hosts`       | Ingress specific configuration.                                                          | `[]`    |
+| `ingress.tls`         | Ingress TLS settings.                                                                    | `[]`    |
+
+### Persistence
+
+| Name                                                                       | Description                                                                                                                                                                                                             | Value                        |
+| -------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------- |
+| `persistence.enabled`                                                      | Enable the feature to store the data on a persistent volume claim. If enabled, the volume will be automatically be mounted into the pod. Furthermore, the env `ATHENS_STORAGE_TYPE=disk` will automatically be defined. | `false`                      |
+| `persistence.data.mountPath`                                               | The path where the persistent volume should be mounted in the container file system. This variable controls `ATHENS_DISK_STORAGE_ROOT`.                                                                                 | `/var/www/athens-proxy/data` |
+| `persistence.data.existingPersistentVolumeClaim.enabled`                   | Use an existing persistent volume claim.                                                                                                                                                                                | `false`                      |
+| `persistence.data.existingPersistentVolumeClaim.persistentVolumeClaimName` | The name of the existing persistent volume claim.                                                                                                                                                                       | `""`                         |
+| `persistence.data.persistentVolumeClaim.annotations`                       | Additional persistent volume claim annotations.                                                                                                                                                                         | `{}`                         |
+| `persistence.data.persistentVolumeClaim.labels`                            | Additional persistent volume claim labels.                                                                                                                                                                              | `{}`                         |
+| `persistence.data.persistentVolumeClaim.accessModes`                       | Access modes of the persistent volume claim.                                                                                                                                                                            | `["ReadWriteMany"]`          |
+| `persistence.data.persistentVolumeClaim.storageClassName`                  | Storage class of the persistent volume claim.                                                                                                                                                                           | `""`                         |
+| `persistence.data.persistentVolumeClaim.storageSize`                       | Size of the persistent volume claim.                                                                                                                                                                                    | `5Gi`                        |
+
+### Network
+
+| Name            | Description                                                              | Value           |
+| --------------- | ------------------------------------------------------------------------ | --------------- |
+| `clusterDomain` | Domain of the Cluster. Domain is part of internally issued certificates. | `cluster.local` |
+
+### Network Policy
+
+| Name                        | Description                                                               | Value   |
+| --------------------------- | ------------------------------------------------------------------------- | ------- |
+| `networkPolicy.enabled`     | Enable network policies in general.                                       | `false` |
+| `networkPolicy.annotations` | Additional network policy annotations.                                    | `{}`    |
+| `networkPolicy.labels`      | Additional network policy labels.                                         | `{}`    |
+| `networkPolicy.policyTypes` | List of policy types. Supported is ingress, egress or ingress and egress. | `[]`    |
+| `networkPolicy.egress`      | Concrete egress network policy implementation.                            | `[]`    |
+| `networkPolicy.ingress`     | Concrete ingress network policy implementation.                           | `[]`    |
+
+### Service
+
+| Name                               | Description                                                                                                                                                                                                | Value       |
+| ---------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------- |
+| `service.enabled`                  | Enable the service.                                                                                                                                                                                        | `true`      |
+| `service.annotations`              | Additional service annotations.                                                                                                                                                                            | `{}`        |
+| `service.externalIPs`              | External IPs for the service.                                                                                                                                                                              | `[]`        |
+| `service.externalTrafficPolicy`    | If `service.type` is `NodePort` or `LoadBalancer`, set this to `Local` to tell kube-proxy to only use node local endpoints for cluster external traffic. Furthermore, this enables source IP preservation. | `Cluster`   |
+| `service.internalTrafficPolicy`    | If `service.type` is `NodePort` or `LoadBalancer`, set this to `Local` to tell kube-proxy to only use node local endpoints for cluster internal traffic.                                                   | `Cluster`   |
+| `service.ipFamilies`               | IPFamilies is list of IP families (e.g. `IPv4`, `IPv6`) assigned to this service. This field is usually assigned automatically based on cluster configuration and only required for customization.         | `[]`        |
+| `service.labels`                   | Additional service labels.                                                                                                                                                                                 | `{}`        |
+| `service.loadBalancerClass`        | LoadBalancerClass is the class of the load balancer implementation this Service belongs to. Requires service from type `LoadBalancer`.                                                                     | `""`        |
+| `service.loadBalancerIP`           | LoadBalancer will get created with the IP specified in this field. Requires service from type `LoadBalancer`.                                                                                              | `""`        |
+| `service.loadBalancerSourceRanges` | Source range filter for LoadBalancer. Requires service from type `LoadBalancer`.                                                                                                                           | `[]`        |
+| `service.port`                     | Port to forward the traffic to.                                                                                                                                                                            | `3000`      |
+| `service.sessionAffinity`          | Supports `ClientIP` and `None`. Enable client IP based session affinity via `ClientIP`.                                                                                                                    | `None`      |
+| `service.sessionAffinityConfig`    | Contains the configuration of the session affinity.                                                                                                                                                        | `{}`        |
+| `service.type`                     | Kubernetes service type for the traffic.                                                                                                                                                                   | `ClusterIP` |
+
+### ServiceAccount
+
+| Name                                              | Description                                                                                                                                         | Value   |
+| ------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------- | ------- |
+| `serviceAccount.existing.enabled`                 | Use an existing service account instead of creating a new one. Assumes that the user has all the necessary kubernetes API authorizations.           | `false` |
+| `serviceAccount.existing.serviceAccountName`      | Name of the existing service account.                                                                                                               | `""`    |
+| `serviceAccount.new.annotations`                  | Additional service account annotations.                                                                                                             | `{}`    |
+| `serviceAccount.new.labels`                       | Additional service account labels.                                                                                                                  | `{}`    |
+| `serviceAccount.new.automountServiceAccountToken` | Enable/disable auto mounting of the service account token.                                                                                          | `true`  |
+| `serviceAccount.new.imagePullSecrets`             | ImagePullSecrets is a list of references to secrets in the same namespace to use for pulling any images in pods that reference this serviceAccount. | `[]`    |
+| `serviceAccount.new.secrets`                      | Secrets is the list of secrets allowed to be used by pods running using this ServiceAccount.                                                        | `[]`    |

artifacthub-repo.yml

@@ -0,0 +1 @@
+repositoryID: 4c206fe5-b83a-457a-bcad-7dd664f8b70c

examples/configmap.yaml

@@ -1,12 +0,0 @@
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: custom-configs
-data:
-  sshconfig: |
-    Host github.com
-      IdentityFile /root/.ssh/id_ed25519
-      StrictHostKeyChecking no
-  gitconfig: |
-    [url "git@github.com:"]
-      insteadOf = https://github.com/

examples/secret.yaml

@@ -1,26 +0,0 @@
-apiVersion: v1
-kind: Secret
-metadata:
-  name: custom-ssh-keys
-type: Opaque
-stringData:
-  id_ed25519: |
-    -----BEGIN OPENSSH PRIVATE KEY-----
-    b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
-    QyNTUxOQAAACCpf/10TWlksg6/5mZF067fTGvW71I5QVJEp/nyC8hVHgAAAJgwWWNdMFlj
-    XQAAAAtzc2gtZWQyNTUxOQAAACCpf/10TWlksg6/5mZF067fTGvW71I5QVJEp/nyC8hVHg
-    AAAEDzTPitanzgl6iThoFCx8AXwsGLS5Q+3+K66ZOmN0p6+6l//XRNaWSyDr/mZkXTrt9M
-    a9bvUjlBUkSn+fILyFUeAAAAEG1hcmt1c0BtYXJrdXMtcGMBAgMEBQ==
-    -----END OPENSSH PRIVATE KEY-----
-  id_ed25519.pub: |
-    ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKl//XRNaWSyDr/mZkXTrt9Ma9bvUjlBUkSn+fILyFUe
----
-apiVersion: v1
-kind: Secret
-metadata:
-  name: custom-netrc
-type: Opaque
-stringData:
-  netrc: |
-    machine github.com login USERNAME password API-KEY
-    machine gitlab.com login USERNAME password API-KEY

package.json

@@ -16,6 +16,6 @@
   "devDependencies": {
     "@bitnami/readme-generator-for-helm": "^2.5.0",
     "markdown-link-check": "^3.13.6",
-    "markdownlint-cli": "^0.45.0"
+    "markdownlint-cli": "^0.48.0"
   }
 }

renovate.json

@@ -9,6 +9,7 @@
   ],
   "customManagers": [
     {
+      "customType": "regex",
       "fileMatch": [
         "^Chart\\.yaml$"
       ],
@@ -21,6 +22,7 @@
       "versioningTemplate": "semver"
     },
     {
+      "customType": "regex",
       "fileMatch": ["^README\\.md$"],
       "matchStrings": [
         "VERSION=(?<currentValue>.*)"
@@ -29,9 +31,33 @@
       "packageNameTemplate": "https://git.cryptic.systems/volker.raschek/athens-proxy-charts",
       "datasourceTemplate": "git-tags",
       "versioningTemplate": "semver"
+    },
+    {
+      "customType": "regex",
+      "datasourceTemplate": "github-releases",
+      "fileMatch": [
+        ".vscode/settings\\.json$"
+      ],
+      "matchStrings": [
+        "https:\\/\\/raw\\.githubusercontent\\.com\\/(?<depName>[^\\s]+?)\\/(?<currentValue>v[0-9.]+?)\\/schema\\/helm-testsuite\\.json"
+      ]
     }
   ],
   "packageRules": [
+    {
+      "groupName": "Update docker.io/volkerraschek/helm",
+      "matchDepNames": [
+        "docker.io/volkerraschek/helm",
+        "volkerraschek/helm"
+      ]
+    },
+    {
+      "groupName": "Update docker.io/library/node",
+      "matchDepNames": [
+        "docker.io/library/node",
+        "library/node"
+      ]
+    },
     {
       "addLabels": [
         "renovate/automerge",

templates/_backendTLSPolicies.tpl

@@ -0,0 +1,32 @@
+{{/* vim: set filetype=mustache: */}}
+
+{{/* annotations */}}
+
+{{- define "athens-proxy.backendTLSPolicy.annotations" -}}
+{{ include "athens-proxy.annotations" . }}
+{{- if .Values.gatewayAPI.core.backendTLSPolicy.annotations }}
+{{ toYaml .Values.gatewayAPI.core.backendTLSPolicy.annotations }}
+{{- end }}
+{{- end }}
+
+{{/* enabled */}}
+
+{{- define "athens-proxy.backendTLSPolicy.enabled" -}}
+{{- if and .Values.gatewayAPI.enabled
+           .Values.gatewayAPI.core.backendTLSPolicy.enabled
+           .Values.service.enabled
+-}}
+true
+{{- else -}}
+false
+{{- end -}}
+{{- end }}
+
+{{/* labels */}}
+
+{{- define "athens-proxy.backendTLSPolicy.labels" -}}
+{{ include "athens-proxy.labels" . }}
+{{- if .Values.gatewayAPI.core.backendTLSPolicy.labels }}
+{{ toYaml .Values.gatewayAPI.core.backendTLSPolicy.labels }}
+{{- end }}
+{{- end }}

templates/_certificates.tpl

@@ -0,0 +1,25 @@
+{{/* vim: set filetype=mustache: */}}
+
+{{/* annotations */}}
+
+{{- define "athens-proxy.certificates.server.annotations" -}}
+{{ include "athens-proxy.annotations" . }}
+{{- if .Values.certificate.new.annotations }}
+{{ toYaml .Values.certificate.new.annotations }}
+{{- end }}
+{{- end }}
+
+{{/* labels */}}
+
+{{- define "athens-proxy.certificates.server.labels" -}}
+{{ include "athens-proxy.labels" . }}
+{{- if .Values.certificate.new.labels }}
+{{ toYaml .Values.certificate.new.labels }}
+{{- end }}
+{{- end }}
+
+{{/* names */}}
+
+{{- define "athens-proxy.certificates.server.name" -}}
+{{ include "athens-proxy.fullname" . }}-tls
+{{- end -}}

templates/_clientSettingsPolicies.tpl

@@ -0,0 +1,31 @@
+{{/* vim: set filetype=mustache: */}}
+
+{{/* annotations */}}
+
+{{- define "athens-proxy.clientSettingsPolicy.annotations" -}}
+{{ include "athens-proxy.annotations" . }}
+{{- if .Values.gatewayAPI.nginx.clientSettingsPolicy.annotations }}
+{{ toYaml .Values.gatewayAPI.nginx.clientSettingsPolicy.annotations }}
+{{- end }}
+{{- end }}
+
+{{/* enabled */}}
+
+{{- define "athens-proxy.clientSettingsPolicy.enabled" -}}
+{{- if and (eq (include "athens-proxy.httpRoute.enabled" $) "true")
+           .Values.gatewayAPI.nginx.clientSettingsPolicy.enabled
+-}}
+true
+{{- else -}}
+false
+{{- end -}}
+{{- end }}
+
+{{/* labels */}}
+
+{{- define "athens-proxy.clientSettingsPolicy.labels" -}}
+{{ include "athens-proxy.labels" . }}
+{{- if .Values.gatewayAPI.nginx.clientSettingsPolicy.labels }}
+{{ toYaml .Values.gatewayAPI.nginx.clientSettingsPolicy.labels }}
+{{- end }}
+{{- end }}

templates/_configMaps.tpl

@@ -34,6 +34,10 @@
 
 {{/* name */}}
 
+{{- define "athens-proxy.configMap.downloadMode.name" -}}
+{{ include "athens-proxy.fullname" . }}-download-mode-file
+{{- end }}
+
 {{- define "athens-proxy.configMap.gitConfig.name" -}}
 {{ include "athens-proxy.fullname" . }}-gitconfig
 {{- end }}

templates/_deployments.tpl

@@ -0,0 +1,279 @@
+{{/* vim: set filetype=mustache: */}}
+
+{{/* annotations */}}
+
+{{- define "athens-proxy.deployment.annotations" -}}
+{{ include "athens-proxy.annotations" . }}
+{{- if .Values.deployment.annotations }}
+{{ toYaml .Values.deployment.annotations }}
+{{- end }}
+{{- end }}
+
+{{/* env */}}
+
+{{- define "athens-proxy.deployment.env" -}}
+{{- $env := .Values.deployment.athensProxy.env | default (list) }}
+
+{{- if and .Values.persistence.enabled }}
+{{- $env = concat $env (list (dict "name" "ATHENS_STORAGE_TYPE" "value" "disk") (dict "name" "ATHENS_DISK_STORAGE_ROOT" "value" .Values.persistence.data.mountPath)) }}
+{{- end }}
+
+{{- if .Values.config.downloadMode.enabled }}
+{{- $env = concat $env (list (dict "name" "ATHENS_DOWNLOAD_MODE" "value" "file:/etc/athens/config/download-mode.d/download-mode")) }}
+{{- end }}
+
+{{- if and (hasKey .Values.deployment.athensProxy.resources "limits") (hasKey .Values.deployment.athensProxy.resources.limits "cpu") }}
+{{- $env = concat $env (list (dict "name" "GOMAXPROCS" "valueFrom" (dict "resourceFieldRef" (dict "divisor" "1" "resource" "limits.cpu")))) }}
+{{- end }}
+
+{{- if .Values.certificate.enabled }}
+{{- $env = concat $env (list
+      (dict "name" "ATHENS_TLSCERT_FILE" "value" "/etc/athens-proxy/tls/tls.crt")
+      (dict "name" "ATHENS_TLSKEY_FILE" "value" "/etc/athens-proxy/tls/tls.key")
+    ) }}
+{{- end }}
+
+{{ toYaml (dict "env" $env) }}
+
+{{- end -}}
+
+
+{{/* envFrom */}}
+
+{{- define "athens-proxy.deployment.envFrom" -}}
+{{- $envFrom := .Values.deployment.athensProxy.envFrom | default (list) }}
+
+{{- if .Values.config.env.enabled }}
+{{- $secretName := include "athens-proxy.secrets.env.name" $ }}
+{{- if and .Values.config.env.existingSecret.enabled (gt (len .Values.config.env.existingSecret.secretName) 0)}}
+{{- $secretName = .Values.config.env.existingSecret.secretName }}
+{{- end }}
+{{- $envFrom = concat $envFrom (list (dict "secretRef" (dict "name" $secretName))) }}
+{{- end }}
+
+{{ toYaml (dict "envFrom" $envFrom) }}
+
+{{- end -}}
+
+{{/* image */}}
+
+{{- define "athens-proxy.deployment.images.athens-proxy.fqin" -}}
+{{- $registry := .Values.deployment.athensProxy.image.registry -}}
+{{- $repository := .Values.deployment.athensProxy.image.repository -}}
+{{- $tag := default .Chart.AppVersion .Values.deployment.athensProxy.image.tag -}}
+{{- printf "%s/%s:%s" $registry $repository $tag -}}
+{{- end -}}
+
+{{/* labels */}}
+
+{{- define "athens-proxy.deployment.labels" -}}
+{{ include "athens-proxy.labels" . }}
+{{- if .Values.deployment.labels }}
+{{ toYaml .Values.deployment.labels }}
+{{- end }}
+{{- end }}
+
+{{/* serviceAccount */}}
+
+{{- define "athens-proxy.deployment.serviceAccount" -}}
+{{- if .Values.serviceAccount.existing.enabled -}}
+{{- printf "%s" .Values.serviceAccount.existing.serviceAccountName -}}
+{{- else -}}
+{{- include "athens-proxy.fullname" . -}}
+{{- end -}}
+{{- end }}
+
+{{/* volumeMounts */}}
+
+{{- define "athens-proxy.deployment.volumeMounts" -}}
+{{- $volumeMounts := .Values.deployment.athensProxy.volumeMounts | default (list) }}
+
+{{- if .Values.persistence.enabled }}
+{{- $volumeMounts = concat $volumeMounts (list (dict "name" "data" "mountPath" .Values.persistence.data.mountPath)) }}
+{{- end }}
+
+{{/* volumes (download mode) */}}
+{{- if .Values.config.downloadMode.enabled }}
+{{- $volumeMounts = concat $volumeMounts (list (dict "name" "download-mode" "mountPath" "/etc/athens/config/download-mode.d" )) }}
+{{- end }}
+
+{{/* volumeMount (git config) */}}
+{{- if .Values.config.gitConfig.enabled }}
+{{- $volumeMounts = concat $volumeMounts (list (dict "name" "secrets" "mountPath" "/root/.gitconfig" "subPath" ".gitconfig" )) }}
+{{- end }}
+
+{{/* volumeMount (netrc) */}}
+{{- if .Values.config.netrc.enabled }}
+{{- $volumeMounts = concat $volumeMounts (list (dict "name" "secrets" "mountPath" "/root/.netrc" "subPath" ".netrc" )) }}
+{{- end }}
+
+{{/* volumeMount (ssh) */}}
+{{- if and .Values.config.ssh.enabled }}
+{{- if or (and (not .Values.config.ssh.existingSecret.enabled) (gt (len .Values.config.ssh.secret.config) 0)) (and .Values.config.ssh.existingSecret.enabled (gt (len .Values.config.ssh.existingSecret.configKey) 0)) }}
+{{- $volumeMounts = concat $volumeMounts (list (dict "name" "secrets" "mountPath" "/root/.ssh/config" "subPath" "config" )) }}
+{{- end }}
+
+{{- if or (and (not .Values.config.ssh.existingSecret.enabled) (gt (len .Values.config.ssh.secret.id_ed25519) 0)) (and .Values.config.ssh.existingSecret.enabled (gt (len .Values.config.ssh.existingSecret.id_ed25519Key) 0)) }}
+{{- $volumeMounts = concat $volumeMounts (list (dict "name" "secrets" "mountPath" "/root/.ssh/id_ed25519" "subPath" "id_ed25519" )) }}
+{{- end }}
+
+{{- if or (and (not .Values.config.ssh.existingSecret.enabled) (gt (len .Values.config.ssh.secret.id_ed25519_pub) 0)) (and .Values.config.ssh.existingSecret.enabled (gt (len .Values.config.ssh.existingSecret.id_ed25519PubKey) 0)) }}
+{{- $volumeMounts = concat $volumeMounts (list (dict "name" "secrets" "mountPath" "/root/.ssh/id_ed25519.pub" "subPath" "id_ed25519.pub" )) }}
+{{- end }}
+
+{{- if or (and (not .Values.config.ssh.existingSecret.enabled) (gt (len .Values.config.ssh.secret.id_rsa) 0)) (and .Values.config.ssh.existingSecret.enabled (gt (len .Values.config.ssh.existingSecret.id_rsaKey) 0)) }}
+{{- $volumeMounts = concat $volumeMounts (list (dict "name" "secrets" "mountPath" "/root/.ssh/id_rsa" "subPath" "id_rsa" )) }}
+{{- end }}
+
+{{- if or (and (not .Values.config.ssh.existingSecret.enabled) (gt (len .Values.config.ssh.secret.id_rsa_pub) 0)) (and .Values.config.ssh.existingSecret.enabled (gt (len .Values.config.ssh.existingSecret.id_rsaPubKey) 0)) }}
+{{- $volumeMounts = concat $volumeMounts (list (dict "name" "secrets" "mountPath" "/root/.ssh/id_rsa.pub" "subPath" "id_rsa.pub" )) }}
+{{- end }}
+
+{{- end }}
+
+
+{{/* volumeMounts (tls) */}}
+{{- if .Values.certificate.enabled }}
+{{- $volumeMounts = concat $volumeMounts (list (dict "name" "tls" "mountPath" "/etc/athens-proxy/tls" )) }}
+{{- end }}
+
+{{ toYaml (dict "volumeMounts" $volumeMounts) }}
+{{- end -}}
+
+{{/* volumes */}}
+
+{{- define "athens-proxy.deployment.volumes" -}}
+{{- $volumes := .Values.deployment.volumes | default (list) }}
+
+
+{{/* volumes (data) */}}
+{{- if .Values.persistence.enabled }}
+{{- $claimName := include "athens-proxy.persistentVolumeClaim.data.name" $ }}
+{{- if .Values.persistence.data.existingPersistentVolumeClaim.enabled }}
+{{- $claimName = .Values.persistence.data.existingPersistentVolumeClaim.persistentVolumeClaimName }}
+{{- end }}
+{{- $volumes = concat $volumes (list (dict "name" "data" "persistentVolumeClaim" (dict "claimName" $claimName))) }}
+{{- end }}
+
+
+{{/* volumes (download mode) */}}
+{{- if .Values.config.downloadMode.enabled }}
+{{- $itemList := list (dict "key" "downloadMode" "path" "download-mode" "mode" 0644) }}
+{{- $configMapName := include "athens-proxy.configMap.downloadMode.name" $ }}
+{{- if and .Values.config.downloadMode.existingConfigMap.enabled (gt (len .Values.config.downloadMode.existingConfigMap.configMapName) 0) }}
+{{- $itemList = list (dict "key" .Values.config.downloadMode.existingConfigMap.downloadModeKey "path" "download-mode" "mode" 0644) }}
+{{- $configMapName = .Values.config.downloadMode.existingConfigMap.configMapName }}
+{{- end }}
+{{- $volumes = concat $volumes (list (dict "name" "download-mode" "configMap" (dict "name" $configMapName "items" $itemList))) }}
+{{- end }}
+
+
+{{/* volumes (git config) */}}
+{{- $projectedSecretSources := list -}}
+
+{{- if .Values.config.gitConfig.enabled }}
+{{- $itemList := list (dict "key" ".gitconfig" "path" ".gitconfig" "mode" 0644) }}
+{{- $configMapName := include "athens-proxy.configMap.gitConfig.name" . }}
+{{- if .Values.config.gitConfig.existingConfigMap.enabled }}
+{{- $itemList = list (dict "key" .Values.config.gitConfig.existingConfigMap.gitConfigKey "path" ".gitconfig" "mode" 0644) }}
+{{- $configMapName = .Values.config.gitConfig.existingConfigMap.configMapName }}
+{{- end }}
+{{- $projectedSecretSources = concat $projectedSecretSources (list (dict "configMap" (dict "name" $configMapName "items" $itemList))) }}
+
+{{- end }}
+
+{{/* volumes (netrc) */}}
+
+{{- if .Values.config.netrc.enabled }}
+{{- $itemList := list (dict "key" ".netrc" "path" ".netrc" "mode" 0600) }}
+{{- $secretName := include "athens-proxy.secrets.netrc.name" . }}
+{{- if .Values.config.netrc.existingSecret.enabled }}
+{{- $itemList = list (dict "key" .Values.config.netrc.existingSecret.netrcKey "path" ".netrc" "mode" 0600) }}
+{{- $secretName = .Values.config.netrc.existingSecret.secretName }}
+{{- end }}
+{{- $projectedSecretSources = concat $projectedSecretSources (list (dict "secret" (dict "name" $secretName "items" $itemList))) }}
+
+{{- end }}
+
+{{/* volumes (ssh) */}}
+{{- if .Values.config.ssh.enabled }}
+
+{{- $itemList := list -}}
+{{- $secretName := include "athens-proxy.secrets.ssh.name" . }}
+
+{{- if and .Values.config.ssh.existingSecret.enabled .Values.config.ssh.existingSecret.secretName }}
+{{- $secretName = .Values.config.ssh.existingSecret.secretName }}
+
+{{- if gt (len .Values.config.ssh.existingSecret.configKey) 0 }}
+{{- $configItem := dict "key" .Values.config.ssh.existingSecret.configKey "path" "config" "mode" 0600 }}
+{{- $itemList = concat $itemList (list $configItem) }}
+{{- end }}
+
+{{- if gt (len .Values.config.ssh.existingSecret.id_ed25519Key) 0 }}
+{{- $idED25519Item := dict "key" .Values.config.ssh.existingSecret.id_ed25519Key "path" "id_ed25519" "mode" 0600 }}
+{{- $itemList = concat $itemList (list $idED25519Item) }}
+{{- end }}
+
+{{- if gt (len .Values.config.ssh.existingSecret.id_ed25519PubKey) 0 }}
+{{- $idED25519PubItem := dict "key" .Values.config.ssh.existingSecret.id_ed25519PubKey "path" "id_ed25519.pub" "mode" 0644 }}
+{{- $itemList = concat $itemList (list $idED25519PubItem) }}
+{{- end }}
+
+{{- if gt (len .Values.config.ssh.existingSecret.id_rsaKey) 0 }}
+{{- $idRSAItem := dict "key" .Values.config.ssh.existingSecret.id_rsaKey "path" "id_rsa" "mode" 0600 }}
+{{- $itemList = concat $itemList (list $idRSAItem) }}
+{{- end }}
+
+{{- if gt (len .Values.config.ssh.existingSecret.id_rsaPubKey) 0 }}
+{{- $idRSAPubItem := dict "key" .Values.config.ssh.existingSecret.id_rsaPubKey "path" "id_rsa.pub" "mode" 0644 }}
+{{- $itemList = concat $itemList (list $idRSAPubItem) }}
+{{- end }}
+{{- end }}
+
+{{- if not .Values.config.ssh.existingSecret.enabled }}
+{{- if gt (len .Values.config.ssh.secret.config) 0 }}
+{{- $configItem := dict "key" "config" "path" "config" "mode" 0600 }}
+{{- $itemList = concat $itemList (list $configItem) }}
+{{- end }}
+
+{{- if gt (len .Values.config.ssh.secret.id_ed25519) 0 }}
+{{- $idED25519Item := dict "key" "id_ed25519" "path" "id_ed25519" "mode" 0600 }}
+{{- $itemList = concat $itemList (list $idED25519Item) }}
+{{- end }}
+
+{{- if gt (len .Values.config.ssh.secret.id_ed25519_pub) 0 }}
+{{- $idED25519PubItem := dict "key" "id_ed25519.pub" "path" "id_ed25519.pub" "mode" 0644 }}
+{{- $itemList = concat $itemList (list $idED25519PubItem) }}
+{{- end }}
+
+{{- if gt (len .Values.config.ssh.secret.id_rsa) 0 }}
+{{- $idRSAItem := dict "key" "id_rsa" "path" "id_rsa" "mode" 0600 }}
+{{- $itemList = concat $itemList (list $idRSAItem) }}
+{{- end }}
+
+{{- if gt (len .Values.config.ssh.secret.id_rsa_pub) 0 }}
+{{- $idRSAPubItem := dict "key" "id_rsa.pub" "path" "id_rsa.pub" "mode" 0644 }}
+{{- $itemList = concat $itemList (list $idRSAPubItem) }}
+{{- end }}
+{{- end }}
+
+{{- $projectedSecretSources = concat $projectedSecretSources (list (dict "secret" (dict "name" $secretName "items" $itemList))) }}
+{{- end }}
+
+{{- if gt (len $projectedSecretSources) 0 }}
+{{- $projectedSecretVolume := dict "name" "secrets" "projected" (dict "sources" $projectedSecretSources) }}
+{{- $volumes = concat $volumes (list $projectedSecretVolume) }}
+{{- end }}
+
+{{/* volumes (tls) */}}
+{{- if .Values.certificate.enabled }}
+{{- $secretName := include "athens-proxy.certificates.server.name" $ }}
+{{- if .Values.certificate.existingSecret.enabled }}
+{{- $secretName := .Values.certificate.existingSecret.secretName }}
+{{- end }}
+{{- $volumes = concat $volumes (list (dict "name" "tls" "secret" (dict "secretName" $secretName))) }}
+{{- end }}
+
+
+{{ toYaml (dict "volumes" $volumes) }}
+{{- end -}}

templates/_httpRoutes.tpl

@@ -0,0 +1,32 @@
+{{/* vim: set filetype=mustache: */}}
+
+{{/* annotations */}}
+
+{{- define "athens-proxy.httpRoute.annotations" -}}
+{{ include "athens-proxy.annotations" . }}
+{{- if .Values.gatewayAPI.core.httpRoute.annotations }}
+{{ toYaml .Values.gatewayAPI.core.httpRoute.annotations }}
+{{- end }}
+{{- end }}
+
+{{/* enabled */}}
+
+{{- define "athens-proxy.httpRoute.enabled" -}}
+{{- if and .Values.gatewayAPI.enabled
+           .Values.gatewayAPI.core.httpRoute.enabled
+           .Values.service.enabled
+-}}
+true
+{{- else -}}
+false
+{{- end -}}
+{{- end }}
+
+{{/* labels */}}
+
+{{- define "athens-proxy.httpRoute.labels" -}}
+{{ include "athens-proxy.labels" . }}
+{{- if .Values.gatewayAPI.core.httpRoute.labels }}
+{{ toYaml .Values.gatewayAPI.core.httpRoute.labels }}
+{{- end }}
+{{- end }}

templates/_networkPolicies.tpl

@@ -0,0 +1,19 @@
+{{/* vim: set filetype=mustache: */}}
+
+{{/* annotations */}}
+
+{{- define "athens-proxy.networkPolicy.annotations" -}}
+{{ include "athens-proxy.annotations" . }}
+{{- if .Values.networkPolicy.annotations }}
+{{ toYaml .Values.networkPolicy.annotations }}
+{{- end }}
+{{- end }}
+
+{{/* labels */}}
+
+{{- define "athens-proxy.networkPolicy.labels" -}}
+{{ include "athens-proxy.labels" . }}
+{{- if .Values.networkPolicy.labels }}
+{{ toYaml .Values.networkPolicy.labels }}
+{{- end }}
+{{- end }}

templates/_pods.tpl

@@ -0,0 +1,76 @@
+---
+
+{{/* annotations */}}
+
+{{- define "athens-proxy.pod.annotations" }}
+{{- include "athens-proxy.annotations" . }}
+{{- if and .Values.certificate.enabled .Values.certificate.addSHASumAnnotation }}
+{{- $secretName := include "athens-proxy.certificates.server.name" $ }}
+{{- if and .Values.certificate.existingSecret.enabled (gt (len .Values.certificate.existingSecret.secretName) 0) }}
+{{- $secretName = .Values.certificate.existingSecret.secretName }}
+{{- end }}
+{{- $secret := lookup "v1" "Secret" .Release.Namespace $secretName | toYaml }}
+{{ printf "checksum/secret-%s: %s" $secretName ($secret | sha256sum) }}
+{{- end }}
+
+{{- if and .Values.config.env.enabled .Values.config.env.addSHASumAnnotation }}
+{{- $secretName := include "athens-proxy.secrets.env.name" $ }}
+{{- $secret := include (print $.Template.BasePath "/secretEnv.yaml") $ }}
+{{- if and .Values.config.env.existingSecret.enabled (gt (len .Values.config.env.existingSecret.secretName) 0) }}
+{{- $secretName = .Values.config.env.existingSecret.secretName }}
+{{- $secret := lookup "v1" "Secret" .Release.Namespace $secretName | toYaml }}
+{{- end }}
+{{ printf "checksum/secret-%s: %s" $secretName ($secret | sha256sum) }}
+{{- end }}
+
+{{- if and .Values.config.downloadMode.enabled .Values.config.downloadMode.addSHASumAnnotation }}
+{{- $configMapName := include "athens-proxy.configMap.downloadMode.name" $ }}
+{{- $configMap := include (print $.Template.BasePath "/configMapDownloadMode.yaml") . }}
+{{- if and .Values.config.downloadMode.existingConfigMap.enabled (gt (len .Values.config.downloadMode.existingConfigMap.configMapName) 0) }}
+{{- $configMapName = .Values.config.downloadMode.existingConfigMap.configMapName }}
+{{- $configMap := lookup "v1" "ConfigMap" .Release.Namespace $configMapName | toYaml }}
+{{- end }}
+{{ printf "checksum/config-map-%s: %s" $configMapName ($configMap | sha256sum) }}
+{{- end }}
+
+{{- if and .Values.config.gitConfig.enabled .Values.config.gitConfig.addSHASumAnnotation }}
+{{- $configMapName := include "athens-proxy.configMap.gitConfig.name" $ }}
+{{- $configMap := include (print $.Template.BasePath "/configMapGitConfig.yaml") . }}
+{{- if and .Values.config.gitConfig.existingConfigMap.enabled (gt (len .Values.config.gitConfig.existingConfigMap.configMapName) 0) }}
+{{- $configMapName = .Values.config.gitConfig.existingConfigMap.configMapName }}
+{{- $configMap := lookup "v1" "ConfigMap" .Release.Namespace $configMapName | toYaml }}
+{{- end }}
+{{ printf "checksum/config-map-%s: %s" $configMapName ($configMap | sha256sum) }}
+{{- end }}
+
+{{- if and .Values.config.netrc.enabled .Values.config.netrc.addSHASumAnnotation }}
+{{- $secretName := include "athens-proxy.secrets.netrc.name" $ }}
+{{- $secret := include (print $.Template.BasePath "/secretNetRC.yaml") $ }}
+{{- if and .Values.config.netrc.existingSecret.enabled (gt (len .Values.config.netrc.existingSecret.secretName) 0) }}
+{{- $secretName = .Values.config.netrc.existingSecret.secretName }}
+{{- $secret := lookup "v1" "Secret" .Release.Namespace $secretName | toYaml }}
+{{- end }}
+{{ printf "checksum/secret-%s: %s" $secretName ($secret | sha256sum) }}
+{{- end }}
+
+{{- if and .Values.config.ssh.enabled .Values.config.ssh.addSHASumAnnotation }}
+{{- $secretName := include "athens-proxy.secrets.ssh.name" $ }}
+{{- $secret := include (print $.Template.BasePath "/secretSSH.yaml") $ }}
+{{- if and .Values.config.ssh.existingSecret.enabled (gt (len .Values.config.ssh.existingSecret.secretName) 0) }}
+{{- $secretName = .Values.config.ssh.existingSecret.secretName }}
+{{- $secret := lookup "v1" "Secret" .Release.Namespace $secretName | toYaml }}
+{{- end }}
+{{ printf "checksum/secret-%s: %s" $secretName ($secret | sha256sum) }}
+{{- end }}
+
+{{- end }}
+
+{{/* labels */}}
+
+{{- define "athens-proxy.pod.labels" -}}
+{{ include "athens-proxy.labels" . }}
+{{- end }}
+
+{{- define "athens-proxy.pod.selectorLabels" -}}
+{{ include "athens-proxy.selectorLabels" . }}
+{{- end }}

templates/_services.tpl

@@ -0,0 +1,29 @@
+{{/* vim: set filetype=mustache: */}}
+
+{{/* annotations */}}
+
+{{- define "athens-proxy.service.annotations" -}}
+{{ include "athens-proxy.annotations" . }}
+{{- if .Values.service.annotations }}
+{{ toYaml .Values.service.annotations }}
+{{- end }}
+{{- end }}
+
+{{/* labels */}}
+
+{{- define "athens-proxy.service.labels" -}}
+{{ include "athens-proxy.labels" . }}
+{{/* Add label to select the correct service via `selector.matchLabels` of the serviceMonitor resource. */}}
+app.kubernetes.io/service-name: http
+{{- if .Values.service.labels }}
+{{ toYaml .Values.service.labels }}
+{{- end }}
+{{- end }}
+
+{{/* names */}}
+
+{{- define "athens-proxy.service.name" -}}
+{{- if .Values.service.enabled -}}
+{{ include "athens-proxy.fullname" . }}
+{{- end -}}
+{{- end -}}

templates/athens-proxy/_deployment.tpl

@@ -1,118 +0,0 @@
-{{/* vim: set filetype=mustache: */}}
-
-{{/* annotations */}}
-
-{{- define "athens-proxy.deployment.annotations" -}}
-{{ include "athens-proxy.annotations" . }}
-{{- if .Values.deployment.annotations }}
-{{ toYaml .Values.deployment.annotations }}
-{{- end }}
-{{- end }}
-
-{{/* env */}}
-
-{{- define "athens-proxy.deployment.env" -}}
-{{- $env := .Values.deployment.athensProxy.env | default (list) }}
-{{- if and .Values.persistence.enabled }}
-{{- $env = concat $env (list (dict "name" "ATHENS_STORAGE_TYPE" "value" "disk") (dict "name" "ATHENS_DISK_STORAGE_ROOT" "value" .Values.persistence.data.mountPath)) }}
-{{- end }}
-{{- if and (hasKey .Values.deployment.athensProxy.resources "limits") (hasKey .Values.deployment.athensProxy.resources.limits "cpu") }}
-{{- $env = concat $env (list (dict "name" "GOMAXPROCS" "valueFrom" (dict "resourceFieldRef" (dict "divisor" "1" "resource" "limits.cpu")))) }}
-{{- end }}
-{{ toYaml (dict "env" $env) }}
-{{- end -}}
-
-
-{{/* envFrom */}}
-
-{{- define "athens-proxy.deployment.envFrom" -}}
-{{- end -}}
-
-{{/* image */}}
-
-{{- define "athens-proxy.deployment.images.athens-proxy.fqin" -}}
-{{- $registry := .Values.deployment.athensProxy.image.registry -}}
-{{- $repository := .Values.deployment.athensProxy.image.repository -}}
-{{- $tag := default .Chart.AppVersion .Values.deployment.athensProxy.image.tag -}}
-{{- printf "%s/%s:v%s" $registry $repository $tag -}}
-{{- end -}}
-
-{{/* labels */}}
-
-{{- define "athens-proxy.deployment.labels" -}}
-{{ include "athens-proxy.labels" . }}
-{{- if .Values.deployment.labels }}
-{{ toYaml .Values.deployment.labels }}
-{{- end }}
-{{- end }}
-
-{{/* serviceAccount */}}
-
-{{- define "athens-proxy.deployment.serviceAccount" -}}
-{{- if .Values.serviceAccount.existing.enabled -}}
-{{- printf "%s" .Values.serviceAccount.existing.serviceAccountName -}}
-{{- else -}}
-{{- include "athens-proxy.fullname" . -}}
-{{- end -}}
-{{- end }}
-
-{{/* volumeMounts */}}
-
-{{- define "athens-proxy.deployment.volumeMounts" -}}
-{{- $volumeMounts := .Values.deployment.athensProxy.volumeMounts | default (list) }}
-{{- if .Values.persistence.enabled }}
-{{- $volumeMounts = concat $volumeMounts (list (dict "name" "data" "mountPath" .Values.persistence.data.mountPath)) }}
-{{- end }}
-
-{{- if .Values.config.gitConfig.enabled }}
-{{- $volumeMounts = concat $volumeMounts (list (dict "name" "secrets" "mountPath" "/root/.gitconfig" "subPath" ".gitconfig" )) }}
-{{- end }}
-
-{{- if .Values.config.netrc.enabled }}
-{{- $volumeMounts = concat $volumeMounts (list (dict "name" "secrets" "mountPath" "/root/.netrc" "subPath" ".netrc" )) }}
-{{- end }}
-
-{{ toYaml (dict "volumeMounts" $volumeMounts) }}
-{{- end -}}
-
-{{/* volumes */}}
-
-{{- define "athens-proxy.deployment.volumes" -}}
-{{- $volumes := .Values.deployment.athensProxy.volumes | default (list) }}
-
-{{- if .Values.persistence.enabled }}
-{{- $claimName := include "athens-proxy.persistentVolumeClaim.data.name" $ }}
-{{- if .Values.persistence.data.existingPersistentVolumeClaim.enabled }}
-{{- $claimName = .Values.persistence.data.existingPersistentVolumeClaim.persistentVolumeClaimName }}
-{{- end }}
-{{- $volumes = concat $volumes (list (dict "name" "data" "persistentVolumeClaim" (dict "claimName" $claimName))) }}
-{{- end }}
-
-{{- if .Values.config.gitConfig.enabled }}
-{{- $projectedSources := list -}}
-{{- $itemList := list (dict "key" ".gitconfig" "path" ".gitconfig" "mode" 0644) }}
-{{- $configMapName := include "athens-proxy.configMap.gitConfig.name" . }}
-{{- if .Values.config.gitConfig.existingConfigMap.enabled }}
-{{- $itemList = list (dict "key" .Values.config.gitConfig.existingConfigMap.gitConfigKey "path" ".gitconfig" "mode" 0644) }}
-{{- $configMapName = .Values.config.gitConfig.existingConfigMap.configMapName }}
-{{- end }}
-{{- $projectedSources = concat $projectedSources (list (dict "configMap" (dict "name" $configMapName "items" $itemList))) }}
-
-{{- $volumes = concat $volumes (list (dict "name" "secrets" "projected" (dict "sources" $projectedSources)))}}
-{{- end }}
-
-{{- if .Values.config.netrc.enabled }}
-{{- $projectedSources := list -}}
-{{- $itemList := list (dict "key" ".netrc" "path" ".netrc" "mode" 0600) }}
-{{- $secretName := include "athens-proxy.secrets.netrc.name" . }}
-{{- if .Values.config.netrc.existingSecret.enabled }}
-{{- $itemList = list (dict "key" .Values.config.netrc.existingSecret.netrcKey "path" ".netrc" "mode" 0600) }}
-{{- $secretName = .Values.config.netrc.existingSecret.secretName }}
-{{- end }}
-{{- $projectedSources = concat $projectedSources (list (dict "secret" (dict "name" $secretName "items" $itemList))) }}
-
-{{- $volumes = concat $volumes (list (dict "name" "secrets" "projected" (dict "sources" $projectedSources)))}}
-{{- end }}
-
-{{ toYaml (dict "volumes" $volumes) }}
-{{- end -}}

templates/athens-proxy/_networkPolicies.tpl

@@ -1,19 +0,0 @@
-{{/* vim: set filetype=mustache: */}}
-
-{{/* annotations */}}
-
-{{- define "athens-proxy.networkPolicies.annotations" -}}
-{{ include "athens-proxy.annotations" .context }}
-{{- if .networkPolicy.annotations }}
-{{ toYaml .networkPolicy.annotations }}
-{{- end }}
-{{- end }}
-
-{{/* labels */}}
-
-{{- define "athens-proxy.networkPolicies.labels" -}}
-{{ include "athens-proxy.labels" .context }}
-{{- if .networkPolicy.labels }}
-{{ toYaml .networkPolicy.labels }}
-{{- end }}
-{{- end }}

templates/athens-proxy/_pod.tpl

@@ -1,17 +0,0 @@
----
-
-{{/* annotations */}}
-
-{{- define "athens-proxy.pod.annotations" -}}
-{{ include "athens-proxy.annotations" . }}
-{{- end }}
-
-{{/* labels */}}
-
-{{- define "athens-proxy.pod.labels" -}}
-{{ include "athens-proxy.labels" . }}
-{{- end }}
-
-{{- define "athens-proxy.pod.selectorLabels" -}}
-{{ include "athens-proxy.selectorLabels" . }}
-{{- end }}

templates/athens-proxy/_services.tpl

@@ -1,29 +0,0 @@
-{{/* vim: set filetype=mustache: */}}
-
-{{/* annotations */}}
-
-{{- define "athens-proxy.services.http.annotations" -}}
-{{ include "athens-proxy.annotations" . }}
-{{- if .Values.services.http.annotations }}
-{{ toYaml .Values.services.http.annotations }}
-{{- end }}
-{{- end }}
-
-{{/* labels */}}
-
-{{- define "athens-proxy.services.http.labels" -}}
-{{ include "athens-proxy.labels" . }}
-{{/* Add label to select the correct service via `selector.matchLabels` of the serviceMonitor resource. */}}
-app.kubernetes.io/service-name: http
-{{- if .Values.services.http.labels }}
-{{ toYaml .Values.services.http.labels }}
-{{- end }}
-{{- end }}
-
-{{/* names */}}
-
-{{- define "athens-proxy.services.http.name" -}}
-{{- if .Values.services.http.enabled -}}
-{{ include "athens-proxy.fullname" . }}-http
-{{- end -}}
-{{- end -}}

templates/athens-proxy/networkPolicies.yaml

@@ -1,36 +0,0 @@
-{{- if .Values.networkPolicies.enabled }}
-{{- range $key, $value := .Values.networkPolicies -}}
-{{- if and (not (eq $key "enabled")) $value.enabled }}
----
-apiVersion: networking.k8s.io/v1
-kind: NetworkPolicy
-metadata:
-  {{- with (include "athens-proxy.networkPolicies.annotations" (dict "networkPolicy" $value "context" $) | fromYaml) }}
-  annotations:
-    {{- toYaml . | nindent 4 }}
-  {{- end }}
-  {{- with (include "athens-proxy.networkPolicies.labels" (dict "networkPolicy" $value "context" $) | fromYaml) }}
-  labels:
-    {{- toYaml . | nindent 4 }}
-  {{- end }}
-  name: {{ printf "%s-%s" (include "athens-proxy.fullname" $ ) $key }}
-  namespace: {{ $.Release.Namespace }}
-spec:
-  podSelector:
-    matchLabels:
-      {{- include "athens-proxy.pod.selectorLabels" $ | nindent 6 }}
-  {{- with $value.policyTypes }}
-  policyTypes:
-  {{- toYaml . | nindent 2 }}
-  {{- end }}
-  {{- with $value.egress }}
-  egress:
-  {{- toYaml . | nindent 2 }}
-  {{- end }}
-  {{- with $value.ingress }}
-  ingress:
-  {{- toYaml . | nindent 2 }}
-  {{- end }}
-{{- end }}
-{{- end }}
-{{- end }}

templates/athens-proxy/serviceHTTP.yaml

@@ -1,57 +0,0 @@
-{{- if .Values.services.http.enabled }}
----
-apiVersion: v1
-kind: Service
-metadata:
-  {{- with (include "athens-proxy.services.http.annotations" . | fromYaml) }}
-  annotations:
-    {{- toYaml . | nindent 4 }}
-  {{- end }}
-  {{- with (include "athens-proxy.services.http.labels" . | fromYaml) }}
-  labels:
-    {{- toYaml . | nindent 4 }}
-  {{- end }}
-  name: {{ include "athens-proxy.services.http.name" . }}
-  namespace: {{ .Release.Namespace }}
-spec:
-  {{- if not (empty .Values.services.http.externalIPs) }}
-  externalIPs:
-  {{- range .Values.services.http.externalIPs }}
-  - {{ . }}
-  {{- end }}
-  {{- end }}
-  {{- if and (or (eq .Values.services.http.type "LoadBalancer") (eq .Values.services.http.type "NodePort") ) .Values.services.http.externalTrafficPolicy }}
-  externalTrafficPolicy: {{ .Values.services.http.externalTrafficPolicy }}
-  {{- end }}
-  internalTrafficPolicy: {{ required "No internal traffic policy defined!" .Values.services.http.internalTrafficPolicy }}
-  {{- if .Values.services.http.ipFamilies }}
-  ipFamilies:
-  {{- range .Values.services.http.ipFamilies }}
-  - {{ . }}
-  {{- end }}
-  {{- end }}
-  {{- if and (eq .Values.services.http.type "LoadBalancer") .Values.services.http.loadBalancerClass }}
-  loadBalancerClass: {{ .Values.services.http.loadBalancerClass }}
-  {{- end }}
-  {{- if and (eq .Values.services.http.type "LoadBalancer") .Values.services.http.loadBalancerIP }}
-  loadBalancerIP: {{ .Values.services.http.loadBalancerIP }}
-  {{- end }}
-  {{- if eq .Values.services.http.type "LoadBalancer" }}
-  loadBalancerSourceRanges:
-  {{- range .Values.services.http.loadBalancerSourceRanges }}
-  - {{ . }}
-  {{- end }}
-  {{- end }}
-  ports:
-  - name: http
-    protocol: TCP
-    port: {{ required "No service port defined!" .Values.services.http.port }}
-  selector:
-    {{- include "athens-proxy.pod.selectorLabels" . | nindent 4 }}
-  sessionAffinity: {{ required "No session affinity defined!" .Values.services.http.sessionAffinity }}
-  {{- with .Values.services.http.sessionAffinityConfig }}
-  sessionAffinityConfig:
-    {{- toYaml . | nindent 4}}
-  {{- end }}
-  type: {{ required "No service type defined!" .Values.services.http.type }}
-{{- end }}

templates/backendTLSPolicy.yaml

@@ -0,0 +1,25 @@
+{{- if eq (include "athens-proxy.backendTLSPolicy.enabled" $) "true" }}
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: BackendTLSPolicy
+metadata:
+  {{- with (include "athens-proxy.backendTLSPolicy.annotations" . | fromYaml) }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  {{- with (include "athens-proxy.backendTLSPolicy.labels" . | fromYaml) }}
+  labels:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  name: {{ include "athens-proxy.fullname" . }}
+  namespace: {{ .Release.Namespace }}
+spec:
+  targetRefs:
+    - group: ""
+      kind: Service
+      name: {{ include "athens-proxy.service.name" . }}
+  {{- with .Values.gatewayAPI.core.backendTLSPolicy.validation }}
+  validation:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+{{- end -}}

templates/certificate.yaml

@@ -0,0 +1,97 @@
+{{- if and .Values.certificate.enabled (not .Values.certificate.existingSecret.enabled) -}}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  {{- with (include "athens-proxy.certificates.server.annotations" . | fromYaml) }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  {{- with (include "athens-proxy.certificates.server.labels" . | fromYaml) }}
+  labels:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  name: {{ include "athens-proxy.certificates.server.name" . }}
+  namespace: {{ .Release.Namespace }}
+spec:
+  commonName: {{ include "athens-proxy.fullname" . }}
+  {{- if empty .Values.certificate.new.dnsNames }}
+  dnsNames:
+  - {{ include "athens-proxy.fullname" . }}
+  - {{ include "athens-proxy.fullname" . }}.{{ .Release.Namespace }}
+  - {{ include "athens-proxy.fullname" . }}.{{ .Release.Namespace }}.svc
+  - {{ include "athens-proxy.fullname" . }}.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }}
+  {{- else }}
+  dnsNames:
+  {{- range .Values.certificate.new.dnsNames }}
+  - {{ . }}
+  {{- end }}
+  {{- end }}
+  duration: {{ .Values.certificate.new.duration }}
+  {{- if not (empty .Values.certificate.new.ipAddresses) }}
+  ipAddresses:
+  {{- range .Values.certificate.new.ipAddresses }}
+  - {{ . }}
+  {{- end }}
+  {{- end }}
+  isCA: false
+  issuerRef:
+    kind: {{ required "No certificate issuer kind defined!" .Values.certificate.new.issuerRef.kind }}
+    name: {{ required "No certificate issuer name defined!" .Values.certificate.new.issuerRef.name }}
+  privateKey:
+    algorithm: {{ .Values.certificate.new.privateKey.algorithm }}
+    rotationPolicy: {{ .Values.certificate.new.privateKey.rotationPolicy }}
+    size: {{ .Values.certificate.new.privateKey.size }}
+  renewBefore: {{ .Values.certificate.new.renewBefore }}
+  secretName: {{ include "athens-proxy.certificates.server.name" . }}
+  {{- with .Values.certificate.new.secretTemplate }}
+  secretTemplate:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  {{- if or .Values.certificate.new.subject.countries
+            .Values.certificate.new.subject.localities
+            .Values.certificate.new.subject.organizationalUnits
+            .Values.certificate.new.subject.organizations
+            .Values.certificate.new.subject.postalCodes
+            .Values.certificate.new.subject.provinces
+            .Values.certificate.new.subject.serialNumber
+            .Values.certificate.new.subject.streetAddresses
+  }}
+  subject:
+    {{- with .Values.certificate.new.subject.countries }}
+    countries:
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+    {{- with .Values.certificate.new.subject.localities }}
+    localities:
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+    {{- with .Values.certificate.new.subject.organizationalUnits }}
+    organizationalUnits:
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+    {{- with .Values.certificate.new.subject.organizations }}
+    organizations:
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+    {{- with .Values.certificate.new.subject.postalCodes }}
+    postalCodes:
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+    {{- with .Values.certificate.new.subject.provinces }}
+    provinces:
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+    {{- if .Values.certificate.new.subject.serialNumber }}
+    serialNumber: {{ .Values.certificate.new.subject.serialNumber }}
+    {{- end }}
+    {{- with .Values.certificate.new.subject.streetAddresses }}
+    streetAddresses:
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+  {{- end }}
+  usages:
+  {{- range .Values.certificate.new.usages }}
+  - {{ . }}
+  {{- end }}
+{{- end }}

templates/clientSettingsPolicy.yaml

@@ -0,0 +1,50 @@
+{{- if eq (include "athens-proxy.clientSettingsPolicy.enabled" $) "true" }}
+apiVersion: gateway.nginx.org/v1alpha1
+kind: ClientSettingsPolicy
+metadata:
+  {{- with (include "athens-proxy.clientSettingsPolicy.annotations" . | fromYaml) }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  {{- with (include "athens-proxy.clientSettingsPolicy.labels" . | fromYaml) }}
+  labels:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  name: {{ include "athens-proxy.fullname" . }}
+  namespace: {{ .Release.Namespace }}
+spec:
+  targetRef:
+    group: gateway.networking.k8s.io
+    kind: HTTPRoute
+    name: {{ include "athens-proxy.fullname" . }}
+  {{- if or .Values.gatewayAPI.nginx.clientSettingsPolicy.clientMaxBodySize
+            .Values.gatewayAPI.nginx.clientSettingsPolicy.clientBodyTimeout
+  }}
+  body:
+    {{- with .Values.gatewayAPI.nginx.clientSettingsPolicy.clientMaxBodySize }}
+    maxSize: {{ . }}
+    {{- end }}
+    {{- with .Values.gatewayAPI.nginx.clientSettingsPolicy.clientBodyTimeout }}
+    timeout: {{ . }}
+    {{- end }}
+  {{- end }}
+  {{- if or .Values.gatewayAPI.nginx.clientSettingsPolicy.keepaliveRequests
+            .Values.gatewayAPI.nginx.clientSettingsPolicy.keepaliveTime
+            .Values.gatewayAPI.nginx.clientSettingsPolicy.keepaliveTimeout
+            .Values.gatewayAPI.nginx.clientSettingsPolicy.keepaliveMinTimeout
+  }}
+  keepAlive:
+    {{- with .Values.gatewayAPI.nginx.clientSettingsPolicy.keepaliveRequests }}
+    requests: {{ . }}
+    {{- end }}
+    {{- with .Values.gatewayAPI.nginx.clientSettingsPolicy.keepaliveTime }}
+    time: {{ . }}
+    {{- end }}
+    {{- with .Values.gatewayAPI.nginx.clientSettingsPolicy.keepaliveTimeout }}
+    timeout: {{ . }}
+    {{- end }}
+    {{- with .Values.gatewayAPI.nginx.clientSettingsPolicy.keepaliveMinTimeout }}
+    minTimeout: {{ . }}
+    {{- end }}
+  {{- end }}
+{{- end -}}

templates/configMapDownloadMode.yaml

@@ -1,4 +1,4 @@
-{{- if not .Values.config.downloadMode.existingConfigMap.enabled }}
+{{- if and .Values.config.downloadMode.enabled (not .Values.config.downloadMode.existingConfigMap.enabled) }}
 ---
 apiVersion: v1
 kind: ConfigMap
@@ -11,7 +11,7 @@ metadata:
   labels:
     {{- toYaml . | nindent 4 }}
   {{- end }}
-  name: {{ include "athens-proxy.fullname" . }}-download-mode-file
+  name: {{ include "athens-proxy.configMap.downloadMode.name" . }}
   namespace: {{ .Release.Namespace }}
 data:
   downloadMode: |

templates/configMapGitConfig.yaml

@@ -1,4 +1,4 @@
-{{- if not .Values.config.gitConfig.existingConfigMap.enabled }}
+{{- if and .Values.config.gitConfig.enabled (not .Values.config.gitConfig.existingConfigMap.enabled) }}
 ---
 apiVersion: v1
 kind: ConfigMap
@@ -11,7 +11,7 @@ metadata:
   labels:
     {{- toYaml . | nindent 4 }}
   {{- end }}
-  name: {{ include "athens-proxy.fullname" . }}-git-config
+  name: {{ include "athens-proxy.configMap.gitConfig.name" . }}
   namespace: {{ .Release.Namespace }}
 data:
   .gitconfig: |

templates/deployment.yaml

@@ -50,21 +50,29 @@ spec:
         image: {{ include "athens-proxy.deployment.images.athens-proxy.fqin" . | quote }}
         imagePullPolicy: {{ .Values.deployment.athensProxy.image.pullPolicy }}
         livenessProbe:
-          tcpSocket:
-            port: http
-          failureThreshold: 3
-          initialDelaySeconds: 5
-          periodSeconds: 60
-          successThreshold: 1
-          timeoutSeconds: 3
+          exec:
+            {{- if not .Values.certificate.enabled }}
+            command: [ "wget", "-T", "{{ .Values.deployment.athensProxy.livenessProbe.timeoutSeconds }}", "-O", "/dev/null", "http://localhost:3000" ]
+            {{- else }}
+            command: [ "wget", "--no-check-certificate", "-T", "{{ .Values.deployment.athensProxy.livenessProbe.timeoutSeconds }}", "-O", "/dev/null", "https://localhost:3000" ]
+            {{- end }}
+          failureThreshold: {{ .Values.deployment.athensProxy.livenessProbe.failureThreshold }}
+          initialDelaySeconds: {{ .Values.deployment.athensProxy.livenessProbe.initialDelaySeconds }}
+          periodSeconds: {{ .Values.deployment.athensProxy.livenessProbe.periodSeconds }}
+          successThreshold: {{ .Values.deployment.athensProxy.livenessProbe.successThreshold }}
+          timeoutSeconds: {{ .Values.deployment.athensProxy.livenessProbe.timeoutSeconds }}
         readinessProbe:
-          tcpSocket:
-            port: http
-          failureThreshold: 3
-          initialDelaySeconds: 5
-          periodSeconds: 15
-          successThreshold: 1
-          timeoutSeconds: 3
+          exec:
+            {{- if not .Values.certificate.enabled }}
+            command: [ "wget", "-T", "{{ .Values.deployment.athensProxy.readinessProbe.timeoutSeconds }}", "-O", "/dev/null", "http://localhost:3000" ]
+            {{- else }}
+            command: [ "wget", "--no-check-certificate", "-T", "{{ .Values.deployment.athensProxy.readinessProbe.timeoutSeconds }}", "-O", "/dev/null", "https://localhost:3000" ]
+            {{- end }}
+          failureThreshold: {{ .Values.deployment.athensProxy.readinessProbe.failureThreshold }}
+          initialDelaySeconds: {{ .Values.deployment.athensProxy.readinessProbe.initialDelaySeconds }}
+          periodSeconds: {{ .Values.deployment.athensProxy.readinessProbe.periodSeconds }}
+          successThreshold: {{ .Values.deployment.athensProxy.readinessProbe.successThreshold }}
+          timeoutSeconds: {{ .Values.deployment.athensProxy.readinessProbe.timeoutSeconds }}
         ports:
         - name: http
           containerPort: 3000

templates/httpRoute.yaml

@@ -0,0 +1,36 @@
+{{- if eq (include "athens-proxy.httpRoute.enabled" $) "true" }}
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  {{- with (include "athens-proxy.httpRoute.annotations" . | fromYaml) }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  {{- with (include "athens-proxy.httpRoute.labels" . | fromYaml) }}
+  labels:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  name: {{ include "athens-proxy.fullname" . }}
+  namespace: {{ .Release.Namespace }}
+spec:
+  {{- with .Values.gatewayAPI.core.httpRoute.hostnames }}
+  hostnames:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  {{- with .Values.gatewayAPI.core.httpRoute.parentRefs }}
+  parentRefs:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  rules:
+    - backendRefs:
+        - kind: Service
+          name: {{ include "athens-proxy.service.name" . }}
+          namespace: {{ .Release.Namespace }}
+          port: {{ .Values.service.port }}
+          weight: 1
+      {{- with .Values.gatewayAPI.core.httpRoute.matches }}
+      matches:
+        {{- toYaml . | nindent 6 }}
+      {{- end }}
+{{- end }}

templates/ingress.yaml

@@ -1,4 +1,4 @@
-{{- if and .Values.services.http.enabled .Values.ingress.enabled }}
+{{- if and .Values.service.enabled .Values.ingress.enabled }}
 ---
 apiVersion: networking.k8s.io/v1
 kind: Ingress
@@ -27,9 +27,9 @@ spec:
         {{- end }}
         backend:
           service:
-            name: {{ include "athens-proxy.services.http.name" $ }}
+            name: {{ include "athens-proxy.service.name" $ }}
             port:
-              number: {{ $.Values.services.http.port }}
+              number: {{ $.Values.service.port }}
       {{- end }}
   {{- end }}
   {{- if .Values.ingress.tls }}
@@ -42,4 +42,4 @@ spec:
     secretName: {{ .secretName | quote }}
   {{- end }}
 {{- end }}
-{{- end }}
+{{- end }}

templates/networkPolicy.yaml

@@ -0,0 +1,32 @@
+{{- if .Values.networkPolicy.enabled }}
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  {{- with (include "athens-proxy.networkPolicy.annotations" . | fromYaml) }}
+  annotations:
+    {{- tpl (toYaml .) $ | nindent 4 }}
+  {{- end }}
+  {{- with (include "athens-proxy.networkPolicy.labels" . | fromYaml) }}
+  labels:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  name: {{ include "athens-proxy.fullname" . }}
+  namespace: {{ .Release.Namespace }}
+spec:
+  podSelector:
+    matchLabels:
+      {{- include "athens-proxy.pod.selectorLabels" $ | nindent 6 }}
+  {{- with .Values.networkPolicy.policyTypes }}
+  policyTypes:
+  {{- toYaml . | nindent 2 }}
+  {{- end }}
+  {{- with .Values.networkPolicy.egress }}
+  egress:
+  {{- toYaml . | nindent 2 }}
+  {{- end }}
+  {{- with .Values.networkPolicy.ingress }}
+  ingress:
+  {{- toYaml . | nindent 2 }}
+  {{- end }}
+{{- end }}

templates/secretEnv.yaml

@@ -1,4 +1,4 @@
-{{- if not .Values.config.env.existingSecret.enabled }}
+{{- if and .Values.config.env.enabled (not .Values.config.env.existingSecret.enabled) }}
 ---
 apiVersion: v1
 kind: Secret

templates/secretSSH.yaml

@@ -1,4 +1,4 @@
-{{- if not .Values.config.ssh.existingSecret.enabled }}
+{{- if and .Values.config.ssh.enabled (not .Values.config.ssh.existingSecret.enabled) }}
 ---
 apiVersion: v1
 kind: Secret

templates/service.yaml

@@ -0,0 +1,57 @@
+{{- if .Values.service.enabled }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+  {{- with (include "athens-proxy.service.annotations" . | fromYaml) }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  {{- with (include "athens-proxy.service.labels" . | fromYaml) }}
+  labels:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  name: {{ include "athens-proxy.service.name" . }}
+  namespace: {{ .Release.Namespace }}
+spec:
+  {{- if not (empty .Values.service.externalIPs) }}
+  externalIPs:
+  {{- range .Values.service.externalIPs }}
+  - {{ . }}
+  {{- end }}
+  {{- end }}
+  {{- if and (or (eq .Values.service.type "LoadBalancer") (eq .Values.service.type "NodePort") ) .Values.service.externalTrafficPolicy }}
+  externalTrafficPolicy: {{ .Values.service.externalTrafficPolicy }}
+  {{- end }}
+  internalTrafficPolicy: {{ required "No internal traffic policy defined!" .Values.service.internalTrafficPolicy }}
+  {{- if .Values.service.ipFamilies }}
+  ipFamilies:
+  {{- range .Values.service.ipFamilies }}
+  - {{ . }}
+  {{- end }}
+  {{- end }}
+  {{- if and (eq .Values.service.type "LoadBalancer") .Values.service.loadBalancerClass }}
+  loadBalancerClass: {{ .Values.service.loadBalancerClass }}
+  {{- end }}
+  {{- if and (eq .Values.service.type "LoadBalancer") .Values.service.loadBalancerIP }}
+  loadBalancerIP: {{ .Values.service.loadBalancerIP }}
+  {{- end }}
+  {{- if eq .Values.service.type "LoadBalancer" }}
+  loadBalancerSourceRanges:
+  {{- range .Values.service.loadBalancerSourceRanges }}
+  - {{ . }}
+  {{- end }}
+  {{- end }}
+  ports:
+  - name: http
+    protocol: TCP
+    port: {{ required "No service port defined!" .Values.service.port }}
+  selector:
+    {{- include "athens-proxy.pod.selectorLabels" . | nindent 4 }}
+  sessionAffinity: {{ required "No session affinity defined!" .Values.service.sessionAffinity }}
+  {{- with .Values.service.sessionAffinityConfig }}
+  sessionAffinityConfig:
+    {{- toYaml . | nindent 4}}
+  {{- end }}
+  type: {{ required "No service type defined!" .Values.service.type }}
+{{- end }}

unittests/backendTLSPolicies/backendTLSPolicy.yaml

@@ -0,0 +1,130 @@
+chart:
+  appVersion: 0.1.0
+  version: 0.1.0
+suite: backendTLSPolicy template
+release:
+  name: athens-proxy-unittest
+  namespace: testing
+templates:
+- templates/backendTLSPolicy.yaml
+tests:
+- it: Skip rendering when disabled 1/6
+  set:
+    gatewayAPI.enabled: false
+    gatewayAPI.core.backendTLSPolicy.enabled: false
+    service.enabled: false
+  asserts:
+  - hasDocuments:
+      count: 0
+
+- it: Skip rendering when disabled 2/6
+  set:
+    gatewayAPI.enabled: true
+    gatewayAPI.core.backendTLSPolicy.enabled: false
+    service.enabled: false
+  asserts:
+  - hasDocuments:
+      count: 0
+
+- it: Skip rendering when disabled 3/6
+  set:
+    gatewayAPI.enabled: false
+    gatewayAPI.core.backendTLSPolicy.enabled: true
+    service.enabled: false
+  asserts:
+  - hasDocuments:
+      count: 0
+
+- it: Skip rendering when disabled 4/6
+  set:
+    gatewayAPI.enabled: false
+    gatewayAPI.core.backendTLSPolicy.enabled: false
+    service.enabled: true
+  asserts:
+  - hasDocuments:
+      count: 0
+
+- it: Skip rendering when disabled 5/6
+  set:
+    gatewayAPI.enabled: true
+    gatewayAPI.core.backendTLSPolicy.enabled: false
+    service.enabled: true
+  asserts:
+  - hasDocuments:
+      count: 0
+
+- it: Skip rendering when disabled 6/6
+  set:
+    gatewayAPI.enabled: true
+    gatewayAPI.core.backendTLSPolicy.enabled: true
+    service.enabled: false
+  asserts:
+  - hasDocuments:
+      count: 0
+
+- it: Render default values
+  set:
+    gatewayAPI.enabled: true
+    gatewayAPI.core.backendTLSPolicy.enabled: true
+    service.enabled: true
+  asserts:
+  - hasDocuments:
+      count: 1
+  - containsDocument:
+      apiVersion: gateway.networking.k8s.io/v1
+      kind: BackendTLSPolicy
+      name: athens-proxy-unittest
+      namespace: testing
+  - contains:
+      path: spec.targetRefs
+      content:
+        group: ""
+        kind: Service
+        name: athens-proxy-unittest
+  - notExists:
+      path: spec.validation.caCertificateRefs
+
+- it: Render with custom annotations and labels
+  set:
+    gatewayAPI.enabled: true
+    gatewayAPI.core.backendTLSPolicy:
+      enabled: true
+      annotations:
+        foo: bar
+      labels:
+        bar: foo
+    service.enabled: true
+  asserts:
+  - equal:
+      path: metadata.annotations
+      value:
+        foo: bar
+  - equal:
+      path: metadata.labels
+      value:
+        app.kubernetes.io/instance: athens-proxy-unittest
+        app.kubernetes.io/name: athens-proxy
+        app.kubernetes.io/version: 0.1.0
+        app.kubernetes.io/managed-by: Helm
+        helm.sh/chart: athens-proxy-0.1.0
+        bar: foo
+
+- it: Render with custom validation
+  set:
+    gatewayAPI.enabled: true
+    gatewayAPI.core.backendTLSPolicy.enabled: true
+    gatewayAPI.core.backendTLSPolicy.validation:
+      caCertificateRefs:
+        - group: ""
+          kind: Secret
+          name: athens-proxy-ca
+      hostname: athens-proxy.svc.cluster.local
+    service.enabled: true
+  asserts:
+  - isSubset:
+      path: spec.validation
+      content:
+        caCertificateRefs:
+          - group: ""
+            kind: Secret
+            name: athens-proxy-ca

unittests/certificates/certificate.yaml

@@ -0,0 +1,300 @@
+chart:
+  appVersion: 0.1.0
+  version: 0.1.0
+suite: Certificate athens-proxy template
+release:
+  name: athens-proxy-unittest
+  namespace: testing
+templates:
+- templates/certificate.yaml
+tests:
+- it: Skip rendering by default.
+  asserts:
+  - hasDocuments:
+      count: 0
+
+- it: Skip rendering for existing certificate
+  set:
+    certificate.enabled: true
+    certificate.existingSecret.enabled: true
+  asserts:
+  - hasDocuments:
+      count: 0
+
+- it: Throw error when issuerKind and IssuerName is not defined
+  set:
+    certificate.enabled: true
+  asserts:
+  - failedTemplate:
+      errorMessage: "No certificate issuer kind defined!"
+
+- it: Throw error when issuerKind and IssuerName is not defined
+  set:
+    certificate.enabled: true
+  asserts:
+  - failedTemplate: {}
+
+- it: Throw error when issuerKind not defined
+  set:
+    certificate.enabled: true
+    certificate.new.issuerRef.name: "my-issuer"
+  asserts:
+  - failedTemplate:
+      errorMessage: "No certificate issuer kind defined!"
+
+- it: Throw error when issuerName not defined
+  set:
+    certificate.enabled: true
+    certificate.new.issuerRef.kind: "ClusterIssuer"
+  asserts:
+  - failedTemplate:
+      errorMessage: "No certificate issuer name defined!"
+
+- it: Rendering Certificate object when certificate.enabled=true (default)
+  set:
+    certificate.enabled: true
+    certificate.new.issuerRef.kind: ClusterIssuer
+    certificate.new.issuerRef.name: my-issuer
+  asserts:
+  - hasDocuments:
+      count: 1
+  - containsDocument:
+      apiVersion: cert-manager.io/v1
+      kind: Certificate
+      name: athens-proxy-unittest-tls
+      namespace: testing
+  - equal:
+      path: spec.commonName
+      value: athens-proxy-unittest
+  - equal:
+      path: spec.duration
+      value: 744h
+  - equal:
+      path: spec.dnsNames
+      value: [ "athens-proxy-unittest", "athens-proxy-unittest.testing", "athens-proxy-unittest.testing.svc", "athens-proxy-unittest.testing.svc.cluster.local" ]
+  - notExists:
+      path: spec.ipAddresses
+  - equal:
+      path: spec.isCA
+      value: false
+  - equal:
+      path: spec.issuerRef.kind
+      value: ClusterIssuer
+  - equal:
+      path: spec.issuerRef.name
+      value: my-issuer
+  - equal:
+      path: spec.privateKey.algorithm
+      value: RSA
+  - equal:
+      path: spec.privateKey.size
+      value: 4096
+  - equal:
+      path: spec.privateKey.rotationPolicy
+      value: Never
+  - equal:
+      path: spec.secretName
+      value: athens-proxy-unittest-tls
+  - exists:
+      path: spec.secretTemplate.annotations
+  - exists:
+      path: spec.secretTemplate.labels
+  - notExists:
+      path: spec.subject
+  - notExists:
+      path: spec.subject.countries
+  - notExists:
+      path: spec.subject.localities
+  - notExists:
+      path: spec.subject.organizationalUnits
+  - notExists:
+      path: spec.subject.organizations
+  - notExists:
+      path: spec.subject.postalCodes
+  - notExists:
+      path: spec.subject.provinces
+  - notExists:
+      path: spec.subject.serialNumber
+  - notExists:
+      path: spec.subject.streetAddresses
+  - equal:
+      path: spec.renewBefore
+      value: 672h
+  - equal:
+      path: spec.usages
+      value: [ "client auth", "server auth" ]
+
+# metadata.annotations
+- it: Rendering Certificate object with additional annotations and labels
+  set:
+    certificate.enabled: true
+    certificate.new.issuerRef.kind: ClusterIssuer
+    certificate.new.issuerRef.name: my-issuer
+    certificate.new.annotations:
+      foo: bar
+    certificate.new.labels:
+      bar: foo
+  asserts:
+  - isSubset:
+      path: metadata.annotations
+      content:
+        foo: bar
+  - isSubset:
+      path: metadata.labels
+      content:
+        bar: foo
+
+# spec.duration
+- it: Rendering Certificate object with custom `.Values.certificate.new.duration`.
+  set:
+    certificate.enabled: true
+    certificate.new.issuerRef.kind: ClusterIssuer
+    certificate.new.issuerRef.name: my-issuer
+    certificate.new.duration: 3000h
+  asserts:
+  - equal:
+      path: spec.duration
+      value: 3000h
+
+# spec.dnsNames
+- it: Rendering Certificate object with custom `.Values.certificate.new.dnsNames`.
+  set:
+    certificate.enabled: true
+    certificate.new.issuerRef.kind: ClusterIssuer
+    certificate.new.issuerRef.name: my-issuer
+    certificate.new.dnsNames: [ "app", "app.example.local" ]
+  asserts:
+  - equal:
+      path: spec.dnsNames
+      value: [ "app", "app.example.local" ]
+
+# spec.dnsNames
+- it: Rendering Certificate object with custom `.Values.clusterDomain` as domain.
+  set:
+    certificate.enabled: true
+    certificate.new.issuerRef.kind: ClusterIssuer
+    certificate.new.issuerRef.name: my-issuer
+    clusterDomain: k8s.example.local
+  asserts:
+  - contains:
+      path: spec.dnsNames
+      content:
+        athens-proxy-unittest.testing.svc.k8s.example.local
+      count: 1
+
+# spec.ipAddresses
+- it: RRendering Certificate object with custom `.Values.certificate.new.ipAddresses`.
+  set:
+    certificate.enabled: true
+    certificate.new.issuerRef.kind: ClusterIssuer
+    certificate.new.issuerRef.name: my-issuer
+    certificate.new.ipAddresses: [ "10.11.12.13", "fe00:xxyy:xxyy" ]
+  asserts:
+  - equal:
+      path: spec.ipAddresses
+      value: [ "10.11.12.13", "fe00:xxyy:xxyy" ]
+
+# spec.privateKey
+- it: Rendering Certificate object with custom `.Values.certificate.new.privateKey` values.
+  set:
+    certificate.enabled: true
+    certificate.new.issuerRef.kind: ClusterIssuer
+    certificate.new.issuerRef.name: my-issuer
+    certificate.new.privateKey.algorithm: ED25519
+    certificate.new.privateKey.rotationPolicy: Never
+    certificate.new.privateKey.size: 512
+  asserts:
+  - equal:
+      path: spec.privateKey.algorithm
+      value: ED25519
+  - equal:
+      path: spec.privateKey.rotationPolicy
+      value: Never
+  - equal:
+      path: spec.privateKey.size
+      value: 512
+
+# spec.renewBefore
+- it: Rendering Certificate object with custom `.Values.certificate.new.renewBefore`.
+  set:
+    certificate.enabled: true
+    certificate.new.issuerRef.kind: ClusterIssuer
+    certificate.new.issuerRef.name: my-issuer
+    certificate.new.renewBefore: 2000h
+  asserts:
+  - equal:
+      path: spec.renewBefore
+      value: 2000h
+
+# spec.secretTemplate
+- it: Rendering Certificate object with custom `.Values.certificate.new.secretTemplate` values.
+  set:
+    certificate.enabled: true
+    certificate.new.issuerRef.kind: ClusterIssuer
+    certificate.new.issuerRef.name: my-issuer
+    certificate.new.secretTemplate:
+      annotations:
+        foo: bar
+      labels:
+        bar: foo
+  asserts:
+  - equal:
+      path: spec.secretTemplate.annotations
+      value:
+        foo: bar
+  - equal:
+      path: spec.secretTemplate.labels
+      value:
+        bar: foo
+
+# spec.secretTemplate
+- it: Rendering Certificate object with custom `.Values.certificate.new.subject` values.
+  set:
+    certificate.enabled: true
+    certificate.new.issuerRef.kind: ClusterIssuer
+    certificate.new.issuerRef.name: my-issuer
+    certificate.new.subject.countries: [ "Country" ]
+    certificate.new.subject.localities: [ "City" ]
+    certificate.new.subject.organizationalUnits: [ "IT department" ]
+    certificate.new.subject.organizations: [ "My organization" ]
+    certificate.new.subject.postalCodes: [ "AB12345", "12345AB" ]
+    certificate.new.subject.provinces: [ "Provinces" ]
+    certificate.new.subject.serialNumber: "MyNumber"
+    certificate.new.subject.streetAddresses: [ "ExampleStreet 1", "StreetExample 2" ]
+  asserts:
+  - equal:
+      path: spec.subject.countries
+      value: [ "Country" ]
+  - equal:
+      path: spec.subject.localities
+      value: [ "City" ]
+  - equal:
+      path: spec.subject.organizationalUnits
+      value: [ "IT department" ]
+  - equal:
+      path: spec.subject.organizations
+      value: [ "My organization" ]
+  - equal:
+      path: spec.subject.postalCodes
+      value: [ "AB12345", "12345AB" ]
+  - equal:
+      path: spec.subject.provinces
+      value: [ "Provinces" ]
+  - equal:
+      path: spec.subject.serialNumber
+      value: "MyNumber"
+  - equal:
+      path: spec.subject.streetAddresses
+      value: [ "ExampleStreet 1", "StreetExample 2" ]
+
+# spec.usages
+- it: Rendering Certificate object with custom `.Values.certificate.new.usages`.
+  set:
+    certificate.enabled: true
+    certificate.new.issuerRef.kind: ClusterIssuer
+    certificate.new.issuerRef.name: my-issuer
+    certificate.new.usages: [ "client auth" ]
+  asserts:
+  - equal:
+      path: spec.usages
+      value: [ "client auth" ]

unittests/clientSettingsPolicies/clientSettingsPolicy.yaml

@@ -0,0 +1,190 @@
+chart:
+  appVersion: 0.1.0
+  version: 0.1.0
+suite: ClientSettingsPolicy template
+release:
+  name: athens-proxy-unittest
+  namespace: testing
+templates:
+- templates/clientSettingsPolicy.yaml
+tests:
+- it: Skip rendering when disabled 1/8
+  set:
+    gatewayAPI.enabled: false
+    gatewayAPI.core.httpRoute.enabled: false
+    gatewayAPI.nginx.clientSettingsPolicy.enabled: false
+    service.enabled: false
+  asserts:
+  - hasDocuments:
+      count: 0
+
+- it: Skip rendering when disabled 2/8
+  set:
+    gatewayAPI.enabled: true
+    gatewayAPI.core.httpRoute.enabled: false
+    gatewayAPI.nginx.clientSettingsPolicy.enabled: false
+    service.enabled: false
+  asserts:
+  - hasDocuments:
+      count: 0
+
+- it: Skip rendering when disabled 3/8
+  set:
+    gatewayAPI.enabled: false
+    gatewayAPI.core.httpRoute.enabled: true
+    gatewayAPI.nginx.clientSettingsPolicy.enabled: false
+    service.enabled: false
+  asserts:
+  - hasDocuments:
+      count: 0
+
+- it: Skip rendering when disabled 4/8
+  set:
+    gatewayAPI.enabled: false
+    gatewayAPI.core.httpRoute.enabled: false
+    gatewayAPI.nginx.clientSettingsPolicy.enabled: true
+    service.enabled: false
+  asserts:
+  - hasDocuments:
+      count: 0
+
+- it: Skip rendering when disabled 5/8
+  set:
+    gatewayAPI.enabled: false
+    gatewayAPI.core.httpRoute.enabled: false
+    gatewayAPI.nginx.clientSettingsPolicy.enabled: false
+    service.enabled: true
+  asserts:
+  - hasDocuments:
+      count: 0
+
+- it: Skip rendering when disabled 6/8
+  set:
+    gatewayAPI.enabled: true
+    gatewayAPI.core.httpRoute.enabled: true
+    gatewayAPI.nginx.clientSettingsPolicy.enabled: false
+    service.enabled: false
+  asserts:
+  - hasDocuments:
+      count: 0
+
+- it: Skip rendering when disabled 7/8
+  set:
+    gatewayAPI.enabled: true
+    gatewayAPI.core.httpRoute.enabled: false
+    gatewayAPI.nginx.clientSettingsPolicy.enabled: true
+    service.enabled: false
+  asserts:
+  - hasDocuments:
+      count: 0
+
+- it: Skip rendering when disabled 8/8
+  set:
+    gatewayAPI.enabled: true
+    gatewayAPI.core.httpRoute.enabled: false
+    gatewayAPI.nginx.clientSettingsPolicy.enabled: false
+    service.enabled: true
+  asserts:
+  - hasDocuments:
+      count: 0
+
+- it: Render default values
+  set:
+    gatewayAPI.enabled: true
+    gatewayAPI.core.httpRoute.enabled: true
+    gatewayAPI.nginx.clientSettingsPolicy.enabled: true
+    service.enabled: true
+  asserts:
+  - hasDocuments:
+      count: 1
+  - containsDocument:
+      apiVersion: gateway.nginx.org/v1alpha1
+      kind: ClientSettingsPolicy
+      name: athens-proxy-unittest
+      namespace: testing
+  - notExists:
+      path: metadata.annotations
+  - equal:
+      path: metadata.labels
+      value:
+        app.kubernetes.io/instance: athens-proxy-unittest
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: athens-proxy
+        app.kubernetes.io/version: 0.1.0
+        helm.sh/chart: athens-proxy-0.1.0
+  - isSubset:
+      path: spec.targetRef
+      content:
+        group: gateway.networking.k8s.io
+        kind: HTTPRoute
+        name: athens-proxy-unittest
+  - notExists:
+      path: spec.body
+  - notExists:
+      path: spec.keepAlive
+
+- it: Render custom annotations and labels
+  set:
+    gatewayAPI.enabled: true
+    gatewayAPI.core.httpRoute.enabled: true
+    gatewayAPI.nginx.clientSettingsPolicy:
+      enabled: true
+      annotations:
+        foo: "bar"
+      labels:
+        bar: "foo"
+    service.enabled: true
+  asserts:
+  - equal:
+      path: metadata.annotations
+      value:
+        foo: "bar"
+  - equal:
+      path: metadata.labels
+      value:
+        app.kubernetes.io/instance: athens-proxy-unittest
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: athens-proxy
+        app.kubernetes.io/version: 0.1.0
+        helm.sh/chart: athens-proxy-0.1.0
+        bar: "foo"
+
+- it: Render with custom body settings
+  set:
+    gatewayAPI.enabled: true
+    gatewayAPI.core.httpRoute.enabled: true
+    gatewayAPI.nginx.clientSettingsPolicy:
+      enabled: true
+      clientMaxBodySize: 10m
+      clientBodyTimeout: 30s
+    service.enabled: true
+  asserts:
+  - isSubset:
+      path: spec.body
+      content:
+        maxSize: 10m
+        timeout: 30s
+  - notExists:
+      path: spec.keepAlive
+
+- it: Render with custom keepAlive settings
+  set:
+    gatewayAPI.enabled: true
+    gatewayAPI.core.httpRoute.enabled: true
+    gatewayAPI.nginx.clientSettingsPolicy:
+      enabled: true
+      keepaliveRequests: 100
+      keepaliveTime: 60s
+      keepaliveTimeout: 60s
+      keepaliveMinTimeout: 10s
+    service.enabled: true
+  asserts:
+  - notExists:
+      path: spec.body
+  - isSubset:
+      path: spec.keepAlive
+      content:
+        requests: 100
+        time: 60s
+        timeout: 60s
+        minTimeout: 10s

unittests/configMaps/downloadMode.yaml

@@ -6,16 +6,24 @@ release:
   name: athens-proxy-unittest
   namespace: testing
 templates:
-- templates/athens-proxy/configMapDownloadMode.yaml
+- templates/configMapDownloadMode.yaml
 tests:
+- it: Skip rending by default.
+  asserts:
+  - hasDocuments:
+      count: 0
+
 - it: Skip rending by using existing config map.
   set:
+    config.downloadMode.enabled: true
     config.downloadMode.existingConfigMap.enabled: true
   asserts:
   - hasDocuments:
       count: 0
 
-- it: Rendering by default.
+- it: Rendering with default values
+  set:
+    config.downloadMode.enabled: true
   asserts:
   - hasDocuments:
       count: 1
@@ -37,10 +45,10 @@ tests:
   - equal:
       path: data.downloadMode
       value: |
-        # downloadURL = "https://proxy.golang.org"
-        #
-        # mode = "async_redirect"
-        #
+        downloadURL = "https://proxy.golang.org"
+
+        mode = "async_redirect"
+
         # download "github.com/gomods/*" {
         #     mode = "sync"
         # }
@@ -51,11 +59,12 @@ tests:
         #
         # download "github.com/pkg/*" {
         #     mode = "redirect"
-        #     downloadURL = "https://gocenter.io"
+        #     downloadURL = "https://proxy.golang.org"
         # }
 
 - it: Rendering custom annotations and labels.
   set:
+    config.downloadMode.enabled: true
     config.downloadMode.configMap.annotations:
       foo: bar
       bar: foo
@@ -76,6 +85,7 @@ tests:
 
 - it: Rendering custom configuration
   set:
+    config.downloadMode.enabled: true
     config.downloadMode.configMap.content: |
       downloadURL = "https://proxy.golang.org"
       mode = "async_redirect"

unittests/configMaps/gitConfig.yaml

@@ -6,23 +6,31 @@ release:
   name: athens-proxy-unittest
   namespace: testing
 templates:
-- templates/athens-proxy/configMapGitConfig.yaml
+- templates/configMapGitConfig.yaml
 tests:
+- it: Skip rending by default.
+  asserts:
+  - hasDocuments:
+      count: 0
+
 - it: Skip rending by using existing config map.
   set:
+    config.gitConfig.enabled: true
     config.gitConfig.existingConfigMap.enabled: true
   asserts:
   - hasDocuments:
       count: 0
 
 - it: Rendering by default.
+  set:
+    config.gitConfig.enabled: true
   asserts:
   - hasDocuments:
       count: 1
   - containsDocument:
       apiVersion: v1
       kind: ConfigMap
-      name: athens-proxy-unittest-git-config
+      name: athens-proxy-unittest-gitconfig
       namespace: testing
   - notExists:
       path: metadata.annotations
@@ -46,6 +54,7 @@ tests:
 
 - it: Rendering custom annotations and labels.
   set:
+    config.gitConfig.enabled: true
     config.gitConfig.configMap.annotations:
       foo: bar
       bar: foo
@@ -66,6 +75,7 @@ tests:
 
 - it: Rendering custom configuration
   set:
+    config.gitConfig.enabled: true
     config.gitConfig.configMap.content: |
       [url "git@github.com:"]
       insteadOf = https://github.com/

unittests/deployment/gitConfig.yaml

@@ -1,81 +0,0 @@
-chart:
-  appVersion: 0.1.0
-  version: 0.1.0
-suite: Deployment template
-release:
-  name: athens-proxy-unittest
-  namespace: testing
-templates:
-- templates/athens-proxy/deployment.yaml
-tests:
-- it: Rendering default without mounted git config map
-  asserts:
-    - notContains:
-        path: spec.template.spec.containers[0].volumeMounts
-        content:
-          name: secrets
-          mountPath: /root/.gitconfig
-          subPath: .gitconfig
-    - notContains:
-        path: spec.template.spec.volumes
-        content:
-          name: secrets
-          projected:
-            sources:
-            - configMap:
-                items:
-                - key: .gitconfig
-                  path: .gitconfig
-                  mode: 0600
-                name: athens-proxy-unittest-gitconfig
-
-- it: Rendering default with mounted gitconfig configMap
-  set:
-    config.gitConfig.enabled: true
-    persistence.enabled: true
-  asserts:
-    - contains:
-        path: spec.template.spec.containers[0].volumeMounts
-        content:
-          name: secrets
-          mountPath: /root/.gitconfig
-          subPath: .gitconfig
-    - contains:
-        path: spec.template.spec.volumes
-        content:
-          name: secrets
-          projected:
-            sources:
-            - configMap:
-                items:
-                - key: .gitconfig
-                  path: .gitconfig
-                  mode: 0644
-                name: athens-proxy-unittest-gitconfig
-
-- it: Rendering with custom gitconfig configMap
-  set:
-    config.gitConfig.enabled: true
-    config.gitConfig.existingConfigMap.enabled: true
-    config.gitConfig.existingConfigMap.configMapName: "my-custom-configmap"
-    config.gitConfig.existingConfigMap.gitConfigKey: "my-gitconfig-key"
-    persistence.enabled: true
-  asserts:
-    - contains:
-        path: spec.template.spec.containers[0].volumeMounts
-        content:
-          name: secrets
-          mountPath: /root/.gitconfig
-          subPath: .gitconfig
-    - contains:
-        path: spec.template.spec.volumes
-        content:
-          name: secrets
-          projected:
-            sources:
-            - configMap:
-                items:
-                - key: my-gitconfig-key
-                  path: .gitconfig
-                  mode: 0644
-                name: my-custom-configmap

unittests/deployment/netrc.yaml

@@ -1,80 +0,0 @@
-chart:
-  appVersion: 0.1.0
-  version: 0.1.0
-suite: Deployment template
-release:
-  name: athens-proxy-unittest
-  namespace: testing
-templates:
-- templates/athens-proxy/deployment.yaml
-tests:
-- it: Rendering default without mounted netrc secret
-  asserts:
-    - notContains:
-        path: spec.template.spec.containers[0].volumeMounts
-        content:
-          name: netrc
-          mountPath: /root
-    - notContains:
-        path: spec.template.spec.volumes
-        content:
-          name: secrets
-          projected:
-            sources:
-            - secret:
-                items:
-                - key: .netrc
-                  path: .netrc
-                  mode: 0600
-                name: athens-proxy-unittest-netrc
-
-- it: Rendering default with mounted netrc secret
-  set:
-    config.netrc.enabled: true
-    persistence.enabled: true
-  asserts:
-    - contains:
-        path: spec.template.spec.containers[0].volumeMounts
-        content:
-          name: secrets
-          mountPath: /root/.netrc
-          subPath: .netrc
-    - contains:
-        path: spec.template.spec.volumes
-        content:
-          name: secrets
-          projected:
-            sources:
-            - secret:
-                items:
-                - key: .netrc
-                  path: .netrc
-                  mode: 0600
-                name: athens-proxy-unittest-netrc
-
-- it: Rendering with custom netrc secret
-  set:
-    config.netrc.enabled: true
-    config.netrc.existingSecret.enabled: true
-    config.netrc.existingSecret.secretName: "my-custom-secret"
-    config.netrc.existingSecret.netrcKey: "my-netrc-key"
-    persistence.enabled: true
-  asserts:
-    - contains:
-        path: spec.template.spec.containers[0].volumeMounts
-        content:
-          name: secrets
-          mountPath: /root/.netrc
-          subPath: .netrc
-    - contains:
-        path: spec.template.spec.volumes
-        content:
-          name: secrets
-          projected:
-            sources:
-            - secret:
-                items:
-                - key: my-netrc-key
-                  path: .netrc
-                  mode: 0600
-                name: my-custom-secret

unittests/deployments/certificate.yaml

@@ -0,0 +1,111 @@
+chart:
+  appVersion: 0.1.0
+  version: 0.1.0
+suite: Deployment template
+release:
+  name: athens-proxy-unittest
+  namespace: testing
+templates:
+- templates/configMapDownloadMode.yaml
+- templates/configMapGitConfig.yaml
+- templates/deployment.yaml
+- templates/secretNetRC.yaml
+- templates/secretSSH.yaml
+tests:
+- it: Rendering default without tls config
+  asserts:
+    - notContains:
+        path: spec.template.spec.containers[0].env
+        content:
+          name: ATHENS_TLSCERT_FILE
+          value: /etc/athens-proxy/tls/tls.crt
+      template: templates/deployment.yaml
+    - notContains:
+        path: spec.template.spec.containers[0].env
+        content:
+          name: ATHENS_TLSKEY_FILE
+          value: /etc/athens-proxy/tls/tls.key
+      template: templates/deployment.yaml
+    - notContains:
+        path: spec.template.spec.containers[0].volumeMounts
+        content:
+          name: tls
+          mountPath: /etc/athens-proxy/tls
+      template: templates/deployment.yaml
+    - notContains:
+        path: spec.template.spec.volumes
+        content:
+          name: tls
+          secretRef:
+            name: athens-proxy-unittest-tls
+      template: templates/deployment.yaml
+
+- it: Rendering with tls config
+  set:
+    certificate.enabled: true
+    certificate.new.issuerRef.kind: ClusterIssuer
+    certificate.new.issuerRef.name: MyIssuer
+  asserts:
+    - exists:
+        path: spec.template.metadata.annotations["checksum/secret-athens-proxy-unittest-tls"]
+      template: templates/deployment.yaml
+    - contains:
+        path: spec.template.spec.containers[0].env
+        content:
+          name: ATHENS_TLSCERT_FILE
+          value: /etc/athens-proxy/tls/tls.crt
+      template: templates/deployment.yaml
+    - contains:
+        path: spec.template.spec.containers[0].env
+        content:
+          name: ATHENS_TLSKEY_FILE
+          value: /etc/athens-proxy/tls/tls.key
+      template: templates/deployment.yaml
+    - contains:
+        path: spec.template.spec.containers[0].volumeMounts
+        content:
+          name: tls
+          mountPath: /etc/athens-proxy/tls
+      template: templates/deployment.yaml
+    - contains:
+        path: spec.template.spec.volumes
+        content:
+          name: tls
+          secret:
+            secretName: athens-proxy-unittest-tls
+      template: templates/deployment.yaml
+
+- it: Rendering with external TLS config
+  set:
+    certificate.enabled: true
+    certificate.existingSecret.enabled: true
+    certificate.existingSecret.secretName: my-own-secret
+  asserts:
+    - exists:
+        path: spec.template.metadata.annotations["checksum/secret-my-own-secret"]
+      template: templates/deployment.yaml
+    - contains:
+        path: spec.template.spec.containers[0].env
+        content:
+          name: ATHENS_TLSCERT_FILE
+          value: /etc/athens-proxy/tls/tls.crt
+      template: templates/deployment.yaml
+    - contains:
+        path: spec.template.spec.containers[0].env
+        content:
+          name: ATHENS_TLSKEY_FILE
+          value: /etc/athens-proxy/tls/tls.key
+      template: templates/deployment.yaml
+    - contains:
+        path: spec.template.spec.containers[0].volumeMounts
+        content:
+          name: tls
+          mountPath: /etc/athens-proxy/tls
+      template: templates/deployment.yaml
+    - contains:
+        path: spec.template.spec.volumes
+        content:
+          name: tls
+          secret:
+            secretName: athens-proxy-unittest-tls
+      template: templates/deployment.yaml

unittests/deployments/deployment.yaml

@@ -6,22 +6,22 @@ release:
   name: athens-proxy-unittest
   namespace: testing
 templates:
-- templates/athens-proxy/deployment.yaml
+- templates/deployment.yaml
 tests:
 - it: Rendering default
   asserts:
   - hasDocuments:
       count: 1
-    template: templates/athens-proxy/deployment.yaml
+    template: templates/deployment.yaml
   - containsDocument:
       apiVersion: apps/v1
       kind: Deployment
       name: athens-proxy-unittest
       namespace: testing
-    template: templates/athens-proxy/deployment.yaml
+    template: templates/deployment.yaml
   - notExists:
       path: metadata.annotations
-    template: templates/athens-proxy/deployment.yaml
+    template: templates/deployment.yaml
   - equal:
       path: metadata.labels
       value:
@@ -30,11 +30,11 @@ tests:
         app.kubernetes.io/name: athens-proxy
         app.kubernetes.io/version: 0.1.0
         helm.sh/chart: athens-proxy-0.1.0
-    template: templates/athens-proxy/deployment.yaml
+    template: templates/deployment.yaml
   - equal:
       path: spec.replicas
       value: 1
-    template: templates/athens-proxy/deployment.yaml
+    template: templates/deployment.yaml
   - equal:
       path: spec.template.metadata.labels
       value:
@@ -43,74 +43,114 @@ tests:
         app.kubernetes.io/name: athens-proxy
         app.kubernetes.io/version: 0.1.0
         helm.sh/chart: athens-proxy-0.1.0
-    template: templates/athens-proxy/deployment.yaml
+    template: templates/deployment.yaml
   - notExists:
       path: spec.template.spec.affinity
-    template: templates/athens-proxy/deployment.yaml
+    template: templates/deployment.yaml
   - notExists:
       path: spec.template.spec.containers[0].args
-    template: templates/athens-proxy/deployment.yaml
+    template: templates/deployment.yaml
   - notExists:
       path: spec.template.spec.containers[0].command
-    template: templates/athens-proxy/deployment.yaml
+    template: templates/deployment.yaml
   - notExists:
       path: spec.template.spec.containers[0].envFrom
-    template: templates/athens-proxy/deployment.yaml
+    template: templates/deployment.yaml
   - notExists:
       path: spec.template.spec.containers[0].volumeMounts
-    template: templates/athens-proxy/deployment.yaml
+    template: templates/deployment.yaml
   - equal:
       path: spec.template.spec.containers[0].image
-      value: docker.io/gomods/athens:v0.1.0
-    template: templates/athens-proxy/deployment.yaml
+      value: docker.io/gomods/athens:0.1.0
+    template: templates/deployment.yaml
   - equal:
       path: spec.template.spec.containers[0].imagePullPolicy
       value: IfNotPresent
-    template: templates/athens-proxy/deployment.yaml
+    template: templates/deployment.yaml
+  - equal:
+      path: spec.template.spec.containers[0].livenessProbe.failureThreshold
+      value: 3
+    template: templates/deployment.yaml
+  - equal:
+      path: spec.template.spec.containers[0].livenessProbe.initialDelaySeconds
+      value: 5
+    template: templates/deployment.yaml
+  - equal:
+      path: spec.template.spec.containers[0].livenessProbe.periodSeconds
+      value: 60
+    template: templates/deployment.yaml
+  - equal:
+      path: spec.template.spec.containers[0].livenessProbe.successThreshold
+      value: 1
+    template: templates/deployment.yaml
+  - equal:
+      path: spec.template.spec.containers[0].livenessProbe.timeoutSeconds
+      value: 3
+    template: templates/deployment.yaml
+  - equal:
+      path: spec.template.spec.containers[0].readinessProbe.failureThreshold
+      value: 3
+    template: templates/deployment.yaml
+  - equal:
+      path: spec.template.spec.containers[0].readinessProbe.initialDelaySeconds
+      value: 5
+    template: templates/deployment.yaml
+  - equal:
+      path: spec.template.spec.containers[0].readinessProbe.periodSeconds
+      value: 15
+    template: templates/deployment.yaml
+  - equal:
+      path: spec.template.spec.containers[0].readinessProbe.successThreshold
+      value: 1
+    template: templates/deployment.yaml
+  - equal:
+      path: spec.template.spec.containers[0].readinessProbe.timeoutSeconds
+      value: 3
+    template: templates/deployment.yaml
   - notExists:
       path: spec.template.spec.containers[0].resources
-    template: templates/athens-proxy/deployment.yaml
+    template: templates/deployment.yaml
   - notExists:
       path: spec.template.spec.containers[0].securityContext
-    template: templates/athens-proxy/deployment.yaml
+    template: templates/deployment.yaml
   - notExists:
       path: spec.template.spec.dnsConfig
-    template: templates/athens-proxy/deployment.yaml
+    template: templates/deployment.yaml
   - notExists:
       path: spec.template.spec.dnsPolicy
-    template: templates/athens-proxy/deployment.yaml
+    template: templates/deployment.yaml
   - notExists:
       path: spec.template.spec.hostname
-    template: templates/athens-proxy/deployment.yaml
+    template: templates/deployment.yaml
   - equal:
       path: spec.template.spec.hostNetwork
       value: false
-    template: templates/athens-proxy/deployment.yaml
+    template: templates/deployment.yaml
   - notExists:
       path: spec.template.spec.imagePullSecrets
-    template: templates/athens-proxy/deployment.yaml
+    template: templates/deployment.yaml
   - notExists:
       path: spec.template.spec.nodeSelector
-    template: templates/athens-proxy/deployment.yaml
+    template: templates/deployment.yaml
   - notExists:
       path: spec.template.spec.priorityClassName
-    template: templates/athens-proxy/deployment.yaml
+    template: templates/deployment.yaml
   - notExists:
       path: spec.template.spec.restartPolicy
-    template: templates/athens-proxy/deployment.yaml
+    template: templates/deployment.yaml
   - notExists:
       path: spec.template.spec.subdomain
-    template: templates/athens-proxy/deployment.yaml
+    template: templates/deployment.yaml
   - equal:
       path: spec.template.spec.terminationGracePeriodSeconds
       value: 60
-    template: templates/athens-proxy/deployment.yaml
+    template: templates/deployment.yaml
   - notExists:
       path: spec.template.spec.tolerations
-    template: templates/athens-proxy/deployment.yaml
+    template: templates/deployment.yaml
   - notExists:
       path: spec.template.spec.topologySpreadConstraints
-    template: templates/athens-proxy/deployment.yaml
+    template: templates/deployment.yaml
   - equal:
       path: spec.strategy
       value:
@@ -118,7 +158,7 @@ tests:
         rollingUpdate:
           maxSurge: 1
           maxUnavailable: 1
-    template: templates/athens-proxy/deployment.yaml
+    template: templates/deployment.yaml
 
 - it: Test custom replicas
   set:
@@ -130,7 +170,7 @@ tests:
   - equal:
       path: spec.replicas
       value: 3
-    template: templates/athens-proxy/deployment.yaml
+    template: templates/deployment.yaml
 
 - it: Test custom affinity
   set:
@@ -160,7 +200,7 @@ tests:
                 values:
                 - antarctica-east1
                 - antarctica-west1
-    template: templates/athens-proxy/deployment.yaml
+    template: templates/deployment.yaml
 
 - it: Test additional arguments
   set:
@@ -176,7 +216,7 @@ tests:
       value:
       - --foo=bar
       - --bar=foo
-    template: templates/athens-proxy/deployment.yaml
+    template: templates/deployment.yaml
 
 - it: Test additional command
   set:
@@ -194,7 +234,7 @@ tests:
       - "/bin/sh"
       - "-c"
       - "echo hello"
-    template: templates/athens-proxy/deployment.yaml
+    template: templates/deployment.yaml
 
 - it: Test custom imageRegistry and imageRepository
   set:
@@ -206,8 +246,8 @@ tests:
   asserts:
   - equal:
       path: spec.template.spec.containers[0].image
-      value: registry.example.local/path/special/athens-proxy:v0.1.0
-    template: templates/athens-proxy/deployment.yaml
+      value: registry.example.local/path/special/athens-proxy:0.1.0
+    template: templates/deployment.yaml
 
 - it: Test custom imagePullPolicy
   set:
@@ -219,7 +259,78 @@ tests:
   - equal:
       path: spec.template.spec.containers[0].imagePullPolicy
       value: Always
-    template: templates/athens-proxy/deployment.yaml
+    template: templates/deployment.yaml
+
+- it: Test custom livenessProbe
+  set:
+    # Normal test values
+    deployment.athensProxy.livenessProbe:
+      failureThreshold: 5
+      initialDelaySeconds: 10
+      periodSeconds: 120
+      successThreshold: 3
+      timeoutSeconds: 5
+  asserts:
+  - equal:
+      path: spec.template.spec.containers[0].livenessProbe.failureThreshold
+      value: 5
+    template: templates/deployment.yaml
+  - equal:
+      path: spec.template.spec.containers[0].livenessProbe.initialDelaySeconds
+      value: 10
+    template: templates/deployment.yaml
+  - equal:
+      path: spec.template.spec.containers[0].livenessProbe.periodSeconds
+      value: 120
+    template: templates/deployment.yaml
+  - equal:
+      path: spec.template.spec.containers[0].livenessProbe.successThreshold
+      value: 3
+    template: templates/deployment.yaml
+  - equal:
+      path: spec.template.spec.containers[0].livenessProbe.timeoutSeconds
+      value: 5
+    template: templates/deployment.yaml
+  - contains:
+      path: spec.template.spec.containers[0].livenessProbe.exec.command
+      content: "5"
+    template: templates/deployment.yaml
+
+- it: Test custom readinessProbe
+  set:
+    # Normal test values
+    deployment.athensProxy.readinessProbe:
+      failureThreshold: 10
+      initialDelaySeconds: 10
+      periodSeconds: 30
+      successThreshold: 5
+      timeoutSeconds: 5
+
+  asserts:
+  - equal:
+      path: spec.template.spec.containers[0].readinessProbe.failureThreshold
+      value: 10
+    template: templates/deployment.yaml
+  - equal:
+      path: spec.template.spec.containers[0].readinessProbe.initialDelaySeconds
+      value: 10
+    template: templates/deployment.yaml
+  - equal:
+      path: spec.template.spec.containers[0].readinessProbe.periodSeconds
+      value: 30
+    template: templates/deployment.yaml
+  - equal:
+      path: spec.template.spec.containers[0].readinessProbe.successThreshold
+      value: 5
+    template: templates/deployment.yaml
+  - equal:
+      path: spec.template.spec.containers[0].readinessProbe.timeoutSeconds
+      value: 5
+    template: templates/deployment.yaml
+  - contains:
+      path: spec.template.spec.containers[0].readinessProbe.exec.command
+      content: "5"
+    template: templates/deployment.yaml
 
 - it: Test custom resource limits and requests
   set:
@@ -242,7 +353,7 @@ tests:
           resourceFieldRef:
             divisor: "1"
             resource: limits.cpu
-    template: templates/athens-proxy/deployment.yaml
+    template: templates/deployment.yaml
   - equal:
       path: spec.template.spec.containers[0].resources
       value:
@@ -252,7 +363,7 @@ tests:
         requests:
           cpu: 25m
           memory: 100MB
-    template: templates/athens-proxy/deployment.yaml
+    template: templates/deployment.yaml
 
 - it: Test custom securityContext
   set:
@@ -282,7 +393,7 @@ tests:
         readOnlyRootFilesystem: true
         runAsNonRoot: true
         runAsUser: 1000
-    template: templates/athens-proxy/deployment.yaml
+    template: templates/deployment.yaml
 
 - it: Test dnsConfig
   set:
@@ -300,7 +411,7 @@ tests:
         nameservers:
         - "8.8.8.8"
         - "8.8.4.4"
-    template: templates/athens-proxy/deployment.yaml
+    template: templates/deployment.yaml
 
 - it: Test dnsPolicy
   set:
@@ -312,7 +423,7 @@ tests:
   - equal:
       path: spec.template.spec.dnsPolicy
       value: ClusterFirst
-    template: templates/athens-proxy/deployment.yaml
+    template: templates/deployment.yaml
 
 - it: Test hostNetwork, hostname, subdomain
   set:
@@ -326,15 +437,15 @@ tests:
   - equal:
       path: spec.template.spec.hostNetwork
       value: true
-    template: templates/athens-proxy/deployment.yaml
+    template: templates/deployment.yaml
   - equal:
       path: spec.template.spec.hostname
       value: pg-exporter
-    template: templates/athens-proxy/deployment.yaml
+    template: templates/deployment.yaml
   - equal:
       path: spec.template.spec.subdomain
       value: exporters.internal
-    template: templates/athens-proxy/deployment.yaml
+    template: templates/deployment.yaml
 
 - it: Test imagePullSecrets
   set:
@@ -350,7 +461,7 @@ tests:
       value:
       - name: my-pull-secret
       - name: my-special-secret
-    template: templates/athens-proxy/deployment.yaml
+    template: templates/deployment.yaml
 
 - it: Test nodeSelector
   set:
@@ -364,7 +475,7 @@ tests:
       path: spec.template.spec.nodeSelector
       value:
         foo: bar
-    template: templates/athens-proxy/deployment.yaml
+    template: templates/deployment.yaml
 
 - it: Test priorityClassName
   set:
@@ -376,7 +487,7 @@ tests:
   - equal:
       path: spec.template.spec.priorityClassName
       value: my-priority
-    template: templates/athens-proxy/deployment.yaml
+    template: templates/deployment.yaml
 
 - it: Test restartPolicy
   set:
@@ -388,7 +499,7 @@ tests:
   - equal:
       path: spec.template.spec.restartPolicy
       value: Always
-    template: templates/athens-proxy/deployment.yaml
+    template: templates/deployment.yaml
 
 - it: Test terminationGracePeriodSeconds
   set:
@@ -400,7 +511,7 @@ tests:
   - equal:
       path: spec.template.spec.terminationGracePeriodSeconds
       value: 120
-    template: templates/athens-proxy/deployment.yaml
+    template: templates/deployment.yaml
 
 - it: Test tolerations
   set:
@@ -420,7 +531,7 @@ tests:
         operator: Equal
         value: postgres
         effect: NoSchedule
-    template: templates/athens-proxy/deployment.yaml
+    template: templates/deployment.yaml
 
 - it: Test topologySpreadConstraints
   set:
@@ -442,7 +553,7 @@ tests:
         labelSelector:
           matchLabels:
             app.kubernetes.io/instance: athens-proxy
-    template: templates/athens-proxy/deployment.yaml
+    template: templates/deployment.yaml
 
 - it: Test additional volumeMounts and volumes
   set:
@@ -462,5 +573,11 @@ tests:
       value:
       - name: data
         mountPath: /usr/lib/athens-proxy/data
-    template: templates/athens-proxy/deployment.yaml
-
+    template: templates/deployment.yaml
+  - equal:
+      path: spec.template.spec.volumes
+      value:
+      - name: data
+        hostPath:
+          path: /usr/lib/athens-proxy/data
+    template: templates/deployment.yaml

unittests/deployments/downloadMode.yaml

@@ -0,0 +1,177 @@
+chart:
+  appVersion: 0.1.0
+  version: 0.1.0
+suite: Deployment template
+release:
+  name: athens-proxy-unittest
+  namespace: testing
+templates:
+- templates/configMapDownloadMode.yaml
+- templates/configMapGitConfig.yaml
+- templates/deployment.yaml
+- templates/secretNetRC.yaml
+- templates/secretSSH.yaml
+tests:
+- it: Rendering default without mounted download mode config map
+  asserts:
+    - notExists:
+        path: spec.template.metadata.annotations.checksum/config-map-athens-proxy-unittest-download-mode-file
+      template: templates/deployment.yaml
+    - notContains:
+        path: spec.template.spec.containers[0].env
+        content:
+          name: ATHENS_DOWNLOAD_MODE
+          value: file:/etc/athens/config/download-mode.d/download-mode
+      template: templates/deployment.yaml
+    - notContains:
+        path: spec.template.spec.containers[0].volumeMounts
+        content:
+          name: download-mode
+          mountPath: /etc/athens/config/download-mode.d
+      template: templates/deployment.yaml
+    - notContains:
+        path: spec.template.spec.volumes
+        content:
+          name: download-mode
+          configMap:
+            name: athens-proxy-unittest-download-mode-file
+      template: templates/deployment.yaml
+
+- it: Rendering default with mounted gitconfig configMap
+  set:
+    config.downloadMode.enabled: true
+    config.downloadMode.addSHASumAnnotation: true
+    persistence.enabled: true
+  asserts:
+    - exists:
+        path: spec.template.metadata.annotations.checksum/config-map-athens-proxy-unittest-download-mode-file
+      template: templates/deployment.yaml
+    - contains:
+        path: spec.template.spec.containers[0].env
+        content:
+          name: ATHENS_DOWNLOAD_MODE
+          value: file:/etc/athens/config/download-mode.d/download-mode
+      template: templates/deployment.yaml
+    - contains:
+        path: spec.template.spec.containers[0].volumeMounts
+        content:
+          name: download-mode
+          mountPath: /etc/athens/config/download-mode.d
+      template: templates/deployment.yaml
+    - contains:
+        path: spec.template.spec.volumes
+        content:
+          name: download-mode
+          configMap:
+            items:
+              - key: downloadMode
+                mode: 0644
+                path: download-mode
+            name: athens-proxy-unittest-download-mode-file
+      template: templates/deployment.yaml
+
+- it: Rendering default with mounted gitconfig configMap
+  set:
+    config.downloadMode.enabled: true
+    config.downloadMode.addSHASumAnnotation: false
+    persistence.enabled: true
+  asserts:
+    - notExists:
+        path: spec.template.metadata.annotations.checksum/config-map-athens-proxy-unittest-download-mode-file
+      template: templates/deployment.yaml
+    - contains:
+        path: spec.template.spec.containers[0].env
+        content:
+          name: ATHENS_DOWNLOAD_MODE
+          value: file:/etc/athens/config/download-mode.d/download-mode
+      template: templates/deployment.yaml
+    - contains:
+        path: spec.template.spec.containers[0].volumeMounts
+        content:
+          name: download-mode
+          mountPath: /etc/athens/config/download-mode.d
+      template: templates/deployment.yaml
+    - contains:
+        path: spec.template.spec.volumes
+        content:
+          name: download-mode
+          configMap:
+            items:
+              - key: downloadMode
+                mode: 0644
+                path: download-mode
+            name: athens-proxy-unittest-download-mode-file
+      template: templates/deployment.yaml
+
+
+- it: Rendering with custom download mode configMap
+  set:
+    config.downloadMode.enabled: true
+    config.downloadMode.addSHASumAnnotation: true
+    config.downloadMode.existingConfigMap.enabled: true
+    config.downloadMode.existingConfigMap.configMapName: "my-custom-configmap"
+    config.downloadMode.existingConfigMap.downloadModeKey: "my-custom-download-mode-filename-key"
+    persistence.enabled: true
+  asserts:
+    - exists:
+        path: spec.template.metadata.annotations.checksum/config-map-my-custom-configmap
+      template: templates/deployment.yaml
+    - contains:
+        path: spec.template.spec.containers[0].env
+        content:
+          name: ATHENS_DOWNLOAD_MODE
+          value: file:/etc/athens/config/download-mode.d/download-mode
+      template: templates/deployment.yaml
+    - contains:
+        path: spec.template.spec.containers[0].volumeMounts
+        content:
+          name: download-mode
+          mountPath: /etc/athens/config/download-mode.d
+      template: templates/deployment.yaml
+    - contains:
+        path: spec.template.spec.volumes
+        content:
+          name: download-mode
+          configMap:
+            items:
+            - key: "my-custom-download-mode-filename-key"
+              path: "download-mode"
+              mode: 0644
+            name: my-custom-configmap
+      template: templates/deployment.yaml
+
+- it: Rendering with custom download mode configMap, but without sha sum annotation
+  set:
+    config.downloadMode.enabled: true
+    config.downloadMode.addSHASumAnnotation: false
+    config.downloadMode.existingConfigMap.enabled: true
+    config.downloadMode.existingConfigMap.configMapName: "my-custom-configmap"
+    config.downloadMode.existingConfigMap.downloadModeKey: "my-custom-download-mode-filename-key"
+    persistence.enabled: true
+  asserts:
+    - notExists:
+        path: spec.template.metadata.annotations.checksum/config-map-my-custom-configmap
+      template: templates/deployment.yaml
+    - contains:
+        path: spec.template.spec.containers[0].env
+        content:
+          name: ATHENS_DOWNLOAD_MODE
+          value: file:/etc/athens/config/download-mode.d/download-mode
+      template: templates/deployment.yaml
+    - contains:
+        path: spec.template.spec.containers[0].volumeMounts
+        content:
+          name: download-mode
+          mountPath: /etc/athens/config/download-mode.d
+      template: templates/deployment.yaml
+    - contains:
+        path: spec.template.spec.volumes
+        content:
+          name: download-mode
+          configMap:
+            items:
+            - key: "my-custom-download-mode-filename-key"
+              path: "download-mode"
+              mode: 0644
+            name: my-custom-configmap
+      template: templates/deployment.yaml

unittests/deployments/env.yaml

@@ -0,0 +1,84 @@
+chart:
+  appVersion: 0.1.0
+  version: 0.1.0
+suite: Deployment template
+release:
+  name: athens-proxy-unittest
+  namespace: testing
+templates:
+- templates/deployment.yaml
+- templates/secretEnv.yaml
+tests:
+- it: Rendering default without mounted env secret
+  asserts:
+    - notExists:
+        path: spec.template.metadata.annotations.checksum/secret-athens-proxy-unittest-env
+      template: templates/deployment.yaml
+    - notContains:
+        path: spec.template.spec.containers[0].envFrom
+        content:
+          secretRef:
+            name: athens-proxy-unittest-env
+      template: templates/deployment.yaml
+
+- it: Rendering default with mounted env secret
+  set:
+    config.env.enabled: true
+  asserts:
+    - exists:
+        path: spec.template.metadata.annotations.checksum/secret-athens-proxy-unittest-env
+      template: templates/deployment.yaml
+    - contains:
+        path: spec.template.spec.containers[0].envFrom
+        content:
+          secretRef:
+            name: athens-proxy-unittest-env
+      template: templates/deployment.yaml
+
+- it: Rendering default with mounted env secret, but without sha sum annotation
+  set:
+    config.env.enabled: true
+    config.env.addSHASumAnnotation: false
+  asserts:
+    - notExists:
+        path: spec.template.metadata.annotations.checksum/secret-athens-proxy-unittest-env
+      template: templates/deployment.yaml
+    - contains:
+        path: spec.template.spec.containers[0].envFrom
+        content:
+          secretRef:
+            name: athens-proxy-unittest-env
+      template: templates/deployment.yaml
+
+- it: Rendering default with mounted existing env secret
+  set:
+    config.env.enabled: true
+    config.env.existingSecret.enabled: true
+    config.env.existingSecret.secretName: my-secret
+  asserts:
+    - exists:
+        path: spec.template.metadata.annotations.checksum/secret-my-secret
+      template: templates/deployment.yaml
+    - contains:
+        path: spec.template.spec.containers[0].envFrom
+        content:
+          secretRef:
+            name: my-secret
+      template: templates/deployment.yaml
+
+- it: Rendering default with mounted existing env secret, but without sha sum annotation
+  set:
+    config.env.enabled: true
+    config.env.addSHASumAnnotation: false
+    config.env.existingSecret.enabled: true
+    config.env.existingSecret.secretName: my-secret
+  asserts:
+    - notExists:
+        path: spec.template.metadata.annotations.checksum/secret-my-secret
+      template: templates/deployment.yaml
+    - contains:
+        path: spec.template.spec.containers[0].envFrom
+        content:
+          secretRef:
+            name: my-secret
+      template: templates/deployment.yaml

unittests/deployments/gitConfig.yaml

@@ -0,0 +1,165 @@
+chart:
+  appVersion: 0.1.0
+  version: 0.1.0
+suite: Deployment template
+release:
+  name: athens-proxy-unittest
+  namespace: testing
+templates:
+- templates/configMapDownloadMode.yaml
+- templates/configMapGitConfig.yaml
+- templates/deployment.yaml
+- templates/secretNetRC.yaml
+- templates/secretSSH.yaml
+tests:
+- it: Rendering default without mounted git config map
+  asserts:
+    - notExists:
+        path: spec.template.metadata.annotations.checksum/config-map-athens-proxy-unittest-gitconfig
+      template: templates/deployment.yaml
+    - notContains:
+        path: spec.template.spec.containers[0].volumeMounts
+        content:
+          name: secrets
+          mountPath: /root/.gitconfig
+          subPath: .gitconfig
+      template: templates/deployment.yaml
+    - notContains:
+        path: spec.template.spec.volumes
+        content:
+          name: secrets
+          projected:
+            sources:
+            - configMap:
+                items:
+                - key: .gitconfig
+                  path: .gitconfig
+                  mode: 0600
+                name: athens-proxy-unittest-gitconfig
+      template: templates/deployment.yaml
+
+- it: Rendering default with mounted gitconfig configMap
+  set:
+    config.gitConfig.enabled: true
+    config.gitConfig.addSHASumAnnotation: true
+    persistence.enabled: true
+  asserts:
+    - exists:
+        path: spec.template.metadata.annotations.checksum/config-map-athens-proxy-unittest-gitconfig
+      template: templates/deployment.yaml
+    - contains:
+        path: spec.template.spec.containers[0].volumeMounts
+        content:
+          name: secrets
+          mountPath: /root/.gitconfig
+          subPath: .gitconfig
+      template: templates/deployment.yaml
+    - contains:
+        path: spec.template.spec.volumes
+        content:
+          name: secrets
+          projected:
+            sources:
+            - configMap:
+                items:
+                - key: .gitconfig
+                  path: .gitconfig
+                  mode: 0644
+                name: athens-proxy-unittest-gitconfig
+      template: templates/deployment.yaml
+
+- it: Rendering default with mounted gitconfig configMap, but without sha sum annotation
+  set:
+    config.gitConfig.enabled: true
+    config.gitConfig.addSHASumAnnotation: false
+    persistence.enabled: true
+  asserts:
+    - notExists:
+        path: spec.template.metadata.annotations.checksum/config-map-athens-proxy-unittest-gitconfig
+      template: templates/deployment.yaml
+    - contains:
+        path: spec.template.spec.containers[0].volumeMounts
+        content:
+          name: secrets
+          mountPath: /root/.gitconfig
+          subPath: .gitconfig
+      template: templates/deployment.yaml
+    - contains:
+        path: spec.template.spec.volumes
+        content:
+          name: secrets
+          projected:
+            sources:
+            - configMap:
+                items:
+                - key: .gitconfig
+                  path: .gitconfig
+                  mode: 0644
+                name: athens-proxy-unittest-gitconfig
+      template: templates/deployment.yaml
+
+- it: Rendering with custom gitconfig configMap
+  set:
+    config.gitConfig.enabled: true
+    config.gitConfig.addSHASumAnnotation: true
+    config.gitConfig.existingConfigMap.enabled: true
+    config.gitConfig.existingConfigMap.configMapName: "my-custom-configmap"
+    config.gitConfig.existingConfigMap.gitConfigKey: "my-gitconfig-key"
+    persistence.enabled: true
+  asserts:
+    - exists:
+        path: spec.template.metadata.annotations.checksum/config-map-my-custom-configmap
+      template: templates/deployment.yaml
+    - contains:
+        path: spec.template.spec.containers[0].volumeMounts
+        content:
+          name: secrets
+          mountPath: /root/.gitconfig
+          subPath: .gitconfig
+      template: templates/deployment.yaml
+    - contains:
+        path: spec.template.spec.volumes
+        content:
+          name: secrets
+          projected:
+            sources:
+            - configMap:
+                items:
+                - key: my-gitconfig-key
+                  path: .gitconfig
+                  mode: 0644
+                name: my-custom-configmap
+      template: templates/deployment.yaml
+
+- it: Rendering with custom gitconfig configMap, but without sha sum annotations
+  set:
+    config.gitConfig.enabled: true
+    config.gitConfig.addSHASumAnnotation: false
+    config.gitConfig.existingConfigMap.enabled: true
+    config.gitConfig.existingConfigMap.configMapName: "my-custom-configmap"
+    config.gitConfig.existingConfigMap.gitConfigKey: "my-gitconfig-key"
+    persistence.enabled: true
+  asserts:
+    - notExists:
+        path: spec.template.metadata.annotations.checksum/config-map-my-custom-configmap
+      template: templates/deployment.yaml
+    - contains:
+        path: spec.template.spec.containers[0].volumeMounts
+        content:
+          name: secrets
+          mountPath: /root/.gitconfig
+          subPath: .gitconfig
+      template: templates/deployment.yaml
+    - contains:
+        path: spec.template.spec.volumes
+        content:
+          name: secrets
+          projected:
+            sources:
+            - configMap:
+                items:
+                - key: my-gitconfig-key
+                  path: .gitconfig
+                  mode: 0644
+                name: my-custom-configmap
+      template: templates/deployment.yaml

unittests/deployments/netrc.yaml

@@ -0,0 +1,164 @@
+chart:
+  appVersion: 0.1.0
+  version: 0.1.0
+suite: Deployment template
+release:
+  name: athens-proxy-unittest
+  namespace: testing
+templates:
+- templates/configMapDownloadMode.yaml
+- templates/configMapGitConfig.yaml
+- templates/deployment.yaml
+- templates/secretNetRC.yaml
+- templates/secretSSH.yaml
+tests:
+- it: Rendering default without mounted netrc secret
+  asserts:
+    - notExists:
+        path: spec.template.metadata.annotations.checksum/secret-athens-proxy-unittest-netrc
+      template: templates/deployment.yaml
+    - notContains:
+        path: spec.template.spec.containers[0].volumeMounts
+        content:
+          name: netrc
+          mountPath: /root
+      template: templates/deployment.yaml
+    - notContains:
+        path: spec.template.spec.volumes
+        content:
+          name: secrets
+          projected:
+            sources:
+            - secret:
+                items:
+                - key: .netrc
+                  path: .netrc
+                  mode: 0600
+                name: athens-proxy-unittest-netrc
+      template: templates/deployment.yaml
+
+- it: Rendering default with mounted netrc secret
+  set:
+    config.netrc.enabled: true
+    config.netrc.addSHASumAnnotation: true
+    persistence.enabled: true
+  asserts:
+    - exists:
+        path: spec.template.metadata.annotations.checksum/secret-athens-proxy-unittest-netrc
+      template: templates/deployment.yaml
+    - contains:
+        path: spec.template.spec.containers[0].volumeMounts
+        content:
+          name: secrets
+          mountPath: /root/.netrc
+          subPath: .netrc
+      template: templates/deployment.yaml
+    - contains:
+        path: spec.template.spec.volumes
+        content:
+          name: secrets
+          projected:
+            sources:
+            - secret:
+                items:
+                - key: .netrc
+                  path: .netrc
+                  mode: 0600
+                name: athens-proxy-unittest-netrc
+      template: templates/deployment.yaml
+
+- it: Rendering default with mounted netrc secret, but without sha sum annotation
+  set:
+    config.netrc.enabled: true
+    config.netrc.addSHASumAnnotation: false
+    persistence.enabled: true
+  asserts:
+    - notExists:
+        path: spec.template.metadata.annotations.checksum/secret-athens-proxy-unittest-netrc
+      template: templates/deployment.yaml
+    - contains:
+        path: spec.template.spec.containers[0].volumeMounts
+        content:
+          name: secrets
+          mountPath: /root/.netrc
+          subPath: .netrc
+      template: templates/deployment.yaml
+    - contains:
+        path: spec.template.spec.volumes
+        content:
+          name: secrets
+          projected:
+            sources:
+            - secret:
+                items:
+                - key: .netrc
+                  path: .netrc
+                  mode: 0600
+                name: athens-proxy-unittest-netrc
+      template: templates/deployment.yaml
+
+- it: Rendering with custom netrc secret
+  set:
+    config.netrc.enabled: true
+    config.netrc.addSHASumAnnotation: true
+    config.netrc.existingSecret.enabled: true
+    config.netrc.existingSecret.secretName: "my-custom-secret"
+    config.netrc.existingSecret.netrcKey: "my-netrc-key"
+    persistence.enabled: true
+  asserts:
+    - exists:
+        path: spec.template.metadata.annotations.checksum/secret-my-custom-secret
+      template: templates/deployment.yaml
+    - contains:
+        path: spec.template.spec.containers[0].volumeMounts
+        content:
+          name: secrets
+          mountPath: /root/.netrc
+          subPath: .netrc
+      template: templates/deployment.yaml
+    - contains:
+        path: spec.template.spec.volumes
+        content:
+          name: secrets
+          projected:
+            sources:
+            - secret:
+                items:
+                - key: my-netrc-key
+                  path: .netrc
+                  mode: 0600
+                name: my-custom-secret
+      template: templates/deployment.yaml
+
+- it: Rendering with custom netrc secret, but without sha sum annotation
+  set:
+    config.netrc.enabled: true
+    config.netrc.addSHASumAnnotation: false
+    config.netrc.existingSecret.enabled: true
+    config.netrc.existingSecret.secretName: "my-custom-secret"
+    config.netrc.existingSecret.netrcKey: "my-netrc-key"
+    persistence.enabled: true
+  asserts:
+    - notExists:
+        path: spec.template.metadata.annotations.checksum/secret-my-custom-secret
+      template: templates/deployment.yaml
+    - contains:
+        path: spec.template.spec.containers[0].volumeMounts
+        content:
+          name: secrets
+          mountPath: /root/.netrc
+          subPath: .netrc
+      template: templates/deployment.yaml
+    - contains:
+        path: spec.template.spec.volumes
+        content:
+          name: secrets
+          projected:
+            sources:
+            - secret:
+                items:
+                - key: my-netrc-key
+                  path: .netrc
+                  mode: 0600
+                name: my-custom-secret
+      template: templates/deployment.yaml

unittests/deployments/persistentVolumeClaim.yaml

@@ -6,7 +6,11 @@ release:
   name: athens-proxy-unittest
   namespace: testing
 templates:
-- templates/athens-proxy/deployment.yaml
+- templates/configMapDownloadMode.yaml
+- templates/configMapGitConfig.yaml
+- templates/deployment.yaml
+- templates/secretNetRC.yaml
+- templates/secretSSH.yaml
 tests:
 - it: Test persistent volume claim
   set:
@@ -17,26 +21,26 @@ tests:
         content:
           name: ATHENS_STORAGE_TYPE
           value: disk
-      template: templates/athens-proxy/deployment.yaml
+      template: templates/deployment.yaml
     - contains:
         path: spec.template.spec.containers[0].env
         content:
           name: ATHENS_DISK_STORAGE_ROOT
           value: /var/www/athens-proxy/data
-      template: templates/athens-proxy/deployment.yaml
+      template: templates/deployment.yaml
     - contains:
         path: spec.template.spec.containers[0].volumeMounts
         content:
           name: data
           mountPath: /var/www/athens-proxy/data
-      template: templates/athens-proxy/deployment.yaml
+      template: templates/deployment.yaml
     - contains:
         path: spec.template.spec.volumes
         content:
           name: data
           persistentVolumeClaim:
             claimName: athens-proxy-unittest-data
-      template: templates/athens-proxy/deployment.yaml
+      template: templates/deployment.yaml
 
 - it: Test existing persistent volume claim
   set:
@@ -51,23 +55,23 @@ tests:
         content:
           name: ATHENS_STORAGE_TYPE
           value: disk
-      template: templates/athens-proxy/deployment.yaml
+      template: templates/deployment.yaml
     - contains:
         path: spec.template.spec.containers[0].env
         content:
           name: ATHENS_DISK_STORAGE_ROOT
           value: /mnt/go-proxy/data
-      template: templates/athens-proxy/deployment.yaml
+      template: templates/deployment.yaml
     - contains:
         path: spec.template.spec.containers[0].volumeMounts
         content:
           name: data
           mountPath: /mnt/go-proxy/data
-      template: templates/athens-proxy/deployment.yaml
+      template: templates/deployment.yaml
     - contains:
         path: spec.template.spec.volumes
         content:
           name: data
           persistentVolumeClaim:
             claimName: my-special-pvc
-      template: templates/athens-proxy/deployment.yaml
+      template: templates/deployment.yaml

unittests/deployments/ssh.yaml

@@ -0,0 +1,267 @@
+chart:
+  appVersion: 0.1.0
+  version: 0.1.0
+suite: Deployment template
+release:
+  name: athens-proxy-unittest
+  namespace: testing
+templates:
+- templates/configMapDownloadMode.yaml
+- templates/configMapGitConfig.yaml
+- templates/deployment.yaml
+- templates/secretNetRC.yaml
+- templates/secretSSH.yaml
+tests:
+- it: Rendering default without mounted ssh secret
+  asserts:
+    - notExists:
+        path: spec.template.metadata.annotations.checksum/secret-athens-proxy-unittest-ssh
+      template: templates/deployment.yaml
+    - notContains:
+        path: spec.template.spec.containers[0].volumeMounts
+        content:
+          name: secrets
+          mountPath: /root/.ssh/config
+          subPath: config
+      template: templates/deployment.yaml
+    - notContains:
+        path: spec.template.spec.containers[0].volumeMounts
+        content:
+          name: secrets
+          mountPath: /root/.ssh/id_ed25519
+          subPath: id_ed25519
+      template: templates/deployment.yaml
+    - notContains:
+        path: spec.template.spec.containers[0].volumeMounts
+        content:
+          name: secrets
+          mountPath: /root/.ssh/id_ed25519.pub
+          subPath: id_ed25519.pub
+      template: templates/deployment.yaml
+    - notContains:
+        path: spec.template.spec.containers[0].volumeMounts
+        content:
+          name: secrets
+          mountPath: /root/.ssh/id_rsa
+          subPath: id_rsa
+      template: templates/deployment.yaml
+    - notContains:
+        path: spec.template.spec.containers[0].volumeMounts
+        content:
+          name: secrets
+          mountPath: /root/.ssh/id_rsa.pub
+          subPath: id_rsa.pub
+      template: templates/deployment.yaml
+    - notContains:
+        path: spec.template.spec.volumes
+        content:
+          name: secrets
+          projected:
+            sources:
+            - secret:
+                items:
+                - key: config
+                  path: config
+                  mode: 0644
+                - key: id_ed25519
+                  path: id_ed25519
+                  mode: 0600
+                - key: id_ed25519.pub
+                  path: id_ed25519.pub
+                  mode: 0644
+                - key: id_rsa
+                  path: id_rsa
+                  mode: 0600
+                - key: id_rsa.pub
+                  path: id_rsa.pub
+                  mode: 0644
+                name: athens-proxy-unittest-ssh
+      template: templates/deployment.yaml
+
+- it: Rendering default with mounted ssh config
+  set:
+    config.ssh.enabled: true
+    persistence.enabled: true
+  asserts:
+    - contains:
+        path: spec.template.spec.containers[0].volumeMounts
+        content:
+          name: secrets
+          mountPath: /root/.ssh/config
+          subPath: config
+      template: templates/deployment.yaml
+    - contains:
+        path: spec.template.spec.volumes
+        content:
+          name: secrets
+          projected:
+            sources:
+            - secret:
+                items:
+                - key: config
+                  path: config
+                  mode: 0600
+                name: athens-proxy-unittest-ssh
+      template: templates/deployment.yaml
+
+- it: Rendering default with mounted ssh keys
+  set:
+    config.ssh.enabled: true
+    config.ssh.addSHASumAnnotation: true
+    config.ssh.secret.id_ed25519: foo
+    config.ssh.secret.id_ed25519_pub: bar
+    config.ssh.secret.id_rsa: foo
+    config.ssh.secret.id_rsa_pub: bar
+    persistence.enabled: true
+  asserts:
+    - exists:
+        path: spec.template.metadata.annotations.checksum/secret-athens-proxy-unittest-ssh
+      template: templates/deployment.yaml
+    - contains:
+        path: spec.template.spec.containers[0].volumeMounts
+        content:
+          name: secrets
+          mountPath: /root/.ssh/config
+          subPath: config
+      template: templates/deployment.yaml
+    - contains:
+        path: spec.template.spec.containers[0].volumeMounts
+        content:
+          name: secrets
+          mountPath: /root/.ssh/id_ed25519
+          subPath: id_ed25519
+      template: templates/deployment.yaml
+    - contains:
+        path: spec.template.spec.containers[0].volumeMounts
+        content:
+          name: secrets
+          mountPath: /root/.ssh/id_ed25519.pub
+          subPath: id_ed25519.pub
+      template: templates/deployment.yaml
+    - contains:
+        path: spec.template.spec.containers[0].volumeMounts
+        content:
+          name: secrets
+          mountPath: /root/.ssh/id_rsa
+          subPath: id_rsa
+      template: templates/deployment.yaml
+    - contains:
+        path: spec.template.spec.containers[0].volumeMounts
+        content:
+          name: secrets
+          mountPath: /root/.ssh/id_rsa.pub
+          subPath: id_rsa.pub
+      template: templates/deployment.yaml
+    - contains:
+        path: spec.template.spec.volumes
+        content:
+          name: secrets
+          projected:
+            sources:
+            - secret:
+                items:
+                - key: config
+                  path: config
+                  mode: 0600
+                - key: id_ed25519
+                  path: id_ed25519
+                  mode: 0600
+                - key: id_ed25519.pub
+                  path: id_ed25519.pub
+                  mode: 0644
+                - key: id_rsa
+                  path: id_rsa
+                  mode: 0600
+                - key: id_rsa.pub
+                  path: id_rsa.pub
+                  mode: 0644
+                name: athens-proxy-unittest-ssh
+      template: templates/deployment.yaml
+
+- it: Rendering with custom ssh secret
+  set:
+    config.ssh.enabled: true
+    config.ssh.addSHASumAnnotation: true
+    config.ssh.existingSecret.enabled: true
+    config.ssh.existingSecret.secretName: "my-custom-secret"
+    config.ssh.existingSecret.configKey : "my-config-key"
+    config.ssh.existingSecret.id_ed25519Key : "my-private-ed25519-key"
+    config.ssh.existingSecret.id_ed25519PubKey : "my-public-ed25519-key"
+    config.ssh.existingSecret.id_rsaKey : "my-private-rsa-key"
+    config.ssh.existingSecret.id_rsaPubKey : "my-public-rsa-key"
+    persistence.enabled: true
+  asserts:
+    - exists:
+        path: spec.template.metadata.annotations.checksum/secret-my-custom-secret
+      template: templates/deployment.yaml
+    - contains:
+        path: spec.template.spec.containers[0].volumeMounts
+        content:
+          name: secrets
+          mountPath: /root/.ssh/config
+          subPath: config
+      template: templates/deployment.yaml
+    - contains:
+        path: spec.template.spec.containers[0].volumeMounts
+        content:
+          name: secrets
+          mountPath: /root/.ssh/id_ed25519
+          subPath: id_ed25519
+      template: templates/deployment.yaml
+    - contains:
+        path: spec.template.spec.containers[0].volumeMounts
+        content:
+          name: secrets
+          mountPath: /root/.ssh/id_ed25519.pub
+          subPath: id_ed25519.pub
+      template: templates/deployment.yaml
+    - contains:
+        path: spec.template.spec.containers[0].volumeMounts
+        content:
+          name: secrets
+          mountPath: /root/.ssh/id_rsa
+          subPath: id_rsa
+      template: templates/deployment.yaml
+    - contains:
+        path: spec.template.spec.containers[0].volumeMounts
+        content:
+          name: secrets
+          mountPath: /root/.ssh/id_rsa.pub
+          subPath: id_rsa.pub
+      template: templates/deployment.yaml
+    - contains:
+        path: spec.template.spec.volumes
+        content:
+          name: secrets
+          projected:
+            sources:
+            - secret:
+                items:
+                - key: my-config-key
+                  path: config
+                  mode: 0600
+                - key: my-private-ed25519-key
+                  path: id_ed25519
+                  mode: 0600
+                - key: my-public-ed25519-key
+                  path: id_ed25519.pub
+                  mode: 0644
+                - key: my-private-rsa-key
+                  path: id_rsa
+                  mode: 0600
+                - key: my-public-rsa-key
+                  path: id_rsa.pub
+                  mode: 0644
+                name: my-custom-secret
+      template: templates/deployment.yaml
+
+- it: Rendering with custom ssh secret, but without sha sum annotation
+  set:
+    config.ssh.enabled: true
+    config.ssh.addSHASumAnnotation: false
+    config.ssh.existingSecret.enabled: true
+    config.ssh.existingSecret.secretName: "my-custom-secret"
+  asserts:
+    - notExists:
+        path: spec.template.metadata.annotations.checksum/secret-my-custom-secret
+      template: templates/deployment.yaml

unittests/hpa/default.yaml

@@ -6,7 +6,7 @@ release:
   name: athens-proxy-unittest
   namespace: testing
 templates:
-- templates/athens-proxy/hpa.yaml
+- templates/hpa.yaml
 tests:
 - it: Skip rendering by default.
   asserts:

unittests/httpRoutes/httpRoute.yaml

@@ -0,0 +1,194 @@
+chart:
+  appVersion: 0.1.0
+  version: 0.1.0
+suite: HTTPRoute template
+release:
+  name: athens-proxy-unittest
+  namespace: testing
+templates:
+- templates/httpRoute.yaml
+tests:
+- it: Skip rendering when disabled 1/6
+  set:
+    gatewayAPI.enabled: false
+    gatewayAPI.core.httpRoute.enabled: false
+    service.enabled: false
+  asserts:
+  - hasDocuments:
+      count: 0
+
+- it: Skip rendering when disabled 2/6
+  set:
+    gatewayAPI.enabled: true
+    gatewayAPI.core.httpRoute.enabled: false
+    service.enabled: false
+  asserts:
+  - hasDocuments:
+      count: 0
+
+- it: Skip rendering when disabled 3/6
+  set:
+    gatewayAPI.enabled: false
+    gatewayAPI.core.httpRoute.enabled: true
+    service.enabled: false
+  asserts:
+  - hasDocuments:
+      count: 0
+
+- it: Skip rendering when disabled 4/6
+  set:
+    gatewayAPI.enabled: false
+    gatewayAPI.core.httpRoute.enabled: false
+    service.enabled: true
+  asserts:
+  - hasDocuments:
+      count: 0
+
+- it: Skip rendering when disabled 5/6
+  set:
+    gatewayAPI.enabled: true
+    gatewayAPI.core.httpRoute.enabled: false
+    service.enabled: true
+  asserts:
+  - hasDocuments:
+      count: 0
+
+- it: Skip rendering when disabled 6/6
+  set:
+    gatewayAPI.enabled: true
+    gatewayAPI.core.httpRoute.enabled: true
+    service.enabled: false
+  asserts:
+  - hasDocuments:
+      count: 0
+
+- it: Rendering default values
+  set:
+    gatewayAPI.enabled: true
+    gatewayAPI.core.httpRoute.enabled: true
+    service.enabled: true
+  asserts:
+  - hasDocuments:
+      count: 1
+  - containsDocument:
+      apiVersion: gateway.networking.k8s.io/v1
+      kind: HTTPRoute
+      name: athens-proxy-unittest
+      namespace: testing
+  - notExists:
+      path: metadata.annotations
+  - equal:
+      path: metadata.labels
+      value:
+        app.kubernetes.io/instance: athens-proxy-unittest
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: athens-proxy
+        app.kubernetes.io/version: 0.1.0
+        helm.sh/chart: athens-proxy-0.1.0
+  - notExists:
+      path: spec.hostnames
+  - notExists:
+      path: spec.parentRefs
+  - contains:
+      path: spec.rules[0].backendRefs
+      content:
+        kind: Service
+        name: athens-proxy-unittest
+        namespace: testing
+        port: 3000
+        weight: 1
+  - contains:
+      path: spec.rules[0].matches
+      content:
+        path:
+          type: PathPrefix
+          value: /
+
+- it: Rendering custom annotations and labels
+  set:
+    gatewayAPI.enabled: true
+    gatewayAPI.core.httpRoute:
+      enabled: true
+      annotations:
+        foo: bar
+      labels:
+        bar: foo
+    service.enabled: true
+  asserts:
+  - hasDocuments:
+      count: 1
+  - equal:
+      path: metadata.annotations
+      value:
+        foo: bar
+  - equal:
+      path: metadata.labels
+      value:
+        app.kubernetes.io/instance: athens-proxy-unittest
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: athens-proxy
+        app.kubernetes.io/version: 0.1.0
+        bar: foo
+        helm.sh/chart: athens-proxy-0.1.0
+
+- it: Rendering custom service port
+  set:
+    gatewayAPI.enabled: true
+    gatewayAPI.core.httpRoute.enabled: true
+    service:
+      enabled: true
+      port: 9090
+  asserts:
+  - equal:
+      path: spec.rules[0].backendRefs[0].port
+      value: 9090
+
+- it: Rendering custom matches
+  set:
+    gatewayAPI.enabled: true
+    gatewayAPI.core.httpRoute:
+      enabled: true
+      matches:
+      - path:
+          type: PathPrefix
+          value: /foo
+    service.enabled: true
+  asserts:
+  - contains:
+      path: spec.rules[0].matches
+      content:
+        path:
+          type: PathPrefix
+          value: /foo
+
+- it: Rendering custom hostnames and parentRefs
+  set:
+    gatewayAPI.enabled: true
+    gatewayAPI.core.httpRoute:
+      enabled: true
+      hostnames:
+      - athens-proxy.example.local
+      parentRefs:
+      - name: gateway
+        namespace: testing
+        kind: Gateway
+        sectionName: athens-proxy-debug-gateway
+    service.enabled: true
+  asserts:
+  - lengthEqual:
+      path: spec.hostnames
+      count: 1
+  - contains:
+      path: spec.hostnames
+      content:
+        athens-proxy.example.local
+  - lengthEqual:
+      path: spec.parentRefs
+      count: 1
+  - contains:
+      path: spec.parentRefs
+      content:
+        name: gateway
+        namespace: testing
+        kind: Gateway
+        sectionName: athens-proxy-debug-gateway

unittests/ingresses/ingress.yaml

@@ -6,7 +6,7 @@ release:
   name: athens-proxy-unittest
   namespace: testing
 templates:
-- templates/athens-proxy/ingress.yaml
+- templates/ingress.yaml
 tests:
 - it: Skip ingress by default.
   asserts:
@@ -15,7 +15,7 @@ tests:
 
 - it: Skip ingress, when service is disabled.
   set:
-    services.http.enabled: false
+    service.enabled: false
     ingress.enabled: true
   asserts:
   - hasDocuments:
@@ -65,7 +65,7 @@ tests:
             pathType: Prefix
             backend:
               service:
-                name: athens-proxy-unittest-http
+                name: athens-proxy-unittest
                 port:
                   number: 3000
   - contains:
@@ -92,7 +92,7 @@ tests:
     - secretName: athens-proxy-http-tls
       hosts:
       - athens-proxy.example.local
-    services.http.port: 8080
+    service.port: 8080
 
   asserts:
   - hasDocuments:
@@ -128,7 +128,7 @@ tests:
             pathType: Prefix
             backend:
               service:
-                name: athens-proxy-unittest-http
+                name: athens-proxy-unittest
                 port:
                   number: 8080
   - contains:

unittests/networkPolicies/networkPolicy.yaml

@@ -1,49 +1,30 @@
 chart:
   appVersion: 0.1.0
   version: 0.1.0
-suite: NetworkPolicies template
+suite: NetworkPolicy template
 release:
   name: athens-proxy-unittest
   namespace: testing
 templates:
-- templates/athens-proxy/networkPolicies.yaml
+- templates/networkPolicy.yaml
 tests:
-- it: Skip networkPolicies in general disabled.
+- it: Skip rendering networkPolicy
   set:
-    networkPolicies.enabled: false
+    networkPolicy.enabled: false
   asserts:
   - hasDocuments:
       count: 0
 
-- it: Skip networkPolicy 'default' when disabled.
+- it: Render default networkPolicy
   set:
-    networkPolicies.enabled: true
-    networkPolicies.default.enabled: false
+    networkPolicy.enabled: true
   asserts:
   - hasDocuments:
-      count: 0
-
-- it: Loop over networkPolicies
-  set:
-    networkPolicies.enabled: true
-    networkPolicies.default.enabled: false
-    networkPolicies.nginx.enabled: true
-    networkPolicies.prometheus.enabled: true
-  asserts:
-  - hasDocuments:
-      count: 2
-
-- it: Template networkPolicy 'default' without policyTypes, egress and ingress configuration
-  set:
-    networkPolicies.enabled: true
-    networkPolicies.default.enabled: true
-  asserts:
-  - hasDocuments:
-      count: 1
+      count:  1
   - containsDocument:
       apiVersion: networking.k8s.io/v1
       kind: NetworkPolicy
-      name: athens-proxy-unittest-default
+      name: athens-proxy-unittest
       namespace: testing
   - notExists:
       path: metadata.annotations
@@ -67,29 +48,28 @@ tests:
   - notExists:
       path: spec.ingress
 
-- it: Template networkPolicy 'default' with policyTypes, egress and ingress configuration
+- it: Template networkPolicy with policyTypes, egress and ingress configuration
   set:
-    networkPolicies.enabled: true
-    networkPolicies.default.enabled: true
-    networkPolicies.default.policyTypes:
+    networkPolicy.enabled: true
+    networkPolicy.policyTypes:
     - Egress
     - Ingress
-    networkPolicies.default.ingress:
+    networkPolicy.ingress:
     - from:
       - namespaceSelector:
           matchLabels:
-            kubernetes.io/metadata.name: khv-production
+            kubernetes.io/metadata.name: monitoring
         podSelector:
           matchLabels:
             app.kubernetes.io/name: prometheus
-    networkPolicies.default.egress:
+    networkPolicy.egress:
     - to:
       - namespaceSelector:
           matchLabels:
-            kubernetes.io/metadata.name: database
+            kubernetes.io/metadata.name: ingress-nginx
         podSelector:
           matchLabels:
-            app.kubernetes.io/name: oracle
+            app.kubernetes.io/name: ingress-nginx
   asserts:
   - equal:
       path: spec.policyTypes
@@ -102,17 +82,17 @@ tests:
       - to:
         - namespaceSelector:
             matchLabels:
-              kubernetes.io/metadata.name: database
+              kubernetes.io/metadata.name: ingress-nginx
           podSelector:
             matchLabels:
-              app.kubernetes.io/name: oracle
+              app.kubernetes.io/name: ingress-nginx
   - equal:
       path: spec.ingress
       value:
       - from:
         - namespaceSelector:
             matchLabels:
-              kubernetes.io/metadata.name: khv-production
+              kubernetes.io/metadata.name: monitoring
           podSelector:
             matchLabels:
               app.kubernetes.io/name: prometheus

unittests/persistentVolumeClaims/persistentVolumeClaim.yaml

@@ -6,7 +6,7 @@ release:
   name: athens-proxy-unittest
   namespace: testing
 templates:
-- templates/athens-proxy/persistentVolumeClaim.yaml
+- templates/persistentVolumeClaim.yaml
 tests:
 - it: Rendering default
   asserts:

unittests/secrets/env.yaml

@@ -6,16 +6,24 @@ release:
   name: athens-proxy-unittest
   namespace: testing
 templates:
-- templates/athens-proxy/secretEnv.yaml
+- templates/secretEnv.yaml
 tests:
+- it: Skip rendering by default
+  asserts:
+  - hasDocuments:
+      count: 0
+
 - it: Skip rendering by using existing secret.
   set:
+    config.env.enabled: true
     config.env.existingSecret.enabled: true
   asserts:
   - hasDocuments:
       count: 0
 
 - it: Rendering env secret with default values.
+  set:
+    config.env.enabled: true
   asserts:
   - hasDocuments:
       count: 1
@@ -39,6 +47,7 @@ tests:
 
 - it: Rendering env secret with custom values.
   set:
+    config.env.enabled: true
     config.env.secret.envs.ATHENS_GITHUB_TOKEN: my-secret-token
   asserts:
   - isSubset:
@@ -48,6 +57,7 @@ tests:
 
 - it: Rendering custom annotations and labels.
   set:
+    config.env.enabled: true
     config.env.secret.annotations:
       foo: bar
       bar: foo

unittests/secrets/netrc.yaml

@@ -6,7 +6,7 @@ release:
   name: athens-proxy-unittest
   namespace: testing
 templates:
-- templates/athens-proxy/secretNetRC.yaml
+- templates/secretNetRC.yaml
 tests:
 - it: Skip rendering by default
   asserts:

unittests/secrets/ssh.yaml

@@ -6,16 +6,24 @@ release:
   name: athens-proxy-unittest
   namespace: testing
 templates:
-- templates/athens-proxy/secretSSH.yaml
+- templates/secretSSH.yaml
 tests:
+- it: Skip rending by default.
+  asserts:
+  - hasDocuments:
+      count: 0
+
 - it: Skip rendering by using existing secret.
   set:
+    config.ssh.enabled: true
     config.ssh.existingSecret.enabled: true
   asserts:
   - hasDocuments:
       count: 0
 
 - it: Rendering ssh secret with default values.
+  set:
+    config.ssh.enabled: true
   asserts:
   - hasDocuments:
       count: 1
@@ -51,6 +59,7 @@ tests:
 
 - it: Rendering ssh secret with custom values.
   set:
+    config.ssh.enabled: true
     config.ssh.secret.config: |
       Host *
         IdentityFile ~/.ssh/id_ed25519
@@ -90,6 +99,7 @@ tests:
 
 - it: Rendering custom annotations and labels.
   set:
+    config.ssh.enabled: true
     config.ssh.secret.annotations:
       foo: bar
       bar: foo

unittests/serviceAccounts/serviceAccount.yaml

@@ -6,7 +6,7 @@ release:
   name: athens-proxy-unittest
   namespace: testing
 templates:
-- templates/athens-proxy/serviceAccount.yaml
+- templates/serviceAccount.yaml
 tests:
 - it: Skip rendering.
   set:

unittests/services/service.yaml

@@ -6,11 +6,11 @@ release:
   name: athens-proxy-unittest
   namespace: testing
 templates:
-- templates/athens-proxy/serviceHTTP.yaml
+- templates/service.yaml
 tests:
 - it: Skip service when disabled.
   set:
-    services.http.enabled: false
+    service.enabled: false
   asserts:
   - hasDocuments:
       count: 0
@@ -22,7 +22,7 @@ tests:
   - containsDocument:
       apiVersion: v1
       kind: Service
-      name: athens-proxy-unittest-http
+      name: athens-proxy-unittest
       namespace: testing
   - notExists:
       path: metadata.annotations
@@ -75,37 +75,37 @@ tests:
 
 - it: Require internalTrafficPolicy.
   set:
-    services.http.internalTrafficPolicy: ""
+    service.internalTrafficPolicy: ""
   asserts:
   - failedTemplate:
       errorMessage: No internal traffic policy defined!
 
 - it: Require port.
   set:
-    services.http.port: ""
+    service.port: ""
   asserts:
   - failedTemplate:
       errorMessage: No service port defined!
 
 - it: Require sessionAffinity.
   set:
-    services.http.sessionAffinity: ""
+    service.sessionAffinity: ""
   asserts:
   - failedTemplate:
       errorMessage: No session affinity defined!
 
 - it: Require service type.
   set:
-    services.http.type: ""
+    service.type: ""
   asserts:
   - failedTemplate:
       errorMessage: No service type defined!
 
 - it: Render service with custom annotations and labels.
   set:
-    services.http.annotations:
+    service.annotations:
       foo: bar
-    services.http.labels:
+    service.labels:
       bar: foo
   asserts:
   - equal:
@@ -125,19 +125,19 @@ tests:
 
 - it: Change defaults
   set:
-    services.http.externalIPs:
+    service.externalIPs:
     - "10.11.12.13/32"
-    services.http.externalTrafficPolicy: Local
-    services.http.internalTrafficPolicy: Local
-    services.http.ipFamilies:
+    service.externalTrafficPolicy: Local
+    service.internalTrafficPolicy: Local
+    service.ipFamilies:
     - IPv4
-    services.http.loadBalancerClass: aws
-    services.http.loadBalancerIP: "11.12.13.14"
-    services.http.loadBalancerSourceRanges:
+    service.loadBalancerClass: aws
+    service.loadBalancerIP: "11.12.13.14"
+    service.loadBalancerSourceRanges:
     - "11.12.0.0/17"
-    services.http.port: 10443
-    services.http.sessionAffinity: ClientIP
-    services.http.type: LoadBalancer
+    service.port: 10443
+    service.sessionAffinity: ClientIP
+    service.type: LoadBalancer
   asserts:
   - equal:
       path: spec.externalIPs
@@ -171,4 +171,4 @@ tests:
       value: ClientIP
   - equal:
       path: spec.type
-      value: LoadBalancer
+      value: LoadBalancer

values.yaml

@@ -1,13 +1,92 @@
 # Declare variables to be passed into your templates.
+
 ## @section Global
 ## @param nameOverride Individual release name suffix.
 ## @param fullnameOverride Override the complete release name logic.
 nameOverride: ""
 fullnameOverride: ""
 
+## @section Certificate
+certificate:
+  ## @param certificate.enabled Issue a TLS certificate via cert-manager. If enabled, the environment variables `ATHENS_TLSCERT_FILE` and `ATHENS_TLSKEY_FILE` will be automatically added.
+  ## @param certificate.addSHASumAnnotation Add an pod annotation with the sha sum of the secret containing the TLS certificates.
+  enabled: false
+  addSHASumAnnotation: true
+
+  ## @param certificate.existingSecret.enabled Use an existing secret of the type `kubernetes.io/tls`.
+  ## @param certificate.existingSecret.secretName Name of the secret containing the TLS certificate and private key.
+  existingSecret:
+    enabled: false
+    secretName: ""
+
+  ## @param certificate.new.annotations Additional certificate annotations.
+  ## @param certificate.new.labels Additional certificate labels.
+  ## @param certificate.new.duration Duration of the TLS certificate.
+  ## @param certificate.new.renewBefore Renew TLS certificate before expiring.
+  ## @param certificate.new.dnsNames Overwrites the default of the subject alternative DNS names.
+  ## @param certificate.new.ipAddresses Overwrites the default of the subject alternative IP addresses.
+  ## @param certificate.new.issuerRef.kind Issuer kind. Can be `Issuer` or `ClusterIssuer`.
+  ## @param certificate.new.issuerRef.name Name of the `Issuer` or `ClusterIssuer`.
+  ## @param certificate.new.privateKey.algorithm Algorithm of the private TLS key.
+  ## @param certificate.new.privateKey.rotationPolicy Rotation of the private TLS key.
+  ## @param certificate.new.privateKey.size Size of the private TLS key.
+  ## @param certificate.new.secretTemplate.annotations Additional annotation of the created secret.
+  ## @param certificate.new.secretTemplate.labels Additional labels of the created secret.
+  ## @param certificate.new.subject.countries List of countries.
+  ## @param certificate.new.subject.localities List of localities.
+  ## @param certificate.new.subject.organizationalUnits List of organizationalUnits.
+  ## @param certificate.new.subject.organizations List of organizations.
+  ## @param certificate.new.subject.postalCodes List of postalCodes.
+  ## @param certificate.new.subject.provinces List of provinces.
+  ## @param certificate.new.subject.serialNumber Serial number.
+  ## @param certificate.new.subject.streetAddresses List of streetAddresses.
+  ## @param certificate.new.usages Define the usage of the TLS key.
+  new:
+    annotations: {}
+    labels: {}
+    duration: "744h"      # 31 days
+    renewBefore: "672h"   # 28 days
+    dnsNames: []
+    # The following DNS names are already part of the SAN's and serves only as example.
+    # - "athens-proxy"
+    # - "athens-proxy.svc"
+    # - "athens-proxy.svc.namespace"
+    # - "athens-proxy.svc.namespace.cluster.local"
+    ipAddresses: []
+    # The following IP addresses serves only as example.
+    # - "10.92.1.10"
+    # - "2001:0db8:85a3:08d3:1319:8a2e:0370:7344"
+    issuerRef:
+      kind: ""
+      name: ""
+    privateKey:
+      algorithm: "RSA"
+      rotationPolicy: "Never"
+      size: 4096
+    secretTemplate:
+      annotations: {}
+      labels: {}
+    subject:
+      countries: []
+      localities: []
+      organizationalUnits: []
+      organizations: []
+      postalCodes: []
+      provinces: []
+      serialNumber: ""
+      streetAddresses: []
+    usages:
+    - "client auth"
+    - "server auth"
+
 ## @section Configuration
 config:
   env:
+    ## @param config.env.enabled Enable mounting of the secret as environment variables.
+    ## @param config.env.addSHASumAnnotation Add an pod annotation with the sha sum of the config map containing the configuration.
+    enabled: false
+    addSHASumAnnotation: true
+
     ## @param config.env.existingSecret.enabled Mount an existing secret containing the application specific environment variables.
     ## @param config.env.existingSecret.secretName Name of the existing secret containing the application specific environment variables.
     existingSecret:
@@ -25,7 +104,6 @@ config:
         # ATHENS_AZURE_ACCOUNT_NAME:
         # ATHENS_AZURE_CONTAINER_NAME:
         # ATHENS_CLOUD_RUNTIME:
-        # ATHENS_DOWNLOAD_MODE:
         # ATHENS_DOWNLOAD_URL:
         # ATHENS_ETCD_ENDPOINTS:
         # ATHENS_EXTERNAL_STORAGE_URL:
@@ -76,8 +154,6 @@ config:
         # ATHENS_STORAGE_GCP_JSON_KEY:
         # ATHENS_SUM_DBS:
         # ATHENS_TIMEOUT:
-        # ATHENS_TLSCERT_FILE:
-        # ATHENS_TLSKEY_FILE:
         # ATHENS_TRACE_EXPORTER_URL:
         # ATHENS_TRACE_EXPORTER:
         # AWS_ACCESS_KEY_ID:
@@ -96,23 +172,30 @@ config:
         # PROXY_FORCE_SSL:
 
   downloadMode:
-    ## @param config.downloadMode.existingConfigMap.enabled TODO:
-    ## @param config.downloadMode.existingConfigMap.secretName TODO:
+    ## @param config.downloadMode.enabled Enable mounting of a download mode file into the container file system. If enabled, the env `ATHENS_DOWNLOAD_MODE` will automatically be defined.
+    ## @param config.downloadMode.addSHASumAnnotation Add an pod annotation with the sha sum of the config map containing the downloadMode config.
+    enabled: false
+    addSHASumAnnotation: true
+
+    ## @param config.downloadMode.existingConfigMap.enabled Enable to use an external config map for mounting the download mode file.
+    ## @param config.downloadMode.existingConfigMap.configMapName The name of the existing config map which should be used to mount the download mode file.
+    ## @param config.downloadMode.existingConfigMap.downloadModeKey The name of the key inside the config map where the content of the download mode file is stored.
     existingConfigMap:
       enabled: false
-      secretName: ""
+      configMapName: ""
+      downloadModeKey: "downloadMode"
 
     ## @param config.downloadMode.configMap.annotations Additional annotations of the config map containing the download mode file.
     ## @param config.downloadMode.configMap.labels Additional labels of the config map containing the download mode file.
-    ## @param config.downloadMode.configMap.content Additional labels of the config map containing the download mode file.
+    ## @skip config.downloadMode.configMap.content The content of the download mode file.
     configMap:
       annotations: {}
       labels: {}
       content: |
-        # downloadURL = "https://proxy.golang.org"
-        #
-        # mode = "async_redirect"
-        #
+        downloadURL = "https://proxy.golang.org"
+
+        mode = "async_redirect"
+
         # download "github.com/gomods/*" {
         #     mode = "sync"
         # }
@@ -123,12 +206,14 @@ config:
         #
         # download "github.com/pkg/*" {
         #     mode = "redirect"
-        #     downloadURL = "https://gocenter.io"
+        #     downloadURL = "https://proxy.golang.org"
         # }
 
   gitConfig:
     ## @param config.gitConfig.enabled Enable mounting of a .gitconfig file into the container file system.
+    ## @param config.gitConfig.addSHASumAnnotation Add an pod annotation with the sha sum of the config map containing the git config.
     enabled: false
+    addSHASumAnnotation: true
 
     ## @param config.gitConfig.existingConfigMap.enabled Enable to use an external config map for mounting the .gitconfig file.
     ## @param config.gitConfig.existingConfigMap.configMapName The name of the existing config map which should be used to mount the .gitconfig file.
@@ -138,9 +223,9 @@ config:
       configMapName: ""
       gitConfigKey:
 
-    ## @param config.gitConfig.configMap.annotations Additional annotations of the config map containing the download mode file.
-    ## @param config.gitConfig.configMap.labels Additional labels of the config map containing the download mode file.
-    ## @param config.gitConfig.configMap.content The content of the .gitconfig file.
+    ## @param config.gitConfig.configMap.annotations Additional annotations of the config map containing the .gitconfig file.
+    ## @param config.gitConfig.configMap.labels Additional labels of the config map containing the .gitconfig file.
+    ## @skip config.gitConfig.configMap.content The content of the .gitconfig file.
     configMap:
       annotations: {}
       labels: {}
@@ -154,7 +239,9 @@ config:
 
   netrc:
     ## @param config.netrc.enabled Enable mounting of a .netrc file into the container file system.
+    ## @param config.netrc.addSHASumAnnotation Add an pod annotation with the sha sum of the secret containing the netrc file.
     enabled: false
+    addSHASumAnnotation: true
 
     ## @param config.netrc.existingSecret.enabled Enable to use an external secret for mounting the .netrc file.
     ## @param config.netrc.existingSecret.secretName The name of the existing secret which should be used to mount the .netrc file.
@@ -166,7 +253,7 @@ config:
 
     ## @param config.netrc.secret.annotations Additional annotations of the secret containing the database credentials.
     ## @param config.netrc.secret.labels Additional labels of the secret containing the database credentials.
-    ## @param config.netrc.secret.content The content of the .netrc file.
+    ## @skip config.netrc.secret.content The content of the .netrc file.
     secret:
       annotations: {}
       labels: {}
@@ -185,18 +272,34 @@ config:
         # machine api.github.com  [octocat]  password  [PAT]
 
   ssh:
-    ## @param config.ssh.existingSecret.enabled TODO:.
-    ## @param config.ssh.existingSecret.secretName TODO:
+    ## @param config.ssh.enabled Enable mounting of a .netrc file into the container file system.
+    ## @param config.ssh.addSHASumAnnotation Add an pod annotation with the sha sum of the secret containing the ssh keys.
+    enabled: false
+    addSHASumAnnotation: true
+
+    ## @param config.ssh.existingSecret.enabled Enable to use an external secret for mounting the public and private SSH key files.
+    ## @param config.ssh.existingSecret.secretName The name of the existing secret which should be used to mount the public and private SSH key files.
+    ## @param config.ssh.existingSecret.configKey The name of the key inside the secret where the content of the SSH client config file is stored.
+    ## @param config.ssh.existingSecret.id_ed25519Key The name of the key inside the secret where the content of the id_ed25519 key file is stored.
+    ## @param config.ssh.existingSecret.id_ed25519PubKey The name of the key inside the secret where the content of the id_ed25519.pub key file is stored.
+    ## @param config.ssh.existingSecret.id_rsaKey The name of the key inside the secret where the content of the id_rsa key file is stored.
+    ## @param config.ssh.existingSecret.id_rsaPubKey The name of the key inside the secret where the content of the id_ed25519.pub key file is stored.
     existingSecret:
       enabled: false
+      secretName: ""
+      configKey: "config"
+      id_ed25519Key: "id_ed25519"
+      id_ed25519PubKey: "id_ed25519.pub"
+      id_rsaKey: "id_rsa"
+      id_rsaPubKey: "id_rsa.pub"
 
-    ## @param config.ssh.secret.annotations Additional annotations of the secret containing the database credentials.
-    ## @param config.ssh.secret.labels Additional labels of the secret containing the database credentials.
-    ## @param config.ssh.secret.files TODO:
-    ## @skip config.ssh.secret.id_ed25519 TODO:
-    ## @skip config.ssh.secret.id_ed25519_pub TODO:
-    ## @skip config.ssh.secret.id_rsa TODO:
-    ## @skip config.ssh.secret.id_rsa_pub TODO:
+    ## @param config.ssh.secret.annotations Additional annotations of the secret containing the public and private SSH key files.
+    ## @param config.ssh.secret.labels Additional labels of the secret containing the public and private SSH key files.
+    ## @skip config.ssh.secret.config The content of the SSH client config file.
+    ## @skip config.ssh.secret.id_ed25519 The content of the private SSH ed25519 key.
+    ## @skip config.ssh.secret.id_ed25519_pub The content of the public SSH ed25519 key.
+    ## @skip config.ssh.secret.id_rsa The content of the private SSH RSA key.
+    ## @skip config.ssh.secret.id_rsa_pub The content of the public SSH RSA key.
     secret:
       annotations: {}
       labels: {}
@@ -313,6 +416,30 @@ deployment:
       tag: ""
       pullPolicy: IfNotPresent
 
+    ## @param deployment.athensProxy.livenessProbe.failureThreshold Minimum consecutive failures for the probe to be considered failed after having succeeded.
+    ## @param deployment.athensProxy.livenessProbe.initialDelaySeconds Number of seconds after the container has started before liveness probes are initiated.
+    ## @param deployment.athensProxy.livenessProbe.periodSeconds How often (in seconds) to perform the probe.
+    ## @param deployment.athensProxy.livenessProbe.successThreshold Minimum consecutive successes for the probe to be considered successful after having failed.
+    ## @param deployment.athensProxy.livenessProbe.timeoutSeconds Number of seconds after which the probe times out.
+    livenessProbe:
+      failureThreshold: 3
+      initialDelaySeconds: 5
+      periodSeconds: 60
+      successThreshold: 1
+      timeoutSeconds: 3
+
+    ## @param deployment.athensProxy.readinessProbe.failureThreshold Minimum consecutive failures for the probe to be considered failed after having succeeded.
+    ## @param deployment.athensProxy.readinessProbe.initialDelaySeconds Number of seconds after the container has started before liveness probes are initiated.
+    ## @param deployment.athensProxy.readinessProbe.periodSeconds How often (in seconds) to perform the probe.
+    ## @param deployment.athensProxy.readinessProbe.successThreshold Minimum consecutive successes for the probe to be considered successful after having failed.
+    ## @param deployment.athensProxy.readinessProbe.timeoutSeconds Number of seconds after which the probe times out.
+    readinessProbe:
+      failureThreshold: 3
+      initialDelaySeconds: 5
+      periodSeconds: 15
+      successThreshold: 1
+      timeoutSeconds: 3
+
     ## @param deployment.athensProxy.resources CPU and memory resources of the pod.
     resources: {}
       # limits:
@@ -383,9 +510,9 @@ deployment:
   #   whenUnsatisfiable: DoNotSchedule
   #   labelSelector:
   #     matchLabels:
-  #       app.kubernetes.io/instance: prometheus-athens-proxy
+  #       app.kubernetes.io/instance: athens-proxy
 
-  ## @param deployment.volumes Additional volumes to mount into the pods of the prometheus-exporter deployment.
+  ## @param deployment.volumes Additional volumes to mount into the pods of the athens-proxy deployment.
   volumes: []
   # - name: my-configmap-volume
   #   config:
@@ -394,6 +521,72 @@ deployment:
   #   secret:
   #     secretName: my-secret
 
+
+## @section GatewayAPI
+gatewayAPI:
+  ## @param gatewayAPI.enabled Enable the Gateway API resources. Requires Kubernetes v1.19 or higher, the CRD's and a compatible gateway controller.
+  enabled: false
+
+  core:
+    ## @param gatewayAPI.core.backendTLSPolicy.enabled Enable the BackendTLSPolicy resource. Requires also `gatewayAPI.enabled` to be `true`.
+    ## @param gatewayAPI.core.backendTLSPolicy.annotations Additional annotations for the BackendTLSPolicy.
+    ## @param gatewayAPI.core.backendTLSPolicy.labels Additional labels for the BackendTLSPolicy.
+    ## @param gatewayAPI.core.backendTLSPolicy.validation Validation configuration for the BackendTLSPolicy. For example, you can specify a trusted CA certificate to validate the TLS connection between the gateway and the athens-proxy pod.
+    backendTLSPolicy:
+      enabled: false
+      annotations: {}
+      labels: {}
+      validation: {}
+        # caCertificateRefs:
+        # - group: ""
+        #   kind: Secret
+        #   name: "athens-proxy-ca"
+        # hostname: "athens-proxy"
+
+    ## @param gatewayAPI.core.httpRoute.enabled Enable the HTTPRoute resource. Requires also `gatewayAPI.enabled` and `service.enabled` to be `true`.
+    ## @param gatewayAPI.core.httpRoute.annotations Additional annotations for the HTTPRoute.
+    ## @param gatewayAPI.core.httpRoute.labels Additional labels for the HTTPRoute.
+    ## @param gatewayAPI.core.httpRoute.hostnames Hostnames for the HTTPRoute.
+    ## @skip gatewayAPI.core.httpRoute.matches Match conditions for the HTTPRoute. You can specify path based match conditions to route traffic to the athens-proxy service.
+    ## @param gatewayAPI.core.httpRoute.parentRefs ParentRefs for the HTTPRoute. You can specify parentRefs to bind the HTTPRoute to specific Gateway resources.
+    httpRoute:
+      enabled: false
+      annotations: {}
+      labels: {}
+      hostnames: []
+      matches:
+      - path:
+          type: PathPrefix
+          value: /
+      parentRefs: []
+      # - name: gateway
+      #   kind: Gateway
+      #   group: gateway.networking.k8s.io
+      #   namespace: default
+      #   sectionName: athens-proxy-http
+
+  nginx:
+    ## @param gatewayAPI.nginx.clientSettingsPolicy.enabled Enable the ClientSettingsPolicy resource. Requires also `gatewayAPI.enabled` to be `true`.
+    ## @param gatewayAPI.nginx.clientSettingsPolicy.annotations Additional annotations for the ClientSettingsPolicy.
+    ## @param gatewayAPI.nginx.clientSettingsPolicy.labels Additional labels for the ClientSettingsPolicy.
+    ## @param gatewayAPI.nginx.clientSettingsPolicy.clientMaxBodySize ClientMaxBodySize sets the maximum allowed size of the client request body. If not specified, the default of the nginx gateway controller is used.
+    ## @param gatewayAPI.nginx.clientSettingsPolicy.clientBodyTimeout ClientBodyTimeout sets the timeout for reading the client request body. If not specified, the default of the nginx gateway controller is used.
+    ## @param gatewayAPI.nginx.clientSettingsPolicy.keepaliveRequests KeepaliveRequests sets the maximum number of requests that can be served through one keepalive connection. If not specified, the default of the nginx gateway controller is used.
+    ## @param gatewayAPI.nginx.clientSettingsPolicy.keepaliveTime KeepaliveTime sets the time a keepalive connection is kept open. If not specified, the default of the nginx gateway controller is used.
+    ## @param gatewayAPI.nginx.clientSettingsPolicy.keepaliveTimeout KeepaliveTimeout sets the time a client has to wait for the response of a request until the connection is closed. If not specified, the default of the nginx gateway controller is used.
+    ## @param gatewayAPI.nginx.clientSettingsPolicy.keepaliveMinTimeout KeepaliveMinTimeout sets the minimum time a client has to wait for the response of a request until the connection is closed. If not specified, the default of the nginx gateway controller is used.
+    clientSettingsPolicy:
+      enabled: false
+      annotations: {}
+      labels: {}
+      clientMaxBodySize: ""
+      clientBodyTimeout: ""
+      keepaliveRequests:
+      keepaliveTime: ""
+      keepaliveTimeout: ""
+      keepaliveMinTimeout: ""
+
+
 ## @section Horizontal Pod Autoscaler (HPA)
 # In order for the HPA to function successfully, a metric server is required, especially for resource consumption. The
 # metric server enables the CPU and memory utilisation to be recorded. If such a metric server is not available, the HPA
@@ -425,6 +618,7 @@ hpa:
   minReplicas: 1
   maxReplicas: 10
 
+
 ## @section Ingress
 ingress:
   ## @param ingress.enabled Enable creation of an ingress resource. Requires, that the http service is also enabled.
@@ -436,7 +630,7 @@ ingress:
   annotations: {}
   labels: {}
 
-  ## @param ingress.hosts Ingress specific configuration. Specification only required when another ingress controller is used instead of `t1k.
+  ## @param ingress.hosts Ingress specific configuration.
   ## @skip ingress.hosts Skip individual host configuration.
   hosts: []
   # - host: athens-proxy.example.local
@@ -444,7 +638,7 @@ ingress:
   #   - path: /
   #     pathType: Prefix
 
-  ## @param ingress.tls Ingress TLS settings. Specification only required when another ingress controller is used instead of `t1k``.
+  ## @param ingress.tls Ingress TLS settings.
   ## @skip ingress.tls Skip individual TLS configuration.
   tls: []
   # - secretName: athens-proxy-http-tls
@@ -460,121 +654,130 @@ persistence:
     ## @param persistence.data.mountPath The path where the persistent volume should be mounted in the container file system. This variable controls `ATHENS_DISK_STORAGE_ROOT`.
     mountPath: "/var/www/athens-proxy/data"
 
+    ## @param persistence.data.existingPersistentVolumeClaim.enabled Use an existing persistent volume claim.
+    ## @param persistence.data.existingPersistentVolumeClaim.persistentVolumeClaimName The name of the existing persistent volume claim.
     existingPersistentVolumeClaim:
       enabled: false
       persistentVolumeClaimName: ""
 
+    ## @param persistence.data.persistentVolumeClaim.annotations Additional persistent volume claim annotations.
+    ## @param persistence.data.persistentVolumeClaim.labels Additional persistent volume claim labels.
+    ## @param persistence.data.persistentVolumeClaim.accessModes Access modes of the persistent volume claim.
+    ## @param persistence.data.persistentVolumeClaim.storageClassName Storage class of the persistent volume claim.
+    ## @param persistence.data.persistentVolumeClaim.storageSize Size of the persistent volume claim.
     persistentVolumeClaim:
       annotations: {}
       labels: {}
       accessModes:
       - ReadWriteMany
-      storageClass: ""
+      storageClassName: ""
       storageSize: "5Gi"
 
-## @section NetworkPolicies
-## @param networkPolicies.enabled Enable network policies in general.
-networkPolicies:
+## @section Network
+## @param clusterDomain Domain of the Cluster. Domain is part of internally issued certificates.
+clusterDomain: "cluster.local"
+
+## @section Network Policy
+networkPolicy:
+  ## @param networkPolicy.enabled Enable network policies in general.
+  ## @param networkPolicy.annotations Additional network policy annotations.
+  ## @param networkPolicy.labels Additional network policy labels.
+  ## @param networkPolicy.policyTypes List of policy types. Supported is ingress, egress or ingress and egress.
+  ## @param networkPolicy.egress Concrete egress network policy implementation.
+  ## @skip networkPolicy.egress Skip individual egress configuration.
+  ## @param networkPolicy.ingress Concrete ingress network policy implementation.
+  ## @skip networkPolicy.ingress Skip individual ingress configuration.
   enabled: false
+  annotations: {}
+  labels: {}
+  policyTypes: []
+  # - Egress
+  # - Ingress
+  egress: []
+  # Allow outgoing SSH traffic to Source Code Control System's (SCCS') like GitHub or GitLab.
+  #
+  # - ports:
+  #   - port: 22
+  #     protocol: TCP
 
-  ## @param networkPolicies.default.enabled Enable the network policy for accessing the application by default. For example to scape the metrics.
-  ## @param networkPolicies.default.annotations Additional network policy annotations.
-  ## @param networkPolicies.default.labels Additional network policy labels.
-  ## @param networkPolicies.default.policyTypes List of policy types. Supported is ingress, egress or ingress and egress.
-  ## @param networkPolicies.default.egress Concrete egress network policy implementation.
-  ## @skip networkPolicies.default.egress Skip individual egress configuration.
-  ## @param networkPolicies.default.ingress Concrete ingress network policy implementation.
-  ## @skip networkPolicies.default.ingress Skip individual ingress configuration.
-  default:
-    enabled: false
-    annotations: {}
-    labels: {}
-    policyTypes: []
-    # - Egress
-    # - Ingress
-    egress: []
-    # Allow outgoing traffic to database host
-    #
-    # - to:
-    #   - ipBlock:
-    #       cidr: 192.168.179.1/32
-    #   ports:
-    #   - port: 5432
-    #     protocol: TCP
+  # Allow outgoing HTTPS traffic to external go module servers
+  #
+  # - ports:
+  #   - port: 443
+  #     protocol: TCP
 
-    # Allow outgoing DNS traffic to the internal running DNS-Server. For example core-dns.
-    #
-    # - to:
-    #   - namespaceSelector:
-    #       matchLabels:
-    #         kubernetes.io/metadata.name: kube-system
-    #     podSelector:
-    #       matchLabels:
-    #        k8s-app: kube-dns
-    #   ports:
-    #   - port: 53
-    #     protocol: TCP
-    #   - port: 53
-    #     protocol: UDP
+  # Allow outgoing DNS traffic to the internal running DNS-Server. For example core-dns.
+  #
+  # - to:
+  #   - namespaceSelector:
+  #       matchLabels:
+  #         kubernetes.io/metadata.name: kube-system
+  #     podSelector:
+  #       matchLabels:
+  #        k8s-app: kube-dns
+  #   ports:
+  #   - port: 53
+  #     protocol: TCP
+  #   - port: 53
+  #     protocol: UDP
 
-    ingress: []
-    # Allow incoming HTTP traffic from prometheus.
-    #
-    # - from:
-    #   - namespaceSelector:
-    #       matchLabels:
-    #         kubernetes.io/metadata.name: monitoring
-    #     podSelector:
-    #       matchLabels:
-    #         app.kubernetes.io/name: prometheus
-    #   ports:
-    #   - port: http
-    #     protocol: TCP
+  ingress: []
+  # Allow incoming HTTP traffic from prometheus.
+  #
+  # - from:
+  #   - namespaceSelector:
+  #       matchLabels:
+  #         kubernetes.io/metadata.name: monitoring
+  #     podSelector:
+  #       matchLabels:
+  #         app.kubernetes.io/name: prometheus
+  #   ports:
+  #   - port: http
+  #     protocol: TCP
 
-    # Allow incoming HTTP traffic from ingress-nginx.
-    #
-    # - from:
-    #   - namespaceSelector:
-    #       matchLabels:
-    #         kubernetes.io/metadata.name: ingress-nginx
-    #     podSelector:
-    #       matchLabels:
-    #         app.kubernetes.io/name: ingress-nginx
-    #   ports:
-    #   - port: http
-    #     protocol: TCP
+  # Allow incoming HTTP traffic from ingress-nginx.
+  #
+  # - from:
+  #   - namespaceSelector:
+  #       matchLabels:
+  #         kubernetes.io/metadata.name: ingress-nginx
+  #     podSelector:
+  #       matchLabels:
+  #         app.kubernetes.io/name: ingress-nginx
+  #   ports:
+  #   - port: http
+  #     protocol: TCP
 
 ## @section Service
-## @param services.http.enabled Enable the service.
-## @param services.http.annotations Additional service annotations.
-## @param services.http.externalIPs External IPs for the service.
-## @param services.http.externalTrafficPolicy If `service.type` is `NodePort` or `LoadBalancer`, set this to `Local` to tell kube-proxy to only use node local endpoints for cluster external traffic. Furthermore, this enables source IP preservation.
-## @param services.http.internalTrafficPolicy If `service.type` is `NodePort` or `LoadBalancer`, set this to `Local` to tell kube-proxy to only use node local endpoints for cluster internal traffic.
-## @param services.http.ipFamilies IPFamilies is list of IP families (e.g. `IPv4`, `IPv6`) assigned to this service. This field is usually assigned automatically based on cluster configuration and only required for customization.
-## @param services.http.labels Additional service labels.
-## @param services.http.loadBalancerClass LoadBalancerClass is the class of the load balancer implementation this Service belongs to. Requires service from type `LoadBalancer`.
-## @param services.http.loadBalancerIP LoadBalancer will get created with the IP specified in this field. Requires service from type `LoadBalancer`.
-## @param services.http.loadBalancerSourceRanges Source range filter for LoadBalancer. Requires service from type `LoadBalancer`.
-## @param services.http.port Port to forward the traffic to.
-## @param services.http.sessionAffinity Supports `ClientIP` and `None`. Enable client IP based session affinity via `ClientIP`.
-## @param services.http.sessionAffinityConfig Contains the configuration of the session affinity.
-## @param services.http.type Kubernetes service type for the traffic.
-services:
-  http:
-    enabled: true
-    annotations: {}
-    externalIPs: []
-    externalTrafficPolicy: "Cluster"
-    internalTrafficPolicy: "Cluster"
-    ipFamilies: []
-    labels: {}
-    loadBalancerClass: ""
-    loadBalancerIP: ""
-    loadBalancerSourceRanges: []
-    port: 3000
-    sessionAffinity: "None"
-    sessionAffinityConfig: {}
-    type: "ClusterIP"
+## @param service.enabled Enable the service.
+## @param service.annotations Additional service annotations.
+## @param service.externalIPs External IPs for the service.
+## @param service.externalTrafficPolicy If `service.type` is `NodePort` or `LoadBalancer`, set this to `Local` to tell kube-proxy to only use node local endpoints for cluster external traffic. Furthermore, this enables source IP preservation.
+## @param service.internalTrafficPolicy If `service.type` is `NodePort` or `LoadBalancer`, set this to `Local` to tell kube-proxy to only use node local endpoints for cluster internal traffic.
+## @param service.ipFamilies IPFamilies is list of IP families (e.g. `IPv4`, `IPv6`) assigned to this service. This field is usually assigned automatically based on cluster configuration and only required for customization.
+## @param service.labels Additional service labels.
+## @param service.loadBalancerClass LoadBalancerClass is the class of the load balancer implementation this Service belongs to. Requires service from type `LoadBalancer`.
+## @param service.loadBalancerIP LoadBalancer will get created with the IP specified in this field. Requires service from type `LoadBalancer`.
+## @param service.loadBalancerSourceRanges Source range filter for LoadBalancer. Requires service from type `LoadBalancer`.
+## @param service.port Port to forward the traffic to.
+## @param service.sessionAffinity Supports `ClientIP` and `None`. Enable client IP based session affinity via `ClientIP`.
+## @param service.sessionAffinityConfig Contains the configuration of the session affinity.
+## @param service.type Kubernetes service type for the traffic.
+service:
+  enabled: true
+  annotations: {}
+  externalIPs: []
+  externalTrafficPolicy: "Cluster"
+  internalTrafficPolicy: "Cluster"
+  ipFamilies: []
+  labels: {}
+  loadBalancerClass: ""
+  loadBalancerIP: ""
+  loadBalancerSourceRanges: []
+  port: 3000
+  sessionAffinity: "None"
+  sessionAffinityConfig: {}
+  type: "ClusterIP"
 
 ## @section ServiceAccount
 serviceAccount: