volker.raschek/athens-proxy-charts
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity

Compare commits

base: volker.raschek:master
Branches Tags
volker.raschek:master volker.raschek:renovate/major-update-docker.iovolkerraschekhelm
volker.raschek:1.3.0 volker.raschek:1.2.1 volker.raschek:1.2.0 volker.raschek:1.1.1 volker.raschek:1.1.0 volker.raschek:1.0.3 volker.raschek:1.0.2 volker.raschek:1.0.1 volker.raschek:1.0.0 volker.raschek:0.2.1 volker.raschek:0.2.0 volker.raschek:0.1.5 volker.raschek:0.1.4 volker.raschek:0.1.3 volker.raschek:0.1.2 volker.raschek:0.1.1 volker.raschek:0.1.0
..
compare: volker.raschek:d7222794cad692823a906440780077d635a244d1
Branches Tags
volker.raschek:renovate/major-update-docker.iovolkerraschekhelm volker.raschek:master
volker.raschek:1.3.0 volker.raschek:1.2.1 volker.raschek:1.2.0 volker.raschek:1.1.1 volker.raschek:1.1.0 volker.raschek:1.0.3 volker.raschek:1.0.2 volker.raschek:1.0.1 volker.raschek:1.0.0 volker.raschek:0.2.1 volker.raschek:0.2.0 volker.raschek:0.1.5 volker.raschek:0.1.4 volker.raschek:0.1.3 volker.raschek:0.1.2 volker.raschek:0.1.1 volker.raschek:0.1.0

1 Commits
master ... d7222794ca

Author SHA1 Message Date
CSRBot
d7222794ca chore(deps): update docker.io/library/node docker tag to v25
All checks were successful
Generate README / generate-parameters (push) Successful in 42s
Details
Helm / helm-lint (push) Successful in 16s
Details
Helm / helm-unittest (push) Successful in 17s
Details
Markdown linter / markdown-link-checker (push) Successful in 32s
Details
Markdown linter / markdown-lint (push) Successful in 29s
Details
Generate README / generate-parameters (pull_request) Successful in 30s
Details
Helm / helm-lint (pull_request) Successful in 15s
Details
Helm / helm-unittest (pull_request) Successful in 16s
Details
Markdown linter / markdown-link-checker (pull_request) Successful in 31s
Details
Markdown linter / markdown-lint (pull_request) Successful in 28s
Details
2025-10-21 22:01:12 +00:00
16 changed files with 724 additions and 633 deletions
Expand all files Collapse all files

7
.gitea/workflows/generate-readme.yaml
View File

@@ -15,14 +15,15 @@ on:
jobs:
generate-parameters:
container:
image: docker.io/library/node:25.2.1-alpine
runs-on: ubuntu-latest
image: docker.io/library/node:25.0.0-alpine
runs-on:
- ubuntu-latest
steps:
- name: Install tooling
run: |
apk update
apk add git npm
- uses: actions/checkout@v6.0.1
- uses: actions/checkout@v5.0.0
- name: Generate parameter section in README
run: |
npm install

37
.gitea/workflows/helm.yaml
View File

@@ -12,26 +12,31 @@ on:
jobs:
helm-lint:
runs-on: ubuntu-latest
container:
image: docker.io/volkerraschek/helm:3.19.0
runs-on:
- ubuntu-latest
steps:
- uses: actions/checkout@v6.0.1
- uses: azure/setup-helm@v4.3.1
with:
version: v4.0.1 # renovate: datasource=github-releases depName=helm/helm
- name: Install tooling
run: |
apk update
apk add git npm
- uses: actions/checkout@v5.0.0
- name: Lint helm files
run: |
helm lint --values values.yaml .
helm-unittest:
runs-on: ubuntu-latest
container:
image: docker.io/volkerraschek/helm:3.19.0
runs-on:
- ubuntu-latest
steps:
- uses: actions/checkout@v6.0.1
- uses: azure/setup-helm@v4.3.1
with:
version: v4.0.1 # renovate: datasource=github-releases depName=helm/helm
- env:
HELM_UNITTEST_VERSION: v1.0.0 #renovate: datasource=github-releases depName=helm-unittest/helm-unittest
name: Install helm-unittest
run: helm plugin install --verify=false --version "${HELM_UNITTEST_VERSION}" https://github.com/helm-unittest/helm-unittest
- name: Execute helm unittests
run: helm unittest --strict --file 'unittests/**/*.yaml' .
- name: Install tooling
run: |
apk update
apk add git npm
- uses: actions/checkout@v5.0.0
- name: Unittest
run: |
helm unittest --strict --file 'unittests/**/*.yaml' ./

14
.gitea/workflows/markdown-linters.yaml
View File

@@ -15,14 +15,15 @@ on:
jobs:
markdown-link-checker:
container:
image: docker.io/library/node:25.2.1-alpine
runs-on: ubuntu-latest
image: docker.io/library/node:25.0.0-alpine
runs-on:
- ubuntu-latest
steps:
- name: Install tooling
run: |
apk update
apk add git npm
- uses: actions/checkout@v6.0.1
- uses: actions/checkout@v5.0.0
- name: Verify links in markdown files
run: |
npm install
@@ -30,14 +31,15 @@ jobs:
markdown-lint:
container:
image: docker.io/library/node:25.2.1-alpine
runs-on: ubuntu-latest
image: docker.io/library/node:25.0.0-alpine
runs-on:
- ubuntu-latest
steps:
- name: Install tooling
run: |
apk update
apk add git
- uses: actions/checkout@v6.0.1
- uses: actions/checkout@v5.0.0
- name: Lint markdown files
run: |
npm install

4
.gitea/workflows/release.yaml
View File

@@ -8,7 +8,7 @@ on:
jobs:
publish-chart:
container:
image: docker.io/volkerraschek/helm:3.19.2
image: docker.io/volkerraschek/helm:3.19.0
runs-on: ubuntu-latest
steps:
- name: Install packages via apk
@@ -16,7 +16,7 @@ jobs:
apk update
apk add git npm jq yq
- uses: actions/checkout@v6.0.1
- uses: actions/checkout@v5.0.0
with:
fetch-depth: 0

2
Makefile
View File

@@ -10,7 +10,7 @@ HELM_IMAGE_FULLY_QUALIFIED=${HELM_IMAGE_REGISTRY_HOST}/${HELM_IMAGE_REPOSITORY}:
# NODE_IMAGE
NODE_IMAGE_REGISTRY_HOST?=docker.io
NODE_IMAGE_REPOSITORY?=library/node
NODE_IMAGE_VERSION?=25.2.1-alpine # renovate: datasource=docker registryUrl=https://docker.io depName=docker.io/library/node packageName=library/node
NODE_IMAGE_VERSION?=25.0.0-alpine # renovate: datasource=docker registryUrl=https://docker.io depName=docker.io/library/node packageName=library/node
NODE_IMAGE_FULLY_QUALIFIED=${NODE_IMAGE_REGISTRY_HOST}/${NODE_IMAGE_REPOSITORY}:${NODE_IMAGE_VERSION}
# MISSING DOT

154
README.md
View File

@@ -1,4 +1,4 @@
# Athens - A Go module datastore and proxy
# athens-proxy-charts
[![Artifact Hub](https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/volker-raschek)](https://artifacthub.io/packages/search?repo=volker-raschek)
@@ -16,7 +16,10 @@ Chapter [configuration and installation](#helm-configuration-and-installation) d
helm and use it to deploy the exporter. It also contains further configuration examples.
Furthermore, this helm chart contains unit tests to detect regressions and stabilize the deployment. Additionally, this
helm chart is tested for deployment scenarios with **ArgoCD**.
helm chart is tested for deployment scenarios with **ArgoCD**, but please keep in mind, that this chart supports the
*[Automatically Roll Deployment](https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments)*
concept of Helm, which can trigger unexpected rolling releases. Further configuration instructions are described in a
separate [chapter](#argocd).
## Helm: configuration and installation
@@ -37,21 +40,21 @@ version of the chart must be in sync with the `values.yaml`. Newer *minor* versi
versions can break something!
```bash
CHART_VERSION=1.3.0
CHART_VERSION=1.1.1
helm show values volker.raschek/athens-proxy --version "${CHART_VERSION}" > values.yaml
```
A complete list of available helm chart versions can be displayed via the following command:
```bash
helm search repo athens-proxy --versions
helm search repo reposilite --versions
```
The helm chart also contains a persistent volume claim definition. It persistent volume claim is not enabled by default.
Use the `--set` argument to persist your data.
```bash
CHART_VERSION=1.3.0
CHART_VERSION=1.1.1
helm install --version "${CHART_VERSION}" athens-proxy volker.raschek/athens-proxy \
persistence.enabled=true
```
@@ -81,7 +84,7 @@ Further information about this topic can be found in one of Kanishk's blog
> Please take care the a CPU limit < `1000m` can also lead to CPU throttling. Please read the linked documentation carefully.
```bash
CHART_VERSION=1.3.0
CHART_VERSION=1.1.1
helm install --version "${CHART_VERSION}" athens-proxy volker.raschek/athens-proxy \
--set 'deployment.athensProxy.env.name=GOMAXPROCS' \
--set 'deployment.athensProxy.env.valueFrom.resourceFieldRef.resource=limits.cpu' \
@@ -101,7 +104,7 @@ The secret must be from type `kubernetes.io/tls`.
> `athens-proxy-ca` is present in the same namespace of the helm deployment.
```bash
CHART_VERSION=1.3.0
CHART_VERSION=1.1.1
helm install --version "${CHART_VERSION}" athens-proxy volker.raschek/athens-proxy \
--set 'config.certificate.enabled=true' \
--set 'config.certificate.new.issuerRef.kind=Issuer' \
@@ -120,13 +123,18 @@ before expiring.
Until the exporter does not support rotating TLS certificate a workaround can be applied. For example stakater's
[reloader](https://github.com/stakater/Reloader) controller can be used to trigger a rolling update. The following
annotation must be added to instruct the reloader controller to trigger a rolling update, when the mounted secret has
been changed.
annotation must be added to instruct the reloader controller to trigger a rolling update, when the mounted configMaps
and secrets have been changed.
> [!IMPORTANT]
> The Helm chart already adds annotations to trigger a rolling release. Helm describes this approach under
> [Automatically Roll Deployments](https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments).
> For this reason, **only external** configMaps or secrets need to be monitored by reloader.
```yaml
deployment:
annotations:
reloader.stakater.com/auto: "true"
```
Instead of triggering a rolling update for configMap and secret resources, this action can also be defined for
individual items. For example, when the secret named `athens-proxy-tls` is mounted and the reloader controller should
only listen for changes of this secret:
```yaml
deployment:
@@ -134,20 +142,6 @@ deployment:
secret.reloader.stakater.com/reload: "athens-proxy-tls"
```
If the application is rolled out using ArgoCD, a rolling update from stakater's
[reloader](https://github.com/stakater/Reloader) can lead to a drift. ArgoCD will attempt to restore the original state
with a rolling update. To avoid this, instead of a rolling update triggered by the reloader, a restart of the pod can be
initiated. Further information are available in the official
[README](https://github.com/stakater/Reloader?tab=readme-ov-file#4-%EF%B8%8F-workload-specific-rollout-strategy) of
stakater's reloader.
```diff
deployment:
annotations:
+ reloader.stakater.com/rollout-strategy: "restart"
secret.reloader.stakater.com/reload: "athens-proxy-tls"
```
#### Network policies
Network policies can only take effect, when the used CNI plugin support network policies. The chart supports no custom
@@ -183,9 +177,6 @@ networkPolicies:
protocol: TCP
- port: 53
protocol: UDP
- ports:
- port: 22
protocol: TCP
- ports:
- port: 443
protocol: TCP
@@ -205,51 +196,62 @@ networkPolicies:
## ArgoCD
### Example Application
### Daily execution of rolling updates
An application resource for the Helm chart is defined below. It serves as an example for your own deployment.
The behavior whereby ArgoCD triggers a rolling update even though nothing appears to have changed often occurs in
connection with the helm concept `checksum/secret`, `checksum/configmap` or more generally, [Automatically Roll
Deployments](https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments). Please ensure, that no
third party application modifies the config maps or secret afterwards.
```yaml
apiVersion: argoproj.io/v1alpha1
kind: Application
spec:
destination:
server: https://kubernetes.default.svc
namespace: athens-proxy
ignoreDifferences:
- group: apps
kind: Deployment
jqPathExpressions:
# When HPA is enabled, ensure that a modification of the replicas does not lead to a
# drift.
- '.spec.replicas'
# Ensure that changes of the annotations or environment variables added or modified by
# stakater's reloader does not lead to a drift.
- '.spec.template.metadata.annotations | with_entries(select(.key | startswith("reloader")))'
- '.spec.template.spec.containers[].env[] | select(.name | startswith("STAKATER_"))'
sources:
- repoURL: https://charts.cryptic.systems/volker.raschek
chart: athens-proxy
targetRevision: '0.*'
helm:
valueFiles:
- $values/values.yaml
releaseName: athens-proxy
syncPolicy:
automated:
prune: true
selfHeal: true
managedNamespaceMetadata:
annotations: {}
labels: {}
syncOptions:
- ApplyOutOfSyncOnly=true
- CreateNamespace=true
- FailOnSharedResource=false
- Replace=false
- RespectIgnoreDifferences=false
- ServerSideApply=true
- Validate=true
The problem with combining this concept with ArgoCD is that ArgoCD re-renders the Helm chart every time. Even if the
content of the config map or secret has not changed, there may be minimal differences (e.g., whitespace, chart version,
Helm render order, different timestamps).
This changes the SHA256 hash, Argo sees a drift and trigger a rolling update of the deployment. Among other things, this
can lead to unnecessary notifications from ArgoCD.
To avoid this, the annotation with the shasum can be ignored. However, this negates the mechanism of [Automatically Roll
Deployments](https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments).
Below is a diff that adds the `Application` to ignore all annotations with the prefix `checksum`.
> [!WARNING]
> Configurations of `ignoreDifferences` always refer to the determination of a drift and whether a possible sync is
> necessary. If the selected attributes should also be ignored in deployment afterwards, define
> `RespectIgnoreDifferences=true` in your `Application` resource. Further information can be found in the ArgoCD
> [documentation](https://argo-cd.readthedocs.io/en/latest/user-guide/sync-options/#respect-ignore-differences-configs).
```diff
apiVersion: argoproj.io/v1alpha1
kind: Application
spec:
+ ignoreDifferences:
+ - group: apps
+ kind: Deployment
+ jqPathExpressions:
+ - '.spec.template.metadata.annotations | with_entries(select(.key | startswith("checksum")))'
```
The definition of ignoreDifferences ensures that annotations with the prefix checksum are ignored during a diff.
> [!TIP]
> If the [reloader](https://github.com/stakater/Reloader) is configured as described in section [TLS certificate
> rotation](#tls-certificate-rotation), ensure that the shasum defined as annotation or environment variable is also
> ignored. The [reloader](https://github.com/stakater/Reloader) will modify the deployment based on his configuration
> and append additional annotations or environment variables containing the shasum. Below are some examples how to adapt
> the `ignoreDifferences` configuration to ignore only the annotations and environment variables of stakater's
> [reloader](https://github.com/stakater/Reloader).
```diff
apiVersion: argoproj.io/v1alpha1
kind: Application
spec:
ignoreDifferences:
- group: apps
kind: Deployment
jqPathExpressions:
+ - '.spec.template.metadata.annotations | with_entries(select(.key | startswith("reloader")))'
+ - '.spec.template.spec.containers[].env[] | select(.name | startswith("STAKATER_"))'
```
## Parameters
@@ -266,7 +268,6 @@ spec:
| Name | Description | Value |
| --------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------- |
| `certificate.enabled` | Issue a TLS certificate via cert-manager. If enabled, the environment variables `ATHENS_TLSCERT_FILE` and `ATHENS_TLSKEY_FILE` will be automatically added. | `false` |
| `certificate.addSHASumAnnotation` | Add an pod annotation with the sha sum of the secret containing the TLS certificates. | `true` |
| `certificate.existingSecret.enabled` | Use an existing secret of the type `kubernetes.io/tls`. | `false` |
| `certificate.existingSecret.secretName` | Name of the secret containing the TLS certificate and private key. | `""` |
| `certificate.new.annotations` | Additional certificate annotations. | `{}` |
@@ -297,35 +298,30 @@ spec:
| Name | Description | Value |
| ------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------- |
| `config.env.enabled` | Enable mounting of the secret as environment variables. | `false` |
| `config.env.addSHASumAnnotation` | Add an pod annotation with the sha sum of the config map containing the configuration. | `true` |
| `config.env.existingSecret.enabled` | Mount an existing secret containing the application specific environment variables. | `false` |
| `config.env.existingSecret.secretName` | Name of the existing secret containing the application specific environment variables. | `""` |
| `config.env.secret.annotations` | Additional annotations of the secret containing the database credentials. | `{}` |
| `config.env.secret.labels` | Additional labels of the secret containing the database credentials. | `{}` |
| `config.env.secret.envs` | List of environment variables stored in a secret and mounted into the container. | `{}` |
| `config.downloadMode.enabled` | Enable mounting of a download mode file into the container file system. If enabled, the env `ATHENS_DOWNLOAD_MODE` will automatically be defined. | `false` |
| `config.downloadMode.addSHASumAnnotation` | Add an pod annotation with the sha sum of the config map containing the downloadMode config. | `true` |
| `config.downloadMode.existingConfigMap.enabled` | Enable to use an external config map for mounting the download mode file. | `false` |
| `config.downloadMode.existingConfigMap.configMapName` | The name of the existing config map which should be used to mount the download mode file. | `""` |
| `config.downloadMode.existingConfigMap.downloadModeKey` | The name of the key inside the config map where the content of the download mode file is stored. | `downloadMode` |
| `config.downloadMode.configMap.annotations` | Additional annotations of the config map containing the download mode file. | `{}` |
| `config.downloadMode.configMap.labels` | Additional labels of the config map containing the download mode file. | `{}` |
| `config.gitConfig.enabled` | Enable mounting of a .gitconfig file into the container file system. | `false` |
| `config.gitConfig.addSHASumAnnotation` | Add an pod annotation with the sha sum of the config map containing the git config. | `true` |
| `config.gitConfig.existingConfigMap.enabled` | Enable to use an external config map for mounting the .gitconfig file. | `false` |
| `config.gitConfig.existingConfigMap.configMapName` | The name of the existing config map which should be used to mount the .gitconfig file. | `""` |
| `config.gitConfig.existingConfigMap.gitConfigKey` | The name of the key inside the config map where the content of the .gitconfig file is stored. | `nil` |
| `config.gitConfig.configMap.annotations` | Additional annotations of the config map containing the .gitconfig file. | `{}` |
| `config.gitConfig.configMap.labels` | Additional labels of the config map containing the .gitconfig file. | `{}` |
| `config.netrc.enabled` | Enable mounting of a .netrc file into the container file system. | `false` |
| `config.netrc.addSHASumAnnotation` | Add an pod annotation with the sha sum of the secret containing the netrc file. | `true` |
| `config.netrc.existingSecret.enabled` | Enable to use an external secret for mounting the .netrc file. | `false` |
| `config.netrc.existingSecret.secretName` | The name of the existing secret which should be used to mount the .netrc file. | `""` |
| `config.netrc.existingSecret.netrcKey` | The name of the key inside the secret where the content of the .netrc file is stored. | `.netrc` |
| `config.netrc.secret.annotations` | Additional annotations of the secret containing the database credentials. | `{}` |
| `config.netrc.secret.labels` | Additional labels of the secret containing the database credentials. | `{}` |
| `config.ssh.enabled` | Enable mounting of a .netrc file into the container file system. | `false` |
| `config.ssh.addSHASumAnnotation` | Add an pod annotation with the sha sum of the secret containing the ssh keys. | `true` |
| `config.ssh.existingSecret.enabled` | Enable to use an external secret for mounting the public and private SSH key files. | `false` |
| `config.ssh.existingSecret.secretName` | The name of the existing secret which should be used to mount the public and private SSH key files. | `""` |
| `config.ssh.existingSecret.configKey` | The name of the key inside the secret where the content of the SSH client config file is stored. | `config` |

749
package-lock.json generated
View File

File diff suppressed because it is too large Load Diff

2
package.json
View File

@@ -16,6 +16,6 @@
"devDependencies": {
"@bitnami/readme-generator-for-helm": "^2.5.0",
"markdown-link-check": "^3.13.6",
"markdownlint-cli": "^0.46.0"
"markdownlint-cli": "^0.45.0"
}
}

70
templates/_pod.tpl
View File

@@ -4,66 +4,24 @@
{{- define "athens-proxy.pod.annotations" }}
{{- include "athens-proxy.annotations" . }}
{{- if and .Values.certificate.enabled .Values.certificate.addSHASumAnnotation }}
{{- $secretName := include "athens-proxy.certificates.server.name" $ }}
{{- if and .Values.certificate.existingSecret.enabled (gt (len .Values.certificate.existingSecret.secretName) 0) }}
{{- $secretName = .Values.certificate.existingSecret.secretName }}
{{- if and .Values.config.env.enabled (not .Values.config.env.existingSecret.enabled) }}
{{ printf "checksum/secret-%s: %s" (include "athens-proxy.secrets.env.name" $) (include (print $.Template.BasePath "/secretEnv.yaml") . | sha256sum) }}
{{- end }}
{{- if and .Values.config.downloadMode.enabled (not .Values.config.downloadMode.existingConfigMap.enabled) }}
{{ printf "checksum/config-map-%s: %s" (include "athens-proxy.configMap.downloadMode.name" $) (include (print $.Template.BasePath "/configMapDownloadMode.yaml") . | sha256sum) }}
{{- end }}
{{- if and .Values.config.gitConfig.enabled (not .Values.config.gitConfig.existingConfigMap.enabled) }}
{{ printf "checksum/config-map-%s: %s" (include "athens-proxy.configMap.gitConfig.name" $) (include (print $.Template.BasePath "/configMapGitConfig.yaml") . | sha256sum) }}
{{- end }}
{{- if and .Values.config.netrc.enabled (not .Values.config.netrc.existingSecret.enabled) }}
{{ printf "checksum/secret-%s: %s" (include "athens-proxy.secrets.netrc.name" $) (include (print $.Template.BasePath "/secretNetRC.yaml") . | sha256sum) }}
{{- end }}
{{- if and .Values.config.ssh.enabled (not .Values.config.ssh.existingSecret.enabled) }}
{{ printf "checksum/secret-%s: %s" (include "athens-proxy.secrets.ssh.name" $) (include (print $.Template.BasePath "/secretSSH.yaml") . | sha256sum) }}
{{- end }}
{{- $secret := lookup "v1" "Secret" .Release.Namespace $secretName | toYaml }}
{{ printf "checksum/secret-%s: %s" $secretName ($secret | sha256sum) }}
{{- end }}
{{- if and .Values.config.env.enabled .Values.config.env.addSHASumAnnotation }}
{{- $secretName := include "athens-proxy.secrets.env.name" $ }}
{{- $secret := include (print $.Template.BasePath "/secretEnv.yaml") $ }}
{{- if and .Values.config.env.existingSecret.enabled (gt (len .Values.config.env.existingSecret.secretName) 0) }}
{{- $secretName = .Values.config.env.existingSecret.secretName }}
{{- $secret := lookup "v1" "Secret" .Release.Namespace $secretName | toYaml }}
{{- end }}
{{ printf "checksum/secret-%s: %s" $secretName ($secret | sha256sum) }}
{{- end }}
{{- if and .Values.config.downloadMode.enabled .Values.config.downloadMode.addSHASumAnnotation }}
{{- $configMapName := include "athens-proxy.configMap.downloadMode.name" $ }}
{{- $configMap := include (print $.Template.BasePath "/configMapDownloadMode.yaml") . }}
{{- if and .Values.config.downloadMode.existingConfigMap.enabled (gt (len .Values.config.downloadMode.existingConfigMap.configMapName) 0) }}
{{- $configMapName = .Values.config.downloadMode.existingConfigMap.configMapName }}
{{- $configMap := lookup "v1" "ConfigMap" .Release.Namespace $configMapName | toYaml }}
{{- end }}
{{ printf "checksum/config-map-%s: %s" $configMapName ($configMap | sha256sum) }}
{{- end }}
{{- if and .Values.config.gitConfig.enabled .Values.config.gitConfig.addSHASumAnnotation }}
{{- $configMapName := include "athens-proxy.configMap.gitConfig.name" $ }}
{{- $configMap := include (print $.Template.BasePath "/configMapGitConfig.yaml") . }}
{{- if and .Values.config.gitConfig.existingConfigMap.enabled (gt (len .Values.config.gitConfig.existingConfigMap.configMapName) 0) }}
{{- $configMapName = .Values.config.gitConfig.existingConfigMap.configMapName }}
{{- $configMap := lookup "v1" "ConfigMap" .Release.Namespace $configMapName | toYaml }}
{{- end }}
{{ printf "checksum/config-map-%s: %s" $configMapName ($configMap | sha256sum) }}
{{- end }}
{{- if and .Values.config.netrc.enabled .Values.config.netrc.addSHASumAnnotation }}
{{- $secretName := include "athens-proxy.secrets.netrc.name" $ }}
{{- $secret := include (print $.Template.BasePath "/secretNetRC.yaml") $ }}
{{- if and .Values.config.netrc.existingSecret.enabled (gt (len .Values.config.netrc.existingSecret.secretName) 0) }}
{{- $secretName = .Values.config.netrc.existingSecret.secretName }}
{{- $secret := lookup "v1" "Secret" .Release.Namespace $secretName | toYaml }}
{{- end }}
{{ printf "checksum/secret-%s: %s" $secretName ($secret | sha256sum) }}
{{- end }}
{{- if and .Values.config.ssh.enabled .Values.config.ssh.addSHASumAnnotation }}
{{- $secretName := include "athens-proxy.secrets.ssh.name" $ }}
{{- $secret := include (print $.Template.BasePath "/secretSSH.yaml") $ }}
{{- if and .Values.config.ssh.existingSecret.enabled (gt (len .Values.config.ssh.existingSecret.secretName) 0) }}
{{- $secretName = .Values.config.ssh.existingSecret.secretName }}
{{- $secret := lookup "v1" "Secret" .Release.Namespace $secretName | toYaml }}
{{- end }}
{{ printf "checksum/secret-%s: %s" $secretName ($secret | sha256sum) }}
{{- end }}
{{- end }}
{{/* labels */}}

38
unittests/deployment/certificate.yaml
View File

@@ -46,44 +46,6 @@ tests:
certificate.new.issuerRef.kind: ClusterIssuer
certificate.new.issuerRef.name: MyIssuer
asserts:
- exists:
path: spec.template.metadata.annotations["checksum/secret-athens-proxy-unittest-tls"]
template: templates/deployment.yaml
- contains:
path: spec.template.spec.containers[0].env
content:
name: ATHENS_TLSCERT_FILE
value: /etc/athens-proxy/tls/tls.crt
template: templates/deployment.yaml
- contains:
path: spec.template.spec.containers[0].env
content:
name: ATHENS_TLSKEY_FILE
value: /etc/athens-proxy/tls/tls.key
template: templates/deployment.yaml
- contains:
path: spec.template.spec.containers[0].volumeMounts
content:
name: tls
mountPath: /etc/athens-proxy/tls
template: templates/deployment.yaml
- contains:
path: spec.template.spec.volumes
content:
name: tls
secret:
secretName: athens-proxy-unittest-tls
template: templates/deployment.yaml
- it: Rendering with external TLS config
set:
certificate.enabled: true
certificate.existingSecret.enabled: true
certificate.existingSecret.secretName: my-own-secret
asserts:
- exists:
path: spec.template.metadata.annotations["checksum/secret-my-own-secret"]
template: templates/deployment.yaml
- contains:
path: spec.template.spec.containers[0].env
content:

74
unittests/deployment/downloadMode.yaml
View File

@@ -40,7 +40,6 @@ tests:
- it: Rendering default with mounted gitconfig configMap
set:
config.downloadMode.enabled: true
config.downloadMode.addSHASumAnnotation: true
persistence.enabled: true
asserts:
- exists:
@@ -70,87 +69,16 @@ tests:
name: athens-proxy-unittest-download-mode-file
template: templates/deployment.yaml
- it: Rendering default with mounted gitconfig configMap
set:
config.downloadMode.enabled: true
config.downloadMode.addSHASumAnnotation: false
persistence.enabled: true
asserts:
- notExists:
path: spec.template.metadata.annotations.checksum/config-map-athens-proxy-unittest-download-mode-file
template: templates/deployment.yaml
- contains:
path: spec.template.spec.containers[0].env
content:
name: ATHENS_DOWNLOAD_MODE
value: file:/etc/athens/config/download-mode.d/download-mode
template: templates/deployment.yaml
- contains:
path: spec.template.spec.containers[0].volumeMounts
content:
name: download-mode
mountPath: /etc/athens/config/download-mode.d
template: templates/deployment.yaml
- contains:
path: spec.template.spec.volumes
content:
name: download-mode
configMap:
items:
- key: downloadMode
mode: 0644
path: download-mode
name: athens-proxy-unittest-download-mode-file
template: templates/deployment.yaml
- it: Rendering with custom download mode configMap
set:
config.downloadMode.enabled: true
config.downloadMode.addSHASumAnnotation: true
config.downloadMode.existingConfigMap.enabled: true
config.downloadMode.existingConfigMap.configMapName: "my-custom-configmap"
config.downloadMode.existingConfigMap.downloadModeKey: "my-custom-download-mode-filename-key"
persistence.enabled: true
asserts:
- exists:
path: spec.template.metadata.annotations.checksum/config-map-my-custom-configmap
template: templates/deployment.yaml
- contains:
path: spec.template.spec.containers[0].env
content:
name: ATHENS_DOWNLOAD_MODE
value: file:/etc/athens/config/download-mode.d/download-mode
template: templates/deployment.yaml
- contains:
path: spec.template.spec.containers[0].volumeMounts
content:
name: download-mode
mountPath: /etc/athens/config/download-mode.d
template: templates/deployment.yaml
- contains:
path: spec.template.spec.volumes
content:
name: download-mode
configMap:
items:
- key: "my-custom-download-mode-filename-key"
path: "download-mode"
mode: 0644
name: my-custom-configmap
template: templates/deployment.yaml
- it: Rendering with custom download mode configMap, but without sha sum annotation
set:
config.downloadMode.enabled: true
config.downloadMode.addSHASumAnnotation: false
config.downloadMode.existingConfigMap.enabled: true
config.downloadMode.existingConfigMap.configMapName: "my-custom-configmap"
config.downloadMode.existingConfigMap.downloadModeKey: "my-custom-download-mode-filename-key"
persistence.enabled: true
asserts:
- notExists:
path: spec.template.metadata.annotations.checksum/config-map-my-custom-configmap
path: spec.template.metadata.annotations.checksum/config-map-athens-proxy-unittest-download-mode-file
template: templates/deployment.yaml
- contains:
path: spec.template.spec.containers[0].env

37
unittests/deployment/env.yaml
View File

@@ -35,10 +35,10 @@ tests:
name: athens-proxy-unittest-env
template: templates/deployment.yaml
- it: Rendering default with mounted env secret, but without sha sum annotation
- it: Rendering default with mounted env secret
set:
config.env.enabled: true
config.env.addSHASumAnnotation: false
config.env.existingSecret.enabled: true
asserts:
- notExists:
path: spec.template.metadata.annotations.checksum/secret-athens-proxy-unittest-env
@@ -48,37 +48,4 @@ tests:
content:
secretRef:
name: athens-proxy-unittest-env
template: templates/deployment.yaml
- it: Rendering default with mounted existing env secret
set:
config.env.enabled: true
config.env.existingSecret.enabled: true
config.env.existingSecret.secretName: my-secret
asserts:
- exists:
path: spec.template.metadata.annotations.checksum/secret-my-secret
template: templates/deployment.yaml
- contains:
path: spec.template.spec.containers[0].envFrom
content:
secretRef:
name: my-secret
template: templates/deployment.yaml
- it: Rendering default with mounted existing env secret, but without sha sum annotation
set:
config.env.enabled: true
config.env.addSHASumAnnotation: false
config.env.existingSecret.enabled: true
config.env.existingSecret.secretName: my-secret
asserts:
- notExists:
path: spec.template.metadata.annotations.checksum/secret-my-secret
template: templates/deployment.yaml
- contains:
path: spec.template.spec.containers[0].envFrom
content:
secretRef:
name: my-secret
template: templates/deployment.yaml

67
unittests/deployment/gitConfig.yaml
View File

@@ -41,7 +41,6 @@ tests:
- it: Rendering default with mounted gitconfig configMap
set:
config.gitConfig.enabled: true
config.gitConfig.addSHASumAnnotation: true
persistence.enabled: true
asserts:
- exists:
@@ -68,80 +67,16 @@ tests:
name: athens-proxy-unittest-gitconfig
template: templates/deployment.yaml
- it: Rendering default with mounted gitconfig configMap, but without sha sum annotation
set:
config.gitConfig.enabled: true
config.gitConfig.addSHASumAnnotation: false
persistence.enabled: true
asserts:
- notExists:
path: spec.template.metadata.annotations.checksum/config-map-athens-proxy-unittest-gitconfig
template: templates/deployment.yaml
- contains:
path: spec.template.spec.containers[0].volumeMounts
content:
name: secrets
mountPath: /root/.gitconfig
subPath: .gitconfig
template: templates/deployment.yaml
- contains:
path: spec.template.spec.volumes
content:
name: secrets
projected:
sources:
- configMap:
items:
- key: .gitconfig
path: .gitconfig
mode: 0644
name: athens-proxy-unittest-gitconfig
template: templates/deployment.yaml
- it: Rendering with custom gitconfig configMap
set:
config.gitConfig.enabled: true
config.gitConfig.addSHASumAnnotation: true
config.gitConfig.existingConfigMap.enabled: true
config.gitConfig.existingConfigMap.configMapName: "my-custom-configmap"
config.gitConfig.existingConfigMap.gitConfigKey: "my-gitconfig-key"
persistence.enabled: true
asserts:
- exists:
path: spec.template.metadata.annotations.checksum/config-map-my-custom-configmap
template: templates/deployment.yaml
- contains:
path: spec.template.spec.containers[0].volumeMounts
content:
name: secrets
mountPath: /root/.gitconfig
subPath: .gitconfig
template: templates/deployment.yaml
- contains:
path: spec.template.spec.volumes
content:
name: secrets
projected:
sources:
- configMap:
items:
- key: my-gitconfig-key
path: .gitconfig
mode: 0644
name: my-custom-configmap
template: templates/deployment.yaml
- it: Rendering with custom gitconfig configMap, but without sha sum annotations
set:
config.gitConfig.enabled: true
config.gitConfig.addSHASumAnnotation: false
config.gitConfig.existingConfigMap.enabled: true
config.gitConfig.existingConfigMap.configMapName: "my-custom-configmap"
config.gitConfig.existingConfigMap.gitConfigKey: "my-gitconfig-key"
persistence.enabled: true
asserts:
- notExists:
path: spec.template.metadata.annotations.checksum/config-map-my-custom-configmap
path: spec.template.metadata.annotations.checksum/config-map-athens-proxy-unittest-gitconfig
template: templates/deployment.yaml
- contains:
path: spec.template.spec.containers[0].volumeMounts

67
unittests/deployment/netrc.yaml
View File

@@ -40,7 +40,6 @@ tests:
- it: Rendering default with mounted netrc secret
set:
config.netrc.enabled: true
config.netrc.addSHASumAnnotation: true
persistence.enabled: true
asserts:
- exists:
@@ -67,80 +66,16 @@ tests:
name: athens-proxy-unittest-netrc
template: templates/deployment.yaml
- it: Rendering default with mounted netrc secret, but without sha sum annotation
set:
config.netrc.enabled: true
config.netrc.addSHASumAnnotation: false
persistence.enabled: true
asserts:
- notExists:
path: spec.template.metadata.annotations.checksum/secret-athens-proxy-unittest-netrc
template: templates/deployment.yaml
- contains:
path: spec.template.spec.containers[0].volumeMounts
content:
name: secrets
mountPath: /root/.netrc
subPath: .netrc
template: templates/deployment.yaml
- contains:
path: spec.template.spec.volumes
content:
name: secrets
projected:
sources:
- secret:
items:
- key: .netrc
path: .netrc
mode: 0600
name: athens-proxy-unittest-netrc
template: templates/deployment.yaml
- it: Rendering with custom netrc secret
set:
config.netrc.enabled: true
config.netrc.addSHASumAnnotation: true
config.netrc.existingSecret.enabled: true
config.netrc.existingSecret.secretName: "my-custom-secret"
config.netrc.existingSecret.netrcKey: "my-netrc-key"
persistence.enabled: true
asserts:
- exists:
path: spec.template.metadata.annotations.checksum/secret-my-custom-secret
template: templates/deployment.yaml
- contains:
path: spec.template.spec.containers[0].volumeMounts
content:
name: secrets
mountPath: /root/.netrc
subPath: .netrc
template: templates/deployment.yaml
- contains:
path: spec.template.spec.volumes
content:
name: secrets
projected:
sources:
- secret:
items:
- key: my-netrc-key
path: .netrc
mode: 0600
name: my-custom-secret
template: templates/deployment.yaml
- it: Rendering with custom netrc secret, but without sha sum annotation
set:
config.netrc.enabled: true
config.netrc.addSHASumAnnotation: false
config.netrc.existingSecret.enabled: true
config.netrc.existingSecret.secretName: "my-custom-secret"
config.netrc.existingSecret.netrcKey: "my-netrc-key"
persistence.enabled: true
asserts:
- notExists:
path: spec.template.metadata.annotations.checksum/secret-my-custom-secret
path: spec.template.metadata.annotations.checksum/secret-athens-proxy-unittest-netc
template: templates/deployment.yaml
- contains:
path: spec.template.spec.containers[0].volumeMounts

17
unittests/deployment/ssh.yaml
View File

@@ -107,7 +107,6 @@ tests:
- it: Rendering default with mounted ssh keys
set:
config.ssh.enabled: true
config.ssh.addSHASumAnnotation: true
config.ssh.secret.id_ed25519: foo
config.ssh.secret.id_ed25519_pub: bar
config.ssh.secret.id_rsa: foo
@@ -181,7 +180,6 @@ tests:
- it: Rendering with custom ssh secret
set:
config.ssh.enabled: true
config.ssh.addSHASumAnnotation: true
config.ssh.existingSecret.enabled: true
config.ssh.existingSecret.secretName: "my-custom-secret"
config.ssh.existingSecret.configKey : "my-config-key"
@@ -191,8 +189,8 @@ tests:
config.ssh.existingSecret.id_rsaPubKey : "my-public-rsa-key"
persistence.enabled: true
asserts:
- exists:
path: spec.template.metadata.annotations.checksum/secret-my-custom-secret
- notExists:
path: spec.template.metadata.annotations.checksum/secret-athens-proxy-unittest-ssh
template: templates/deployment.yaml
- contains:
path: spec.template.spec.containers[0].volumeMounts
@@ -253,15 +251,4 @@ tests:
path: id_rsa.pub
mode: 0644
name: my-custom-secret
template: templates/deployment.yaml
- it: Rendering with custom ssh secret, but without sha sum annotation
set:
config.ssh.enabled: true
config.ssh.addSHASumAnnotation: false
config.ssh.existingSecret.enabled: true
config.ssh.existingSecret.secretName: "my-custom-secret"
asserts:
- notExists:
path: spec.template.metadata.annotations.checksum/secret-my-custom-secret
template: templates/deployment.yaml

18
values.yaml
View File

@@ -8,9 +8,7 @@ fullnameOverride: ""
## @section Certificate
certificate:
## @param certificate.enabled Issue a TLS certificate via cert-manager. If enabled, the environment variables `ATHENS_TLSCERT_FILE` and `ATHENS_TLSKEY_FILE` will be automatically added.
## @param certificate.addSHASumAnnotation Add an pod annotation with the sha sum of the secret containing the TLS certificates.
enabled: false
addSHASumAnnotation: true
## @param certificate.existingSecret.enabled Use an existing secret of the type `kubernetes.io/tls`.
## @param certificate.existingSecret.secretName Name of the secret containing the TLS certificate and private key.
@@ -82,9 +80,7 @@ certificate:
config:
env:
## @param config.env.enabled Enable mounting of the secret as environment variables.
## @param config.env.addSHASumAnnotation Add an pod annotation with the sha sum of the config map containing the configuration.
enabled: false
addSHASumAnnotation: true
## @param config.env.existingSecret.enabled Mount an existing secret containing the application specific environment variables.
## @param config.env.existingSecret.secretName Name of the existing secret containing the application specific environment variables.
@@ -172,9 +168,7 @@ config:
downloadMode:
## @param config.downloadMode.enabled Enable mounting of a download mode file into the container file system. If enabled, the env `ATHENS_DOWNLOAD_MODE` will automatically be defined.
## @param config.downloadMode.addSHASumAnnotation Add an pod annotation with the sha sum of the config map containing the downloadMode config.
enabled: false
addSHASumAnnotation: true
## @param config.downloadMode.existingConfigMap.enabled Enable to use an external config map for mounting the download mode file.
## @param config.downloadMode.existingConfigMap.configMapName The name of the existing config map which should be used to mount the download mode file.
@@ -210,9 +204,7 @@ config:
gitConfig:
## @param config.gitConfig.enabled Enable mounting of a .gitconfig file into the container file system.
## @param config.gitConfig.addSHASumAnnotation Add an pod annotation with the sha sum of the config map containing the git config.
enabled: false
addSHASumAnnotation: true
## @param config.gitConfig.existingConfigMap.enabled Enable to use an external config map for mounting the .gitconfig file.
## @param config.gitConfig.existingConfigMap.configMapName The name of the existing config map which should be used to mount the .gitconfig file.
@@ -238,9 +230,7 @@ config:
netrc:
## @param config.netrc.enabled Enable mounting of a .netrc file into the container file system.
## @param config.netrc.addSHASumAnnotation Add an pod annotation with the sha sum of the secret containing the netrc file.
enabled: false
addSHASumAnnotation: true
## @param config.netrc.existingSecret.enabled Enable to use an external secret for mounting the .netrc file.
## @param config.netrc.existingSecret.secretName The name of the existing secret which should be used to mount the .netrc file.
@@ -272,9 +262,7 @@ config:
ssh:
## @param config.ssh.enabled Enable mounting of a .netrc file into the container file system.
## @param config.ssh.addSHASumAnnotation Add an pod annotation with the sha sum of the secret containing the ssh keys.
enabled: false
addSHASumAnnotation: true
## @param config.ssh.existingSecret.enabled Enable to use an external secret for mounting the public and private SSH key files.
## @param config.ssh.existingSecret.secretName The name of the existing secret which should be used to mount the public and private SSH key files.
@@ -602,12 +590,6 @@ networkPolicy:
# - Egress
# - Ingress
egress: []
# Allow outgoing SSH traffic to Source Code Control System's (SCCS') like GitHub or GitLab.
#
# - ports:
# - port: 22
# protocol: TCP
# Allow outgoing HTTPS traffic to external go module servers
#
# - ports: