chore(deps): update docker.io/volkerraschek/helm docker tag to v4

Depending on the environment or tooling in which the chart is deployed, you may
or may not want to have the checksum annotation.

In the past, these were enforced. The default remains that the checksum
annotation is added. It now only contains a switch that allows you to optionally
disable it.

.gitea/workflows/generate-readme.yaml

@@ -15,15 +15,14 @@ on:
 jobs:
   generate-parameters:
     container:
-      image: docker.io/library/node:24.10.0-alpine
+      image: docker.io/library/node:25.2.1-alpine
-    runs-on:
+    runs-on: ubuntu-latest
-    - ubuntu-latest
     steps:
     - name: Install tooling
       run: |
         apk update
         apk add git npm
-    - uses: actions/checkout@v5.0.0
+    - uses: actions/checkout@v6.0.1
     - name: Generate parameter section in README
       run: |
         npm install

.gitea/workflows/helm.yaml

@@ -12,31 +12,26 @@ on:
 
 jobs:
   helm-lint:
-    container:
+    runs-on: ubuntu-latest
-      image: docker.io/volkerraschek/helm:3.19.0
-    runs-on:
-    - ubuntu-latest
     steps:
-    - name: Install tooling
+    - uses: actions/checkout@v6.0.1
-      run: |
+    - uses: azure/setup-helm@v4.3.1
-        apk update
+      with:
-        apk add git npm
+        version: v4.0.1 # renovate: datasource=github-releases depName=helm/helm
-    - uses: actions/checkout@v5.0.0
     - name: Lint helm files
       run: |
         helm lint --values values.yaml .
 
   helm-unittest:
-    container:
+    runs-on: ubuntu-latest
-      image: docker.io/volkerraschek/helm:3.19.0
-    runs-on:
-    - ubuntu-latest
     steps:
-    - name: Install tooling
+    - uses: actions/checkout@v6.0.1
-      run: |
+    - uses: azure/setup-helm@v4.3.1
-        apk update
+      with:
-        apk add git npm
+        version: v4.0.1 # renovate: datasource=github-releases depName=helm/helm
-    - uses: actions/checkout@v5.0.0
+    - env:
-    - name: Unittest
+        HELM_UNITTEST_VERSION: v1.0.0 #renovate: datasource=github-releases depName=helm-unittest/helm-unittest
-      run: |
+      name: Install helm-unittest
-        helm unittest --strict --file 'unittests/**/*.yaml' ./
+      run: helm plugin install --verify=false --version "${HELM_UNITTEST_VERSION}" https://github.com/helm-unittest/helm-unittest
+    - name: Execute helm unittests
+      run: helm unittest --strict --file 'unittests/**/*.yaml' .

.gitea/workflows/markdown-linters.yaml

@@ -15,15 +15,14 @@ on:
 jobs:
   markdown-link-checker:
     container:
-      image: docker.io/library/node:24.10.0-alpine
+      image: docker.io/library/node:25.2.1-alpine
-    runs-on:
+    runs-on: ubuntu-latest
-    - ubuntu-latest
     steps:
     - name: Install tooling
       run: |
         apk update
         apk add git npm
-    - uses: actions/checkout@v5.0.0
+    - uses: actions/checkout@v6.0.1
     - name: Verify links in markdown files
       run: |
         npm install
@@ -31,15 +30,14 @@ jobs:
 
   markdown-lint:
     container:
-      image: docker.io/library/node:24.10.0-alpine
+      image: docker.io/library/node:25.2.1-alpine
-    runs-on:
+    runs-on: ubuntu-latest
-    - ubuntu-latest
     steps:
     - name: Install tooling
       run: |
         apk update
         apk add git
-    - uses: actions/checkout@v5.0.0
+    - uses: actions/checkout@v6.0.1
     - name: Lint markdown files
       run: |
         npm install

.gitea/workflows/release.yaml

@@ -8,7 +8,7 @@ on:
 jobs:
   publish-chart:
     container:
-      image: docker.io/volkerraschek/helm:3.19.0
+      image: docker.io/volkerraschek/helm:4.0.1
     runs-on: ubuntu-latest
     steps:
       - name: Install packages via apk
@@ -16,7 +16,7 @@ jobs:
           apk update
           apk add git npm jq yq
 
-      - uses: actions/checkout@v5.0.0
+      - uses: actions/checkout@v6.0.1
         with:
           fetch-depth: 0
 

Makefile

@@ -10,7 +10,7 @@ HELM_IMAGE_FULLY_QUALIFIED=${HELM_IMAGE_REGISTRY_HOST}/${HELM_IMAGE_REPOSITORY}:
 # NODE_IMAGE
 NODE_IMAGE_REGISTRY_HOST?=docker.io
 NODE_IMAGE_REPOSITORY?=library/node
-NODE_IMAGE_VERSION?=24.10.0-alpine # renovate: datasource=docker registryUrl=https://docker.io depName=docker.io/library/node packageName=library/node
+NODE_IMAGE_VERSION?=25.2.1-alpine # renovate: datasource=docker registryUrl=https://docker.io depName=docker.io/library/node packageName=library/node
 NODE_IMAGE_FULLY_QUALIFIED=${NODE_IMAGE_REGISTRY_HOST}/${NODE_IMAGE_REPOSITORY}:${NODE_IMAGE_VERSION}
 
 # MISSING DOT

README.md

@@ -1,4 +1,4 @@
-# athens-proxy-charts
+# Athens - A Go module datastore and proxy
 
 [![Artifact Hub](https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/volker-raschek)](https://artifacthub.io/packages/search?repo=volker-raschek)
 
@@ -16,10 +16,7 @@ Chapter [configuration and installation](#helm-configuration-and-installation) d
 helm and use it to deploy the exporter. It also contains further configuration examples.
 
 Furthermore, this helm chart contains unit tests to detect regressions and stabilize the deployment. Additionally, this
-helm chart is tested for deployment scenarios with **ArgoCD**, but please keep in mind, that this chart supports the
+helm chart is tested for deployment scenarios with **ArgoCD**.
-*[Automatically Roll Deployment](https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments)*
-concept of Helm, which can trigger unexpected rolling releases. Further configuration instructions are described in a
-separate [chapter](#argocd).
 
 ## Helm: configuration and installation
 
@@ -40,21 +37,21 @@ version of the chart must be in sync with the `values.yaml`. Newer *minor* versi
 versions can break something!
 
 ```bash
-CHART_VERSION=1.1.1
+CHART_VERSION=1.3.0
 helm show values volker.raschek/athens-proxy --version "${CHART_VERSION}" > values.yaml
 ```
 
 A complete list of available helm chart versions can be displayed via the following command:
 
 ```bash
-helm search repo reposilite --versions
+helm search repo athens-proxy --versions
 ```
 
 The helm chart also contains a persistent volume claim definition. It persistent volume claim is not enabled by default.
 Use the `--set` argument to persist your data.
 
 ```bash
-CHART_VERSION=1.1.1
+CHART_VERSION=1.3.0
 helm install --version "${CHART_VERSION}" athens-proxy volker.raschek/athens-proxy \
   persistence.enabled=true
 ```
@@ -84,7 +81,7 @@ Further information about this topic can be found in one of Kanishk's blog
 > Please take care the a CPU limit < `1000m` can also lead to CPU throttling. Please read the linked documentation carefully.
 
 ```bash
-CHART_VERSION=1.1.1
+CHART_VERSION=1.3.0
 helm install --version "${CHART_VERSION}" athens-proxy volker.raschek/athens-proxy \
   --set 'deployment.athensProxy.env.name=GOMAXPROCS' \
   --set 'deployment.athensProxy.env.valueFrom.resourceFieldRef.resource=limits.cpu' \
@@ -104,7 +101,7 @@ The secret must be from type `kubernetes.io/tls`.
 > `athens-proxy-ca` is present in the same namespace of the helm deployment.
 
 ```bash
-CHART_VERSION=1.1.1
+CHART_VERSION=1.3.0
 helm install --version "${CHART_VERSION}" athens-proxy volker.raschek/athens-proxy \
   --set 'config.certificate.enabled=true' \
   --set 'config.certificate.new.issuerRef.kind=Issuer' \
@@ -123,22 +120,31 @@ before expiring.
 
 Until the exporter does not support rotating TLS certificate a workaround can be applied. For example stakater's
 [reloader](https://github.com/stakater/Reloader) controller can be used to trigger a rolling update. The following
-annotation must be added to instruct the reloader controller to trigger a rolling update, when the mounted configMaps
+annotation must be added to instruct the reloader controller to trigger a rolling update, when the mounted secret has
-and secrets have been changed.
+been changed.
+
+> [!IMPORTANT]
+> The Helm chart already adds annotations to trigger a rolling release. Helm describes this approach under
+> [Automatically Roll Deployments](https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments).
+> For this reason, **only external** configMaps or secrets need to be monitored by reloader.
 
 ```yaml
 deployment:
   annotations:
-    reloader.stakater.com/auto: "true"
+    secret.reloader.stakater.com/reload: "athens-proxy-tls"
 ```
 
-Instead of triggering a rolling update for configMap and secret resources, this action can also be defined for
+If the application is rolled out using ArgoCD, a rolling update from stakater's
-individual items. For example, when the secret named `athens-proxy-tls` is mounted and the reloader controller should
+[reloader](https://github.com/stakater/Reloader) can lead to a drift. ArgoCD will attempt to restore the original state
-only listen for changes of this secret:
+with a rolling update. To avoid this, instead of a rolling update triggered by the reloader, a restart of the pod can be
+initiated. Further information are available in the official
+[README](https://github.com/stakater/Reloader?tab=readme-ov-file#4-%EF%B8%8F-workload-specific-rollout-strategy) of
+stakater's reloader.
 
-```yaml
+```diff
-deployment:
+  deployment:
     annotations:
++     reloader.stakater.com/rollout-strategy: "restart"
       secret.reloader.stakater.com/reload: "athens-proxy-tls"
 ```
 
@@ -177,6 +183,9 @@ networkPolicies:
       protocol: TCP
     - port: 53
       protocol: UDP
+  - ports:
+    - port: 22
+      protocol: TCP
   - ports:
     - port: 443
       protocol: TCP
@@ -196,62 +205,51 @@ networkPolicies:
 
 ## ArgoCD
 
-### Daily execution of rolling updates
+### Example Application
 
-The behavior whereby ArgoCD triggers a rolling update even though nothing appears to have changed often occurs in
+An application resource for the Helm chart is defined below. It serves as an example for your own deployment.
-connection with the helm concept `checksum/secret`, `checksum/configmap` or more generally, [Automatically Roll
-Deployments](https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments). Please ensure, that no
-third party application modifies the config maps or secret afterwards.
 
-The problem with combining this concept with ArgoCD is that ArgoCD re-renders the Helm chart every time. Even if the
+```yaml
-content of the config map or secret has not changed, there may be minimal differences (e.g., whitespace, chart version,
+apiVersion: argoproj.io/v1alpha1
-Helm render order, different timestamps).
+kind: Application
-
+spec:
-This changes the SHA256 hash, Argo sees a drift and trigger a rolling update of the deployment. Among other things, this
+  destination:
-can lead to unnecessary notifications from ArgoCD.
+    server: https://kubernetes.default.svc
-
+    namespace: athens-proxy
-To avoid this, the annotation with the shasum can be ignored. However, this negates the mechanism of [Automatically Roll
-Deployments](https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments).
-
-Below is a diff that adds the `Application` to ignore all annotations with the prefix `checksum`.
-
-> [!WARNING]
-> Configurations of `ignoreDifferences` always refer to the determination of a drift and whether a possible sync is
-> necessary. If the selected attributes should also be ignored in deployment afterwards, define
-> `RespectIgnoreDifferences=true` in your `Application` resource. Further information can be found in the ArgoCD
-> [documentation](https://argo-cd.readthedocs.io/en/latest/user-guide/sync-options/#respect-ignore-differences-configs).
-
-```diff
-  apiVersion: argoproj.io/v1alpha1
-  kind: Application
-  spec:
-+   ignoreDifferences:
-+   - group: apps
-+     kind: Deployment
-+     jqPathExpressions:
-+     - '.spec.template.metadata.annotations | with_entries(select(.key | startswith("checksum")))'
-```
-
-The definition of ignoreDifferences ensures that annotations with the prefix checksum are ignored during a diff.
-
-> [!TIP]
-> If the [reloader](https://github.com/stakater/Reloader) is configured as described in section [TLS certificate
-> rotation](#tls-certificate-rotation), ensure that the shasum defined as annotation or environment variable is also
-> ignored. The [reloader](https://github.com/stakater/Reloader) will modify the deployment based on his configuration
-> and append additional annotations or environment variables containing the shasum. Below are some examples how to adapt
-> the `ignoreDifferences` configuration to ignore only the annotations and environment variables of stakater's
-> [reloader](https://github.com/stakater/Reloader).
-
-```diff
-  apiVersion: argoproj.io/v1alpha1
-  kind: Application
-  spec:
   ignoreDifferences:
   - group: apps
     kind: Deployment
     jqPathExpressions:
-+     - '.spec.template.metadata.annotations | with_entries(select(.key | startswith("reloader")))'
+    # When HPA is enabled, ensure that a modification of the replicas does not lead to a
-+     - '.spec.template.spec.containers[].env[] | select(.name | startswith("STAKATER_"))'
+    # drift.
+      - '.spec.replicas'
+    # Ensure that changes of the annotations or environment variables added or modified by
+    # stakater's reloader does not lead to a drift.
+    - '.spec.template.metadata.annotations | with_entries(select(.key | startswith("reloader")))'
+    - '.spec.template.spec.containers[].env[] | select(.name | startswith("STAKATER_"))'
+  sources:
+  - repoURL: https://charts.cryptic.systems/volker.raschek
+    chart: athens-proxy
+    targetRevision: '0.*'
+    helm:
+      valueFiles:
+      - $values/values.yaml
+      releaseName: athens-proxy
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    managedNamespaceMetadata:
+      annotations: {}
+      labels: {}
+    syncOptions:
+    - ApplyOutOfSyncOnly=true
+    - CreateNamespace=true
+    - FailOnSharedResource=false
+    - Replace=false
+    - RespectIgnoreDifferences=false
+    - ServerSideApply=true
+    - Validate=true
 ```
 
 ## Parameters
@@ -268,6 +266,7 @@ The definition of ignoreDifferences ensures that annotations with the prefix che
 | Name                                          | Description                                                                                                                                                 | Value                           |
 | --------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------- |
 | `certificate.enabled`                         | Issue a TLS certificate via cert-manager. If enabled, the environment variables `ATHENS_TLSCERT_FILE` and `ATHENS_TLSKEY_FILE` will be automatically added. | `false`                         |
+| `certificate.addSHASumAnnotation`             | Add an pod annotation with the sha sum of the secret containing the TLS certificates.                                                                       | `true`                          |
 | `certificate.existingSecret.enabled`          | Use an existing secret of the type `kubernetes.io/tls`.                                                                                                     | `false`                         |
 | `certificate.existingSecret.secretName`       | Name of the secret containing the TLS certificate and private key.                                                                                          | `""`                            |
 | `certificate.new.annotations`                 | Additional certificate annotations.                                                                                                                         | `{}`                            |
@@ -298,30 +297,35 @@ The definition of ignoreDifferences ensures that annotations with the prefix che
 | Name                                                    | Description                                                                                                                                       | Value            |
 | ------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------- |
 | `config.env.enabled`                                    | Enable mounting of the secret as environment variables.                                                                                           | `false`          |
+| `config.env.addSHASumAnnotation`                        | Add an pod annotation with the sha sum of the config map containing the configuration.                                                            | `true`           |
 | `config.env.existingSecret.enabled`                     | Mount an existing secret containing the application specific environment variables.                                                               | `false`          |
 | `config.env.existingSecret.secretName`                  | Name of the existing secret containing the application specific environment variables.                                                            | `""`             |
 | `config.env.secret.annotations`                         | Additional annotations of the secret containing the database credentials.                                                                         | `{}`             |
 | `config.env.secret.labels`                              | Additional labels of the secret containing the database credentials.                                                                              | `{}`             |
 | `config.env.secret.envs`                                | List of environment variables stored in a secret and mounted into the container.                                                                  | `{}`             |
 | `config.downloadMode.enabled`                           | Enable mounting of a download mode file into the container file system. If enabled, the env `ATHENS_DOWNLOAD_MODE` will automatically be defined. | `false`          |
+| `config.downloadMode.addSHASumAnnotation`               | Add an pod annotation with the sha sum of the config map containing the downloadMode config.                                                      | `true`           |
 | `config.downloadMode.existingConfigMap.enabled`         | Enable to use an external config map for mounting the download mode file.                                                                         | `false`          |
 | `config.downloadMode.existingConfigMap.configMapName`   | The name of the existing config map which should be used to mount the download mode file.                                                         | `""`             |
 | `config.downloadMode.existingConfigMap.downloadModeKey` | The name of the key inside the config map where the content of the download mode file is stored.                                                  | `downloadMode`   |
 | `config.downloadMode.configMap.annotations`             | Additional annotations of the config map containing the download mode file.                                                                       | `{}`             |
 | `config.downloadMode.configMap.labels`                  | Additional labels of the config map containing the download mode file.                                                                            | `{}`             |
 | `config.gitConfig.enabled`                              | Enable mounting of a .gitconfig file into the container file system.                                                                              | `false`          |
+| `config.gitConfig.addSHASumAnnotation`                  | Add an pod annotation with the sha sum of the config map containing the git config.                                                               | `true`           |
 | `config.gitConfig.existingConfigMap.enabled`            | Enable to use an external config map for mounting the .gitconfig file.                                                                            | `false`          |
 | `config.gitConfig.existingConfigMap.configMapName`      | The name of the existing config map which should be used to mount the .gitconfig file.                                                            | `""`             |
 | `config.gitConfig.existingConfigMap.gitConfigKey`       | The name of the key inside the config map where the content of the .gitconfig file is stored.                                                     | `nil`            |
 | `config.gitConfig.configMap.annotations`                | Additional annotations of the config map containing the .gitconfig file.                                                                          | `{}`             |
 | `config.gitConfig.configMap.labels`                     | Additional labels of the config map containing the .gitconfig file.                                                                               | `{}`             |
 | `config.netrc.enabled`                                  | Enable mounting of a .netrc file into the container file system.                                                                                  | `false`          |
+| `config.netrc.addSHASumAnnotation`                      | Add an pod annotation with the sha sum of the secret containing the netrc file.                                                                   | `true`           |
 | `config.netrc.existingSecret.enabled`                   | Enable to use an external secret for mounting the .netrc file.                                                                                    | `false`          |
 | `config.netrc.existingSecret.secretName`                | The name of the existing secret which should be used to mount the .netrc file.                                                                    | `""`             |
 | `config.netrc.existingSecret.netrcKey`                  | The name of the key inside the secret where the content of the .netrc file is stored.                                                             | `.netrc`         |
 | `config.netrc.secret.annotations`                       | Additional annotations of the secret containing the database credentials.                                                                         | `{}`             |
 | `config.netrc.secret.labels`                            | Additional labels of the secret containing the database credentials.                                                                              | `{}`             |
 | `config.ssh.enabled`                                    | Enable mounting of a .netrc file into the container file system.                                                                                  | `false`          |
+| `config.ssh.addSHASumAnnotation`                        | Add an pod annotation with the sha sum of the secret containing the ssh keys.                                                                     | `true`           |
 | `config.ssh.existingSecret.enabled`                     | Enable to use an external secret for mounting the public and private SSH key files.                                                               | `false`          |
 | `config.ssh.existingSecret.secretName`                  | The name of the existing secret which should be used to mount the public and private SSH key files.                                               | `""`             |
 | `config.ssh.existingSecret.configKey`                   | The name of the key inside the secret where the content of the SSH client config file is stored.                                                  | `config`         |

package.json

@@ -16,6 +16,6 @@
   "devDependencies": {
     "@bitnami/readme-generator-for-helm": "^2.5.0",
     "markdown-link-check": "^3.13.6",
-    "markdownlint-cli": "^0.45.0"
+    "markdownlint-cli": "^0.46.0"
   }
 }

templates/_pod.tpl

@@ -4,24 +4,66 @@
 
 {{- define "athens-proxy.pod.annotations" }}
 {{- include "athens-proxy.annotations" . }}
-{{- if and .Values.config.env.enabled (not .Values.config.env.existingSecret.enabled) }}
+{{- if and .Values.certificate.enabled .Values.certificate.addSHASumAnnotation }}
-{{ printf "checksum/secret-%s: %s" (include "athens-proxy.secrets.env.name" $) (include (print $.Template.BasePath "/secretEnv.yaml") . | sha256sum) }}
+{{- $secretName := include "athens-proxy.certificates.server.name" $ }}
-{{- end }}
+{{- if and .Values.certificate.existingSecret.enabled (gt (len .Values.certificate.existingSecret.secretName) 0) }}
-{{- if and .Values.config.downloadMode.enabled (not .Values.config.downloadMode.existingConfigMap.enabled) }}
+{{- $secretName = .Values.certificate.existingSecret.secretName }}
-{{ printf "checksum/config-map-%s: %s" (include "athens-proxy.configMap.downloadMode.name" $) (include (print $.Template.BasePath "/configMapDownloadMode.yaml") . | sha256sum) }}
-{{- end }}
-{{- if and .Values.config.gitConfig.enabled (not .Values.config.gitConfig.existingConfigMap.enabled) }}
-{{ printf "checksum/config-map-%s: %s" (include "athens-proxy.configMap.gitConfig.name" $) (include (print $.Template.BasePath "/configMapGitConfig.yaml") . | sha256sum) }}
-{{- end }}
-{{- if and .Values.config.netrc.enabled (not .Values.config.netrc.existingSecret.enabled) }}
-{{ printf "checksum/secret-%s: %s" (include "athens-proxy.secrets.netrc.name" $) (include (print $.Template.BasePath "/secretNetRC.yaml") . | sha256sum) }}
-{{- end }}
-{{- if and .Values.config.ssh.enabled (not .Values.config.ssh.existingSecret.enabled) }}
-{{ printf "checksum/secret-%s: %s" (include "athens-proxy.secrets.ssh.name" $) (include (print $.Template.BasePath "/secretSSH.yaml") . | sha256sum) }}
 {{- end }}
+{{- $secret := lookup "v1" "Secret" .Release.Namespace $secretName | toYaml }}
+{{ printf "checksum/secret-%s: %s" $secretName ($secret | sha256sum) }}
 {{- end }}
 
+{{- if and .Values.config.env.enabled .Values.config.env.addSHASumAnnotation }}
+{{- $secretName := include "athens-proxy.secrets.env.name" $ }}
+{{- $secret := include (print $.Template.BasePath "/secretEnv.yaml") $ }}
+{{- if and .Values.config.env.existingSecret.enabled (gt (len .Values.config.env.existingSecret.secretName) 0) }}
+{{- $secretName = .Values.config.env.existingSecret.secretName }}
+{{- $secret := lookup "v1" "Secret" .Release.Namespace $secretName | toYaml }}
+{{- end }}
+{{ printf "checksum/secret-%s: %s" $secretName ($secret | sha256sum) }}
+{{- end }}
 
+{{- if and .Values.config.downloadMode.enabled .Values.config.downloadMode.addSHASumAnnotation }}
+{{- $configMapName := include "athens-proxy.configMap.downloadMode.name" $ }}
+{{- $configMap := include (print $.Template.BasePath "/configMapDownloadMode.yaml") . }}
+{{- if and .Values.config.downloadMode.existingConfigMap.enabled (gt (len .Values.config.downloadMode.existingConfigMap.configMapName) 0) }}
+{{- $configMapName = .Values.config.downloadMode.existingConfigMap.configMapName }}
+{{- $configMap := lookup "v1" "ConfigMap" .Release.Namespace $configMapName | toYaml }}
+{{- end }}
+{{ printf "checksum/config-map-%s: %s" $configMapName ($configMap | sha256sum) }}
+{{- end }}
+
+{{- if and .Values.config.gitConfig.enabled .Values.config.gitConfig.addSHASumAnnotation }}
+{{- $configMapName := include "athens-proxy.configMap.gitConfig.name" $ }}
+{{- $configMap := include (print $.Template.BasePath "/configMapGitConfig.yaml") . }}
+{{- if and .Values.config.gitConfig.existingConfigMap.enabled (gt (len .Values.config.gitConfig.existingConfigMap.configMapName) 0) }}
+{{- $configMapName = .Values.config.gitConfig.existingConfigMap.configMapName }}
+{{- $configMap := lookup "v1" "ConfigMap" .Release.Namespace $configMapName | toYaml }}
+{{- end }}
+{{ printf "checksum/config-map-%s: %s" $configMapName ($configMap | sha256sum) }}
+{{- end }}
+
+{{- if and .Values.config.netrc.enabled .Values.config.netrc.addSHASumAnnotation }}
+{{- $secretName := include "athens-proxy.secrets.netrc.name" $ }}
+{{- $secret := include (print $.Template.BasePath "/secretNetRC.yaml") $ }}
+{{- if and .Values.config.netrc.existingSecret.enabled (gt (len .Values.config.netrc.existingSecret.secretName) 0) }}
+{{- $secretName = .Values.config.netrc.existingSecret.secretName }}
+{{- $secret := lookup "v1" "Secret" .Release.Namespace $secretName | toYaml }}
+{{- end }}
+{{ printf "checksum/secret-%s: %s" $secretName ($secret | sha256sum) }}
+{{- end }}
+
+{{- if and .Values.config.ssh.enabled .Values.config.ssh.addSHASumAnnotation }}
+{{- $secretName := include "athens-proxy.secrets.ssh.name" $ }}
+{{- $secret := include (print $.Template.BasePath "/secretSSH.yaml") $ }}
+{{- if and .Values.config.ssh.existingSecret.enabled (gt (len .Values.config.ssh.existingSecret.secretName) 0) }}
+{{- $secretName = .Values.config.ssh.existingSecret.secretName }}
+{{- $secret := lookup "v1" "Secret" .Release.Namespace $secretName | toYaml }}
+{{- end }}
+{{ printf "checksum/secret-%s: %s" $secretName ($secret | sha256sum) }}
+{{- end }}
+
+{{- end }}
 
 {{/* labels */}}
 

unittests/deployment/certificate.yaml

@@ -46,6 +46,44 @@ tests:
     certificate.new.issuerRef.kind: ClusterIssuer
     certificate.new.issuerRef.name: MyIssuer
   asserts:
+    - exists:
+        path: spec.template.metadata.annotations["checksum/secret-athens-proxy-unittest-tls"]
+      template: templates/deployment.yaml
+    - contains:
+        path: spec.template.spec.containers[0].env
+        content:
+          name: ATHENS_TLSCERT_FILE
+          value: /etc/athens-proxy/tls/tls.crt
+      template: templates/deployment.yaml
+    - contains:
+        path: spec.template.spec.containers[0].env
+        content:
+          name: ATHENS_TLSKEY_FILE
+          value: /etc/athens-proxy/tls/tls.key
+      template: templates/deployment.yaml
+    - contains:
+        path: spec.template.spec.containers[0].volumeMounts
+        content:
+          name: tls
+          mountPath: /etc/athens-proxy/tls
+      template: templates/deployment.yaml
+    - contains:
+        path: spec.template.spec.volumes
+        content:
+          name: tls
+          secret:
+            secretName: athens-proxy-unittest-tls
+      template: templates/deployment.yaml
+
+- it: Rendering with external TLS config
+  set:
+    certificate.enabled: true
+    certificate.existingSecret.enabled: true
+    certificate.existingSecret.secretName: my-own-secret
+  asserts:
+    - exists:
+        path: spec.template.metadata.annotations["checksum/secret-my-own-secret"]
+      template: templates/deployment.yaml
     - contains:
         path: spec.template.spec.containers[0].env
         content:

unittests/deployment/downloadMode.yaml

@@ -40,6 +40,7 @@ tests:
 - it: Rendering default with mounted gitconfig configMap
   set:
     config.downloadMode.enabled: true
+    config.downloadMode.addSHASumAnnotation: true
     persistence.enabled: true
   asserts:
     - exists:
@@ -69,16 +70,87 @@ tests:
             name: athens-proxy-unittest-download-mode-file
       template: templates/deployment.yaml
 
+- it: Rendering default with mounted gitconfig configMap
+  set:
+    config.downloadMode.enabled: true
+    config.downloadMode.addSHASumAnnotation: false
+    persistence.enabled: true
+  asserts:
+    - notExists:
+        path: spec.template.metadata.annotations.checksum/config-map-athens-proxy-unittest-download-mode-file
+      template: templates/deployment.yaml
+    - contains:
+        path: spec.template.spec.containers[0].env
+        content:
+          name: ATHENS_DOWNLOAD_MODE
+          value: file:/etc/athens/config/download-mode.d/download-mode
+      template: templates/deployment.yaml
+    - contains:
+        path: spec.template.spec.containers[0].volumeMounts
+        content:
+          name: download-mode
+          mountPath: /etc/athens/config/download-mode.d
+      template: templates/deployment.yaml
+    - contains:
+        path: spec.template.spec.volumes
+        content:
+          name: download-mode
+          configMap:
+            items:
+              - key: downloadMode
+                mode: 0644
+                path: download-mode
+            name: athens-proxy-unittest-download-mode-file
+      template: templates/deployment.yaml
+
+
 - it: Rendering with custom download mode configMap
   set:
     config.downloadMode.enabled: true
+    config.downloadMode.addSHASumAnnotation: true
     config.downloadMode.existingConfigMap.enabled: true
     config.downloadMode.existingConfigMap.configMapName: "my-custom-configmap"
     config.downloadMode.existingConfigMap.downloadModeKey: "my-custom-download-mode-filename-key"
     persistence.enabled: true
   asserts:
-    - notExists:
+    - exists:
-        path: spec.template.metadata.annotations.checksum/config-map-athens-proxy-unittest-download-mode-file
+        path: spec.template.metadata.annotations.checksum/config-map-my-custom-configmap
+      template: templates/deployment.yaml
+    - contains:
+        path: spec.template.spec.containers[0].env
+        content:
+          name: ATHENS_DOWNLOAD_MODE
+          value: file:/etc/athens/config/download-mode.d/download-mode
+      template: templates/deployment.yaml
+    - contains:
+        path: spec.template.spec.containers[0].volumeMounts
+        content:
+          name: download-mode
+          mountPath: /etc/athens/config/download-mode.d
+      template: templates/deployment.yaml
+    - contains:
+        path: spec.template.spec.volumes
+        content:
+          name: download-mode
+          configMap:
+            items:
+            - key: "my-custom-download-mode-filename-key"
+              path: "download-mode"
+              mode: 0644
+            name: my-custom-configmap
+      template: templates/deployment.yaml
+
+- it: Rendering with custom download mode configMap, but without sha sum annotation
+  set:
+    config.downloadMode.enabled: true
+    config.downloadMode.addSHASumAnnotation: false
+    config.downloadMode.existingConfigMap.enabled: true
+    config.downloadMode.existingConfigMap.configMapName: "my-custom-configmap"
+    config.downloadMode.existingConfigMap.downloadModeKey: "my-custom-download-mode-filename-key"
+    persistence.enabled: true
+  asserts:
+    - notExists:
+        path: spec.template.metadata.annotations.checksum/config-map-my-custom-configmap
       template: templates/deployment.yaml
     - contains:
         path: spec.template.spec.containers[0].env

unittests/deployment/env.yaml

@@ -35,10 +35,10 @@ tests:
             name: athens-proxy-unittest-env
       template: templates/deployment.yaml
 
-- it: Rendering default with mounted env secret
+- it: Rendering default with mounted env secret, but without sha sum annotation
   set:
     config.env.enabled: true
-    config.env.existingSecret.enabled: true
+    config.env.addSHASumAnnotation: false
   asserts:
     - notExists:
         path: spec.template.metadata.annotations.checksum/secret-athens-proxy-unittest-env
@@ -49,3 +49,36 @@ tests:
           secretRef:
             name: athens-proxy-unittest-env
       template: templates/deployment.yaml
+
+- it: Rendering default with mounted existing env secret
+  set:
+    config.env.enabled: true
+    config.env.existingSecret.enabled: true
+    config.env.existingSecret.secretName: my-secret
+  asserts:
+    - exists:
+        path: spec.template.metadata.annotations.checksum/secret-my-secret
+      template: templates/deployment.yaml
+    - contains:
+        path: spec.template.spec.containers[0].envFrom
+        content:
+          secretRef:
+            name: my-secret
+      template: templates/deployment.yaml
+
+- it: Rendering default with mounted existing env secret, but without sha sum annotation
+  set:
+    config.env.enabled: true
+    config.env.addSHASumAnnotation: false
+    config.env.existingSecret.enabled: true
+    config.env.existingSecret.secretName: my-secret
+  asserts:
+    - notExists:
+        path: spec.template.metadata.annotations.checksum/secret-my-secret
+      template: templates/deployment.yaml
+    - contains:
+        path: spec.template.spec.containers[0].envFrom
+        content:
+          secretRef:
+            name: my-secret
+      template: templates/deployment.yaml

unittests/deployment/gitConfig.yaml

@@ -41,6 +41,7 @@ tests:
 - it: Rendering default with mounted gitconfig configMap
   set:
     config.gitConfig.enabled: true
+    config.gitConfig.addSHASumAnnotation: true
     persistence.enabled: true
   asserts:
     - exists:
@@ -67,16 +68,80 @@ tests:
                 name: athens-proxy-unittest-gitconfig
       template: templates/deployment.yaml
 
+- it: Rendering default with mounted gitconfig configMap, but without sha sum annotation
+  set:
+    config.gitConfig.enabled: true
+    config.gitConfig.addSHASumAnnotation: false
+    persistence.enabled: true
+  asserts:
+    - notExists:
+        path: spec.template.metadata.annotations.checksum/config-map-athens-proxy-unittest-gitconfig
+      template: templates/deployment.yaml
+    - contains:
+        path: spec.template.spec.containers[0].volumeMounts
+        content:
+          name: secrets
+          mountPath: /root/.gitconfig
+          subPath: .gitconfig
+      template: templates/deployment.yaml
+    - contains:
+        path: spec.template.spec.volumes
+        content:
+          name: secrets
+          projected:
+            sources:
+            - configMap:
+                items:
+                - key: .gitconfig
+                  path: .gitconfig
+                  mode: 0644
+                name: athens-proxy-unittest-gitconfig
+      template: templates/deployment.yaml
+
 - it: Rendering with custom gitconfig configMap
   set:
     config.gitConfig.enabled: true
+    config.gitConfig.addSHASumAnnotation: true
     config.gitConfig.existingConfigMap.enabled: true
     config.gitConfig.existingConfigMap.configMapName: "my-custom-configmap"
     config.gitConfig.existingConfigMap.gitConfigKey: "my-gitconfig-key"
     persistence.enabled: true
   asserts:
-    - notExists:
+    - exists:
-        path: spec.template.metadata.annotations.checksum/config-map-athens-proxy-unittest-gitconfig
+        path: spec.template.metadata.annotations.checksum/config-map-my-custom-configmap
+      template: templates/deployment.yaml
+    - contains:
+        path: spec.template.spec.containers[0].volumeMounts
+        content:
+          name: secrets
+          mountPath: /root/.gitconfig
+          subPath: .gitconfig
+      template: templates/deployment.yaml
+    - contains:
+        path: spec.template.spec.volumes
+        content:
+          name: secrets
+          projected:
+            sources:
+            - configMap:
+                items:
+                - key: my-gitconfig-key
+                  path: .gitconfig
+                  mode: 0644
+                name: my-custom-configmap
+      template: templates/deployment.yaml
+
+- it: Rendering with custom gitconfig configMap, but without sha sum annotations
+  set:
+    config.gitConfig.enabled: true
+    config.gitConfig.addSHASumAnnotation: false
+    config.gitConfig.existingConfigMap.enabled: true
+    config.gitConfig.existingConfigMap.configMapName: "my-custom-configmap"
+    config.gitConfig.existingConfigMap.gitConfigKey: "my-gitconfig-key"
+    persistence.enabled: true
+  asserts:
+    - notExists:
+        path: spec.template.metadata.annotations.checksum/config-map-my-custom-configmap
       template: templates/deployment.yaml
     - contains:
         path: spec.template.spec.containers[0].volumeMounts

unittests/deployment/netrc.yaml

@@ -40,6 +40,7 @@ tests:
 - it: Rendering default with mounted netrc secret
   set:
     config.netrc.enabled: true
+    config.netrc.addSHASumAnnotation: true
     persistence.enabled: true
   asserts:
     - exists:
@@ -66,16 +67,80 @@ tests:
                 name: athens-proxy-unittest-netrc
       template: templates/deployment.yaml
 
+- it: Rendering default with mounted netrc secret, but without sha sum annotation
+  set:
+    config.netrc.enabled: true
+    config.netrc.addSHASumAnnotation: false
+    persistence.enabled: true
+  asserts:
+    - notExists:
+        path: spec.template.metadata.annotations.checksum/secret-athens-proxy-unittest-netrc
+      template: templates/deployment.yaml
+    - contains:
+        path: spec.template.spec.containers[0].volumeMounts
+        content:
+          name: secrets
+          mountPath: /root/.netrc
+          subPath: .netrc
+      template: templates/deployment.yaml
+    - contains:
+        path: spec.template.spec.volumes
+        content:
+          name: secrets
+          projected:
+            sources:
+            - secret:
+                items:
+                - key: .netrc
+                  path: .netrc
+                  mode: 0600
+                name: athens-proxy-unittest-netrc
+      template: templates/deployment.yaml
+
 - it: Rendering with custom netrc secret
   set:
     config.netrc.enabled: true
+    config.netrc.addSHASumAnnotation: true
     config.netrc.existingSecret.enabled: true
     config.netrc.existingSecret.secretName: "my-custom-secret"
     config.netrc.existingSecret.netrcKey: "my-netrc-key"
     persistence.enabled: true
   asserts:
-    - notExists:
+    - exists:
-        path: spec.template.metadata.annotations.checksum/secret-athens-proxy-unittest-netc
+        path: spec.template.metadata.annotations.checksum/secret-my-custom-secret
+      template: templates/deployment.yaml
+    - contains:
+        path: spec.template.spec.containers[0].volumeMounts
+        content:
+          name: secrets
+          mountPath: /root/.netrc
+          subPath: .netrc
+      template: templates/deployment.yaml
+    - contains:
+        path: spec.template.spec.volumes
+        content:
+          name: secrets
+          projected:
+            sources:
+            - secret:
+                items:
+                - key: my-netrc-key
+                  path: .netrc
+                  mode: 0600
+                name: my-custom-secret
+      template: templates/deployment.yaml
+
+- it: Rendering with custom netrc secret, but without sha sum annotation
+  set:
+    config.netrc.enabled: true
+    config.netrc.addSHASumAnnotation: false
+    config.netrc.existingSecret.enabled: true
+    config.netrc.existingSecret.secretName: "my-custom-secret"
+    config.netrc.existingSecret.netrcKey: "my-netrc-key"
+    persistence.enabled: true
+  asserts:
+    - notExists:
+        path: spec.template.metadata.annotations.checksum/secret-my-custom-secret
       template: templates/deployment.yaml
     - contains:
         path: spec.template.spec.containers[0].volumeMounts

unittests/deployment/ssh.yaml

@@ -107,6 +107,7 @@ tests:
 - it: Rendering default with mounted ssh keys
   set:
     config.ssh.enabled: true
+    config.ssh.addSHASumAnnotation: true
     config.ssh.secret.id_ed25519: foo
     config.ssh.secret.id_ed25519_pub: bar
     config.ssh.secret.id_rsa: foo
@@ -180,6 +181,7 @@ tests:
 - it: Rendering with custom ssh secret
   set:
     config.ssh.enabled: true
+    config.ssh.addSHASumAnnotation: true
     config.ssh.existingSecret.enabled: true
     config.ssh.existingSecret.secretName: "my-custom-secret"
     config.ssh.existingSecret.configKey : "my-config-key"
@@ -189,8 +191,8 @@ tests:
     config.ssh.existingSecret.id_rsaPubKey : "my-public-rsa-key"
     persistence.enabled: true
   asserts:
-    - notExists:
+    - exists:
-        path: spec.template.metadata.annotations.checksum/secret-athens-proxy-unittest-ssh
+        path: spec.template.metadata.annotations.checksum/secret-my-custom-secret
       template: templates/deployment.yaml
     - contains:
         path: spec.template.spec.containers[0].volumeMounts
@@ -252,3 +254,14 @@ tests:
                   mode: 0644
                 name: my-custom-secret
       template: templates/deployment.yaml
+
+- it: Rendering with custom ssh secret, but without sha sum annotation
+  set:
+    config.ssh.enabled: true
+    config.ssh.addSHASumAnnotation: false
+    config.ssh.existingSecret.enabled: true
+    config.ssh.existingSecret.secretName: "my-custom-secret"
+  asserts:
+    - notExists:
+        path: spec.template.metadata.annotations.checksum/secret-my-custom-secret
+      template: templates/deployment.yaml

values.yaml

@@ -8,7 +8,9 @@ fullnameOverride: ""
 ## @section Certificate
 certificate:
   ## @param certificate.enabled Issue a TLS certificate via cert-manager. If enabled, the environment variables `ATHENS_TLSCERT_FILE` and `ATHENS_TLSKEY_FILE` will be automatically added.
+  ## @param certificate.addSHASumAnnotation Add an pod annotation with the sha sum of the secret containing the TLS certificates.
   enabled: false
+  addSHASumAnnotation: true
 
   ## @param certificate.existingSecret.enabled Use an existing secret of the type `kubernetes.io/tls`.
   ## @param certificate.existingSecret.secretName Name of the secret containing the TLS certificate and private key.
@@ -80,7 +82,9 @@ certificate:
 config:
   env:
     ## @param config.env.enabled Enable mounting of the secret as environment variables.
+    ## @param config.env.addSHASumAnnotation Add an pod annotation with the sha sum of the config map containing the configuration.
     enabled: false
+    addSHASumAnnotation: true
 
     ## @param config.env.existingSecret.enabled Mount an existing secret containing the application specific environment variables.
     ## @param config.env.existingSecret.secretName Name of the existing secret containing the application specific environment variables.
@@ -168,7 +172,9 @@ config:
 
   downloadMode:
     ## @param config.downloadMode.enabled Enable mounting of a download mode file into the container file system. If enabled, the env `ATHENS_DOWNLOAD_MODE` will automatically be defined.
+    ## @param config.downloadMode.addSHASumAnnotation Add an pod annotation with the sha sum of the config map containing the downloadMode config.
     enabled: false
+    addSHASumAnnotation: true
 
     ## @param config.downloadMode.existingConfigMap.enabled Enable to use an external config map for mounting the download mode file.
     ## @param config.downloadMode.existingConfigMap.configMapName The name of the existing config map which should be used to mount the download mode file.
@@ -204,7 +210,9 @@ config:
 
   gitConfig:
     ## @param config.gitConfig.enabled Enable mounting of a .gitconfig file into the container file system.
+    ## @param config.gitConfig.addSHASumAnnotation Add an pod annotation with the sha sum of the config map containing the git config.
     enabled: false
+    addSHASumAnnotation: true
 
     ## @param config.gitConfig.existingConfigMap.enabled Enable to use an external config map for mounting the .gitconfig file.
     ## @param config.gitConfig.existingConfigMap.configMapName The name of the existing config map which should be used to mount the .gitconfig file.
@@ -230,7 +238,9 @@ config:
 
   netrc:
     ## @param config.netrc.enabled Enable mounting of a .netrc file into the container file system.
+    ## @param config.netrc.addSHASumAnnotation Add an pod annotation with the sha sum of the secret containing the netrc file.
     enabled: false
+    addSHASumAnnotation: true
 
     ## @param config.netrc.existingSecret.enabled Enable to use an external secret for mounting the .netrc file.
     ## @param config.netrc.existingSecret.secretName The name of the existing secret which should be used to mount the .netrc file.
@@ -262,7 +272,9 @@ config:
 
   ssh:
     ## @param config.ssh.enabled Enable mounting of a .netrc file into the container file system.
+    ## @param config.ssh.addSHASumAnnotation Add an pod annotation with the sha sum of the secret containing the ssh keys.
     enabled: false
+    addSHASumAnnotation: true
 
     ## @param config.ssh.existingSecret.enabled Enable to use an external secret for mounting the public and private SSH key files.
     ## @param config.ssh.existingSecret.secretName The name of the existing secret which should be used to mount the public and private SSH key files.
@@ -590,6 +602,12 @@ networkPolicy:
   # - Egress
   # - Ingress
   egress: []
+  # Allow outgoing SSH traffic to Source Code Control System's (SCCS') like GitHub or GitLab.
+  #
+  # - ports:
+  #   - port: 22
+  #     protocol: TCP
+
   # Allow outgoing HTTPS traffic to external go module servers
   #
   # - ports: