fix(scripts): adapt rc pattern

.gitea/scripts/add-annotations.sh

@@ -8,8 +8,11 @@ if [ ! -f "${CHART_FILE}" ]; then
   exit 1
 fi
 
-DEFAULT_NEW_TAG="$(git tag --sort=-version:refname | head -n 1)"
-DEFAULT_OLD_TAG="$(git tag --sort=-version:refname | head -n 2 | tail -n 1)"
+rc_pattern='-rc(\.[0-9]+)?$'
+
+# Exclude prerelease tags (matching -rc or -rc-<digits>) from default tag selection
+DEFAULT_NEW_TAG="$(git tag --sort=-version:refname | grep --invert-match --perl-regexp "${rc_pattern}" | head --lines 1)"
+DEFAULT_OLD_TAG="$(git tag --sort=-version:refname | grep --invert-match --perl-regexp "${rc_pattern}" | head --lines 2 | tail --lines 1)"
 
 if [ -z "${1}" ]; then
   read -p "Enter start tag [${DEFAULT_OLD_TAG}]: " OLD_TAG
@@ -54,6 +57,13 @@ else
   fi
 fi
 
+# Check if NEW_TAG is a prerelease (matches -rc or -rc-<digits> suffix)
+if [[ "${NEW_TAG}" =~ ${rc_pattern} ]]; then
+  echo "INFO: Tag '${NEW_TAG}' is a prerelease, setting prerelease annotation and skipping changelog."
+  yq --no-colors --inplace ".annotations.\"artifacthub.io/prerelease\" = \"true\" | sort_keys(.)" "${CHART_FILE}"
+  exit 0
+fi
+
 CHANGE_LOG_YAML=$(mktemp)
 echo "[]" > "${CHANGE_LOG_YAML}"
 

.gitea/workflows/artifacthub-metadata.yaml

@@ -0,0 +1,41 @@
+name: Upload ArtifactHub Metadata
+
+on:
+  schedule:
+    - cron: '0 3 1 * *'
+  workflow_dispatch:
+
+jobs:
+  upload-metadata:
+    name: "Upload artifacthub-repo.yml to OCI registry"
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v6.0.2
+    - uses: docker/login-action@v4.2.0
+      with:
+        registry: ${{ github.server_url }}
+        username: ${{ github.repository_owner }}
+        password: ${{ secrets.GIT_CRYPTIC_SYSTEMS_PACKAGE_REGISTRY_TOKEN }}
+    - uses: oras-project/setup-oras@v2.0.0
+      with:
+        version: 1.3.2 # renovate: datasource=github-tags depName=oras-project/oras extractVersion='^v?(?<version>.*)$'
+    - name: Extract meta information
+      run: |
+        echo "GITEA_SERVER_HOSTNAME=$(echo "${GITHUB_SERVER_URL}" | cut -d '/' -f 3)" >> $GITHUB_ENV
+        echo "PACKAGE_VERSION=${GITHUB_REF#refs/tags/}" >> $GITHUB_ENV
+        echo "REPOSITORY_NAME=$(echo ${GITHUB_REPOSITORY} | cut -d '/' -f 2 | sed --regexp-extended 's/-charts?//g')" >> $GITHUB_ENV
+        echo "REPOSITORY_OWNER=$(echo ${GITHUB_REPOSITORY} | cut -d '/' -f 1)" >> $GITHUB_ENV
+    - name: Push artifacthub-repo.yml
+      run: |
+        oras push ${GITEA_SERVER_HOSTNAME}/${REPOSITORY_OWNER}/${REPOSITORY_NAME}:artifacthub.io \
+          --config /dev/null:application/vnd.cncf.artifacthub.config.v1+yaml \
+          artifacthub-repo.yml:application/vnd.cncf.artifacthub.repository-metadata.layer.v1.yaml
+    - name: Push public cosign key
+      env:
+        COSIGN_PUBLIC_KEY: ${{ vars.COSIGN_PUBLIC_KEY }}
+      run: |
+        echo "${COSIGN_PUBLIC_KEY}" > cosign.pub
+        oras push ${GITEA_SERVER_HOSTNAME}/${REPOSITORY_OWNER}/${REPOSITORY_NAME}:cosign.pub \
+          --artifact-type application/vnd.dev.cosign.public-key.v1 \
+          --annotation org.opencontainers.image.title=cosign.pub \
+          cosign.pub:application/vnd.dev.cosign.public-key.v1

.gitea/workflows/generate-readme.yaml

@@ -15,7 +15,7 @@ on:
 jobs:
   generate-parameters:
     container:
-      image: docker.io/library/node:25.9.0-alpine
+      image: docker.io/library/node:26.2.0-alpine
     runs-on: ubuntu-latest
     steps:
     - name: Install tooling

.gitea/workflows/helm.yaml

@@ -17,7 +17,7 @@ jobs:
     - uses: actions/checkout@v6.0.2
     - uses: azure/setup-helm@v5.0.0
       with:
-        version: v4.0.1 # renovate: datasource=github-releases depName=helm/helm
+        version: v4.2.0 # renovate: datasource=github-releases depName=helm/helm
     - name: Lint helm files
       run: |
         helm lint --values values.yaml .
@@ -28,7 +28,7 @@ jobs:
     - uses: actions/checkout@v6.0.2
     - uses: azure/setup-helm@v5.0.0
       with:
-        version: v4.0.1 # renovate: datasource=github-releases depName=helm/helm
+        version: v4.2.0 # renovate: datasource=github-releases depName=helm/helm
     - env:
         HELM_UNITTEST_VERSION: v1.0.0 #renovate: datasource=github-releases depName=helm-unittest/helm-unittest
       name: Install helm-unittest

.gitea/workflows/markdown-linters.yaml

@@ -15,7 +15,7 @@ on:
 jobs:
   markdown-link-checker:
     container:
-      image: docker.io/library/node:25.9.0-alpine
+      image: docker.io/library/node:26.2.0-alpine
     runs-on: ubuntu-latest
     steps:
     - name: Install tooling
@@ -30,7 +30,7 @@ jobs:
 
   markdown-lint:
     container:
-      image: docker.io/library/node:25.9.0-alpine
+      image: docker.io/library/node:26.2.0-alpine
     runs-on: ubuntu-latest
     steps:
     - name: Install tooling

.gitea/workflows/release.yaml

@@ -1,5 +1,10 @@
 name: Release
 
+env:
+  GPG_PRIVATE_KEY_FILE: ${{ runner.temp }}/private.key
+  GPG_PRIVATE_KEY_FINGERPRINT: ${{ vars.GPG_PRIVATE_KEY_FINGERPRINT }}
+  GPG_PRIVATE_KEY_PASSPHRASE_FILE: ${{ runner.temp }}/passphrase.txt
+
 on:
   push:
     tags:
@@ -7,14 +12,58 @@ on:
 
 jobs:
   publish-chart:
-    container:
-      image: docker.io/volkerraschek/helm:3.19.2
     runs-on: ubuntu-latest
     steps:
-      - name: Install packages via apk
+      - uses: volker-raschek/cosign-installer@v4.1.2-rc4
+        with:
+          cosign-release: "v3.0.6" # renovate: datasource=github-tags depName=sigstore/cosign
+
+      - uses: azure/setup-helm@v5.0.0
+        with:
+          version: "v4.2.0" # renovate: datasource=github-tags depName=helm/helm
+
+      - name: Install helm plugins
+        env:
+          HELM_SIGSTORE_VERSION: "0.3.0" # renovate: datasource=github-tags depName=sigstore/helm-sigstore extractVersion='^v(?<version>\d+\.\d+\.\d+)$'
+          HELM_SCHEMA_VALUES_VERSION: "2.4.0" # renovate: datasource=github-tags depName=losisin/helm-values-schema-json extractVersion='^v(?<version>\d+\.\d+\.\d+)$'
+          HELM_UNITTEST_VERSION: "1.1.0" # renovate: datasource=github-tags depName=helm-unittest/helm-unittest extractVersion='^v(?<version>\d+\.\d+\.\d+)$'
         run: |
-          apk update
-          apk add git npm jq yq
+          helm plugin install --verify=false https://github.com/sigstore/helm-sigstore.git --version "${HELM_SIGSTORE_VERSION}" 1> /dev/null
+          helm plugin install --verify=false https://github.com/losisin/helm-values-schema-json.git --version "${HELM_SCHEMA_VALUES_VERSION}" 1> /dev/null
+          helm plugin install --verify=false https://github.com/helm-unittest/helm-unittest.git --version "${HELM_UNITTEST_VERSION}" 1> /dev/null
+          helm plugin list
+
+      - name: GPG configuration
+        env:
+          GPG_PRIVATE_KEY_PASSPHRASE: ${{ secrets.GPG_PRIVATE_KEY_PASSPHRASE }}
+          GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}
+        run: |
+          # Configure GPG and GPG Agent
+          mkdir --parents "${HOME}/.gnupg"
+          chmod 0700 "${HOME}/.gnupg"
+
+          cat > "${HOME}/.gnupg/gpg.conf" <<EOF
+          use-agent
+          pinentry-mode loopback
+          EOF
+
+          cat > "${HOME}/.gnupg/gpg-agent.conf" <<EOF
+          allow-loopback-pinentry
+          max-cache-ttl 86400
+          default-cache-ttl 86400
+          EOF
+
+          gpgconf --kill gpg-agent
+          gpgconf --launch gpg-agent
+
+          # Import GPG private key
+          cat 1> "${GPG_PRIVATE_KEY_PASSPHRASE_FILE}" <<< "${GPG_PRIVATE_KEY_PASSPHRASE}"
+          cat 1> "${GPG_PRIVATE_KEY_FILE}" <<< "${GPG_PRIVATE_KEY}"
+          gpg --batch --yes --passphrase-fd 0 --import "${GPG_PRIVATE_KEY_FILE}" <<< "${GPG_PRIVATE_KEY_PASSPHRASE}"
+
+          # Export GPG keyring
+          gpg --batch --yes --export "${GPG_PRIVATE_KEY_FINGERPRINT}" 1> "${HOME}/.gnupg/pubring.gpg"
+          gpg --batch --yes --passphrase-fd 0 --export-secret-keys "${GPG_PRIVATE_KEY_FINGERPRINT}" 1> "${HOME}/.gnupg/secring.gpg" <<< "${GPG_PRIVATE_KEY_PASSPHRASE}"
 
       - uses: actions/checkout@v6.0.2
         with:
@@ -28,9 +77,10 @@ jobs:
 
       - name: Extract meta information
         run: |
+          echo "GITEA_SERVER_HOSTNAME=$(echo "${GITHUB_SERVER_URL}" | cut --delimiter '/' --fields 3)" >> $GITHUB_ENV
           echo "PACKAGE_VERSION=${GITHUB_REF#refs/tags/}" >> $GITHUB_ENV
-          echo "REPOSITORY_NAME=$(echo ${GITHUB_REPOSITORY} | cut -d '/' -f 2 | sed --regexp-extended 's/-charts?//g')" >> $GITHUB_ENV
-          echo "REPOSITORY_OWNER=$(echo ${GITHUB_REPOSITORY} | cut -d '/' -f 1)" >> $GITHUB_ENV
+          echo "REPOSITORY_NAME=$(echo ${GITHUB_REPOSITORY} | cut --delimiter '/' --fields 2 | sed --regexp-extended 's/-charts?//g')" >> $GITHUB_ENV
+          echo "REPOSITORY_OWNER=$(echo ${GITHUB_REPOSITORY} | cut --delimiter '/' --fields 1)" >> $GITHUB_ENV
 
       - name: Update Helm Chart version in README.md
         run: sed -i -E "s/^CHART_VERSION=.*/CHART_VERSION=${PACKAGE_VERSION}/g" README.md
@@ -38,24 +88,76 @@ jobs:
       - name: Package chart
         run: |
           helm dependency build
-          helm package --version "${PACKAGE_VERSION}" ./
+          helm package \
+            --sign \
+            --key "$(gpg --with-colons --list-keys "${GPG_PRIVATE_KEY_FINGERPRINT}" | grep uid | cut --delimiter ':' --fields 10)" \
+            --keyring "${HOME}/.gnupg/secring.gpg" \
+            --passphrase-file "${GPG_PRIVATE_KEY_PASSPHRASE_FILE}" \
+            --version "${PACKAGE_VERSION}" ./
 
-      - name: Upload Chart to ChartMuseum
+      - uses: docker/login-action@v4.2.0
+        with:
+          registry: ${{ github.server_url }}
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GIT_CRYPTIC_SYSTEMS_PACKAGE_REGISTRY_TOKEN }}
+
+      - name: Upload Chart to Gitea (OCI)
         env:
+          COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
+          COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
+        run: |
+          helm push ${REPOSITORY_NAME}-${PACKAGE_VERSION}.tgz oci://${GITEA_SERVER_HOSTNAME}/${REPOSITORY_OWNER}
+          cosign sign --yes --upload=true --key=env://COSIGN_PRIVATE_KEY ${GITEA_SERVER_HOSTNAME}/${REPOSITORY_OWNER}/${REPOSITORY_NAME}:${PACKAGE_VERSION}
+
+      - name: Upload Chart to Gitea (Helm)
+        env:
+          GITEA_REGISTRY_TOKEN: ${{ secrets.GIT_CRYPTIC_SYSTEMS_PACKAGE_REGISTRY_TOKEN }}
+        run: |
+          curl \
+            --fail \
+            --show-error \
+            --request POST \
+            --user "${REPOSITORY_OWNER}:${GITEA_REGISTRY_TOKEN}" \
+            --upload-file "${REPOSITORY_NAME}-${PACKAGE_VERSION}.tgz" \
+              https://${GITEA_SERVER_HOSTNAME}/api/packages/${REPOSITORY_OWNER}/helm/api/charts
+
+          # NOTE:
+          # Gitea does currently not support uploading Helm chart provenance files, so we skip this step for now. Once
+          # Gitea supports this, we can simply uncomment the following lines to upload the provenance file as well.
+          #
+          #   https://github.com/helm/helm/issues/31866
+          #
+          # if [ -f "${REPOSITORY_NAME}-${PACKAGE_VERSION}.tgz.prov" ]; then
+          #   curl \
+          #     --fail \
+          #     --show-error \
+          #     --request POST \
+          #     --user "${CHARTMUSEUM_USERNAME}:${CHARTMUSEUM_PASSWORD}" \
+          #     --upload-file "${REPOSITORY_NAME}-${PACKAGE_VERSION}.tgz.prov" \
+          #       https://${GITEA_SERVER_HOSTNAME}/api/packages/${REPOSITORY_OWNER}/helm/api/prov
+          # fi
+
+      - name: Upload Chart to Chartmuseum (Helm)
+        env:
+          CHARTMUSEUM_HOSTNAME: ${{ vars.CHARTMUSEUM_HOSTNAME }}
+          CHARTMUSEUM_USERNAME: ${{ secrets.CHARTMUSEUM_USERNAME }}
           CHARTMUSEUM_PASSWORD: ${{ secrets.CHARTMUSEUM_PASSWORD }}
           CHARTMUSEUM_REPOSITORY: ${{ vars.CHARTMUSEUM_REPOSITORY }}
-          CHARTMUSEUM_USERNAME: ${{ secrets.CHARTMUSEUM_USERNAME }}
-          CHARTMUSEUM_HOSTNAME: ${{ vars.CHARTMUSEUM_HOSTNAME }}
         run: |
-          helm repo add --username ${CHARTMUSEUM_USERNAME} --password ${CHARTMUSEUM_PASSWORD} chartmuseum https://${CHARTMUSEUM_HOSTNAME}/${CHARTMUSEUM_REPOSITORY}
-          helm cm-push ${REPOSITORY_NAME}-${PACKAGE_VERSION}.tgz chartmuseum
-          helm repo remove chartmuseum
+          curl \
+            --fail \
+            --show-error \
+            --request POST \
+            --user "${CHARTMUSEUM_USERNAME}:${CHARTMUSEUM_PASSWORD}" \
+            --upload-file "${REPOSITORY_NAME}-${PACKAGE_VERSION}.tgz" \
+              https://${CHARTMUSEUM_HOSTNAME}/api/${CHARTMUSEUM_REPOSITORY}/charts
 
-      - name: Upload Chart to Gitea
-        env:
-          GITEA_PACKAGE_REGISTRY_TOKEN: ${{ secrets.GIT_CRYPTIC_SYSTEMS_PACKAGE_REGISTRY_TOKEN }}
-          GITEA_SERVER_URL: ${{ github.server_url }}
-        run: |
-          helm repo add --username ${REPOSITORY_OWNER} --password ${GITEA_PACKAGE_REGISTRY_TOKEN} gitea ${GITEA_SERVER_URL}/api/packages/${REPOSITORY_OWNER}/helm
-          helm cm-push ${REPOSITORY_NAME}-${PACKAGE_VERSION}.tgz gitea
-          helm repo remove gitea
+          if [ -f "${REPOSITORY_NAME}-${PACKAGE_VERSION}.tgz.prov" ]; then
+            curl \
+              --fail \
+              --show-error \
+              --request POST \
+              --user "${CHARTMUSEUM_USERNAME}:${CHARTMUSEUM_PASSWORD}" \
+              --upload-file ${REPOSITORY_NAME}-${PACKAGE_VERSION}.tgz.prov \
+                https://${CHARTMUSEUM_HOSTNAME}/api/${CHARTMUSEUM_REPOSITORY}/prov
+          fi

.gitignore

@@ -1,9 +1,9 @@
 charts
+cosign*
 node_modules
 target
-values2.yml
-values2.yaml
+!values.yaml
+!values.yml
+values*.yaml
+values*.yml
 *.tgz
-
-install.sh
-uninstall.sh

.vscode/settings.json

@@ -1,6 +1,6 @@
 {
   "yaml.schemas": {
-    "https://raw.githubusercontent.com/helm-unittest/helm-unittest/v1.0.3/schema/helm-testsuite.json": [
+    "https://raw.githubusercontent.com/helm-unittest/helm-unittest/v1.1.0/schema/helm-testsuite.json": [
       "/unittests/**/*.yaml"
     ]
   },

Chart.yaml

@@ -1,15 +1,21 @@
 annotations:
+  artifacthub.io/license: MIT
   artifacthub.io/links: |
     - name: Athens proxy (binary)
       url: https://github.com/gomods/athens
     - name: support
       url: https://git.cryptic.systems/volker.raschek/athens-proxy-charts/issues
+  artifacthub.io/operator: "false"
+  artifacthub.io/prerelease: "false"
+  artifacthub.io/signKey: |
+    fingerprint: 3B0CE9853CAD76076260025383D342258456906E
+    url: https://keys.openpgp.org/vks/v1/by-fingerprint/3B0CE9853CAD76076260025383D342258456906E
 apiVersion: v2
 name: athens-proxy
 description: Athens proxy server for golang
 type: application
 version: "0.1.0"
-appVersion: "v0.16.2"
+appVersion: "v0.17.1"
 icon: https://github.com/gomods/athens/blob/main/docs/static/banner.png?raw=true
 
 keywords:

Makefile

@@ -18,6 +18,25 @@ NODE_IMAGE_FULLY_QUALIFIED=${NODE_IMAGE_REGISTRY_HOST}/${NODE_IMAGE_REPOSITORY}:
 missing-dot:
 	grep --perl-regexp '## @(param|skip).*[^.]$$' values.yaml
 
+# README
+# ==============================================================================
+readme: readme/link readme/lint readme/parameters
+
+readme/link:
+	npm install && npm run readme:link
+
+readme/lint:
+	npm install && npm run readme:lint
+
+readme/parameters:
+	npm install && npm run readme:parameters
+
+# HELM UNITTESTS
+# ==============================================================================
+PHONY+=helm/unittest
+helm/unittest:
+	helm unittest --strict --file 'unittests/**/*.yaml' ./
+
 # CONTAINER RUN - README
 # ==============================================================================
 PHONY+=container-run/readme

README.md

@@ -96,6 +96,10 @@ certificate can be used the [cert-manager](https://cert-manager.io/). The chart
 certificate via `cert-manager.io/v1 Certificate` resource. Alternatively can be mounted a TLS certificate from a secret.
 The secret must be from type `kubernetes.io/tls`.
 
+If athens-proxy is deployed behind a reverse proxy, for example an ingress nginx controller or Gateway API, please
+instruct the reverse proxy to establish a TLS encrypted connection to avoid connection problems. The documentation
+describes configuring [Ingress NGINX](#ingress-nginx) as well as [NGINX Gateway Fabric](#gatewayapi-nginx-fabric).
+
 > [!WARNING]
 > The following example expects that the [cert-manager](https://cert-manager.io/) is deployed and the `Issuer` named
 > `athens-proxy-ca` is present in the same namespace of the helm deployment.
@@ -111,6 +115,110 @@ helm install --version "${CHART_VERSION}" athens-proxy volker.raschek/athens-pro
 The environment variables `ATHENS_TLSCERT_FILE` and `ATHENS_TLSKEY_FILE` are automatically added and the TLS certificate
 and private key are mounted to a pre-defined destination inside the container file system.
 
+##### Ingress NGINX
+
+The following changes must be applied to enable TLS encryption and authentication on-top between the ingress and backend
+service.
+
+> [!IMPORTANT]
+> The HTTP Version between the ingress nginx and backend must be set to `1.1`, as well as the TLS protocol must be set
+> to `TLSv1.2`. Otherwise can't the nginx establish a TLS connection.
+
+The secret `athens-proxy/ingress-nginx-controller-tls` contains TLS certificates for the nginx ingress controller. The
+TLS certificate must be created manually, for example via [cert-manager](https://cert-manager.io/). It is used by the
+nginx for TLS authentication.
+
+```yaml
+ingress:
+  enabled: true
+  className: "nginx"
+  annotations:
+    nginx.ingress.kubernetes.io/backend-protocol: HTTPS
+    nginx.ingress.kubernetes.io/proxy-http-version: "1.1"
+    nginx.ingress.kubernetes.io/proxy-ssl-secret: athens-proxy/ingress-nginx-controller-tls
+    nginx.ingress.kubernetes.io/proxy-ssl-protocols: TLSv1.2
+    nginx.ingress.kubernetes.io/proxy-ssl-name: athens-proxy
+    nginx.ingress.kubernetes.io/proxy-ssl-verify: "on"
+```
+
+##### GatewayAPI: NGINX Fabric
+
+The following changes must be applied to enable TLS encryption and authentication on-top between the gateway and backend
+service.
+
+> [!IMPORTANT]
+> The HTTP Version between the nginx gateway fabric and backend must be set to `1.1`, as well as the TLS protocol must
+> be set to `TLSv1.2`. Otherwise can't the nginx establish a TLS connection.
+
+The `gatewayAPI.core.backendTLSPolicy.validation.caCertificateRefs` must contain at least one secret containing the
+root or intermediate certificate of the issued TLS certificate used by athens-proxy to be able to validate the TLS
+certificate.
+
+```yaml
+gatewayAPI:
+  enabled: true
+  core:
+    backendTLSPolicy:
+      enabled: true
+      validation:
+        caCertificateRefs:
+        - group: ""
+          kind: Secret
+          name: "athens-proxy-ca"
+        hostname: "athens-proxy"
+
+    httpRoute:
+      enabled: true
+      hostnames:
+      - athens-proxy.example.local
+      parentRefs:
+      - name: nginx
+        kind: Gateway
+        group: gateway.networking.k8s.io
+        namespace: my-gateway-namespace
+        sectionName: athens-proxy-https
+```
+
+The Gateway resource is not part of the helm chart, but for illustrating the configuration example, here a GatewayAPI
+resource with configured backend TLS certificate. The TLS certificates `gateway-frontend-tls` and `gateway-backend-tls`
+must also be created manually, for example via [cert-manager](https://cert-manager.io/).
+
+```yaml
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: Gateway
+metadata:
+  name: nginx
+  namespace: my-gateway-namespace
+spec:
+  gatewayClassName: nginx
+  listeners:
+    - allowedRoutes:
+        kinds:
+          - group: gateway.networking.k8s.io
+            kind: HTTPRoute
+        namespaces:
+          from: All
+      hostname: athens-proxy.example.local
+      name: https
+      port: 443
+      protocol: HTTPS
+      tls:
+        certificateRefs:
+          - group: ''
+            kind: Secret
+            name: gateway-frontend-tls
+            namespace: my-gateway-namespace
+        mode: Terminate
+  tls:
+    backend:
+      clientCertificateRef:
+        group: ''
+        kind: Secret
+        name: gateway-backend-tls
+        namespace: my-gateway-namespace
+```
+
 #### TLS certificate rotation
 
 If the application uses TLS certificates that are mounted as a secret in the container file system like the example
@@ -198,6 +306,13 @@ networkPolicies:
       podSelector:
         matchLabels:
           app.kubernetes.io/name: ingress-nginx
+    # NGINX GatewayAPI Fabric
+    - namespaceSelector:
+        matchLabels:
+          kubernetes.io/metadata.name: gateway-nginx
+      podSelector:
+        matchLabels:
+          app.kubernetes.io/name: gateway-nginx
     ports:
     - port: http
       protocol: TCP
@@ -385,6 +500,30 @@ spec:
 | `deployment.topologySpreadConstraints`                      | TopologySpreadConstraints of the athens-proxy deployment.                                                  | `[]`            |
 | `deployment.volumes`                                        | Additional volumes to mount into the pods of the athens-proxy deployment.                                  | `[]`            |
 
+### GatewayAPI
+
+| Name                                                        | Description                                                                                                                                                                                         | Value   |
+| ----------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------- |
+| `gatewayAPI.enabled`                                        | Enable the Gateway API resources. Requires Kubernetes v1.19 or higher, the CRD's and a compatible gateway controller.                                                                               | `false` |
+| `gatewayAPI.core.backendTLSPolicy.enabled`                  | Enable the BackendTLSPolicy resource. Requires also `gatewayAPI.enabled` to be `true`.                                                                                                              | `false` |
+| `gatewayAPI.core.backendTLSPolicy.annotations`              | Additional annotations for the BackendTLSPolicy.                                                                                                                                                    | `{}`    |
+| `gatewayAPI.core.backendTLSPolicy.labels`                   | Additional labels for the BackendTLSPolicy.                                                                                                                                                         | `{}`    |
+| `gatewayAPI.core.backendTLSPolicy.validation`               | Validation configuration for the BackendTLSPolicy. For example, you can specify a trusted CA certificate to validate the TLS connection between the gateway and the athens-proxy pod.               | `{}`    |
+| `gatewayAPI.core.httpRoute.enabled`                         | Enable the HTTPRoute resource. Requires also `gatewayAPI.enabled` and `service.enabled` to be `true`.                                                                                               | `false` |
+| `gatewayAPI.core.httpRoute.annotations`                     | Additional annotations for the HTTPRoute.                                                                                                                                                           | `{}`    |
+| `gatewayAPI.core.httpRoute.labels`                          | Additional labels for the HTTPRoute.                                                                                                                                                                | `{}`    |
+| `gatewayAPI.core.httpRoute.hostnames`                       | Hostnames for the HTTPRoute.                                                                                                                                                                        | `[]`    |
+| `gatewayAPI.core.httpRoute.parentRefs`                      | ParentRefs for the HTTPRoute. You can specify parentRefs to bind the HTTPRoute to specific Gateway resources.                                                                                       | `[]`    |
+| `gatewayAPI.nginx.clientSettingsPolicy.enabled`             | Enable the ClientSettingsPolicy resource. Requires also `gatewayAPI.enabled` to be `true`.                                                                                                          | `false` |
+| `gatewayAPI.nginx.clientSettingsPolicy.annotations`         | Additional annotations for the ClientSettingsPolicy.                                                                                                                                                | `{}`    |
+| `gatewayAPI.nginx.clientSettingsPolicy.labels`              | Additional labels for the ClientSettingsPolicy.                                                                                                                                                     | `{}`    |
+| `gatewayAPI.nginx.clientSettingsPolicy.clientMaxBodySize`   | ClientMaxBodySize sets the maximum allowed size of the client request body. If not specified, the default of the nginx gateway controller is used.                                                  | `""`    |
+| `gatewayAPI.nginx.clientSettingsPolicy.clientBodyTimeout`   | ClientBodyTimeout sets the timeout for reading the client request body. If not specified, the default of the nginx gateway controller is used.                                                      | `""`    |
+| `gatewayAPI.nginx.clientSettingsPolicy.keepaliveRequests`   | KeepaliveRequests sets the maximum number of requests that can be served through one keepalive connection. If not specified, the default of the nginx gateway controller is used.                   | `nil`   |
+| `gatewayAPI.nginx.clientSettingsPolicy.keepaliveTime`       | KeepaliveTime sets the time a keepalive connection is kept open. If not specified, the default of the nginx gateway controller is used.                                                             | `""`    |
+| `gatewayAPI.nginx.clientSettingsPolicy.keepaliveTimeout`    | KeepaliveTimeout sets the time a client has to wait for the response of a request until the connection is closed. If not specified, the default of the nginx gateway controller is used.            | `""`    |
+| `gatewayAPI.nginx.clientSettingsPolicy.keepaliveMinTimeout` | KeepaliveMinTimeout sets the minimum time a client has to wait for the response of a request until the connection is closed. If not specified, the default of the nginx gateway controller is used. | `""`    |
+
 ### Horizontal Pod Autoscaler (HPA)
 
 | Name              | Description                                                                                        | Value       |
@@ -398,14 +537,14 @@ spec:
 
 ### Ingress
 
-| Name                  | Description                                                                                                          | Value   |
-| --------------------- | -------------------------------------------------------------------------------------------------------------------- | ------- |
-| `ingress.enabled`     | Enable creation of an ingress resource. Requires, that the http service is also enabled.                             | `false` |
-| `ingress.className`   | Ingress class.                                                                                                       | `nginx` |
-| `ingress.annotations` | Additional ingress annotations.                                                                                      | `{}`    |
-| `ingress.labels`      | Additional ingress labels.                                                                                           | `{}`    |
-| `ingress.hosts`       | Ingress specific configuration. Specification only required when another ingress controller is used instead of `t1k. | `[]`    |
-| `ingress.tls`         | Ingress TLS settings. Specification only required when another ingress controller is used instead of `t1k``.         | `[]`    |
+| Name                  | Description                                                                              | Value   |
+| --------------------- | ---------------------------------------------------------------------------------------- | ------- |
+| `ingress.enabled`     | Enable creation of an ingress resource. Requires, that the http service is also enabled. | `false` |
+| `ingress.className`   | Ingress class.                                                                           | `nginx` |
+| `ingress.annotations` | Additional ingress annotations.                                                          | `{}`    |
+| `ingress.labels`      | Additional ingress labels.                                                               | `{}`    |
+| `ingress.hosts`       | Ingress specific configuration.                                                          | `[]`    |
+| `ingress.tls`         | Ingress TLS settings.                                                                    | `[]`    |
 
 ### Persistence
 
@@ -440,22 +579,22 @@ spec:
 
 ### Service
 
-| Name                                     | Description                                                                                                                                                                                                | Value       |
-| ---------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------- |
-| `services.http.enabled`                  | Enable the service.                                                                                                                                                                                        | `true`      |
-| `services.http.annotations`              | Additional service annotations.                                                                                                                                                                            | `{}`        |
-| `services.http.externalIPs`              | External IPs for the service.                                                                                                                                                                              | `[]`        |
-| `services.http.externalTrafficPolicy`    | If `service.type` is `NodePort` or `LoadBalancer`, set this to `Local` to tell kube-proxy to only use node local endpoints for cluster external traffic. Furthermore, this enables source IP preservation. | `Cluster`   |
-| `services.http.internalTrafficPolicy`    | If `service.type` is `NodePort` or `LoadBalancer`, set this to `Local` to tell kube-proxy to only use node local endpoints for cluster internal traffic.                                                   | `Cluster`   |
-| `services.http.ipFamilies`               | IPFamilies is list of IP families (e.g. `IPv4`, `IPv6`) assigned to this service. This field is usually assigned automatically based on cluster configuration and only required for customization.         | `[]`        |
-| `services.http.labels`                   | Additional service labels.                                                                                                                                                                                 | `{}`        |
-| `services.http.loadBalancerClass`        | LoadBalancerClass is the class of the load balancer implementation this Service belongs to. Requires service from type `LoadBalancer`.                                                                     | `""`        |
-| `services.http.loadBalancerIP`           | LoadBalancer will get created with the IP specified in this field. Requires service from type `LoadBalancer`.                                                                                              | `""`        |
-| `services.http.loadBalancerSourceRanges` | Source range filter for LoadBalancer. Requires service from type `LoadBalancer`.                                                                                                                           | `[]`        |
-| `services.http.port`                     | Port to forward the traffic to.                                                                                                                                                                            | `3000`      |
-| `services.http.sessionAffinity`          | Supports `ClientIP` and `None`. Enable client IP based session affinity via `ClientIP`.                                                                                                                    | `None`      |
-| `services.http.sessionAffinityConfig`    | Contains the configuration of the session affinity.                                                                                                                                                        | `{}`        |
-| `services.http.type`                     | Kubernetes service type for the traffic.                                                                                                                                                                   | `ClusterIP` |
+| Name                               | Description                                                                                                                                                                                                | Value       |
+| ---------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------- |
+| `service.enabled`                  | Enable the service.                                                                                                                                                                                        | `true`      |
+| `service.annotations`              | Additional service annotations.                                                                                                                                                                            | `{}`        |
+| `service.externalIPs`              | External IPs for the service.                                                                                                                                                                              | `[]`        |
+| `service.externalTrafficPolicy`    | If `service.type` is `NodePort` or `LoadBalancer`, set this to `Local` to tell kube-proxy to only use node local endpoints for cluster external traffic. Furthermore, this enables source IP preservation. | `Cluster`   |
+| `service.internalTrafficPolicy`    | If `service.type` is `NodePort` or `LoadBalancer`, set this to `Local` to tell kube-proxy to only use node local endpoints for cluster internal traffic.                                                   | `Cluster`   |
+| `service.ipFamilies`               | IPFamilies is list of IP families (e.g. `IPv4`, `IPv6`) assigned to this service. This field is usually assigned automatically based on cluster configuration and only required for customization.         | `[]`        |
+| `service.labels`                   | Additional service labels.                                                                                                                                                                                 | `{}`        |
+| `service.loadBalancerClass`        | LoadBalancerClass is the class of the load balancer implementation this Service belongs to. Requires service from type `LoadBalancer`.                                                                     | `""`        |
+| `service.loadBalancerIP`           | LoadBalancer will get created with the IP specified in this field. Requires service from type `LoadBalancer`.                                                                                              | `""`        |
+| `service.loadBalancerSourceRanges` | Source range filter for LoadBalancer. Requires service from type `LoadBalancer`.                                                                                                                           | `[]`        |
+| `service.port`                     | Port to forward the traffic to.                                                                                                                                                                            | `3000`      |
+| `service.sessionAffinity`          | Supports `ClientIP` and `None`. Enable client IP based session affinity via `ClientIP`.                                                                                                                    | `None`      |
+| `service.sessionAffinityConfig`    | Contains the configuration of the session affinity.                                                                                                                                                        | `{}`        |
+| `service.type`                     | Kubernetes service type for the traffic.                                                                                                                                                                   | `ClusterIP` |
 
 ### ServiceAccount
 

artifacthub-repo.yml

@@ -0,0 +1 @@
+repositoryID: 4c206fe5-b83a-457a-bcad-7dd664f8b70c

renovate.json

@@ -51,20 +51,6 @@
         "volkerraschek/helm"
       ]
     },
-    {
-      "automerge": true,
-      "groupName": "Update helm plugin 'unittest'",
-      "matchDepNames": [
-        "helm-unittest/helm-unittest"
-      ],
-      "matchDatasources": [
-        "github-releases"
-      ],
-      "matchUpdateTypes": [
-        "minor",
-        "patch"
-      ]
-    },
     {
       "groupName": "Update docker.io/library/node",
       "matchDepNames": [

templates/_backendTLSPolicies.tpl

@@ -0,0 +1,32 @@
+{{/* vim: set filetype=mustache: */}}
+
+{{/* annotations */}}
+
+{{- define "athens-proxy.backendTLSPolicy.annotations" -}}
+{{ include "athens-proxy.annotations" . }}
+{{- if .Values.gatewayAPI.core.backendTLSPolicy.annotations }}
+{{ toYaml .Values.gatewayAPI.core.backendTLSPolicy.annotations }}
+{{- end }}
+{{- end }}
+
+{{/* enabled */}}
+
+{{- define "athens-proxy.backendTLSPolicy.enabled" -}}
+{{- if and .Values.gatewayAPI.enabled
+           .Values.gatewayAPI.core.backendTLSPolicy.enabled
+           .Values.service.enabled
+-}}
+true
+{{- else -}}
+false
+{{- end -}}
+{{- end }}
+
+{{/* labels */}}
+
+{{- define "athens-proxy.backendTLSPolicy.labels" -}}
+{{ include "athens-proxy.labels" . }}
+{{- if .Values.gatewayAPI.core.backendTLSPolicy.labels }}
+{{ toYaml .Values.gatewayAPI.core.backendTLSPolicy.labels }}
+{{- end }}
+{{- end }}

templates/_clientSettingsPolicies.tpl

@@ -0,0 +1,31 @@
+{{/* vim: set filetype=mustache: */}}
+
+{{/* annotations */}}
+
+{{- define "athens-proxy.clientSettingsPolicy.annotations" -}}
+{{ include "athens-proxy.annotations" . }}
+{{- if .Values.gatewayAPI.nginx.clientSettingsPolicy.annotations }}
+{{ toYaml .Values.gatewayAPI.nginx.clientSettingsPolicy.annotations }}
+{{- end }}
+{{- end }}
+
+{{/* enabled */}}
+
+{{- define "athens-proxy.clientSettingsPolicy.enabled" -}}
+{{- if and (eq (include "athens-proxy.httpRoute.enabled" $) "true")
+           .Values.gatewayAPI.nginx.clientSettingsPolicy.enabled
+-}}
+true
+{{- else -}}
+false
+{{- end -}}
+{{- end }}
+
+{{/* labels */}}
+
+{{- define "athens-proxy.clientSettingsPolicy.labels" -}}
+{{ include "athens-proxy.labels" . }}
+{{- if .Values.gatewayAPI.nginx.clientSettingsPolicy.labels }}
+{{ toYaml .Values.gatewayAPI.nginx.clientSettingsPolicy.labels }}
+{{- end }}
+{{- end }}

templates/_httpRoutes.tpl

@@ -0,0 +1,32 @@
+{{/* vim: set filetype=mustache: */}}
+
+{{/* annotations */}}
+
+{{- define "athens-proxy.httpRoute.annotations" -}}
+{{ include "athens-proxy.annotations" . }}
+{{- if .Values.gatewayAPI.core.httpRoute.annotations }}
+{{ toYaml .Values.gatewayAPI.core.httpRoute.annotations }}
+{{- end }}
+{{- end }}
+
+{{/* enabled */}}
+
+{{- define "athens-proxy.httpRoute.enabled" -}}
+{{- if and .Values.gatewayAPI.enabled
+           .Values.gatewayAPI.core.httpRoute.enabled
+           .Values.service.enabled
+-}}
+true
+{{- else -}}
+false
+{{- end -}}
+{{- end }}
+
+{{/* labels */}}
+
+{{- define "athens-proxy.httpRoute.labels" -}}
+{{ include "athens-proxy.labels" . }}
+{{- if .Values.gatewayAPI.core.httpRoute.labels }}
+{{ toYaml .Values.gatewayAPI.core.httpRoute.labels }}
+{{- end }}
+{{- end }}

templates/_services.tpl

@@ -2,28 +2,28 @@
 
 {{/* annotations */}}
 
-{{- define "athens-proxy.services.http.annotations" -}}
+{{- define "athens-proxy.service.annotations" -}}
 {{ include "athens-proxy.annotations" . }}
-{{- if .Values.services.http.annotations }}
-{{ toYaml .Values.services.http.annotations }}
+{{- if .Values.service.annotations }}
+{{ toYaml .Values.service.annotations }}
 {{- end }}
 {{- end }}
 
 {{/* labels */}}
 
-{{- define "athens-proxy.services.http.labels" -}}
+{{- define "athens-proxy.service.labels" -}}
 {{ include "athens-proxy.labels" . }}
 {{/* Add label to select the correct service via `selector.matchLabels` of the serviceMonitor resource. */}}
 app.kubernetes.io/service-name: http
-{{- if .Values.services.http.labels }}
-{{ toYaml .Values.services.http.labels }}
+{{- if .Values.service.labels }}
+{{ toYaml .Values.service.labels }}
 {{- end }}
 {{- end }}
 
 {{/* names */}}
 
-{{- define "athens-proxy.services.http.name" -}}
-{{- if .Values.services.http.enabled -}}
-{{ include "athens-proxy.fullname" . }}-http
+{{- define "athens-proxy.service.name" -}}
+{{- if .Values.service.enabled -}}
+{{ include "athens-proxy.fullname" . }}
+{{- end -}}
 {{- end -}}
-{{- end -}}

templates/backendTLSPolicy.yaml

@@ -0,0 +1,25 @@
+{{- if eq (include "athens-proxy.backendTLSPolicy.enabled" $) "true" }}
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: BackendTLSPolicy
+metadata:
+  {{- with (include "athens-proxy.backendTLSPolicy.annotations" . | fromYaml) }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  {{- with (include "athens-proxy.backendTLSPolicy.labels" . | fromYaml) }}
+  labels:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  name: {{ include "athens-proxy.fullname" . }}
+  namespace: {{ .Release.Namespace }}
+spec:
+  targetRefs:
+    - group: ""
+      kind: Service
+      name: {{ include "athens-proxy.service.name" . }}
+  {{- with .Values.gatewayAPI.core.backendTLSPolicy.validation }}
+  validation:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+{{- end -}}

templates/clientSettingsPolicy.yaml

@@ -0,0 +1,50 @@
+{{- if eq (include "athens-proxy.clientSettingsPolicy.enabled" $) "true" }}
+apiVersion: gateway.nginx.org/v1alpha1
+kind: ClientSettingsPolicy
+metadata:
+  {{- with (include "athens-proxy.clientSettingsPolicy.annotations" . | fromYaml) }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  {{- with (include "athens-proxy.clientSettingsPolicy.labels" . | fromYaml) }}
+  labels:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  name: {{ include "athens-proxy.fullname" . }}
+  namespace: {{ .Release.Namespace }}
+spec:
+  targetRef:
+    group: gateway.networking.k8s.io
+    kind: HTTPRoute
+    name: {{ include "athens-proxy.fullname" . }}
+  {{- if or .Values.gatewayAPI.nginx.clientSettingsPolicy.clientMaxBodySize
+            .Values.gatewayAPI.nginx.clientSettingsPolicy.clientBodyTimeout
+  }}
+  body:
+    {{- with .Values.gatewayAPI.nginx.clientSettingsPolicy.clientMaxBodySize }}
+    maxSize: {{ . }}
+    {{- end }}
+    {{- with .Values.gatewayAPI.nginx.clientSettingsPolicy.clientBodyTimeout }}
+    timeout: {{ . }}
+    {{- end }}
+  {{- end }}
+  {{- if or .Values.gatewayAPI.nginx.clientSettingsPolicy.keepaliveRequests
+            .Values.gatewayAPI.nginx.clientSettingsPolicy.keepaliveTime
+            .Values.gatewayAPI.nginx.clientSettingsPolicy.keepaliveTimeout
+            .Values.gatewayAPI.nginx.clientSettingsPolicy.keepaliveMinTimeout
+  }}
+  keepAlive:
+    {{- with .Values.gatewayAPI.nginx.clientSettingsPolicy.keepaliveRequests }}
+    requests: {{ . }}
+    {{- end }}
+    {{- with .Values.gatewayAPI.nginx.clientSettingsPolicy.keepaliveTime }}
+    time: {{ . }}
+    {{- end }}
+    {{- with .Values.gatewayAPI.nginx.clientSettingsPolicy.keepaliveTimeout }}
+    timeout: {{ . }}
+    {{- end }}
+    {{- with .Values.gatewayAPI.nginx.clientSettingsPolicy.keepaliveMinTimeout }}
+    minTimeout: {{ . }}
+    {{- end }}
+  {{- end }}
+{{- end -}}

templates/httpRoute.yaml

@@ -0,0 +1,36 @@
+{{- if eq (include "athens-proxy.httpRoute.enabled" $) "true" }}
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  {{- with (include "athens-proxy.httpRoute.annotations" . | fromYaml) }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  {{- with (include "athens-proxy.httpRoute.labels" . | fromYaml) }}
+  labels:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  name: {{ include "athens-proxy.fullname" . }}
+  namespace: {{ .Release.Namespace }}
+spec:
+  {{- with .Values.gatewayAPI.core.httpRoute.hostnames }}
+  hostnames:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  {{- with .Values.gatewayAPI.core.httpRoute.parentRefs }}
+  parentRefs:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  rules:
+    - backendRefs:
+        - kind: Service
+          name: {{ include "athens-proxy.service.name" . }}
+          namespace: {{ .Release.Namespace }}
+          port: {{ .Values.service.port }}
+          weight: 1
+      {{- with .Values.gatewayAPI.core.httpRoute.matches }}
+      matches:
+        {{- toYaml . | nindent 6 }}
+      {{- end }}
+{{- end }}

templates/ingress.yaml

@@ -1,4 +1,4 @@
-{{- if and .Values.services.http.enabled .Values.ingress.enabled }}
+{{- if and .Values.service.enabled .Values.ingress.enabled }}
 ---
 apiVersion: networking.k8s.io/v1
 kind: Ingress
@@ -27,9 +27,9 @@ spec:
         {{- end }}
         backend:
           service:
-            name: {{ include "athens-proxy.services.http.name" $ }}
+            name: {{ include "athens-proxy.service.name" $ }}
             port:
-              number: {{ $.Values.services.http.port }}
+              number: {{ $.Values.service.port }}
       {{- end }}
   {{- end }}
   {{- if .Values.ingress.tls }}
@@ -42,4 +42,4 @@ spec:
     secretName: {{ .secretName | quote }}
   {{- end }}
 {{- end }}
-{{- end }}
+{{- end }}

templates/service.yaml

@@ -0,0 +1,57 @@
+{{- if .Values.service.enabled }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+  {{- with (include "athens-proxy.service.annotations" . | fromYaml) }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  {{- with (include "athens-proxy.service.labels" . | fromYaml) }}
+  labels:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  name: {{ include "athens-proxy.service.name" . }}
+  namespace: {{ .Release.Namespace }}
+spec:
+  {{- if not (empty .Values.service.externalIPs) }}
+  externalIPs:
+  {{- range .Values.service.externalIPs }}
+  - {{ . }}
+  {{- end }}
+  {{- end }}
+  {{- if and (or (eq .Values.service.type "LoadBalancer") (eq .Values.service.type "NodePort") ) .Values.service.externalTrafficPolicy }}
+  externalTrafficPolicy: {{ .Values.service.externalTrafficPolicy }}
+  {{- end }}
+  internalTrafficPolicy: {{ required "No internal traffic policy defined!" .Values.service.internalTrafficPolicy }}
+  {{- if .Values.service.ipFamilies }}
+  ipFamilies:
+  {{- range .Values.service.ipFamilies }}
+  - {{ . }}
+  {{- end }}
+  {{- end }}
+  {{- if and (eq .Values.service.type "LoadBalancer") .Values.service.loadBalancerClass }}
+  loadBalancerClass: {{ .Values.service.loadBalancerClass }}
+  {{- end }}
+  {{- if and (eq .Values.service.type "LoadBalancer") .Values.service.loadBalancerIP }}
+  loadBalancerIP: {{ .Values.service.loadBalancerIP }}
+  {{- end }}
+  {{- if eq .Values.service.type "LoadBalancer" }}
+  loadBalancerSourceRanges:
+  {{- range .Values.service.loadBalancerSourceRanges }}
+  - {{ . }}
+  {{- end }}
+  {{- end }}
+  ports:
+  - name: http
+    protocol: TCP
+    port: {{ required "No service port defined!" .Values.service.port }}
+  selector:
+    {{- include "athens-proxy.pod.selectorLabels" . | nindent 4 }}
+  sessionAffinity: {{ required "No session affinity defined!" .Values.service.sessionAffinity }}
+  {{- with .Values.service.sessionAffinityConfig }}
+  sessionAffinityConfig:
+    {{- toYaml . | nindent 4}}
+  {{- end }}
+  type: {{ required "No service type defined!" .Values.service.type }}
+{{- end }}

templates/serviceHTTP.yaml

@@ -1,57 +0,0 @@
-{{- if .Values.services.http.enabled }}
----
-apiVersion: v1
-kind: Service
-metadata:
-  {{- with (include "athens-proxy.services.http.annotations" . | fromYaml) }}
-  annotations:
-    {{- toYaml . | nindent 4 }}
-  {{- end }}
-  {{- with (include "athens-proxy.services.http.labels" . | fromYaml) }}
-  labels:
-    {{- toYaml . | nindent 4 }}
-  {{- end }}
-  name: {{ include "athens-proxy.services.http.name" . }}
-  namespace: {{ .Release.Namespace }}
-spec:
-  {{- if not (empty .Values.services.http.externalIPs) }}
-  externalIPs:
-  {{- range .Values.services.http.externalIPs }}
-  - {{ . }}
-  {{- end }}
-  {{- end }}
-  {{- if and (or (eq .Values.services.http.type "LoadBalancer") (eq .Values.services.http.type "NodePort") ) .Values.services.http.externalTrafficPolicy }}
-  externalTrafficPolicy: {{ .Values.services.http.externalTrafficPolicy }}
-  {{- end }}
-  internalTrafficPolicy: {{ required "No internal traffic policy defined!" .Values.services.http.internalTrafficPolicy }}
-  {{- if .Values.services.http.ipFamilies }}
-  ipFamilies:
-  {{- range .Values.services.http.ipFamilies }}
-  - {{ . }}
-  {{- end }}
-  {{- end }}
-  {{- if and (eq .Values.services.http.type "LoadBalancer") .Values.services.http.loadBalancerClass }}
-  loadBalancerClass: {{ .Values.services.http.loadBalancerClass }}
-  {{- end }}
-  {{- if and (eq .Values.services.http.type "LoadBalancer") .Values.services.http.loadBalancerIP }}
-  loadBalancerIP: {{ .Values.services.http.loadBalancerIP }}
-  {{- end }}
-  {{- if eq .Values.services.http.type "LoadBalancer" }}
-  loadBalancerSourceRanges:
-  {{- range .Values.services.http.loadBalancerSourceRanges }}
-  - {{ . }}
-  {{- end }}
-  {{- end }}
-  ports:
-  - name: http
-    protocol: TCP
-    port: {{ required "No service port defined!" .Values.services.http.port }}
-  selector:
-    {{- include "athens-proxy.pod.selectorLabels" . | nindent 4 }}
-  sessionAffinity: {{ required "No session affinity defined!" .Values.services.http.sessionAffinity }}
-  {{- with .Values.services.http.sessionAffinityConfig }}
-  sessionAffinityConfig:
-    {{- toYaml . | nindent 4}}
-  {{- end }}
-  type: {{ required "No service type defined!" .Values.services.http.type }}
-{{- end }}

unittests/backendTLSPolicies/backendTLSPolicy.yaml

@@ -0,0 +1,130 @@
+chart:
+  appVersion: 0.1.0
+  version: 0.1.0
+suite: backendTLSPolicy template
+release:
+  name: athens-proxy-unittest
+  namespace: testing
+templates:
+- templates/backendTLSPolicy.yaml
+tests:
+- it: Skip rendering when disabled 1/6
+  set:
+    gatewayAPI.enabled: false
+    gatewayAPI.core.backendTLSPolicy.enabled: false
+    service.enabled: false
+  asserts:
+  - hasDocuments:
+      count: 0
+
+- it: Skip rendering when disabled 2/6
+  set:
+    gatewayAPI.enabled: true
+    gatewayAPI.core.backendTLSPolicy.enabled: false
+    service.enabled: false
+  asserts:
+  - hasDocuments:
+      count: 0
+
+- it: Skip rendering when disabled 3/6
+  set:
+    gatewayAPI.enabled: false
+    gatewayAPI.core.backendTLSPolicy.enabled: true
+    service.enabled: false
+  asserts:
+  - hasDocuments:
+      count: 0
+
+- it: Skip rendering when disabled 4/6
+  set:
+    gatewayAPI.enabled: false
+    gatewayAPI.core.backendTLSPolicy.enabled: false
+    service.enabled: true
+  asserts:
+  - hasDocuments:
+      count: 0
+
+- it: Skip rendering when disabled 5/6
+  set:
+    gatewayAPI.enabled: true
+    gatewayAPI.core.backendTLSPolicy.enabled: false
+    service.enabled: true
+  asserts:
+  - hasDocuments:
+      count: 0
+
+- it: Skip rendering when disabled 6/6
+  set:
+    gatewayAPI.enabled: true
+    gatewayAPI.core.backendTLSPolicy.enabled: true
+    service.enabled: false
+  asserts:
+  - hasDocuments:
+      count: 0
+
+- it: Render default values
+  set:
+    gatewayAPI.enabled: true
+    gatewayAPI.core.backendTLSPolicy.enabled: true
+    service.enabled: true
+  asserts:
+  - hasDocuments:
+      count: 1
+  - containsDocument:
+      apiVersion: gateway.networking.k8s.io/v1
+      kind: BackendTLSPolicy
+      name: athens-proxy-unittest
+      namespace: testing
+  - contains:
+      path: spec.targetRefs
+      content:
+        group: ""
+        kind: Service
+        name: athens-proxy-unittest
+  - notExists:
+      path: spec.validation.caCertificateRefs
+
+- it: Render with custom annotations and labels
+  set:
+    gatewayAPI.enabled: true
+    gatewayAPI.core.backendTLSPolicy:
+      enabled: true
+      annotations:
+        foo: bar
+      labels:
+        bar: foo
+    service.enabled: true
+  asserts:
+  - equal:
+      path: metadata.annotations
+      value:
+        foo: bar
+  - equal:
+      path: metadata.labels
+      value:
+        app.kubernetes.io/instance: athens-proxy-unittest
+        app.kubernetes.io/name: athens-proxy
+        app.kubernetes.io/version: 0.1.0
+        app.kubernetes.io/managed-by: Helm
+        helm.sh/chart: athens-proxy-0.1.0
+        bar: foo
+
+- it: Render with custom validation
+  set:
+    gatewayAPI.enabled: true
+    gatewayAPI.core.backendTLSPolicy.enabled: true
+    gatewayAPI.core.backendTLSPolicy.validation:
+      caCertificateRefs:
+        - group: ""
+          kind: Secret
+          name: athens-proxy-ca
+      hostname: athens-proxy.svc.cluster.local
+    service.enabled: true
+  asserts:
+  - isSubset:
+      path: spec.validation
+      content:
+        caCertificateRefs:
+          - group: ""
+            kind: Secret
+            name: athens-proxy-ca

unittests/clientSettingsPolicies/clientSettingsPolicy.yaml

@@ -0,0 +1,190 @@
+chart:
+  appVersion: 0.1.0
+  version: 0.1.0
+suite: ClientSettingsPolicy template
+release:
+  name: athens-proxy-unittest
+  namespace: testing
+templates:
+- templates/clientSettingsPolicy.yaml
+tests:
+- it: Skip rendering when disabled 1/8
+  set:
+    gatewayAPI.enabled: false
+    gatewayAPI.core.httpRoute.enabled: false
+    gatewayAPI.nginx.clientSettingsPolicy.enabled: false
+    service.enabled: false
+  asserts:
+  - hasDocuments:
+      count: 0
+
+- it: Skip rendering when disabled 2/8
+  set:
+    gatewayAPI.enabled: true
+    gatewayAPI.core.httpRoute.enabled: false
+    gatewayAPI.nginx.clientSettingsPolicy.enabled: false
+    service.enabled: false
+  asserts:
+  - hasDocuments:
+      count: 0
+
+- it: Skip rendering when disabled 3/8
+  set:
+    gatewayAPI.enabled: false
+    gatewayAPI.core.httpRoute.enabled: true
+    gatewayAPI.nginx.clientSettingsPolicy.enabled: false
+    service.enabled: false
+  asserts:
+  - hasDocuments:
+      count: 0
+
+- it: Skip rendering when disabled 4/8
+  set:
+    gatewayAPI.enabled: false
+    gatewayAPI.core.httpRoute.enabled: false
+    gatewayAPI.nginx.clientSettingsPolicy.enabled: true
+    service.enabled: false
+  asserts:
+  - hasDocuments:
+      count: 0
+
+- it: Skip rendering when disabled 5/8
+  set:
+    gatewayAPI.enabled: false
+    gatewayAPI.core.httpRoute.enabled: false
+    gatewayAPI.nginx.clientSettingsPolicy.enabled: false
+    service.enabled: true
+  asserts:
+  - hasDocuments:
+      count: 0
+
+- it: Skip rendering when disabled 6/8
+  set:
+    gatewayAPI.enabled: true
+    gatewayAPI.core.httpRoute.enabled: true
+    gatewayAPI.nginx.clientSettingsPolicy.enabled: false
+    service.enabled: false
+  asserts:
+  - hasDocuments:
+      count: 0
+
+- it: Skip rendering when disabled 7/8
+  set:
+    gatewayAPI.enabled: true
+    gatewayAPI.core.httpRoute.enabled: false
+    gatewayAPI.nginx.clientSettingsPolicy.enabled: true
+    service.enabled: false
+  asserts:
+  - hasDocuments:
+      count: 0
+
+- it: Skip rendering when disabled 8/8
+  set:
+    gatewayAPI.enabled: true
+    gatewayAPI.core.httpRoute.enabled: false
+    gatewayAPI.nginx.clientSettingsPolicy.enabled: false
+    service.enabled: true
+  asserts:
+  - hasDocuments:
+      count: 0
+
+- it: Render default values
+  set:
+    gatewayAPI.enabled: true
+    gatewayAPI.core.httpRoute.enabled: true
+    gatewayAPI.nginx.clientSettingsPolicy.enabled: true
+    service.enabled: true
+  asserts:
+  - hasDocuments:
+      count: 1
+  - containsDocument:
+      apiVersion: gateway.nginx.org/v1alpha1
+      kind: ClientSettingsPolicy
+      name: athens-proxy-unittest
+      namespace: testing
+  - notExists:
+      path: metadata.annotations
+  - equal:
+      path: metadata.labels
+      value:
+        app.kubernetes.io/instance: athens-proxy-unittest
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: athens-proxy
+        app.kubernetes.io/version: 0.1.0
+        helm.sh/chart: athens-proxy-0.1.0
+  - isSubset:
+      path: spec.targetRef
+      content:
+        group: gateway.networking.k8s.io
+        kind: HTTPRoute
+        name: athens-proxy-unittest
+  - notExists:
+      path: spec.body
+  - notExists:
+      path: spec.keepAlive
+
+- it: Render custom annotations and labels
+  set:
+    gatewayAPI.enabled: true
+    gatewayAPI.core.httpRoute.enabled: true
+    gatewayAPI.nginx.clientSettingsPolicy:
+      enabled: true
+      annotations:
+        foo: "bar"
+      labels:
+        bar: "foo"
+    service.enabled: true
+  asserts:
+  - equal:
+      path: metadata.annotations
+      value:
+        foo: "bar"
+  - equal:
+      path: metadata.labels
+      value:
+        app.kubernetes.io/instance: athens-proxy-unittest
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: athens-proxy
+        app.kubernetes.io/version: 0.1.0
+        helm.sh/chart: athens-proxy-0.1.0
+        bar: "foo"
+
+- it: Render with custom body settings
+  set:
+    gatewayAPI.enabled: true
+    gatewayAPI.core.httpRoute.enabled: true
+    gatewayAPI.nginx.clientSettingsPolicy:
+      enabled: true
+      clientMaxBodySize: 10m
+      clientBodyTimeout: 30s
+    service.enabled: true
+  asserts:
+  - isSubset:
+      path: spec.body
+      content:
+        maxSize: 10m
+        timeout: 30s
+  - notExists:
+      path: spec.keepAlive
+
+- it: Render with custom keepAlive settings
+  set:
+    gatewayAPI.enabled: true
+    gatewayAPI.core.httpRoute.enabled: true
+    gatewayAPI.nginx.clientSettingsPolicy:
+      enabled: true
+      keepaliveRequests: 100
+      keepaliveTime: 60s
+      keepaliveTimeout: 60s
+      keepaliveMinTimeout: 10s
+    service.enabled: true
+  asserts:
+  - notExists:
+      path: spec.body
+  - isSubset:
+      path: spec.keepAlive
+      content:
+        requests: 100
+        time: 60s
+        timeout: 60s
+        minTimeout: 10s

unittests/httpRoutes/httpRoute.yaml

@@ -0,0 +1,194 @@
+chart:
+  appVersion: 0.1.0
+  version: 0.1.0
+suite: HTTPRoute template
+release:
+  name: athens-proxy-unittest
+  namespace: testing
+templates:
+- templates/httpRoute.yaml
+tests:
+- it: Skip rendering when disabled 1/6
+  set:
+    gatewayAPI.enabled: false
+    gatewayAPI.core.httpRoute.enabled: false
+    service.enabled: false
+  asserts:
+  - hasDocuments:
+      count: 0
+
+- it: Skip rendering when disabled 2/6
+  set:
+    gatewayAPI.enabled: true
+    gatewayAPI.core.httpRoute.enabled: false
+    service.enabled: false
+  asserts:
+  - hasDocuments:
+      count: 0
+
+- it: Skip rendering when disabled 3/6
+  set:
+    gatewayAPI.enabled: false
+    gatewayAPI.core.httpRoute.enabled: true
+    service.enabled: false
+  asserts:
+  - hasDocuments:
+      count: 0
+
+- it: Skip rendering when disabled 4/6
+  set:
+    gatewayAPI.enabled: false
+    gatewayAPI.core.httpRoute.enabled: false
+    service.enabled: true
+  asserts:
+  - hasDocuments:
+      count: 0
+
+- it: Skip rendering when disabled 5/6
+  set:
+    gatewayAPI.enabled: true
+    gatewayAPI.core.httpRoute.enabled: false
+    service.enabled: true
+  asserts:
+  - hasDocuments:
+      count: 0
+
+- it: Skip rendering when disabled 6/6
+  set:
+    gatewayAPI.enabled: true
+    gatewayAPI.core.httpRoute.enabled: true
+    service.enabled: false
+  asserts:
+  - hasDocuments:
+      count: 0
+
+- it: Rendering default values
+  set:
+    gatewayAPI.enabled: true
+    gatewayAPI.core.httpRoute.enabled: true
+    service.enabled: true
+  asserts:
+  - hasDocuments:
+      count: 1
+  - containsDocument:
+      apiVersion: gateway.networking.k8s.io/v1
+      kind: HTTPRoute
+      name: athens-proxy-unittest
+      namespace: testing
+  - notExists:
+      path: metadata.annotations
+  - equal:
+      path: metadata.labels
+      value:
+        app.kubernetes.io/instance: athens-proxy-unittest
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: athens-proxy
+        app.kubernetes.io/version: 0.1.0
+        helm.sh/chart: athens-proxy-0.1.0
+  - notExists:
+      path: spec.hostnames
+  - notExists:
+      path: spec.parentRefs
+  - contains:
+      path: spec.rules[0].backendRefs
+      content:
+        kind: Service
+        name: athens-proxy-unittest
+        namespace: testing
+        port: 3000
+        weight: 1
+  - contains:
+      path: spec.rules[0].matches
+      content:
+        path:
+          type: PathPrefix
+          value: /
+
+- it: Rendering custom annotations and labels
+  set:
+    gatewayAPI.enabled: true
+    gatewayAPI.core.httpRoute:
+      enabled: true
+      annotations:
+        foo: bar
+      labels:
+        bar: foo
+    service.enabled: true
+  asserts:
+  - hasDocuments:
+      count: 1
+  - equal:
+      path: metadata.annotations
+      value:
+        foo: bar
+  - equal:
+      path: metadata.labels
+      value:
+        app.kubernetes.io/instance: athens-proxy-unittest
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: athens-proxy
+        app.kubernetes.io/version: 0.1.0
+        bar: foo
+        helm.sh/chart: athens-proxy-0.1.0
+
+- it: Rendering custom service port
+  set:
+    gatewayAPI.enabled: true
+    gatewayAPI.core.httpRoute.enabled: true
+    service:
+      enabled: true
+      port: 9090
+  asserts:
+  - equal:
+      path: spec.rules[0].backendRefs[0].port
+      value: 9090
+
+- it: Rendering custom matches
+  set:
+    gatewayAPI.enabled: true
+    gatewayAPI.core.httpRoute:
+      enabled: true
+      matches:
+      - path:
+          type: PathPrefix
+          value: /foo
+    service.enabled: true
+  asserts:
+  - contains:
+      path: spec.rules[0].matches
+      content:
+        path:
+          type: PathPrefix
+          value: /foo
+
+- it: Rendering custom hostnames and parentRefs
+  set:
+    gatewayAPI.enabled: true
+    gatewayAPI.core.httpRoute:
+      enabled: true
+      hostnames:
+      - athens-proxy.example.local
+      parentRefs:
+      - name: gateway
+        namespace: testing
+        kind: Gateway
+        sectionName: athens-proxy-debug-gateway
+    service.enabled: true
+  asserts:
+  - lengthEqual:
+      path: spec.hostnames
+      count: 1
+  - contains:
+      path: spec.hostnames
+      content:
+        athens-proxy.example.local
+  - lengthEqual:
+      path: spec.parentRefs
+      count: 1
+  - contains:
+      path: spec.parentRefs
+      content:
+        name: gateway
+        namespace: testing
+        kind: Gateway
+        sectionName: athens-proxy-debug-gateway

unittests/ingresses/ingress.yaml

@@ -15,7 +15,7 @@ tests:
 
 - it: Skip ingress, when service is disabled.
   set:
-    services.http.enabled: false
+    service.enabled: false
     ingress.enabled: true
   asserts:
   - hasDocuments:
@@ -65,7 +65,7 @@ tests:
             pathType: Prefix
             backend:
               service:
-                name: athens-proxy-unittest-http
+                name: athens-proxy-unittest
                 port:
                   number: 3000
   - contains:
@@ -92,7 +92,7 @@ tests:
     - secretName: athens-proxy-http-tls
       hosts:
       - athens-proxy.example.local
-    services.http.port: 8080
+    service.port: 8080
 
   asserts:
   - hasDocuments:
@@ -128,7 +128,7 @@ tests:
             pathType: Prefix
             backend:
               service:
-                name: athens-proxy-unittest-http
+                name: athens-proxy-unittest
                 port:
                   number: 8080
   - contains:

unittests/services/service.yaml

@@ -6,11 +6,11 @@ release:
   name: athens-proxy-unittest
   namespace: testing
 templates:
-- templates/serviceHTTP.yaml
+- templates/service.yaml
 tests:
 - it: Skip service when disabled.
   set:
-    services.http.enabled: false
+    service.enabled: false
   asserts:
   - hasDocuments:
       count: 0
@@ -22,7 +22,7 @@ tests:
   - containsDocument:
       apiVersion: v1
       kind: Service
-      name: athens-proxy-unittest-http
+      name: athens-proxy-unittest
       namespace: testing
   - notExists:
       path: metadata.annotations
@@ -75,37 +75,37 @@ tests:
 
 - it: Require internalTrafficPolicy.
   set:
-    services.http.internalTrafficPolicy: ""
+    service.internalTrafficPolicy: ""
   asserts:
   - failedTemplate:
       errorMessage: No internal traffic policy defined!
 
 - it: Require port.
   set:
-    services.http.port: ""
+    service.port: ""
   asserts:
   - failedTemplate:
       errorMessage: No service port defined!
 
 - it: Require sessionAffinity.
   set:
-    services.http.sessionAffinity: ""
+    service.sessionAffinity: ""
   asserts:
   - failedTemplate:
       errorMessage: No session affinity defined!
 
 - it: Require service type.
   set:
-    services.http.type: ""
+    service.type: ""
   asserts:
   - failedTemplate:
       errorMessage: No service type defined!
 
 - it: Render service with custom annotations and labels.
   set:
-    services.http.annotations:
+    service.annotations:
       foo: bar
-    services.http.labels:
+    service.labels:
       bar: foo
   asserts:
   - equal:
@@ -125,19 +125,19 @@ tests:
 
 - it: Change defaults
   set:
-    services.http.externalIPs:
+    service.externalIPs:
     - "10.11.12.13/32"
-    services.http.externalTrafficPolicy: Local
-    services.http.internalTrafficPolicy: Local
-    services.http.ipFamilies:
+    service.externalTrafficPolicy: Local
+    service.internalTrafficPolicy: Local
+    service.ipFamilies:
     - IPv4
-    services.http.loadBalancerClass: aws
-    services.http.loadBalancerIP: "11.12.13.14"
-    services.http.loadBalancerSourceRanges:
+    service.loadBalancerClass: aws
+    service.loadBalancerIP: "11.12.13.14"
+    service.loadBalancerSourceRanges:
     - "11.12.0.0/17"
-    services.http.port: 10443
-    services.http.sessionAffinity: ClientIP
-    services.http.type: LoadBalancer
+    service.port: 10443
+    service.sessionAffinity: ClientIP
+    service.type: LoadBalancer
   asserts:
   - equal:
       path: spec.externalIPs
@@ -171,4 +171,4 @@ tests:
       value: ClientIP
   - equal:
       path: spec.type
-      value: LoadBalancer
+      value: LoadBalancer

values.yaml

@@ -1,4 +1,5 @@
 # Declare variables to be passed into your templates.
+
 ## @section Global
 ## @param nameOverride Individual release name suffix.
 ## @param fullnameOverride Override the complete release name logic.
@@ -520,6 +521,72 @@ deployment:
   #   secret:
   #     secretName: my-secret
 
+
+## @section GatewayAPI
+gatewayAPI:
+  ## @param gatewayAPI.enabled Enable the Gateway API resources. Requires Kubernetes v1.19 or higher, the CRD's and a compatible gateway controller.
+  enabled: false
+
+  core:
+    ## @param gatewayAPI.core.backendTLSPolicy.enabled Enable the BackendTLSPolicy resource. Requires also `gatewayAPI.enabled` to be `true`.
+    ## @param gatewayAPI.core.backendTLSPolicy.annotations Additional annotations for the BackendTLSPolicy.
+    ## @param gatewayAPI.core.backendTLSPolicy.labels Additional labels for the BackendTLSPolicy.
+    ## @param gatewayAPI.core.backendTLSPolicy.validation Validation configuration for the BackendTLSPolicy. For example, you can specify a trusted CA certificate to validate the TLS connection between the gateway and the athens-proxy pod.
+    backendTLSPolicy:
+      enabled: false
+      annotations: {}
+      labels: {}
+      validation: {}
+        # caCertificateRefs:
+        # - group: ""
+        #   kind: Secret
+        #   name: "athens-proxy-ca"
+        # hostname: "athens-proxy"
+
+    ## @param gatewayAPI.core.httpRoute.enabled Enable the HTTPRoute resource. Requires also `gatewayAPI.enabled` and `service.enabled` to be `true`.
+    ## @param gatewayAPI.core.httpRoute.annotations Additional annotations for the HTTPRoute.
+    ## @param gatewayAPI.core.httpRoute.labels Additional labels for the HTTPRoute.
+    ## @param gatewayAPI.core.httpRoute.hostnames Hostnames for the HTTPRoute.
+    ## @skip gatewayAPI.core.httpRoute.matches Match conditions for the HTTPRoute. You can specify path based match conditions to route traffic to the athens-proxy service.
+    ## @param gatewayAPI.core.httpRoute.parentRefs ParentRefs for the HTTPRoute. You can specify parentRefs to bind the HTTPRoute to specific Gateway resources.
+    httpRoute:
+      enabled: false
+      annotations: {}
+      labels: {}
+      hostnames: []
+      matches:
+      - path:
+          type: PathPrefix
+          value: /
+      parentRefs: []
+      # - name: gateway
+      #   kind: Gateway
+      #   group: gateway.networking.k8s.io
+      #   namespace: default
+      #   sectionName: athens-proxy-http
+
+  nginx:
+    ## @param gatewayAPI.nginx.clientSettingsPolicy.enabled Enable the ClientSettingsPolicy resource. Requires also `gatewayAPI.enabled` to be `true`.
+    ## @param gatewayAPI.nginx.clientSettingsPolicy.annotations Additional annotations for the ClientSettingsPolicy.
+    ## @param gatewayAPI.nginx.clientSettingsPolicy.labels Additional labels for the ClientSettingsPolicy.
+    ## @param gatewayAPI.nginx.clientSettingsPolicy.clientMaxBodySize ClientMaxBodySize sets the maximum allowed size of the client request body. If not specified, the default of the nginx gateway controller is used.
+    ## @param gatewayAPI.nginx.clientSettingsPolicy.clientBodyTimeout ClientBodyTimeout sets the timeout for reading the client request body. If not specified, the default of the nginx gateway controller is used.
+    ## @param gatewayAPI.nginx.clientSettingsPolicy.keepaliveRequests KeepaliveRequests sets the maximum number of requests that can be served through one keepalive connection. If not specified, the default of the nginx gateway controller is used.
+    ## @param gatewayAPI.nginx.clientSettingsPolicy.keepaliveTime KeepaliveTime sets the time a keepalive connection is kept open. If not specified, the default of the nginx gateway controller is used.
+    ## @param gatewayAPI.nginx.clientSettingsPolicy.keepaliveTimeout KeepaliveTimeout sets the time a client has to wait for the response of a request until the connection is closed. If not specified, the default of the nginx gateway controller is used.
+    ## @param gatewayAPI.nginx.clientSettingsPolicy.keepaliveMinTimeout KeepaliveMinTimeout sets the minimum time a client has to wait for the response of a request until the connection is closed. If not specified, the default of the nginx gateway controller is used.
+    clientSettingsPolicy:
+      enabled: false
+      annotations: {}
+      labels: {}
+      clientMaxBodySize: ""
+      clientBodyTimeout: ""
+      keepaliveRequests:
+      keepaliveTime: ""
+      keepaliveTimeout: ""
+      keepaliveMinTimeout: ""
+
+
 ## @section Horizontal Pod Autoscaler (HPA)
 # In order for the HPA to function successfully, a metric server is required, especially for resource consumption. The
 # metric server enables the CPU and memory utilisation to be recorded. If such a metric server is not available, the HPA
@@ -551,6 +618,7 @@ hpa:
   minReplicas: 1
   maxReplicas: 10
 
+
 ## @section Ingress
 ingress:
   ## @param ingress.enabled Enable creation of an ingress resource. Requires, that the http service is also enabled.
@@ -562,7 +630,7 @@ ingress:
   annotations: {}
   labels: {}
 
-  ## @param ingress.hosts Ingress specific configuration. Specification only required when another ingress controller is used instead of `t1k.
+  ## @param ingress.hosts Ingress specific configuration.
   ## @skip ingress.hosts Skip individual host configuration.
   hosts: []
   # - host: athens-proxy.example.local
@@ -570,7 +638,7 @@ ingress:
   #   - path: /
   #     pathType: Prefix
 
-  ## @param ingress.tls Ingress TLS settings. Specification only required when another ingress controller is used instead of `t1k``.
+  ## @param ingress.tls Ingress TLS settings.
   ## @skip ingress.tls Skip individual TLS configuration.
   tls: []
   # - secretName: athens-proxy-http-tls
@@ -681,36 +749,35 @@ networkPolicy:
   #     protocol: TCP
 
 ## @section Service
-## @param services.http.enabled Enable the service.
-## @param services.http.annotations Additional service annotations.
-## @param services.http.externalIPs External IPs for the service.
-## @param services.http.externalTrafficPolicy If `service.type` is `NodePort` or `LoadBalancer`, set this to `Local` to tell kube-proxy to only use node local endpoints for cluster external traffic. Furthermore, this enables source IP preservation.
-## @param services.http.internalTrafficPolicy If `service.type` is `NodePort` or `LoadBalancer`, set this to `Local` to tell kube-proxy to only use node local endpoints for cluster internal traffic.
-## @param services.http.ipFamilies IPFamilies is list of IP families (e.g. `IPv4`, `IPv6`) assigned to this service. This field is usually assigned automatically based on cluster configuration and only required for customization.
-## @param services.http.labels Additional service labels.
-## @param services.http.loadBalancerClass LoadBalancerClass is the class of the load balancer implementation this Service belongs to. Requires service from type `LoadBalancer`.
-## @param services.http.loadBalancerIP LoadBalancer will get created with the IP specified in this field. Requires service from type `LoadBalancer`.
-## @param services.http.loadBalancerSourceRanges Source range filter for LoadBalancer. Requires service from type `LoadBalancer`.
-## @param services.http.port Port to forward the traffic to.
-## @param services.http.sessionAffinity Supports `ClientIP` and `None`. Enable client IP based session affinity via `ClientIP`.
-## @param services.http.sessionAffinityConfig Contains the configuration of the session affinity.
-## @param services.http.type Kubernetes service type for the traffic.
-services:
-  http:
-    enabled: true
-    annotations: {}
-    externalIPs: []
-    externalTrafficPolicy: "Cluster"
-    internalTrafficPolicy: "Cluster"
-    ipFamilies: []
-    labels: {}
-    loadBalancerClass: ""
-    loadBalancerIP: ""
-    loadBalancerSourceRanges: []
-    port: 3000
-    sessionAffinity: "None"
-    sessionAffinityConfig: {}
-    type: "ClusterIP"
+## @param service.enabled Enable the service.
+## @param service.annotations Additional service annotations.
+## @param service.externalIPs External IPs for the service.
+## @param service.externalTrafficPolicy If `service.type` is `NodePort` or `LoadBalancer`, set this to `Local` to tell kube-proxy to only use node local endpoints for cluster external traffic. Furthermore, this enables source IP preservation.
+## @param service.internalTrafficPolicy If `service.type` is `NodePort` or `LoadBalancer`, set this to `Local` to tell kube-proxy to only use node local endpoints for cluster internal traffic.
+## @param service.ipFamilies IPFamilies is list of IP families (e.g. `IPv4`, `IPv6`) assigned to this service. This field is usually assigned automatically based on cluster configuration and only required for customization.
+## @param service.labels Additional service labels.
+## @param service.loadBalancerClass LoadBalancerClass is the class of the load balancer implementation this Service belongs to. Requires service from type `LoadBalancer`.
+## @param service.loadBalancerIP LoadBalancer will get created with the IP specified in this field. Requires service from type `LoadBalancer`.
+## @param service.loadBalancerSourceRanges Source range filter for LoadBalancer. Requires service from type `LoadBalancer`.
+## @param service.port Port to forward the traffic to.
+## @param service.sessionAffinity Supports `ClientIP` and `None`. Enable client IP based session affinity via `ClientIP`.
+## @param service.sessionAffinityConfig Contains the configuration of the session affinity.
+## @param service.type Kubernetes service type for the traffic.
+service:
+  enabled: true
+  annotations: {}
+  externalIPs: []
+  externalTrafficPolicy: "Cluster"
+  internalTrafficPolicy: "Cluster"
+  ipFamilies: []
+  labels: {}
+  loadBalancerClass: ""
+  loadBalancerIP: ""
+  loadBalancerSourceRanges: []
+  port: 3000
+  sessionAffinity: "None"
+  sessionAffinityConfig: {}
+  type: "ClusterIP"
 
 ## @section ServiceAccount
 serviceAccount: