fix(ci): disable .prov file upload for Gitea

Reviewed-on: #89

.gitea/scripts/add-annotations.sh

@@ -1,60 +1,65 @@
 #!/bin/bash
 
-set -e
+set -e -o pipefail
 
-CHART_FILE="Chart.yaml"
-if [ ! -f "${CHART_FILE}" ]; then
-  echo "ERROR: ${CHART_FILE} not found!" 1>&2
+chart_file="Chart.yaml"
+if [ ! -f "${chart_file}" ]; then
+  echo "ERROR: ${chart_file} not found!" 1>&2
   exit 1
 fi
 
-DEFAULT_NEW_TAG="$(git describe --abbrev=0)"
-DEFAULT_OLD_TAG="$(git describe --abbrev=0 --tags "$(git rev-list --tags --skip=1 --max-count=1)")"
+default_new_tag="$(git tag --sort=-version:refname | head -n 1)"
+default_old_tag="$(git tag --sort=-version:refname | head -n 2 | tail -n 1)"
 
 if [ -z "${1}" ]; then
-  read -p "Enter start tag [${DEFAULT_OLD_TAG}]: " OLD_TAG
-  if [ -z "${OLD_TAG}" ]; then
-    OLD_TAG="${DEFAULT_OLD_TAG}"
+  echo "Enter start tag [${default_old_tag}]:"
+  read -r old_tag
+  if [ -z "${old_tag}" ]; then
+    old_tag="${default_old_tag}"
   fi
 
-  while [ -z "$(git tag --list "${OLD_TAG}")" ]; do
-    echo "ERROR: Tag '${OLD_TAG}' not found!" 1>&2
-    read -p "Enter start tag [${DEFAULT_OLD_TAG}]: " OLD_TAG
-    if [ -z "${OLD_TAG}" ]; then
-      OLD_TAG="${DEFAULT_OLD_TAG}"
+  while [ -z "$(git tag --list "${old_tag}")" ]; do
+    echo "ERROR: Tag '${old_tag}' not found!" 1>&2
+    echo "Enter start tag [${default_old_tag}]:"
+    read -r old_tag
+    if [ -z "${old_tag}" ]; then
+      old_tag="${default_old_tag}"
     fi
   done
 else
-  OLD_TAG=${1}
-  if [ -z "$(git tag --list "${OLD_TAG}")" ]; then
-    echo "ERROR: Tag '${OLD_TAG}' not found!" 1>&2
+  old_tag=${1}
+  if [ -z "$(git tag --list "${old_tag}")" ]; then
+    echo "ERROR: Tag '${old_tag}' not found!" 1>&2
     exit 1
   fi
 fi
 
 if [ -z "${2}" ]; then
-  read -p "Enter end tag [${DEFAULT_NEW_TAG}]: " NEW_TAG
-  if [ -z "${NEW_TAG}" ]; then
-    NEW_TAG="${DEFAULT_NEW_TAG}"
+  echo "Enter end tag [${default_new_tag}]:"
+  read -r new_tag
+  if [ -z "${new_tag}" ]; then
+    new_tag="${default_new_tag}"
   fi
 
-  while [ -z "$(git tag --list "${NEW_TAG}")" ]; do
-    echo "ERROR: Tag '${NEW_TAG}' not found!" 1>&2
-    read -p "Enter end tag [${DEFAULT_NEW_TAG}]: " NEW_TAG
-    if [ -z "${NEW_TAG}" ]; then
-      NEW_TAG="${DEFAULT_NEW_TAG}"
+  while [ -z "$(git tag --list "${new_tag}")" ]; do
+    echo "ERROR: Tag '${new_tag}' not found!" 1>&2
+    echo "Enter end tag [${default_new_tag}]:"
+    read -r new_tag
+    if [ -z "${new_tag}" ]; then
+      new_tag="${default_new_tag}"
     fi
   done
 else
-  NEW_TAG=${2}
+  new_tag=${2}
 
-  if [ -z "$(git tag --list "${NEW_TAG}")" ]; then
-    echo "ERROR: Tag '${NEW_TAG}' not found!" 1>&2
+  if [ -z "$(git tag --list "${new_tag}")" ]; then
+    echo "ERROR: Tag '${new_tag}' not found!" 1>&2
     exit 1
   fi
 fi
 
-YAML_FILE=$(mktemp)
+change_log_yaml=$(mktemp)
+echo "[]" > "${change_log_yaml}"
 
 function map_type_to_kind() {
   case "${1}" in
@@ -79,28 +84,42 @@ function map_type_to_kind() {
   esac
 }
 
-COMMIT_TITLES=$(git log "${OLD_TAG}..${NEW_TAG}" --pretty=format:"%s")
+commit_titles="$(git log --pretty=format:"%s" "${old_tag}..${new_tag}")"
+
+echo "INFO: Generate change log entries from ${old_tag} until ${new_tag}"
 
 while IFS= read -r line; do
   if [[ "${line}" =~ ^([a-zA-Z]+)(\([^\)]+\))?\:\ (.+)$ ]]; then
-    TYPE="${BASH_REMATCH[1]}"
+    type="${BASH_REMATCH[1]}"
+    kind=$(map_type_to_kind "${type}")
 
-    if [ "${TYPE}" == "skip" ]; then
+    if [ "${kind}" == "skip" ]; then
       continue
     fi
 
-    DESC="${BASH_REMATCH[3]}"
-    KIND=$(map_type_to_kind "${TYPE}")
+    desc="${BASH_REMATCH[3]}"
+
+    echo "- ${kind}: ${desc}"
+
+    jq --arg kind "${kind}" --arg description "${desc}" '. += [ $ARGS.named ]' < "${change_log_yaml}" > "${change_log_yaml}.new"
+    mv "${change_log_yaml}.new" "${change_log_yaml}"
 
-    yq --inplace ". += [ {\"kind\": \"${KIND}\", \"description\": \"${DESC}\"}]" "${YAML_FILE}"
   fi
-done <<< "${COMMIT_TITLES}"
+done <<< "${commit_titles}"
 
-if [ -s "${YAML_FILE}" ]; then
-  yq --no-colors --inplace ".annotations.\"artifacthub.io/changes\" |= loadstr(\"${YAML_FILE}\") | sort_keys(.)" "${CHART_FILE}"
+if [ -s "${change_log_yaml}" ]; then
+  yq --inplace --input-format json --output-format yml "${change_log_yaml}"
+  yq --no-colors --inplace ".annotations.\"artifacthub.io/changes\" |= loadstr(\"${change_log_yaml}\") | sort_keys(.)" "${chart_file}"
 else
-  echo "ERROR: Changelog file is empty: ${YAML_FILE}" 1>&2
+  echo "ERROR: Changelog file is empty: ${change_log_yaml}" 1>&2
   exit 1
 fi
 
-rm "${YAML_FILE}"
+rm "${change_log_yaml}"
+
+regexp=".*-alpha-[0-9]+(\.[0-9]+){,2}$"
+if [[ "${new_tag}" =~ $regexp ]]; then
+  yq --inplace '.annotations."artifacthub.io/prerelease" = "true"' "${chart_file}"
+else
+  yq --inplace '.annotations."artifacthub.io/prerelease" = "false"' "${chart_file}"
+fi

.gitea/workflows/artifacthub-metadata.yaml

@@ -0,0 +1,41 @@
+name: Upload ArtifactHub Metadata
+
+on:
+  schedule:
+    - cron: '0 3 1 * *'
+  workflow_dispatch:
+
+jobs:
+  upload-metadata:
+    name: "Upload artifacthub-repo.yml to OCI registry"
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v6.0.2
+    - uses: docker/login-action@v4.1.0
+      with:
+        registry: ${{ github.server_url }}
+        username: ${{ github.repository_owner }}
+        password: ${{ secrets.GIT_CRYPTIC_SYSTEMS_PACKAGE_REGISTRY_TOKEN }}
+    - uses: oras-project/setup-oras@v2.0.0
+      with:
+        version: 1.3.2 # renovate: datasource=github-tags depName=oras-project/oras extractVersion='^v?(?<version>.*)$'
+    - name: Extract meta information
+      run: |
+        echo "GITEA_SERVER_HOSTNAME=$(echo "${GITHUB_SERVER_URL}" | cut -d '/' -f 3)" >> $GITHUB_ENV
+        echo "PACKAGE_VERSION=${GITHUB_REF#refs/tags/}" >> $GITHUB_ENV
+        echo "REPOSITORY_NAME=$(echo ${GITHUB_REPOSITORY} | cut -d '/' -f 2 | sed --regexp-extended 's/-charts?//g')" >> $GITHUB_ENV
+        echo "REPOSITORY_OWNER=$(echo ${GITHUB_REPOSITORY} | cut -d '/' -f 1)" >> $GITHUB_ENV
+    - name: Push artifacthub-repo.yml
+      run: |
+        oras push ${GITEA_SERVER_HOSTNAME}/${REPOSITORY_OWNER}/${REPOSITORY_NAME}:artifacthub.io \
+          --config /dev/null:application/vnd.cncf.artifacthub.config.v1+yaml \
+          artifacthub-repo.yml:application/vnd.cncf.artifacthub.repository-metadata.layer.v1.yaml
+    - name: Push public cosign key
+      env:
+        COSIGN_PUBLIC_KEY: ${{ vars.COSIGN_PUBLIC_KEY }}
+      run: |
+        echo "${COSIGN_PUBLIC_KEY}" > cosign.pub
+        oras push ${GITEA_SERVER_HOSTNAME}/${REPOSITORY_OWNER}/${REPOSITORY_NAME}:cosign.pub \
+          --artifact-type application/vnd.dev.cosign.public-key.v1 \
+          --annotation org.opencontainers.image.title=cosign.pub \
+          cosign.pub:application/vnd.dev.cosign.public-key.v1

.gitea/workflows/generate-readme.yaml

@@ -15,15 +15,14 @@ on:
 jobs:
   generate-parameters:
     container:
-      image: docker.io/library/node:24.1.0-alpine
-    runs-on:
-    - ubuntu-latest
+      image: docker.io/library/node:25.9.0-alpine
+    runs-on: ubuntu-latest
     steps:
     - name: Install tooling
       run: |
         apk update
         apk add git npm
-    - uses: actions/checkout@v4.2.2
+    - uses: actions/checkout@v6.0.2
     - name: Generate parameter section in README
       run: |
         npm install

.gitea/workflows/helm.yaml

@@ -12,31 +12,26 @@ on:
 
 jobs:
   helm-lint:
-    container:
-      image: docker.io/volkerraschek/helm:3.18.2
-    runs-on:
-    - ubuntu-latest
+    runs-on: ubuntu-latest
     steps:
-    - name: Install tooling
-      run: |
-        apk update
-        apk add git npm
-    - uses: actions/checkout@v4.2.2
+    - uses: actions/checkout@v6.0.2
+    - uses: azure/setup-helm@v5.0.0
+      with:
+        version: "v4.1.4" # renovate: datasource=github-tags depName=helm/helm
     - name: Lint helm files
       run: |
         helm lint --values values.yaml .
 
   helm-unittest:
-    container:
-      image: docker.io/volkerraschek/helm:3.18.2
-    runs-on:
-    - ubuntu-latest
+    runs-on: ubuntu-latest
     steps:
-    - name: Install tooling
-      run: |
-        apk update
-        apk add git npm
-    - uses: actions/checkout@v4.2.2
-    - name: Unittest
-      run: |
-        helm unittest --strict --file 'unittests/**/*.yaml' ./
+    - uses: actions/checkout@v6.0.2
+    - uses: azure/setup-helm@v5.0.0
+      with:
+        version: "v4.1.4" # renovate: datasource=github-tags depName=helm/helm
+    - env:
+        HELM_UNITTEST_VERSION: v1.0.0 #renovate: datasource=github-releases depName=helm-unittest/helm-unittest
+      name: Install helm-unittest
+      run: helm plugin install --verify=false --version "${HELM_UNITTEST_VERSION}" https://github.com/helm-unittest/helm-unittest
+    - name: Execute helm unittests
+      run: helm unittest --strict --file 'unittests/**/*.yaml' .

.gitea/workflows/markdown-linters.yaml

@@ -15,15 +15,14 @@ on:
 jobs:
   markdown-link-checker:
     container:
-      image: docker.io/library/node:24.1.0-alpine
-    runs-on:
-    - ubuntu-latest
+      image: docker.io/library/node:25.9.0-alpine
+    runs-on: ubuntu-latest
     steps:
     - name: Install tooling
       run: |
         apk update
         apk add git npm
-    - uses: actions/checkout@v4.2.2
+    - uses: actions/checkout@v6.0.2
     - name: Verify links in markdown files
       run: |
         npm install
@@ -31,15 +30,14 @@ jobs:
 
   markdown-lint:
     container:
-      image: docker.io/library/node:24.1.0-alpine
-    runs-on:
-    - ubuntu-latest
+      image: docker.io/library/node:25.9.0-alpine
+    runs-on: ubuntu-latest
     steps:
     - name: Install tooling
       run: |
         apk update
         apk add git
-    - uses: actions/checkout@v4.2.2
+    - uses: actions/checkout@v6.0.2
     - name: Lint markdown files
       run: |
         npm install

.gitea/workflows/release.yaml

@@ -1,59 +1,163 @@
 name: Release
 
+env:
+  GPG_PRIVATE_KEY_FILE: ${{ runner.temp }}/private.key
+  GPG_PRIVATE_KEY_FINGERPRINT: ${{ vars.GPG_PRIVATE_KEY_FINGERPRINT }}
+  GPG_PRIVATE_KEY_PASSPHRASE_FILE: ${{ runner.temp }}/passphrase.txt
+
 on:
   push:
-    branches:
-    - master
     tags:
     - "**"
 
 jobs:
   publish-chart:
-    container:
-      image: docker.io/volkerraschek/helm:3.18.2
     runs-on: ubuntu-latest
     steps:
-      - name: Install tooling
-        run: |
-          apk update
-          apk add git npm yq
+      - uses: volker-raschek/cosign-installer@v4.1.2-rc4
+        with:
+          cosign-release: "v3.0.6" # renovate: datasource=github-tags depName=sigstore/cosign
 
-      - uses: actions/checkout@v4
+      - uses: azure/setup-helm@v5.0.0
+        with:
+          version: "v4.1.4" # renovate: datasource=github-tags depName=helm/helm
+
+      - name: Install helm plugins
+        env:
+          HELM_SIGSTORE_VERSION: "0.3.0" # renovate: datasource=github-tags depName=sigstore/helm-sigstore extractVersion='^v(?<version>\d+\.\d+\.\d+)$'
+          HELM_SCHEMA_VALUES_VERSION: "2.3.1" # renovate: datasource=github-tags depName=losisin/helm-values-schema-json extractVersion='^v(?<version>\d+\.\d+\.\d+)$'
+          HELM_UNITTEST_VERSION: "1.0.3" # renovate: datasource=github-tags depName=helm-unittest/helm-unittest extractVersion='^v(?<version>\d+\.\d+\.\d+)$'
+        run: |
+          helm plugin install --verify=false https://github.com/sigstore/helm-sigstore.git --version "${HELM_SIGSTORE_VERSION}" 1> /dev/null
+          helm plugin install --verify=false https://github.com/losisin/helm-values-schema-json.git --version "${HELM_SCHEMA_VALUES_VERSION}" 1> /dev/null
+          helm plugin install --verify=false https://github.com/helm-unittest/helm-unittest.git --version "${HELM_UNITTEST_VERSION}" 1> /dev/null
+          helm plugin list
+
+      - name: GPG configuration
+        env:
+          GPG_PRIVATE_KEY_PASSPHRASE: ${{ secrets.GPG_PRIVATE_KEY_PASSPHRASE }}
+          GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}
+        run: |
+          # Configure GPG and GPG Agent
+          mkdir --parents "${HOME}/.gnupg"
+          chmod 0700 "${HOME}/.gnupg"
+
+          cat > "${HOME}/.gnupg/gpg.conf" <<EOF
+          use-agent
+          pinentry-mode loopback
+          EOF
+
+          cat > "${HOME}/.gnupg/gpg-agent.conf" <<EOF
+          allow-loopback-pinentry
+          max-cache-ttl 86400
+          default-cache-ttl 86400
+          EOF
+
+          gpgconf --kill gpg-agent
+          gpgconf --launch gpg-agent
+
+          # Import GPG private key
+          cat 1> "${GPG_PRIVATE_KEY_PASSPHRASE_FILE}" <<< "${GPG_PRIVATE_KEY_PASSPHRASE}"
+          cat 1> "${GPG_PRIVATE_KEY_FILE}" <<< "${GPG_PRIVATE_KEY}"
+          gpg --batch --yes --passphrase-fd 0 --import "${GPG_PRIVATE_KEY_FILE}" <<< "${GPG_PRIVATE_KEY_PASSPHRASE}"
+
+          # Export GPG keyring
+          gpg --batch --yes --export "${GPG_PRIVATE_KEY_FINGERPRINT}" 1> "${HOME}/.gnupg/pubring.gpg"
+          gpg --batch --yes --passphrase-fd 0 --export-secret-keys "${GPG_PRIVATE_KEY_FINGERPRINT}" 1> "${HOME}/.gnupg/secring.gpg" <<< "${GPG_PRIVATE_KEY_PASSPHRASE}"
+
+      - uses: actions/checkout@v6.0.2
         with:
           fetch-depth: 0
 
       - name: Add Artifacthub.io annotations
         run: |
-          git tag
-
-          NEW_TAG="$(git describe --abbrev=0)"
-          OLD_TAG="$(git describe --abbrev=0 --tags "$(git rev-list --tags --skip=1 --max-count=1)")"
-
+          NEW_TAG="$(git tag --sort=-version:refname | head -n 1)"
+          OLD_TAG="$(git tag --sort=-version:refname | head -n 2 | tail -n 1)"
           .gitea/scripts/add-annotations.sh "${OLD_TAG}" "${NEW_TAG}"
 
+      - name: Extract meta information
+        run: |
+          echo "GITEA_SERVER_HOSTNAME=$(echo "${GITHUB_SERVER_URL}" | cut --delimiter '/' --fields 3)" >> $GITHUB_ENV
+          echo "PACKAGE_VERSION=${GITHUB_REF#refs/tags/}" >> $GITHUB_ENV
+          echo "REPOSITORY_NAME=$(echo ${GITHUB_REPOSITORY} | cut --delimiter '/' --fields 2 | sed --regexp-extended 's/-charts?//g')" >> $GITHUB_ENV
+          echo "REPOSITORY_OWNER=$(echo ${GITHUB_REPOSITORY} | cut --delimiter '/' --fields 1)" >> $GITHUB_ENV
+
+      - name: Update Helm Chart version in README.md
+        run: sed -i -E "s/^CHART_VERSION=.*/CHART_VERSION=${PACKAGE_VERSION}/g" README.md
+
       - name: Package chart
+        run: |
+          helm dependency build
+          helm package \
+            --sign \
+            --key "$(gpg --with-colons --list-keys "${GPG_PRIVATE_KEY_FINGERPRINT}" | grep uid | cut --delimiter ':' --fields 10)" \
+            --keyring "${HOME}/.gnupg/secring.gpg" \
+            --passphrase-file "${GPG_PRIVATE_KEY_PASSPHRASE_FILE}" \
+            --version "${PACKAGE_VERSION}" ./
+
+      - uses: docker/login-action@v4.1.0
+        with:
+          registry: ${{ github.server_url }}
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GIT_CRYPTIC_SYSTEMS_PACKAGE_REGISTRY_TOKEN }}
+
+      - name: Upload Chart to Gitea (OCI)
         env:
+          COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
+          COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
+        run: |
+          helm push ${REPOSITORY_NAME}-${PACKAGE_VERSION}.tgz oci://${GITEA_SERVER_HOSTNAME}/${REPOSITORY_OWNER}
+          cosign sign --yes --upload=true --key=env://COSIGN_PRIVATE_KEY ${GITEA_SERVER_HOSTNAME}/${REPOSITORY_OWNER}/${REPOSITORY_NAME}:${PACKAGE_VERSION}
+
+      - name: Upload Chart to Gitea (Helm)
+        env:
+          GITEA_REGISTRY_TOKEN: ${{ secrets.GIT_CRYPTIC_SYSTEMS_PACKAGE_REGISTRY_TOKEN }}
+        run: |
+          curl \
+            --fail \
+            --show-error \
+            --request POST \
+            --user "${REPOSITORY_OWNER}:${GITEA_REGISTRY_TOKEN}" \
+            --upload-file "${REPOSITORY_NAME}-${PACKAGE_VERSION}.tgz" \
+              https://${GITEA_SERVER_HOSTNAME}/api/packages/${REPOSITORY_OWNER}/helm/api/charts
+
+          # NOTE:
+          # Gitea does currently not support uploading Helm chart provenance files, so we skip this step for now. Once
+          # Gitea supports this, we can simply uncomment the following lines to upload the provenance file as well.
+          #
+          #   https://github.com/helm/helm/issues/31866
+          #
+          # if [ -f "${REPOSITORY_NAME}-${PACKAGE_VERSION}.tgz.prov" ]; then
+          #   curl \
+          #     --fail \
+          #     --show-error \
+          #     --request POST \
+          #     --user "${CHARTMUSEUM_USERNAME}:${CHARTMUSEUM_PASSWORD}" \
+          #     --upload-file "${REPOSITORY_NAME}-${PACKAGE_VERSION}.tgz.prov" \
+          #       https://${GITEA_SERVER_HOSTNAME}/api/packages/${REPOSITORY_OWNER}/helm/api/prov
+          # fi
+
+      - name: Upload Chart to Chartmuseum (Helm)
+        env:
+          CHARTMUSEUM_HOSTNAME: ${{ vars.CHARTMUSEUM_HOSTNAME }}
+          CHARTMUSEUM_USERNAME: ${{ secrets.CHARTMUSEUM_USERNAME }}
           CHARTMUSEUM_PASSWORD: ${{ secrets.CHARTMUSEUM_PASSWORD }}
           CHARTMUSEUM_REPOSITORY: ${{ vars.CHARTMUSEUM_REPOSITORY }}
-          CHARTMUSEUM_USERNAME: ${{ secrets.CHARTMUSEUM_USERNAME }}
-          CHARTMUSEUM_HOSTNAME: ${{ vars.CHARTMUSEUM_HOSTNAME }}
-
-          GITEA_PACKAGE_REGISTRY_TOKEN: ${{ secrets.GIT_CRYPTIC_SYSTEMS_PACKAGE_REGISTRY_TOKEN }}
-          GITEA_SERVER_URL: ${{ github.server_url }}
         run: |
-          PACKAGE_VERSION=${GITHUB_REF#refs/tags/}
-          REPOSITORY_NAME=$(echo ${GITHUB_REPOSITORY} | cut -d '/' -f 2 | sed --regexp-extended 's/-charts?//g')
-          REPOSITORY_OWNER=$(echo ${GITHUB_REPOSITORY} | cut -d '/' -f 1)
+          curl \
+            --fail \
+            --show-error \
+            --request POST \
+            --user "${CHARTMUSEUM_USERNAME}:${CHARTMUSEUM_PASSWORD}" \
+            --upload-file "${REPOSITORY_NAME}-${PACKAGE_VERSION}.tgz" \
+              https://${CHARTMUSEUM_HOSTNAME}/api/${CHARTMUSEUM_REPOSITORY}/charts
 
-          helm dependency build
-          helm package --version "${PACKAGE_VERSION}" ./
-
-          # chart-museum
-          helm repo add --username ${CHARTMUSEUM_USERNAME} --password ${CHARTMUSEUM_PASSWORD} chartmuseum https://${CHARTMUSEUM_HOSTNAME}/${CHARTMUSEUM_REPOSITORY}
-          helm cm-push ${REPOSITORY_NAME}-${PACKAGE_VERSION}.tgz chartmuseum
-          helm repo remove chartmuseum
-
-          # gitea
-          helm repo add --username ${REPOSITORY_OWNER} --password ${GITEA_PACKAGE_REGISTRY_TOKEN} gitea ${GITEA_SERVER_URL}/api/packages/${REPOSITORY_OWNER}/helm
-          helm cm-push ${REPOSITORY_NAME}-${PACKAGE_VERSION}.tgz gitea
-          helm repo remove gitea
+          if [ -f "${REPOSITORY_NAME}-${PACKAGE_VERSION}.tgz.prov" ]; then
+            curl \
+              --fail \
+              --show-error \
+              --request POST \
+              --user "${CHARTMUSEUM_USERNAME}:${CHARTMUSEUM_PASSWORD}" \
+              --upload-file ${REPOSITORY_NAME}-${PACKAGE_VERSION}.tgz.prov \
+                https://${CHARTMUSEUM_HOSTNAME}/api/${CHARTMUSEUM_REPOSITORY}/prov
+          fi

.gitignore

@@ -1,4 +1,5 @@
 charts
+cosign*
 node_modules
 target
 values2.yml

.markdownlint.yaml

@@ -136,7 +136,6 @@ MD044:
     - kube-prometheus-stack
     - Memcached
     - Oracle
-    - ORBIS U
     - PostgreSQL
     - Prometheus
     - prometheus-exporter

.vscode/settings.json

@@ -1,8 +1,11 @@
 {
+  "files.associations": {
+    ".gitea/workflows/*.yaml": "github-actions-workflow"
+  },
   "yaml.schemas": {
-    "https://raw.githubusercontent.com/helm-unittest/helm-unittest/v0.5.2/schema/helm-testsuite.json": [
+    "https://raw.githubusercontent.com/helm-unittest/helm-unittest/v1.0.3/schema/helm-testsuite.json": [
       "/unittests/**/*.yaml"
     ]
   },
   "yaml.schemaStore.enable": true
-}
+}

Chart.yaml

@@ -1,12 +1,19 @@
 annotations:
+  artifacthub.io/license: MIT
   artifacthub.io/links: |
     - name: Prometheus Fail2Ban exporter (binary)
       url: https://git.cryptic.systems/volker.raschek/prometheus-fail2ban-exporter
     - name: support
       url: https://git.cryptic.systems/volker.raschek/prometheus-fail2ban-exporter-charts/issues
+  artifacthub.io/operator: "false"
+  artifacthub.io/prerelease: "false"
+  artifacthub.io/signKey: |
+    fingerprint: 3B0CE9853CAD76076260025383D342258456906E
+    url: https://keys.openpgp.org/vks/v1/by-fingerprint/3B0CE9853CAD76076260025383D342258456906E
 apiVersion: v2
 appVersion: "0.1.1"
 description: Prometheus metric exporter for Fail2Ban
+home: https://git.cryptic.systems/volker.raschek/prometheus-fail2ban-exporter-charts
 # icon: https://annotations.example.com/icon.png
 keywords:
   - prometheus

Makefile

@@ -4,13 +4,13 @@ CONTAINER_RUNTIME?=$(shell which podman)
 # HELM_IMAGE
 HELM_IMAGE_REGISTRY_HOST?=docker.io
 HELM_IMAGE_REPOSITORY?=volkerraschek/helm
-HELM_IMAGE_VERSION?=3.18.2 # renovate: datasource=docker registryUrl=https://docker.io depName=volkerraschek/helm
+HELM_IMAGE_VERSION?=3.19.0 # renovate: datasource=docker registryUrl=https://docker.io depName=docker.io/volkerraschek/helm
 HELM_IMAGE_FULLY_QUALIFIED=${HELM_IMAGE_REGISTRY_HOST}/${HELM_IMAGE_REPOSITORY}:${HELM_IMAGE_VERSION}
 
 # NODE_IMAGE
 NODE_IMAGE_REGISTRY_HOST?=docker.io
 NODE_IMAGE_REPOSITORY?=library/node
-NODE_IMAGE_VERSION?=24.1.0-alpine # renovate: datasource=docker registryUrl=https://docker.io depName=docker.io/library/node packageName=library/node
+NODE_IMAGE_VERSION?=25.2.1-alpine # renovate: datasource=docker registryUrl=https://docker.io depName=docker.io/library/node packageName=library/node
 NODE_IMAGE_FULLY_QUALIFIED=${NODE_IMAGE_REGISTRY_HOST}/${NODE_IMAGE_REPOSITORY}:${NODE_IMAGE_VERSION}
 
 # MISSING DOT
@@ -88,4 +88,4 @@ container-run/helm-lint:
 # ==============================================================================
 # Declare the contents of the PHONY variable as phony. We keep that information
 # in a variable so we can use it in if_changed.
-.PHONY: ${PHONY}
+.PHONY: ${PHONY}

README.md

@@ -14,11 +14,15 @@ Chapter [configuration and installation](#helm-configuration-and-installation) d
 and use it to deploy the exporter. It also contains further configuration examples.
 
 Furthermore, this helm chart contains unit tests to detect regressions and stabilize the deployment. Additionally, this
-helm chart is tested for deployment scenarios with **ArgoCD**.
+helm chart is tested for deployment scenarios with **ArgoCD**, but please keep in mind, that this chart supports the
+*[Automatically Roll Deployment](https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments)*
+concept of Helm, which can trigger unexpected rolling releases. Further configuration instructions are described in a
+separate [chapter](#argocd).
 
 ## Helm: configuration and installation
 
-1. A helm chart repository must be configured, to pull the helm charts from.
+1. A helm chart repository must be configured, to pull the helm charts from. The helm charts can either be pulled from
+   the classic helm chart repository or OCI registry.
 2. All available [parameters](#parameters) are documented in detail below. The parameters can be defined via the helm
    `--set` flag or directly as part of a `values.yaml` file. The following example defines the `prometheus-exporter`
    repository and use the `--set` flag for a basic deployment.
@@ -29,9 +33,22 @@ helm chart is tested for deployment scenarios with **ArgoCD**.
 > time is not possible.
 
 ```bash
-helm repo add prometheus-exporters https://charts.cryptic.systems/prometheus-exporters
+helm repo add prometheus-exporters https://git.cryptic.systems/api/packages/volker.raschek/helm
 helm repo update
-helm install prometheus-fail2ban-exporter prometheus-exporters/prometheus-fail2ban-exporter \
+CHART_VERSION=0.4.23
+helm install --version "${CHART_VERSION}" prometheus-fail2ban-exporter prometheus-exporters/prometheus-fail2ban-exporter \
+  --set 'prometheus.metrics.enabled=true' \
+  --set 'prometheus.metrics.serviceMonitor.enabled=true'
+```
+
+Alternatively, the deployment of the helm charts can also be done via an OCI registry:
+
+```bash
+CHART_VERSION=0.5.9
+helm install "oci://git.cryptic.systems/volker.raschek/prometheus-fail2ban-exporter:${CHART_VERSION}" \
+  --set 'config.database.secret.databaseUsername=postgres' \
+  --set 'config.database.secret.databasePassword=postgres' \
+  --set 'config.database.secret.databaseConnectionUrl="postgres.example.local:5432/postgres?ssl=disable"' \
   --set 'prometheus.metrics.enabled=true' \
   --set 'prometheus.metrics.serviceMonitor.enabled=true'
 ```
@@ -42,8 +59,8 @@ version of the chart must be in sync with the `values.yaml`. Newer *minor* versi
 versions can break something!
 
 ```bash
-CHART_VERSION=0.4.11
-helm show values prometheus-exporters/prometheus-fail2ban-exporter --version "${CHART_VERSION}" > values.yaml
+CHART_VERSION=0.4.23
+helm show values --version "${CHART_VERSION}" prometheus-exporters/prometheus-fail2ban-exporter > values.yaml
 ```
 
 A complete list of available helm chart versions can be displayed via the following command:
@@ -80,7 +97,8 @@ Further information about this topic can be found in one of Kanishk's blog
 > Please take care the a CPU limit < `1000m` can also lead to CPU throttling. Please read the linked documentation carefully.
 
 ```bash
-helm install prometheus-fail2ban-exporter prometheus-exporters/prometheus-fail2ban-exporter \
+CHART_VERSION=0.4.23
+helm install --version "${CHART_VERSION}" prometheus-fail2ban-exporter prometheus-exporters/prometheus-fail2ban-exporter \
   --set 'prometheus.metrics.enabled=true' \
   --set 'prometheus.metrics.serviceMonitor.enabled=true' \
   --set 'daemonSet.fail2banExporter.env.name=GOMAXPROCS' \
@@ -88,53 +106,6 @@ helm install prometheus-fail2ban-exporter prometheus-exporters/prometheus-fail2b
   --set 'daemonSet.fail2banExporter.resources.limits.cpu=1000m'
 ```
 
-<!--
-#### TLS authentication and encryption
-
-The first example shows how to deploy the metric exporter with TLS encryption. The verification of the custom TLS
-certification will be skipped by Prometheus.
-
-> [!WARNING]
-> The secret `Prometheus-fail2banql-exporter-http` containing the TLS certificate is already present. The keys `ca.crt`,
-> `TLS.key` and `TLS.crt` of the secret can be mounted into the container filesystem for TLS authentication / encryption.
-
-```bash
-helm install Prometheus-fail2ban-exporter Prometheus-exporters/Prometheus-fail2ban-exporter \
-  --set 'daemonSet.volumes[0].name=TLS' \
-  --set 'daemonSet.volumes[0].secret.secretName=Prometheus-fail2banql-exporter-http' \
-  --set 'daemonSet.fail2banExporter.volumeMounts[0].name=TLS' \
-  --set 'daemonSet.fail2banExporter.volumeMounts[0].mountPath=/etc/Prometheus-fail2ban-exporter/TLS' \
-  --set 'daemonSet.fail2banExporter.volumeMounts[0].readOnly=true' \
-  --set 'Prometheus.metrics.enabled=true' \
-  --set 'Prometheus.metrics.serviceMonitor.enabled=true' \
-  --set 'Prometheus.metrics.serviceMonitor.scheme=https' \
-  --set 'Prometheus.metrics.serviceMonitor.tlsConfig.insecureSkipVerify=true'
-```
-
-If the Prometheus pod has a TLS certificate mounted and is also signed by the private key of the CA which issued the TLS
-certificate for the metrics exporter - TLS certificate verification can be enabled. The following flags must be
-replaced:
-
-```diff
-  helm install Prometheus-fail2ban-exporter Prometheus-exporters/Prometheus-fail2ban-exporter \
-    --set 'config.webConfig.secret.webConfig.cert_file=/etc/Prometheus-fail2ban-exporter/TLS/TLS.crt' \
-    --set 'config.webConfig.secret.webConfig.client_ca_file=/etc/Prometheus-fail2ban-exporter/TLS/ca.crt' \
-    --set 'config.webConfig.secret.webConfig.key_file=/etc/Prometheus-fail2ban-exporter/TLS/TLS.key'
-    --set 'daemonSet.volumes[0].name=TLS' \
-    --set 'daemonSet.volumes[0].secret.secretName=Prometheus-fail2banql-exporter-http' \
-    --set 'daemonSet.fail2banExporter.volumeMounts[0].name=TLS' \
-    --set 'daemonSet.fail2banExporter.volumeMounts[0].mountPath=/etc/Prometheus-fail2ban-exporter/TLS' \
-    --set 'daemonSet.fail2banExporter.volumeMounts[0].readOnly=true' \
-    --set 'Prometheus.metrics.enabled=true' \
-    --set 'Prometheus.metrics.serviceMonitor.enabled=true' \
-    --set 'Prometheus.metrics.serviceMonitor.scheme=https' \
--   --set 'Prometheus.metrics.serviceMonitor.tlsConfig.insecureSkipVerify=true' \
-+   --set 'Prometheus.metrics.serviceMonitor.tlsConfig.caFile=/etc/Prometheus/TLS/ca.crt' \
-+   --set 'Prometheus.metrics.serviceMonitor.tlsConfig.certFile=/etc/Prometheus/TLS/TLS.crt' \
-+   --set 'Prometheus.metrics.serviceMonitor.tlsConfig.keyFile=/etc/Prometheus/TLS/TLS.key'
-```
--->
-
 #### Grafana dashboard
 
 The helm chart includes Grafana dashboards. These can be deployed as a configMap by activating Grafana integration. It
@@ -144,7 +115,8 @@ the Grafana container file system so that it is subsequently available to the us
 makes this possible.
 
 ```bash
-helm install prometheus-fail2ban-exporter prometheus-exporters/prometheus-fail2ban-exporter \
+CHART_VERSION=0.4.23
+helm install --version "${CHART_VERSION}" prometheus-fail2ban-exporter prometheus-exporters/prometheus-fail2ban-exporter \
   --set 'grafana.enabled=true'
 ```
 
@@ -198,6 +170,35 @@ networkPolicies:
         protocol: TCP
 ```
 
+## ArgoCD
+
+### Daily execution of rolling updates
+
+The behavior whereby ArgoCD triggers a rolling update even though nothing appears to have changed often occurs in
+connection with the helm concept `checksum/secret`, `checksum/configmap` or more generally, [Automatically Roll
+Deployments](https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments).
+
+The problem with combining this concept with ArgoCD is that ArgoCD re-renders the Helm chart every time. Even if the
+content of the config map or secret has not changed, there may be minimal differences (e.g., whitespace, chart version,
+Helm render order, different timestamps).
+
+This changes the SHA256 hash, Argo sees a drift and trigger a rolling update of the deployment. Among other things, this
+can lead to unnecessary notifications from ArgoCD.
+
+To avoid this, the annotation with the shasum must be ignored. Below is a diff that adds the `Application` to ignore all
+annotations with the prefix `checksum`.
+
+```diff
+  apiVersion: argoproj.io/v1alpha1
+  kind: Application
+  spec:
++   ignoreDifferences:
++   - group: apps/v1
++     kind: Deployment
++     jqPathExpressions:
++     - '.spec.template.metadata.annotations | with_entries(select(.key | startswith("checksum")))'
+```
+
 ## Parameters
 
 ### Global

package.json

@@ -16,6 +16,6 @@
   "devDependencies": {
     "@bitnami/readme-generator-for-helm": "^2.5.0",
     "markdown-link-check": "^3.13.6",
-    "markdownlint-cli": "^0.45.0"
+    "markdownlint-cli": "^0.48.0"
   }
 }

renovate.json

@@ -9,6 +9,7 @@
   ],
   "customManagers": [
     {
+      "customType": "regex",
       "fileMatch": [
         "^Chart\\.yaml$"
       ],
@@ -21,17 +22,49 @@
       "versioningTemplate": "semver"
     },
     {
+      "customType": "regex",
       "fileMatch": ["^README\\.md$"],
       "matchStrings": [
-        "VERSION=(?<currentValue>.*)"
+        "CHART_VERSION=(?<currentValue>.*)"
       ],
       "depNameTemplate": "volker.raschek/prometheus-fail2ban-exporter-charts",
       "packageNameTemplate": "https://git.cryptic.systems/volker.raschek/prometheus-fail2ban-exporter-charts",
       "datasourceTemplate": "git-tags",
       "versioningTemplate": "semver"
+    },
+    {
+      "customType": "regex",
+      "datasourceTemplate": "github-releases",
+      "fileMatch": [
+        ".vscode/settings\\.json$"
+      ],
+      "matchStrings": [
+        "https:\\/\\/raw\\.githubusercontent\\.com\\/(?<depName>[^\\s]+?)\\/(?<currentValue>v[0-9.]+?)\\/schema\\/helm-testsuite\\.json"
+      ]
     }
   ],
   "packageRules": [
+    {
+      "automerge": true,
+      "groupName": "Update helm plugin 'unittest'",
+      "matchDepNames": [
+        "helm-unittest/helm-unittest"
+      ],
+      "matchDatasources": [
+        "github-releases"
+      ],
+      "matchUpdateTypes": [
+        "minor",
+        "patch"
+      ]
+    },
+    {
+      "groupName": "Update docker.io/library/node",
+      "matchDepNames": [
+        "docker.io/library/node",
+        "library/node"
+      ]
+    },
     {
       "addLabels": [
         "renovate/automerge",

templates/_pod.tpl

@@ -16,7 +16,7 @@
 {{- $secret := default (dict "data" (dict)) (lookup "v1" "Secret" .Release.Namespace .Values.config.webConfig.existingSecret.secretName ) }}
 checksum/secret-web-config: {{ print $secret.spec | sha256sum }}
 {{- else }}
-checksum/secret-web-config: {{ include (print $.Template.BasePath "/prometheus-fail2ban-exporter/secretWebConfig.yaml") . | sha256sum }}
+checksum/secret-web-config: {{ include (print $.Template.BasePath "/secretWebConfig.yaml") . | sha256sum }}
 {{- end }}
 
 {{- end }}

unittests/configMaps/grafanaDashboardPostgresExporter.yaml

@@ -6,7 +6,7 @@ release:
   name: prometheus-fail2ban-exporter-unittest
   namespace: testing
 templates:
-- templates/prometheus-fail2ban-exporter/configMapGrafanaDashboardFail2BanExporter.yaml
+- templates/configMapGrafanaDashboardFail2BanExporter.yaml
 tests:
 - it: Rendering fail2banExporter
   asserts:

unittests/daemonset/daemonset.yaml

@@ -6,23 +6,23 @@ release:
   name: prometheus-fail2ban-exporter-unittest
   namespace: testing
 templates:
-- templates/prometheus-fail2ban-exporter/daemonSet.yaml
-- templates/prometheus-fail2ban-exporter/secretWebConfig.yaml
+- templates/daemonSet.yaml
+- templates/secretWebConfig.yaml
 tests:
 - it: Rendering default
   asserts:
   - hasDocuments:
       count: 1
-    template: templates/prometheus-fail2ban-exporter/daemonSet.yaml
+    template: templates/daemonSet.yaml
   - containsDocument:
       apiVersion: apps/v1
       kind: DaemonSet
       name: prometheus-fail2ban-exporter-unittest
       namespace: testing
-    template: templates/prometheus-fail2ban-exporter/daemonSet.yaml
+    template: templates/daemonSet.yaml
   - notExists:
       path: metadata.annotations
-    template: templates/prometheus-fail2ban-exporter/daemonSet.yaml
+    template: templates/daemonSet.yaml
   - equal:
       path: metadata.labels
       value:
@@ -31,10 +31,10 @@ tests:
         app.kubernetes.io/name: prometheus-fail2ban-exporter
         app.kubernetes.io/version: 0.1.0
         helm.sh/chart: prometheus-fail2ban-exporter-0.1.0
-    template: templates/prometheus-fail2ban-exporter/daemonSet.yaml
+    template: templates/daemonSet.yaml
   - exists:
       path: spec.template.metadata.annotations.checksum/secret-web-config
-    template: templates/prometheus-fail2ban-exporter/daemonSet.yaml
+    template: templates/daemonSet.yaml
   - equal:
       path: spec.template.metadata.labels
       value:
@@ -43,19 +43,19 @@ tests:
         app.kubernetes.io/name: prometheus-fail2ban-exporter
         app.kubernetes.io/version: 0.1.0
         helm.sh/chart: prometheus-fail2ban-exporter-0.1.0
-    template: templates/prometheus-fail2ban-exporter/daemonSet.yaml
+    template: templates/daemonSet.yaml
   - notExists:
       path: spec.template.spec.affinity
-    template: templates/prometheus-fail2ban-exporter/daemonSet.yaml
+    template: templates/daemonSet.yaml
   - notExists:
       path: spec.template.spec.containers[0].envFrom
-    template: templates/prometheus-fail2ban-exporter/daemonSet.yaml
+    template: templates/daemonSet.yaml
   - equal:
       path: spec.template.spec.containers[0].args
       value:
       # - --web.config.file=/etc/prometheus-fail2ban-exporter/config.d/webConfig.yaml
       - --web.listen-address=:9191
-    template: templates/prometheus-fail2ban-exporter/daemonSet.yaml
+    template: templates/daemonSet.yaml
   - equal:
       path: spec.template.spec.containers[0].volumeMounts
       value:
@@ -63,7 +63,7 @@ tests:
         name: socket
       - mountPath: /etc/prometheus-fail2ban-exporter/config.d
         name: config-d
-    template: templates/prometheus-fail2ban-exporter/daemonSet.yaml
+    template: templates/daemonSet.yaml
   - equal:
       path: spec.template.spec.volumes
       value:
@@ -74,59 +74,59 @@ tests:
       - name: config-d
         secret:
           secretName: prometheus-fail2ban-exporter-unittest-web-config
-    template: templates/prometheus-fail2ban-exporter/daemonSet.yaml
+    template: templates/daemonSet.yaml
   - equal:
       path: spec.template.spec.containers[0].image
       value: git.cryptic.systems/volker.raschek/prometheus-fail2ban-exporter:0.1.0
-    template: templates/prometheus-fail2ban-exporter/daemonSet.yaml
+    template: templates/daemonSet.yaml
   - equal:
       path: spec.template.spec.containers[0].imagePullPolicy
       value: IfNotPresent
-    template: templates/prometheus-fail2ban-exporter/daemonSet.yaml
+    template: templates/daemonSet.yaml
   - notExists:
       path: spec.template.spec.containers[0].resources
-    template: templates/prometheus-fail2ban-exporter/daemonSet.yaml
+    template: templates/daemonSet.yaml
   - notExists:
       path: spec.template.spec.containers[0].securityContext
-    template: templates/prometheus-fail2ban-exporter/daemonSet.yaml
+    template: templates/daemonSet.yaml
   - notExists:
       path: spec.template.spec.dnsConfig
-    template: templates/prometheus-fail2ban-exporter/daemonSet.yaml
+    template: templates/daemonSet.yaml
   - notExists:
       path: spec.template.spec.dnsPolicy
-    template: templates/prometheus-fail2ban-exporter/daemonSet.yaml
+    template: templates/daemonSet.yaml
   - notExists:
       path: spec.template.spec.hostname
-    template: templates/prometheus-fail2ban-exporter/daemonSet.yaml
+    template: templates/daemonSet.yaml
   - equal:
       path: spec.template.spec.hostNetwork
       value: false
-    template: templates/prometheus-fail2ban-exporter/daemonSet.yaml
+    template: templates/daemonSet.yaml
   - notExists:
       path: spec.template.spec.imagePullSecrets
-    template: templates/prometheus-fail2ban-exporter/daemonSet.yaml
+    template: templates/daemonSet.yaml
   - notExists:
       path: spec.template.spec.nodeSelector
-    template: templates/prometheus-fail2ban-exporter/daemonSet.yaml
+    template: templates/daemonSet.yaml
   - notExists:
       path: spec.template.spec.priorityClassName
-    template: templates/prometheus-fail2ban-exporter/daemonSet.yaml
+    template: templates/daemonSet.yaml
   - notExists:
       path: spec.template.spec.restartPolicy
-    template: templates/prometheus-fail2ban-exporter/daemonSet.yaml
+    template: templates/daemonSet.yaml
   - notExists:
       path: spec.template.spec.subdomain
-    template: templates/prometheus-fail2ban-exporter/daemonSet.yaml
+    template: templates/daemonSet.yaml
   - equal:
       path: spec.template.spec.terminationGracePeriodSeconds
       value: 60
-    template: templates/prometheus-fail2ban-exporter/daemonSet.yaml
+    template: templates/daemonSet.yaml
   - notExists:
       path: spec.template.spec.tolerations
-    template: templates/prometheus-fail2ban-exporter/daemonSet.yaml
+    template: templates/daemonSet.yaml
   - notExists:
       path: spec.template.spec.topologySpreadConstraints
-    template: templates/prometheus-fail2ban-exporter/daemonSet.yaml
+    template: templates/daemonSet.yaml
   - equal:
       path: spec.updateStrategy
       value:
@@ -134,7 +134,7 @@ tests:
           maxSurge: 1
           maxUnavailable: 0
         type: "RollingUpdate"
-    template: templates/prometheus-fail2ban-exporter/daemonSet.yaml
+    template: templates/daemonSet.yaml
 
 - it: Test custom affinity
   set:
@@ -161,7 +161,7 @@ tests:
                 values:
                 - antarctica-east1
                 - antarctica-west1
-    template: templates/prometheus-fail2ban-exporter/daemonSet.yaml
+    template: templates/daemonSet.yaml
 
 - it: Test additional arguments
   set:
@@ -176,7 +176,7 @@ tests:
       - --web.listen-address=:9191
       - --foo=bar
       - --bar=foo
-    template: templates/prometheus-fail2ban-exporter/daemonSet.yaml
+    template: templates/daemonSet.yaml
 
 - it: Test custom imageRegistry and imageRepository
   set:
@@ -186,7 +186,7 @@ tests:
   - equal:
       path: spec.template.spec.containers[0].image
       value: registry.example.local/path/special/prometheus-fail2ban-exporter:0.1.0
-    template: templates/prometheus-fail2ban-exporter/daemonSet.yaml
+    template: templates/daemonSet.yaml
 
 - it: Test custom imagePullPolicy
   set:
@@ -195,7 +195,7 @@ tests:
   - equal:
       path: spec.template.spec.containers[0].imagePullPolicy
       value: Always
-    template: templates/prometheus-fail2ban-exporter/daemonSet.yaml
+    template: templates/daemonSet.yaml
 
 - it: Test config.webConfig.existingSecret
   set:
@@ -209,7 +209,7 @@ tests:
         name: socket
       - mountPath: /etc/prometheus-fail2ban-exporter/config.d
         name: config-d
-    template: templates/prometheus-fail2ban-exporter/daemonSet.yaml
+    template: templates/daemonSet.yaml
   - equal:
       path: spec.template.spec.volumes
       value:
@@ -220,7 +220,7 @@ tests:
       - name: config-d
         secret:
           secretName: web-config-secret
-    template: templates/prometheus-fail2ban-exporter/daemonSet.yaml
+    template: templates/daemonSet.yaml
 
 - it: Test custom resource limits and requests
   set:
@@ -240,7 +240,7 @@ tests:
           resourceFieldRef:
             divisor: "1"
             resource: limits.cpu
-    template: templates/prometheus-fail2ban-exporter/daemonSet.yaml
+    template: templates/daemonSet.yaml
   - equal:
       path: spec.template.spec.containers[0].resources
       value:
@@ -250,7 +250,7 @@ tests:
         requests:
           cpu: 25m
           memory: 100MB
-    template: templates/prometheus-fail2ban-exporter/daemonSet.yaml
+    template: templates/daemonSet.yaml
 
 - it: Test custom securityContext
   set:
@@ -277,7 +277,7 @@ tests:
         readOnlyRootFilesystem: true
         runAsNonRoot: true
         runAsUser: 1000
-    template: templates/prometheus-fail2ban-exporter/daemonSet.yaml
+    template: templates/daemonSet.yaml
 
 - it: Test dnsConfig
   set:
@@ -292,7 +292,7 @@ tests:
         nameservers:
         - "8.8.8.8"
         - "8.8.4.4"
-    template: templates/prometheus-fail2ban-exporter/daemonSet.yaml
+    template: templates/daemonSet.yaml
 
 - it: Test dnsPolicy
   set:
@@ -301,7 +301,7 @@ tests:
   - equal:
       path: spec.template.spec.dnsPolicy
       value: ClusterFirst
-    template: templates/prometheus-fail2ban-exporter/daemonSet.yaml
+    template: templates/daemonSet.yaml
 
 - it: Test hostNetwork, hostname, subdomain
   set:
@@ -312,15 +312,15 @@ tests:
   - equal:
       path: spec.template.spec.hostNetwork
       value: true
-    template: templates/prometheus-fail2ban-exporter/daemonSet.yaml
+    template: templates/daemonSet.yaml
   - equal:
       path: spec.template.spec.hostname
       value: pg-exporter
-    template: templates/prometheus-fail2ban-exporter/daemonSet.yaml
+    template: templates/daemonSet.yaml
   - equal:
       path: spec.template.spec.subdomain
       value: exporters.internal
-    template: templates/prometheus-fail2ban-exporter/daemonSet.yaml
+    template: templates/daemonSet.yaml
 
 - it: Test imagePullSecrets
   set:
@@ -333,7 +333,7 @@ tests:
       value:
       - name: my-pull-secret
       - name: my-special-secret
-    template: templates/prometheus-fail2ban-exporter/daemonSet.yaml
+    template: templates/daemonSet.yaml
 
 - it: Test nodeSelector
   set:
@@ -344,7 +344,7 @@ tests:
       path: spec.template.spec.nodeSelector
       value:
         foo: bar
-    template: templates/prometheus-fail2ban-exporter/daemonSet.yaml
+    template: templates/daemonSet.yaml
 
 - it: Test priorityClassName
   set:
@@ -353,7 +353,7 @@ tests:
   - equal:
       path: spec.template.spec.priorityClassName
       value: my-priority
-    template: templates/prometheus-fail2ban-exporter/daemonSet.yaml
+    template: templates/daemonSet.yaml
 
 - it: Test restartPolicy
   set:
@@ -362,7 +362,7 @@ tests:
   - equal:
       path: spec.template.spec.restartPolicy
       value: Always
-    template: templates/prometheus-fail2ban-exporter/daemonSet.yaml
+    template: templates/daemonSet.yaml
 
 - it: Test terminationGracePeriodSeconds
   set:
@@ -371,7 +371,7 @@ tests:
   - equal:
       path: spec.template.spec.terminationGracePeriodSeconds
       value: 120
-    template: templates/prometheus-fail2ban-exporter/daemonSet.yaml
+    template: templates/daemonSet.yaml
 
 - it: Test tolerations
   set:
@@ -388,7 +388,7 @@ tests:
         operator: Equal
         value: fail2ban
         effect: NoSchedule
-    template: templates/prometheus-fail2ban-exporter/daemonSet.yaml
+    template: templates/daemonSet.yaml
 
 - it: Test topologySpreadConstraints
   set:
@@ -407,7 +407,7 @@ tests:
         labelSelector:
           matchLabels:
             app.kubernetes.io/instance: prometheus-fail2ban-exporter
-    template: templates/prometheus-fail2ban-exporter/daemonSet.yaml
+    template: templates/daemonSet.yaml
 
 - it: Test additional volumeMounts and volumes
   set:
@@ -426,7 +426,7 @@ tests:
         mountPath: /usr/lib/prometheus-fail2ban-exporter/data
       - name: config-d
         mountPath: /etc/prometheus-fail2ban-exporter/config.d
-    template: templates/prometheus-fail2ban-exporter/daemonSet.yaml
+    template: templates/daemonSet.yaml
   - equal:
       path: spec.template.spec.volumes
       value:
@@ -436,4 +436,4 @@ tests:
       - name: config-d
         secret:
           secretName: prometheus-fail2ban-exporter-unittest-web-config
-    template: templates/prometheus-fail2ban-exporter/daemonSet.yaml
+    template: templates/daemonSet.yaml

unittests/ingress/ingress.yaml

@@ -6,7 +6,7 @@ release:
   name: prometheus-fail2ban-exporter-unittest
   namespace: testing
 templates:
-- templates/prometheus-fail2ban-exporter/ingress.yaml
+- templates/ingress.yaml
 tests:
 - it: Skip ingress by default.
   asserts:

unittests/networkPolicies/default.yaml

@@ -6,7 +6,7 @@ release:
   name: prometheus-fail2ban-exporter-unittest
   namespace: testing
 templates:
-- templates/prometheus-fail2ban-exporter/networkPolicies.yaml
+- templates/networkPolicies.yaml
 tests:
 - it: Skip networkPolicies in general disabled.
   set:

unittests/podMonitors/podMonitorHTTP.yaml

@@ -6,7 +6,7 @@ release:
   name: prometheus-fail2ban-exporter-unittest
   namespace: testing
 templates:
-- templates/prometheus-fail2ban-exporter/podMonitor.yaml
+- templates/podMonitor.yaml
 tests:
 - it: Skip podMonitor when metrics are disabled.
   set:

unittests/secrets/webconfig.yaml

@@ -6,7 +6,7 @@ release:
   name: prometheus-fail2ban-exporter-unittest
   namespace: testing
 templates:
-- templates/prometheus-fail2ban-exporter/secretWebConfig.yaml
+- templates/secretWebConfig.yaml
 tests:
 - it: Rendering default secret.
   asserts:

unittests/serviceAccounts/serviceAccount.yaml

@@ -6,7 +6,7 @@ release:
   name: prometheus-fail2ban-exporter-unittest
   namespace: testing
 templates:
-- templates/prometheus-fail2ban-exporter/serviceAccount.yaml
+- templates/serviceAccount.yaml
 tests:
 - it: Skip rendering.
   set:

unittests/serviceMonitors/serviceMonitorHTTP.yaml

@@ -6,7 +6,7 @@ release:
   name: prometheus-fail2ban-exporter-unittest
   namespace: testing
 templates:
-- templates/prometheus-fail2ban-exporter/serviceMonitorHTTP.yaml
+- templates/serviceMonitorHTTP.yaml
 tests:
 - it: Skip serviceMonitor when service is disabled.
   set:

unittests/services/http.yaml

@@ -6,7 +6,7 @@ release:
   name: prometheus-fail2ban-exporter-unittest
   namespace: testing
 templates:
-- templates/prometheus-fail2ban-exporter/serviceHTTP.yaml
+- templates/serviceHTTP.yaml
 tests:
 - it: Skip service when disabled.
   set: