feat(secret): support annotations and labels for the basic auth secret

The following patch extends the helm chart of additional init containers for
each plugin.

.gitea/workflows/generate-readme.yaml

@@ -15,7 +15,7 @@ on:
 jobs:
   generate-parameters:
     container:
-      image: docker.io/library/node:24.1.0-alpine
+      image: docker.io/library/node:24.9.0-alpine
     runs-on:
     - ubuntu-latest
     steps:
@@ -23,7 +23,7 @@ jobs:
       run: |
         apk update
         apk add git npm
-    - uses: actions/checkout@v4.2.2
+    - uses: actions/checkout@v5.0.0
     - name: Generate parameter section in README
       run: |
         npm install

.gitea/workflows/helm.yaml

@@ -13,7 +13,7 @@ on:
 jobs:
   helm-lint:
     container:
-      image: docker.io/volkerraschek/helm:3.18.2
+      image: docker.io/volkerraschek/helm:3.19.0
     runs-on:
     - ubuntu-latest
     steps:
@@ -21,14 +21,14 @@ jobs:
       run: |
         apk update
         apk add git npm
-    - uses: actions/checkout@v4.2.2
+    - uses: actions/checkout@v5.0.0
     - name: Lint helm files
       run: |
         helm lint --values values.yaml .
 
   helm-unittest:
     container:
-      image: docker.io/volkerraschek/helm:3.18.2
+      image: docker.io/volkerraschek/helm:3.19.0
     runs-on:
     - ubuntu-latest
     steps:
@@ -36,7 +36,7 @@ jobs:
       run: |
         apk update
         apk add git npm
-    - uses: actions/checkout@v4.2.2
+    - uses: actions/checkout@v5.0.0
     - name: Unittest
       run: |
         helm unittest --strict --file 'unittests/**/*.yaml' ./

.gitea/workflows/markdown-linters.yaml

@@ -15,7 +15,7 @@ on:
 jobs:
   markdown-link-checker:
     container:
-      image: docker.io/library/node:24.1.0-alpine
+      image: docker.io/library/node:24.9.0-alpine
     runs-on:
     - ubuntu-latest
     steps:
@@ -23,7 +23,7 @@ jobs:
       run: |
         apk update
         apk add git npm
-    - uses: actions/checkout@v4.2.2
+    - uses: actions/checkout@v5.0.0
     - name: Verify links in markdown files
       run: |
         npm install
@@ -31,7 +31,7 @@ jobs:
 
   markdown-lint:
     container:
-      image: docker.io/library/node:24.1.0-alpine
+      image: docker.io/library/node:24.9.0-alpine
     runs-on:
     - ubuntu-latest
     steps:
@@ -39,7 +39,7 @@ jobs:
       run: |
         apk update
         apk add git
-    - uses: actions/checkout@v4.2.2
+    - uses: actions/checkout@v5.0.0
     - name: Lint markdown files
       run: |
         npm install

.gitea/workflows/release.yaml

@@ -8,7 +8,7 @@ on:
 jobs:
   publish-chart:
     container:
-      image: docker.io/volkerraschek/helm:3.18.2
+      image: docker.io/volkerraschek/helm:3.19.0
     runs-on: ubuntu-latest
     steps:
       - name: Install packages via apk
@@ -16,7 +16,7 @@ jobs:
           apk update
           apk add git npm jq yq
 
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5.0.0
         with:
           fetch-depth: 0
 

.gitignore

@@ -1,6 +1,6 @@
 charts
 node_modules
 target
-values2.yml
-values2.yaml
+values[0-9].yml
+values[0-9].yaml
 *.tgz

Chart.yaml

@@ -5,7 +5,7 @@ annotations:
     - name: support
       url: https://git.cryptic.systems/volker.raschek/reposilite-charts/issues
 apiVersion: v2
-appVersion: "3.5.25"
+appVersion: "3.5.26"
 description: |
   Lightweight and easy-to-use repository management software
   dedicated for the Maven based artifacts in the JVM ecosystem

Makefile

@@ -4,13 +4,13 @@ CONTAINER_RUNTIME?=$(shell which podman)
 # HELM_IMAGE
 HELM_IMAGE_REGISTRY_HOST?=docker.io
 HELM_IMAGE_REPOSITORY?=volkerraschek/helm
-HELM_IMAGE_VERSION?=3.18.2 # renovate: datasource=docker registryUrl=https://registry-nexus.orbis.dedalus.com depName=volkerraschek/helm
+HELM_IMAGE_VERSION?=3.19.0 # renovate: datasource=docker registryUrl=https://docker.io depName=volkerraschek/helm
 HELM_IMAGE_FULLY_QUALIFIED=${HELM_IMAGE_REGISTRY_HOST}/${HELM_IMAGE_REPOSITORY}:${HELM_IMAGE_VERSION}
 
 # NODE_IMAGE
 NODE_IMAGE_REGISTRY_HOST?=docker.io
 NODE_IMAGE_REPOSITORY?=library/node
-NODE_IMAGE_VERSION?=24.1.0-alpine # renovate: datasource=docker registryUrl=https://docker.io depName=docker.io/library/node packageName=library/node
+NODE_IMAGE_VERSION?=24.9.0-alpine # renovate: datasource=docker registryUrl=https://docker.io depName=docker.io/library/node packageName=library/node
 NODE_IMAGE_FULLY_QUALIFIED=${NODE_IMAGE_REGISTRY_HOST}/${NODE_IMAGE_REPOSITORY}:${NODE_IMAGE_VERSION}
 
 # MISSING DOT
@@ -18,6 +18,19 @@ NODE_IMAGE_FULLY_QUALIFIED=${NODE_IMAGE_REGISTRY_HOST}/${NODE_IMAGE_REPOSITORY}:
 missing-dot:
 	grep --perl-regexp '## @(param|skip).*[^.]$$' values.yaml
 
+# README
+# ==============================================================================
+readme: readme/link readme/lint readme/parameters
+
+readme/link:
+	npm install && npm run readme:link
+
+readme/lint:
+	npm install && npm run readme:lint
+
+readme/parameters:
+	npm install && npm run readme:parameters
+
 # CONTAINER RUN - README
 # ==============================================================================
 PHONY+=container-run/readme

README.md

@@ -2,6 +2,10 @@
 
 [![Artifact Hub](https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/volker-raschek)](https://artifacthub.io/packages/search?repo=volker-raschek)
 
+> [!NOTE]
+> This is not the official helm chart of Reposilite. If you are looking for the official helm chart, checkout the GitHub
+> project [reposilite-playground](https://github.com/reposilite-playground/reposilite-helm).
+
 This helm chart enables the deployment of [Reposilite](https://github.com/dzikoysk/reposilite), a lightweight and
 easy-to-use repository management software dedicated for the Maven-based artifacts in the JVM ecosystem.
 
@@ -33,7 +37,7 @@ version of the chart must be in sync with the `values.yaml`. Newer *minor* versi
 versions can break something!
 
 ```bash
-CHART_VERSION=0.1.0
+CHART_VERSION=0.2.0
 helm show values volker.raschek/reposilite --version "${CHART_VERSION}" > values.yaml
 ```
 
@@ -47,7 +51,7 @@ The helm chart also contains a persistent volume claim definition. It persistent
 Use the `--set` argument to persist your data.
 
 ```bash
-CHART_VERSION=0.1.0
+CHART_VERSION=0.2.0
 helm install --version "${CHART_VERSION}" reposilite volker.raschek/reposilite \
   persistentVolumeClaim.enabled=true
 ```
@@ -68,7 +72,7 @@ connection problems.
 > error.
 
 ```bash
-CHART_VERSION=0.1.0
+CHART_VERSION=0.2.0
 helm install --version "${CHART_VERSION}" reposilite volker.raschek/reposilite \
   --set 'deployment.reposilite.env[1].name=REPOSILITE_LOCAL_SSLENABLED' \
   --set 'deployment.reposilite.env[1].value="true"' \
@@ -118,14 +122,15 @@ deployment:
     secret.reloader.stakater.com/reload: "reposilite-tls"
 ```
 
-### Network policies
+#### Network policies
 
 Network policies can only take effect, when the used CNI plugin support network policies. The chart supports no custom
 network policy implementation of CNI plugins. It's support only the official API resource of `networking.k8s.io/v1`.
 
 The example below is an excerpt of the `values.yaml` file. The network policy contains ingress rules to allow incoming
-traffic from an ingress controller. Additionally one egress rule is defined, to allow the application outgoing access
-to the internal running DNS server `core-dns`.
+traffic from an ingress controller. Additionally two egress rules are defined. The first one to allow the application
+outgoing access to the internal running DNS server `core-dns`. The second rule to be able to access the Apache Maven
+Central repository via HTTPS.
 
 > [!IMPORTANT]
 > Please keep in mind, that the namespace and pod selector labels can be different from environment to environment. For
@@ -152,6 +157,10 @@ networkPolicies:
       protocol: TCP
     - port: 53
       protocol: UDP
+  - ports:
+    - port: 443
+      protocol: TCP
+
   ingress:
   - from:
     - namespaceSelector:
@@ -165,6 +174,26 @@ networkPolicies:
       protocol: TCP
 ```
 
+### Prometheus
+
+Reposilite is not able to expose metrics by default. Reposilite requires an additional plugin to expose the metrics via
+`/metrics`. The plugin will be downloaded from Apache Maven Central, when the plugin is enabled directly or the
+Prometheus feature has been enabled. The plugin is a simple JAR file, which will be stored in `/app/data/plugins`.
+
+Furthermore, Reposilite will not expose the metrics without protection. For this reason must be defined basic auth
+credentials. By default generate the helm chart a random username and password for basic auth. For debugging propose can
+be set the credentials manually.
+
+The following example enable Prometheus metrics with custom basic auth credentials:
+
+```bash
+CHART_VERSION=0.2.0
+helm install --version "${CHART_VERSION}" reposilite volker.raschek/reposilite \
+  --set 'prometheus.metrics.enabled=true' \
+  --set 'prometheus.metrics.basicAuthUsername=my-username' \
+  --set 'prometheus.metrics.basicAuthUsername=my-password'
+```
+
 ## Parameters
 
 ### Global
@@ -174,44 +203,56 @@ networkPolicies:
 | `nameOverride`     | Individual release name suffix.           | `""`  |
 | `fullnameOverride` | Override the complete release name logic. | `""`  |
 
+### Config
+
+| Name                                | Description                                                                                                                                    | Value                                                                                                                                                     |
+| ----------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| `config.plugins.prometheus.enabled` | Download the Prometheus plugin via an additional init container. The Prometheus plugin will automatically enabled, when Prometheus is enabled. | `false`                                                                                                                                                   |
+| `config.plugins.prometheus.url`     | URL to download the plugin.                                                                                                                    | `https://maven.reposilite.com/releases/com/reposilite/plugin/prometheus-plugin/{{ .Chart.AppVersion }}/prometheus-plugin-{{ .Chart.AppVersion }}-all.jar` |
+
 ### Deployment
 
-| Name                                               | Description                                                                                                | Value                 |
-| -------------------------------------------------- | ---------------------------------------------------------------------------------------------------------- | --------------------- |
-| `deployment.annotations`                           | Additional deployment annotations.                                                                         | `{}`                  |
-| `deployment.labels`                                | Additional deployment labels.                                                                              | `{}`                  |
-| `deployment.additionalContainers`                  | List of additional containers.                                                                             | `[]`                  |
-| `deployment.affinity`                              | Affinity for the Reposilite deployment.                                                                    | `{}`                  |
-| `deployment.initContainers`                        | List of additional init containers.                                                                        | `[]`                  |
-| `deployment.dnsConfig`                             | dnsConfig of the Reposilite deployment.                                                                    | `{}`                  |
-| `deployment.dnsPolicy`                             | dnsPolicy of the Reposilite deployment.                                                                    | `""`                  |
-| `deployment.hostname`                              | Individual hostname of the pod.                                                                            | `""`                  |
-| `deployment.subdomain`                             | Individual domain of the pod.                                                                              | `""`                  |
-| `deployment.hostNetwork`                           | Use the kernel network namespace of the host system.                                                       | `false`               |
-| `deployment.imagePullSecrets`                      | Secret to use for pulling the image.                                                                       | `[]`                  |
-| `deployment.reposilite.args`                       | Arguments passed to the Reposilite container.                                                              | `[]`                  |
-| `deployment.reposilite.command`                    | Command passed to the Reposilite container.                                                                | `[]`                  |
-| `deployment.reposilite.env`                        | List of environment variables for the Reposilite container.                                                |                       |
-| `deployment.reposilite.envFrom`                    | List of environment variables mounted from configMaps or secrets for the Reposilite container.             | `[]`                  |
-| `deployment.reposilite.image.registry`             | Image registry, eg. `docker.io`.                                                                           | `docker.io`           |
-| `deployment.reposilite.image.repository`           | Image repository, eg. `library/busybox`.                                                                   | `dzikoysk/reposilite` |
-| `deployment.reposilite.image.tag`                  | Custom image tag, eg. `0.1.0`. Defaults to `appVersion`.                                                   | `""`                  |
-| `deployment.reposilite.image.pullPolicy`           | Image pull policy.                                                                                         | `IfNotPresent`        |
-| `deployment.reposilite.resources`                  | CPU and memory resources of the pod.                                                                       | `{}`                  |
-| `deployment.reposilite.securityContext`            | Security context of the container of the deployment.                                                       | `{}`                  |
-| `deployment.reposilite.volumeMounts`               | Additional volume mounts.                                                                                  | `[]`                  |
-| `deployment.nodeSelector`                          | NodeSelector of the Reposilite deployment.                                                                 | `{}`                  |
-| `deployment.priorityClassName`                     | PriorityClassName of the Reposilite deployment.                                                            | `""`                  |
-| `deployment.replicas`                              | Number of replicas for the Reposilite deployment.                                                          | `1`                   |
-| `deployment.restartPolicy`                         | Restart policy of the Reposilite deployment.                                                               | `""`                  |
-| `deployment.securityContext`                       | Security context of the Reposilite deployment.                                                             | `{}`                  |
-| `deployment.strategy.type`                         | Strategy type - `Recreate` or `RollingUpdate`.                                                             | `RollingUpdate`       |
-| `deployment.strategy.rollingUpdate.maxSurge`       | The maximum number of pods that can be scheduled above the desired number of pods during a rolling update. | `1`                   |
-| `deployment.strategy.rollingUpdate.maxUnavailable` | The maximum number of pods that can be unavailable during a rolling update.                                | `1`                   |
-| `deployment.terminationGracePeriodSeconds`         | How long to wait until forcefully kill the pod.                                                            | `60`                  |
-| `deployment.tolerations`                           | Tolerations of the Reposilite deployment.                                                                  | `[]`                  |
-| `deployment.topologySpreadConstraints`             | TopologySpreadConstraints of the Reposilite deployment.                                                    | `[]`                  |
-| `deployment.volumes`                               | Additional volumes to mount into the pods of the prometheus-exporter deployment.                           | `[]`                  |
+| Name                                               | Description                                                                                                | Value                                       |
+| -------------------------------------------------- | ---------------------------------------------------------------------------------------------------------- | ------------------------------------------- |
+| `deployment.annotations`                           | Additional deployment annotations.                                                                         | `{}`                                        |
+| `deployment.labels`                                | Additional deployment labels.                                                                              | `{}`                                        |
+| `deployment.additionalContainers`                  | List of additional containers.                                                                             | `[]`                                        |
+| `deployment.affinity`                              | Affinity for the Reposilite deployment.                                                                    | `{}`                                        |
+| `deployment.initContainers`                        | List of additional init containers.                                                                        | `[]`                                        |
+| `deployment.dnsConfig`                             | dnsConfig of the Reposilite deployment.                                                                    | `{}`                                        |
+| `deployment.dnsPolicy`                             | dnsPolicy of the Reposilite deployment.                                                                    | `""`                                        |
+| `deployment.hostname`                              | Individual hostname of the pod.                                                                            | `""`                                        |
+| `deployment.subdomain`                             | Individual domain of the pod.                                                                              | `""`                                        |
+| `deployment.hostNetwork`                           | Use the kernel network namespace of the host system.                                                       | `false`                                     |
+| `deployment.imagePullSecrets`                      | Secret to use for pulling the image.                                                                       | `[]`                                        |
+| `deployment.reposilite.args`                       | Arguments passed to the Reposilite container.                                                              | `[]`                                        |
+| `deployment.reposilite.command`                    | Command passed to the Reposilite container.                                                                | `[]`                                        |
+| `deployment.reposilite.env`                        | List of environment variables for the Reposilite container.                                                |                                             |
+| `deployment.reposilite.envFrom`                    | List of environment variables mounted from configMaps or secrets for the Reposilite container.             | `[]`                                        |
+| `deployment.reposilite.image.registry`             | Image registry, eg. `docker.io`.                                                                           | `docker.io`                                 |
+| `deployment.reposilite.image.repository`           | Image repository, eg. `library/busybox`.                                                                   | `dzikoysk/reposilite`                       |
+| `deployment.reposilite.image.tag`                  | Custom image tag, eg. `0.1.0`. Defaults to `appVersion`.                                                   | `""`                                        |
+| `deployment.reposilite.image.pullPolicy`           | Image pull policy.                                                                                         | `IfNotPresent`                              |
+| `deployment.reposilite.resources`                  | CPU and memory resources of the pod.                                                                       | `{}`                                        |
+| `deployment.reposilite.securityContext`            | Security context of the container of the deployment.                                                       | `{}`                                        |
+| `deployment.reposilite.volumeMounts`               | Additional volume mounts.                                                                                  | `[]`                                        |
+| `deployment.nodeSelector`                          | NodeSelector of the Reposilite deployment.                                                                 | `{}`                                        |
+| `deployment.pluginContainer.args`                  | Arguments passed to the plugin container.                                                                  | `["--location","--fail","--max-time","60"]` |
+| `deployment.pluginContainer.image.registry`        | Image registry, eg. `docker.io`.                                                                           | `docker.io`                                 |
+| `deployment.pluginContainer.image.repository`      | Image repository, eg. `curlimages/curl`.                                                                   | `curlimages/curl`                           |
+| `deployment.pluginContainer.image.tag`             | Custom image tag, eg. `0.1.0`.                                                                             | `8.16.0`                                    |
+| `deployment.pluginContainer.image.pullPolicy`      | Image pull policy.                                                                                         | `IfNotPresent`                              |
+| `deployment.priorityClassName`                     | PriorityClassName of the Reposilite deployment.                                                            | `""`                                        |
+| `deployment.replicas`                              | Number of replicas for the Reposilite deployment.                                                          | `1`                                         |
+| `deployment.restartPolicy`                         | Restart policy of the Reposilite deployment.                                                               | `""`                                        |
+| `deployment.securityContext`                       | Security context of the Reposilite deployment.                                                             | `{}`                                        |
+| `deployment.strategy.type`                         | Strategy type - `Recreate` or `RollingUpdate`.                                                             | `RollingUpdate`                             |
+| `deployment.strategy.rollingUpdate.maxSurge`       | The maximum number of pods that can be scheduled above the desired number of pods during a rolling update. | `1`                                         |
+| `deployment.strategy.rollingUpdate.maxUnavailable` | The maximum number of pods that can be unavailable during a rolling update.                                | `1`                                         |
+| `deployment.terminationGracePeriodSeconds`         | How long to wait until forcefully kill the pod.                                                            | `60`                                        |
+| `deployment.tolerations`                           | Tolerations of the Reposilite deployment.                                                                  | `[]`                                        |
+| `deployment.topologySpreadConstraints`             | TopologySpreadConstraints of the Reposilite deployment.                                                    | `[]`                                        |
+| `deployment.volumes`                               | Additional volumes to mount into the pods of the reposilite deployment.                                    | `[]`                                        |
 
 ### Horizontal Pod Autoscaler (HPA)
 
@@ -261,6 +302,45 @@ networkPolicies:
 | `persistentVolumeClaim.new.size`                           | Size of the persistent volume claim.                                                                                                                                                                 | `10Gi`          |
 | `persistentVolumeClaim.new.storageClass`                   | Custom storage class. Left it empty to use the clusters default storage class.                                                                                                                       | `""`            |
 
+### Prometheus
+
+| Name                                                      | Description                                                                                                                                  | Value      |
+| --------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------- | ---------- |
+| `prometheus.metrics.enabled`                              | Enable of scraping metrics by Prometheus.                                                                                                    | `false`    |
+| `prometheus.metrics.secret.existing.enabled`              | Use an existing secret containing the basic auth credentials.                                                                                | `false`    |
+| `prometheus.metrics.secret.existing.secretName`           | Name of the secret containing the basic auth credentials.                                                                                    | `""`       |
+| `prometheus.metrics.secret.existing.basicAuthUsernameKey` | Name of the key in the secret that contains the username for basic auth.                                                                     | `""`       |
+| `prometheus.metrics.secret.existing.basicAuthPasswordKey` | Name of the key in the secret that contains the password for basic auth.                                                                     | `""`       |
+| `prometheus.metrics.secret.new.annotations`               | Additional secret annotations.                                                                                                               | `{}`       |
+| `prometheus.metrics.secret.new.labels`                    | Additional secret labels.                                                                                                                    | `{}`       |
+| `prometheus.metrics.secret.new.basicAuthUsername`         | Username for basic auth. The username and password is required by reposilite to expose metrics. Default: random alpha numeric string.        | `""`       |
+| `prometheus.metrics.secret.new.basicAuthPassword`         | Password for basic auth. The username and password is required by reposilite to expose metrics. Default random alpha numeric string.         | `""`       |
+| `prometheus.metrics.podMonitor.enabled`                   | Enable creation of a podMonitor. Excludes the existence of a serviceMonitor resource.                                                        | `false`    |
+| `prometheus.metrics.podMonitor.annotations`               | Additional podMonitor annotations.                                                                                                           | `{}`       |
+| `prometheus.metrics.podMonitor.enableHttp2`               | Enable HTTP2.                                                                                                                                | `false`    |
+| `prometheus.metrics.podMonitor.followRedirects`           | FollowRedirects configures whether scrape requests follow HTTP 3xx redirects.                                                                | `false`    |
+| `prometheus.metrics.podMonitor.honorLabels`               | Honor labels.                                                                                                                                | `false`    |
+| `prometheus.metrics.podMonitor.labels`                    | Additional podMonitor labels.                                                                                                                | `{}`       |
+| `prometheus.metrics.podMonitor.interval`                  | Interval at which metrics should be scraped. If not specified Prometheus' global scrape interval is used.                                    | `60s`      |
+| `prometheus.metrics.podMonitor.path`                      | HTTP path of the Reposilite pod for scraping Prometheus metrics.                                                                             | `/metrics` |
+| `prometheus.metrics.podMonitor.port`                      | HTTP port of the Reposilite pod for scraping Prometheus metrics.                                                                             | `http`     |
+| `prometheus.metrics.podMonitor.relabelings`               | RelabelConfigs to apply to samples before scraping. Prometheus Operator automatically adds relabelings for a few standard Kubernetes fields. | `[]`       |
+| `prometheus.metrics.podMonitor.scrapeTimeout`             | Timeout after which the scrape is ended. If not specified, global Prometheus scrape timeout is used.                                         | `30s`      |
+| `prometheus.metrics.podMonitor.scheme`                    | HTTP scheme to use for scraping. For example `http` or `https`.                                                                              | `http`     |
+| `prometheus.metrics.podMonitor.tlsConfig`                 | TLS configuration to use when scraping the metric endpoint by Prometheus.                                                                    | `{}`       |
+| `prometheus.metrics.serviceMonitor.enabled`               | Enable creation of a serviceMonitor. Excludes the existence of a podMonitor resource.                                                        | `false`    |
+| `prometheus.metrics.serviceMonitor.annotations`           | Additional serviceMonitor annotations.                                                                                                       | `{}`       |
+| `prometheus.metrics.serviceMonitor.labels`                | Additional serviceMonitor labels.                                                                                                            | `{}`       |
+| `prometheus.metrics.serviceMonitor.enableHttp2`           | Enable HTTP2.                                                                                                                                | `false`    |
+| `prometheus.metrics.serviceMonitor.followRedirects`       | FollowRedirects configures whether scrape requests follow HTTP 3xx redirects.                                                                | `false`    |
+| `prometheus.metrics.serviceMonitor.honorLabels`           | Honor labels.                                                                                                                                | `false`    |
+| `prometheus.metrics.serviceMonitor.interval`              | Interval at which metrics should be scraped. If not specified Prometheus' global scrape interval is used.                                    | `60s`      |
+| `prometheus.metrics.serviceMonitor.path`                  | HTTP path for scraping Prometheus metrics.                                                                                                   | `/metrics` |
+| `prometheus.metrics.serviceMonitor.relabelings`           | RelabelConfigs to apply to samples before scraping. Prometheus Operator automatically adds relabelings for a few standard Kubernetes fields. | `[]`       |
+| `prometheus.metrics.serviceMonitor.scrapeTimeout`         | Timeout after which the scrape is ended. If not specified, global Prometheus scrape timeout is used.                                         | `30s`      |
+| `prometheus.metrics.serviceMonitor.scheme`                | HTTP scheme to use for scraping. For example `http` or `https`.                                                                              | `http`     |
+| `prometheus.metrics.serviceMonitor.tlsConfig`             | TLS configuration to use when scraping the metric endpoint by Prometheus.                                                                    | `{}`       |
+
 ### Service
 
 | Name                               | Description                                                                                                                                                                                                | Value       |
@@ -276,6 +356,7 @@ networkPolicies:
 | `service.loadBalancerIP`           | LoadBalancer will get created with the IP specified in this field. Requires service from type `LoadBalancer`.                                                                                              | `""`        |
 | `service.loadBalancerSourceRanges` | Source range filter for LoadBalancer. Requires service from type `LoadBalancer`.                                                                                                                           | `[]`        |
 | `service.port`                     | Port to forward the traffic to.                                                                                                                                                                            | `8080`      |
+| `service.scheme`                   | Name of the service port. This name is also used as scheme / port name of the service monitor resource.                                                                                                    | `http`      |
 | `service.sessionAffinity`          | Supports `ClientIP` and `None`. Enable client IP based session affinity via `ClientIP`.                                                                                                                    | `None`      |
 | `service.sessionAffinityConfig`    | Contains the configuration of the session affinity.                                                                                                                                                        | `{}`        |
 | `service.type`                     | Kubernetes service type for the traffic.                                                                                                                                                                   | `ClusterIP` |

renovate.json

@@ -64,5 +64,16 @@
         "patch"
       ]
     }
-  ]
+  ],
+  "postUpgradeTasks": {
+    "commands": [
+      "install-tool node",
+      "make readme"
+    ],
+    "fileFilters": [
+      "README.md",
+      "values.yaml"
+    ],
+    "executionMode": "update"
+  }
 }

templates/_deployment.tpl

@@ -17,11 +17,32 @@
 {{- if .Values.persistentVolumeClaim.enabled }}
 {{- $env = concat $env (list (dict "name" "REPOSILITE_DATA" "value" .Values.persistentVolumeClaim.path )) }}
 {{- end }}
+
+{{- if eq (include "reposilite.podMonitor.enabled" $) "true" }}
+{{- $env = concat $env (list (dict "name" "REPOSILITE_PROMETHEUS_PATH" "value" .Values.prometheus.metrics.podMonitor.path )) }}
+{{- end }}
+
+{{- if eq (include "reposilite.serviceMonitor.enabled" $) "true" }}
+{{- $env = concat $env (list (dict "name" "REPOSILITE_PROMETHEUS_PATH" "value" .Values.prometheus.metrics.serviceMonitor.path )) }}
+{{- end }}
+
+{{- if or (eq (include "reposilite.podMonitor.enabled" $ ) "true") (eq (include "reposilite.serviceMonitor.enabled" $ ) "true") -}}
+{{- $env = concat $env (list (dict "name" "REPOSILITE_PROMETHEUS_USER" "valueFrom" (dict "secretKeyRef" (dict "name" (include "reposilite.secrets.prometheusBasicAuth.name" $) "key" (include "reposilite.secrets.prometheusBasicAuth.usernameKey" $))))) }}
+{{- $env = concat $env (list (dict "name" "REPOSILITE_PROMETHEUS_PASSWORD" "valueFrom" (dict "secretKeyRef" (dict "name" (include "reposilite.secrets.prometheusBasicAuth.name" $) "key" (include "reposilite.secrets.prometheusBasicAuth.passwordKey" $))))) }}
+{{- end }}
+
 {{ toYaml (dict "env" $env) }}
 {{- end -}}
 
 {{/* image */}}
 
+{{- define "reposilite.deployment.images.plugin.fqin" -}}
+{{- $registry := .Values.deployment.pluginContainer.image.registry -}}
+{{- $repository := .Values.deployment.pluginContainer.image.repository -}}
+{{- $tag := default .Chart.AppVersion .Values.deployment.pluginContainer.image.tag -}}
+{{- printf "%s/%s:%s" $registry $repository $tag -}}
+{{- end -}}
+
 {{- define "reposilite.deployment.images.reposilite.fqin" -}}
 {{- $registry := .Values.deployment.reposilite.image.registry -}}
 {{- $repository := .Values.deployment.reposilite.image.repository -}}
@@ -38,6 +59,34 @@
 {{- end }}
 {{- end }}
 
+{{/* initContainers */}}
+
+{{- define "reposilite.deployment.initContainers" -}}
+{{- $initContainers := .Values.deployment.initContainers | default list -}}
+{{- $pluginContainerImage := (include "reposilite.deployment.images.plugin.fqin" . ) }}
+{{- $pluginContainerArgs := .Values.deployment.pluginContainer.args | default list }}
+{{- $pluginContainerArgs := concat $pluginContainerArgs (list "--output-dir" "/app/data/plugins" ) }}
+{{- $pluginContainerVolumeMounts := list (dict "name" "plugins" "mountPath" "/app/data/plugins") }}
+
+{{- if eq (include "reposilite.plugins.prometheus.enabled" $) "true" }}
+{{- $fileName := splitList "/" (tpl .Values.config.plugins.prometheus.url $) | last }}
+{{- $individualArgs := concat $pluginContainerArgs (list "--output" $fileName (tpl .Values.config.plugins.prometheus.url $)) }}
+{{- $initContainers = concat $initContainers (list (dict "args" $individualArgs "name" "download-prometheus-plugin" "image" $pluginContainerImage "volumeMounts" $pluginContainerVolumeMounts)) }}
+{{- end }}
+
+{{ toYaml (dict "initContainers" $initContainers) }}
+
+{{- end }}
+
+{{/* plugins */}}
+{{- define "reposilite.plugins.prometheus.enabled" -}}
+{{- if or .Values.config.plugins.prometheus.enabled .Values.prometheus.metrics.enabled -}}
+true
+{{- else -}}
+false
+{{- end -}}
+{{- end }}
+
 {{/* serviceAccount */}}
 
 {{- define "reposilite.deployment.serviceAccount" -}}
@@ -55,6 +104,11 @@
 {{- if .Values.persistentVolumeClaim.enabled }}
 {{- $volumeMounts = concat $volumeMounts (list (dict "name" "data" "mountPath" .Values.persistentVolumeClaim.path )) }}
 {{- end }}
+
+{{- if eq (include "reposilite.plugins.prometheus.enabled" $) "true" }}
+{{- $volumeMounts = concat $volumeMounts (list (dict "name" "plugins" "mountPath" "/app/data/plugins")) }}
+{{- end }}
+
 {{ toYaml (dict "volumeMounts" $volumeMounts) }}
 {{- end -}}
 
@@ -66,6 +120,13 @@
 {{- if and .Values.persistentVolumeClaim.enabled (not .Values.persistentVolumeClaim.existing.enabled) }}
 {{- $persistentVolumeClaimName := include "reposilite.persistentVolumeClaim.name" $ -}}
 {{- $volumes = concat $volumes (list (dict "name" "data" "persistentVolumeClaim" (dict "claimName" $persistentVolumeClaimName))) }}
+{{- else if and .Values.persistentVolumeClaim.enabled .Values.persistentVolumeClaim.existing.enabled .Values.persistentVolumeClaim.existing.persistentVolumeClaimName -}}
+{{- $persistentVolumeClaimName := .Values.persistentVolumeClaim.existing.persistentVolumeClaimName -}}
+{{- $volumes = concat $volumes (list (dict "name" "data" "persistentVolumeClaim" (dict "claimName" $persistentVolumeClaimName))) }}
+{{- end }}
+
+{{- if eq (include "reposilite.plugins.prometheus.enabled" $) "true" }}
+{{- $volumes = concat $volumes (list (dict "name" "plugins" "emptyDir" dict)) }}
 {{- end }}
 
 {{ toYaml (dict "volumes" $volumes) }}

templates/_pod.tpl

@@ -4,6 +4,9 @@
 
 {{- define "reposilite.pod.annotations" -}}
 {{ include "reposilite.annotations" . }}
+{{- if and .Values.prometheus.metrics.enabled (not .Values.prometheus.metrics.secret.existing.enabled) -}}
+{{- printf "checksum/secret-%s: %s" (include "reposilite.secrets.prometheusBasicAuth.name" $) (include (print $.Template.BasePath "/secretPrometheusBasicAuth.yaml") . | sha256sum) }}
+{{- end -}}
 {{- end }}
 
 {{/* labels */}}

templates/_podMonitors.tpl

@@ -0,0 +1,27 @@
+{{/* vim: set filetype=mustache: */}}
+
+{{/* annotations */}}
+{{- define "reposilite.podMonitor.annotations" -}}
+{{ include "reposilite.annotations" . }}
+{{- if .Values.prometheus.metrics.podMonitor.annotations }}
+{{ toYaml .Values.prometheus.metrics.podMonitor.annotations }}
+{{- end }}
+{{- end }}
+
+{{/* enabled */}}
+{{- define "reposilite.podMonitor.enabled" -}}
+{{- if and .Values.prometheus.metrics.enabled .Values.prometheus.metrics.podMonitor.enabled (not .Values.prometheus.metrics.serviceMonitor.enabled) -}}
+true
+{{- else -}}
+false
+{{- end -}}
+{{- end }}
+
+{{/* labels */}}
+
+{{- define "reposilite.podMonitor.labels" -}}
+{{ include "reposilite.labels" . }}
+{{- if .Values.prometheus.metrics.podMonitor.labels }}
+{{ toYaml .Values.prometheus.metrics.podMonitor.labels }}
+{{- end }}
+{{- end }}

templates/_secrets.tpl

@@ -0,0 +1,53 @@
+{{/* vim: set filetype=mustache: */}}
+
+{{/* annotations */}}
+
+{{- define "reposilite.secrets.prometheusBasicAuth.annotations" -}}
+{{ include "reposilite.annotations" . }}
+{{- if .Values.prometheus.metrics.secret.new.annotations }}
+{{ toYaml .Values.prometheus.metrics.secret.new.annotations }}
+{{- end }}
+{{- end }}
+
+{{/* labels */}}
+
+{{- define "reposilite.secrets.prometheusBasicAuth.labels" -}}
+{{ include "reposilite.labels" . }}
+{{- if .Values.prometheus.metrics.secret.new.labels }}
+{{ toYaml .Values.prometheus.metrics.secret.new.labels }}
+{{- end }}
+{{- end }}
+
+{{/* names */}}
+
+{{- define "reposilite.secrets.prometheusBasicAuth.name" -}}
+{{- if and .Values.prometheus.metrics.secret.existing.enabled (gt (len .Values.prometheus.metrics.secret.existing.secretName) 0) }}
+{{- print .Values.prometheus.metrics.secret.existing.secretName -}}
+{{- else if and .Values.prometheus.metrics.secret.existing.enabled (eq (len .Values.prometheus.metrics.secret.existing.secretName) 0) }}
+{{ fail "Name of the existing secret that contains the credentials for basic auth is not defined!" }}
+{{- else if not .Values.prometheus.metrics.secret.existing.enabled }}
+{{- printf "%s-basic-auth-credentials" (include "reposilite.fullname" $) -}}
+{{- end }}
+{{- end }}
+
+{{/* secretKeyNames */}}
+
+{{- define "reposilite.secrets.prometheusBasicAuth.passwordKey" -}}
+{{- if and .Values.prometheus.metrics.secret.existing.enabled (gt (len .Values.prometheus.metrics.secret.existing.basicAuthPasswordKey) 0) -}}
+{{- .Values.prometheus.metrics.secret.existing.basicAuthPasswordKey -}}
+{{- else if and .Values.prometheus.metrics.secret.existing.enabled (eq (len .Values.prometheus.metrics.secret.existing.basicAuthPasswordKey) 0) }}
+{{ fail "Name of the key in the secret that contains the password for basic auth is not defined!" }}
+{{- else if and (not .Values.prometheus.metrics.secret.existing.enabled) }}
+{{- print "password" -}}
+{{- end }}
+{{- end }}
+
+{{- define "reposilite.secrets.prometheusBasicAuth.usernameKey" -}}
+{{- if and .Values.prometheus.metrics.secret.existing.enabled (gt (len .Values.prometheus.metrics.secret.existing.basicAuthUsernameKey) 0) -}}
+{{- .Values.prometheus.metrics.secret.existing.basicAuthUsernameKey -}}
+{{- else if and .Values.prometheus.metrics.secret.existing.enabled (eq (len .Values.prometheus.metrics.secret.existing.basicAuthUsernameKey) 0) }}
+{{ fail "Name of the key in the secret that contains the username for basic auth is not defined!" }}
+{{- else if and (not .Values.prometheus.metrics.secret.existing.enabled) }}
+{{- print "username" -}}
+{{- end }}
+{{- end }}

templates/_serviceMonitors.tpl

@@ -0,0 +1,35 @@
+{{/* vim: set filetype=mustache: */}}
+
+{{/* annotations */}}
+
+{{- define "reposilite.serviceMonitor.annotations" -}}
+{{ include "reposilite.annotations" . }}
+{{- if .Values.prometheus.metrics.serviceMonitor.annotations }}
+{{ toYaml .Values.prometheus.metrics.serviceMonitor.annotations }}
+{{- end }}
+{{- end }}
+
+{{/* enabled */}}
+
+{{- define "reposilite.serviceMonitor.enabled" -}}
+{{- if and .Values.prometheus.metrics.enabled (not .Values.prometheus.metrics.podMonitor.enabled) .Values.prometheus.metrics.serviceMonitor.enabled .Values.service.enabled -}}
+true
+{{- else -}}
+false
+{{- end -}}
+{{- end }}
+
+{{/* labels */}}
+
+{{- define "reposilite.serviceMonitor.labels" -}}
+{{ include "reposilite.labels" . }}
+{{- if .Values.prometheus.metrics.serviceMonitor.labels }}
+{{ toYaml .Values.prometheus.metrics.serviceMonitor.labels }}
+{{- end }}
+{{- end }}
+
+{{- define "reposilite.serviceMonitor.selectorLabels" -}}
+{{ include "reposilite.selectorLabels" . }}
+{{/* Add label to select the correct service via `selector.matchLabels` of the serviceMonitor resource. */}}
+app.kubernetes.io/service-name: {{ required "The scheme of the serviceMonitor is not defined!" .Values.service.scheme }}
+{{- end }}

templates/_services.tpl

@@ -16,6 +16,8 @@
 {{- if .Values.service.labels }}
 {{ toYaml .Values.service.labels }}
 {{- end }}
+{{/* Add label to select the correct service via `selector.matchLabels` of the serviceMonitor resource. */}}
+app.kubernetes.io/service-name: {{ required "The scheme of the serviceMonitor is not defined!" .Values.service.scheme }}
 {{- end }}
 
 {{/* names */}}

templates/deployment.yaml

@@ -68,7 +68,10 @@ spec:
         name: reposilite
         ports:
         - name: http
-          containerPort: {{ .Values.service.port }}
+          containerPort: 8080
+          protocol: TCP
+        - name: https
+          containerPort: 8443
           protocol: TCP
         readinessProbe:
           tcpSocket:
@@ -106,6 +109,11 @@ spec:
       imagePullSecrets:
         {{- toYaml . | nindent 8 }}
       {{- end }}
+      {{- $initContainers := (include "reposilite.deployment.initContainers" . | fromYaml) }}
+      {{- if and (hasKey $initContainers "initContainers") (gt (len $initContainers.initContainers) 0) }}
+      initContainers:
+      {{- toYaml $initContainers.initContainers | nindent 6 }}
+      {{- end }}
       {{- with .Values.deployment.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}

templates/podMonitor.yaml

@@ -0,0 +1,47 @@
+{{- if eq (include "reposilite.podMonitor.enabled" $) "true" }}
+---
+apiVersion: monitoring.coreos.com/v1
+kind: PodMonitor
+metadata:
+  {{- with (include "reposilite.podMonitor.annotations" . | fromYaml) }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  {{- with (include "reposilite.podMonitor.labels" . | fromYaml) }}
+  labels:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  name: {{ include "reposilite.fullname" . }}
+  namespace: {{ .Release.Namespace }}
+spec:
+  podMetricsEndpoints:
+  - basicAuth:
+      password:
+        key: {{ include "reposilite.secrets.prometheusBasicAuth.passwordKey" . }}
+        name: {{ include "reposilite.secrets.prometheusBasicAuth.name" . }}
+      username:
+        key: {{ include "reposilite.secrets.prometheusBasicAuth.usernameKey" . }}
+        name: {{ include "reposilite.secrets.prometheusBasicAuth.name" . }}
+    enableHttp2: {{ required "The enableHttp2 option of the podMonitor is not defined!" .Values.prometheus.metrics.podMonitor.enableHttp2 }}
+    followRedirects: {{ required "The followRedirects option of the podMonitor is not defined!" .Values.prometheus.metrics.podMonitor.followRedirects }}
+    honorLabels: {{ required "The honorLabels option of the podMonitor is not defined!" .Values.prometheus.metrics.podMonitor.honorLabels }}
+    interval: {{ required "The scrape interval of the podMonitor is not defined!" .Values.prometheus.metrics.podMonitor.interval }}
+    path: {{ required "The metric path of the podMonitor is not defined!" .Values.prometheus.metrics.podMonitor.path }}
+    port: {{ required "The metric port of the podMonitor is not defined!" .Values.prometheus.metrics.podMonitor.port | quote }}
+    {{- with .Values.prometheus.metrics.podMonitor.relabelings }}
+    relabelings:
+      {{- toYaml . | nindent 6 }}
+    {{- end }}
+    scrapeTimeout: {{ required "The scrape timeout of the podMonitor is not defined!" .Values.prometheus.metrics.podMonitor.scrapeTimeout }}
+    scheme: {{ required "The scheme of the podMonitor is not defined!" .Values.prometheus.metrics.podMonitor.scheme }}
+    {{- with .Values.prometheus.metrics.podMonitor.tlsConfig }}
+    tlsConfig:
+      {{- toYaml . | nindent 6 }}
+    {{- end }}
+  namespaceSelector:
+    matchNames:
+    - {{ .Release.Namespace }}
+  selector:
+    matchLabels:
+      {{- include "reposilite.pod.selectorLabels" . | nindent 6 }}
+{{- end }}

templates/secretPrometheusBasicAuth.yaml

@@ -0,0 +1,19 @@
+{{- if and .Values.prometheus.metrics.enabled (not .Values.prometheus.metrics.secret.existing.enabled) }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  {{- with (include "reposilite.secrets.prometheusBasicAuth.annotations" . | fromYaml) }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  {{- with (include "reposilite.secrets.prometheusBasicAuth.labels" . | fromYaml) }}
+  labels:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  name: {{ include "reposilite.secrets.prometheusBasicAuth.name" . }}
+  namespace: {{ .Release.Namespace }}
+stringData:
+  password: {{ default (randAlphaNum 16) .Values.prometheus.metrics.secret.new.basicAuthPassword }}
+  username: {{ default (randAlphaNum 16) .Values.prometheus.metrics.secret.new.basicAuthUsername }}
+{{- end }}

templates/service.yaml

@@ -43,7 +43,7 @@ spec:
   {{- end }}
   {{- end }}
   ports:
-  - name: http
+  - name: {{ required "No service name defined. Either 'http' or 'https' is allowed!" .Values.service.scheme }}
     protocol: TCP
     port: {{ required "No service port defined!" .Values.service.port }}
   selector:

templates/serviceMonitor.yaml

@@ -0,0 +1,47 @@
+{{- if eq (include "reposilite.serviceMonitor.enabled" $) "true" }}
+---
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  {{- with (include "reposilite.serviceMonitor.annotations" . | fromYaml) }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  {{- with (include "reposilite.serviceMonitor.labels" . | fromYaml) }}
+  labels:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  name: {{ include "reposilite.fullname" . }}
+  namespace: {{ .Release.Namespace }}
+spec:
+  endpoints:
+  - basicAuth:
+      password:
+        key: {{ include "reposilite.secrets.prometheusBasicAuth.passwordKey" . }}
+        name: {{ include "reposilite.secrets.prometheusBasicAuth.name" . }}
+      username:
+        key: {{ include "reposilite.secrets.prometheusBasicAuth.usernameKey" . }}
+        name: {{ include "reposilite.secrets.prometheusBasicAuth.name" . }}
+    enableHttp2: {{ required "The enableHttp2 option of the serviceMonitor is not defined!" .Values.prometheus.metrics.serviceMonitor.enableHttp2 }}
+    followRedirects: {{ required "The followRedirects option of the serviceMonitor is not defined!" .Values.prometheus.metrics.serviceMonitor.followRedirects }}
+    honorLabels: {{ required "The honorLabels option of the serviceMonitor is not defined!" .Values.prometheus.metrics.serviceMonitor.honorLabels }}
+    interval: {{ required "The scrape interval of the serviceMonitor is not defined!" .Values.prometheus.metrics.serviceMonitor.interval }}
+    path: {{ required "The metric path of the serviceMonitor is not defined!" .Values.prometheus.metrics.serviceMonitor.path }}
+    port: {{ required "The port of the serviceMonitor is not defined!" .Values.service.scheme }}
+    {{- with .Values.prometheus.metrics.serviceMonitor.relabelings }}
+    relabelings:
+      {{- toYaml . | nindent 6 }}
+    {{- end }}
+    scrapeTimeout: {{ required "The scrape timeout of the serviceMonitor is not defined!" .Values.prometheus.metrics.serviceMonitor.scrapeTimeout }}
+    scheme: {{ required "The scheme of the serviceMonitor is not defined!" .Values.prometheus.metrics.serviceMonitor.scheme }}
+    {{- with .Values.prometheus.metrics.serviceMonitor.tlsConfig }}
+    tlsConfig:
+      {{- toYaml . | nindent 6 }}
+    {{- end }}
+  namespaceSelector:
+    matchNames:
+    - {{ .Release.Namespace }}
+  selector:
+    matchLabels:
+      {{- include "reposilite.serviceMonitor.selectorLabels" . | nindent 6 }}
+{{- end }}

unittests/deployment/configPlugins.yaml

@@ -0,0 +1,42 @@
+chart:
+  appVersion: 0.1.0
+  version: 0.1.0
+suite: Test reposilite plugins
+release:
+  name: reposilite-unittest
+  namespace: testing
+templates:
+- templates/deployment.yaml
+- templates/secretPrometheusBasicAuth.yaml
+tests:
+- it: Test init containers for prometheus
+  set:
+    config.plugins.prometheus.enabled: true
+    config.plugins.prometheus.url: "https://reposilite.com/plugins/prometheus.jar"
+    deployment.pluginContainer.image.tag: 0.1.0
+  asserts:
+  - contains:
+      path: spec.template.spec.initContainers
+      content:
+        args:
+        - --location
+        - --fail
+        - --max-time
+        - "60"
+        - --output-dir
+        - /app/data/plugins
+        - --output
+        - prometheus.jar
+        - https://reposilite.com/plugins/prometheus.jar
+        name: download-prometheus-plugin
+        image: docker.io/curlimages/curl:0.1.0
+        volumeMounts:
+        - mountPath: /app/data/plugins
+          name: plugins
+    template: templates/deployment.yaml
+  - contains:
+      path: spec.template.spec.volumes
+      content:
+        name: plugins
+        emptyDir: {}
+    template: templates/deployment.yaml

unittests/deployment/deployment.yaml

@@ -7,19 +7,23 @@ release:
   namespace: testing
 templates:
 - templates/deployment.yaml
+- templates/secretPrometheusBasicAuth.yaml
 tests:
 - it: Rendering default
   set: {}
   asserts:
   - hasDocuments:
       count: 1
+    template: templates/deployment.yaml
   - containsDocument:
       apiVersion: apps/v1
       kind: Deployment
       name: reposilite-unittest
       namespace: testing
+    template: templates/deployment.yaml
   - notExists:
       path: metadata.annotations
+    template: templates/deployment.yaml
   - equal:
       path: metadata.labels
       value:
@@ -28,14 +32,17 @@ tests:
         app.kubernetes.io/name: reposilite
         app.kubernetes.io/version: 0.1.0
         helm.sh/chart: reposilite-0.1.0
+    template: templates/deployment.yaml
   - equal:
       path: spec.replicas
       value: 1
+    template: templates/deployment.yaml
   - isSubset:
       path: spec.selector.matchLabels
       content:
         app.kubernetes.io/instance: reposilite-unittest
         app.kubernetes.io/name: reposilite
+    template: templates/deployment.yaml
   - equal:
       path: spec.strategy
       value:
@@ -43,9 +50,10 @@ tests:
         rollingUpdate:
           maxSurge: 1
           maxUnavailable: 1
+    template: templates/deployment.yaml
   - notExists:
       path: spec.template.metadata.annotations
-      value: sadsdf
+    template: templates/deployment.yaml
   - equal:
       path: spec.template.metadata.labels
       value:
@@ -54,25 +62,33 @@ tests:
         app.kubernetes.io/name: reposilite
         app.kubernetes.io/version: 0.1.0
         helm.sh/chart: reposilite-0.1.0
+    template: templates/deployment.yaml
   - notExists:
       path: spec.template.spec.affinity
+    template: templates/deployment.yaml
   - notExists:
       path: spec.template.spec.containers[0].args
+    template: templates/deployment.yaml
   - notExists:
       path: spec.template.spec.containers[0].command
+    template: templates/deployment.yaml
   - contains:
       path: spec.template.spec.containers[0].env
       content:
         name: JAVA_OPTS
         value: "-Xmx64M"
+    template: templates/deployment.yaml
   - notExists:
       path: spec.template.spec.containers[0].envFrom
+    template: templates/deployment.yaml
   - equal:
       path: spec.template.spec.containers[0].image
       value: docker.io/dzikoysk/reposilite:0.1.0
+    template: templates/deployment.yaml
   - equal:
       path: spec.template.spec.containers[0].imagePullPolicy
       value: IfNotPresent
+    template: templates/deployment.yaml
   - isSubset:
       path: spec.template.spec.containers[0].livenessProbe
       content:
@@ -83,15 +99,18 @@ tests:
         periodSeconds: 60
         successThreshold: 1
         timeoutSeconds: 3
+    template: templates/deployment.yaml
   - equal:
       path: spec.template.spec.containers[0].name
       value: reposilite
+    template: templates/deployment.yaml
   - contains:
       path: spec.template.spec.containers[0].ports
       content:
         name: http
         containerPort: 8080
         protocol: TCP
+    template: templates/deployment.yaml
   - isSubset:
       path: spec.template.spec.containers[0].readinessProbe
       content:
@@ -102,42 +121,60 @@ tests:
         periodSeconds: 15
         successThreshold: 1
         timeoutSeconds: 3
+    template: templates/deployment.yaml
   - notExists:
       path: spec.template.spec.containers[0].resources
+    template: templates/deployment.yaml
   - notExists:
       path: spec.template.spec.containers[0].securityContext
+    template: templates/deployment.yaml
   - notExists:
       path: spec.template.spec.containers[0].volumeMounts
+    template: templates/deployment.yaml
   - notExists:
       path: spec.template.spec.dnsConfig
+    template: templates/deployment.yaml
   - notExists:
       path: spec.template.spec.dnsPolicy
+    template: templates/deployment.yaml
   - notExists:
       path: spec.template.spec.hostname
+    template: templates/deployment.yaml
   - equal:
       path: spec.template.spec.hostNetwork
       value: false
+    template: templates/deployment.yaml
   - notExists:
       path: spec.template.spec.imagePullSecrets
+    template: templates/deployment.yaml
   - notExists:
       path: spec.template.spec.initContainers
+    template: templates/deployment.yaml
   - notExists:
       path: spec.template.spec.nodeSelector
+    template: templates/deployment.yaml
   - notExists:
       path: spec.template.spec.priorityClassName
+    template: templates/deployment.yaml
   - notExists:
       path: spec.template.spec.restartPolicy
+    template: templates/deployment.yaml
   - notExists:
       path: spec.template.spec.subdomain
+    template: templates/deployment.yaml
   - equal:
       path: spec.template.spec.terminationGracePeriodSeconds
       value: 60
+    template: templates/deployment.yaml
   - notExists:
       path: spec.template.spec.tolerations
+    template: templates/deployment.yaml
   - notExists:
       path: spec.template.spec.topologySpreadConstraints
+    template: templates/deployment.yaml
   - notExists:
       path: spec.template.spec.volumes
+    template: templates/deployment.yaml
 
 - it: Test custom replicas
   set:
@@ -146,6 +183,7 @@ tests:
   - equal:
       path: spec.replicas
       value: 3
+    template: templates/deployment.yaml
 
 - it: Test custom strategy
   set:
@@ -162,6 +200,7 @@ tests:
         rollingUpdate:
           maxSurge: 10
           maxUnavailable: 5
+    template: templates/deployment.yaml
 
 - it: Test custom affinity
   set:
@@ -188,6 +227,7 @@ tests:
                 values:
                 - antarctica-east1
                 - antarctica-west1
+    template: templates/deployment.yaml
 
 - it: Test additional arguments
   set:
@@ -200,6 +240,7 @@ tests:
       value:
       - --foo=bar
       - --bar=foo
+    template: templates/deployment.yaml
 
 - it: Test additional commands
   set:
@@ -210,6 +251,7 @@ tests:
       path: spec.template.spec.containers[0].command
       value:
       - /bin/bash
+    template: templates/deployment.yaml
 
 - it: Test custom imageRegistry and imageRepository
   set:
@@ -220,6 +262,7 @@ tests:
   - equal:
       path: spec.template.spec.containers[0].image
       value: registry.example.local/path/special/reposilite:2.0.0
+    template: templates/deployment.yaml
 
 - it: Test custom imagePullPolicy
   set:
@@ -228,17 +271,7 @@ tests:
   - equal:
       path: spec.template.spec.containers[0].imagePullPolicy
       value: Always
-
-- it: Test custom port
-  set:
-    service.port: 8443
-  asserts:
-  - contains:
-      path: spec.template.spec.containers[0].ports
-      content:
-        name: http
-        containerPort: 8443
-        protocol: TCP
+    template: templates/deployment.yaml
 
 - it: Test custom resources
   set:
@@ -259,6 +292,7 @@ tests:
         requests:
           cpu: 25m
           memory: 100MB
+    template: templates/deployment.yaml
 
 - it: Test custom securityContext
   set:
@@ -285,6 +319,7 @@ tests:
         readOnlyRootFilesystem: true
         runAsNonRoot: true
         runAsUser: 1000
+    template: templates/deployment.yaml
 
 - it: Test custom volumeMounts
   set:
@@ -297,6 +332,7 @@ tests:
       content:
         name: data
         mountPath: /usr/lib/data
+    template: templates/deployment.yaml
 
 - it: Test dnsConfig
   set:
@@ -311,6 +347,7 @@ tests:
         nameservers:
         - "8.8.8.8"
         - "8.8.4.4"
+    template: templates/deployment.yaml
 
 - it: Test dnsPolicy
   set:
@@ -319,6 +356,7 @@ tests:
   - equal:
       path: spec.template.spec.dnsPolicy
       value: ClusterFirst
+    template: templates/deployment.yaml
 
 - it: Test hostNetwork, hostname, subdomain
   set:
@@ -329,12 +367,15 @@ tests:
   - equal:
       path: spec.template.spec.hostNetwork
       value: true
+    template: templates/deployment.yaml
   - equal:
       path: spec.template.spec.hostname
       value: pg-exporter
+    template: templates/deployment.yaml
   - equal:
       path: spec.template.spec.subdomain
       value: exporters.internal
+    template: templates/deployment.yaml
 
 - it: Test imagePullSecrets
   set:
@@ -347,6 +388,20 @@ tests:
       value:
       - name: my-pull-secret
       - name: my-special-secret
+    template: templates/deployment.yaml
+
+- it: Test initContainers
+  set:
+    deployment.initContainers:
+    - name: busybox
+      image: docker.io/library/busybox:latest
+  asserts:
+  - contains:
+      path: spec.template.spec.initContainers
+      content:
+        name: busybox
+        image: docker.io/library/busybox:latest
+    template: templates/deployment.yaml
 
 - it: Test nodeSelector
   set:
@@ -357,6 +412,7 @@ tests:
       path: spec.template.spec.nodeSelector
       value:
         foo: bar
+    template: templates/deployment.yaml
 
 - it: Test priorityClassName
   set:
@@ -365,6 +421,7 @@ tests:
   - equal:
       path: spec.template.spec.priorityClassName
       value: my-priority
+    template: templates/deployment.yaml
 
 - it: Test restartPolicy
   set:
@@ -373,6 +430,7 @@ tests:
   - equal:
       path: spec.template.spec.restartPolicy
       value: Always
+    template: templates/deployment.yaml
 
 - it: Test custom securityContext
   set:
@@ -389,6 +447,7 @@ tests:
         runAsNonRoot: true
         runAsUser: 1000
         runAsGroup: 1000
+    template: templates/deployment.yaml
 
 - it: Test terminationGracePeriodSeconds
   set:
@@ -397,6 +456,7 @@ tests:
   - equal:
       path: spec.template.spec.terminationGracePeriodSeconds
       value: 120
+    template: templates/deployment.yaml
 
 - it: Test tolerations
   set:
@@ -413,6 +473,7 @@ tests:
         operator: Equal
         value: ssd
         effect: NoSchedule
+    template: templates/deployment.yaml
 
 - it: Test topologySpreadConstraints
   set:
@@ -431,6 +492,7 @@ tests:
         labelSelector:
           matchLabels:
             app.kubernetes.io/instance: reposilite
+    template: templates/deployment.yaml
 
 - it: Test additional volumes
   set:
@@ -445,3 +507,4 @@ tests:
       - name: data
         hostPath:
           path: /usr/lib/data
+    template: templates/deployment.yaml

unittests/deployment/mountPersistentVolumeClaim.yaml

@@ -7,6 +7,7 @@ release:
   namespace: testing
 templates:
 - templates/deployment.yaml
+- templates/secretPrometheusBasicAuth.yaml
 tests:
 - it: Rendering default volumes and volumeMounts with persistent volume claim
   set:
@@ -17,17 +18,20 @@ tests:
       content:
         name: REPOSILITE_DATA
         value: /app/data
+    template: templates/deployment.yaml
   - contains:
       path: spec.template.spec.containers[0].volumeMounts
       content:
         name: data
         mountPath: /app/data
+    template: templates/deployment.yaml
   - contains:
       path: spec.template.spec.volumes
       content:
         name: data
         persistentVolumeClaim:
           claimName: reposilite-unittest
+    template: templates/deployment.yaml
 
 - it: Rendering custom volumes and volumeMounts with persistent volume claim
   set:
@@ -39,14 +43,43 @@ tests:
       content:
         name: REPOSILITE_DATA
         value: /usr/lib/reposilite/data
+    template: templates/deployment.yaml
   - contains:
       path: spec.template.spec.containers[0].volumeMounts
       content:
         name: data
         mountPath: /usr/lib/reposilite/data
+    template: templates/deployment.yaml
   - contains:
       path: spec.template.spec.volumes
       content:
         name: data
         persistentVolumeClaim:
           claimName: reposilite-unittest
+    template: templates/deployment.yaml
+
+- it: Rendering custom volumes and volumeMounts with persistent volume claim
+  set:
+    persistentVolumeClaim.enabled: true
+    persistentVolumeClaim.existing.enabled: true
+    persistentVolumeClaim.existing.persistentVolumeClaimName: my-custom-pvc
+  asserts:
+  - contains:
+      path: spec.template.spec.containers[0].env
+      content:
+        name: REPOSILITE_DATA
+        value: /app/data
+    template: templates/deployment.yaml
+  - contains:
+      path: spec.template.spec.containers[0].volumeMounts
+      content:
+        name: data
+        mountPath: /app/data
+    template: templates/deployment.yaml
+  - contains:
+      path: spec.template.spec.volumes
+      content:
+        name: data
+        persistentVolumeClaim:
+          claimName: my-custom-pvc
+    template: templates/deployment.yaml

unittests/deployment/prometheusPodMonitor.yaml

@@ -0,0 +1,107 @@
+chart:
+  appVersion: 0.1.0
+  version: 0.1.0
+suite: Add prometheus basic auth variables
+release:
+  name: reposilite-unittest
+  namespace: testing
+templates:
+- templates/deployment.yaml
+- templates/secretPrometheusBasicAuth.yaml
+tests:
+- it: Rendering default environment variables with enabled prometheus metrics podMonitor
+  set:
+    prometheus.metrics.enabled: true
+    prometheus.metrics.podMonitor.enabled: true
+  asserts:
+  - exists:
+      path: spec.template.metadata.annotations.checksum/secret-reposilite-unittest-basic-auth-credentials
+    template: templates/deployment.yaml
+  - contains:
+      path: spec.template.spec.containers[0].env
+      content:
+        name: REPOSILITE_PROMETHEUS_PASSWORD
+        valueFrom:
+          secretKeyRef:
+            name: reposilite-unittest-basic-auth-credentials
+            key: password
+    template: templates/deployment.yaml
+  - contains:
+      path: spec.template.spec.containers[0].env
+      content:
+        name: REPOSILITE_PROMETHEUS_USER
+        valueFrom:
+          secretKeyRef:
+            name: reposilite-unittest-basic-auth-credentials
+            key: username
+    template: templates/deployment.yaml
+
+- it: Rendering default environment variables with enabled prometheus metrics serviceMonitor and external secret
+  set:
+    prometheus.metrics.enabled: true
+    prometheus.metrics.secret.existing.enabled: true
+    prometheus.metrics.secret.existing.basicAuthUsernameKey: my-username-key
+    prometheus.metrics.secret.existing.basicAuthPasswordKey: my-password-key
+    prometheus.metrics.secret.existing.secretName: my-secret
+    prometheus.metrics.podMonitor.enabled: true
+  asserts:
+  - notExists:
+      path: spec.template.metadata.annotations.checksum/secret-reposilite-unittest-basic-auth-credentials
+    template: templates/deployment.yaml
+  - contains:
+      path: spec.template.spec.containers[0].env
+      content:
+        name: REPOSILITE_PROMETHEUS_PASSWORD
+        valueFrom:
+          secretKeyRef:
+            name: my-secret
+            key: my-password-key
+    template: templates/deployment.yaml
+  - contains:
+      path: spec.template.spec.containers[0].env
+      content:
+        name: REPOSILITE_PROMETHEUS_USER
+        valueFrom:
+          secretKeyRef:
+            name: my-secret
+            key: my-username-key
+    template: templates/deployment.yaml
+
+- it: Fail when existing secret name is undefined
+  set:
+    prometheus.metrics.enabled: true
+    prometheus.metrics.secret.existing.enabled: true
+    prometheus.metrics.secret.existing.basicAuthUsernameKey: "my-username-key"
+    prometheus.metrics.secret.existing.basicAuthPasswordKey: "my-password-key"
+    prometheus.metrics.secret.existing.secretName: ""
+    prometheus.metrics.podMonitor.enabled: true
+  asserts:
+  - failedTemplate:
+      errorMessage: "Name of the existing secret that contains the credentials for basic auth is not defined!"
+    template: templates/deployment.yaml
+
+- it: Fail when the name of the key in the secret that contains the username for basic auth is undefined
+  set:
+    prometheus.metrics.enabled: true
+    prometheus.metrics.secret.existing.enabled: true
+    prometheus.metrics.secret.existing.basicAuthUsernameKey: ""
+    prometheus.metrics.secret.existing.basicAuthPasswordKey: "my-password-key"
+    prometheus.metrics.secret.existing.secretName: "my-secret"
+    prometheus.metrics.podMonitor.enabled: true
+  asserts:
+  - failedTemplate:
+      errorMessage: "Name of the key in the secret that contains the username for basic auth is not defined!"
+    template: templates/deployment.yaml
+
+- it: Fail when the name of the key in the secret that contains the password for basic auth is undefined
+  set:
+    prometheus.metrics.enabled: true
+    prometheus.metrics.secret.existing.enabled: true
+    prometheus.metrics.secret.existing.basicAuthUsernameKey: "my-username-key"
+    prometheus.metrics.secret.existing.basicAuthPasswordKey: ""
+    prometheus.metrics.secret.existing.secretName: "my-secret"
+    prometheus.metrics.podMonitor.enabled: true
+  asserts:
+  - failedTemplate:
+      errorMessage: "Name of the key in the secret that contains the password for basic auth is not defined!"
+    template: templates/deployment.yaml

unittests/deployment/prometheusServiceMonitor.yaml

@@ -0,0 +1,107 @@
+chart:
+  appVersion: 0.1.0
+  version: 0.1.0
+suite: Add prometheus basic auth variables
+release:
+  name: reposilite-unittest
+  namespace: testing
+templates:
+- templates/deployment.yaml
+- templates/secretPrometheusBasicAuth.yaml
+tests:
+- it: Rendering default environment variables with enabled prometheus metrics serviceMonitor
+  set:
+    prometheus.metrics.enabled: true
+    prometheus.metrics.serviceMonitor.enabled: true
+  asserts:
+  - exists:
+      path: spec.template.metadata.annotations.checksum/secret-reposilite-unittest-basic-auth-credentials
+    template: templates/deployment.yaml
+  - contains:
+      path: spec.template.spec.containers[0].env
+      content:
+        name: REPOSILITE_PROMETHEUS_PASSWORD
+        valueFrom:
+          secretKeyRef:
+            name: reposilite-unittest-basic-auth-credentials
+            key: password
+    template: templates/deployment.yaml
+  - contains:
+      path: spec.template.spec.containers[0].env
+      content:
+        name: REPOSILITE_PROMETHEUS_USER
+        valueFrom:
+          secretKeyRef:
+            name: reposilite-unittest-basic-auth-credentials
+            key: username
+    template: templates/deployment.yaml
+
+- it: Rendering default environment variables with enabled prometheus metrics serviceMonitor and external secret
+  set:
+    prometheus.metrics.enabled: true
+    prometheus.metrics.secret.existing.enabled: true
+    prometheus.metrics.secret.existing.basicAuthUsernameKey: my-username-key
+    prometheus.metrics.secret.existing.basicAuthPasswordKey: my-password-key
+    prometheus.metrics.secret.existing.secretName: my-secret
+    prometheus.metrics.serviceMonitor.enabled: true
+  asserts:
+  - notExists:
+      path: spec.template.metadata.annotations.checksum/secret-reposilite-unittest-basic-auth-credentials
+    template: templates/deployment.yaml
+  - contains:
+      path: spec.template.spec.containers[0].env
+      content:
+        name: REPOSILITE_PROMETHEUS_PASSWORD
+        valueFrom:
+          secretKeyRef:
+            name: my-secret
+            key: my-password-key
+    template: templates/deployment.yaml
+  - contains:
+      path: spec.template.spec.containers[0].env
+      content:
+        name: REPOSILITE_PROMETHEUS_USER
+        valueFrom:
+          secretKeyRef:
+            name: my-secret
+            key: my-username-key
+    template: templates/deployment.yaml
+
+- it: Fail when existing secret name is undefined
+  set:
+    prometheus.metrics.enabled: true
+    prometheus.metrics.secret.existing.enabled: true
+    prometheus.metrics.secret.existing.basicAuthUsernameKey: "my-username-key"
+    prometheus.metrics.secret.existing.basicAuthPasswordKey: "my-password-key"
+    prometheus.metrics.secret.existing.secretName: ""
+    prometheus.metrics.serviceMonitor.enabled: true
+  asserts:
+  - failedTemplate:
+      errorMessage: "Name of the existing secret that contains the credentials for basic auth is not defined!"
+    template: templates/deployment.yaml
+
+- it: Fail when the name of the key in the secret that contains the username for basic auth is undefined
+  set:
+    prometheus.metrics.enabled: true
+    prometheus.metrics.secret.existing.enabled: true
+    prometheus.metrics.secret.existing.basicAuthUsernameKey: ""
+    prometheus.metrics.secret.existing.basicAuthPasswordKey: "my-password-key"
+    prometheus.metrics.secret.existing.secretName: "my-secret"
+    prometheus.metrics.serviceMonitor.enabled: true
+  asserts:
+  - failedTemplate:
+      errorMessage: "Name of the key in the secret that contains the username for basic auth is not defined!"
+    template: templates/deployment.yaml
+
+- it: Fail when the name of the key in the secret that contains the password for basic auth is undefined
+  set:
+    prometheus.metrics.enabled: true
+    prometheus.metrics.secret.existing.enabled: true
+    prometheus.metrics.secret.existing.basicAuthUsernameKey: "my-username-key"
+    prometheus.metrics.secret.existing.basicAuthPasswordKey: ""
+    prometheus.metrics.secret.existing.secretName: "my-secret"
+    prometheus.metrics.serviceMonitor.enabled: true
+  asserts:
+  - failedTemplate:
+      errorMessage: "Name of the key in the secret that contains the password for basic auth is not defined!"
+    template: templates/deployment.yaml

unittests/podMonitors/podMonitor.yaml

@@ -0,0 +1,179 @@
+chart:
+  appVersion: 0.1.0
+  version: 0.1.0
+suite: PodMonitor template
+release:
+  name: reposilite-unittest
+  namespace: testing
+templates:
+- templates/podMonitor.yaml
+tests:
+- it: Skip podMonitor when metrics are disabled.
+  set:
+    prometheus.metrics.enabled: false
+    prometheus.metrics.podMonitor.enabled: true
+    prometheus.metrics.serviceMonitor.enabled: true
+  asserts:
+  - hasDocuments:
+      count: 0
+
+- it: Skip podMonitor when podMonitor is disabled.
+  set:
+    prometheus.metrics.enabled: true
+    prometheus.metrics.podMonitor.enabled: false
+  asserts:
+  - hasDocuments:
+      count: 0
+
+- it: Skip podMonitor when both monitor types are enabled.
+  set:
+    prometheus.metrics.enabled: true
+    prometheus.metrics.podMonitor.enabled: true
+    prometheus.metrics.serviceMonitor.enabled: true
+  asserts:
+  - hasDocuments:
+      count: 0
+
+- it: Rendering podMonitor with default values - enabled manually.
+  set:
+    prometheus.metrics.enabled: true
+    prometheus.metrics.podMonitor.enabled: true
+  asserts:
+  - hasDocuments:
+      count: 1
+  - containsDocument:
+      apiVersion: monitoring.coreos.com/v1
+      kind: PodMonitor
+      name: reposilite-unittest
+      namespace: testing
+  - notExists:
+      path: metadata.annotations
+  - equal:
+      path: metadata.labels
+      value:
+        app.kubernetes.io/instance: reposilite-unittest
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: reposilite
+        app.kubernetes.io/version: 0.1.0
+        helm.sh/chart: reposilite-0.1.0
+  - isSubset:
+      path: spec.podMetricsEndpoints[0].basicAuth
+      content:
+        password:
+          key: password
+          name: reposilite-unittest-basic-auth-credentials
+        username:
+          key: username
+          name: reposilite-unittest-basic-auth-credentials
+  - equal:
+      path: spec.podMetricsEndpoints[0].enableHttp2
+      value: false
+  - equal:
+      path: spec.podMetricsEndpoints[0].followRedirects
+      value: false
+  - equal:
+      path: spec.podMetricsEndpoints[0].honorLabels
+      value: false
+  - equal:
+      path: spec.podMetricsEndpoints[0].interval
+      value: 60s
+  - equal:
+      path: spec.podMetricsEndpoints[0].path
+      value: /metrics
+  - equal:
+      path: spec.podMetricsEndpoints[0].port
+      value: http
+  - notExists:
+      path: spec.podMetricsEndpoints[0].relabelings
+  - equal:
+      path: spec.podMetricsEndpoints[0].scrapeTimeout
+      value: 30s
+  - equal:
+      path: spec.podMetricsEndpoints[0].scheme
+      value: http
+  - contains:
+      path: spec.namespaceSelector.matchNames
+      content:
+        testing
+  - equal:
+      path: spec.selector.matchLabels
+      value:
+        app.kubernetes.io/instance: reposilite-unittest
+        app.kubernetes.io/name: reposilite
+
+- it: Render podMonitor with custom annotations and labels.
+  set:
+    prometheus.metrics.enabled: true
+    prometheus.metrics.podMonitor.enabled: true
+    prometheus.metrics.podMonitor.annotations:
+      foo: bar
+    prometheus.metrics.podMonitor.labels:
+      bar: foo
+  asserts:
+  - equal:
+      path: metadata.annotations
+      value:
+        foo: bar
+  - equal:
+      path: metadata.labels
+      value:
+        app.kubernetes.io/instance: reposilite-unittest
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: reposilite
+        app.kubernetes.io/version: 0.1.0
+        bar: foo
+        helm.sh/chart: reposilite-0.1.0
+
+- it: Change defaults
+  set:
+    prometheus.metrics.enabled: true
+    prometheus.metrics.podMonitor.enabled: true
+    prometheus.metrics.podMonitor.enableHttp2: false
+    prometheus.metrics.podMonitor.followRedirects: true
+    prometheus.metrics.podMonitor.honorLabels: true
+    prometheus.metrics.podMonitor.interval: "180s"
+    prometheus.metrics.podMonitor.path: "/my-metrics"
+    prometheus.metrics.podMonitor.port: "8443"
+    prometheus.metrics.podMonitor.relabelings:
+    - sourceLabels: [ container ]
+      separator: ";"
+      regex: "app"
+      replacement: "$1"
+      action: "drop"
+    prometheus.metrics.podMonitor.scheme: https
+    prometheus.metrics.podMonitor.scrapeTimeout: "5s"
+  asserts:
+  - hasDocuments:
+      count: 1
+  - equal:
+      path: spec.podMetricsEndpoints[0].enableHttp2
+      value: false
+  - equal:
+      path: spec.podMetricsEndpoints[0].followRedirects
+      value: true
+  - equal:
+      path: spec.podMetricsEndpoints[0].honorLabels
+      value: true
+  - equal:
+      path: spec.podMetricsEndpoints[0].interval
+      value: 180s
+  - equal:
+      path: spec.podMetricsEndpoints[0].path
+      value: /my-metrics
+  - equal:
+      path: spec.podMetricsEndpoints[0].port
+      value: "8443"
+  - contains:
+      path: spec.podMetricsEndpoints[0].relabelings
+      content:
+        sourceLabels: [ container ]
+        separator: ";"
+        regex: "app"
+        replacement: "$1"
+        action: "drop"
+  - equal:
+      path: spec.podMetricsEndpoints[0].scrapeTimeout
+      value: 5s
+  - equal:
+      path: spec.podMetricsEndpoints[0].scheme
+      value: https

unittests/secrets/basicAuth.yaml

@@ -0,0 +1,78 @@
+chart:
+  appVersion: 0.1.0
+  version: 0.1.0
+suite: Secret reposilite template
+release:
+  name: reposilite-unittest
+  namespace: testing
+templates:
+- templates/secretPrometheusBasicAuth.yaml
+tests:
+- it: Skip rendering
+  asserts:
+  - hasDocuments:
+      count: 0
+
+- it: Rendering secret with default values.
+  set:
+    prometheus.metrics.enabled: true
+  asserts:
+  - hasDocuments:
+      count: 1
+  - containsDocument:
+      apiVersion: v1
+      kind: Secret
+      name: reposilite-unittest-basic-auth-credentials
+      namespace: testing
+  - notExists:
+      path: metadata.annotations
+  - equal:
+      path: metadata.labels
+      value:
+        app.kubernetes.io/instance: reposilite-unittest
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: reposilite
+        app.kubernetes.io/version: 0.1.0
+        helm.sh/chart: reposilite-0.1.0
+  - exists:
+      path: stringData.password
+  - exists:
+      path: stringData.username
+
+- it: Rendering secret with custom values.
+  set:
+    prometheus.metrics.enabled: true
+    prometheus.metrics.secret.new.basicAuthPassword: foo
+    prometheus.metrics.secret.new.basicAuthUsername: bar
+    prometheus.metrics.secret.new.annotations:
+      foo: bar
+    prometheus.metrics.secret.new.labels:
+      bar: foo
+  asserts:
+  - hasDocuments:
+      count: 1
+  - exists:
+      path: metadata.annotations
+      value:
+        foo: bar
+  - exists:
+      path: metadata.labels
+      value:
+        bar: foo
+  - equal:
+      path: metadata.name
+      value: reposilite-unittest-basic-auth-credentials
+  - equal:
+      path: stringData.password
+      value: foo
+  - equal:
+      path: stringData.username
+      value: bar
+
+- it: Skip rendering if existing secret is used
+  set:
+    prometheus.metrics.enabled: true
+    prometheus.metrics.secret.existing.enabled: true
+  asserts:
+  - hasDocuments:
+      count: 0

unittests/serviceMonitors/serviceMonitor.yaml

@@ -0,0 +1,194 @@
+chart:
+  appVersion: 0.1.0
+  version: 0.1.0
+suite: ServiceMonitor template
+release:
+  name: reposilite-unittest
+  namespace: testing
+templates:
+- templates/serviceMonitor.yaml
+tests:
+- it: Skip serviceMonitor when service is disabled.
+  set:
+    prometheus.metrics.enabled: true
+    prometheus.metrics.serviceMonitor.enabled: true
+    service.enabled: false
+  asserts:
+  - hasDocuments:
+      count: 0
+
+- it: Skip serviceMonitor when metrics are disabled.
+  set:
+    prometheus.metrics.enabled: false
+    prometheus.metrics.serviceMonitor.enabled: true
+    services.http.enabled: true
+  asserts:
+  - hasDocuments:
+      count: 0
+
+- it: Skip serviceMonitor when serviceMonitor is disabled.
+  set:
+    prometheus.metrics.enabled: true
+    prometheus.metrics.serviceMonitor.enabled: false
+    services.http.enabled: true
+  asserts:
+  - hasDocuments:
+      count: 0
+
+- it: Rendering serviceMonitor with default values - enabled manually.
+  set:
+    prometheus.metrics.enabled: true
+    prometheus.metrics.serviceMonitor.enabled: true
+  asserts:
+  - hasDocuments:
+      count: 1
+  - containsDocument:
+      apiVersion: monitoring.coreos.com/v1
+      kind: ServiceMonitor
+      name: reposilite-unittest
+      namespace: testing
+  - notExists:
+      path: metadata.annotations
+  - equal:
+      path: metadata.labels
+      value:
+        app.kubernetes.io/instance: reposilite-unittest
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: reposilite
+        app.kubernetes.io/version: 0.1.0
+        helm.sh/chart: reposilite-0.1.0
+  - isSubset:
+      path: spec.endpoints[0].basicAuth
+      content:
+        password:
+          key: password
+          name: reposilite-unittest-basic-auth-credentials
+        username:
+          key: username
+          name: reposilite-unittest-basic-auth-credentials
+  - equal:
+      path: spec.endpoints[0].enableHttp2
+      value: false
+  - equal:
+      path: spec.endpoints[0].followRedirects
+      value: false
+  - equal:
+      path: spec.endpoints[0].honorLabels
+      value: false
+  - equal:
+      path: spec.endpoints[0].interval
+      value: 60s
+  - equal:
+      path: spec.endpoints[0].path
+      value: /metrics
+  - notExists:
+      path: spec.endpoints[0].relabelings
+  - equal:
+      path: spec.endpoints[0].scrapeTimeout
+      value: 30s
+  - equal:
+      path: spec.endpoints[0].scheme
+      value: http
+  - equal:
+      path: spec.endpoints[0].port
+      value: http
+  - contains:
+      path: spec.namespaceSelector.matchNames
+      content:
+        testing
+  - equal:
+      path: spec.selector.matchLabels
+      value:
+        app.kubernetes.io/instance: reposilite-unittest
+        app.kubernetes.io/name: reposilite
+        app.kubernetes.io/service-name: http
+
+- it: Render serviceMonitor with custom annotations and labels.
+  set:
+    prometheus.metrics.enabled: true
+    prometheus.metrics.serviceMonitor.enabled: true
+    prometheus.metrics.serviceMonitor.annotations:
+      foo: bar
+    prometheus.metrics.serviceMonitor.labels:
+      bar: foo
+  asserts:
+  - equal:
+      path: metadata.annotations
+      value:
+        foo: bar
+  - equal:
+      path: metadata.labels
+      value:
+        app.kubernetes.io/instance: reposilite-unittest
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: reposilite
+        app.kubernetes.io/version: 0.1.0
+        bar: foo
+        helm.sh/chart: reposilite-0.1.0
+
+- it: Change defaults
+  set:
+    prometheus.metrics.enabled: true
+    prometheus.metrics.secret.existing.enabled: true
+    prometheus.metrics.secret.existing.secretName: "my-secret"
+    prometheus.metrics.secret.existing.basicAuthUsernameKey: "my-username-key"
+    prometheus.metrics.secret.existing.basicAuthPasswordKey: "my-password-key"
+    prometheus.metrics.serviceMonitor.enabled: true
+    prometheus.metrics.serviceMonitor.enableHttp2: false
+    prometheus.metrics.serviceMonitor.followRedirects: true
+    prometheus.metrics.serviceMonitor.honorLabels: true
+    prometheus.metrics.serviceMonitor.interval: "180s"
+    prometheus.metrics.serviceMonitor.path: "/my-metrics"
+    prometheus.metrics.serviceMonitor.relabelings:
+    - sourceLabels: [ container ]
+      separator: ";"
+      regex: "app"
+      replacement: "$1"
+      action: "drop"
+    prometheus.metrics.serviceMonitor.scrapeTimeout: "5s"
+    prometheus.metrics.serviceMonitor.scheme: "https"
+    service.scheme: https
+  asserts:
+  - hasDocuments:
+      count: 1
+  - isSubset:
+      path: spec.endpoints[0].basicAuth
+      content:
+        password:
+          key: my-password-key
+          name: my-secret
+        username:
+          key: my-username-key
+          name: my-secret
+  - equal:
+      path: spec.endpoints[0].enableHttp2
+      value: false
+  - equal:
+      path: spec.endpoints[0].followRedirects
+      value: true
+  - equal:
+      path: spec.endpoints[0].honorLabels
+      value: true
+  - equal:
+      path: spec.endpoints[0].interval
+      value: 180s
+  - equal:
+      path: spec.endpoints[0].path
+      value: /my-metrics
+  - equal:
+      path: spec.endpoints[0].port
+      value: https
+  - contains:
+      path: spec.endpoints[0].relabelings
+      content:
+        sourceLabels: [ container ]
+        separator: ";"
+        regex: "app"
+        replacement: "$1"
+        action: "drop"
+  - equal:
+      path: spec.endpoints[0].scrapeTimeout
+      value: 5s
+  - equal:
+      path: spec.endpoints[0].scheme
+      value: https

unittests/services/service.yaml

@@ -32,6 +32,7 @@ tests:
         app.kubernetes.io/instance: reposilite-unittest
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: reposilite
+        app.kubernetes.io/service-name: http
         app.kubernetes.io/version: 0.1.0
         helm.sh/chart: reposilite-0.1.0
   - notExists:
@@ -86,6 +87,13 @@ tests:
   - failedTemplate:
     errorMessage: No service port defined!
 
+- it: Require scheme.
+  set:
+    service.scheme: ""
+  asserts:
+  - failedTemplate:
+    errorMessage: No service scheme defined!
+
 - it: Require sessionAffinity.
   set:
     service.sessionAffinity: ""
@@ -106,6 +114,7 @@ tests:
       foo: bar
     service.labels:
       bar: foo
+    service.scheme: https
   asserts:
   - equal:
       path: metadata.annotations
@@ -117,6 +126,7 @@ tests:
         app.kubernetes.io/instance: reposilite-unittest
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: reposilite
+        app.kubernetes.io/service-name: https
         app.kubernetes.io/version: 0.1.0
         helm.sh/chart: reposilite-0.1.0
         bar: foo
@@ -134,6 +144,7 @@ tests:
     service.loadBalancerSourceRanges:
     - "11.12.0.0/17"
     service.port: 10443
+    service.scheme: https
     service.sessionAffinity: ClientIP
     service.type: LoadBalancer
   asserts:
@@ -161,6 +172,9 @@ tests:
       path: spec.loadBalancerSourceRanges
       value:
       - "11.12.0.0/17"
+  - equal:
+      path: spec.ports[0].name
+      value: https
   - equal:
       path: spec.ports[0].port
       value: 10443

values.yaml

@@ -6,6 +6,17 @@
 nameOverride: ""
 fullnameOverride: ""
 
+
+## @section Config
+config:
+  plugins:
+    ## @param config.plugins.prometheus.enabled Download the Prometheus plugin via an additional init container. The Prometheus plugin will automatically enabled, when Prometheus is enabled.
+    ## @param config.plugins.prometheus.url URL to download the plugin.
+    prometheus:
+      enabled: false
+      url: https://maven.reposilite.com/releases/com/reposilite/plugin/prometheus-plugin/{{ .Chart.AppVersion }}/prometheus-plugin-{{ .Chart.AppVersion }}-all.jar
+
+
 ## @section Deployment
 deployment:
   ## @param deployment.annotations Additional deployment annotations.
@@ -149,6 +160,24 @@ deployment:
   ## @param deployment.nodeSelector NodeSelector of the Reposilite deployment.
   nodeSelector: {}
 
+  pluginContainer:
+    ## @param deployment.pluginContainer.args Arguments passed to the plugin container.
+    args:
+    - "--location"
+    - "--fail"
+    - "--max-time"
+    - "60"
+
+    ## @param deployment.pluginContainer.image.registry Image registry, eg. `docker.io`.
+    ## @param deployment.pluginContainer.image.repository Image repository, eg. `curlimages/curl`.
+    ## @param deployment.pluginContainer.image.tag Custom image tag, eg. `0.1.0`.
+    ## @param deployment.pluginContainer.image.pullPolicy Image pull policy.
+    image:
+      registry: docker.io
+      repository: curlimages/curl
+      tag: "8.16.0"
+      pullPolicy: IfNotPresent
+
   ## @param deployment.priorityClassName PriorityClassName of the Reposilite deployment.
   priorityClassName: ""
 
@@ -183,13 +212,14 @@ deployment:
 
   ## @param deployment.topologySpreadConstraints TopologySpreadConstraints of the Reposilite deployment.
   topologySpreadConstraints: []
-  # - topologyKey: kubernetes.io/hostname
+  # - maxSkew: 1
+  #   topologyKey: kubernetes.io/hostname
   #   whenUnsatisfiable: DoNotSchedule
   #   labelSelector:
   #     matchLabels:
-  #       app.kubernetes.io/instance: prometheus-reposilite
+  #       app.kubernetes.io/instance: reposilite
 
-  ## @param deployment.volumes Additional volumes to mount into the pods of the prometheus-exporter deployment.
+  ## @param deployment.volumes Additional volumes to mount into the pods of the reposilite deployment.
   volumes: []
   # - name: my-configmap-volume
   #   config:
@@ -301,6 +331,11 @@ networkPolicy:
   #   - port: 53
   #     protocol: UDP
 
+  ## Allow outgoing HTTP traffic. For example to download maven artifacts from Apache Maven Central or Reposlite plugins from upstream.
+  # - ports:
+  #   - port: 443
+  #     protocol: TCP
+
   ingress: []
   # Allow incoming HTTP traffic from prometheus.
   #
@@ -314,6 +349,8 @@ networkPolicy:
   #   ports:
   #   - port: http
   #     protocol: TCP
+  #   - port: https
+  #     protocol: TCP
 
   # Allow incoming HTTP traffic from ingress-nginx.
   #
@@ -327,6 +364,8 @@ networkPolicy:
   #   ports:
   #   - port: http
   #     protocol: TCP
+  #   - port: https
+  #     protocol: TCP
 
 
 ## @section Persistent Volume Claim
@@ -355,6 +394,89 @@ persistentVolumeClaim:
     storageClass: ""
 
 
+## @section Prometheus
+prometheus:
+  metrics:
+    ## @param prometheus.metrics.enabled Enable of scraping metrics by Prometheus.
+    enabled: false
+
+    secret:
+      ## @param prometheus.metrics.secret.existing.enabled Use an existing secret containing the basic auth credentials.
+      ## @param prometheus.metrics.secret.existing.secretName Name of the secret containing the basic auth credentials.
+      ## @param prometheus.metrics.secret.existing.basicAuthUsernameKey Name of the key in the secret that contains the username for basic auth.
+      ## @param prometheus.metrics.secret.existing.basicAuthPasswordKey Name of the key in the secret that contains the password for basic auth.
+      existing:
+        enabled: false
+        secretName: ""
+        basicAuthUsernameKey: ""
+        basicAuthPasswordKey: ""
+
+      ## @param prometheus.metrics.secret.new.annotations Additional secret annotations.
+      ## @param prometheus.metrics.secret.new.labels Additional secret labels.
+      ## @param prometheus.metrics.secret.new.basicAuthUsername Username for basic auth. The username and password is required by reposilite to expose metrics. Default: random alpha numeric string.
+      ## @param prometheus.metrics.secret.new.basicAuthPassword Password for basic auth. The username and password is required by reposilite to expose metrics. Default random alpha numeric string.
+      new:
+        annotations: {}
+        labels: {}
+        basicAuthUsername: ""
+        basicAuthPassword: ""
+
+    ## @param prometheus.metrics.podMonitor.enabled Enable creation of a podMonitor. Excludes the existence of a serviceMonitor resource.
+    ## @param prometheus.metrics.podMonitor.annotations Additional podMonitor annotations.
+    ## @param prometheus.metrics.podMonitor.enableHttp2 Enable HTTP2.
+    ## @param prometheus.metrics.podMonitor.followRedirects FollowRedirects configures whether scrape requests follow HTTP 3xx redirects.
+    ## @param prometheus.metrics.podMonitor.honorLabels Honor labels.
+    ## @param prometheus.metrics.podMonitor.labels Additional podMonitor labels.
+    ## @param prometheus.metrics.podMonitor.interval Interval at which metrics should be scraped. If not specified Prometheus' global scrape interval is used.
+    ## @param prometheus.metrics.podMonitor.path HTTP path of the Reposilite pod for scraping Prometheus metrics.
+    ## @param prometheus.metrics.podMonitor.port HTTP port of the Reposilite pod for scraping Prometheus metrics.
+    ## @param prometheus.metrics.podMonitor.relabelings RelabelConfigs to apply to samples before scraping. Prometheus Operator automatically adds relabelings for a few standard Kubernetes fields.
+    ## @param prometheus.metrics.podMonitor.scrapeTimeout Timeout after which the scrape is ended. If not specified, global Prometheus scrape timeout is used.
+    ## @param prometheus.metrics.podMonitor.scheme HTTP scheme to use for scraping. For example `http` or `https`.
+    ## @param prometheus.metrics.podMonitor.tlsConfig TLS configuration to use when scraping the metric endpoint by Prometheus.
+    ## @skip prometheus.metrics.podMonitor.tlsConfig Skip individual TLS configuration.
+    podMonitor:
+      enabled: false
+      annotations: {}
+      enableHttp2: false
+      followRedirects: false
+      honorLabels: false
+      labels: {}
+      interval: "60s"
+      path: "/metrics"
+      port: "http"
+      relabelings: []
+      scrapeTimeout: "30s"
+      scheme: "http"
+      tlsConfig: {}
+
+    ## @param prometheus.metrics.serviceMonitor.enabled Enable creation of a serviceMonitor. Excludes the existence of a podMonitor resource.
+    ## @param prometheus.metrics.serviceMonitor.annotations Additional serviceMonitor annotations.
+    ## @param prometheus.metrics.serviceMonitor.labels Additional serviceMonitor labels.
+    ## @param prometheus.metrics.serviceMonitor.enableHttp2 Enable HTTP2.
+    ## @param prometheus.metrics.serviceMonitor.followRedirects FollowRedirects configures whether scrape requests follow HTTP 3xx redirects.
+    ## @param prometheus.metrics.serviceMonitor.honorLabels Honor labels.
+    ## @param prometheus.metrics.serviceMonitor.interval Interval at which metrics should be scraped. If not specified Prometheus' global scrape interval is used.
+    ## @param prometheus.metrics.serviceMonitor.path HTTP path for scraping Prometheus metrics.
+    ## @param prometheus.metrics.serviceMonitor.relabelings RelabelConfigs to apply to samples before scraping. Prometheus Operator automatically adds relabelings for a few standard Kubernetes fields.
+    ## @param prometheus.metrics.serviceMonitor.scrapeTimeout Timeout after which the scrape is ended. If not specified, global Prometheus scrape timeout is used.
+    ## @param prometheus.metrics.serviceMonitor.scheme HTTP scheme to use for scraping. For example `http` or `https`.
+    ## @param prometheus.metrics.serviceMonitor.tlsConfig TLS configuration to use when scraping the metric endpoint by Prometheus.
+    ## @skip prometheus.metrics.serviceMonitor.tlsConfig Skip individual TLS configuration.
+    serviceMonitor:
+      enabled: false
+      annotations: {}
+      labels: {}
+      enableHttp2: false
+      followRedirects: false
+      honorLabels: false
+      interval: "60s"
+      path: "/metrics"
+      relabelings: []
+      scrapeTimeout: "30s"
+      scheme: "http"
+      tlsConfig: {}
+
 ## @section Service
 ## @param service.enabled Enable the service.
 ## @param service.annotations Additional service annotations.
@@ -367,6 +489,7 @@ persistentVolumeClaim:
 ## @param service.loadBalancerIP LoadBalancer will get created with the IP specified in this field. Requires service from type `LoadBalancer`.
 ## @param service.loadBalancerSourceRanges Source range filter for LoadBalancer. Requires service from type `LoadBalancer`.
 ## @param service.port Port to forward the traffic to.
+## @param service.scheme Name of the service port. This name is also used as scheme / port name of the service monitor resource.
 ## @param service.sessionAffinity Supports `ClientIP` and `None`. Enable client IP based session affinity via `ClientIP`.
 ## @param service.sessionAffinityConfig Contains the configuration of the session affinity.
 ## @param service.type Kubernetes service type for the traffic.
@@ -382,6 +505,7 @@ service:
   loadBalancerIP: ""
   loadBalancerSourceRanges: []
   port: 8080
+  scheme: http
   sessionAffinity: "None"
   sessionAffinityConfig: {}
   type: "ClusterIP"