fix(scripts): adapt rc pattern

Depending on the environment or tooling in which the chart is deployed, you may
or may not want to have the checksum annotation.

In the past, these were enforced. The default remains that the checksum
annotation is added. It now only contains a switch that allows you to optionally
disable it.

.gitea/scripts/add-annotations.sh

@@ -8,8 +8,11 @@ if [ ! -f "${CHART_FILE}" ]; then
   exit 1
 fi
 
-DEFAULT_NEW_TAG="$(git tag --sort=-version:refname | head -n 1)"
-DEFAULT_OLD_TAG="$(git tag --sort=-version:refname | head -n 2 | tail -n 1)"
+rc_pattern='-rc(\.[0-9]+)?$'
+
+# Exclude prerelease tags (matching -rc or -rc-<digits>) from default tag selection
+DEFAULT_NEW_TAG="$(git tag --sort=-version:refname | grep --invert-match --perl-regexp "${rc_pattern}" | head --lines 1)"
+DEFAULT_OLD_TAG="$(git tag --sort=-version:refname | grep --invert-match --perl-regexp "${rc_pattern}" | head --lines 2 | tail --lines 1)"
 
 if [ -z "${1}" ]; then
   read -p "Enter start tag [${DEFAULT_OLD_TAG}]: " OLD_TAG
@@ -54,6 +57,13 @@ else
   fi
 fi
 
+# Check if NEW_TAG is a prerelease (matches -rc or -rc-<digits> suffix)
+if [[ "${NEW_TAG}" =~ ${rc_pattern} ]]; then
+  echo "INFO: Tag '${NEW_TAG}' is a prerelease, setting prerelease annotation and skipping changelog."
+  yq --no-colors --inplace ".annotations.\"artifacthub.io/prerelease\" = \"true\" | sort_keys(.)" "${CHART_FILE}"
+  exit 0
+fi
+
 CHANGE_LOG_YAML=$(mktemp)
 echo "[]" > "${CHANGE_LOG_YAML}"
 

.gitea/workflows/artifacthub-metadata.yaml

@@ -0,0 +1,41 @@
+name: Upload ArtifactHub Metadata
+
+on:
+  schedule:
+    - cron: '0 3 1 * *'
+  workflow_dispatch:
+
+jobs:
+  upload-metadata:
+    name: "Upload artifacthub-repo.yml to OCI registry"
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v6.0.2
+    - uses: docker/login-action@v4.2.0
+      with:
+        registry: ${{ github.server_url }}
+        username: ${{ github.repository_owner }}
+        password: ${{ secrets.GIT_CRYPTIC_SYSTEMS_PACKAGE_REGISTRY_TOKEN }}
+    - uses: oras-project/setup-oras@v2.0.0
+      with:
+        version: 1.3.2 # renovate: datasource=github-tags depName=oras-project/oras extractVersion='^v?(?<version>.*)$'
+    - name: Extract meta information
+      run: |
+        echo "GITEA_SERVER_HOSTNAME=$(echo "${GITHUB_SERVER_URL}" | cut -d '/' -f 3)" >> $GITHUB_ENV
+        echo "PACKAGE_VERSION=${GITHUB_REF#refs/tags/}" >> $GITHUB_ENV
+        echo "REPOSITORY_NAME=$(echo ${GITHUB_REPOSITORY} | cut -d '/' -f 2 | sed --regexp-extended 's/-charts?//g')" >> $GITHUB_ENV
+        echo "REPOSITORY_OWNER=$(echo ${GITHUB_REPOSITORY} | cut -d '/' -f 1)" >> $GITHUB_ENV
+    - name: Push artifacthub-repo.yml
+      run: |
+        oras push ${GITEA_SERVER_HOSTNAME}/${REPOSITORY_OWNER}/${REPOSITORY_NAME}:artifacthub.io \
+          --config /dev/null:application/vnd.cncf.artifacthub.config.v1+yaml \
+          artifacthub-repo.yml:application/vnd.cncf.artifacthub.repository-metadata.layer.v1.yaml
+    - name: Push public cosign key
+      env:
+        COSIGN_PUBLIC_KEY: ${{ vars.COSIGN_PUBLIC_KEY }}
+      run: |
+        echo "${COSIGN_PUBLIC_KEY}" > cosign.pub
+        oras push ${GITEA_SERVER_HOSTNAME}/${REPOSITORY_OWNER}/${REPOSITORY_NAME}:cosign.pub \
+          --artifact-type application/vnd.dev.cosign.public-key.v1 \
+          --annotation org.opencontainers.image.title=cosign.pub \
+          cosign.pub:application/vnd.dev.cosign.public-key.v1

.gitea/workflows/generate-readme.yaml

@@ -15,14 +15,14 @@ on:
 jobs:
   generate-parameters:
     container:
-      image: docker.io/library/node:25.2.1-alpine
+      image: docker.io/library/node:26.2.0-alpine
     runs-on: ubuntu-latest
     steps:
     - name: Install tooling
       run: |
         apk update
         apk add git npm
-    - uses: actions/checkout@v5.0.1
+    - uses: actions/checkout@v6.0.2
     - name: Generate parameter section in README
       run: |
         npm install

.gitea/workflows/helm.yaml

@@ -14,10 +14,10 @@ jobs:
   helm-lint:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v5.0.1
-    - uses: azure/setup-helm@v4.3.1
+    - uses: actions/checkout@v6.0.2
+    - uses: azure/setup-helm@v5.0.0
       with:
-        version: v4.0.1 # renovate: datasource=github-releases depName=helm/helm
+        version: v4.2.0 # renovate: datasource=github-releases depName=helm/helm
     - name: Lint helm files
       run: |
         helm lint --values values.yaml .
@@ -25,10 +25,10 @@ jobs:
   helm-unittest:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v5.0.1
-    - uses: azure/setup-helm@v4.3.1
+    - uses: actions/checkout@v6.0.2
+    - uses: azure/setup-helm@v5.0.0
       with:
-        version: v4.0.1 # renovate: datasource=github-releases depName=helm/helm
+        version: v4.2.0 # renovate: datasource=github-releases depName=helm/helm
     - env:
         HELM_UNITTEST_VERSION: v1.0.0 #renovate: datasource=github-releases depName=helm-unittest/helm-unittest
       name: Install helm-unittest

.gitea/workflows/markdown-linters.yaml

@@ -15,14 +15,14 @@ on:
 jobs:
   markdown-link-checker:
     container:
-      image: docker.io/library/node:25.2.1-alpine
+      image: docker.io/library/node:26.2.0-alpine
     runs-on: ubuntu-latest
     steps:
     - name: Install tooling
       run: |
         apk update
         apk add git npm
-    - uses: actions/checkout@v5.0.1
+    - uses: actions/checkout@v6.0.2
     - name: Verify links in markdown files
       run: |
         npm install
@@ -30,14 +30,14 @@ jobs:
 
   markdown-lint:
     container:
-      image: docker.io/library/node:25.2.1-alpine
+      image: docker.io/library/node:26.2.0-alpine
     runs-on: ubuntu-latest
     steps:
     - name: Install tooling
       run: |
         apk update
         apk add git
-    - uses: actions/checkout@v5.0.1
+    - uses: actions/checkout@v6.0.2
     - name: Lint markdown files
       run: |
         npm install

.gitea/workflows/release.yaml

@@ -1,5 +1,10 @@
 name: Release
 
+env:
+  GPG_PRIVATE_KEY_FILE: ${{ runner.temp }}/private.key
+  GPG_PRIVATE_KEY_FINGERPRINT: ${{ vars.GPG_PRIVATE_KEY_FINGERPRINT }}
+  GPG_PRIVATE_KEY_PASSPHRASE_FILE: ${{ runner.temp }}/passphrase.txt
+
 on:
   push:
     tags:
@@ -7,16 +12,60 @@ on:
 
 jobs:
   publish-chart:
-    container:
-      image: docker.io/volkerraschek/helm:3.19.2
     runs-on: ubuntu-latest
     steps:
-      - name: Install packages via apk
-        run: |
-          apk update
-          apk add git npm jq yq
+      - uses: volker-raschek/cosign-installer@v4.1.2-rc4
+        with:
+          cosign-release: "v3.0.6" # renovate: datasource=github-tags depName=sigstore/cosign
 
-      - uses: actions/checkout@v5.0.1
+      - uses: azure/setup-helm@v5.0.0
+        with:
+          version: "v4.2.0" # renovate: datasource=github-tags depName=helm/helm
+
+      - name: Install helm plugins
+        env:
+          HELM_SIGSTORE_VERSION: "0.3.0" # renovate: datasource=github-tags depName=sigstore/helm-sigstore extractVersion='^v(?<version>\d+\.\d+\.\d+)$'
+          HELM_SCHEMA_VALUES_VERSION: "2.4.0" # renovate: datasource=github-tags depName=losisin/helm-values-schema-json extractVersion='^v(?<version>\d+\.\d+\.\d+)$'
+          HELM_UNITTEST_VERSION: "1.1.0" # renovate: datasource=github-tags depName=helm-unittest/helm-unittest extractVersion='^v(?<version>\d+\.\d+\.\d+)$'
+        run: |
+          helm plugin install --verify=false https://github.com/sigstore/helm-sigstore.git --version "${HELM_SIGSTORE_VERSION}" 1> /dev/null
+          helm plugin install --verify=false https://github.com/losisin/helm-values-schema-json.git --version "${HELM_SCHEMA_VALUES_VERSION}" 1> /dev/null
+          helm plugin install --verify=false https://github.com/helm-unittest/helm-unittest.git --version "${HELM_UNITTEST_VERSION}" 1> /dev/null
+          helm plugin list
+
+      - name: GPG configuration
+        env:
+          GPG_PRIVATE_KEY_PASSPHRASE: ${{ secrets.GPG_PRIVATE_KEY_PASSPHRASE }}
+          GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}
+        run: |
+          # Configure GPG and GPG Agent
+          mkdir --parents "${HOME}/.gnupg"
+          chmod 0700 "${HOME}/.gnupg"
+
+          cat > "${HOME}/.gnupg/gpg.conf" <<EOF
+          use-agent
+          pinentry-mode loopback
+          EOF
+
+          cat > "${HOME}/.gnupg/gpg-agent.conf" <<EOF
+          allow-loopback-pinentry
+          max-cache-ttl 86400
+          default-cache-ttl 86400
+          EOF
+
+          gpgconf --kill gpg-agent
+          gpgconf --launch gpg-agent
+
+          # Import GPG private key
+          cat 1> "${GPG_PRIVATE_KEY_PASSPHRASE_FILE}" <<< "${GPG_PRIVATE_KEY_PASSPHRASE}"
+          cat 1> "${GPG_PRIVATE_KEY_FILE}" <<< "${GPG_PRIVATE_KEY}"
+          gpg --batch --yes --passphrase-fd 0 --import "${GPG_PRIVATE_KEY_FILE}" <<< "${GPG_PRIVATE_KEY_PASSPHRASE}"
+
+          # Export GPG keyring
+          gpg --batch --yes --export "${GPG_PRIVATE_KEY_FINGERPRINT}" 1> "${HOME}/.gnupg/pubring.gpg"
+          gpg --batch --yes --passphrase-fd 0 --export-secret-keys "${GPG_PRIVATE_KEY_FINGERPRINT}" 1> "${HOME}/.gnupg/secring.gpg" <<< "${GPG_PRIVATE_KEY_PASSPHRASE}"
+
+      - uses: actions/checkout@v6.0.2
         with:
           fetch-depth: 0
 
@@ -28,9 +77,10 @@ jobs:
 
       - name: Extract meta information
         run: |
+          echo "GITEA_SERVER_HOSTNAME=$(echo "${GITHUB_SERVER_URL}" | cut --delimiter '/' --fields 3)" >> $GITHUB_ENV
           echo "PACKAGE_VERSION=${GITHUB_REF#refs/tags/}" >> $GITHUB_ENV
-          echo "REPOSITORY_NAME=$(echo ${GITHUB_REPOSITORY} | cut -d '/' -f 2 | sed --regexp-extended 's/-charts?//g')" >> $GITHUB_ENV
-          echo "REPOSITORY_OWNER=$(echo ${GITHUB_REPOSITORY} | cut -d '/' -f 1)" >> $GITHUB_ENV
+          echo "REPOSITORY_NAME=$(echo ${GITHUB_REPOSITORY} | cut --delimiter '/' --fields 2 | sed --regexp-extended 's/-charts?//g')" >> $GITHUB_ENV
+          echo "REPOSITORY_OWNER=$(echo ${GITHUB_REPOSITORY} | cut --delimiter '/' --fields 1)" >> $GITHUB_ENV
 
       - name: Update Helm Chart version in README.md
         run: sed -i -E "s/^CHART_VERSION=.*/CHART_VERSION=${PACKAGE_VERSION}/g" README.md
@@ -38,24 +88,76 @@ jobs:
       - name: Package chart
         run: |
           helm dependency build
-          helm package --version "${PACKAGE_VERSION}" ./
+          helm package \
+            --sign \
+            --key "$(gpg --with-colons --list-keys "${GPG_PRIVATE_KEY_FINGERPRINT}" | grep uid | cut --delimiter ':' --fields 10)" \
+            --keyring "${HOME}/.gnupg/secring.gpg" \
+            --passphrase-file "${GPG_PRIVATE_KEY_PASSPHRASE_FILE}" \
+            --version "${PACKAGE_VERSION}" ./
 
-      - name: Upload Chart to ChartMuseum
+      - uses: docker/login-action@v4.2.0
+        with:
+          registry: ${{ github.server_url }}
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GIT_CRYPTIC_SYSTEMS_PACKAGE_REGISTRY_TOKEN }}
+
+      - name: Upload Chart to Gitea (OCI)
         env:
+          COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
+          COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
+        run: |
+          helm push ${REPOSITORY_NAME}-${PACKAGE_VERSION}.tgz oci://${GITEA_SERVER_HOSTNAME}/${REPOSITORY_OWNER}
+          cosign sign --yes --upload=true --key=env://COSIGN_PRIVATE_KEY ${GITEA_SERVER_HOSTNAME}/${REPOSITORY_OWNER}/${REPOSITORY_NAME}:${PACKAGE_VERSION}
+
+      - name: Upload Chart to Gitea (Helm)
+        env:
+          GITEA_REGISTRY_TOKEN: ${{ secrets.GIT_CRYPTIC_SYSTEMS_PACKAGE_REGISTRY_TOKEN }}
+        run: |
+          curl \
+            --fail \
+            --show-error \
+            --request POST \
+            --user "${REPOSITORY_OWNER}:${GITEA_REGISTRY_TOKEN}" \
+            --upload-file "${REPOSITORY_NAME}-${PACKAGE_VERSION}.tgz" \
+              https://${GITEA_SERVER_HOSTNAME}/api/packages/${REPOSITORY_OWNER}/helm/api/charts
+
+          # NOTE:
+          # Gitea does currently not support uploading Helm chart provenance files, so we skip this step for now. Once
+          # Gitea supports this, we can simply uncomment the following lines to upload the provenance file as well.
+          #
+          #   https://github.com/helm/helm/issues/31866
+          #
+          # if [ -f "${REPOSITORY_NAME}-${PACKAGE_VERSION}.tgz.prov" ]; then
+          #   curl \
+          #     --fail \
+          #     --show-error \
+          #     --request POST \
+          #     --user "${CHARTMUSEUM_USERNAME}:${CHARTMUSEUM_PASSWORD}" \
+          #     --upload-file "${REPOSITORY_NAME}-${PACKAGE_VERSION}.tgz.prov" \
+          #       https://${GITEA_SERVER_HOSTNAME}/api/packages/${REPOSITORY_OWNER}/helm/api/prov
+          # fi
+
+      - name: Upload Chart to Chartmuseum (Helm)
+        env:
+          CHARTMUSEUM_HOSTNAME: ${{ vars.CHARTMUSEUM_HOSTNAME }}
+          CHARTMUSEUM_USERNAME: ${{ secrets.CHARTMUSEUM_USERNAME }}
           CHARTMUSEUM_PASSWORD: ${{ secrets.CHARTMUSEUM_PASSWORD }}
           CHARTMUSEUM_REPOSITORY: ${{ vars.CHARTMUSEUM_REPOSITORY }}
-          CHARTMUSEUM_USERNAME: ${{ secrets.CHARTMUSEUM_USERNAME }}
-          CHARTMUSEUM_HOSTNAME: ${{ vars.CHARTMUSEUM_HOSTNAME }}
         run: |
-          helm repo add --username ${CHARTMUSEUM_USERNAME} --password ${CHARTMUSEUM_PASSWORD} chartmuseum https://${CHARTMUSEUM_HOSTNAME}/${CHARTMUSEUM_REPOSITORY}
-          helm cm-push ${REPOSITORY_NAME}-${PACKAGE_VERSION}.tgz chartmuseum
-          helm repo remove chartmuseum
+          curl \
+            --fail \
+            --show-error \
+            --request POST \
+            --user "${CHARTMUSEUM_USERNAME}:${CHARTMUSEUM_PASSWORD}" \
+            --upload-file "${REPOSITORY_NAME}-${PACKAGE_VERSION}.tgz" \
+              https://${CHARTMUSEUM_HOSTNAME}/api/${CHARTMUSEUM_REPOSITORY}/charts
 
-      - name: Upload Chart to Gitea
-        env:
-          GITEA_PACKAGE_REGISTRY_TOKEN: ${{ secrets.GIT_CRYPTIC_SYSTEMS_PACKAGE_REGISTRY_TOKEN }}
-          GITEA_SERVER_URL: ${{ github.server_url }}
-        run: |
-          helm repo add --username ${REPOSITORY_OWNER} --password ${GITEA_PACKAGE_REGISTRY_TOKEN} gitea ${GITEA_SERVER_URL}/api/packages/${REPOSITORY_OWNER}/helm
-          helm cm-push ${REPOSITORY_NAME}-${PACKAGE_VERSION}.tgz gitea
-          helm repo remove gitea
+          if [ -f "${REPOSITORY_NAME}-${PACKAGE_VERSION}.tgz.prov" ]; then
+            curl \
+              --fail \
+              --show-error \
+              --request POST \
+              --user "${CHARTMUSEUM_USERNAME}:${CHARTMUSEUM_PASSWORD}" \
+              --upload-file ${REPOSITORY_NAME}-${PACKAGE_VERSION}.tgz.prov \
+                https://${CHARTMUSEUM_HOSTNAME}/api/${CHARTMUSEUM_REPOSITORY}/prov
+          fi

.gitignore

@@ -1,9 +1,9 @@
 charts
+cosign*
 node_modules
 target
-values2.yml
-values2.yaml
+!values.yaml
+!values.yml
+values*.yaml
+values*.yml
 *.tgz
-
-install.sh
-uninstall.sh

.vscode/settings.json

@@ -1,6 +1,6 @@
 {
   "yaml.schemas": {
-    "https://raw.githubusercontent.com/helm-unittest/helm-unittest/v1.0.3/schema/helm-testsuite.json": [
+    "https://raw.githubusercontent.com/helm-unittest/helm-unittest/v1.1.0/schema/helm-testsuite.json": [
       "/unittests/**/*.yaml"
     ]
   },

Chart.yaml

@@ -1,15 +1,21 @@
 annotations:
+  artifacthub.io/license: MIT
   artifacthub.io/links: |
     - name: Athens proxy (binary)
       url: https://github.com/gomods/athens
     - name: support
       url: https://git.cryptic.systems/volker.raschek/athens-proxy-charts/issues
+  artifacthub.io/operator: "false"
+  artifacthub.io/prerelease: "false"
+  artifacthub.io/signKey: |
+    fingerprint: 3B0CE9853CAD76076260025383D342258456906E
+    url: https://keys.openpgp.org/vks/v1/by-fingerprint/3B0CE9853CAD76076260025383D342258456906E
 apiVersion: v2
 name: athens-proxy
 description: Athens proxy server for golang
 type: application
 version: "0.1.0"
-appVersion: "v0.16.1"
+appVersion: "v0.17.1"
 icon: https://github.com/gomods/athens/blob/main/docs/static/banner.png?raw=true
 
 keywords:

Makefile

@@ -18,6 +18,25 @@ NODE_IMAGE_FULLY_QUALIFIED=${NODE_IMAGE_REGISTRY_HOST}/${NODE_IMAGE_REPOSITORY}:
 missing-dot:
 	grep --perl-regexp '## @(param|skip).*[^.]$$' values.yaml
 
+# README
+# ==============================================================================
+readme: readme/link readme/lint readme/parameters
+
+readme/link:
+	npm install && npm run readme:link
+
+readme/lint:
+	npm install && npm run readme:lint
+
+readme/parameters:
+	npm install && npm run readme:parameters
+
+# HELM UNITTESTS
+# ==============================================================================
+PHONY+=helm/unittest
+helm/unittest:
+	helm unittest --strict --file 'unittests/**/*.yaml' ./
+
 # CONTAINER RUN - README
 # ==============================================================================
 PHONY+=container-run/readme

README.md

@@ -37,7 +37,7 @@ version of the chart must be in sync with the `values.yaml`. Newer *minor* versi
 versions can break something!
 
 ```bash
-CHART_VERSION=1.1.1
+CHART_VERSION=1.4.1
 helm show values volker.raschek/athens-proxy --version "${CHART_VERSION}" > values.yaml
 ```
 
@@ -51,7 +51,7 @@ The helm chart also contains a persistent volume claim definition. It persistent
 Use the `--set` argument to persist your data.
 
 ```bash
-CHART_VERSION=1.1.1
+CHART_VERSION=1.4.1
 helm install --version "${CHART_VERSION}" athens-proxy volker.raschek/athens-proxy \
   persistence.enabled=true
 ```
@@ -81,7 +81,7 @@ Further information about this topic can be found in one of Kanishk's blog
 > Please take care the a CPU limit < `1000m` can also lead to CPU throttling. Please read the linked documentation carefully.
 
 ```bash
-CHART_VERSION=1.1.1
+CHART_VERSION=1.4.1
 helm install --version "${CHART_VERSION}" athens-proxy volker.raschek/athens-proxy \
   --set 'deployment.athensProxy.env.name=GOMAXPROCS' \
   --set 'deployment.athensProxy.env.valueFrom.resourceFieldRef.resource=limits.cpu' \
@@ -96,12 +96,16 @@ certificate can be used the [cert-manager](https://cert-manager.io/). The chart
 certificate via `cert-manager.io/v1 Certificate` resource. Alternatively can be mounted a TLS certificate from a secret.
 The secret must be from type `kubernetes.io/tls`.
 
+If athens-proxy is deployed behind a reverse proxy, for example an ingress nginx controller or Gateway API, please
+instruct the reverse proxy to establish a TLS encrypted connection to avoid connection problems. The documentation
+describes configuring [Ingress NGINX](#ingress-nginx) as well as [NGINX Gateway Fabric](#gatewayapi-nginx-fabric).
+
 > [!WARNING]
 > The following example expects that the [cert-manager](https://cert-manager.io/) is deployed and the `Issuer` named
 > `athens-proxy-ca` is present in the same namespace of the helm deployment.
 
 ```bash
-CHART_VERSION=1.1.1
+CHART_VERSION=1.4.1
 helm install --version "${CHART_VERSION}" athens-proxy volker.raschek/athens-proxy \
   --set 'config.certificate.enabled=true' \
   --set 'config.certificate.new.issuerRef.kind=Issuer' \
@@ -111,6 +115,110 @@ helm install --version "${CHART_VERSION}" athens-proxy volker.raschek/athens-pro
 The environment variables `ATHENS_TLSCERT_FILE` and `ATHENS_TLSKEY_FILE` are automatically added and the TLS certificate
 and private key are mounted to a pre-defined destination inside the container file system.
 
+##### Ingress NGINX
+
+The following changes must be applied to enable TLS encryption and authentication on-top between the ingress and backend
+service.
+
+> [!IMPORTANT]
+> The HTTP Version between the ingress nginx and backend must be set to `1.1`, as well as the TLS protocol must be set
+> to `TLSv1.2`. Otherwise can't the nginx establish a TLS connection.
+
+The secret `athens-proxy/ingress-nginx-controller-tls` contains TLS certificates for the nginx ingress controller. The
+TLS certificate must be created manually, for example via [cert-manager](https://cert-manager.io/). It is used by the
+nginx for TLS authentication.
+
+```yaml
+ingress:
+  enabled: true
+  className: "nginx"
+  annotations:
+    nginx.ingress.kubernetes.io/backend-protocol: HTTPS
+    nginx.ingress.kubernetes.io/proxy-http-version: "1.1"
+    nginx.ingress.kubernetes.io/proxy-ssl-secret: athens-proxy/ingress-nginx-controller-tls
+    nginx.ingress.kubernetes.io/proxy-ssl-protocols: TLSv1.2
+    nginx.ingress.kubernetes.io/proxy-ssl-name: athens-proxy
+    nginx.ingress.kubernetes.io/proxy-ssl-verify: "on"
+```
+
+##### GatewayAPI: NGINX Fabric
+
+The following changes must be applied to enable TLS encryption and authentication on-top between the gateway and backend
+service.
+
+> [!IMPORTANT]
+> The HTTP Version between the nginx gateway fabric and backend must be set to `1.1`, as well as the TLS protocol must
+> be set to `TLSv1.2`. Otherwise can't the nginx establish a TLS connection.
+
+The `gatewayAPI.core.backendTLSPolicy.validation.caCertificateRefs` must contain at least one secret containing the
+root or intermediate certificate of the issued TLS certificate used by athens-proxy to be able to validate the TLS
+certificate.
+
+```yaml
+gatewayAPI:
+  enabled: true
+  core:
+    backendTLSPolicy:
+      enabled: true
+      validation:
+        caCertificateRefs:
+        - group: ""
+          kind: Secret
+          name: "athens-proxy-ca"
+        hostname: "athens-proxy"
+
+    httpRoute:
+      enabled: true
+      hostnames:
+      - athens-proxy.example.local
+      parentRefs:
+      - name: nginx
+        kind: Gateway
+        group: gateway.networking.k8s.io
+        namespace: my-gateway-namespace
+        sectionName: athens-proxy-https
+```
+
+The Gateway resource is not part of the helm chart, but for illustrating the configuration example, here a GatewayAPI
+resource with configured backend TLS certificate. The TLS certificates `gateway-frontend-tls` and `gateway-backend-tls`
+must also be created manually, for example via [cert-manager](https://cert-manager.io/).
+
+```yaml
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: Gateway
+metadata:
+  name: nginx
+  namespace: my-gateway-namespace
+spec:
+  gatewayClassName: nginx
+  listeners:
+    - allowedRoutes:
+        kinds:
+          - group: gateway.networking.k8s.io
+            kind: HTTPRoute
+        namespaces:
+          from: All
+      hostname: athens-proxy.example.local
+      name: https
+      port: 443
+      protocol: HTTPS
+      tls:
+        certificateRefs:
+          - group: ''
+            kind: Secret
+            name: gateway-frontend-tls
+            namespace: my-gateway-namespace
+        mode: Terminate
+  tls:
+    backend:
+      clientCertificateRef:
+        group: ''
+        kind: Secret
+        name: gateway-backend-tls
+        namespace: my-gateway-namespace
+```
+
 #### TLS certificate rotation
 
 If the application uses TLS certificates that are mounted as a secret in the container file system like the example
@@ -198,6 +306,13 @@ networkPolicies:
       podSelector:
         matchLabels:
           app.kubernetes.io/name: ingress-nginx
+    # NGINX GatewayAPI Fabric
+    - namespaceSelector:
+        matchLabels:
+          kubernetes.io/metadata.name: gateway-nginx
+      podSelector:
+        matchLabels:
+          app.kubernetes.io/name: gateway-nginx
     ports:
     - port: http
       protocol: TCP
@@ -266,6 +381,7 @@ spec:
 | Name                                          | Description                                                                                                                                                 | Value                           |
 | --------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------- |
 | `certificate.enabled`                         | Issue a TLS certificate via cert-manager. If enabled, the environment variables `ATHENS_TLSCERT_FILE` and `ATHENS_TLSKEY_FILE` will be automatically added. | `false`                         |
+| `certificate.addSHASumAnnotation`             | Add an pod annotation with the sha sum of the secret containing the TLS certificates.                                                                       | `true`                          |
 | `certificate.existingSecret.enabled`          | Use an existing secret of the type `kubernetes.io/tls`.                                                                                                     | `false`                         |
 | `certificate.existingSecret.secretName`       | Name of the secret containing the TLS certificate and private key.                                                                                          | `""`                            |
 | `certificate.new.annotations`                 | Additional certificate annotations.                                                                                                                         | `{}`                            |
@@ -296,30 +412,35 @@ spec:
 | Name                                                    | Description                                                                                                                                       | Value            |
 | ------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------- |
 | `config.env.enabled`                                    | Enable mounting of the secret as environment variables.                                                                                           | `false`          |
+| `config.env.addSHASumAnnotation`                        | Add an pod annotation with the sha sum of the config map containing the configuration.                                                            | `true`           |
 | `config.env.existingSecret.enabled`                     | Mount an existing secret containing the application specific environment variables.                                                               | `false`          |
 | `config.env.existingSecret.secretName`                  | Name of the existing secret containing the application specific environment variables.                                                            | `""`             |
 | `config.env.secret.annotations`                         | Additional annotations of the secret containing the database credentials.                                                                         | `{}`             |
 | `config.env.secret.labels`                              | Additional labels of the secret containing the database credentials.                                                                              | `{}`             |
 | `config.env.secret.envs`                                | List of environment variables stored in a secret and mounted into the container.                                                                  | `{}`             |
 | `config.downloadMode.enabled`                           | Enable mounting of a download mode file into the container file system. If enabled, the env `ATHENS_DOWNLOAD_MODE` will automatically be defined. | `false`          |
+| `config.downloadMode.addSHASumAnnotation`               | Add an pod annotation with the sha sum of the config map containing the downloadMode config.                                                      | `true`           |
 | `config.downloadMode.existingConfigMap.enabled`         | Enable to use an external config map for mounting the download mode file.                                                                         | `false`          |
 | `config.downloadMode.existingConfigMap.configMapName`   | The name of the existing config map which should be used to mount the download mode file.                                                         | `""`             |
 | `config.downloadMode.existingConfigMap.downloadModeKey` | The name of the key inside the config map where the content of the download mode file is stored.                                                  | `downloadMode`   |
 | `config.downloadMode.configMap.annotations`             | Additional annotations of the config map containing the download mode file.                                                                       | `{}`             |
 | `config.downloadMode.configMap.labels`                  | Additional labels of the config map containing the download mode file.                                                                            | `{}`             |
 | `config.gitConfig.enabled`                              | Enable mounting of a .gitconfig file into the container file system.                                                                              | `false`          |
+| `config.gitConfig.addSHASumAnnotation`                  | Add an pod annotation with the sha sum of the config map containing the git config.                                                               | `true`           |
 | `config.gitConfig.existingConfigMap.enabled`            | Enable to use an external config map for mounting the .gitconfig file.                                                                            | `false`          |
 | `config.gitConfig.existingConfigMap.configMapName`      | The name of the existing config map which should be used to mount the .gitconfig file.                                                            | `""`             |
 | `config.gitConfig.existingConfigMap.gitConfigKey`       | The name of the key inside the config map where the content of the .gitconfig file is stored.                                                     | `nil`            |
 | `config.gitConfig.configMap.annotations`                | Additional annotations of the config map containing the .gitconfig file.                                                                          | `{}`             |
 | `config.gitConfig.configMap.labels`                     | Additional labels of the config map containing the .gitconfig file.                                                                               | `{}`             |
 | `config.netrc.enabled`                                  | Enable mounting of a .netrc file into the container file system.                                                                                  | `false`          |
+| `config.netrc.addSHASumAnnotation`                      | Add an pod annotation with the sha sum of the secret containing the netrc file.                                                                   | `true`           |
 | `config.netrc.existingSecret.enabled`                   | Enable to use an external secret for mounting the .netrc file.                                                                                    | `false`          |
 | `config.netrc.existingSecret.secretName`                | The name of the existing secret which should be used to mount the .netrc file.                                                                    | `""`             |
 | `config.netrc.existingSecret.netrcKey`                  | The name of the key inside the secret where the content of the .netrc file is stored.                                                             | `.netrc`         |
 | `config.netrc.secret.annotations`                       | Additional annotations of the secret containing the database credentials.                                                                         | `{}`             |
 | `config.netrc.secret.labels`                            | Additional labels of the secret containing the database credentials.                                                                              | `{}`             |
 | `config.ssh.enabled`                                    | Enable mounting of a .netrc file into the container file system.                                                                                  | `false`          |
+| `config.ssh.addSHASumAnnotation`                        | Add an pod annotation with the sha sum of the secret containing the ssh keys.                                                                     | `true`           |
 | `config.ssh.existingSecret.enabled`                     | Enable to use an external secret for mounting the public and private SSH key files.                                                               | `false`          |
 | `config.ssh.existingSecret.secretName`                  | The name of the existing secret which should be used to mount the public and private SSH key files.                                               | `""`             |
 | `config.ssh.existingSecret.configKey`                   | The name of the key inside the secret where the content of the SSH client config file is stored.                                                  | `config`         |
@@ -332,42 +453,76 @@ spec:
 
 ### Deployment
 
-| Name                                               | Description                                                                                                | Value           |
-| -------------------------------------------------- | ---------------------------------------------------------------------------------------------------------- | --------------- |
-| `deployment.annotations`                           | Additional deployment annotations.                                                                         | `{}`            |
-| `deployment.labels`                                | Additional deployment labels.                                                                              | `{}`            |
-| `deployment.additionalContainers`                  | List of additional containers.                                                                             | `[]`            |
-| `deployment.affinity`                              | Affinity for the athens-proxy deployment.                                                                  | `{}`            |
-| `deployment.initContainers`                        | List of additional init containers.                                                                        | `[]`            |
-| `deployment.dnsConfig`                             | dnsConfig of the athens-proxy deployment.                                                                  | `{}`            |
-| `deployment.dnsPolicy`                             | dnsPolicy of the athens-proxy deployment.                                                                  | `""`            |
-| `deployment.hostname`                              | Individual hostname of the pod.                                                                            | `""`            |
-| `deployment.subdomain`                             | Individual domain of the pod.                                                                              | `""`            |
-| `deployment.hostNetwork`                           | Use the kernel network namespace of the host system.                                                       | `false`         |
-| `deployment.imagePullSecrets`                      | Secret to use for pulling the image.                                                                       | `[]`            |
-| `deployment.athensProxy.args`                      | Arguments passed to the athens-proxy container.                                                            | `[]`            |
-| `deployment.athensProxy.command`                   | Command passed to the athens-proxy container.                                                              | `[]`            |
-| `deployment.athensProxy.env`                       | List of environment variables for the athens-proxy container.                                              | `[]`            |
-| `deployment.athensProxy.envFrom`                   | List of environment variables mounted from configMaps or secrets for the athens-proxy container.           | `[]`            |
-| `deployment.athensProxy.image.registry`            | Image registry, eg. `docker.io`.                                                                           | `docker.io`     |
-| `deployment.athensProxy.image.repository`          | Image repository, eg. `library/busybox`.                                                                   | `gomods/athens` |
-| `deployment.athensProxy.image.tag`                 | Custom image tag, eg. `0.1.0`. Defaults to `appVersion`.                                                   | `""`            |
-| `deployment.athensProxy.image.pullPolicy`          | Image pull policy.                                                                                         | `IfNotPresent`  |
-| `deployment.athensProxy.resources`                 | CPU and memory resources of the pod.                                                                       | `{}`            |
-| `deployment.athensProxy.securityContext`           | Security context of the container of the deployment.                                                       | `{}`            |
-| `deployment.athensProxy.volumeMounts`              | Additional volume mounts.                                                                                  | `[]`            |
-| `deployment.nodeSelector`                          | NodeSelector of the athens-proxy deployment.                                                               | `{}`            |
-| `deployment.priorityClassName`                     | PriorityClassName of the athens-proxy deployment.                                                          | `""`            |
-| `deployment.replicas`                              | Number of replicas for the athens-proxy deployment.                                                        | `1`             |
-| `deployment.restartPolicy`                         | Restart policy of the athens-proxy deployment.                                                             | `""`            |
-| `deployment.securityContext`                       | Security context of the athens-proxy deployment.                                                           | `{}`            |
-| `deployment.strategy.type`                         | Strategy type - `Recreate` or `RollingUpdate`.                                                             | `RollingUpdate` |
-| `deployment.strategy.rollingUpdate.maxSurge`       | The maximum number of pods that can be scheduled above the desired number of pods during a rolling update. | `1`             |
-| `deployment.strategy.rollingUpdate.maxUnavailable` | The maximum number of pods that can be unavailable during a rolling update.                                | `1`             |
-| `deployment.terminationGracePeriodSeconds`         | How long to wait until forcefully kill the pod.                                                            | `60`            |
-| `deployment.tolerations`                           | Tolerations of the athens-proxy deployment.                                                                | `[]`            |
-| `deployment.topologySpreadConstraints`             | TopologySpreadConstraints of the athens-proxy deployment.                                                  | `[]`            |
-| `deployment.volumes`                               | Additional volumes to mount into the pods of the athens-proxy deployment.                                  | `[]`            |
+| Name                                                        | Description                                                                                                | Value           |
+| ----------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------- | --------------- |
+| `deployment.annotations`                                    | Additional deployment annotations.                                                                         | `{}`            |
+| `deployment.labels`                                         | Additional deployment labels.                                                                              | `{}`            |
+| `deployment.additionalContainers`                           | List of additional containers.                                                                             | `[]`            |
+| `deployment.affinity`                                       | Affinity for the athens-proxy deployment.                                                                  | `{}`            |
+| `deployment.initContainers`                                 | List of additional init containers.                                                                        | `[]`            |
+| `deployment.dnsConfig`                                      | dnsConfig of the athens-proxy deployment.                                                                  | `{}`            |
+| `deployment.dnsPolicy`                                      | dnsPolicy of the athens-proxy deployment.                                                                  | `""`            |
+| `deployment.hostname`                                       | Individual hostname of the pod.                                                                            | `""`            |
+| `deployment.subdomain`                                      | Individual domain of the pod.                                                                              | `""`            |
+| `deployment.hostNetwork`                                    | Use the kernel network namespace of the host system.                                                       | `false`         |
+| `deployment.imagePullSecrets`                               | Secret to use for pulling the image.                                                                       | `[]`            |
+| `deployment.athensProxy.args`                               | Arguments passed to the athens-proxy container.                                                            | `[]`            |
+| `deployment.athensProxy.command`                            | Command passed to the athens-proxy container.                                                              | `[]`            |
+| `deployment.athensProxy.env`                                | List of environment variables for the athens-proxy container.                                              | `[]`            |
+| `deployment.athensProxy.envFrom`                            | List of environment variables mounted from configMaps or secrets for the athens-proxy container.           | `[]`            |
+| `deployment.athensProxy.image.registry`                     | Image registry, eg. `docker.io`.                                                                           | `docker.io`     |
+| `deployment.athensProxy.image.repository`                   | Image repository, eg. `library/busybox`.                                                                   | `gomods/athens` |
+| `deployment.athensProxy.image.tag`                          | Custom image tag, eg. `0.1.0`. Defaults to `appVersion`.                                                   | `""`            |
+| `deployment.athensProxy.image.pullPolicy`                   | Image pull policy.                                                                                         | `IfNotPresent`  |
+| `deployment.athensProxy.livenessProbe.failureThreshold`     | Minimum consecutive failures for the probe to be considered failed after having succeeded.                 | `3`             |
+| `deployment.athensProxy.livenessProbe.initialDelaySeconds`  | Number of seconds after the container has started before liveness probes are initiated.                    | `5`             |
+| `deployment.athensProxy.livenessProbe.periodSeconds`        | How often (in seconds) to perform the probe.                                                               | `60`            |
+| `deployment.athensProxy.livenessProbe.successThreshold`     | Minimum consecutive successes for the probe to be considered successful after having failed.               | `1`             |
+| `deployment.athensProxy.livenessProbe.timeoutSeconds`       | Number of seconds after which the probe times out.                                                         | `3`             |
+| `deployment.athensProxy.readinessProbe.failureThreshold`    | Minimum consecutive failures for the probe to be considered failed after having succeeded.                 | `3`             |
+| `deployment.athensProxy.readinessProbe.initialDelaySeconds` | Number of seconds after the container has started before liveness probes are initiated.                    | `5`             |
+| `deployment.athensProxy.readinessProbe.periodSeconds`       | How often (in seconds) to perform the probe.                                                               | `15`            |
+| `deployment.athensProxy.readinessProbe.successThreshold`    | Minimum consecutive successes for the probe to be considered successful after having failed.               | `1`             |
+| `deployment.athensProxy.readinessProbe.timeoutSeconds`      | Number of seconds after which the probe times out.                                                         | `3`             |
+| `deployment.athensProxy.resources`                          | CPU and memory resources of the pod.                                                                       | `{}`            |
+| `deployment.athensProxy.securityContext`                    | Security context of the container of the deployment.                                                       | `{}`            |
+| `deployment.athensProxy.volumeMounts`                       | Additional volume mounts.                                                                                  | `[]`            |
+| `deployment.nodeSelector`                                   | NodeSelector of the athens-proxy deployment.                                                               | `{}`            |
+| `deployment.priorityClassName`                              | PriorityClassName of the athens-proxy deployment.                                                          | `""`            |
+| `deployment.replicas`                                       | Number of replicas for the athens-proxy deployment.                                                        | `1`             |
+| `deployment.restartPolicy`                                  | Restart policy of the athens-proxy deployment.                                                             | `""`            |
+| `deployment.securityContext`                                | Security context of the athens-proxy deployment.                                                           | `{}`            |
+| `deployment.strategy.type`                                  | Strategy type - `Recreate` or `RollingUpdate`.                                                             | `RollingUpdate` |
+| `deployment.strategy.rollingUpdate.maxSurge`                | The maximum number of pods that can be scheduled above the desired number of pods during a rolling update. | `1`             |
+| `deployment.strategy.rollingUpdate.maxUnavailable`          | The maximum number of pods that can be unavailable during a rolling update.                                | `1`             |
+| `deployment.terminationGracePeriodSeconds`                  | How long to wait until forcefully kill the pod.                                                            | `60`            |
+| `deployment.tolerations`                                    | Tolerations of the athens-proxy deployment.                                                                | `[]`            |
+| `deployment.topologySpreadConstraints`                      | TopologySpreadConstraints of the athens-proxy deployment.                                                  | `[]`            |
+| `deployment.volumes`                                        | Additional volumes to mount into the pods of the athens-proxy deployment.                                  | `[]`            |
+
+### GatewayAPI
+
+| Name                                                        | Description                                                                                                                                                                                         | Value   |
+| ----------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------- |
+| `gatewayAPI.enabled`                                        | Enable the Gateway API resources. Requires Kubernetes v1.19 or higher, the CRD's and a compatible gateway controller.                                                                               | `false` |
+| `gatewayAPI.core.backendTLSPolicy.enabled`                  | Enable the BackendTLSPolicy resource. Requires also `gatewayAPI.enabled` to be `true`.                                                                                                              | `false` |
+| `gatewayAPI.core.backendTLSPolicy.annotations`              | Additional annotations for the BackendTLSPolicy.                                                                                                                                                    | `{}`    |
+| `gatewayAPI.core.backendTLSPolicy.labels`                   | Additional labels for the BackendTLSPolicy.                                                                                                                                                         | `{}`    |
+| `gatewayAPI.core.backendTLSPolicy.validation`               | Validation configuration for the BackendTLSPolicy. For example, you can specify a trusted CA certificate to validate the TLS connection between the gateway and the athens-proxy pod.               | `{}`    |
+| `gatewayAPI.core.httpRoute.enabled`                         | Enable the HTTPRoute resource. Requires also `gatewayAPI.enabled` and `service.enabled` to be `true`.                                                                                               | `false` |
+| `gatewayAPI.core.httpRoute.annotations`                     | Additional annotations for the HTTPRoute.                                                                                                                                                           | `{}`    |
+| `gatewayAPI.core.httpRoute.labels`                          | Additional labels for the HTTPRoute.                                                                                                                                                                | `{}`    |
+| `gatewayAPI.core.httpRoute.hostnames`                       | Hostnames for the HTTPRoute.                                                                                                                                                                        | `[]`    |
+| `gatewayAPI.core.httpRoute.parentRefs`                      | ParentRefs for the HTTPRoute. You can specify parentRefs to bind the HTTPRoute to specific Gateway resources.                                                                                       | `[]`    |
+| `gatewayAPI.nginx.clientSettingsPolicy.enabled`             | Enable the ClientSettingsPolicy resource. Requires also `gatewayAPI.enabled` to be `true`.                                                                                                          | `false` |
+| `gatewayAPI.nginx.clientSettingsPolicy.annotations`         | Additional annotations for the ClientSettingsPolicy.                                                                                                                                                | `{}`    |
+| `gatewayAPI.nginx.clientSettingsPolicy.labels`              | Additional labels for the ClientSettingsPolicy.                                                                                                                                                     | `{}`    |
+| `gatewayAPI.nginx.clientSettingsPolicy.clientMaxBodySize`   | ClientMaxBodySize sets the maximum allowed size of the client request body. If not specified, the default of the nginx gateway controller is used.                                                  | `""`    |
+| `gatewayAPI.nginx.clientSettingsPolicy.clientBodyTimeout`   | ClientBodyTimeout sets the timeout for reading the client request body. If not specified, the default of the nginx gateway controller is used.                                                      | `""`    |
+| `gatewayAPI.nginx.clientSettingsPolicy.keepaliveRequests`   | KeepaliveRequests sets the maximum number of requests that can be served through one keepalive connection. If not specified, the default of the nginx gateway controller is used.                   | `nil`   |
+| `gatewayAPI.nginx.clientSettingsPolicy.keepaliveTime`       | KeepaliveTime sets the time a keepalive connection is kept open. If not specified, the default of the nginx gateway controller is used.                                                             | `""`    |
+| `gatewayAPI.nginx.clientSettingsPolicy.keepaliveTimeout`    | KeepaliveTimeout sets the time a client has to wait for the response of a request until the connection is closed. If not specified, the default of the nginx gateway controller is used.            | `""`    |
+| `gatewayAPI.nginx.clientSettingsPolicy.keepaliveMinTimeout` | KeepaliveMinTimeout sets the minimum time a client has to wait for the response of a request until the connection is closed. If not specified, the default of the nginx gateway controller is used. | `""`    |
 
 ### Horizontal Pod Autoscaler (HPA)
 
@@ -382,14 +537,14 @@ spec:
 
 ### Ingress
 
-| Name                  | Description                                                                                                          | Value   |
-| --------------------- | -------------------------------------------------------------------------------------------------------------------- | ------- |
-| `ingress.enabled`     | Enable creation of an ingress resource. Requires, that the http service is also enabled.                             | `false` |
-| `ingress.className`   | Ingress class.                                                                                                       | `nginx` |
-| `ingress.annotations` | Additional ingress annotations.                                                                                      | `{}`    |
-| `ingress.labels`      | Additional ingress labels.                                                                                           | `{}`    |
-| `ingress.hosts`       | Ingress specific configuration. Specification only required when another ingress controller is used instead of `t1k. | `[]`    |
-| `ingress.tls`         | Ingress TLS settings. Specification only required when another ingress controller is used instead of `t1k``.         | `[]`    |
+| Name                  | Description                                                                              | Value   |
+| --------------------- | ---------------------------------------------------------------------------------------- | ------- |
+| `ingress.enabled`     | Enable creation of an ingress resource. Requires, that the http service is also enabled. | `false` |
+| `ingress.className`   | Ingress class.                                                                           | `nginx` |
+| `ingress.annotations` | Additional ingress annotations.                                                          | `{}`    |
+| `ingress.labels`      | Additional ingress labels.                                                               | `{}`    |
+| `ingress.hosts`       | Ingress specific configuration.                                                          | `[]`    |
+| `ingress.tls`         | Ingress TLS settings.                                                                    | `[]`    |
 
 ### Persistence
 
@@ -424,22 +579,22 @@ spec:
 
 ### Service
 
-| Name                                     | Description                                                                                                                                                                                                | Value       |
-| ---------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------- |
-| `services.http.enabled`                  | Enable the service.                                                                                                                                                                                        | `true`      |
-| `services.http.annotations`              | Additional service annotations.                                                                                                                                                                            | `{}`        |
-| `services.http.externalIPs`              | External IPs for the service.                                                                                                                                                                              | `[]`        |
-| `services.http.externalTrafficPolicy`    | If `service.type` is `NodePort` or `LoadBalancer`, set this to `Local` to tell kube-proxy to only use node local endpoints for cluster external traffic. Furthermore, this enables source IP preservation. | `Cluster`   |
-| `services.http.internalTrafficPolicy`    | If `service.type` is `NodePort` or `LoadBalancer`, set this to `Local` to tell kube-proxy to only use node local endpoints for cluster internal traffic.                                                   | `Cluster`   |
-| `services.http.ipFamilies`               | IPFamilies is list of IP families (e.g. `IPv4`, `IPv6`) assigned to this service. This field is usually assigned automatically based on cluster configuration and only required for customization.         | `[]`        |
-| `services.http.labels`                   | Additional service labels.                                                                                                                                                                                 | `{}`        |
-| `services.http.loadBalancerClass`        | LoadBalancerClass is the class of the load balancer implementation this Service belongs to. Requires service from type `LoadBalancer`.                                                                     | `""`        |
-| `services.http.loadBalancerIP`           | LoadBalancer will get created with the IP specified in this field. Requires service from type `LoadBalancer`.                                                                                              | `""`        |
-| `services.http.loadBalancerSourceRanges` | Source range filter for LoadBalancer. Requires service from type `LoadBalancer`.                                                                                                                           | `[]`        |
-| `services.http.port`                     | Port to forward the traffic to.                                                                                                                                                                            | `3000`      |
-| `services.http.sessionAffinity`          | Supports `ClientIP` and `None`. Enable client IP based session affinity via `ClientIP`.                                                                                                                    | `None`      |
-| `services.http.sessionAffinityConfig`    | Contains the configuration of the session affinity.                                                                                                                                                        | `{}`        |
-| `services.http.type`                     | Kubernetes service type for the traffic.                                                                                                                                                                   | `ClusterIP` |
+| Name                               | Description                                                                                                                                                                                                | Value       |
+| ---------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------- |
+| `service.enabled`                  | Enable the service.                                                                                                                                                                                        | `true`      |
+| `service.annotations`              | Additional service annotations.                                                                                                                                                                            | `{}`        |
+| `service.externalIPs`              | External IPs for the service.                                                                                                                                                                              | `[]`        |
+| `service.externalTrafficPolicy`    | If `service.type` is `NodePort` or `LoadBalancer`, set this to `Local` to tell kube-proxy to only use node local endpoints for cluster external traffic. Furthermore, this enables source IP preservation. | `Cluster`   |
+| `service.internalTrafficPolicy`    | If `service.type` is `NodePort` or `LoadBalancer`, set this to `Local` to tell kube-proxy to only use node local endpoints for cluster internal traffic.                                                   | `Cluster`   |
+| `service.ipFamilies`               | IPFamilies is list of IP families (e.g. `IPv4`, `IPv6`) assigned to this service. This field is usually assigned automatically based on cluster configuration and only required for customization.         | `[]`        |
+| `service.labels`                   | Additional service labels.                                                                                                                                                                                 | `{}`        |
+| `service.loadBalancerClass`        | LoadBalancerClass is the class of the load balancer implementation this Service belongs to. Requires service from type `LoadBalancer`.                                                                     | `""`        |
+| `service.loadBalancerIP`           | LoadBalancer will get created with the IP specified in this field. Requires service from type `LoadBalancer`.                                                                                              | `""`        |
+| `service.loadBalancerSourceRanges` | Source range filter for LoadBalancer. Requires service from type `LoadBalancer`.                                                                                                                           | `[]`        |
+| `service.port`                     | Port to forward the traffic to.                                                                                                                                                                            | `3000`      |
+| `service.sessionAffinity`          | Supports `ClientIP` and `None`. Enable client IP based session affinity via `ClientIP`.                                                                                                                    | `None`      |
+| `service.sessionAffinityConfig`    | Contains the configuration of the session affinity.                                                                                                                                                        | `{}`        |
+| `service.type`                     | Kubernetes service type for the traffic.                                                                                                                                                                   | `ClusterIP` |
 
 ### ServiceAccount
 

artifacthub-repo.yml

@@ -0,0 +1 @@
+repositoryID: 4c206fe5-b83a-457a-bcad-7dd664f8b70c

package-lock.json

@@ -9,7 +9,7 @@
       "devDependencies": {
         "@bitnami/readme-generator-for-helm": "^2.5.0",
         "markdown-link-check": "^3.13.6",
-        "markdownlint-cli": "^0.46.0"
+        "markdownlint-cli": "^0.48.0"
       },
       "engines": {
         "node": ">=16.0.0",
@@ -33,29 +33,6 @@
         "readme-generator": "bin/index.js"
       }
     },
-    "node_modules/@isaacs/balanced-match": {
-      "version": "4.0.1",
-      "resolved": "https://registry.npmjs.org/@isaacs/balanced-match/-/balanced-match-4.0.1.tgz",
-      "integrity": "sha512-yzMTt9lEb8Gv7zRioUilSglI0c0smZ9k5D65677DLWLtWJaXIS3CqcGyUFByYKlnUj6TkjLVs54fBl6+TiGQDQ==",
-      "dev": true,
-      "license": "MIT",
-      "engines": {
-        "node": "20 || >=22"
-      }
-    },
-    "node_modules/@isaacs/brace-expansion": {
-      "version": "5.0.0",
-      "resolved": "https://registry.npmjs.org/@isaacs/brace-expansion/-/brace-expansion-5.0.0.tgz",
-      "integrity": "sha512-ZT55BDLV0yv0RBm2czMiZ+SqCGO7AvmOM3G/w2xhVPH+te0aKgFjmBvGlL1dH+ql2tgGO3MVrbb3jCKyvpgnxA==",
-      "dev": true,
-      "license": "MIT",
-      "dependencies": {
-        "@isaacs/balanced-match": "^4.0.1"
-      },
-      "engines": {
-        "node": "20 || >=22"
-      }
-    },
     "node_modules/@oozcitak/dom": {
       "version": "2.0.1",
       "resolved": "https://registry.npmjs.org/@oozcitak/dom/-/dom-2.0.1.tgz",
@@ -156,6 +133,19 @@
         "node": ">= 14"
       }
     },
+    "node_modules/ansi-regex": {
+      "version": "6.2.2",
+      "resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-6.2.2.tgz",
+      "integrity": "sha512-Bq3SmSpyFHaWjPk8If9yc6svM8c56dB5BAtW4Qbw5jHTwwXXcTLoRMkpDJp6VL0XzlWaCHTXrkFURMYmD0sLqg==",
+      "dev": true,
+      "license": "MIT",
+      "engines": {
+        "node": ">=12"
+      },
+      "funding": {
+        "url": "https://github.com/chalk/ansi-regex?sponsor=1"
+      }
+    },
     "node_modules/argparse": {
       "version": "2.0.1",
       "resolved": "https://registry.npmjs.org/argparse/-/argparse-2.0.1.tgz",
@@ -637,6 +627,19 @@
       "dev": true,
       "license": "ISC"
     },
+    "node_modules/get-east-asian-width": {
+      "version": "1.4.0",
+      "resolved": "https://registry.npmjs.org/get-east-asian-width/-/get-east-asian-width-1.4.0.tgz",
+      "integrity": "sha512-QZjmEOC+IT1uk6Rx0sX22V6uHWVwbdbxf1faPqJ1QhLdGgsRGCZoyaQBm/piRdJy/D2um6hM1UP7ZEeQ4EkP+Q==",
+      "dev": true,
+      "license": "MIT",
+      "engines": {
+        "node": ">=18"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/sindresorhus"
+      }
+    },
     "node_modules/get-uri": {
       "version": "6.0.4",
       "resolved": "https://registry.npmjs.org/get-uri/-/get-uri-6.0.4.tgz",
@@ -981,9 +984,9 @@
       }
     },
     "node_modules/markdown-it": {
-      "version": "14.1.0",
-      "resolved": "https://registry.npmjs.org/markdown-it/-/markdown-it-14.1.0.tgz",
-      "integrity": "sha512-a54IwgWPaeBCAAsv13YgmALOF1elABB08FxO9i+r4VFk5Vl4pKokRPeX8u5TCgSsPi6ec1otfLjdOpVcgbpshg==",
+      "version": "14.1.1",
+      "resolved": "https://registry.npmjs.org/markdown-it/-/markdown-it-14.1.1.tgz",
+      "integrity": "sha512-BuU2qnTti9YKgK5N+IeMubp14ZUKUUw7yeJbkjtosvHiP0AZ5c8IAgEMk79D0eC8F23r4Ac/q8cAIFdm2FtyoA==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
@@ -1055,9 +1058,9 @@
       }
     },
     "node_modules/markdownlint": {
-      "version": "0.39.0",
-      "resolved": "https://registry.npmjs.org/markdownlint/-/markdownlint-0.39.0.tgz",
-      "integrity": "sha512-Xt/oY7bAiHwukL1iru2np5LIkhwD19Y7frlsiDILK62v3jucXCD6JXlZlwMG12HZOR+roHIVuJZrfCkOhp6k3g==",
+      "version": "0.40.0",
+      "resolved": "https://registry.npmjs.org/markdownlint/-/markdownlint-0.40.0.tgz",
+      "integrity": "sha512-UKybllYNheWac61Ia7T6fzuQNDZimFIpCg2w6hHjgV1Qu0w1TV0LlSgryUGzM0bkKQCBhy2FDhEELB73Kb0kAg==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
@@ -1068,7 +1071,8 @@
         "micromark-extension-gfm-footnote": "2.1.0",
         "micromark-extension-gfm-table": "2.1.1",
         "micromark-extension-math": "3.1.0",
-        "micromark-util-types": "2.0.2"
+        "micromark-util-types": "2.0.2",
+        "string-width": "8.1.0"
       },
       "engines": {
         "node": ">=20"
@@ -1078,23 +1082,23 @@
       }
     },
     "node_modules/markdownlint-cli": {
-      "version": "0.46.0",
-      "resolved": "https://registry.npmjs.org/markdownlint-cli/-/markdownlint-cli-0.46.0.tgz",
-      "integrity": "sha512-4gxTNzPjpLnY7ftrEZD4flPY0QBkQLiqezb6KURFSkV+vPHFOsYw8OMtY6fu82Yt8ghtSrWegpYdq1ix25VFLQ==",
+      "version": "0.48.0",
+      "resolved": "https://registry.npmjs.org/markdownlint-cli/-/markdownlint-cli-0.48.0.tgz",
+      "integrity": "sha512-NkZQNu2E0Q5qLEEHwWj674eYISTLD4jMHkBzDobujXd1kv+yCxi8jOaD/rZoQNW1FBBMMGQpuW5So8B51N/e0A==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "commander": "~14.0.2",
+        "commander": "~14.0.3",
         "deep-extend": "~0.6.0",
         "ignore": "~7.0.5",
         "js-yaml": "~4.1.1",
         "jsonc-parser": "~3.3.1",
         "jsonpointer": "~5.0.1",
-        "markdown-it": "~14.1.0",
-        "markdownlint": "~0.39.0",
-        "minimatch": "~10.1.1",
+        "markdown-it": "~14.1.1",
+        "markdownlint": "~0.40.0",
+        "minimatch": "~10.2.4",
         "run-con": "~1.3.2",
-        "smol-toml": "~1.5.2",
+        "smol-toml": "~1.6.0",
         "tinyglobby": "~0.2.15"
       },
       "bin": {
@@ -1104,10 +1108,33 @@
         "node": ">=20"
       }
     },
+    "node_modules/markdownlint-cli/node_modules/balanced-match": {
+      "version": "4.0.4",
+      "resolved": "https://registry.npmjs.org/balanced-match/-/balanced-match-4.0.4.tgz",
+      "integrity": "sha512-BLrgEcRTwX2o6gGxGOCNyMvGSp35YofuYzw9h1IMTRmKqttAZZVU67bdb9Pr2vUHA8+j3i2tJfjO6C6+4myGTA==",
+      "dev": true,
+      "license": "MIT",
+      "engines": {
+        "node": "18 || 20 || >=22"
+      }
+    },
+    "node_modules/markdownlint-cli/node_modules/brace-expansion": {
+      "version": "5.0.4",
+      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-5.0.4.tgz",
+      "integrity": "sha512-h+DEnpVvxmfVefa4jFbCf5HdH5YMDXRsmKflpf1pILZWRFlTbJpxeU55nJl4Smt5HQaGzg1o6RHFPJaOqnmBDg==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "balanced-match": "^4.0.2"
+      },
+      "engines": {
+        "node": "18 || 20 || >=22"
+      }
+    },
     "node_modules/markdownlint-cli/node_modules/commander": {
-      "version": "14.0.2",
-      "resolved": "https://registry.npmjs.org/commander/-/commander-14.0.2.tgz",
-      "integrity": "sha512-TywoWNNRbhoD0BXs1P3ZEScW8W5iKrnbithIl0YH+uCmBd0QpPOA8yc82DS3BIE5Ma6FnBVUsJ7wVUDz4dvOWQ==",
+      "version": "14.0.3",
+      "resolved": "https://registry.npmjs.org/commander/-/commander-14.0.3.tgz",
+      "integrity": "sha512-H+y0Jo/T1RZ9qPP4Eh1pkcQcLRglraJaSLoyOtHxu6AapkjWVCy2Sit1QQ4x3Dng8qDlSsZEet7g5Pq06MvTgw==",
       "dev": true,
       "license": "MIT",
       "engines": {
@@ -1115,16 +1142,16 @@
       }
     },
     "node_modules/markdownlint-cli/node_modules/minimatch": {
-      "version": "10.1.1",
-      "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-10.1.1.tgz",
-      "integrity": "sha512-enIvLvRAFZYXJzkCYG5RKmPfrFArdLv+R+lbQ53BmIMLIry74bjKzX6iHAm8WYamJkhSSEabrWN5D97XnKObjQ==",
+      "version": "10.2.4",
+      "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-10.2.4.tgz",
+      "integrity": "sha512-oRjTw/97aTBN0RHbYCdtF1MQfvusSIBQM0IZEgzl6426+8jSC0nF1a/GmnVLpfB9yyr6g6FTqWqiZVbxrtaCIg==",
       "dev": true,
       "license": "BlueOak-1.0.0",
       "dependencies": {
-        "@isaacs/brace-expansion": "^5.0.0"
+        "brace-expansion": "^5.0.2"
       },
       "engines": {
-        "node": "20 || >=22"
+        "node": "18 || 20 || >=22"
       },
       "funding": {
         "url": "https://github.com/sponsors/isaacs"
@@ -1890,7 +1917,6 @@
       "integrity": "sha512-5gTmgEY/sqK6gFXLIsQNH19lWb4ebPDLA4SdLP7dsWkIXHWlG66oPuVvXSGFPppYZz8ZDZq0dYYrbHfBCVUb1Q==",
       "dev": true,
       "license": "MIT",
-      "peer": true,
       "engines": {
         "node": ">=12"
       },
@@ -1997,9 +2023,9 @@
       }
     },
     "node_modules/smol-toml": {
-      "version": "1.5.2",
-      "resolved": "https://registry.npmjs.org/smol-toml/-/smol-toml-1.5.2.tgz",
-      "integrity": "sha512-QlaZEqcAH3/RtNyet1IPIYPsEWAaYyXXv1Krsi+1L/QHppjX4Ifm8MQsBISz9vE8cHicIq3clogsheili5vhaQ==",
+      "version": "1.6.0",
+      "resolved": "https://registry.npmjs.org/smol-toml/-/smol-toml-1.6.0.tgz",
+      "integrity": "sha512-4zemZi0HvTnYwLfrpk/CF9LOd9Lt87kAt50GnqhMpyF9U3poDAP2+iukq2bZsO/ufegbYehBkqINbsWxj4l4cw==",
       "dev": true,
       "license": "BSD-3-Clause",
       "engines": {
@@ -2057,6 +2083,39 @@
       "dev": true,
       "license": "BSD-3-Clause"
     },
+    "node_modules/string-width": {
+      "version": "8.1.0",
+      "resolved": "https://registry.npmjs.org/string-width/-/string-width-8.1.0.tgz",
+      "integrity": "sha512-Kxl3KJGb/gxkaUMOjRsQ8IrXiGW75O4E3RPjFIINOVH8AMl2SQ/yWdTzWwF3FevIX9LcMAjJW+GRwAlAbTSXdg==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "get-east-asian-width": "^1.3.0",
+        "strip-ansi": "^7.1.0"
+      },
+      "engines": {
+        "node": ">=20"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/sindresorhus"
+      }
+    },
+    "node_modules/strip-ansi": {
+      "version": "7.1.2",
+      "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-7.1.2.tgz",
+      "integrity": "sha512-gmBGslpoQJtgnMAvOVqGZpEz9dyoKTCzy2nfz/n8aIFhN/jCE/rCmcxabB6jOOHV+0WNnylOxaxBQPSvcWklhA==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "ansi-regex": "^6.0.1"
+      },
+      "engines": {
+        "node": ">=12"
+      },
+      "funding": {
+        "url": "https://github.com/chalk/strip-ansi?sponsor=1"
+      }
+    },
     "node_modules/strip-json-comments": {
       "version": "3.1.1",
       "resolved": "https://registry.npmjs.org/strip-json-comments/-/strip-json-comments-3.1.1.tgz",

package.json

@@ -16,6 +16,6 @@
   "devDependencies": {
     "@bitnami/readme-generator-for-helm": "^2.5.0",
     "markdown-link-check": "^3.13.6",
-    "markdownlint-cli": "^0.46.0"
+    "markdownlint-cli": "^0.48.0"
   }
 }

renovate.json

@@ -51,20 +51,6 @@
         "volkerraschek/helm"
       ]
     },
-    {
-      "automerge": true,
-      "groupName": "Update helm plugin 'unittest'",
-      "matchDepNames": [
-        "helm-unittest/helm-unittest"
-      ],
-      "matchDatasources": [
-        "github-releases"
-      ],
-      "matchUpdateTypes": [
-        "minor",
-        "patch"
-      ]
-    },
     {
       "groupName": "Update docker.io/library/node",
       "matchDepNames": [

templates/_backendTLSPolicies.tpl

@@ -0,0 +1,32 @@
+{{/* vim: set filetype=mustache: */}}
+
+{{/* annotations */}}
+
+{{- define "athens-proxy.backendTLSPolicy.annotations" -}}
+{{ include "athens-proxy.annotations" . }}
+{{- if .Values.gatewayAPI.core.backendTLSPolicy.annotations }}
+{{ toYaml .Values.gatewayAPI.core.backendTLSPolicy.annotations }}
+{{- end }}
+{{- end }}
+
+{{/* enabled */}}
+
+{{- define "athens-proxy.backendTLSPolicy.enabled" -}}
+{{- if and .Values.gatewayAPI.enabled
+           .Values.gatewayAPI.core.backendTLSPolicy.enabled
+           .Values.service.enabled
+-}}
+true
+{{- else -}}
+false
+{{- end -}}
+{{- end }}
+
+{{/* labels */}}
+
+{{- define "athens-proxy.backendTLSPolicy.labels" -}}
+{{ include "athens-proxy.labels" . }}
+{{- if .Values.gatewayAPI.core.backendTLSPolicy.labels }}
+{{ toYaml .Values.gatewayAPI.core.backendTLSPolicy.labels }}
+{{- end }}
+{{- end }}

templates/_clientSettingsPolicies.tpl

@@ -0,0 +1,31 @@
+{{/* vim: set filetype=mustache: */}}
+
+{{/* annotations */}}
+
+{{- define "athens-proxy.clientSettingsPolicy.annotations" -}}
+{{ include "athens-proxy.annotations" . }}
+{{- if .Values.gatewayAPI.nginx.clientSettingsPolicy.annotations }}
+{{ toYaml .Values.gatewayAPI.nginx.clientSettingsPolicy.annotations }}
+{{- end }}
+{{- end }}
+
+{{/* enabled */}}
+
+{{- define "athens-proxy.clientSettingsPolicy.enabled" -}}
+{{- if and (eq (include "athens-proxy.httpRoute.enabled" $) "true")
+           .Values.gatewayAPI.nginx.clientSettingsPolicy.enabled
+-}}
+true
+{{- else -}}
+false
+{{- end -}}
+{{- end }}
+
+{{/* labels */}}
+
+{{- define "athens-proxy.clientSettingsPolicy.labels" -}}
+{{ include "athens-proxy.labels" . }}
+{{- if .Values.gatewayAPI.nginx.clientSettingsPolicy.labels }}
+{{ toYaml .Values.gatewayAPI.nginx.clientSettingsPolicy.labels }}
+{{- end }}
+{{- end }}

templates/_httpRoutes.tpl

@@ -0,0 +1,32 @@
+{{/* vim: set filetype=mustache: */}}
+
+{{/* annotations */}}
+
+{{- define "athens-proxy.httpRoute.annotations" -}}
+{{ include "athens-proxy.annotations" . }}
+{{- if .Values.gatewayAPI.core.httpRoute.annotations }}
+{{ toYaml .Values.gatewayAPI.core.httpRoute.annotations }}
+{{- end }}
+{{- end }}
+
+{{/* enabled */}}
+
+{{- define "athens-proxy.httpRoute.enabled" -}}
+{{- if and .Values.gatewayAPI.enabled
+           .Values.gatewayAPI.core.httpRoute.enabled
+           .Values.service.enabled
+-}}
+true
+{{- else -}}
+false
+{{- end -}}
+{{- end }}
+
+{{/* labels */}}
+
+{{- define "athens-proxy.httpRoute.labels" -}}
+{{ include "athens-proxy.labels" . }}
+{{- if .Values.gatewayAPI.core.httpRoute.labels }}
+{{ toYaml .Values.gatewayAPI.core.httpRoute.labels }}
+{{- end }}
+{{- end }}

templates/_pod.tpl

@@ -1,34 +0,0 @@
----
-
-{{/* annotations */}}
-
-{{- define "athens-proxy.pod.annotations" }}
-{{- include "athens-proxy.annotations" . }}
-{{- if and .Values.config.env.enabled (not .Values.config.env.existingSecret.enabled) }}
-{{ printf "checksum/secret-%s: %s" (include "athens-proxy.secrets.env.name" $) (include (print $.Template.BasePath "/secretEnv.yaml") . | sha256sum) }}
-{{- end }}
-{{- if and .Values.config.downloadMode.enabled (not .Values.config.downloadMode.existingConfigMap.enabled) }}
-{{ printf "checksum/config-map-%s: %s" (include "athens-proxy.configMap.downloadMode.name" $) (include (print $.Template.BasePath "/configMapDownloadMode.yaml") . | sha256sum) }}
-{{- end }}
-{{- if and .Values.config.gitConfig.enabled (not .Values.config.gitConfig.existingConfigMap.enabled) }}
-{{ printf "checksum/config-map-%s: %s" (include "athens-proxy.configMap.gitConfig.name" $) (include (print $.Template.BasePath "/configMapGitConfig.yaml") . | sha256sum) }}
-{{- end }}
-{{- if and .Values.config.netrc.enabled (not .Values.config.netrc.existingSecret.enabled) }}
-{{ printf "checksum/secret-%s: %s" (include "athens-proxy.secrets.netrc.name" $) (include (print $.Template.BasePath "/secretNetRC.yaml") . | sha256sum) }}
-{{- end }}
-{{- if and .Values.config.ssh.enabled (not .Values.config.ssh.existingSecret.enabled) }}
-{{ printf "checksum/secret-%s: %s" (include "athens-proxy.secrets.ssh.name" $) (include (print $.Template.BasePath "/secretSSH.yaml") . | sha256sum) }}
-{{- end }}
-{{- end }}
-
-
-
-{{/* labels */}}
-
-{{- define "athens-proxy.pod.labels" -}}
-{{ include "athens-proxy.labels" . }}
-{{- end }}
-
-{{- define "athens-proxy.pod.selectorLabels" -}}
-{{ include "athens-proxy.selectorLabels" . }}
-{{- end }}

templates/_pods.tpl

@@ -0,0 +1,76 @@
+---
+
+{{/* annotations */}}
+
+{{- define "athens-proxy.pod.annotations" }}
+{{- include "athens-proxy.annotations" . }}
+{{- if and .Values.certificate.enabled .Values.certificate.addSHASumAnnotation }}
+{{- $secretName := include "athens-proxy.certificates.server.name" $ }}
+{{- if and .Values.certificate.existingSecret.enabled (gt (len .Values.certificate.existingSecret.secretName) 0) }}
+{{- $secretName = .Values.certificate.existingSecret.secretName }}
+{{- end }}
+{{- $secret := lookup "v1" "Secret" .Release.Namespace $secretName | toYaml }}
+{{ printf "checksum/secret-%s: %s" $secretName ($secret | sha256sum) }}
+{{- end }}
+
+{{- if and .Values.config.env.enabled .Values.config.env.addSHASumAnnotation }}
+{{- $secretName := include "athens-proxy.secrets.env.name" $ }}
+{{- $secret := include (print $.Template.BasePath "/secretEnv.yaml") $ }}
+{{- if and .Values.config.env.existingSecret.enabled (gt (len .Values.config.env.existingSecret.secretName) 0) }}
+{{- $secretName = .Values.config.env.existingSecret.secretName }}
+{{- $secret := lookup "v1" "Secret" .Release.Namespace $secretName | toYaml }}
+{{- end }}
+{{ printf "checksum/secret-%s: %s" $secretName ($secret | sha256sum) }}
+{{- end }}
+
+{{- if and .Values.config.downloadMode.enabled .Values.config.downloadMode.addSHASumAnnotation }}
+{{- $configMapName := include "athens-proxy.configMap.downloadMode.name" $ }}
+{{- $configMap := include (print $.Template.BasePath "/configMapDownloadMode.yaml") . }}
+{{- if and .Values.config.downloadMode.existingConfigMap.enabled (gt (len .Values.config.downloadMode.existingConfigMap.configMapName) 0) }}
+{{- $configMapName = .Values.config.downloadMode.existingConfigMap.configMapName }}
+{{- $configMap := lookup "v1" "ConfigMap" .Release.Namespace $configMapName | toYaml }}
+{{- end }}
+{{ printf "checksum/config-map-%s: %s" $configMapName ($configMap | sha256sum) }}
+{{- end }}
+
+{{- if and .Values.config.gitConfig.enabled .Values.config.gitConfig.addSHASumAnnotation }}
+{{- $configMapName := include "athens-proxy.configMap.gitConfig.name" $ }}
+{{- $configMap := include (print $.Template.BasePath "/configMapGitConfig.yaml") . }}
+{{- if and .Values.config.gitConfig.existingConfigMap.enabled (gt (len .Values.config.gitConfig.existingConfigMap.configMapName) 0) }}
+{{- $configMapName = .Values.config.gitConfig.existingConfigMap.configMapName }}
+{{- $configMap := lookup "v1" "ConfigMap" .Release.Namespace $configMapName | toYaml }}
+{{- end }}
+{{ printf "checksum/config-map-%s: %s" $configMapName ($configMap | sha256sum) }}
+{{- end }}
+
+{{- if and .Values.config.netrc.enabled .Values.config.netrc.addSHASumAnnotation }}
+{{- $secretName := include "athens-proxy.secrets.netrc.name" $ }}
+{{- $secret := include (print $.Template.BasePath "/secretNetRC.yaml") $ }}
+{{- if and .Values.config.netrc.existingSecret.enabled (gt (len .Values.config.netrc.existingSecret.secretName) 0) }}
+{{- $secretName = .Values.config.netrc.existingSecret.secretName }}
+{{- $secret := lookup "v1" "Secret" .Release.Namespace $secretName | toYaml }}
+{{- end }}
+{{ printf "checksum/secret-%s: %s" $secretName ($secret | sha256sum) }}
+{{- end }}
+
+{{- if and .Values.config.ssh.enabled .Values.config.ssh.addSHASumAnnotation }}
+{{- $secretName := include "athens-proxy.secrets.ssh.name" $ }}
+{{- $secret := include (print $.Template.BasePath "/secretSSH.yaml") $ }}
+{{- if and .Values.config.ssh.existingSecret.enabled (gt (len .Values.config.ssh.existingSecret.secretName) 0) }}
+{{- $secretName = .Values.config.ssh.existingSecret.secretName }}
+{{- $secret := lookup "v1" "Secret" .Release.Namespace $secretName | toYaml }}
+{{- end }}
+{{ printf "checksum/secret-%s: %s" $secretName ($secret | sha256sum) }}
+{{- end }}
+
+{{- end }}
+
+{{/* labels */}}
+
+{{- define "athens-proxy.pod.labels" -}}
+{{ include "athens-proxy.labels" . }}
+{{- end }}
+
+{{- define "athens-proxy.pod.selectorLabels" -}}
+{{ include "athens-proxy.selectorLabels" . }}
+{{- end }}

templates/_services.tpl

@@ -2,28 +2,28 @@
 
 {{/* annotations */}}
 
-{{- define "athens-proxy.services.http.annotations" -}}
+{{- define "athens-proxy.service.annotations" -}}
 {{ include "athens-proxy.annotations" . }}
-{{- if .Values.services.http.annotations }}
-{{ toYaml .Values.services.http.annotations }}
+{{- if .Values.service.annotations }}
+{{ toYaml .Values.service.annotations }}
 {{- end }}
 {{- end }}
 
 {{/* labels */}}
 
-{{- define "athens-proxy.services.http.labels" -}}
+{{- define "athens-proxy.service.labels" -}}
 {{ include "athens-proxy.labels" . }}
 {{/* Add label to select the correct service via `selector.matchLabels` of the serviceMonitor resource. */}}
 app.kubernetes.io/service-name: http
-{{- if .Values.services.http.labels }}
-{{ toYaml .Values.services.http.labels }}
+{{- if .Values.service.labels }}
+{{ toYaml .Values.service.labels }}
 {{- end }}
 {{- end }}
 
 {{/* names */}}
 
-{{- define "athens-proxy.services.http.name" -}}
-{{- if .Values.services.http.enabled -}}
-{{ include "athens-proxy.fullname" . }}-http
+{{- define "athens-proxy.service.name" -}}
+{{- if .Values.service.enabled -}}
+{{ include "athens-proxy.fullname" . }}
+{{- end -}}
 {{- end -}}
-{{- end -}}

templates/backendTLSPolicy.yaml

@@ -0,0 +1,25 @@
+{{- if eq (include "athens-proxy.backendTLSPolicy.enabled" $) "true" }}
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: BackendTLSPolicy
+metadata:
+  {{- with (include "athens-proxy.backendTLSPolicy.annotations" . | fromYaml) }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  {{- with (include "athens-proxy.backendTLSPolicy.labels" . | fromYaml) }}
+  labels:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  name: {{ include "athens-proxy.fullname" . }}
+  namespace: {{ .Release.Namespace }}
+spec:
+  targetRefs:
+    - group: ""
+      kind: Service
+      name: {{ include "athens-proxy.service.name" . }}
+  {{- with .Values.gatewayAPI.core.backendTLSPolicy.validation }}
+  validation:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+{{- end -}}

templates/clientSettingsPolicy.yaml

@@ -0,0 +1,50 @@
+{{- if eq (include "athens-proxy.clientSettingsPolicy.enabled" $) "true" }}
+apiVersion: gateway.nginx.org/v1alpha1
+kind: ClientSettingsPolicy
+metadata:
+  {{- with (include "athens-proxy.clientSettingsPolicy.annotations" . | fromYaml) }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  {{- with (include "athens-proxy.clientSettingsPolicy.labels" . | fromYaml) }}
+  labels:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  name: {{ include "athens-proxy.fullname" . }}
+  namespace: {{ .Release.Namespace }}
+spec:
+  targetRef:
+    group: gateway.networking.k8s.io
+    kind: HTTPRoute
+    name: {{ include "athens-proxy.fullname" . }}
+  {{- if or .Values.gatewayAPI.nginx.clientSettingsPolicy.clientMaxBodySize
+            .Values.gatewayAPI.nginx.clientSettingsPolicy.clientBodyTimeout
+  }}
+  body:
+    {{- with .Values.gatewayAPI.nginx.clientSettingsPolicy.clientMaxBodySize }}
+    maxSize: {{ . }}
+    {{- end }}
+    {{- with .Values.gatewayAPI.nginx.clientSettingsPolicy.clientBodyTimeout }}
+    timeout: {{ . }}
+    {{- end }}
+  {{- end }}
+  {{- if or .Values.gatewayAPI.nginx.clientSettingsPolicy.keepaliveRequests
+            .Values.gatewayAPI.nginx.clientSettingsPolicy.keepaliveTime
+            .Values.gatewayAPI.nginx.clientSettingsPolicy.keepaliveTimeout
+            .Values.gatewayAPI.nginx.clientSettingsPolicy.keepaliveMinTimeout
+  }}
+  keepAlive:
+    {{- with .Values.gatewayAPI.nginx.clientSettingsPolicy.keepaliveRequests }}
+    requests: {{ . }}
+    {{- end }}
+    {{- with .Values.gatewayAPI.nginx.clientSettingsPolicy.keepaliveTime }}
+    time: {{ . }}
+    {{- end }}
+    {{- with .Values.gatewayAPI.nginx.clientSettingsPolicy.keepaliveTimeout }}
+    timeout: {{ . }}
+    {{- end }}
+    {{- with .Values.gatewayAPI.nginx.clientSettingsPolicy.keepaliveMinTimeout }}
+    minTimeout: {{ . }}
+    {{- end }}
+  {{- end }}
+{{- end -}}

templates/deployment.yaml

@@ -52,27 +52,27 @@ spec:
         livenessProbe:
           exec:
             {{- if not .Values.certificate.enabled }}
-            command: [ "wget", "-T", "3", "-O", "/dev/null", "http://localhost:3000" ]
+            command: [ "wget", "-T", "{{ .Values.deployment.athensProxy.livenessProbe.timeoutSeconds }}", "-O", "/dev/null", "http://localhost:3000" ]
             {{- else }}
-            command: [ "wget", "--no-check-certificate", "-T", "3", "-O", "/dev/null", "https://localhost:3000" ]
+            command: [ "wget", "--no-check-certificate", "-T", "{{ .Values.deployment.athensProxy.livenessProbe.timeoutSeconds }}", "-O", "/dev/null", "https://localhost:3000" ]
             {{- end }}
-          failureThreshold: 3
-          initialDelaySeconds: 5
-          periodSeconds: 60
-          successThreshold: 1
-          timeoutSeconds: 3
+          failureThreshold: {{ .Values.deployment.athensProxy.livenessProbe.failureThreshold }}
+          initialDelaySeconds: {{ .Values.deployment.athensProxy.livenessProbe.initialDelaySeconds }}
+          periodSeconds: {{ .Values.deployment.athensProxy.livenessProbe.periodSeconds }}
+          successThreshold: {{ .Values.deployment.athensProxy.livenessProbe.successThreshold }}
+          timeoutSeconds: {{ .Values.deployment.athensProxy.livenessProbe.timeoutSeconds }}
         readinessProbe:
           exec:
             {{- if not .Values.certificate.enabled }}
-            command: [ "wget", "-T", "3", "-O", "/dev/null", "http://localhost:3000" ]
+            command: [ "wget", "-T", "{{ .Values.deployment.athensProxy.readinessProbe.timeoutSeconds }}", "-O", "/dev/null", "http://localhost:3000" ]
             {{- else }}
-            command: [ "wget", "--no-check-certificate", "-T", "3", "-O", "/dev/null", "https://localhost:3000" ]
+            command: [ "wget", "--no-check-certificate", "-T", "{{ .Values.deployment.athensProxy.readinessProbe.timeoutSeconds }}", "-O", "/dev/null", "https://localhost:3000" ]
             {{- end }}
-          failureThreshold: 3
-          initialDelaySeconds: 5
-          periodSeconds: 15
-          successThreshold: 1
-          timeoutSeconds: 3
+          failureThreshold: {{ .Values.deployment.athensProxy.readinessProbe.failureThreshold }}
+          initialDelaySeconds: {{ .Values.deployment.athensProxy.readinessProbe.initialDelaySeconds }}
+          periodSeconds: {{ .Values.deployment.athensProxy.readinessProbe.periodSeconds }}
+          successThreshold: {{ .Values.deployment.athensProxy.readinessProbe.successThreshold }}
+          timeoutSeconds: {{ .Values.deployment.athensProxy.readinessProbe.timeoutSeconds }}
         ports:
         - name: http
           containerPort: 3000

templates/httpRoute.yaml

@@ -0,0 +1,36 @@
+{{- if eq (include "athens-proxy.httpRoute.enabled" $) "true" }}
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  {{- with (include "athens-proxy.httpRoute.annotations" . | fromYaml) }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  {{- with (include "athens-proxy.httpRoute.labels" . | fromYaml) }}
+  labels:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  name: {{ include "athens-proxy.fullname" . }}
+  namespace: {{ .Release.Namespace }}
+spec:
+  {{- with .Values.gatewayAPI.core.httpRoute.hostnames }}
+  hostnames:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  {{- with .Values.gatewayAPI.core.httpRoute.parentRefs }}
+  parentRefs:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  rules:
+    - backendRefs:
+        - kind: Service
+          name: {{ include "athens-proxy.service.name" . }}
+          namespace: {{ .Release.Namespace }}
+          port: {{ .Values.service.port }}
+          weight: 1
+      {{- with .Values.gatewayAPI.core.httpRoute.matches }}
+      matches:
+        {{- toYaml . | nindent 6 }}
+      {{- end }}
+{{- end }}

templates/ingress.yaml

@@ -1,4 +1,4 @@
-{{- if and .Values.services.http.enabled .Values.ingress.enabled }}
+{{- if and .Values.service.enabled .Values.ingress.enabled }}
 ---
 apiVersion: networking.k8s.io/v1
 kind: Ingress
@@ -27,9 +27,9 @@ spec:
         {{- end }}
         backend:
           service:
-            name: {{ include "athens-proxy.services.http.name" $ }}
+            name: {{ include "athens-proxy.service.name" $ }}
             port:
-              number: {{ $.Values.services.http.port }}
+              number: {{ $.Values.service.port }}
       {{- end }}
   {{- end }}
   {{- if .Values.ingress.tls }}
@@ -42,4 +42,4 @@ spec:
     secretName: {{ .secretName | quote }}
   {{- end }}
 {{- end }}
-{{- end }}
+{{- end }}

templates/service.yaml

@@ -0,0 +1,57 @@
+{{- if .Values.service.enabled }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+  {{- with (include "athens-proxy.service.annotations" . | fromYaml) }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  {{- with (include "athens-proxy.service.labels" . | fromYaml) }}
+  labels:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  name: {{ include "athens-proxy.service.name" . }}
+  namespace: {{ .Release.Namespace }}
+spec:
+  {{- if not (empty .Values.service.externalIPs) }}
+  externalIPs:
+  {{- range .Values.service.externalIPs }}
+  - {{ . }}
+  {{- end }}
+  {{- end }}
+  {{- if and (or (eq .Values.service.type "LoadBalancer") (eq .Values.service.type "NodePort") ) .Values.service.externalTrafficPolicy }}
+  externalTrafficPolicy: {{ .Values.service.externalTrafficPolicy }}
+  {{- end }}
+  internalTrafficPolicy: {{ required "No internal traffic policy defined!" .Values.service.internalTrafficPolicy }}
+  {{- if .Values.service.ipFamilies }}
+  ipFamilies:
+  {{- range .Values.service.ipFamilies }}
+  - {{ . }}
+  {{- end }}
+  {{- end }}
+  {{- if and (eq .Values.service.type "LoadBalancer") .Values.service.loadBalancerClass }}
+  loadBalancerClass: {{ .Values.service.loadBalancerClass }}
+  {{- end }}
+  {{- if and (eq .Values.service.type "LoadBalancer") .Values.service.loadBalancerIP }}
+  loadBalancerIP: {{ .Values.service.loadBalancerIP }}
+  {{- end }}
+  {{- if eq .Values.service.type "LoadBalancer" }}
+  loadBalancerSourceRanges:
+  {{- range .Values.service.loadBalancerSourceRanges }}
+  - {{ . }}
+  {{- end }}
+  {{- end }}
+  ports:
+  - name: http
+    protocol: TCP
+    port: {{ required "No service port defined!" .Values.service.port }}
+  selector:
+    {{- include "athens-proxy.pod.selectorLabels" . | nindent 4 }}
+  sessionAffinity: {{ required "No session affinity defined!" .Values.service.sessionAffinity }}
+  {{- with .Values.service.sessionAffinityConfig }}
+  sessionAffinityConfig:
+    {{- toYaml . | nindent 4}}
+  {{- end }}
+  type: {{ required "No service type defined!" .Values.service.type }}
+{{- end }}

templates/serviceHTTP.yaml

@@ -1,57 +0,0 @@
-{{- if .Values.services.http.enabled }}
----
-apiVersion: v1
-kind: Service
-metadata:
-  {{- with (include "athens-proxy.services.http.annotations" . | fromYaml) }}
-  annotations:
-    {{- toYaml . | nindent 4 }}
-  {{- end }}
-  {{- with (include "athens-proxy.services.http.labels" . | fromYaml) }}
-  labels:
-    {{- toYaml . | nindent 4 }}
-  {{- end }}
-  name: {{ include "athens-proxy.services.http.name" . }}
-  namespace: {{ .Release.Namespace }}
-spec:
-  {{- if not (empty .Values.services.http.externalIPs) }}
-  externalIPs:
-  {{- range .Values.services.http.externalIPs }}
-  - {{ . }}
-  {{- end }}
-  {{- end }}
-  {{- if and (or (eq .Values.services.http.type "LoadBalancer") (eq .Values.services.http.type "NodePort") ) .Values.services.http.externalTrafficPolicy }}
-  externalTrafficPolicy: {{ .Values.services.http.externalTrafficPolicy }}
-  {{- end }}
-  internalTrafficPolicy: {{ required "No internal traffic policy defined!" .Values.services.http.internalTrafficPolicy }}
-  {{- if .Values.services.http.ipFamilies }}
-  ipFamilies:
-  {{- range .Values.services.http.ipFamilies }}
-  - {{ . }}
-  {{- end }}
-  {{- end }}
-  {{- if and (eq .Values.services.http.type "LoadBalancer") .Values.services.http.loadBalancerClass }}
-  loadBalancerClass: {{ .Values.services.http.loadBalancerClass }}
-  {{- end }}
-  {{- if and (eq .Values.services.http.type "LoadBalancer") .Values.services.http.loadBalancerIP }}
-  loadBalancerIP: {{ .Values.services.http.loadBalancerIP }}
-  {{- end }}
-  {{- if eq .Values.services.http.type "LoadBalancer" }}
-  loadBalancerSourceRanges:
-  {{- range .Values.services.http.loadBalancerSourceRanges }}
-  - {{ . }}
-  {{- end }}
-  {{- end }}
-  ports:
-  - name: http
-    protocol: TCP
-    port: {{ required "No service port defined!" .Values.services.http.port }}
-  selector:
-    {{- include "athens-proxy.pod.selectorLabels" . | nindent 4 }}
-  sessionAffinity: {{ required "No session affinity defined!" .Values.services.http.sessionAffinity }}
-  {{- with .Values.services.http.sessionAffinityConfig }}
-  sessionAffinityConfig:
-    {{- toYaml . | nindent 4}}
-  {{- end }}
-  type: {{ required "No service type defined!" .Values.services.http.type }}
-{{- end }}

unittests/backendTLSPolicies/backendTLSPolicy.yaml

@@ -0,0 +1,130 @@
+chart:
+  appVersion: 0.1.0
+  version: 0.1.0
+suite: backendTLSPolicy template
+release:
+  name: athens-proxy-unittest
+  namespace: testing
+templates:
+- templates/backendTLSPolicy.yaml
+tests:
+- it: Skip rendering when disabled 1/6
+  set:
+    gatewayAPI.enabled: false
+    gatewayAPI.core.backendTLSPolicy.enabled: false
+    service.enabled: false
+  asserts:
+  - hasDocuments:
+      count: 0
+
+- it: Skip rendering when disabled 2/6
+  set:
+    gatewayAPI.enabled: true
+    gatewayAPI.core.backendTLSPolicy.enabled: false
+    service.enabled: false
+  asserts:
+  - hasDocuments:
+      count: 0
+
+- it: Skip rendering when disabled 3/6
+  set:
+    gatewayAPI.enabled: false
+    gatewayAPI.core.backendTLSPolicy.enabled: true
+    service.enabled: false
+  asserts:
+  - hasDocuments:
+      count: 0
+
+- it: Skip rendering when disabled 4/6
+  set:
+    gatewayAPI.enabled: false
+    gatewayAPI.core.backendTLSPolicy.enabled: false
+    service.enabled: true
+  asserts:
+  - hasDocuments:
+      count: 0
+
+- it: Skip rendering when disabled 5/6
+  set:
+    gatewayAPI.enabled: true
+    gatewayAPI.core.backendTLSPolicy.enabled: false
+    service.enabled: true
+  asserts:
+  - hasDocuments:
+      count: 0
+
+- it: Skip rendering when disabled 6/6
+  set:
+    gatewayAPI.enabled: true
+    gatewayAPI.core.backendTLSPolicy.enabled: true
+    service.enabled: false
+  asserts:
+  - hasDocuments:
+      count: 0
+
+- it: Render default values
+  set:
+    gatewayAPI.enabled: true
+    gatewayAPI.core.backendTLSPolicy.enabled: true
+    service.enabled: true
+  asserts:
+  - hasDocuments:
+      count: 1
+  - containsDocument:
+      apiVersion: gateway.networking.k8s.io/v1
+      kind: BackendTLSPolicy
+      name: athens-proxy-unittest
+      namespace: testing
+  - contains:
+      path: spec.targetRefs
+      content:
+        group: ""
+        kind: Service
+        name: athens-proxy-unittest
+  - notExists:
+      path: spec.validation.caCertificateRefs
+
+- it: Render with custom annotations and labels
+  set:
+    gatewayAPI.enabled: true
+    gatewayAPI.core.backendTLSPolicy:
+      enabled: true
+      annotations:
+        foo: bar
+      labels:
+        bar: foo
+    service.enabled: true
+  asserts:
+  - equal:
+      path: metadata.annotations
+      value:
+        foo: bar
+  - equal:
+      path: metadata.labels
+      value:
+        app.kubernetes.io/instance: athens-proxy-unittest
+        app.kubernetes.io/name: athens-proxy
+        app.kubernetes.io/version: 0.1.0
+        app.kubernetes.io/managed-by: Helm
+        helm.sh/chart: athens-proxy-0.1.0
+        bar: foo
+
+- it: Render with custom validation
+  set:
+    gatewayAPI.enabled: true
+    gatewayAPI.core.backendTLSPolicy.enabled: true
+    gatewayAPI.core.backendTLSPolicy.validation:
+      caCertificateRefs:
+        - group: ""
+          kind: Secret
+          name: athens-proxy-ca
+      hostname: athens-proxy.svc.cluster.local
+    service.enabled: true
+  asserts:
+  - isSubset:
+      path: spec.validation
+      content:
+        caCertificateRefs:
+          - group: ""
+            kind: Secret
+            name: athens-proxy-ca

unittests/clientSettingsPolicies/clientSettingsPolicy.yaml

@@ -0,0 +1,190 @@
+chart:
+  appVersion: 0.1.0
+  version: 0.1.0
+suite: ClientSettingsPolicy template
+release:
+  name: athens-proxy-unittest
+  namespace: testing
+templates:
+- templates/clientSettingsPolicy.yaml
+tests:
+- it: Skip rendering when disabled 1/8
+  set:
+    gatewayAPI.enabled: false
+    gatewayAPI.core.httpRoute.enabled: false
+    gatewayAPI.nginx.clientSettingsPolicy.enabled: false
+    service.enabled: false
+  asserts:
+  - hasDocuments:
+      count: 0
+
+- it: Skip rendering when disabled 2/8
+  set:
+    gatewayAPI.enabled: true
+    gatewayAPI.core.httpRoute.enabled: false
+    gatewayAPI.nginx.clientSettingsPolicy.enabled: false
+    service.enabled: false
+  asserts:
+  - hasDocuments:
+      count: 0
+
+- it: Skip rendering when disabled 3/8
+  set:
+    gatewayAPI.enabled: false
+    gatewayAPI.core.httpRoute.enabled: true
+    gatewayAPI.nginx.clientSettingsPolicy.enabled: false
+    service.enabled: false
+  asserts:
+  - hasDocuments:
+      count: 0
+
+- it: Skip rendering when disabled 4/8
+  set:
+    gatewayAPI.enabled: false
+    gatewayAPI.core.httpRoute.enabled: false
+    gatewayAPI.nginx.clientSettingsPolicy.enabled: true
+    service.enabled: false
+  asserts:
+  - hasDocuments:
+      count: 0
+
+- it: Skip rendering when disabled 5/8
+  set:
+    gatewayAPI.enabled: false
+    gatewayAPI.core.httpRoute.enabled: false
+    gatewayAPI.nginx.clientSettingsPolicy.enabled: false
+    service.enabled: true
+  asserts:
+  - hasDocuments:
+      count: 0
+
+- it: Skip rendering when disabled 6/8
+  set:
+    gatewayAPI.enabled: true
+    gatewayAPI.core.httpRoute.enabled: true
+    gatewayAPI.nginx.clientSettingsPolicy.enabled: false
+    service.enabled: false
+  asserts:
+  - hasDocuments:
+      count: 0
+
+- it: Skip rendering when disabled 7/8
+  set:
+    gatewayAPI.enabled: true
+    gatewayAPI.core.httpRoute.enabled: false
+    gatewayAPI.nginx.clientSettingsPolicy.enabled: true
+    service.enabled: false
+  asserts:
+  - hasDocuments:
+      count: 0
+
+- it: Skip rendering when disabled 8/8
+  set:
+    gatewayAPI.enabled: true
+    gatewayAPI.core.httpRoute.enabled: false
+    gatewayAPI.nginx.clientSettingsPolicy.enabled: false
+    service.enabled: true
+  asserts:
+  - hasDocuments:
+      count: 0
+
+- it: Render default values
+  set:
+    gatewayAPI.enabled: true
+    gatewayAPI.core.httpRoute.enabled: true
+    gatewayAPI.nginx.clientSettingsPolicy.enabled: true
+    service.enabled: true
+  asserts:
+  - hasDocuments:
+      count: 1
+  - containsDocument:
+      apiVersion: gateway.nginx.org/v1alpha1
+      kind: ClientSettingsPolicy
+      name: athens-proxy-unittest
+      namespace: testing
+  - notExists:
+      path: metadata.annotations
+  - equal:
+      path: metadata.labels
+      value:
+        app.kubernetes.io/instance: athens-proxy-unittest
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: athens-proxy
+        app.kubernetes.io/version: 0.1.0
+        helm.sh/chart: athens-proxy-0.1.0
+  - isSubset:
+      path: spec.targetRef
+      content:
+        group: gateway.networking.k8s.io
+        kind: HTTPRoute
+        name: athens-proxy-unittest
+  - notExists:
+      path: spec.body
+  - notExists:
+      path: spec.keepAlive
+
+- it: Render custom annotations and labels
+  set:
+    gatewayAPI.enabled: true
+    gatewayAPI.core.httpRoute.enabled: true
+    gatewayAPI.nginx.clientSettingsPolicy:
+      enabled: true
+      annotations:
+        foo: "bar"
+      labels:
+        bar: "foo"
+    service.enabled: true
+  asserts:
+  - equal:
+      path: metadata.annotations
+      value:
+        foo: "bar"
+  - equal:
+      path: metadata.labels
+      value:
+        app.kubernetes.io/instance: athens-proxy-unittest
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: athens-proxy
+        app.kubernetes.io/version: 0.1.0
+        helm.sh/chart: athens-proxy-0.1.0
+        bar: "foo"
+
+- it: Render with custom body settings
+  set:
+    gatewayAPI.enabled: true
+    gatewayAPI.core.httpRoute.enabled: true
+    gatewayAPI.nginx.clientSettingsPolicy:
+      enabled: true
+      clientMaxBodySize: 10m
+      clientBodyTimeout: 30s
+    service.enabled: true
+  asserts:
+  - isSubset:
+      path: spec.body
+      content:
+        maxSize: 10m
+        timeout: 30s
+  - notExists:
+      path: spec.keepAlive
+
+- it: Render with custom keepAlive settings
+  set:
+    gatewayAPI.enabled: true
+    gatewayAPI.core.httpRoute.enabled: true
+    gatewayAPI.nginx.clientSettingsPolicy:
+      enabled: true
+      keepaliveRequests: 100
+      keepaliveTime: 60s
+      keepaliveTimeout: 60s
+      keepaliveMinTimeout: 10s
+    service.enabled: true
+  asserts:
+  - notExists:
+      path: spec.body
+  - isSubset:
+      path: spec.keepAlive
+      content:
+        requests: 100
+        time: 60s
+        timeout: 60s
+        minTimeout: 10s

unittests/deployments/certificate.yaml

@@ -46,6 +46,44 @@ tests:
     certificate.new.issuerRef.kind: ClusterIssuer
     certificate.new.issuerRef.name: MyIssuer
   asserts:
+    - exists:
+        path: spec.template.metadata.annotations["checksum/secret-athens-proxy-unittest-tls"]
+      template: templates/deployment.yaml
+    - contains:
+        path: spec.template.spec.containers[0].env
+        content:
+          name: ATHENS_TLSCERT_FILE
+          value: /etc/athens-proxy/tls/tls.crt
+      template: templates/deployment.yaml
+    - contains:
+        path: spec.template.spec.containers[0].env
+        content:
+          name: ATHENS_TLSKEY_FILE
+          value: /etc/athens-proxy/tls/tls.key
+      template: templates/deployment.yaml
+    - contains:
+        path: spec.template.spec.containers[0].volumeMounts
+        content:
+          name: tls
+          mountPath: /etc/athens-proxy/tls
+      template: templates/deployment.yaml
+    - contains:
+        path: spec.template.spec.volumes
+        content:
+          name: tls
+          secret:
+            secretName: athens-proxy-unittest-tls
+      template: templates/deployment.yaml
+
+- it: Rendering with external TLS config
+  set:
+    certificate.enabled: true
+    certificate.existingSecret.enabled: true
+    certificate.existingSecret.secretName: my-own-secret
+  asserts:
+    - exists:
+        path: spec.template.metadata.annotations["checksum/secret-my-own-secret"]
+      template: templates/deployment.yaml
     - contains:
         path: spec.template.spec.containers[0].env
         content:

unittests/deployments/deployment.yaml

@@ -67,6 +67,46 @@ tests:
       path: spec.template.spec.containers[0].imagePullPolicy
       value: IfNotPresent
     template: templates/deployment.yaml
+  - equal:
+      path: spec.template.spec.containers[0].livenessProbe.failureThreshold
+      value: 3
+    template: templates/deployment.yaml
+  - equal:
+      path: spec.template.spec.containers[0].livenessProbe.initialDelaySeconds
+      value: 5
+    template: templates/deployment.yaml
+  - equal:
+      path: spec.template.spec.containers[0].livenessProbe.periodSeconds
+      value: 60
+    template: templates/deployment.yaml
+  - equal:
+      path: spec.template.spec.containers[0].livenessProbe.successThreshold
+      value: 1
+    template: templates/deployment.yaml
+  - equal:
+      path: spec.template.spec.containers[0].livenessProbe.timeoutSeconds
+      value: 3
+    template: templates/deployment.yaml
+  - equal:
+      path: spec.template.spec.containers[0].readinessProbe.failureThreshold
+      value: 3
+    template: templates/deployment.yaml
+  - equal:
+      path: spec.template.spec.containers[0].readinessProbe.initialDelaySeconds
+      value: 5
+    template: templates/deployment.yaml
+  - equal:
+      path: spec.template.spec.containers[0].readinessProbe.periodSeconds
+      value: 15
+    template: templates/deployment.yaml
+  - equal:
+      path: spec.template.spec.containers[0].readinessProbe.successThreshold
+      value: 1
+    template: templates/deployment.yaml
+  - equal:
+      path: spec.template.spec.containers[0].readinessProbe.timeoutSeconds
+      value: 3
+    template: templates/deployment.yaml
   - notExists:
       path: spec.template.spec.containers[0].resources
     template: templates/deployment.yaml
@@ -221,6 +261,77 @@ tests:
       value: Always
     template: templates/deployment.yaml
 
+- it: Test custom livenessProbe
+  set:
+    # Normal test values
+    deployment.athensProxy.livenessProbe:
+      failureThreshold: 5
+      initialDelaySeconds: 10
+      periodSeconds: 120
+      successThreshold: 3
+      timeoutSeconds: 5
+  asserts:
+  - equal:
+      path: spec.template.spec.containers[0].livenessProbe.failureThreshold
+      value: 5
+    template: templates/deployment.yaml
+  - equal:
+      path: spec.template.spec.containers[0].livenessProbe.initialDelaySeconds
+      value: 10
+    template: templates/deployment.yaml
+  - equal:
+      path: spec.template.spec.containers[0].livenessProbe.periodSeconds
+      value: 120
+    template: templates/deployment.yaml
+  - equal:
+      path: spec.template.spec.containers[0].livenessProbe.successThreshold
+      value: 3
+    template: templates/deployment.yaml
+  - equal:
+      path: spec.template.spec.containers[0].livenessProbe.timeoutSeconds
+      value: 5
+    template: templates/deployment.yaml
+  - contains:
+      path: spec.template.spec.containers[0].livenessProbe.exec.command
+      content: "5"
+    template: templates/deployment.yaml
+
+- it: Test custom readinessProbe
+  set:
+    # Normal test values
+    deployment.athensProxy.readinessProbe:
+      failureThreshold: 10
+      initialDelaySeconds: 10
+      periodSeconds: 30
+      successThreshold: 5
+      timeoutSeconds: 5
+
+  asserts:
+  - equal:
+      path: spec.template.spec.containers[0].readinessProbe.failureThreshold
+      value: 10
+    template: templates/deployment.yaml
+  - equal:
+      path: spec.template.spec.containers[0].readinessProbe.initialDelaySeconds
+      value: 10
+    template: templates/deployment.yaml
+  - equal:
+      path: spec.template.spec.containers[0].readinessProbe.periodSeconds
+      value: 30
+    template: templates/deployment.yaml
+  - equal:
+      path: spec.template.spec.containers[0].readinessProbe.successThreshold
+      value: 5
+    template: templates/deployment.yaml
+  - equal:
+      path: spec.template.spec.containers[0].readinessProbe.timeoutSeconds
+      value: 5
+    template: templates/deployment.yaml
+  - contains:
+      path: spec.template.spec.containers[0].readinessProbe.exec.command
+      content: "5"
+    template: templates/deployment.yaml
+
 - it: Test custom resource limits and requests
   set:
     # Ensure that the secrets and config maps are well configured.

unittests/deployments/downloadMode.yaml

@@ -40,6 +40,7 @@ tests:
 - it: Rendering default with mounted gitconfig configMap
   set:
     config.downloadMode.enabled: true
+    config.downloadMode.addSHASumAnnotation: true
     persistence.enabled: true
   asserts:
     - exists:
@@ -69,16 +70,87 @@ tests:
             name: athens-proxy-unittest-download-mode-file
       template: templates/deployment.yaml
 
+- it: Rendering default with mounted gitconfig configMap
+  set:
+    config.downloadMode.enabled: true
+    config.downloadMode.addSHASumAnnotation: false
+    persistence.enabled: true
+  asserts:
+    - notExists:
+        path: spec.template.metadata.annotations.checksum/config-map-athens-proxy-unittest-download-mode-file
+      template: templates/deployment.yaml
+    - contains:
+        path: spec.template.spec.containers[0].env
+        content:
+          name: ATHENS_DOWNLOAD_MODE
+          value: file:/etc/athens/config/download-mode.d/download-mode
+      template: templates/deployment.yaml
+    - contains:
+        path: spec.template.spec.containers[0].volumeMounts
+        content:
+          name: download-mode
+          mountPath: /etc/athens/config/download-mode.d
+      template: templates/deployment.yaml
+    - contains:
+        path: spec.template.spec.volumes
+        content:
+          name: download-mode
+          configMap:
+            items:
+              - key: downloadMode
+                mode: 0644
+                path: download-mode
+            name: athens-proxy-unittest-download-mode-file
+      template: templates/deployment.yaml
+
+
 - it: Rendering with custom download mode configMap
   set:
     config.downloadMode.enabled: true
+    config.downloadMode.addSHASumAnnotation: true
+    config.downloadMode.existingConfigMap.enabled: true
+    config.downloadMode.existingConfigMap.configMapName: "my-custom-configmap"
+    config.downloadMode.existingConfigMap.downloadModeKey: "my-custom-download-mode-filename-key"
+    persistence.enabled: true
+  asserts:
+    - exists:
+        path: spec.template.metadata.annotations.checksum/config-map-my-custom-configmap
+      template: templates/deployment.yaml
+    - contains:
+        path: spec.template.spec.containers[0].env
+        content:
+          name: ATHENS_DOWNLOAD_MODE
+          value: file:/etc/athens/config/download-mode.d/download-mode
+      template: templates/deployment.yaml
+    - contains:
+        path: spec.template.spec.containers[0].volumeMounts
+        content:
+          name: download-mode
+          mountPath: /etc/athens/config/download-mode.d
+      template: templates/deployment.yaml
+    - contains:
+        path: spec.template.spec.volumes
+        content:
+          name: download-mode
+          configMap:
+            items:
+            - key: "my-custom-download-mode-filename-key"
+              path: "download-mode"
+              mode: 0644
+            name: my-custom-configmap
+      template: templates/deployment.yaml
+
+- it: Rendering with custom download mode configMap, but without sha sum annotation
+  set:
+    config.downloadMode.enabled: true
+    config.downloadMode.addSHASumAnnotation: false
     config.downloadMode.existingConfigMap.enabled: true
     config.downloadMode.existingConfigMap.configMapName: "my-custom-configmap"
     config.downloadMode.existingConfigMap.downloadModeKey: "my-custom-download-mode-filename-key"
     persistence.enabled: true
   asserts:
     - notExists:
-        path: spec.template.metadata.annotations.checksum/config-map-athens-proxy-unittest-download-mode-file
+        path: spec.template.metadata.annotations.checksum/config-map-my-custom-configmap
       template: templates/deployment.yaml
     - contains:
         path: spec.template.spec.containers[0].env

unittests/deployments/env.yaml

@@ -35,10 +35,10 @@ tests:
             name: athens-proxy-unittest-env
       template: templates/deployment.yaml
 
-- it: Rendering default with mounted env secret
+- it: Rendering default with mounted env secret, but without sha sum annotation
   set:
     config.env.enabled: true
-    config.env.existingSecret.enabled: true
+    config.env.addSHASumAnnotation: false
   asserts:
     - notExists:
         path: spec.template.metadata.annotations.checksum/secret-athens-proxy-unittest-env
@@ -48,4 +48,37 @@ tests:
         content:
           secretRef:
             name: athens-proxy-unittest-env
+      template: templates/deployment.yaml
+
+- it: Rendering default with mounted existing env secret
+  set:
+    config.env.enabled: true
+    config.env.existingSecret.enabled: true
+    config.env.existingSecret.secretName: my-secret
+  asserts:
+    - exists:
+        path: spec.template.metadata.annotations.checksum/secret-my-secret
+      template: templates/deployment.yaml
+    - contains:
+        path: spec.template.spec.containers[0].envFrom
+        content:
+          secretRef:
+            name: my-secret
+      template: templates/deployment.yaml
+
+- it: Rendering default with mounted existing env secret, but without sha sum annotation
+  set:
+    config.env.enabled: true
+    config.env.addSHASumAnnotation: false
+    config.env.existingSecret.enabled: true
+    config.env.existingSecret.secretName: my-secret
+  asserts:
+    - notExists:
+        path: spec.template.metadata.annotations.checksum/secret-my-secret
+      template: templates/deployment.yaml
+    - contains:
+        path: spec.template.spec.containers[0].envFrom
+        content:
+          secretRef:
+            name: my-secret
       template: templates/deployment.yaml

unittests/deployments/gitConfig.yaml

@@ -41,6 +41,7 @@ tests:
 - it: Rendering default with mounted gitconfig configMap
   set:
     config.gitConfig.enabled: true
+    config.gitConfig.addSHASumAnnotation: true
     persistence.enabled: true
   asserts:
     - exists:
@@ -67,16 +68,80 @@ tests:
                 name: athens-proxy-unittest-gitconfig
       template: templates/deployment.yaml
 
+- it: Rendering default with mounted gitconfig configMap, but without sha sum annotation
+  set:
+    config.gitConfig.enabled: true
+    config.gitConfig.addSHASumAnnotation: false
+    persistence.enabled: true
+  asserts:
+    - notExists:
+        path: spec.template.metadata.annotations.checksum/config-map-athens-proxy-unittest-gitconfig
+      template: templates/deployment.yaml
+    - contains:
+        path: spec.template.spec.containers[0].volumeMounts
+        content:
+          name: secrets
+          mountPath: /root/.gitconfig
+          subPath: .gitconfig
+      template: templates/deployment.yaml
+    - contains:
+        path: spec.template.spec.volumes
+        content:
+          name: secrets
+          projected:
+            sources:
+            - configMap:
+                items:
+                - key: .gitconfig
+                  path: .gitconfig
+                  mode: 0644
+                name: athens-proxy-unittest-gitconfig
+      template: templates/deployment.yaml
+
 - it: Rendering with custom gitconfig configMap
   set:
     config.gitConfig.enabled: true
+    config.gitConfig.addSHASumAnnotation: true
+    config.gitConfig.existingConfigMap.enabled: true
+    config.gitConfig.existingConfigMap.configMapName: "my-custom-configmap"
+    config.gitConfig.existingConfigMap.gitConfigKey: "my-gitconfig-key"
+    persistence.enabled: true
+  asserts:
+    - exists:
+        path: spec.template.metadata.annotations.checksum/config-map-my-custom-configmap
+      template: templates/deployment.yaml
+    - contains:
+        path: spec.template.spec.containers[0].volumeMounts
+        content:
+          name: secrets
+          mountPath: /root/.gitconfig
+          subPath: .gitconfig
+      template: templates/deployment.yaml
+    - contains:
+        path: spec.template.spec.volumes
+        content:
+          name: secrets
+          projected:
+            sources:
+            - configMap:
+                items:
+                - key: my-gitconfig-key
+                  path: .gitconfig
+                  mode: 0644
+                name: my-custom-configmap
+      template: templates/deployment.yaml
+
+- it: Rendering with custom gitconfig configMap, but without sha sum annotations
+  set:
+    config.gitConfig.enabled: true
+    config.gitConfig.addSHASumAnnotation: false
     config.gitConfig.existingConfigMap.enabled: true
     config.gitConfig.existingConfigMap.configMapName: "my-custom-configmap"
     config.gitConfig.existingConfigMap.gitConfigKey: "my-gitconfig-key"
     persistence.enabled: true
   asserts:
     - notExists:
-        path: spec.template.metadata.annotations.checksum/config-map-athens-proxy-unittest-gitconfig
+        path: spec.template.metadata.annotations.checksum/config-map-my-custom-configmap
       template: templates/deployment.yaml
     - contains:
         path: spec.template.spec.containers[0].volumeMounts

unittests/deployments/netrc.yaml

@@ -40,6 +40,7 @@ tests:
 - it: Rendering default with mounted netrc secret
   set:
     config.netrc.enabled: true
+    config.netrc.addSHASumAnnotation: true
     persistence.enabled: true
   asserts:
     - exists:
@@ -66,16 +67,80 @@ tests:
                 name: athens-proxy-unittest-netrc
       template: templates/deployment.yaml
 
+- it: Rendering default with mounted netrc secret, but without sha sum annotation
+  set:
+    config.netrc.enabled: true
+    config.netrc.addSHASumAnnotation: false
+    persistence.enabled: true
+  asserts:
+    - notExists:
+        path: spec.template.metadata.annotations.checksum/secret-athens-proxy-unittest-netrc
+      template: templates/deployment.yaml
+    - contains:
+        path: spec.template.spec.containers[0].volumeMounts
+        content:
+          name: secrets
+          mountPath: /root/.netrc
+          subPath: .netrc
+      template: templates/deployment.yaml
+    - contains:
+        path: spec.template.spec.volumes
+        content:
+          name: secrets
+          projected:
+            sources:
+            - secret:
+                items:
+                - key: .netrc
+                  path: .netrc
+                  mode: 0600
+                name: athens-proxy-unittest-netrc
+      template: templates/deployment.yaml
+
 - it: Rendering with custom netrc secret
   set:
     config.netrc.enabled: true
+    config.netrc.addSHASumAnnotation: true
+    config.netrc.existingSecret.enabled: true
+    config.netrc.existingSecret.secretName: "my-custom-secret"
+    config.netrc.existingSecret.netrcKey: "my-netrc-key"
+    persistence.enabled: true
+  asserts:
+    - exists:
+        path: spec.template.metadata.annotations.checksum/secret-my-custom-secret
+      template: templates/deployment.yaml
+    - contains:
+        path: spec.template.spec.containers[0].volumeMounts
+        content:
+          name: secrets
+          mountPath: /root/.netrc
+          subPath: .netrc
+      template: templates/deployment.yaml
+    - contains:
+        path: spec.template.spec.volumes
+        content:
+          name: secrets
+          projected:
+            sources:
+            - secret:
+                items:
+                - key: my-netrc-key
+                  path: .netrc
+                  mode: 0600
+                name: my-custom-secret
+      template: templates/deployment.yaml
+
+- it: Rendering with custom netrc secret, but without sha sum annotation
+  set:
+    config.netrc.enabled: true
+    config.netrc.addSHASumAnnotation: false
     config.netrc.existingSecret.enabled: true
     config.netrc.existingSecret.secretName: "my-custom-secret"
     config.netrc.existingSecret.netrcKey: "my-netrc-key"
     persistence.enabled: true
   asserts:
     - notExists:
-        path: spec.template.metadata.annotations.checksum/secret-athens-proxy-unittest-netc
+        path: spec.template.metadata.annotations.checksum/secret-my-custom-secret
       template: templates/deployment.yaml
     - contains:
         path: spec.template.spec.containers[0].volumeMounts

unittests/deployments/ssh.yaml

@@ -107,6 +107,7 @@ tests:
 - it: Rendering default with mounted ssh keys
   set:
     config.ssh.enabled: true
+    config.ssh.addSHASumAnnotation: true
     config.ssh.secret.id_ed25519: foo
     config.ssh.secret.id_ed25519_pub: bar
     config.ssh.secret.id_rsa: foo
@@ -180,6 +181,7 @@ tests:
 - it: Rendering with custom ssh secret
   set:
     config.ssh.enabled: true
+    config.ssh.addSHASumAnnotation: true
     config.ssh.existingSecret.enabled: true
     config.ssh.existingSecret.secretName: "my-custom-secret"
     config.ssh.existingSecret.configKey : "my-config-key"
@@ -189,8 +191,8 @@ tests:
     config.ssh.existingSecret.id_rsaPubKey : "my-public-rsa-key"
     persistence.enabled: true
   asserts:
-    - notExists:
-        path: spec.template.metadata.annotations.checksum/secret-athens-proxy-unittest-ssh
+    - exists:
+        path: spec.template.metadata.annotations.checksum/secret-my-custom-secret
       template: templates/deployment.yaml
     - contains:
         path: spec.template.spec.containers[0].volumeMounts
@@ -251,4 +253,15 @@ tests:
                   path: id_rsa.pub
                   mode: 0644
                 name: my-custom-secret
+      template: templates/deployment.yaml
+
+- it: Rendering with custom ssh secret, but without sha sum annotation
+  set:
+    config.ssh.enabled: true
+    config.ssh.addSHASumAnnotation: false
+    config.ssh.existingSecret.enabled: true
+    config.ssh.existingSecret.secretName: "my-custom-secret"
+  asserts:
+    - notExists:
+        path: spec.template.metadata.annotations.checksum/secret-my-custom-secret
       template: templates/deployment.yaml

unittests/httpRoutes/httpRoute.yaml

@@ -0,0 +1,194 @@
+chart:
+  appVersion: 0.1.0
+  version: 0.1.0
+suite: HTTPRoute template
+release:
+  name: athens-proxy-unittest
+  namespace: testing
+templates:
+- templates/httpRoute.yaml
+tests:
+- it: Skip rendering when disabled 1/6
+  set:
+    gatewayAPI.enabled: false
+    gatewayAPI.core.httpRoute.enabled: false
+    service.enabled: false
+  asserts:
+  - hasDocuments:
+      count: 0
+
+- it: Skip rendering when disabled 2/6
+  set:
+    gatewayAPI.enabled: true
+    gatewayAPI.core.httpRoute.enabled: false
+    service.enabled: false
+  asserts:
+  - hasDocuments:
+      count: 0
+
+- it: Skip rendering when disabled 3/6
+  set:
+    gatewayAPI.enabled: false
+    gatewayAPI.core.httpRoute.enabled: true
+    service.enabled: false
+  asserts:
+  - hasDocuments:
+      count: 0
+
+- it: Skip rendering when disabled 4/6
+  set:
+    gatewayAPI.enabled: false
+    gatewayAPI.core.httpRoute.enabled: false
+    service.enabled: true
+  asserts:
+  - hasDocuments:
+      count: 0
+
+- it: Skip rendering when disabled 5/6
+  set:
+    gatewayAPI.enabled: true
+    gatewayAPI.core.httpRoute.enabled: false
+    service.enabled: true
+  asserts:
+  - hasDocuments:
+      count: 0
+
+- it: Skip rendering when disabled 6/6
+  set:
+    gatewayAPI.enabled: true
+    gatewayAPI.core.httpRoute.enabled: true
+    service.enabled: false
+  asserts:
+  - hasDocuments:
+      count: 0
+
+- it: Rendering default values
+  set:
+    gatewayAPI.enabled: true
+    gatewayAPI.core.httpRoute.enabled: true
+    service.enabled: true
+  asserts:
+  - hasDocuments:
+      count: 1
+  - containsDocument:
+      apiVersion: gateway.networking.k8s.io/v1
+      kind: HTTPRoute
+      name: athens-proxy-unittest
+      namespace: testing
+  - notExists:
+      path: metadata.annotations
+  - equal:
+      path: metadata.labels
+      value:
+        app.kubernetes.io/instance: athens-proxy-unittest
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: athens-proxy
+        app.kubernetes.io/version: 0.1.0
+        helm.sh/chart: athens-proxy-0.1.0
+  - notExists:
+      path: spec.hostnames
+  - notExists:
+      path: spec.parentRefs
+  - contains:
+      path: spec.rules[0].backendRefs
+      content:
+        kind: Service
+        name: athens-proxy-unittest
+        namespace: testing
+        port: 3000
+        weight: 1
+  - contains:
+      path: spec.rules[0].matches
+      content:
+        path:
+          type: PathPrefix
+          value: /
+
+- it: Rendering custom annotations and labels
+  set:
+    gatewayAPI.enabled: true
+    gatewayAPI.core.httpRoute:
+      enabled: true
+      annotations:
+        foo: bar
+      labels:
+        bar: foo
+    service.enabled: true
+  asserts:
+  - hasDocuments:
+      count: 1
+  - equal:
+      path: metadata.annotations
+      value:
+        foo: bar
+  - equal:
+      path: metadata.labels
+      value:
+        app.kubernetes.io/instance: athens-proxy-unittest
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: athens-proxy
+        app.kubernetes.io/version: 0.1.0
+        bar: foo
+        helm.sh/chart: athens-proxy-0.1.0
+
+- it: Rendering custom service port
+  set:
+    gatewayAPI.enabled: true
+    gatewayAPI.core.httpRoute.enabled: true
+    service:
+      enabled: true
+      port: 9090
+  asserts:
+  - equal:
+      path: spec.rules[0].backendRefs[0].port
+      value: 9090
+
+- it: Rendering custom matches
+  set:
+    gatewayAPI.enabled: true
+    gatewayAPI.core.httpRoute:
+      enabled: true
+      matches:
+      - path:
+          type: PathPrefix
+          value: /foo
+    service.enabled: true
+  asserts:
+  - contains:
+      path: spec.rules[0].matches
+      content:
+        path:
+          type: PathPrefix
+          value: /foo
+
+- it: Rendering custom hostnames and parentRefs
+  set:
+    gatewayAPI.enabled: true
+    gatewayAPI.core.httpRoute:
+      enabled: true
+      hostnames:
+      - athens-proxy.example.local
+      parentRefs:
+      - name: gateway
+        namespace: testing
+        kind: Gateway
+        sectionName: athens-proxy-debug-gateway
+    service.enabled: true
+  asserts:
+  - lengthEqual:
+      path: spec.hostnames
+      count: 1
+  - contains:
+      path: spec.hostnames
+      content:
+        athens-proxy.example.local
+  - lengthEqual:
+      path: spec.parentRefs
+      count: 1
+  - contains:
+      path: spec.parentRefs
+      content:
+        name: gateway
+        namespace: testing
+        kind: Gateway
+        sectionName: athens-proxy-debug-gateway

unittests/ingresses/ingress.yaml

@@ -15,7 +15,7 @@ tests:
 
 - it: Skip ingress, when service is disabled.
   set:
-    services.http.enabled: false
+    service.enabled: false
     ingress.enabled: true
   asserts:
   - hasDocuments:
@@ -65,7 +65,7 @@ tests:
             pathType: Prefix
             backend:
               service:
-                name: athens-proxy-unittest-http
+                name: athens-proxy-unittest
                 port:
                   number: 3000
   - contains:
@@ -92,7 +92,7 @@ tests:
     - secretName: athens-proxy-http-tls
       hosts:
       - athens-proxy.example.local
-    services.http.port: 8080
+    service.port: 8080
 
   asserts:
   - hasDocuments:
@@ -128,7 +128,7 @@ tests:
             pathType: Prefix
             backend:
               service:
-                name: athens-proxy-unittest-http
+                name: athens-proxy-unittest
                 port:
                   number: 8080
   - contains:

unittests/services/service.yaml

@@ -6,11 +6,11 @@ release:
   name: athens-proxy-unittest
   namespace: testing
 templates:
-- templates/serviceHTTP.yaml
+- templates/service.yaml
 tests:
 - it: Skip service when disabled.
   set:
-    services.http.enabled: false
+    service.enabled: false
   asserts:
   - hasDocuments:
       count: 0
@@ -22,7 +22,7 @@ tests:
   - containsDocument:
       apiVersion: v1
       kind: Service
-      name: athens-proxy-unittest-http
+      name: athens-proxy-unittest
       namespace: testing
   - notExists:
       path: metadata.annotations
@@ -75,37 +75,37 @@ tests:
 
 - it: Require internalTrafficPolicy.
   set:
-    services.http.internalTrafficPolicy: ""
+    service.internalTrafficPolicy: ""
   asserts:
   - failedTemplate:
       errorMessage: No internal traffic policy defined!
 
 - it: Require port.
   set:
-    services.http.port: ""
+    service.port: ""
   asserts:
   - failedTemplate:
       errorMessage: No service port defined!
 
 - it: Require sessionAffinity.
   set:
-    services.http.sessionAffinity: ""
+    service.sessionAffinity: ""
   asserts:
   - failedTemplate:
       errorMessage: No session affinity defined!
 
 - it: Require service type.
   set:
-    services.http.type: ""
+    service.type: ""
   asserts:
   - failedTemplate:
       errorMessage: No service type defined!
 
 - it: Render service with custom annotations and labels.
   set:
-    services.http.annotations:
+    service.annotations:
       foo: bar
-    services.http.labels:
+    service.labels:
       bar: foo
   asserts:
   - equal:
@@ -125,19 +125,19 @@ tests:
 
 - it: Change defaults
   set:
-    services.http.externalIPs:
+    service.externalIPs:
     - "10.11.12.13/32"
-    services.http.externalTrafficPolicy: Local
-    services.http.internalTrafficPolicy: Local
-    services.http.ipFamilies:
+    service.externalTrafficPolicy: Local
+    service.internalTrafficPolicy: Local
+    service.ipFamilies:
     - IPv4
-    services.http.loadBalancerClass: aws
-    services.http.loadBalancerIP: "11.12.13.14"
-    services.http.loadBalancerSourceRanges:
+    service.loadBalancerClass: aws
+    service.loadBalancerIP: "11.12.13.14"
+    service.loadBalancerSourceRanges:
     - "11.12.0.0/17"
-    services.http.port: 10443
-    services.http.sessionAffinity: ClientIP
-    services.http.type: LoadBalancer
+    service.port: 10443
+    service.sessionAffinity: ClientIP
+    service.type: LoadBalancer
   asserts:
   - equal:
       path: spec.externalIPs
@@ -171,4 +171,4 @@ tests:
       value: ClientIP
   - equal:
       path: spec.type
-      value: LoadBalancer
+      value: LoadBalancer

values.yaml

@@ -1,4 +1,5 @@
 # Declare variables to be passed into your templates.
+
 ## @section Global
 ## @param nameOverride Individual release name suffix.
 ## @param fullnameOverride Override the complete release name logic.
@@ -8,7 +9,9 @@ fullnameOverride: ""
 ## @section Certificate
 certificate:
   ## @param certificate.enabled Issue a TLS certificate via cert-manager. If enabled, the environment variables `ATHENS_TLSCERT_FILE` and `ATHENS_TLSKEY_FILE` will be automatically added.
+  ## @param certificate.addSHASumAnnotation Add an pod annotation with the sha sum of the secret containing the TLS certificates.
   enabled: false
+  addSHASumAnnotation: true
 
   ## @param certificate.existingSecret.enabled Use an existing secret of the type `kubernetes.io/tls`.
   ## @param certificate.existingSecret.secretName Name of the secret containing the TLS certificate and private key.
@@ -80,7 +83,9 @@ certificate:
 config:
   env:
     ## @param config.env.enabled Enable mounting of the secret as environment variables.
+    ## @param config.env.addSHASumAnnotation Add an pod annotation with the sha sum of the config map containing the configuration.
     enabled: false
+    addSHASumAnnotation: true
 
     ## @param config.env.existingSecret.enabled Mount an existing secret containing the application specific environment variables.
     ## @param config.env.existingSecret.secretName Name of the existing secret containing the application specific environment variables.
@@ -168,7 +173,9 @@ config:
 
   downloadMode:
     ## @param config.downloadMode.enabled Enable mounting of a download mode file into the container file system. If enabled, the env `ATHENS_DOWNLOAD_MODE` will automatically be defined.
+    ## @param config.downloadMode.addSHASumAnnotation Add an pod annotation with the sha sum of the config map containing the downloadMode config.
     enabled: false
+    addSHASumAnnotation: true
 
     ## @param config.downloadMode.existingConfigMap.enabled Enable to use an external config map for mounting the download mode file.
     ## @param config.downloadMode.existingConfigMap.configMapName The name of the existing config map which should be used to mount the download mode file.
@@ -204,7 +211,9 @@ config:
 
   gitConfig:
     ## @param config.gitConfig.enabled Enable mounting of a .gitconfig file into the container file system.
+    ## @param config.gitConfig.addSHASumAnnotation Add an pod annotation with the sha sum of the config map containing the git config.
     enabled: false
+    addSHASumAnnotation: true
 
     ## @param config.gitConfig.existingConfigMap.enabled Enable to use an external config map for mounting the .gitconfig file.
     ## @param config.gitConfig.existingConfigMap.configMapName The name of the existing config map which should be used to mount the .gitconfig file.
@@ -230,7 +239,9 @@ config:
 
   netrc:
     ## @param config.netrc.enabled Enable mounting of a .netrc file into the container file system.
+    ## @param config.netrc.addSHASumAnnotation Add an pod annotation with the sha sum of the secret containing the netrc file.
     enabled: false
+    addSHASumAnnotation: true
 
     ## @param config.netrc.existingSecret.enabled Enable to use an external secret for mounting the .netrc file.
     ## @param config.netrc.existingSecret.secretName The name of the existing secret which should be used to mount the .netrc file.
@@ -262,7 +273,9 @@ config:
 
   ssh:
     ## @param config.ssh.enabled Enable mounting of a .netrc file into the container file system.
+    ## @param config.ssh.addSHASumAnnotation Add an pod annotation with the sha sum of the secret containing the ssh keys.
     enabled: false
+    addSHASumAnnotation: true
 
     ## @param config.ssh.existingSecret.enabled Enable to use an external secret for mounting the public and private SSH key files.
     ## @param config.ssh.existingSecret.secretName The name of the existing secret which should be used to mount the public and private SSH key files.
@@ -403,6 +416,30 @@ deployment:
       tag: ""
       pullPolicy: IfNotPresent
 
+    ## @param deployment.athensProxy.livenessProbe.failureThreshold Minimum consecutive failures for the probe to be considered failed after having succeeded.
+    ## @param deployment.athensProxy.livenessProbe.initialDelaySeconds Number of seconds after the container has started before liveness probes are initiated.
+    ## @param deployment.athensProxy.livenessProbe.periodSeconds How often (in seconds) to perform the probe.
+    ## @param deployment.athensProxy.livenessProbe.successThreshold Minimum consecutive successes for the probe to be considered successful after having failed.
+    ## @param deployment.athensProxy.livenessProbe.timeoutSeconds Number of seconds after which the probe times out.
+    livenessProbe:
+      failureThreshold: 3
+      initialDelaySeconds: 5
+      periodSeconds: 60
+      successThreshold: 1
+      timeoutSeconds: 3
+
+    ## @param deployment.athensProxy.readinessProbe.failureThreshold Minimum consecutive failures for the probe to be considered failed after having succeeded.
+    ## @param deployment.athensProxy.readinessProbe.initialDelaySeconds Number of seconds after the container has started before liveness probes are initiated.
+    ## @param deployment.athensProxy.readinessProbe.periodSeconds How often (in seconds) to perform the probe.
+    ## @param deployment.athensProxy.readinessProbe.successThreshold Minimum consecutive successes for the probe to be considered successful after having failed.
+    ## @param deployment.athensProxy.readinessProbe.timeoutSeconds Number of seconds after which the probe times out.
+    readinessProbe:
+      failureThreshold: 3
+      initialDelaySeconds: 5
+      periodSeconds: 15
+      successThreshold: 1
+      timeoutSeconds: 3
+
     ## @param deployment.athensProxy.resources CPU and memory resources of the pod.
     resources: {}
       # limits:
@@ -484,6 +521,72 @@ deployment:
   #   secret:
   #     secretName: my-secret
 
+
+## @section GatewayAPI
+gatewayAPI:
+  ## @param gatewayAPI.enabled Enable the Gateway API resources. Requires Kubernetes v1.19 or higher, the CRD's and a compatible gateway controller.
+  enabled: false
+
+  core:
+    ## @param gatewayAPI.core.backendTLSPolicy.enabled Enable the BackendTLSPolicy resource. Requires also `gatewayAPI.enabled` to be `true`.
+    ## @param gatewayAPI.core.backendTLSPolicy.annotations Additional annotations for the BackendTLSPolicy.
+    ## @param gatewayAPI.core.backendTLSPolicy.labels Additional labels for the BackendTLSPolicy.
+    ## @param gatewayAPI.core.backendTLSPolicy.validation Validation configuration for the BackendTLSPolicy. For example, you can specify a trusted CA certificate to validate the TLS connection between the gateway and the athens-proxy pod.
+    backendTLSPolicy:
+      enabled: false
+      annotations: {}
+      labels: {}
+      validation: {}
+        # caCertificateRefs:
+        # - group: ""
+        #   kind: Secret
+        #   name: "athens-proxy-ca"
+        # hostname: "athens-proxy"
+
+    ## @param gatewayAPI.core.httpRoute.enabled Enable the HTTPRoute resource. Requires also `gatewayAPI.enabled` and `service.enabled` to be `true`.
+    ## @param gatewayAPI.core.httpRoute.annotations Additional annotations for the HTTPRoute.
+    ## @param gatewayAPI.core.httpRoute.labels Additional labels for the HTTPRoute.
+    ## @param gatewayAPI.core.httpRoute.hostnames Hostnames for the HTTPRoute.
+    ## @skip gatewayAPI.core.httpRoute.matches Match conditions for the HTTPRoute. You can specify path based match conditions to route traffic to the athens-proxy service.
+    ## @param gatewayAPI.core.httpRoute.parentRefs ParentRefs for the HTTPRoute. You can specify parentRefs to bind the HTTPRoute to specific Gateway resources.
+    httpRoute:
+      enabled: false
+      annotations: {}
+      labels: {}
+      hostnames: []
+      matches:
+      - path:
+          type: PathPrefix
+          value: /
+      parentRefs: []
+      # - name: gateway
+      #   kind: Gateway
+      #   group: gateway.networking.k8s.io
+      #   namespace: default
+      #   sectionName: athens-proxy-http
+
+  nginx:
+    ## @param gatewayAPI.nginx.clientSettingsPolicy.enabled Enable the ClientSettingsPolicy resource. Requires also `gatewayAPI.enabled` to be `true`.
+    ## @param gatewayAPI.nginx.clientSettingsPolicy.annotations Additional annotations for the ClientSettingsPolicy.
+    ## @param gatewayAPI.nginx.clientSettingsPolicy.labels Additional labels for the ClientSettingsPolicy.
+    ## @param gatewayAPI.nginx.clientSettingsPolicy.clientMaxBodySize ClientMaxBodySize sets the maximum allowed size of the client request body. If not specified, the default of the nginx gateway controller is used.
+    ## @param gatewayAPI.nginx.clientSettingsPolicy.clientBodyTimeout ClientBodyTimeout sets the timeout for reading the client request body. If not specified, the default of the nginx gateway controller is used.
+    ## @param gatewayAPI.nginx.clientSettingsPolicy.keepaliveRequests KeepaliveRequests sets the maximum number of requests that can be served through one keepalive connection. If not specified, the default of the nginx gateway controller is used.
+    ## @param gatewayAPI.nginx.clientSettingsPolicy.keepaliveTime KeepaliveTime sets the time a keepalive connection is kept open. If not specified, the default of the nginx gateway controller is used.
+    ## @param gatewayAPI.nginx.clientSettingsPolicy.keepaliveTimeout KeepaliveTimeout sets the time a client has to wait for the response of a request until the connection is closed. If not specified, the default of the nginx gateway controller is used.
+    ## @param gatewayAPI.nginx.clientSettingsPolicy.keepaliveMinTimeout KeepaliveMinTimeout sets the minimum time a client has to wait for the response of a request until the connection is closed. If not specified, the default of the nginx gateway controller is used.
+    clientSettingsPolicy:
+      enabled: false
+      annotations: {}
+      labels: {}
+      clientMaxBodySize: ""
+      clientBodyTimeout: ""
+      keepaliveRequests:
+      keepaliveTime: ""
+      keepaliveTimeout: ""
+      keepaliveMinTimeout: ""
+
+
 ## @section Horizontal Pod Autoscaler (HPA)
 # In order for the HPA to function successfully, a metric server is required, especially for resource consumption. The
 # metric server enables the CPU and memory utilisation to be recorded. If such a metric server is not available, the HPA
@@ -515,6 +618,7 @@ hpa:
   minReplicas: 1
   maxReplicas: 10
 
+
 ## @section Ingress
 ingress:
   ## @param ingress.enabled Enable creation of an ingress resource. Requires, that the http service is also enabled.
@@ -526,7 +630,7 @@ ingress:
   annotations: {}
   labels: {}
 
-  ## @param ingress.hosts Ingress specific configuration. Specification only required when another ingress controller is used instead of `t1k.
+  ## @param ingress.hosts Ingress specific configuration.
   ## @skip ingress.hosts Skip individual host configuration.
   hosts: []
   # - host: athens-proxy.example.local
@@ -534,7 +638,7 @@ ingress:
   #   - path: /
   #     pathType: Prefix
 
-  ## @param ingress.tls Ingress TLS settings. Specification only required when another ingress controller is used instead of `t1k``.
+  ## @param ingress.tls Ingress TLS settings.
   ## @skip ingress.tls Skip individual TLS configuration.
   tls: []
   # - secretName: athens-proxy-http-tls
@@ -645,36 +749,35 @@ networkPolicy:
   #     protocol: TCP
 
 ## @section Service
-## @param services.http.enabled Enable the service.
-## @param services.http.annotations Additional service annotations.
-## @param services.http.externalIPs External IPs for the service.
-## @param services.http.externalTrafficPolicy If `service.type` is `NodePort` or `LoadBalancer`, set this to `Local` to tell kube-proxy to only use node local endpoints for cluster external traffic. Furthermore, this enables source IP preservation.
-## @param services.http.internalTrafficPolicy If `service.type` is `NodePort` or `LoadBalancer`, set this to `Local` to tell kube-proxy to only use node local endpoints for cluster internal traffic.
-## @param services.http.ipFamilies IPFamilies is list of IP families (e.g. `IPv4`, `IPv6`) assigned to this service. This field is usually assigned automatically based on cluster configuration and only required for customization.
-## @param services.http.labels Additional service labels.
-## @param services.http.loadBalancerClass LoadBalancerClass is the class of the load balancer implementation this Service belongs to. Requires service from type `LoadBalancer`.
-## @param services.http.loadBalancerIP LoadBalancer will get created with the IP specified in this field. Requires service from type `LoadBalancer`.
-## @param services.http.loadBalancerSourceRanges Source range filter for LoadBalancer. Requires service from type `LoadBalancer`.
-## @param services.http.port Port to forward the traffic to.
-## @param services.http.sessionAffinity Supports `ClientIP` and `None`. Enable client IP based session affinity via `ClientIP`.
-## @param services.http.sessionAffinityConfig Contains the configuration of the session affinity.
-## @param services.http.type Kubernetes service type for the traffic.
-services:
-  http:
-    enabled: true
-    annotations: {}
-    externalIPs: []
-    externalTrafficPolicy: "Cluster"
-    internalTrafficPolicy: "Cluster"
-    ipFamilies: []
-    labels: {}
-    loadBalancerClass: ""
-    loadBalancerIP: ""
-    loadBalancerSourceRanges: []
-    port: 3000
-    sessionAffinity: "None"
-    sessionAffinityConfig: {}
-    type: "ClusterIP"
+## @param service.enabled Enable the service.
+## @param service.annotations Additional service annotations.
+## @param service.externalIPs External IPs for the service.
+## @param service.externalTrafficPolicy If `service.type` is `NodePort` or `LoadBalancer`, set this to `Local` to tell kube-proxy to only use node local endpoints for cluster external traffic. Furthermore, this enables source IP preservation.
+## @param service.internalTrafficPolicy If `service.type` is `NodePort` or `LoadBalancer`, set this to `Local` to tell kube-proxy to only use node local endpoints for cluster internal traffic.
+## @param service.ipFamilies IPFamilies is list of IP families (e.g. `IPv4`, `IPv6`) assigned to this service. This field is usually assigned automatically based on cluster configuration and only required for customization.
+## @param service.labels Additional service labels.
+## @param service.loadBalancerClass LoadBalancerClass is the class of the load balancer implementation this Service belongs to. Requires service from type `LoadBalancer`.
+## @param service.loadBalancerIP LoadBalancer will get created with the IP specified in this field. Requires service from type `LoadBalancer`.
+## @param service.loadBalancerSourceRanges Source range filter for LoadBalancer. Requires service from type `LoadBalancer`.
+## @param service.port Port to forward the traffic to.
+## @param service.sessionAffinity Supports `ClientIP` and `None`. Enable client IP based session affinity via `ClientIP`.
+## @param service.sessionAffinityConfig Contains the configuration of the session affinity.
+## @param service.type Kubernetes service type for the traffic.
+service:
+  enabled: true
+  annotations: {}
+  externalIPs: []
+  externalTrafficPolicy: "Cluster"
+  internalTrafficPolicy: "Cluster"
+  ipFamilies: []
+  labels: {}
+  loadBalancerClass: ""
+  loadBalancerIP: ""
+  loadBalancerSourceRanges: []
+  port: 3000
+  sessionAffinity: "None"
+  sessionAffinityConfig: {}
+  type: "ClusterIP"
 
 ## @section ServiceAccount
 serviceAccount: