Merge remote-tracking branch 'origin/master' into feat/support-gateway-api

Reviewed-on: #48

.gitea/workflows/generate-readme.yaml

@@ -15,15 +15,14 @@ on:
 jobs:
   generate-parameters:
     container:
-      image: docker.io/library/node:24.1.0-alpine
-    runs-on:
-    - ubuntu-latest
+      image: docker.io/library/node:26.3.0-alpine
+    runs-on: ubuntu-latest
     steps:
     - name: Install tooling
       run: |
         apk update
         apk add git npm
-    - uses: actions/checkout@v4.2.2
+    - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
     - name: Generate parameter section in README
       run: |
         npm install

.gitea/workflows/helm.yaml

@@ -12,31 +12,26 @@ on:
 
 jobs:
   helm-lint:
-    container:
-      image: docker.io/volkerraschek/helm:3.18.2
-    runs-on:
-    - ubuntu-latest
+    runs-on: ubuntu-latest
     steps:
-    - name: Install tooling
-      run: |
-        apk update
-        apk add git npm
-    - uses: actions/checkout@v4.2.2
+    - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+    - uses: azure/setup-helm@dda3372f752e03dde6b3237bc9431cdc2f7a02a2 # v5.0.0
+      with:
+        version: v4.1.4 # renovate: datasource=github-releases depName=helm/helm
     - name: Lint helm files
       run: |
         helm lint --values values.yaml .
 
   helm-unittest:
-    container:
-      image: docker.io/volkerraschek/helm:3.18.2
-    runs-on:
-    - ubuntu-latest
+    runs-on: ubuntu-latest
     steps:
-    - name: Install tooling
-      run: |
-        apk update
-        apk add git npm
-    - uses: actions/checkout@v4.2.2
-    - name: Unittest
-      run: |
-        helm unittest --strict --file 'unittests/**/*.yaml' ./
+    - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+    - uses: azure/setup-helm@dda3372f752e03dde6b3237bc9431cdc2f7a02a2 # v5.0.0
+      with:
+        version: v4.1.4 # renovate: datasource=github-releases depName=helm/helm
+    - env:
+        HELM_UNITTEST_VERSION: v1.0.0 #renovate: datasource=github-releases depName=helm-unittest/helm-unittest
+      name: Install helm-unittest
+      run: helm plugin install --verify=false --version "${HELM_UNITTEST_VERSION}" https://github.com/helm-unittest/helm-unittest
+    - name: Execute helm unittests
+      run: helm unittest --strict --file 'unittests/**/*.yaml' .

.gitea/workflows/markdown-linters.yaml

@@ -15,15 +15,14 @@ on:
 jobs:
   markdown-link-checker:
     container:
-      image: docker.io/library/node:24.1.0-alpine
-    runs-on:
-    - ubuntu-latest
+      image: docker.io/library/node:26.3.0-alpine
+    runs-on: ubuntu-latest
     steps:
     - name: Install tooling
       run: |
         apk update
         apk add git npm
-    - uses: actions/checkout@v4.2.2
+    - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
     - name: Verify links in markdown files
       run: |
         npm install
@@ -31,15 +30,14 @@ jobs:
 
   markdown-lint:
     container:
-      image: docker.io/library/node:24.1.0-alpine
-    runs-on:
-    - ubuntu-latest
+      image: docker.io/library/node:26.3.0-alpine
+    runs-on: ubuntu-latest
     steps:
     - name: Install tooling
       run: |
         apk update
         apk add git
-    - uses: actions/checkout@v4.2.2
+    - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
     - name: Lint markdown files
       run: |
         npm install

.gitea/workflows/release.yaml

@@ -8,7 +8,7 @@ on:
 jobs:
   publish-chart:
     container:
-      image: docker.io/volkerraschek/helm:3.18.2
+      image: docker.io/volkerraschek/helm:3.19.2
     runs-on: ubuntu-latest
     steps:
       - name: Install packages via apk
@@ -16,7 +16,7 @@ jobs:
           apk update
           apk add git npm jq yq
 
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
         with:
           fetch-depth: 0
 

.gitignore

@@ -1,6 +1,8 @@
 charts
 node_modules
 target
-values2.yml
-values2.yaml
+!values.yaml
+!values.yml
+values*.yaml
+values*.yml
 *.tgz

.vscode/settings.json

@@ -0,0 +1,8 @@
+{
+  "yaml.schemas": {
+    "https://raw.githubusercontent.com/helm-unittest/helm-unittest/v1.1.1/schema/helm-testsuite.json": [
+      "/unittests/**/*.yaml"
+    ]
+  },
+  "yaml.schemaStore.enable": true
+}

Chart.yaml

@@ -5,7 +5,7 @@ annotations:
     - name: support
       url: https://git.cryptic.systems/volker.raschek/reposilite-charts/issues
 apiVersion: v2
-appVersion: "3.5.25"
+appVersion: "3.5.28"
 description: |
   Lightweight and easy-to-use repository management software
   dedicated for the Maven based artifacts in the JVM ecosystem

Makefile

@@ -1,16 +1,10 @@
 # CONTAINER_RUNTIME
 CONTAINER_RUNTIME?=$(shell which podman)
 
-# HELM_IMAGE
-HELM_IMAGE_REGISTRY_HOST?=docker.io
-HELM_IMAGE_REPOSITORY?=volkerraschek/helm
-HELM_IMAGE_VERSION?=3.18.2 # renovate: datasource=docker registryUrl=https://registry-nexus.orbis.dedalus.com depName=volkerraschek/helm
-HELM_IMAGE_FULLY_QUALIFIED=${HELM_IMAGE_REGISTRY_HOST}/${HELM_IMAGE_REPOSITORY}:${HELM_IMAGE_VERSION}
-
 # NODE_IMAGE
 NODE_IMAGE_REGISTRY_HOST?=docker.io
 NODE_IMAGE_REPOSITORY?=library/node
-NODE_IMAGE_VERSION?=24.1.0-alpine # renovate: datasource=docker registryUrl=https://docker.io depName=docker.io/library/node packageName=library/node
+NODE_IMAGE_VERSION?=24.11.1-alpine # renovate: datasource=docker registryUrl=https://docker.io depName=docker.io/library/node packageName=library/node
 NODE_IMAGE_FULLY_QUALIFIED=${NODE_IMAGE_REGISTRY_HOST}/${NODE_IMAGE_REPOSITORY}:${NODE_IMAGE_VERSION}
 
 # MISSING DOT
@@ -18,6 +12,25 @@ NODE_IMAGE_FULLY_QUALIFIED=${NODE_IMAGE_REGISTRY_HOST}/${NODE_IMAGE_REPOSITORY}:
 missing-dot:
 	grep --perl-regexp '## @(param|skip).*[^.]$$' values.yaml
 
+# README
+# ==============================================================================
+readme: readme/link readme/lint readme/parameters
+
+readme/link:
+	npm install && npm run readme:link
+
+readme/lint:
+	npm install && npm run readme:lint
+
+readme/parameters:
+	npm install && npm run readme:parameters
+
+# HELM UNITTESTS
+# ==============================================================================
+PHONY+=helm/unittest
+helm/unittest:
+	helm unittest --strict --file 'unittests/**/*.yaml' ./
+
 # CONTAINER RUN - README
 # ==============================================================================
 PHONY+=container-run/readme
@@ -47,32 +60,6 @@ container-run/readme/parameters:
 			${NODE_IMAGE_FULLY_QUALIFIED} \
 				npm install && npm run readme:parameters
 
-# CONTAINER RUN - HELM UNITTESTS
-# ==============================================================================
-PHONY+=container-run/helm-unittests
-container-run/helm-unittests:
-	${CONTAINER_RUNTIME} run \
-		--env HELM_REPO_PASSWORD=${CHART_SERVER_PASSWORD} \
-		--env HELM_REPO_USERNAME=${CHART_SERVER_USERNAME} \
-		--rm \
-		--volume $(shell pwd):$(shell pwd) \
-		--workdir $(shell pwd) \
-			${HELM_IMAGE_FULLY_QUALIFIED} \
-				unittest --strict --file 'unittests/**/*.yaml' ./
-
-# CONTAINER RUN - HELM UPDATE DEPENDENCIES
-# ==============================================================================
-PHONY+=container-run/helm-update-dependencies
-container-run/helm-update-dependencies:
-	${CONTAINER_RUNTIME} run \
-		--env HELM_REPO_PASSWORD=${CHART_SERVER_PASSWORD} \
-		--env HELM_REPO_USERNAME=${CHART_SERVER_USERNAME} \
-		--rm \
-		--volume $(shell pwd):$(shell pwd) \
-		--workdir $(shell pwd) \
-			${HELM_IMAGE_FULLY_QUALIFIED} \
-				dependency update
-
 # CONTAINER RUN - MARKDOWN-LINT
 # ==============================================================================
 PHONY+=container-run/helm-lint
@@ -88,4 +75,4 @@ container-run/helm-lint:
 # ==============================================================================
 # Declare the contents of the PHONY variable as phony. We keep that information
 # in a variable so we can use it in if_changed.
-.PHONY: ${PHONY}
+.PHONY: ${PHONY}

README.md

@@ -2,6 +2,10 @@
 
 [![Artifact Hub](https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/volker-raschek)](https://artifacthub.io/packages/search?repo=volker-raschek)
 
+> [!NOTE]
+> This is not the official helm chart of Reposilite. If you are looking for the official helm chart, checkout the GitHub
+> project [reposilite-playground](https://github.com/reposilite-playground/reposilite-helm).
+
 This helm chart enables the deployment of [Reposilite](https://github.com/dzikoysk/reposilite), a lightweight and
 easy-to-use repository management software dedicated for the Maven-based artifacts in the JVM ecosystem.
 
@@ -33,7 +37,7 @@ version of the chart must be in sync with the `values.yaml`. Newer *minor* versi
 versions can break something!
 
 ```bash
-CHART_VERSION=0.1.0
+CHART_VERSION=1.0.0
 helm show values volker.raschek/reposilite --version "${CHART_VERSION}" > values.yaml
 ```
 
@@ -47,7 +51,7 @@ The helm chart also contains a persistent volume claim definition. It persistent
 Use the `--set` argument to persist your data.
 
 ```bash
-CHART_VERSION=0.1.0
+CHART_VERSION=1.0.0
 helm install --version "${CHART_VERSION}" reposilite volker.raschek/reposilite \
   persistentVolumeClaim.enabled=true
 ```
@@ -59,8 +63,9 @@ The following examples serve as individual configurations and as inspiration for
 #### TLS encryption
 
 The example describe how to deploy Reposilite with TLS encryption. If Reposilite is deployed behind reverse proxy, for
-example an ingress nginx controller, please instruct the ingress to establish an TLS encrypted connection to avoid
-connection problems.
+example an ingress nginx controller or Gateway API, please instruct the reserve proxy to establish an TLS encrypted
+connection to avoid connection problems. The documentation describe configuring [ingress NGINX](#ingress-nginx) as well
+as [NGINX Gateway Fabric](#gatewayapi-nginx-fabric).
 
 > [!WARNING]
 > The secret `reposilite-tls` containing the TLS certificate is already present. The keys `ca.crt`, `tls.key` and
@@ -68,7 +73,7 @@ connection problems.
 > error.
 
 ```bash
-CHART_VERSION=0.1.0
+CHART_VERSION=1.0.0
 helm install --version "${CHART_VERSION}" reposilite volker.raschek/reposilite \
   --set 'deployment.reposilite.env[1].name=REPOSILITE_LOCAL_SSLENABLED' \
   --set 'deployment.reposilite.env[1].value="true"' \
@@ -90,27 +95,124 @@ helm install --version "${CHART_VERSION}" reposilite volker.raschek/reposilite \
   --set 'service.port=8443'
 ```
 
+##### Ingress NGINX
+
+The following changes must be applied to enable TLS encryption and authentication on-top between the ingress and backend
+service.
+
+> [!IMPORTANT]
+> The HTTP Version between the ingress nginx and backend must be set to `1.1`, as well as the TLS protocol must be set
+> to `TLSv1.2`. Otherwise can't the nginx establish a TLS connection.
+
+The secret `reposilite/ingress-nginx-controller-tls` contains TLS certificates for the nginx ingress controller. The TLS
+certificate must be created manually, for example via [cert-manager](https://cert-manager.io/). It is used by the nginx
+for TLS authentication.
+
+```yaml
+ingress:
+  enabled: true
+  className: "nginx"
+  annotations:
+    nginx.ingress.kubernetes.io/backend-protocol: HTTPS
+    nginx.ingress.kubernetes.io/proxy-http-version: "1.1"
+    nginx.ingress.kubernetes.io/proxy-ssl-secret: reposilite/ingress-nginx-controller-tls
+    nginx.ingress.kubernetes.io/proxy-ssl-protocols: TLSv1.2
+    nginx.ingress.kubernetes.io/proxy-ssl-name: reposilite
+    nginx.ingress.kubernetes.io/proxy-ssl-verify: "on"
+```
+
+##### GatewayAPI: NGINX Fabric
+
+The following changes must be applied to enable TLS encryption and authentication on-top between the ingress and backend
+service.
+
+> [!IMPORTANT]
+> The HTTP Version between the ingress nginx and backend must be set to `1.1`, as well as the TLS protocol must be set
+> to `TLSv1.2`. Otherwise can't the nginx establish a TLS connection.
+
+The `gatewayAPI.core.backendTLSPolicy.validation.caCertificateRefs` must contains at least one secret containing the
+root or intermediate certificate of the issued TLS certificate used by reposilite to be able to validate the TLS certificate.
+
+```yaml
+gatewayAPI:
+  enabled: true
+  core:
+    backendTLSPolicy:
+      enabled: true
+      validation:
+        caCertificateRefs:
+        - group: ""
+          kind: Secret
+          name: "reposilite-ca"
+        hostname: "reposilite"
+
+    httpRoute:
+      hostnames:
+      - reposilite.example.local
+      parentRefs:
+      - name: nginx
+        kind: Gateway
+        group: gateway.networking.k8s.io
+        namespace: my-gateway-namespace
+        sectionName: reposilite-https
+```
+
+The Gateway resource is not part of the helm chart, but for illustrating the configuration example, here a GatewayAPI
+resource with configured backend TLS certificate. The TLS certificates `gateway-frontend-tls` and `gateway-backend-tls`
+must also be created manually, for example via [cert-manager](https://cert-manager.io/).
+
+```yaml
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: Gateway
+metadata:
+  name: nginx
+  namespace: my-gateway-namespace
+spec:
+  gatewayClassName: nginx
+  listeners:
+    - allowedRoutes:
+        kinds:
+          - group: gateway.networking.k8s.io
+            kind: HTTPRoute
+        namespaces:
+          from: All
+      hostname: reposilite.example.local
+      name: https
+      port: 443
+      protocol: HTTPS
+      tls:
+        certificateRefs:
+          - group: ''
+            kind: Secret
+            name: gateway-frontend-tls
+            namespace: my-gateway-namespace
+        mode: Terminate
+  tls:
+    backend:
+      clientCertificateRef:
+        group: ''
+        kind: Secret
+        name: gateway-backend-tls
+        namespace: my-gateway-namespace
+```
+
 #### TLS certificate rotation
 
 If Reposilite uses TLS certificates that are mounted as a secret in the container file system like the example
-[above](#tls-encryption), Reposlite will not automatically apply them when the TLS certificates are rotated. Such a
+[above](#tls-encryption), Reposilite will not automatically apply them when the TLS certificates are rotated. Such a
 rotation can be for example triggered, when the [cert-manager](https://cert-manager.io/) issues new TLS certificates
 before expiring.
 
 Until Reposilite does not support rotating TLS certificate a workaround can be applied. For example stakater's
 [reloader](https://github.com/stakater/Reloader) controller can be used to trigger a rolling update. The following
-annotation must be added to instruct the reloader controller to trigger a rolling update, when the mounted configMaps
-and secrets have been changed.
+annotation must be added to instruct the reloader controller to trigger a rolling update, when the mounted secret has
+been changed.
 
-```yaml
-deployment:
-  annotations:
-    reloader.stakater.com/auto: "true"
-```
-
-Instead of triggering a rolling update for configMap and secret resources, this action can also be defined for
-individual items. For example, when the secret named `reposilite-tls` is mounted and the reloader controller should only
-listen for changes of this secret:
+> [!IMPORTANT]
+> The Helm chart already adds annotations to trigger a rolling release. Helm describes this approach under
+> [Automatically Roll Deployments](https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments).
+> For this reason, **only external** configMaps or secrets need to be monitored by reloader.
 
 ```yaml
 deployment:
@@ -118,14 +220,29 @@ deployment:
     secret.reloader.stakater.com/reload: "reposilite-tls"
 ```
 
-### Network policies
+If the application is rolled out using ArgoCD, a rolling update from stakater's
+[reloader](https://github.com/stakater/Reloader) can lead to a drift. ArgoCD will attempt to restore the original state
+with a rolling update. To avoid this, instead of a rolling update triggered by the reloader, a restart of the pod can be
+initiated. Further information are available in the official
+[README](https://github.com/stakater/Reloader?tab=readme-ov-file#4-%EF%B8%8F-workload-specific-rollout-strategy) of
+stakater's reloader.
+
+```diff
+  deployment:
+    annotations:
++     reloader.stakater.com/rollout-strategy: "restart"
+      secret.reloader.stakater.com/reload: "reposilite-tls"
+```
+
+#### Network policies
 
 Network policies can only take effect, when the used CNI plugin support network policies. The chart supports no custom
 network policy implementation of CNI plugins. It's support only the official API resource of `networking.k8s.io/v1`.
 
 The example below is an excerpt of the `values.yaml` file. The network policy contains ingress rules to allow incoming
-traffic from an ingress controller. Additionally one egress rule is defined, to allow the application outgoing access
-to the internal running DNS server `core-dns`.
+traffic from an ingress controller. Additionally two egress rules are defined. The first one to allow the application
+outgoing access to the internal running DNS server `core-dns`. The second rule to be able to access the Apache Maven
+Central repository via HTTPS.
 
 > [!IMPORTANT]
 > Please keep in mind, that the namespace and pod selector labels can be different from environment to environment. For
@@ -152,19 +269,100 @@ networkPolicies:
       protocol: TCP
     - port: 53
       protocol: UDP
+  - ports:
+    - port: 443
+      protocol: TCP
+
   ingress:
   - from:
+    # Ingress NGINX
     - namespaceSelector:
         matchLabels:
           kubernetes.io/metadata.name: ingress-nginx
       podSelector:
         matchLabels:
           app.kubernetes.io/name: ingress-nginx
+    # NGINX GatewayAPI Fabric
+    - namespaceSelector:
+        matchLabels:
+          kubernetes.io/metadata.name: gateway-nginx
+      podSelector:
+        matchLabels:
+          app.kubernetes.io/name: gateway-nginx
     ports:
     - port: http
       protocol: TCP
 ```
 
+### Prometheus
+
+Reposilite is not able to expose metrics by default. Reposilite requires an additional plugin to expose the metrics via
+`/metrics`. The plugin will be downloaded from Apache Maven Central, when the plugin is enabled directly or the
+Prometheus feature has been enabled. The plugin is a simple JAR file, which will be stored in `/app/data/plugins`.
+
+Furthermore, Reposilite will not expose the metrics without protection. For this reason must be defined basic auth
+credentials. By default generate the helm chart a random username and password for basic auth. For debugging propose can
+be set the credentials manually.
+
+The following example enable Prometheus metrics with custom basic auth credentials:
+
+```bash
+CHART_VERSION=1.0.0
+helm install --version "${CHART_VERSION}" reposilite volker.raschek/reposilite \
+  --set 'prometheus.metrics.enabled=true' \
+  --set 'prometheus.metrics.basicAuthUsername=my-username' \
+  --set 'prometheus.metrics.basicAuthUsername=my-password'
+```
+
+## ArgoCD
+
+### Example Application
+
+An application resource for the Helm chart is defined below. It serves as an example for your own deployment.
+
+```yaml
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+spec:
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: reposilite
+  ignoreDifferences:
+  - group: apps
+    kind: Deployment
+    jqPathExpressions:
+    # When HPA is enabled, ensure that a modification of the replicas does not lead to a
+    # drift.
+      - '.spec.replicas'
+    # Ensure that changes of the annotations or environment variables added or modified by
+    # stakater's reloader does not lead to a drift.
+    - '.spec.template.metadata.annotations | with_entries(select(.key | startswith("reloader")))'
+    - '.spec.template.spec.containers[].env[] | select(.name | startswith("STAKATER_"))'
+  sources:
+  - repoURL: https://charts.cryptic.systems/volker.raschek
+    chart: reposilite
+    targetRevision: '0.*'
+    helm:
+      valueFiles:
+      - $values/values.yaml
+      releaseName: reposilite
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    managedNamespaceMetadata:
+      annotations: {}
+      labels: {}
+    syncOptions:
+    - ApplyOutOfSyncOnly=true
+    - CreateNamespace=true
+    - FailOnSharedResource=false
+    - Replace=false
+    - RespectIgnoreDifferences=false
+    - ServerSideApply=true
+    - Validate=true
+```
+
 ## Parameters
 
 ### Global
@@ -174,44 +372,80 @@ networkPolicies:
 | `nameOverride`     | Individual release name suffix.           | `""`  |
 | `fullnameOverride` | Override the complete release name logic. | `""`  |
 
+### Config
+
+| Name                                | Description                                                                                                                                    | Value                                                                                                                                                     |
+| ----------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| `config.plugins.prometheus.enabled` | Download the Prometheus plugin via an additional init container. The Prometheus plugin will automatically enabled, when Prometheus is enabled. | `false`                                                                                                                                                   |
+| `config.plugins.prometheus.url`     | URL to download the plugin.                                                                                                                    | `https://maven.reposilite.com/releases/com/reposilite/plugin/prometheus-plugin/{{ .Chart.AppVersion }}/prometheus-plugin-{{ .Chart.AppVersion }}-all.jar` |
+
 ### Deployment
 
-| Name                                               | Description                                                                                                | Value                 |
-| -------------------------------------------------- | ---------------------------------------------------------------------------------------------------------- | --------------------- |
-| `deployment.annotations`                           | Additional deployment annotations.                                                                         | `{}`                  |
-| `deployment.labels`                                | Additional deployment labels.                                                                              | `{}`                  |
-| `deployment.additionalContainers`                  | List of additional containers.                                                                             | `[]`                  |
-| `deployment.affinity`                              | Affinity for the Reposilite deployment.                                                                    | `{}`                  |
-| `deployment.initContainers`                        | List of additional init containers.                                                                        | `[]`                  |
-| `deployment.dnsConfig`                             | dnsConfig of the Reposilite deployment.                                                                    | `{}`                  |
-| `deployment.dnsPolicy`                             | dnsPolicy of the Reposilite deployment.                                                                    | `""`                  |
-| `deployment.hostname`                              | Individual hostname of the pod.                                                                            | `""`                  |
-| `deployment.subdomain`                             | Individual domain of the pod.                                                                              | `""`                  |
-| `deployment.hostNetwork`                           | Use the kernel network namespace of the host system.                                                       | `false`               |
-| `deployment.imagePullSecrets`                      | Secret to use for pulling the image.                                                                       | `[]`                  |
-| `deployment.reposilite.args`                       | Arguments passed to the Reposilite container.                                                              | `[]`                  |
-| `deployment.reposilite.command`                    | Command passed to the Reposilite container.                                                                | `[]`                  |
-| `deployment.reposilite.env`                        | List of environment variables for the Reposilite container.                                                |                       |
-| `deployment.reposilite.envFrom`                    | List of environment variables mounted from configMaps or secrets for the Reposilite container.             | `[]`                  |
-| `deployment.reposilite.image.registry`             | Image registry, eg. `docker.io`.                                                                           | `docker.io`           |
-| `deployment.reposilite.image.repository`           | Image repository, eg. `library/busybox`.                                                                   | `dzikoysk/reposilite` |
-| `deployment.reposilite.image.tag`                  | Custom image tag, eg. `0.1.0`. Defaults to `appVersion`.                                                   | `""`                  |
-| `deployment.reposilite.image.pullPolicy`           | Image pull policy.                                                                                         | `IfNotPresent`        |
-| `deployment.reposilite.resources`                  | CPU and memory resources of the pod.                                                                       | `{}`                  |
-| `deployment.reposilite.securityContext`            | Security context of the container of the deployment.                                                       | `{}`                  |
-| `deployment.reposilite.volumeMounts`               | Additional volume mounts.                                                                                  | `[]`                  |
-| `deployment.nodeSelector`                          | NodeSelector of the Reposilite deployment.                                                                 | `{}`                  |
-| `deployment.priorityClassName`                     | PriorityClassName of the Reposilite deployment.                                                            | `""`                  |
-| `deployment.replicas`                              | Number of replicas for the Reposilite deployment.                                                          | `1`                   |
-| `deployment.restartPolicy`                         | Restart policy of the Reposilite deployment.                                                               | `""`                  |
-| `deployment.securityContext`                       | Security context of the Reposilite deployment.                                                             | `{}`                  |
-| `deployment.strategy.type`                         | Strategy type - `Recreate` or `RollingUpdate`.                                                             | `RollingUpdate`       |
-| `deployment.strategy.rollingUpdate.maxSurge`       | The maximum number of pods that can be scheduled above the desired number of pods during a rolling update. | `1`                   |
-| `deployment.strategy.rollingUpdate.maxUnavailable` | The maximum number of pods that can be unavailable during a rolling update.                                | `1`                   |
-| `deployment.terminationGracePeriodSeconds`         | How long to wait until forcefully kill the pod.                                                            | `60`                  |
-| `deployment.tolerations`                           | Tolerations of the Reposilite deployment.                                                                  | `[]`                  |
-| `deployment.topologySpreadConstraints`             | TopologySpreadConstraints of the Reposilite deployment.                                                    | `[]`                  |
-| `deployment.volumes`                               | Additional volumes to mount into the pods of the prometheus-exporter deployment.                           | `[]`                  |
+| Name                                               | Description                                                                                                | Value                                       |
+| -------------------------------------------------- | ---------------------------------------------------------------------------------------------------------- | ------------------------------------------- |
+| `deployment.annotations`                           | Additional deployment annotations.                                                                         | `{}`                                        |
+| `deployment.labels`                                | Additional deployment labels.                                                                              | `{}`                                        |
+| `deployment.additionalContainers`                  | List of additional containers.                                                                             | `[]`                                        |
+| `deployment.affinity`                              | Affinity for the Reposilite deployment.                                                                    | `{}`                                        |
+| `deployment.initContainers`                        | List of additional init containers.                                                                        | `[]`                                        |
+| `deployment.dnsConfig`                             | dnsConfig of the Reposilite deployment.                                                                    | `{}`                                        |
+| `deployment.dnsPolicy`                             | dnsPolicy of the Reposilite deployment.                                                                    | `""`                                        |
+| `deployment.hostname`                              | Individual hostname of the pod.                                                                            | `""`                                        |
+| `deployment.subdomain`                             | Individual domain of the pod.                                                                              | `""`                                        |
+| `deployment.hostNetwork`                           | Use the kernel network namespace of the host system.                                                       | `false`                                     |
+| `deployment.imagePullSecrets`                      | Secret to use for pulling the image.                                                                       | `[]`                                        |
+| `deployment.reposilite.args`                       | Arguments passed to the Reposilite container.                                                              | `[]`                                        |
+| `deployment.reposilite.command`                    | Command passed to the Reposilite container.                                                                | `[]`                                        |
+| `deployment.reposilite.env`                        | List of environment variables for the Reposilite container.                                                |                                             |
+| `deployment.reposilite.envFrom`                    | List of environment variables mounted from configMaps or secrets for the Reposilite container.             | `[]`                                        |
+| `deployment.reposilite.image.registry`             | Image registry, eg. `docker.io`.                                                                           | `docker.io`                                 |
+| `deployment.reposilite.image.repository`           | Image repository, eg. `library/busybox`.                                                                   | `dzikoysk/reposilite`                       |
+| `deployment.reposilite.image.tag`                  | Custom image tag, eg. `0.1.0`. Defaults to `appVersion`.                                                   | `""`                                        |
+| `deployment.reposilite.image.pullPolicy`           | Image pull policy.                                                                                         | `IfNotPresent`                              |
+| `deployment.reposilite.resources`                  | CPU and memory resources of the pod.                                                                       | `{}`                                        |
+| `deployment.reposilite.securityContext`            | Security context of the container of the deployment.                                                       | `{}`                                        |
+| `deployment.reposilite.volumeMounts`               | Additional volume mounts.                                                                                  | `[]`                                        |
+| `deployment.nodeSelector`                          | NodeSelector of the Reposilite deployment.                                                                 | `{}`                                        |
+| `deployment.pluginContainer.args`                  | Arguments passed to the plugin container.                                                                  | `["--location","--fail","--max-time","60"]` |
+| `deployment.pluginContainer.image.registry`        | Image registry, eg. `docker.io`.                                                                           | `docker.io`                                 |
+| `deployment.pluginContainer.image.repository`      | Image repository, eg. `curlimages/curl`.                                                                   | `curlimages/curl`                           |
+| `deployment.pluginContainer.image.tag`             | Custom image tag, eg. `0.1.0`.                                                                             | `8.20.0`                                    |
+| `deployment.pluginContainer.image.pullPolicy`      | Image pull policy.                                                                                         | `IfNotPresent`                              |
+| `deployment.priorityClassName`                     | PriorityClassName of the Reposilite deployment.                                                            | `""`                                        |
+| `deployment.replicas`                              | Number of replicas for the Reposilite deployment.                                                          | `1`                                         |
+| `deployment.restartPolicy`                         | Restart policy of the Reposilite deployment.                                                               | `""`                                        |
+| `deployment.securityContext`                       | Security context of the Reposilite deployment.                                                             | `{}`                                        |
+| `deployment.strategy.type`                         | Strategy type - `Recreate` or `RollingUpdate`.                                                             | `RollingUpdate`                             |
+| `deployment.strategy.rollingUpdate.maxSurge`       | The maximum number of pods that can be scheduled above the desired number of pods during a rolling update. | `1`                                         |
+| `deployment.strategy.rollingUpdate.maxUnavailable` | The maximum number of pods that can be unavailable during a rolling update.                                | `1`                                         |
+| `deployment.terminationGracePeriodSeconds`         | How long to wait until forcefully kill the pod.                                                            | `60`                                        |
+| `deployment.tolerations`                           | Tolerations of the Reposilite deployment.                                                                  | `[]`                                        |
+| `deployment.topologySpreadConstraints`             | TopologySpreadConstraints of the Reposilite deployment.                                                    | `[]`                                        |
+| `deployment.volumes`                               | Additional volumes to mount into the pods of the reposilite deployment.                                    | `[]`                                        |
+
+### GatewayAPI
+
+| Name                                                        | Description                                                                                                                                                                                         | Value   |
+| ----------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------- |
+| `gatewayAPI.enabled`                                        | Enable the Gateway API resources. Requires Kubernetes v1.19 or higher, the CRD's and a compatible gateway controller.                                                                               | `false` |
+| `gatewayAPI.core.backendTLSPolicy.enabled`                  | Enable the BackendTLSPolicy resource. Requires also `gatewayAPI.enabled` to be `true`.                                                                                                              | `false` |
+| `gatewayAPI.core.backendTLSPolicy.annotations`              | Additional annotations for the BackendTLSPolicy.                                                                                                                                                    | `{}`    |
+| `gatewayAPI.core.backendTLSPolicy.labels`                   | Additional labels for the BackendTLSPolicy.                                                                                                                                                         | `{}`    |
+| `gatewayAPI.core.backendTLSPolicy.validation`               | Validation configuration for the BackendTLSPolicy. For example, you can specify a trusted CA certificate to validate the TLS connection between the gateway and the Reposilite pod.                 | `{}`    |
+| `gatewayAPI.core.httpRoute.enabled`                         | Enable the HTTPRoute resource. Requires also `gatewayAPI.enabled` and `service.enabled` to be `true`.                                                                                               | `false` |
+| `gatewayAPI.core.httpRoute.annotations`                     | Additional annotations for the HTTPRoute.                                                                                                                                                           | `{}`    |
+| `gatewayAPI.core.httpRoute.labels`                          | Additional labels for the HTTPRoute.                                                                                                                                                                | `{}`    |
+| `gatewayAPI.core.httpRoute.hostnames`                       | Hostnames for the HTTPRoute.                                                                                                                                                                        | `[]`    |
+| `gatewayAPI.core.httpRoute.parentRefs`                      | ParentRefs for the HTTPRoute. You can specify parentRefs to bind the HTTPRoute to specific Gateway resources.                                                                                       | `[]`    |
+| `gatewayAPI.nginx.clientSettingsPolicy.enabled`             | Enable the ClientSettingsPolicy resource. Requires also `gatewayAPI.enabled` to be `true`.                                                                                                          | `false` |
+| `gatewayAPI.nginx.clientSettingsPolicy.annotations`         | Additional annotations for the ClientSettingsPolicy.                                                                                                                                                | `{}`    |
+| `gatewayAPI.nginx.clientSettingsPolicy.labels`              | Additional labels for the ClientSettingsPolicy.                                                                                                                                                     | `{}`    |
+| `gatewayAPI.nginx.clientSettingsPolicy.clientMaxBodySize`   | ClientMaxBodySize sets the maximum allowed size of the client request body. If not specified, the default of the nginx gateway controller is used.                                                  | `""`    |
+| `gatewayAPI.nginx.clientSettingsPolicy.clientBodyTimeout`   | ClientBodyTimeout sets the timeout for reading the client request body. If not specified, the default of the nginx gateway controller is used.                                                      | `""`    |
+| `gatewayAPI.nginx.clientSettingsPolicy.keepaliveRequests`   | KeepaliveRequests sets the maximum number of requests that can be served through one keepalive connection. If not specified, the default of the nginx gateway controller is used.                   | `nil`   |
+| `gatewayAPI.nginx.clientSettingsPolicy.keepaliveTime`       | KeepaliveTime sets the time a keepalive connection is kept open. If not specified, the default of the nginx gateway controller is used.                                                             | `""`    |
+| `gatewayAPI.nginx.clientSettingsPolicy.keepaliveTimeout`    | KeepaliveTimeout sets the time a client has to wait for the response of a request until the connection is closed. If not specified, the default of the nginx gateway controller is used.            | `""`    |
+| `gatewayAPI.nginx.clientSettingsPolicy.keepaliveMinTimeout` | KeepaliveMinTimeout sets the minimum time a client has to wait for the response of a request until the connection is closed. If not specified, the default of the nginx gateway controller is used. | `""`    |
 
 ### Horizontal Pod Autoscaler (HPA)
 
@@ -261,6 +495,45 @@ networkPolicies:
 | `persistentVolumeClaim.new.size`                           | Size of the persistent volume claim.                                                                                                                                                                 | `10Gi`          |
 | `persistentVolumeClaim.new.storageClass`                   | Custom storage class. Left it empty to use the clusters default storage class.                                                                                                                       | `""`            |
 
+### Prometheus
+
+| Name                                                      | Description                                                                                                                                  | Value      |
+| --------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------- | ---------- |
+| `prometheus.metrics.enabled`                              | Enable of scraping metrics by Prometheus.                                                                                                    | `false`    |
+| `prometheus.metrics.secret.existing.enabled`              | Use an existing secret containing the basic auth credentials.                                                                                | `false`    |
+| `prometheus.metrics.secret.existing.secretName`           | Name of the secret containing the basic auth credentials.                                                                                    | `""`       |
+| `prometheus.metrics.secret.existing.basicAuthUsernameKey` | Name of the key in the secret that contains the username for basic auth.                                                                     | `""`       |
+| `prometheus.metrics.secret.existing.basicAuthPasswordKey` | Name of the key in the secret that contains the password for basic auth.                                                                     | `""`       |
+| `prometheus.metrics.secret.new.annotations`               | Additional secret annotations.                                                                                                               | `{}`       |
+| `prometheus.metrics.secret.new.labels`                    | Additional secret labels.                                                                                                                    | `{}`       |
+| `prometheus.metrics.secret.new.basicAuthUsername`         | Username for basic auth. The username and password is required by reposilite to expose metrics. Default: random alpha numeric string.        | `""`       |
+| `prometheus.metrics.secret.new.basicAuthPassword`         | Password for basic auth. The username and password is required by reposilite to expose metrics. Default random alpha numeric string.         | `""`       |
+| `prometheus.metrics.podMonitor.enabled`                   | Enable creation of a podMonitor. Excludes the existence of a serviceMonitor resource.                                                        | `false`    |
+| `prometheus.metrics.podMonitor.annotations`               | Additional podMonitor annotations.                                                                                                           | `{}`       |
+| `prometheus.metrics.podMonitor.enableHttp2`               | Enable HTTP2.                                                                                                                                | `false`    |
+| `prometheus.metrics.podMonitor.followRedirects`           | FollowRedirects configures whether scrape requests follow HTTP 3xx redirects.                                                                | `false`    |
+| `prometheus.metrics.podMonitor.honorLabels`               | Honor labels.                                                                                                                                | `false`    |
+| `prometheus.metrics.podMonitor.labels`                    | Additional podMonitor labels.                                                                                                                | `{}`       |
+| `prometheus.metrics.podMonitor.interval`                  | Interval at which metrics should be scraped. If not specified Prometheus' global scrape interval is used.                                    | `60s`      |
+| `prometheus.metrics.podMonitor.path`                      | HTTP path of the Reposilite pod for scraping Prometheus metrics.                                                                             | `/metrics` |
+| `prometheus.metrics.podMonitor.port`                      | HTTP port of the Reposilite pod for scraping Prometheus metrics.                                                                             | `http`     |
+| `prometheus.metrics.podMonitor.relabelings`               | RelabelConfigs to apply to samples before scraping. Prometheus Operator automatically adds relabelings for a few standard Kubernetes fields. | `[]`       |
+| `prometheus.metrics.podMonitor.scrapeTimeout`             | Timeout after which the scrape is ended. If not specified, global Prometheus scrape timeout is used.                                         | `30s`      |
+| `prometheus.metrics.podMonitor.scheme`                    | HTTP scheme to use for scraping. For example `http` or `https`.                                                                              | `http`     |
+| `prometheus.metrics.podMonitor.tlsConfig`                 | TLS configuration to use when scraping the metric endpoint by Prometheus.                                                                    | `{}`       |
+| `prometheus.metrics.serviceMonitor.enabled`               | Enable creation of a serviceMonitor. Excludes the existence of a podMonitor resource.                                                        | `false`    |
+| `prometheus.metrics.serviceMonitor.annotations`           | Additional serviceMonitor annotations.                                                                                                       | `{}`       |
+| `prometheus.metrics.serviceMonitor.labels`                | Additional serviceMonitor labels.                                                                                                            | `{}`       |
+| `prometheus.metrics.serviceMonitor.enableHttp2`           | Enable HTTP2.                                                                                                                                | `false`    |
+| `prometheus.metrics.serviceMonitor.followRedirects`       | FollowRedirects configures whether scrape requests follow HTTP 3xx redirects.                                                                | `false`    |
+| `prometheus.metrics.serviceMonitor.honorLabels`           | Honor labels.                                                                                                                                | `false`    |
+| `prometheus.metrics.serviceMonitor.interval`              | Interval at which metrics should be scraped. If not specified Prometheus' global scrape interval is used.                                    | `60s`      |
+| `prometheus.metrics.serviceMonitor.path`                  | HTTP path for scraping Prometheus metrics.                                                                                                   | `/metrics` |
+| `prometheus.metrics.serviceMonitor.relabelings`           | RelabelConfigs to apply to samples before scraping. Prometheus Operator automatically adds relabelings for a few standard Kubernetes fields. | `[]`       |
+| `prometheus.metrics.serviceMonitor.scrapeTimeout`         | Timeout after which the scrape is ended. If not specified, global Prometheus scrape timeout is used.                                         | `30s`      |
+| `prometheus.metrics.serviceMonitor.scheme`                | HTTP scheme to use for scraping. For example `http` or `https`.                                                                              | `http`     |
+| `prometheus.metrics.serviceMonitor.tlsConfig`             | TLS configuration to use when scraping the metric endpoint by Prometheus.                                                                    | `{}`       |
+
 ### Service
 
 | Name                               | Description                                                                                                                                                                                                | Value       |
@@ -276,6 +549,7 @@ networkPolicies:
 | `service.loadBalancerIP`           | LoadBalancer will get created with the IP specified in this field. Requires service from type `LoadBalancer`.                                                                                              | `""`        |
 | `service.loadBalancerSourceRanges` | Source range filter for LoadBalancer. Requires service from type `LoadBalancer`.                                                                                                                           | `[]`        |
 | `service.port`                     | Port to forward the traffic to.                                                                                                                                                                            | `8080`      |
+| `service.scheme`                   | Name of the service port. This name is also used as scheme / port name of the service monitor resource.                                                                                                    | `http`      |
 | `service.sessionAffinity`          | Supports `ClientIP` and `None`. Enable client IP based session affinity via `ClientIP`.                                                                                                                    | `None`      |
 | `service.sessionAffinityConfig`    | Contains the configuration of the session affinity.                                                                                                                                                        | `{}`        |
 | `service.type`                     | Kubernetes service type for the traffic.                                                                                                                                                                   | `ClusterIP` |

package.json

@@ -16,6 +16,6 @@
   "devDependencies": {
     "@bitnami/readme-generator-for-helm": "^2.5.0",
     "markdown-link-check": "^3.13.6",
-    "markdownlint-cli": "^0.45.0"
+    "markdownlint-cli": "^0.48.0"
   }
 }

renovate.json

@@ -4,16 +4,18 @@
     "local>volker.raschek/renovate-config:default#master",
     "local>volker.raschek/renovate-config:container#master",
     "local>volker.raschek/renovate-config:actions#master",
+    "local>volker.raschek/renovate-config:helm#master",
     "local>volker.raschek/renovate-config:npm#master",
     "local>volker.raschek/renovate-config:regexp#master"
   ],
   "customManagers": [
     {
+      "customType": "regex",
       "fileMatch": [
         "^Chart\\.yaml$"
       ],
       "matchStrings": [
-        "appVersion: \"(?<currentValue>.*?)\"\\s+"
+        "^appVersion: \"?(?<currentValue>.*)\"?"
       ],
       "datasourceTemplate": "docker",
       "depNameTemplate": "dzikoysk/reposilite",
@@ -21,7 +23,10 @@
       "versioningTemplate": "semver"
     },
     {
-      "fileMatch": ["^README\\.md$"],
+      "customType": "regex",
+      "fileMatch": [
+        "^README\\.md$"
+      ],
       "matchStrings": [
         "CHART_VERSION=(?<currentValue>.*)"
       ],
@@ -32,6 +37,13 @@
     }
   ],
   "packageRules": [
+    {
+      "groupName": "Update docker.io/library/node",
+      "matchDepNames": [
+        "docker.io/library/node",
+        "library/node"
+      ]
+    },
     {
       "addLabels": [
         "renovate/automerge",
@@ -64,5 +76,16 @@
         "patch"
       ]
     }
-  ]
+  ],
+  "postUpgradeTasks": {
+    "commands": [
+      "install-tool node",
+      "make readme"
+    ],
+    "fileFilters": [
+      "README.md",
+      "values.yaml"
+    ],
+    "executionMode": "update"
+  }
 }

templates/_backendTLSPolicy.tpl

@@ -0,0 +1,32 @@
+{{/* vim: set filetype=mustache: */}}
+
+{{/* annotations */}}
+
+{{- define "reposilite.backendTLSPolicy.annotations" -}}
+{{ include "reposilite.annotations" . }}
+{{- if .Values.gatewayAPI.core.backendTLSPolicy.annotations }}
+{{ toYaml .Values.gatewayAPI.core.backendTLSPolicy.annotations }}
+{{- end }}
+{{- end }}
+
+{{/* enabled */}}
+
+{{- define "reposilite.backendTLSPolicy.enabled" -}}
+{{- if and .Values.gatewayAPI.enabled
+           .Values.gatewayAPI.core.backendTLSPolicy.enabled
+           .Values.service.enabled
+-}}
+true
+{{- else -}}
+false
+{{- end -}}
+{{- end }}
+
+{{/* labels */}}
+
+{{- define "reposilite.backendTLSPolicy.labels" -}}
+{{ include "reposilite.labels" . }}
+{{- if .Values.gatewayAPI.core.backendTLSPolicy.labels }}
+{{ toYaml .Values.gatewayAPI.core.backendTLSPolicy.labels }}
+{{- end }}
+{{- end }}

templates/_clientSettingsPolicy.tpl

@@ -0,0 +1,31 @@
+{{/* vim: set filetype=mustache: */}}
+
+{{/* annotations */}}
+
+{{- define "reposilite.clientSettingsPolicy.annotations" -}}
+{{ include "reposilite.annotations" . }}
+{{- if .Values.gatewayAPI.nginx.clientSettingsPolicy.annotations }}
+{{ toYaml .Values.gatewayAPI.nginx.clientSettingsPolicy.annotations }}
+{{- end }}
+{{- end }}
+
+{{/* enabled */}}
+
+{{- define "reposilite.clientSettingsPolicy.enabled" -}}
+{{- if and (eq (include "reposilite.httpRoute.enabled" $) "true")
+           .Values.gatewayAPI.nginx.clientSettingsPolicy.enabled
+-}}
+true
+{{- else -}}
+false
+{{- end -}}
+{{- end }}
+
+{{/* labels */}}
+
+{{- define "reposilite.clientSettingsPolicy.labels" -}}
+{{ include "reposilite.labels" . }}
+{{- if .Values.gatewayAPI.nginx.clientSettingsPolicy.labels }}
+{{ toYaml .Values.gatewayAPI.nginx.clientSettingsPolicy.labels }}
+{{- end }}
+{{- end }}

templates/_deployment.tpl

@@ -17,11 +17,32 @@
 {{- if .Values.persistentVolumeClaim.enabled }}
 {{- $env = concat $env (list (dict "name" "REPOSILITE_DATA" "value" .Values.persistentVolumeClaim.path )) }}
 {{- end }}
+
+{{- if eq (include "reposilite.podMonitor.enabled" $) "true" }}
+{{- $env = concat $env (list (dict "name" "REPOSILITE_PROMETHEUS_PATH" "value" .Values.prometheus.metrics.podMonitor.path )) }}
+{{- end }}
+
+{{- if eq (include "reposilite.serviceMonitor.enabled" $) "true" }}
+{{- $env = concat $env (list (dict "name" "REPOSILITE_PROMETHEUS_PATH" "value" .Values.prometheus.metrics.serviceMonitor.path )) }}
+{{- end }}
+
+{{- if or (eq (include "reposilite.podMonitor.enabled" $ ) "true") (eq (include "reposilite.serviceMonitor.enabled" $ ) "true") -}}
+{{- $env = concat $env (list (dict "name" "REPOSILITE_PROMETHEUS_USER" "valueFrom" (dict "secretKeyRef" (dict "name" (include "reposilite.secrets.prometheusBasicAuth.name" $) "key" (include "reposilite.secrets.prometheusBasicAuth.usernameKey" $))))) }}
+{{- $env = concat $env (list (dict "name" "REPOSILITE_PROMETHEUS_PASSWORD" "valueFrom" (dict "secretKeyRef" (dict "name" (include "reposilite.secrets.prometheusBasicAuth.name" $) "key" (include "reposilite.secrets.prometheusBasicAuth.passwordKey" $))))) }}
+{{- end }}
+
 {{ toYaml (dict "env" $env) }}
 {{- end -}}
 
 {{/* image */}}
 
+{{- define "reposilite.deployment.images.plugin.fqin" -}}
+{{- $registry := .Values.deployment.pluginContainer.image.registry -}}
+{{- $repository := .Values.deployment.pluginContainer.image.repository -}}
+{{- $tag := default .Chart.AppVersion .Values.deployment.pluginContainer.image.tag -}}
+{{- printf "%s/%s:%s" $registry $repository $tag -}}
+{{- end -}}
+
 {{- define "reposilite.deployment.images.reposilite.fqin" -}}
 {{- $registry := .Values.deployment.reposilite.image.registry -}}
 {{- $repository := .Values.deployment.reposilite.image.repository -}}
@@ -38,6 +59,34 @@
 {{- end }}
 {{- end }}
 
+{{/* initContainers */}}
+
+{{- define "reposilite.deployment.initContainers" -}}
+{{- $initContainers := .Values.deployment.initContainers | default list -}}
+{{- $pluginContainerImage := (include "reposilite.deployment.images.plugin.fqin" . ) }}
+{{- $pluginContainerArgs := .Values.deployment.pluginContainer.args | default list }}
+{{- $pluginContainerArgs := concat $pluginContainerArgs (list "--output-dir" "/app/data/plugins" ) }}
+{{- $pluginContainerVolumeMounts := list (dict "name" "plugins" "mountPath" "/app/data/plugins") }}
+
+{{- if eq (include "reposilite.plugins.prometheus.enabled" $) "true" }}
+{{- $fileName := splitList "/" (tpl .Values.config.plugins.prometheus.url $) | last }}
+{{- $individualArgs := concat $pluginContainerArgs (list "--output" $fileName (tpl .Values.config.plugins.prometheus.url $)) }}
+{{- $initContainers = concat $initContainers (list (dict "args" $individualArgs "name" "download-prometheus-plugin" "image" $pluginContainerImage "volumeMounts" $pluginContainerVolumeMounts)) }}
+{{- end }}
+
+{{ toYaml (dict "initContainers" $initContainers) }}
+
+{{- end }}
+
+{{/* plugins */}}
+{{- define "reposilite.plugins.prometheus.enabled" -}}
+{{- if or .Values.config.plugins.prometheus.enabled .Values.prometheus.metrics.enabled -}}
+true
+{{- else -}}
+false
+{{- end -}}
+{{- end }}
+
 {{/* serviceAccount */}}
 
 {{- define "reposilite.deployment.serviceAccount" -}}
@@ -55,6 +104,11 @@
 {{- if .Values.persistentVolumeClaim.enabled }}
 {{- $volumeMounts = concat $volumeMounts (list (dict "name" "data" "mountPath" .Values.persistentVolumeClaim.path )) }}
 {{- end }}
+
+{{- if eq (include "reposilite.plugins.prometheus.enabled" $) "true" }}
+{{- $volumeMounts = concat $volumeMounts (list (dict "name" "plugins" "mountPath" "/app/data/plugins")) }}
+{{- end }}
+
 {{ toYaml (dict "volumeMounts" $volumeMounts) }}
 {{- end -}}
 
@@ -71,6 +125,10 @@
 {{- $volumes = concat $volumes (list (dict "name" "data" "persistentVolumeClaim" (dict "claimName" $persistentVolumeClaimName))) }}
 {{- end }}
 
+{{- if eq (include "reposilite.plugins.prometheus.enabled" $) "true" }}
+{{- $volumes = concat $volumes (list (dict "name" "plugins" "emptyDir" dict)) }}
+{{- end }}
+
 {{ toYaml (dict "volumes" $volumes) }}
 
 {{- end -}}

templates/_httpRoute.tpl

@@ -0,0 +1,32 @@
+{{/* vim: set filetype=mustache: */}}
+
+{{/* annotations */}}
+
+{{- define "reposilite.httpRoute.annotations" -}}
+{{ include "reposilite.annotations" . }}
+{{- if .Values.gatewayAPI.core.httpRoute.annotations }}
+{{ toYaml .Values.gatewayAPI.core.httpRoute.annotations }}
+{{- end }}
+{{- end }}
+
+{{/* enabled */}}
+
+{{- define "reposilite.httpRoute.enabled" -}}
+{{- if and .Values.gatewayAPI.enabled
+           .Values.gatewayAPI.core.httpRoute.enabled
+           .Values.service.enabled
+-}}
+true
+{{- else -}}
+false
+{{- end -}}
+{{- end }}
+
+{{/* labels */}}
+
+{{- define "reposilite.httpRoute.labels" -}}
+{{ include "reposilite.labels" . }}
+{{- if .Values.gatewayAPI.core.httpRoute.labels }}
+{{ toYaml .Values.gatewayAPI.core.httpRoute.labels }}
+{{- end }}
+{{- end }}

templates/_pod.tpl

@@ -4,6 +4,9 @@
 
 {{- define "reposilite.pod.annotations" -}}
 {{ include "reposilite.annotations" . }}
+{{- if and .Values.prometheus.metrics.enabled (not .Values.prometheus.metrics.secret.existing.enabled) -}}
+{{- printf "checksum/secret-%s: %s" (include "reposilite.secrets.prometheusBasicAuth.name" $) (include (print $.Template.BasePath "/secretPrometheusBasicAuth.yaml") . | sha256sum) }}
+{{- end -}}
 {{- end }}
 
 {{/* labels */}}

templates/_podMonitors.tpl

@@ -0,0 +1,27 @@
+{{/* vim: set filetype=mustache: */}}
+
+{{/* annotations */}}
+{{- define "reposilite.podMonitor.annotations" -}}
+{{ include "reposilite.annotations" . }}
+{{- if .Values.prometheus.metrics.podMonitor.annotations }}
+{{ toYaml .Values.prometheus.metrics.podMonitor.annotations }}
+{{- end }}
+{{- end }}
+
+{{/* enabled */}}
+{{- define "reposilite.podMonitor.enabled" -}}
+{{- if and .Values.prometheus.metrics.enabled .Values.prometheus.metrics.podMonitor.enabled (not .Values.prometheus.metrics.serviceMonitor.enabled) -}}
+true
+{{- else -}}
+false
+{{- end -}}
+{{- end }}
+
+{{/* labels */}}
+
+{{- define "reposilite.podMonitor.labels" -}}
+{{ include "reposilite.labels" . }}
+{{- if .Values.prometheus.metrics.podMonitor.labels }}
+{{ toYaml .Values.prometheus.metrics.podMonitor.labels }}
+{{- end }}
+{{- end }}

templates/_secrets.tpl

@@ -0,0 +1,53 @@
+{{/* vim: set filetype=mustache: */}}
+
+{{/* annotations */}}
+
+{{- define "reposilite.secrets.prometheusBasicAuth.annotations" -}}
+{{ include "reposilite.annotations" . }}
+{{- if .Values.prometheus.metrics.secret.new.annotations }}
+{{ toYaml .Values.prometheus.metrics.secret.new.annotations }}
+{{- end }}
+{{- end }}
+
+{{/* labels */}}
+
+{{- define "reposilite.secrets.prometheusBasicAuth.labels" -}}
+{{ include "reposilite.labels" . }}
+{{- if .Values.prometheus.metrics.secret.new.labels }}
+{{ toYaml .Values.prometheus.metrics.secret.new.labels }}
+{{- end }}
+{{- end }}
+
+{{/* names */}}
+
+{{- define "reposilite.secrets.prometheusBasicAuth.name" -}}
+{{- if and .Values.prometheus.metrics.secret.existing.enabled (gt (len .Values.prometheus.metrics.secret.existing.secretName) 0) }}
+{{- print .Values.prometheus.metrics.secret.existing.secretName -}}
+{{- else if and .Values.prometheus.metrics.secret.existing.enabled (eq (len .Values.prometheus.metrics.secret.existing.secretName) 0) }}
+{{ fail "Name of the existing secret that contains the credentials for basic auth is not defined!" }}
+{{- else if not .Values.prometheus.metrics.secret.existing.enabled }}
+{{- printf "%s-basic-auth-credentials" (include "reposilite.fullname" $) -}}
+{{- end }}
+{{- end }}
+
+{{/* secretKeyNames */}}
+
+{{- define "reposilite.secrets.prometheusBasicAuth.passwordKey" -}}
+{{- if and .Values.prometheus.metrics.secret.existing.enabled (gt (len .Values.prometheus.metrics.secret.existing.basicAuthPasswordKey) 0) -}}
+{{- .Values.prometheus.metrics.secret.existing.basicAuthPasswordKey -}}
+{{- else if and .Values.prometheus.metrics.secret.existing.enabled (eq (len .Values.prometheus.metrics.secret.existing.basicAuthPasswordKey) 0) }}
+{{ fail "Name of the key in the secret that contains the password for basic auth is not defined!" }}
+{{- else if and (not .Values.prometheus.metrics.secret.existing.enabled) }}
+{{- print "password" -}}
+{{- end }}
+{{- end }}
+
+{{- define "reposilite.secrets.prometheusBasicAuth.usernameKey" -}}
+{{- if and .Values.prometheus.metrics.secret.existing.enabled (gt (len .Values.prometheus.metrics.secret.existing.basicAuthUsernameKey) 0) -}}
+{{- .Values.prometheus.metrics.secret.existing.basicAuthUsernameKey -}}
+{{- else if and .Values.prometheus.metrics.secret.existing.enabled (eq (len .Values.prometheus.metrics.secret.existing.basicAuthUsernameKey) 0) }}
+{{ fail "Name of the key in the secret that contains the username for basic auth is not defined!" }}
+{{- else if and (not .Values.prometheus.metrics.secret.existing.enabled) }}
+{{- print "username" -}}
+{{- end }}
+{{- end }}

templates/_serviceMonitors.tpl

@@ -0,0 +1,35 @@
+{{/* vim: set filetype=mustache: */}}
+
+{{/* annotations */}}
+
+{{- define "reposilite.serviceMonitor.annotations" -}}
+{{ include "reposilite.annotations" . }}
+{{- if .Values.prometheus.metrics.serviceMonitor.annotations }}
+{{ toYaml .Values.prometheus.metrics.serviceMonitor.annotations }}
+{{- end }}
+{{- end }}
+
+{{/* enabled */}}
+
+{{- define "reposilite.serviceMonitor.enabled" -}}
+{{- if and .Values.prometheus.metrics.enabled (not .Values.prometheus.metrics.podMonitor.enabled) .Values.prometheus.metrics.serviceMonitor.enabled .Values.service.enabled -}}
+true
+{{- else -}}
+false
+{{- end -}}
+{{- end }}
+
+{{/* labels */}}
+
+{{- define "reposilite.serviceMonitor.labels" -}}
+{{ include "reposilite.labels" . }}
+{{- if .Values.prometheus.metrics.serviceMonitor.labels }}
+{{ toYaml .Values.prometheus.metrics.serviceMonitor.labels }}
+{{- end }}
+{{- end }}
+
+{{- define "reposilite.serviceMonitor.selectorLabels" -}}
+{{ include "reposilite.selectorLabels" . }}
+{{/* Add label to select the correct service via `selector.matchLabels` of the serviceMonitor resource. */}}
+app.kubernetes.io/service-name: {{ required "The scheme of the serviceMonitor is not defined!" .Values.service.scheme }}
+{{- end }}

templates/_services.tpl

@@ -16,6 +16,8 @@
 {{- if .Values.service.labels }}
 {{ toYaml .Values.service.labels }}
 {{- end }}
+{{/* Add label to select the correct service via `selector.matchLabels` of the serviceMonitor resource. */}}
+app.kubernetes.io/service-name: {{ required "The scheme of the serviceMonitor is not defined!" .Values.service.scheme }}
 {{- end }}
 
 {{/* names */}}

templates/backendTLSPolicy.yaml

@@ -0,0 +1,25 @@
+{{- if eq (include "reposilite.backendTLSPolicy.enabled" $) "true" }}
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: BackendTLSPolicy
+metadata:
+  {{- with (include "reposilite.backendTLSPolicy.annotations" . | fromYaml) }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  {{- with (include "reposilite.backendTLSPolicy.labels" . | fromYaml) }}
+  labels:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  name: {{ include "reposilite.fullname" . }}
+  namespace: {{ .Release.Namespace }}
+spec:
+  targetRefs:
+    - group: ""
+      kind: Service
+      name: {{ include "reposilite.service.name" . }}
+  {{- with .Values.gatewayAPI.core.backendTLSPolicy.validation }}
+  validation:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+{{- end -}}

templates/clientSettingsPolicy.yaml

@@ -0,0 +1,50 @@
+{{- if eq (include "reposilite.clientSettingsPolicy.enabled" $) "true" }}
+apiVersion: gateway.nginx.org/v1alpha1
+kind: ClientSettingsPolicy
+metadata:
+  {{- with (include "reposilite.clientSettingsPolicy.annotations" . | fromYaml) }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  {{- with (include "reposilite.clientSettingsPolicy.labels" . | fromYaml) }}
+  labels:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  name: {{ include "reposilite.fullname" . }}
+  namespace: {{ .Release.Namespace }}
+spec:
+  targetRef:
+    group: gateway.networking.k8s.io
+    kind: HTTPRoute
+    name: {{ include "reposilite.fullname" . }}
+  {{- if or .Values.gatewayAPI.nginx.clientSettingsPolicy.clientMaxBodySize
+            .Values.gatewayAPI.nginx.clientSettingsPolicy.clientBodyTimeout
+  }}
+  body:
+    {{- with .Values.gatewayAPI.nginx.clientSettingsPolicy.clientMaxBodySize }}
+    maxSize: {{ . }}
+    {{- end }}
+    {{- with .Values.gatewayAPI.nginx.clientSettingsPolicy.clientBodyTimeout }}
+    timeout: {{ . }}
+    {{- end }}
+  {{- end }}
+  {{- if or .Values.gatewayAPI.nginx.clientSettingsPolicy.keepaliveRequests
+            .Values.gatewayAPI.nginx.clientSettingsPolicy.keepaliveTime
+            .Values.gatewayAPI.nginx.clientSettingsPolicy.keepaliveTimeout
+            .Values.gatewayAPI.nginx.clientSettingsPolicy.keepaliveMinTimeout
+  }}
+  keepAlive:
+    {{- with .Values.gatewayAPI.nginx.clientSettingsPolicy.keepaliveRequests }}
+    requests: {{ . }}
+    {{- end }}
+    {{- with .Values.gatewayAPI.nginx.clientSettingsPolicy.keepaliveTime }}
+    time: {{ . }}
+    {{- end }}
+    {{- with .Values.gatewayAPI.nginx.clientSettingsPolicy.keepaliveTimeout }}
+    timeout: {{ . }}
+    {{- end }}
+    {{- with .Values.gatewayAPI.nginx.clientSettingsPolicy.keepaliveMinTimeout }}
+    minTimeout: {{ . }}
+    {{- end }}
+  {{- end }}
+{{- end -}}

templates/deployment.yaml

@@ -68,7 +68,10 @@ spec:
         name: reposilite
         ports:
         - name: http
-          containerPort: {{ .Values.service.port }}
+          containerPort: 8080
+          protocol: TCP
+        - name: https
+          containerPort: 8443
           protocol: TCP
         readinessProbe:
           tcpSocket:
@@ -106,6 +109,11 @@ spec:
       imagePullSecrets:
         {{- toYaml . | nindent 8 }}
       {{- end }}
+      {{- $initContainers := (include "reposilite.deployment.initContainers" . | fromYaml) }}
+      {{- if and (hasKey $initContainers "initContainers") (gt (len $initContainers.initContainers) 0) }}
+      initContainers:
+      {{- toYaml $initContainers.initContainers | nindent 6 }}
+      {{- end }}
       {{- with .Values.deployment.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}

templates/httpRoute.yaml

@@ -0,0 +1,36 @@
+{{- if eq (include "reposilite.httpRoute.enabled" $) "true" }}
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  {{- with (include "reposilite.httpRoute.annotations" . | fromYaml) }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  {{- with (include "reposilite.httpRoute.labels" . | fromYaml) }}
+  labels:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  name: {{ include "reposilite.fullname" . }}
+  namespace: {{ .Release.Namespace }}
+spec:
+  {{- with .Values.gatewayAPI.core.httpRoute.hostnames }}
+  hostnames:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  {{- with .Values.gatewayAPI.core.httpRoute.parentRefs }}
+  parentRefs:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  rules:
+    - backendRefs:
+        - kind: Service
+          name: {{ include "reposilite.service.name" . }}
+          namespace: {{ .Release.Namespace }}
+          port: {{ .Values.service.port }}
+          weight: 1
+      {{- with .Values.gatewayAPI.core.httpRoute.matches }}
+      matches:
+        {{- toYaml . | nindent 6 }}
+      {{- end }}
+{{- end }}

templates/podMonitor.yaml

@@ -0,0 +1,47 @@
+{{- if eq (include "reposilite.podMonitor.enabled" $) "true" }}
+---
+apiVersion: monitoring.coreos.com/v1
+kind: PodMonitor
+metadata:
+  {{- with (include "reposilite.podMonitor.annotations" . | fromYaml) }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  {{- with (include "reposilite.podMonitor.labels" . | fromYaml) }}
+  labels:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  name: {{ include "reposilite.fullname" . }}
+  namespace: {{ .Release.Namespace }}
+spec:
+  podMetricsEndpoints:
+  - basicAuth:
+      password:
+        key: {{ include "reposilite.secrets.prometheusBasicAuth.passwordKey" . }}
+        name: {{ include "reposilite.secrets.prometheusBasicAuth.name" . }}
+      username:
+        key: {{ include "reposilite.secrets.prometheusBasicAuth.usernameKey" . }}
+        name: {{ include "reposilite.secrets.prometheusBasicAuth.name" . }}
+    enableHttp2: {{ required "The enableHttp2 option of the podMonitor is not defined!" .Values.prometheus.metrics.podMonitor.enableHttp2 }}
+    followRedirects: {{ required "The followRedirects option of the podMonitor is not defined!" .Values.prometheus.metrics.podMonitor.followRedirects }}
+    honorLabels: {{ required "The honorLabels option of the podMonitor is not defined!" .Values.prometheus.metrics.podMonitor.honorLabels }}
+    interval: {{ required "The scrape interval of the podMonitor is not defined!" .Values.prometheus.metrics.podMonitor.interval }}
+    path: {{ required "The metric path of the podMonitor is not defined!" .Values.prometheus.metrics.podMonitor.path }}
+    port: {{ required "The metric port of the podMonitor is not defined!" .Values.prometheus.metrics.podMonitor.port | quote }}
+    {{- with .Values.prometheus.metrics.podMonitor.relabelings }}
+    relabelings:
+      {{- toYaml . | nindent 6 }}
+    {{- end }}
+    scrapeTimeout: {{ required "The scrape timeout of the podMonitor is not defined!" .Values.prometheus.metrics.podMonitor.scrapeTimeout }}
+    scheme: {{ required "The scheme of the podMonitor is not defined!" .Values.prometheus.metrics.podMonitor.scheme }}
+    {{- with .Values.prometheus.metrics.podMonitor.tlsConfig }}
+    tlsConfig:
+      {{- toYaml . | nindent 6 }}
+    {{- end }}
+  namespaceSelector:
+    matchNames:
+    - {{ .Release.Namespace }}
+  selector:
+    matchLabels:
+      {{- include "reposilite.pod.selectorLabels" . | nindent 6 }}
+{{- end }}

templates/secretPrometheusBasicAuth.yaml

@@ -0,0 +1,19 @@
+{{- if and .Values.prometheus.metrics.enabled (not .Values.prometheus.metrics.secret.existing.enabled) }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  {{- with (include "reposilite.secrets.prometheusBasicAuth.annotations" . | fromYaml) }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  {{- with (include "reposilite.secrets.prometheusBasicAuth.labels" . | fromYaml) }}
+  labels:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  name: {{ include "reposilite.secrets.prometheusBasicAuth.name" . }}
+  namespace: {{ .Release.Namespace }}
+stringData:
+  password: {{ required "Password for basic auth is required!" .Values.prometheus.metrics.secret.new.basicAuthPassword }}
+  username: {{ required "Username for basic auth is required!" .Values.prometheus.metrics.secret.new.basicAuthUsername }}
+{{- end }}

templates/service.yaml

@@ -43,7 +43,7 @@ spec:
   {{- end }}
   {{- end }}
   ports:
-  - name: http
+  - name: {{ required "No service name defined. Either 'http' or 'https' is allowed!" .Values.service.scheme }}
     protocol: TCP
     port: {{ required "No service port defined!" .Values.service.port }}
   selector:

templates/serviceMonitor.yaml

@@ -0,0 +1,47 @@
+{{- if eq (include "reposilite.serviceMonitor.enabled" $) "true" }}
+---
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  {{- with (include "reposilite.serviceMonitor.annotations" . | fromYaml) }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  {{- with (include "reposilite.serviceMonitor.labels" . | fromYaml) }}
+  labels:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  name: {{ include "reposilite.fullname" . }}
+  namespace: {{ .Release.Namespace }}
+spec:
+  endpoints:
+  - basicAuth:
+      password:
+        key: {{ include "reposilite.secrets.prometheusBasicAuth.passwordKey" . }}
+        name: {{ include "reposilite.secrets.prometheusBasicAuth.name" . }}
+      username:
+        key: {{ include "reposilite.secrets.prometheusBasicAuth.usernameKey" . }}
+        name: {{ include "reposilite.secrets.prometheusBasicAuth.name" . }}
+    enableHttp2: {{ required "The enableHttp2 option of the serviceMonitor is not defined!" .Values.prometheus.metrics.serviceMonitor.enableHttp2 }}
+    followRedirects: {{ required "The followRedirects option of the serviceMonitor is not defined!" .Values.prometheus.metrics.serviceMonitor.followRedirects }}
+    honorLabels: {{ required "The honorLabels option of the serviceMonitor is not defined!" .Values.prometheus.metrics.serviceMonitor.honorLabels }}
+    interval: {{ required "The scrape interval of the serviceMonitor is not defined!" .Values.prometheus.metrics.serviceMonitor.interval }}
+    path: {{ required "The metric path of the serviceMonitor is not defined!" .Values.prometheus.metrics.serviceMonitor.path }}
+    port: {{ required "The port of the serviceMonitor is not defined!" .Values.service.scheme }}
+    {{- with .Values.prometheus.metrics.serviceMonitor.relabelings }}
+    relabelings:
+      {{- toYaml . | nindent 6 }}
+    {{- end }}
+    scrapeTimeout: {{ required "The scrape timeout of the serviceMonitor is not defined!" .Values.prometheus.metrics.serviceMonitor.scrapeTimeout }}
+    scheme: {{ required "The scheme of the serviceMonitor is not defined!" .Values.prometheus.metrics.serviceMonitor.scheme }}
+    {{- with .Values.prometheus.metrics.serviceMonitor.tlsConfig }}
+    tlsConfig:
+      {{- toYaml . | nindent 6 }}
+    {{- end }}
+  namespaceSelector:
+    matchNames:
+    - {{ .Release.Namespace }}
+  selector:
+    matchLabels:
+      {{- include "reposilite.serviceMonitor.selectorLabels" . | nindent 6 }}
+{{- end }}

unittests/backendTLSPolicy/backendTLSPolicy.yaml

@@ -0,0 +1,130 @@
+chart:
+  appVersion: 0.1.0
+  version: 0.1.0
+suite: backendTLSPolicy template
+release:
+  name: reposilite-unittest
+  namespace: testing
+templates:
+- templates/backendTLSPolicy.yaml
+tests:
+- it: Skip rendering when disabled 1/6
+  set:
+    gatewayAPI.enabled: false
+    gatewayAPI.core.backendTLSPolicy.enabled: false
+    service.enabled: false
+  asserts:
+  - hasDocuments:
+      count: 0
+
+- it: Skip rendering when disabled 2/6
+  set:
+    gatewayAPI.enabled: true
+    gatewayAPI.core.backendTLSPolicy.enabled: false
+    service.enabled: false
+  asserts:
+  - hasDocuments:
+      count: 0
+
+- it: Skip rendering when disabled 3/6
+  set:
+    gatewayAPI.enabled: false
+    gatewayAPI.core.backendTLSPolicy.enabled: true
+    service.enabled: false
+  asserts:
+  - hasDocuments:
+      count: 0
+
+- it: Skip rendering when disabled 4/6
+  set:
+    gatewayAPI.enabled: false
+    gatewayAPI.core.backendTLSPolicy.enabled: false
+    service.enabled: true
+  asserts:
+  - hasDocuments:
+      count: 0
+
+- it: Skip rendering when disabled 5/6
+  set:
+    gatewayAPI.enabled: true
+    gatewayAPI.core.backendTLSPolicy.enabled: false
+    service.enabled: true
+  asserts:
+  - hasDocuments:
+      count: 0
+
+- it: Skip rendering when disabled 6/6
+  set:
+    gatewayAPI.enabled: true
+    gatewayAPI.core.backendTLSPolicy.enabled: true
+    service.enabled: false
+  asserts:
+  - hasDocuments:
+      count: 0
+
+- it: Render default values
+  set:
+    gatewayAPI.enabled: true
+    gatewayAPI.core.backendTLSPolicy.enabled: true
+    service.enabled: true
+  asserts:
+  - hasDocuments:
+      count: 1
+  - containsDocument:
+      apiVersion: gateway.networking.k8s.io/v1
+      kind: BackendTLSPolicy
+      name: reposilite-unittest
+      namespace: testing
+  - contains:
+      path: spec.targetRefs
+      content:
+        group: ""
+        kind: Service
+        name: reposilite-unittest
+  - notExists:
+      path: spec.validation.caCertificateRefs
+
+- it: Render with custom annotations and labels
+  set:
+    gatewayAPI.enabled: true
+    gatewayAPI.core.backendTLSPolicy:
+      enabled: true
+      annotations:
+        foo: bar
+      labels:
+        bar: foo
+    service.enabled: true
+  asserts:
+  - equal:
+      path: metadata.annotations
+      value:
+        foo: bar
+  - equal:
+      path: metadata.labels
+      value:
+        app.kubernetes.io/instance: reposilite-unittest
+        app.kubernetes.io/name: reposilite
+        app.kubernetes.io/version: 0.1.0
+        app.kubernetes.io/managed-by: Helm
+        helm.sh/chart: reposilite-0.1.0
+        bar: foo
+
+- it: Render with custom validation
+  set:
+    gatewayAPI.enabled: true
+    gatewayAPI.core.backendTLSPolicy.enabled: true
+    gatewayAPI.core.backendTLSPolicy.validation:
+      caCertificateRefs:
+        - group: ""
+          kind: Secret
+          name: reposilite-ca
+      hostname: reposilite.svc.cluster.local
+    service.enabled: true
+  asserts:
+  - isSubset:
+      path: spec.validation
+      content:
+        caCertificateRefs:
+          - group: ""
+            kind: Secret
+            name: reposilite-ca

unittests/clientSettingsPolicy/clientSettingsPolicy.yaml

@@ -0,0 +1,190 @@
+chart:
+  appVersion: 0.1.0
+  version: 0.1.0
+suite: ClientSettingsPolicy template
+release:
+  name: reposilite-unittest
+  namespace: testing
+templates:
+- templates/clientSettingsPolicy.yaml
+tests:
+- it: Skip rendering when disabled 1/8
+  set:
+    gatewayAPI.enabled: false
+    gatewayAPI.core.httpRoute.enabled: false
+    gatewayAPI.nginx.clientSettingsPolicy.enabled: false
+    service.enabled: false
+  asserts:
+  - hasDocuments:
+      count: 0
+
+- it: Skip rendering when disabled 2/8
+  set:
+    gatewayAPI.enabled: true
+    gatewayAPI.core.httpRoute.enabled: false
+    gatewayAPI.nginx.clientSettingsPolicy.enabled: false
+    service.enabled: false
+  asserts:
+  - hasDocuments:
+      count: 0
+
+- it: Skip rendering when disabled 3/8
+  set:
+    gatewayAPI.enabled: false
+    gatewayAPI.core.httpRoute.enabled: true
+    gatewayAPI.nginx.clientSettingsPolicy.enabled: false
+    service.enabled: false
+  asserts:
+  - hasDocuments:
+      count: 0
+
+- it: Skip rendering when disabled 4/8
+  set:
+    gatewayAPI.enabled: false
+    gatewayAPI.core.httpRoute.enabled: false
+    gatewayAPI.nginx.clientSettingsPolicy.enabled: true
+    service.enabled: false
+  asserts:
+  - hasDocuments:
+      count: 0
+
+- it: Skip rendering when disabled 5/8
+  set:
+    gatewayAPI.enabled: false
+    gatewayAPI.core.httpRoute.enabled: false
+    gatewayAPI.nginx.clientSettingsPolicy.enabled: false
+    service.enabled: true
+  asserts:
+  - hasDocuments:
+      count: 0
+
+- it: Skip rendering when disabled 6/8
+  set:
+    gatewayAPI.enabled: true
+    gatewayAPI.core.httpRoute.enabled: true
+    gatewayAPI.nginx.clientSettingsPolicy.enabled: false
+    service.enabled: false
+  asserts:
+  - hasDocuments:
+      count: 0
+
+- it: Skip rendering when disabled 7/8
+  set:
+    gatewayAPI.enabled: true
+    gatewayAPI.core.httpRoute.enabled: false
+    gatewayAPI.nginx.clientSettingsPolicy.enabled: true
+    service.enabled: false
+  asserts:
+  - hasDocuments:
+      count: 0
+
+- it: Skip rendering when disabled 8/8
+  set:
+    gatewayAPI.enabled: true
+    gatewayAPI.core.httpRoute.enabled: false
+    gatewayAPI.nginx.clientSettingsPolicy.enabled: false
+    service.enabled: true
+  asserts:
+  - hasDocuments:
+      count: 0
+
+- it: Render default values
+  set:
+    gatewayAPI.enabled: true
+    gatewayAPI.core.httpRoute.enabled: true
+    gatewayAPI.nginx.clientSettingsPolicy.enabled: true
+    service.enabled: true
+  asserts:
+  - hasDocuments:
+      count: 1
+  - containsDocument:
+      apiVersion: gateway.nginx.org/v1alpha1
+      kind: ClientSettingsPolicy
+      name: reposilite-unittest
+      namespace: testing
+  - notExists:
+      path: metadata.annotations
+  - equal:
+      path: metadata.labels
+      value:
+        app.kubernetes.io/instance: reposilite-unittest
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: reposilite
+        app.kubernetes.io/version: 0.1.0
+        helm.sh/chart: reposilite-0.1.0
+  - isSubset:
+      path: spec.targetRef
+      content:
+        group: gateway.networking.k8s.io
+        kind: HTTPRoute
+        name: reposilite-unittest
+  - notExists:
+      path: spec.body
+  - notExists:
+      path: spec.keepAlive
+
+- it: Render custom annotations and labels
+  set:
+    gatewayAPI.enabled: true
+    gatewayAPI.core.httpRoute.enabled: true
+    gatewayAPI.nginx.clientSettingsPolicy:
+      enabled: true
+      annotations:
+        foo: "bar"
+      labels:
+        bar: "foo"
+    service.enabled: true
+  asserts:
+  - equal:
+      path: metadata.annotations
+      value:
+        foo: "bar"
+  - equal:
+      path: metadata.labels
+      value:
+        app.kubernetes.io/instance: reposilite-unittest
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: reposilite
+        app.kubernetes.io/version: 0.1.0
+        helm.sh/chart: reposilite-0.1.0
+        bar: "foo"
+
+- it: Render with custom body settings
+  set:
+    gatewayAPI.enabled: true
+    gatewayAPI.core.httpRoute.enabled: true
+    gatewayAPI.nginx.clientSettingsPolicy:
+      enabled: true
+      clientMaxBodySize: 10m
+      clientBodyTimeout: 30s
+    service.enabled: true
+  asserts:
+  - isSubset:
+      path: spec.body
+      content:
+        maxSize: 10m
+        timeout: 30s
+  - notExists:
+      path: spec.keepAlive
+
+- it: Render with custom keepAlive settings
+  set:
+    gatewayAPI.enabled: true
+    gatewayAPI.core.httpRoute.enabled: true
+    gatewayAPI.nginx.clientSettingsPolicy:
+      enabled: true
+      keepaliveRequests: 100
+      keepaliveTime: 60s
+      keepaliveTimeout: 60s
+      keepaliveMinTimeout: 10s
+    service.enabled: true
+  asserts:
+  - notExists:
+      path: spec.body
+  - isSubset:
+      path: spec.keepAlive
+      content:
+        requests: 100
+        time: 60s
+        timeout: 60s
+        minTimeout: 10s

unittests/deployment/configPlugins.yaml

@@ -0,0 +1,42 @@
+chart:
+  appVersion: 0.1.0
+  version: 0.1.0
+suite: Test reposilite plugins
+release:
+  name: reposilite-unittest
+  namespace: testing
+templates:
+- templates/deployment.yaml
+- templates/secretPrometheusBasicAuth.yaml
+tests:
+- it: Test init containers for prometheus
+  set:
+    config.plugins.prometheus.enabled: true
+    config.plugins.prometheus.url: "https://reposilite.com/plugins/prometheus.jar"
+    deployment.pluginContainer.image.tag: 0.1.0
+  asserts:
+  - contains:
+      path: spec.template.spec.initContainers
+      content:
+        args:
+        - --location
+        - --fail
+        - --max-time
+        - "60"
+        - --output-dir
+        - /app/data/plugins
+        - --output
+        - prometheus.jar
+        - https://reposilite.com/plugins/prometheus.jar
+        name: download-prometheus-plugin
+        image: docker.io/curlimages/curl:0.1.0
+        volumeMounts:
+        - mountPath: /app/data/plugins
+          name: plugins
+    template: templates/deployment.yaml
+  - contains:
+      path: spec.template.spec.volumes
+      content:
+        name: plugins
+        emptyDir: {}
+    template: templates/deployment.yaml

unittests/deployment/deployment.yaml

@@ -7,19 +7,23 @@ release:
   namespace: testing
 templates:
 - templates/deployment.yaml
+- templates/secretPrometheusBasicAuth.yaml
 tests:
 - it: Rendering default
   set: {}
   asserts:
   - hasDocuments:
       count: 1
+    template: templates/deployment.yaml
   - containsDocument:
       apiVersion: apps/v1
       kind: Deployment
       name: reposilite-unittest
       namespace: testing
+    template: templates/deployment.yaml
   - notExists:
       path: metadata.annotations
+    template: templates/deployment.yaml
   - equal:
       path: metadata.labels
       value:
@@ -28,14 +32,17 @@ tests:
         app.kubernetes.io/name: reposilite
         app.kubernetes.io/version: 0.1.0
         helm.sh/chart: reposilite-0.1.0
+    template: templates/deployment.yaml
   - equal:
       path: spec.replicas
       value: 1
+    template: templates/deployment.yaml
   - isSubset:
       path: spec.selector.matchLabels
       content:
         app.kubernetes.io/instance: reposilite-unittest
         app.kubernetes.io/name: reposilite
+    template: templates/deployment.yaml
   - equal:
       path: spec.strategy
       value:
@@ -43,9 +50,10 @@ tests:
         rollingUpdate:
           maxSurge: 1
           maxUnavailable: 1
+    template: templates/deployment.yaml
   - notExists:
       path: spec.template.metadata.annotations
-      value: sadsdf
+    template: templates/deployment.yaml
   - equal:
       path: spec.template.metadata.labels
       value:
@@ -54,25 +62,33 @@ tests:
         app.kubernetes.io/name: reposilite
         app.kubernetes.io/version: 0.1.0
         helm.sh/chart: reposilite-0.1.0
+    template: templates/deployment.yaml
   - notExists:
       path: spec.template.spec.affinity
+    template: templates/deployment.yaml
   - notExists:
       path: spec.template.spec.containers[0].args
+    template: templates/deployment.yaml
   - notExists:
       path: spec.template.spec.containers[0].command
+    template: templates/deployment.yaml
   - contains:
       path: spec.template.spec.containers[0].env
       content:
         name: JAVA_OPTS
         value: "-Xmx64M"
+    template: templates/deployment.yaml
   - notExists:
       path: spec.template.spec.containers[0].envFrom
+    template: templates/deployment.yaml
   - equal:
       path: spec.template.spec.containers[0].image
       value: docker.io/dzikoysk/reposilite:0.1.0
+    template: templates/deployment.yaml
   - equal:
       path: spec.template.spec.containers[0].imagePullPolicy
       value: IfNotPresent
+    template: templates/deployment.yaml
   - isSubset:
       path: spec.template.spec.containers[0].livenessProbe
       content:
@@ -83,15 +99,18 @@ tests:
         periodSeconds: 60
         successThreshold: 1
         timeoutSeconds: 3
+    template: templates/deployment.yaml
   - equal:
       path: spec.template.spec.containers[0].name
       value: reposilite
+    template: templates/deployment.yaml
   - contains:
       path: spec.template.spec.containers[0].ports
       content:
         name: http
         containerPort: 8080
         protocol: TCP
+    template: templates/deployment.yaml
   - isSubset:
       path: spec.template.spec.containers[0].readinessProbe
       content:
@@ -102,42 +121,60 @@ tests:
         periodSeconds: 15
         successThreshold: 1
         timeoutSeconds: 3
+    template: templates/deployment.yaml
   - notExists:
       path: spec.template.spec.containers[0].resources
+    template: templates/deployment.yaml
   - notExists:
       path: spec.template.spec.containers[0].securityContext
+    template: templates/deployment.yaml
   - notExists:
       path: spec.template.spec.containers[0].volumeMounts
+    template: templates/deployment.yaml
   - notExists:
       path: spec.template.spec.dnsConfig
+    template: templates/deployment.yaml
   - notExists:
       path: spec.template.spec.dnsPolicy
+    template: templates/deployment.yaml
   - notExists:
       path: spec.template.spec.hostname
+    template: templates/deployment.yaml
   - equal:
       path: spec.template.spec.hostNetwork
       value: false
+    template: templates/deployment.yaml
   - notExists:
       path: spec.template.spec.imagePullSecrets
+    template: templates/deployment.yaml
   - notExists:
       path: spec.template.spec.initContainers
+    template: templates/deployment.yaml
   - notExists:
       path: spec.template.spec.nodeSelector
+    template: templates/deployment.yaml
   - notExists:
       path: spec.template.spec.priorityClassName
+    template: templates/deployment.yaml
   - notExists:
       path: spec.template.spec.restartPolicy
+    template: templates/deployment.yaml
   - notExists:
       path: spec.template.spec.subdomain
+    template: templates/deployment.yaml
   - equal:
       path: spec.template.spec.terminationGracePeriodSeconds
       value: 60
+    template: templates/deployment.yaml
   - notExists:
       path: spec.template.spec.tolerations
+    template: templates/deployment.yaml
   - notExists:
       path: spec.template.spec.topologySpreadConstraints
+    template: templates/deployment.yaml
   - notExists:
       path: spec.template.spec.volumes
+    template: templates/deployment.yaml
 
 - it: Test custom replicas
   set:
@@ -146,6 +183,7 @@ tests:
   - equal:
       path: spec.replicas
       value: 3
+    template: templates/deployment.yaml
 
 - it: Test custom strategy
   set:
@@ -162,6 +200,7 @@ tests:
         rollingUpdate:
           maxSurge: 10
           maxUnavailable: 5
+    template: templates/deployment.yaml
 
 - it: Test custom affinity
   set:
@@ -188,6 +227,7 @@ tests:
                 values:
                 - antarctica-east1
                 - antarctica-west1
+    template: templates/deployment.yaml
 
 - it: Test additional arguments
   set:
@@ -200,6 +240,7 @@ tests:
       value:
       - --foo=bar
       - --bar=foo
+    template: templates/deployment.yaml
 
 - it: Test additional commands
   set:
@@ -210,6 +251,7 @@ tests:
       path: spec.template.spec.containers[0].command
       value:
       - /bin/bash
+    template: templates/deployment.yaml
 
 - it: Test custom imageRegistry and imageRepository
   set:
@@ -220,6 +262,7 @@ tests:
   - equal:
       path: spec.template.spec.containers[0].image
       value: registry.example.local/path/special/reposilite:2.0.0
+    template: templates/deployment.yaml
 
 - it: Test custom imagePullPolicy
   set:
@@ -228,17 +271,7 @@ tests:
   - equal:
       path: spec.template.spec.containers[0].imagePullPolicy
       value: Always
-
-- it: Test custom port
-  set:
-    service.port: 8443
-  asserts:
-  - contains:
-      path: spec.template.spec.containers[0].ports
-      content:
-        name: http
-        containerPort: 8443
-        protocol: TCP
+    template: templates/deployment.yaml
 
 - it: Test custom resources
   set:
@@ -259,6 +292,7 @@ tests:
         requests:
           cpu: 25m
           memory: 100MB
+    template: templates/deployment.yaml
 
 - it: Test custom securityContext
   set:
@@ -285,6 +319,7 @@ tests:
         readOnlyRootFilesystem: true
         runAsNonRoot: true
         runAsUser: 1000
+    template: templates/deployment.yaml
 
 - it: Test custom volumeMounts
   set:
@@ -297,6 +332,7 @@ tests:
       content:
         name: data
         mountPath: /usr/lib/data
+    template: templates/deployment.yaml
 
 - it: Test dnsConfig
   set:
@@ -311,6 +347,7 @@ tests:
         nameservers:
         - "8.8.8.8"
         - "8.8.4.4"
+    template: templates/deployment.yaml
 
 - it: Test dnsPolicy
   set:
@@ -319,6 +356,7 @@ tests:
   - equal:
       path: spec.template.spec.dnsPolicy
       value: ClusterFirst
+    template: templates/deployment.yaml
 
 - it: Test hostNetwork, hostname, subdomain
   set:
@@ -329,12 +367,15 @@ tests:
   - equal:
       path: spec.template.spec.hostNetwork
       value: true
+    template: templates/deployment.yaml
   - equal:
       path: spec.template.spec.hostname
       value: pg-exporter
+    template: templates/deployment.yaml
   - equal:
       path: spec.template.spec.subdomain
       value: exporters.internal
+    template: templates/deployment.yaml
 
 - it: Test imagePullSecrets
   set:
@@ -347,6 +388,20 @@ tests:
       value:
       - name: my-pull-secret
       - name: my-special-secret
+    template: templates/deployment.yaml
+
+- it: Test initContainers
+  set:
+    deployment.initContainers:
+    - name: busybox
+      image: docker.io/library/busybox:latest
+  asserts:
+  - contains:
+      path: spec.template.spec.initContainers
+      content:
+        name: busybox
+        image: docker.io/library/busybox:latest
+    template: templates/deployment.yaml
 
 - it: Test nodeSelector
   set:
@@ -357,6 +412,7 @@ tests:
       path: spec.template.spec.nodeSelector
       value:
         foo: bar
+    template: templates/deployment.yaml
 
 - it: Test priorityClassName
   set:
@@ -365,6 +421,7 @@ tests:
   - equal:
       path: spec.template.spec.priorityClassName
       value: my-priority
+    template: templates/deployment.yaml
 
 - it: Test restartPolicy
   set:
@@ -373,6 +430,7 @@ tests:
   - equal:
       path: spec.template.spec.restartPolicy
       value: Always
+    template: templates/deployment.yaml
 
 - it: Test custom securityContext
   set:
@@ -389,6 +447,7 @@ tests:
         runAsNonRoot: true
         runAsUser: 1000
         runAsGroup: 1000
+    template: templates/deployment.yaml
 
 - it: Test terminationGracePeriodSeconds
   set:
@@ -397,6 +456,7 @@ tests:
   - equal:
       path: spec.template.spec.terminationGracePeriodSeconds
       value: 120
+    template: templates/deployment.yaml
 
 - it: Test tolerations
   set:
@@ -413,6 +473,7 @@ tests:
         operator: Equal
         value: ssd
         effect: NoSchedule
+    template: templates/deployment.yaml
 
 - it: Test topologySpreadConstraints
   set:
@@ -431,6 +492,7 @@ tests:
         labelSelector:
           matchLabels:
             app.kubernetes.io/instance: reposilite
+    template: templates/deployment.yaml
 
 - it: Test additional volumes
   set:
@@ -445,3 +507,4 @@ tests:
       - name: data
         hostPath:
           path: /usr/lib/data
+    template: templates/deployment.yaml

unittests/deployment/mountPersistentVolumeClaim.yaml

@@ -7,6 +7,7 @@ release:
   namespace: testing
 templates:
 - templates/deployment.yaml
+- templates/secretPrometheusBasicAuth.yaml
 tests:
 - it: Rendering default volumes and volumeMounts with persistent volume claim
   set:
@@ -17,17 +18,20 @@ tests:
       content:
         name: REPOSILITE_DATA
         value: /app/data
+    template: templates/deployment.yaml
   - contains:
       path: spec.template.spec.containers[0].volumeMounts
       content:
         name: data
         mountPath: /app/data
+    template: templates/deployment.yaml
   - contains:
       path: spec.template.spec.volumes
       content:
         name: data
         persistentVolumeClaim:
           claimName: reposilite-unittest
+    template: templates/deployment.yaml
 
 - it: Rendering custom volumes and volumeMounts with persistent volume claim
   set:
@@ -39,17 +43,20 @@ tests:
       content:
         name: REPOSILITE_DATA
         value: /usr/lib/reposilite/data
+    template: templates/deployment.yaml
   - contains:
       path: spec.template.spec.containers[0].volumeMounts
       content:
         name: data
         mountPath: /usr/lib/reposilite/data
+    template: templates/deployment.yaml
   - contains:
       path: spec.template.spec.volumes
       content:
         name: data
         persistentVolumeClaim:
           claimName: reposilite-unittest
+    template: templates/deployment.yaml
 
 - it: Rendering custom volumes and volumeMounts with persistent volume claim
   set:
@@ -62,14 +69,17 @@ tests:
       content:
         name: REPOSILITE_DATA
         value: /app/data
+    template: templates/deployment.yaml
   - contains:
       path: spec.template.spec.containers[0].volumeMounts
       content:
         name: data
         mountPath: /app/data
+    template: templates/deployment.yaml
   - contains:
       path: spec.template.spec.volumes
       content:
         name: data
         persistentVolumeClaim:
-          claimName: my-custom-pvc
+          claimName: my-custom-pvc
+    template: templates/deployment.yaml

unittests/deployment/prometheusPodMonitor.yaml

@@ -0,0 +1,109 @@
+chart:
+  appVersion: 0.1.0
+  version: 0.1.0
+suite: Add prometheus basic auth variables
+release:
+  name: reposilite-unittest
+  namespace: testing
+templates:
+- templates/deployment.yaml
+- templates/secretPrometheusBasicAuth.yaml
+tests:
+- it: Rendering default environment variables with enabled prometheus metrics podMonitor
+  set:
+    prometheus.metrics.enabled: true
+    prometheus.metrics.podMonitor.enabled: true
+    prometheus.metrics.secret.new.basicAuthPassword: "my-password"
+    prometheus.metrics.secret.new.basicAuthUsername: "my-username"
+  asserts:
+  - exists:
+      path: spec.template.metadata.annotations.checksum/secret-reposilite-unittest-basic-auth-credentials
+    template: templates/deployment.yaml
+  - contains:
+      path: spec.template.spec.containers[0].env
+      content:
+        name: REPOSILITE_PROMETHEUS_PASSWORD
+        valueFrom:
+          secretKeyRef:
+            name: reposilite-unittest-basic-auth-credentials
+            key: password
+    template: templates/deployment.yaml
+  - contains:
+      path: spec.template.spec.containers[0].env
+      content:
+        name: REPOSILITE_PROMETHEUS_USER
+        valueFrom:
+          secretKeyRef:
+            name: reposilite-unittest-basic-auth-credentials
+            key: username
+    template: templates/deployment.yaml
+
+- it: Rendering default environment variables with enabled prometheus metrics serviceMonitor and external secret
+  set:
+    prometheus.metrics.enabled: true
+    prometheus.metrics.secret.existing.enabled: true
+    prometheus.metrics.secret.existing.basicAuthUsernameKey: my-username-key
+    prometheus.metrics.secret.existing.basicAuthPasswordKey: my-password-key
+    prometheus.metrics.secret.existing.secretName: my-secret
+    prometheus.metrics.podMonitor.enabled: true
+  asserts:
+  - notExists:
+      path: spec.template.metadata.annotations.checksum/secret-reposilite-unittest-basic-auth-credentials
+    template: templates/deployment.yaml
+  - contains:
+      path: spec.template.spec.containers[0].env
+      content:
+        name: REPOSILITE_PROMETHEUS_PASSWORD
+        valueFrom:
+          secretKeyRef:
+            name: my-secret
+            key: my-password-key
+    template: templates/deployment.yaml
+  - contains:
+      path: spec.template.spec.containers[0].env
+      content:
+        name: REPOSILITE_PROMETHEUS_USER
+        valueFrom:
+          secretKeyRef:
+            name: my-secret
+            key: my-username-key
+    template: templates/deployment.yaml
+
+- it: Fail when existing secret name is undefined
+  set:
+    prometheus.metrics.enabled: true
+    prometheus.metrics.secret.existing.enabled: true
+    prometheus.metrics.secret.existing.basicAuthUsernameKey: "my-username-key"
+    prometheus.metrics.secret.existing.basicAuthPasswordKey: "my-password-key"
+    prometheus.metrics.secret.existing.secretName: ""
+    prometheus.metrics.podMonitor.enabled: true
+  asserts:
+  - failedTemplate:
+      errorMessage: "Name of the existing secret that contains the credentials for basic auth is not defined!"
+    template: templates/deployment.yaml
+
+- it: Fail when the name of the key in the secret that contains the username for basic auth is undefined
+  set:
+    prometheus.metrics.enabled: true
+    prometheus.metrics.secret.existing.enabled: true
+    prometheus.metrics.secret.existing.basicAuthUsernameKey: ""
+    prometheus.metrics.secret.existing.basicAuthPasswordKey: "my-password-key"
+    prometheus.metrics.secret.existing.secretName: "my-secret"
+    prometheus.metrics.podMonitor.enabled: true
+  asserts:
+  - failedTemplate:
+      errorMessage: "Name of the key in the secret that contains the username for basic auth is not defined!"
+    template: templates/deployment.yaml
+
+- it: Fail when the name of the key in the secret that contains the password for basic auth is undefined
+  set:
+    prometheus.metrics.enabled: true
+    prometheus.metrics.secret.existing.enabled: true
+    prometheus.metrics.secret.existing.basicAuthUsernameKey: "my-username-key"
+    prometheus.metrics.secret.existing.basicAuthPasswordKey: ""
+    prometheus.metrics.secret.existing.secretName: "my-secret"
+    prometheus.metrics.podMonitor.enabled: true
+  asserts:
+  - failedTemplate:
+      errorMessage: "Name of the key in the secret that contains the password for basic auth is not defined!"
+    template: templates/deployment.yaml

unittests/deployment/prometheusServiceMonitor.yaml

@@ -0,0 +1,109 @@
+chart:
+  appVersion: 0.1.0
+  version: 0.1.0
+suite: Add prometheus basic auth variables
+release:
+  name: reposilite-unittest
+  namespace: testing
+templates:
+- templates/deployment.yaml
+- templates/secretPrometheusBasicAuth.yaml
+tests:
+- it: Rendering default environment variables with enabled prometheus metrics serviceMonitor
+  set:
+    prometheus.metrics.enabled: true
+    prometheus.metrics.serviceMonitor.enabled: true
+    prometheus.metrics.secret.new.basicAuthPassword: "my-password"
+    prometheus.metrics.secret.new.basicAuthUsername: "my-username"
+  asserts:
+  - exists:
+      path: spec.template.metadata.annotations.checksum/secret-reposilite-unittest-basic-auth-credentials
+    template: templates/deployment.yaml
+  - contains:
+      path: spec.template.spec.containers[0].env
+      content:
+        name: REPOSILITE_PROMETHEUS_PASSWORD
+        valueFrom:
+          secretKeyRef:
+            name: reposilite-unittest-basic-auth-credentials
+            key: password
+    template: templates/deployment.yaml
+  - contains:
+      path: spec.template.spec.containers[0].env
+      content:
+        name: REPOSILITE_PROMETHEUS_USER
+        valueFrom:
+          secretKeyRef:
+            name: reposilite-unittest-basic-auth-credentials
+            key: username
+    template: templates/deployment.yaml
+
+- it: Rendering default environment variables with enabled prometheus metrics serviceMonitor and external secret
+  set:
+    prometheus.metrics.enabled: true
+    prometheus.metrics.secret.existing.enabled: true
+    prometheus.metrics.secret.existing.basicAuthUsernameKey: my-username-key
+    prometheus.metrics.secret.existing.basicAuthPasswordKey: my-password-key
+    prometheus.metrics.secret.existing.secretName: my-secret
+    prometheus.metrics.serviceMonitor.enabled: true
+  asserts:
+  - notExists:
+      path: spec.template.metadata.annotations.checksum/secret-reposilite-unittest-basic-auth-credentials
+    template: templates/deployment.yaml
+  - contains:
+      path: spec.template.spec.containers[0].env
+      content:
+        name: REPOSILITE_PROMETHEUS_PASSWORD
+        valueFrom:
+          secretKeyRef:
+            name: my-secret
+            key: my-password-key
+    template: templates/deployment.yaml
+  - contains:
+      path: spec.template.spec.containers[0].env
+      content:
+        name: REPOSILITE_PROMETHEUS_USER
+        valueFrom:
+          secretKeyRef:
+            name: my-secret
+            key: my-username-key
+    template: templates/deployment.yaml
+
+- it: Fail when existing secret name is undefined
+  set:
+    prometheus.metrics.enabled: true
+    prometheus.metrics.secret.existing.enabled: true
+    prometheus.metrics.secret.existing.basicAuthUsernameKey: "my-username-key"
+    prometheus.metrics.secret.existing.basicAuthPasswordKey: "my-password-key"
+    prometheus.metrics.secret.existing.secretName: ""
+    prometheus.metrics.serviceMonitor.enabled: true
+  asserts:
+  - failedTemplate:
+      errorMessage: "Name of the existing secret that contains the credentials for basic auth is not defined!"
+    template: templates/deployment.yaml
+
+- it: Fail when the name of the key in the secret that contains the username for basic auth is undefined
+  set:
+    prometheus.metrics.enabled: true
+    prometheus.metrics.secret.existing.enabled: true
+    prometheus.metrics.secret.existing.basicAuthUsernameKey: ""
+    prometheus.metrics.secret.existing.basicAuthPasswordKey: "my-password-key"
+    prometheus.metrics.secret.existing.secretName: "my-secret"
+    prometheus.metrics.serviceMonitor.enabled: true
+  asserts:
+  - failedTemplate:
+      errorMessage: "Name of the key in the secret that contains the username for basic auth is not defined!"
+    template: templates/deployment.yaml
+
+- it: Fail when the name of the key in the secret that contains the password for basic auth is undefined
+  set:
+    prometheus.metrics.enabled: true
+    prometheus.metrics.secret.existing.enabled: true
+    prometheus.metrics.secret.existing.basicAuthUsernameKey: "my-username-key"
+    prometheus.metrics.secret.existing.basicAuthPasswordKey: ""
+    prometheus.metrics.secret.existing.secretName: "my-secret"
+    prometheus.metrics.serviceMonitor.enabled: true
+  asserts:
+  - failedTemplate:
+      errorMessage: "Name of the key in the secret that contains the password for basic auth is not defined!"
+    template: templates/deployment.yaml

unittests/httpRoute/httpRoute.yaml

@@ -0,0 +1,194 @@
+chart:
+  appVersion: 0.1.0
+  version: 0.1.0
+suite: HTTPRoute template
+release:
+  name: reposilite-unittest
+  namespace: testing
+templates:
+- templates/httpRoute.yaml
+tests:
+- it: Skip rendering when disabled 1/6
+  set:
+    gatewayAPI.enabled: false
+    gatewayAPI.core.httpRoute.enabled: false
+    service.enabled: false
+  asserts:
+  - hasDocuments:
+      count: 0
+
+- it: Skip rendering when disabled 2/6
+  set:
+    gatewayAPI.enabled: true
+    gatewayAPI.core.httpRoute.enabled: false
+    service.enabled: false
+  asserts:
+  - hasDocuments:
+      count: 0
+
+- it: Skip rendering when disabled 3/6
+  set:
+    gatewayAPI.enabled: false
+    gatewayAPI.core.httpRoute.enabled: true
+    service.enabled: false
+  asserts:
+  - hasDocuments:
+      count: 0
+
+- it: Skip rendering when disabled 4/6
+  set:
+    gatewayAPI.enabled: false
+    gatewayAPI.core.httpRoute.enabled: false
+    service.enabled: true
+  asserts:
+  - hasDocuments:
+      count: 0
+
+- it: Skip rendering when disabled 5/6
+  set:
+    gatewayAPI.enabled: true
+    gatewayAPI.core.httpRoute.enabled: false
+    service.enabled: true
+  asserts:
+  - hasDocuments:
+      count: 0
+
+- it: Skip rendering when disabled 6/6
+  set:
+    gatewayAPI.enabled: true
+    gatewayAPI.core.httpRoute.enabled: true
+    service.enabled: false
+  asserts:
+  - hasDocuments:
+      count: 0
+
+- it: Rendering default values
+  set:
+    gatewayAPI.enabled: true
+    gatewayAPI.core.httpRoute.enabled: true
+    service.enabled: true
+  asserts:
+  - hasDocuments:
+      count: 1
+  - containsDocument:
+      apiVersion: gateway.networking.k8s.io/v1
+      kind: HTTPRoute
+      name: reposilite-unittest
+      namespace: testing
+  - notExists:
+      path: metadata.annotations
+  - equal:
+      path: metadata.labels
+      value:
+        app.kubernetes.io/instance: reposilite-unittest
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: reposilite
+        app.kubernetes.io/version: 0.1.0
+        helm.sh/chart: reposilite-0.1.0
+  - notExists:
+      path: spec.hostnames
+  - notExists:
+      path: spec.parentRefs
+  - contains:
+      path: spec.rules[0].backendRefs
+      content:
+        kind: Service
+        name: reposilite-unittest
+        namespace: testing
+        port: 8080
+        weight: 1
+  - contains:
+      path: spec.rules[0].matches
+      content:
+        path:
+          type: PathPrefix
+          value: /
+
+- it: Rendering custom annotations and labels
+  set:
+    gatewayAPI.enabled: true
+    gatewayAPI.core.httpRoute:
+      enabled: true
+      annotations:
+        foo: bar
+      labels:
+        bar: foo
+    service.enabled: true
+  asserts:
+  - hasDocuments:
+      count: 1
+  - equal:
+      path: metadata.annotations
+      value:
+        foo: bar
+  - equal:
+      path: metadata.labels
+      value:
+        app.kubernetes.io/instance: reposilite-unittest
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: reposilite
+        app.kubernetes.io/version: 0.1.0
+        bar: foo
+        helm.sh/chart: reposilite-0.1.0
+
+- it: Rendering custom service port
+  set:
+    gatewayAPI.enabled: true
+    gatewayAPI.core.httpRoute.enabled: true
+    service:
+      enabled: true
+      port: 9090
+  asserts:
+  - equal:
+      path: spec.rules[0].backendRefs[0].port
+      value: 9090
+
+- it: Rendering custom matches
+  set:
+    gatewayAPI.enabled: true
+    gatewayAPI.core.httpRoute:
+      enabled: true
+      matches:
+      - path:
+          type: PathPrefix
+          value: /foo
+    service.enabled: true
+  asserts:
+  - contains:
+      path: spec.rules[0].matches
+      content:
+        path:
+          type: PathPrefix
+          value: /foo
+
+- it: Rendering custom hostnames and parentRefs
+  set:
+    gatewayAPI.enabled: true
+    gatewayAPI.core.httpRoute:
+      enabled: true
+      hostnames:
+      - reposilite.example.local
+      parentRefs:
+      - name: gateway
+        namespace: testing
+        kind: Gateway
+        sectionName: reposilite-debug-gateway
+    service.enabled: true
+  asserts:
+  - lengthEqual:
+      path: spec.hostnames
+      count: 1
+  - contains:
+      path: spec.hostnames
+      content:
+        reposilite.example.local
+  - lengthEqual:
+      path: spec.parentRefs
+      count: 1
+  - contains:
+      path: spec.parentRefs
+      content:
+        name: gateway
+        namespace: testing
+        kind: Gateway
+        sectionName: reposilite-debug-gateway

unittests/podMonitors/podMonitor.yaml

@@ -0,0 +1,179 @@
+chart:
+  appVersion: 0.1.0
+  version: 0.1.0
+suite: PodMonitor template
+release:
+  name: reposilite-unittest
+  namespace: testing
+templates:
+- templates/podMonitor.yaml
+tests:
+- it: Skip podMonitor when metrics are disabled.
+  set:
+    prometheus.metrics.enabled: false
+    prometheus.metrics.podMonitor.enabled: true
+    prometheus.metrics.serviceMonitor.enabled: true
+  asserts:
+  - hasDocuments:
+      count: 0
+
+- it: Skip podMonitor when podMonitor is disabled.
+  set:
+    prometheus.metrics.enabled: true
+    prometheus.metrics.podMonitor.enabled: false
+  asserts:
+  - hasDocuments:
+      count: 0
+
+- it: Skip podMonitor when both monitor types are enabled.
+  set:
+    prometheus.metrics.enabled: true
+    prometheus.metrics.podMonitor.enabled: true
+    prometheus.metrics.serviceMonitor.enabled: true
+  asserts:
+  - hasDocuments:
+      count: 0
+
+- it: Rendering podMonitor with default values - enabled manually.
+  set:
+    prometheus.metrics.enabled: true
+    prometheus.metrics.podMonitor.enabled: true
+  asserts:
+  - hasDocuments:
+      count: 1
+  - containsDocument:
+      apiVersion: monitoring.coreos.com/v1
+      kind: PodMonitor
+      name: reposilite-unittest
+      namespace: testing
+  - notExists:
+      path: metadata.annotations
+  - equal:
+      path: metadata.labels
+      value:
+        app.kubernetes.io/instance: reposilite-unittest
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: reposilite
+        app.kubernetes.io/version: 0.1.0
+        helm.sh/chart: reposilite-0.1.0
+  - isSubset:
+      path: spec.podMetricsEndpoints[0].basicAuth
+      content:
+        password:
+          key: password
+          name: reposilite-unittest-basic-auth-credentials
+        username:
+          key: username
+          name: reposilite-unittest-basic-auth-credentials
+  - equal:
+      path: spec.podMetricsEndpoints[0].enableHttp2
+      value: false
+  - equal:
+      path: spec.podMetricsEndpoints[0].followRedirects
+      value: false
+  - equal:
+      path: spec.podMetricsEndpoints[0].honorLabels
+      value: false
+  - equal:
+      path: spec.podMetricsEndpoints[0].interval
+      value: 60s
+  - equal:
+      path: spec.podMetricsEndpoints[0].path
+      value: /metrics
+  - equal:
+      path: spec.podMetricsEndpoints[0].port
+      value: http
+  - notExists:
+      path: spec.podMetricsEndpoints[0].relabelings
+  - equal:
+      path: spec.podMetricsEndpoints[0].scrapeTimeout
+      value: 30s
+  - equal:
+      path: spec.podMetricsEndpoints[0].scheme
+      value: http
+  - contains:
+      path: spec.namespaceSelector.matchNames
+      content:
+        testing
+  - equal:
+      path: spec.selector.matchLabels
+      value:
+        app.kubernetes.io/instance: reposilite-unittest
+        app.kubernetes.io/name: reposilite
+
+- it: Render podMonitor with custom annotations and labels.
+  set:
+    prometheus.metrics.enabled: true
+    prometheus.metrics.podMonitor.enabled: true
+    prometheus.metrics.podMonitor.annotations:
+      foo: bar
+    prometheus.metrics.podMonitor.labels:
+      bar: foo
+  asserts:
+  - equal:
+      path: metadata.annotations
+      value:
+        foo: bar
+  - equal:
+      path: metadata.labels
+      value:
+        app.kubernetes.io/instance: reposilite-unittest
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: reposilite
+        app.kubernetes.io/version: 0.1.0
+        bar: foo
+        helm.sh/chart: reposilite-0.1.0
+
+- it: Change defaults
+  set:
+    prometheus.metrics.enabled: true
+    prometheus.metrics.podMonitor.enabled: true
+    prometheus.metrics.podMonitor.enableHttp2: false
+    prometheus.metrics.podMonitor.followRedirects: true
+    prometheus.metrics.podMonitor.honorLabels: true
+    prometheus.metrics.podMonitor.interval: "180s"
+    prometheus.metrics.podMonitor.path: "/my-metrics"
+    prometheus.metrics.podMonitor.port: "8443"
+    prometheus.metrics.podMonitor.relabelings:
+    - sourceLabels: [ container ]
+      separator: ";"
+      regex: "app"
+      replacement: "$1"
+      action: "drop"
+    prometheus.metrics.podMonitor.scheme: https
+    prometheus.metrics.podMonitor.scrapeTimeout: "5s"
+  asserts:
+  - hasDocuments:
+      count: 1
+  - equal:
+      path: spec.podMetricsEndpoints[0].enableHttp2
+      value: false
+  - equal:
+      path: spec.podMetricsEndpoints[0].followRedirects
+      value: true
+  - equal:
+      path: spec.podMetricsEndpoints[0].honorLabels
+      value: true
+  - equal:
+      path: spec.podMetricsEndpoints[0].interval
+      value: 180s
+  - equal:
+      path: spec.podMetricsEndpoints[0].path
+      value: /my-metrics
+  - equal:
+      path: spec.podMetricsEndpoints[0].port
+      value: "8443"
+  - contains:
+      path: spec.podMetricsEndpoints[0].relabelings
+      content:
+        sourceLabels: [ container ]
+        separator: ";"
+        regex: "app"
+        replacement: "$1"
+        action: "drop"
+  - equal:
+      path: spec.podMetricsEndpoints[0].scrapeTimeout
+      value: 5s
+  - equal:
+      path: spec.podMetricsEndpoints[0].scheme
+      value: https

unittests/secrets/basicAuth.yaml

@@ -0,0 +1,98 @@
+chart:
+  appVersion: 0.1.0
+  version: 0.1.0
+suite: Secret reposilite template
+release:
+  name: reposilite-unittest
+  namespace: testing
+templates:
+- templates/secretPrometheusBasicAuth.yaml
+tests:
+- it: Skip rendering
+  asserts:
+  - hasDocuments:
+      count: 0
+
+- it: Throw error for missing basic auth password
+  set:
+    prometheus.metrics.enabled: true
+    # prometheus.metrics.secret.new.basicAuthPassword: "my-password"
+    prometheus.metrics.secret.new.basicAuthUsername: "my-username"
+  asserts:
+    - failedTemplate:
+        errorMessage: "Password for basic auth is required!"
+
+- it: Throw error for missing basic auth username
+  set:
+    prometheus.metrics.enabled: true
+    prometheus.metrics.secret.new.basicAuthPassword: "my-password"
+    # prometheus.metrics.secret.new.basicAuthUsername: "my-username"
+  asserts:
+    - failedTemplate:
+        errorMessage: "Username for basic auth is required!"
+
+- it: Rendering secret with default values.
+  set:
+    prometheus.metrics.enabled: true
+    prometheus.metrics.secret.new.basicAuthPassword: "my-password"
+    prometheus.metrics.secret.new.basicAuthUsername: "my-username"
+  asserts:
+  - hasDocuments:
+      count: 1
+  - containsDocument:
+      apiVersion: v1
+      kind: Secret
+      name: reposilite-unittest-basic-auth-credentials
+      namespace: testing
+  - notExists:
+      path: metadata.annotations
+  - equal:
+      path: metadata.labels
+      value:
+        app.kubernetes.io/instance: reposilite-unittest
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: reposilite
+        app.kubernetes.io/version: 0.1.0
+        helm.sh/chart: reposilite-0.1.0
+  - exists:
+      path: stringData.password
+  - exists:
+      path: stringData.username
+
+- it: Rendering secret with custom values.
+  set:
+    prometheus.metrics.enabled: true
+    prometheus.metrics.secret.new.basicAuthPassword: foo
+    prometheus.metrics.secret.new.basicAuthUsername: bar
+    prometheus.metrics.secret.new.annotations:
+      foo: bar
+    prometheus.metrics.secret.new.labels:
+      bar: foo
+  asserts:
+  - hasDocuments:
+      count: 1
+  - isSubset:
+      path: metadata.annotations
+      content:
+        foo: bar
+  - isSubset:
+      path: metadata.labels
+      content:
+        bar: foo
+  - equal:
+      path: metadata.name
+      value: reposilite-unittest-basic-auth-credentials
+  - equal:
+      path: stringData.password
+      value: foo
+  - equal:
+      path: stringData.username
+      value: bar
+
+- it: Skip rendering if existing secret is used
+  set:
+    prometheus.metrics.enabled: true
+    prometheus.metrics.secret.existing.enabled: true
+  asserts:
+  - hasDocuments:
+      count: 0

unittests/serviceAccount/serviceAccount.yaml

@@ -53,13 +53,13 @@ tests:
   asserts:
   - hasDocuments:
       count: 1
-  - exists:
+  - isSubset:
       path: metadata.annotations
-      value:
+      content:
         foo: bar
-  - exists:
+  - isSubset:
       path: metadata.labels
-      value:
+      content:
         bar: foo
   - equal:
       path: metadata.name

unittests/serviceMonitors/serviceMonitor.yaml

@@ -0,0 +1,194 @@
+chart:
+  appVersion: 0.1.0
+  version: 0.1.0
+suite: ServiceMonitor template
+release:
+  name: reposilite-unittest
+  namespace: testing
+templates:
+- templates/serviceMonitor.yaml
+tests:
+- it: Skip serviceMonitor when service is disabled.
+  set:
+    prometheus.metrics.enabled: true
+    prometheus.metrics.serviceMonitor.enabled: true
+    service.enabled: false
+  asserts:
+  - hasDocuments:
+      count: 0
+
+- it: Skip serviceMonitor when metrics are disabled.
+  set:
+    prometheus.metrics.enabled: false
+    prometheus.metrics.serviceMonitor.enabled: true
+    services.http.enabled: true
+  asserts:
+  - hasDocuments:
+      count: 0
+
+- it: Skip serviceMonitor when serviceMonitor is disabled.
+  set:
+    prometheus.metrics.enabled: true
+    prometheus.metrics.serviceMonitor.enabled: false
+    services.http.enabled: true
+  asserts:
+  - hasDocuments:
+      count: 0
+
+- it: Rendering serviceMonitor with default values - enabled manually.
+  set:
+    prometheus.metrics.enabled: true
+    prometheus.metrics.serviceMonitor.enabled: true
+  asserts:
+  - hasDocuments:
+      count: 1
+  - containsDocument:
+      apiVersion: monitoring.coreos.com/v1
+      kind: ServiceMonitor
+      name: reposilite-unittest
+      namespace: testing
+  - notExists:
+      path: metadata.annotations
+  - equal:
+      path: metadata.labels
+      value:
+        app.kubernetes.io/instance: reposilite-unittest
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: reposilite
+        app.kubernetes.io/version: 0.1.0
+        helm.sh/chart: reposilite-0.1.0
+  - isSubset:
+      path: spec.endpoints[0].basicAuth
+      content:
+        password:
+          key: password
+          name: reposilite-unittest-basic-auth-credentials
+        username:
+          key: username
+          name: reposilite-unittest-basic-auth-credentials
+  - equal:
+      path: spec.endpoints[0].enableHttp2
+      value: false
+  - equal:
+      path: spec.endpoints[0].followRedirects
+      value: false
+  - equal:
+      path: spec.endpoints[0].honorLabels
+      value: false
+  - equal:
+      path: spec.endpoints[0].interval
+      value: 60s
+  - equal:
+      path: spec.endpoints[0].path
+      value: /metrics
+  - notExists:
+      path: spec.endpoints[0].relabelings
+  - equal:
+      path: spec.endpoints[0].scrapeTimeout
+      value: 30s
+  - equal:
+      path: spec.endpoints[0].scheme
+      value: http
+  - equal:
+      path: spec.endpoints[0].port
+      value: http
+  - contains:
+      path: spec.namespaceSelector.matchNames
+      content:
+        testing
+  - equal:
+      path: spec.selector.matchLabels
+      value:
+        app.kubernetes.io/instance: reposilite-unittest
+        app.kubernetes.io/name: reposilite
+        app.kubernetes.io/service-name: http
+
+- it: Render serviceMonitor with custom annotations and labels.
+  set:
+    prometheus.metrics.enabled: true
+    prometheus.metrics.serviceMonitor.enabled: true
+    prometheus.metrics.serviceMonitor.annotations:
+      foo: bar
+    prometheus.metrics.serviceMonitor.labels:
+      bar: foo
+  asserts:
+  - equal:
+      path: metadata.annotations
+      value:
+        foo: bar
+  - equal:
+      path: metadata.labels
+      value:
+        app.kubernetes.io/instance: reposilite-unittest
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: reposilite
+        app.kubernetes.io/version: 0.1.0
+        bar: foo
+        helm.sh/chart: reposilite-0.1.0
+
+- it: Change defaults
+  set:
+    prometheus.metrics.enabled: true
+    prometheus.metrics.secret.existing.enabled: true
+    prometheus.metrics.secret.existing.secretName: "my-secret"
+    prometheus.metrics.secret.existing.basicAuthUsernameKey: "my-username-key"
+    prometheus.metrics.secret.existing.basicAuthPasswordKey: "my-password-key"
+    prometheus.metrics.serviceMonitor.enabled: true
+    prometheus.metrics.serviceMonitor.enableHttp2: false
+    prometheus.metrics.serviceMonitor.followRedirects: true
+    prometheus.metrics.serviceMonitor.honorLabels: true
+    prometheus.metrics.serviceMonitor.interval: "180s"
+    prometheus.metrics.serviceMonitor.path: "/my-metrics"
+    prometheus.metrics.serviceMonitor.relabelings:
+    - sourceLabels: [ container ]
+      separator: ";"
+      regex: "app"
+      replacement: "$1"
+      action: "drop"
+    prometheus.metrics.serviceMonitor.scrapeTimeout: "5s"
+    prometheus.metrics.serviceMonitor.scheme: "https"
+    service.scheme: https
+  asserts:
+  - hasDocuments:
+      count: 1
+  - isSubset:
+      path: spec.endpoints[0].basicAuth
+      content:
+        password:
+          key: my-password-key
+          name: my-secret
+        username:
+          key: my-username-key
+          name: my-secret
+  - equal:
+      path: spec.endpoints[0].enableHttp2
+      value: false
+  - equal:
+      path: spec.endpoints[0].followRedirects
+      value: true
+  - equal:
+      path: spec.endpoints[0].honorLabels
+      value: true
+  - equal:
+      path: spec.endpoints[0].interval
+      value: 180s
+  - equal:
+      path: spec.endpoints[0].path
+      value: /my-metrics
+  - equal:
+      path: spec.endpoints[0].port
+      value: https
+  - contains:
+      path: spec.endpoints[0].relabelings
+      content:
+        sourceLabels: [ container ]
+        separator: ";"
+        regex: "app"
+        replacement: "$1"
+        action: "drop"
+  - equal:
+      path: spec.endpoints[0].scrapeTimeout
+      value: 5s
+  - equal:
+      path: spec.endpoints[0].scheme
+      value: https

unittests/services/service.yaml

@@ -32,6 +32,7 @@ tests:
         app.kubernetes.io/instance: reposilite-unittest
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: reposilite
+        app.kubernetes.io/service-name: http
         app.kubernetes.io/version: 0.1.0
         helm.sh/chart: reposilite-0.1.0
   - notExists:
@@ -77,28 +78,35 @@ tests:
     service.internalTrafficPolicy: ""
   asserts:
   - failedTemplate:
-    errorMessage: No internal traffic policy defined!
+      errorMessage: No internal traffic policy defined!
 
 - it: Require port.
   set:
     service.port: ""
   asserts:
   - failedTemplate:
-    errorMessage: No service port defined!
+      errorMessage: No service port defined!
+
+- it: Require scheme.
+  set:
+    service.scheme: ""
+  asserts:
+  - failedTemplate:
+      errorMessage: The scheme of the serviceMonitor is not defined!
 
 - it: Require sessionAffinity.
   set:
     service.sessionAffinity: ""
   asserts:
   - failedTemplate:
-    errorMessage: No session affinity defined!
+      errorMessage: No session affinity defined!
 
 - it: Require service type.
   set:
     service.type: ""
   asserts:
   - failedTemplate:
-    errorMessage: No service type defined!
+      errorMessage: No service type defined!
 
 - it: Render service with custom annotations and labels.
   set:
@@ -106,6 +114,7 @@ tests:
       foo: bar
     service.labels:
       bar: foo
+    service.scheme: https
   asserts:
   - equal:
       path: metadata.annotations
@@ -117,6 +126,7 @@ tests:
         app.kubernetes.io/instance: reposilite-unittest
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: reposilite
+        app.kubernetes.io/service-name: https
         app.kubernetes.io/version: 0.1.0
         helm.sh/chart: reposilite-0.1.0
         bar: foo
@@ -134,6 +144,7 @@ tests:
     service.loadBalancerSourceRanges:
     - "11.12.0.0/17"
     service.port: 10443
+    service.scheme: https
     service.sessionAffinity: ClientIP
     service.type: LoadBalancer
   asserts:
@@ -161,6 +172,9 @@ tests:
       path: spec.loadBalancerSourceRanges
       value:
       - "11.12.0.0/17"
+  - equal:
+      path: spec.ports[0].name
+      value: https
   - equal:
       path: spec.ports[0].port
       value: 10443

values.yaml

@@ -6,6 +6,17 @@
 nameOverride: ""
 fullnameOverride: ""
 
+
+## @section Config
+config:
+  plugins:
+    ## @param config.plugins.prometheus.enabled Download the Prometheus plugin via an additional init container. The Prometheus plugin will automatically enabled, when Prometheus is enabled.
+    ## @param config.plugins.prometheus.url URL to download the plugin.
+    prometheus:
+      enabled: false
+      url: https://maven.reposilite.com/releases/com/reposilite/plugin/prometheus-plugin/{{ .Chart.AppVersion }}/prometheus-plugin-{{ .Chart.AppVersion }}-all.jar
+
+
 ## @section Deployment
 deployment:
   ## @param deployment.annotations Additional deployment annotations.
@@ -149,6 +160,24 @@ deployment:
   ## @param deployment.nodeSelector NodeSelector of the Reposilite deployment.
   nodeSelector: {}
 
+  pluginContainer:
+    ## @param deployment.pluginContainer.args Arguments passed to the plugin container.
+    args:
+    - "--location"
+    - "--fail"
+    - "--max-time"
+    - "60"
+
+    ## @param deployment.pluginContainer.image.registry Image registry, eg. `docker.io`.
+    ## @param deployment.pluginContainer.image.repository Image repository, eg. `curlimages/curl`.
+    ## @param deployment.pluginContainer.image.tag Custom image tag, eg. `0.1.0`.
+    ## @param deployment.pluginContainer.image.pullPolicy Image pull policy.
+    image:
+      registry: docker.io
+      repository: curlimages/curl
+      tag: "8.20.0"
+      pullPolicy: IfNotPresent
+
   ## @param deployment.priorityClassName PriorityClassName of the Reposilite deployment.
   priorityClassName: ""
 
@@ -183,13 +212,14 @@ deployment:
 
   ## @param deployment.topologySpreadConstraints TopologySpreadConstraints of the Reposilite deployment.
   topologySpreadConstraints: []
-  # - topologyKey: kubernetes.io/hostname
+  # - maxSkew: 1
+  #   topologyKey: kubernetes.io/hostname
   #   whenUnsatisfiable: DoNotSchedule
   #   labelSelector:
   #     matchLabels:
-  #       app.kubernetes.io/instance: prometheus-reposilite
+  #       app.kubernetes.io/instance: reposilite
 
-  ## @param deployment.volumes Additional volumes to mount into the pods of the prometheus-exporter deployment.
+  ## @param deployment.volumes Additional volumes to mount into the pods of the reposilite deployment.
   volumes: []
   # - name: my-configmap-volume
   #   config:
@@ -199,6 +229,71 @@ deployment:
   #     secretName: my-secret
 
 
+## @section GatewayAPI
+gatewayAPI:
+  ## @param gatewayAPI.enabled Enable the Gateway API resources. Requires Kubernetes v1.19 or higher, the CRD's and a compatible gateway controller.
+  enabled: false
+
+  core:
+    ## @param gatewayAPI.core.backendTLSPolicy.enabled Enable the BackendTLSPolicy resource. Requires also `gatewayAPI.enabled` to be `true`.
+    ## @param gatewayAPI.core.backendTLSPolicy.annotations Additional annotations for the BackendTLSPolicy.
+    ## @param gatewayAPI.core.backendTLSPolicy.labels Additional labels for the BackendTLSPolicy.
+    ## @param gatewayAPI.core.backendTLSPolicy.validation Validation configuration for the BackendTLSPolicy. For example, you can specify a trusted CA certificate to validate the TLS connection between the gateway and the Reposilite pod.
+    backendTLSPolicy:
+      enabled: false
+      annotations: {}
+      labels: {}
+      validation: {}
+        # caCertificateRefs:
+        # - group: ""
+        #   kind: Secret
+        #   name: "reposilite-ca"
+        # hostname: "reposilite"
+
+    ## @param gatewayAPI.core.httpRoute.enabled Enable the HTTPRoute resource. Requires also `gatewayAPI.enabled` and `service.enabled` to be `true`.
+    ## @param gatewayAPI.core.httpRoute.annotations Additional annotations for the HTTPRoute.
+    ## @param gatewayAPI.core.httpRoute.labels Additional labels for the HTTPRoute.
+    ## @param gatewayAPI.core.httpRoute.hostnames Hostnames for the HTTPRoute.
+    ## @skip gatewayAPI.core.httpRoute.matches Match conditions for the HTTPRoute. You can specify path based match conditions to route traffic to the Reposilite service.
+    ## @param gatewayAPI.core.httpRoute.parentRefs ParentRefs for the HTTPRoute. You can specify parentRefs to bind the HTTPRoute to specific Gateway resources.
+    httpRoute:
+      enabled: false
+      annotations: {}
+      labels: {}
+      hostnames: []
+      matches:
+      - path:
+          type: PathPrefix
+          value: /
+      parentRefs: []
+      # - name: gateway
+      #   kind: Gateway
+      #   group: gateway.networking.k8s.io
+      #   namespace: default
+      #   sectionName: reposilite-http
+
+  nginx:
+    ## @param gatewayAPI.nginx.clientSettingsPolicy.enabled Enable the ClientSettingsPolicy resource. Requires also `gatewayAPI.enabled` to be `true`.
+    ## @param gatewayAPI.nginx.clientSettingsPolicy.annotations Additional annotations for the ClientSettingsPolicy.
+    ## @param gatewayAPI.nginx.clientSettingsPolicy.labels Additional labels for the ClientSettingsPolicy.
+    ## @param gatewayAPI.nginx.clientSettingsPolicy.clientMaxBodySize ClientMaxBodySize sets the maximum allowed size of the client request body. If not specified, the default of the nginx gateway controller is used.
+    ## @param gatewayAPI.nginx.clientSettingsPolicy.clientBodyTimeout ClientBodyTimeout sets the timeout for reading the client request body. If not specified, the default of the nginx gateway controller is used.
+    ## @param gatewayAPI.nginx.clientSettingsPolicy.keepaliveRequests KeepaliveRequests sets the maximum number of requests that can be served through one keepalive connection. If not specified, the default of the nginx gateway controller is used.
+    ## @param gatewayAPI.nginx.clientSettingsPolicy.keepaliveTime KeepaliveTime sets the time a keepalive connection is kept open. If not specified, the default of the nginx gateway controller is used.
+    ## @param gatewayAPI.nginx.clientSettingsPolicy.keepaliveTimeout KeepaliveTimeout sets the time a client has to wait for the response of a request until the connection is closed. If not specified, the default of the nginx gateway controller is used.
+    ## @param gatewayAPI.nginx.clientSettingsPolicy.keepaliveMinTimeout KeepaliveMinTimeout sets the minimum time a client has to wait for the response of a request until the connection is closed. If not specified, the default of the nginx gateway controller is used.
+    clientSettingsPolicy:
+      enabled: false
+      annotations: {}
+      labels: {}
+      clientMaxBodySize: ""
+      clientBodyTimeout: ""
+      keepaliveRequests:
+      keepaliveTime: ""
+      keepaliveTimeout: ""
+      keepaliveMinTimeout: ""
+
+
 ## @section Horizontal Pod Autoscaler (HPA)
 # In order for the HPA to function successfully, a metric server is required, especially for resource consumption. The
 # metric server enables the CPU and memory utilisation to be recorded. If such a metric server is not available, the HPA
@@ -301,6 +396,11 @@ networkPolicy:
   #   - port: 53
   #     protocol: UDP
 
+  ## Allow outgoing HTTP traffic. For example to download maven artifacts from Apache Maven Central or Reposlite plugins from upstream.
+  # - ports:
+  #   - port: 443
+  #     protocol: TCP
+
   ingress: []
   # Allow incoming HTTP traffic from prometheus.
   #
@@ -314,6 +414,8 @@ networkPolicy:
   #   ports:
   #   - port: http
   #     protocol: TCP
+  #   - port: https
+  #     protocol: TCP
 
   # Allow incoming HTTP traffic from ingress-nginx.
   #
@@ -327,6 +429,8 @@ networkPolicy:
   #   ports:
   #   - port: http
   #     protocol: TCP
+  #   - port: https
+  #     protocol: TCP
 
 
 ## @section Persistent Volume Claim
@@ -355,6 +459,89 @@ persistentVolumeClaim:
     storageClass: ""
 
 
+## @section Prometheus
+prometheus:
+  metrics:
+    ## @param prometheus.metrics.enabled Enable of scraping metrics by Prometheus.
+    enabled: false
+
+    secret:
+      ## @param prometheus.metrics.secret.existing.enabled Use an existing secret containing the basic auth credentials.
+      ## @param prometheus.metrics.secret.existing.secretName Name of the secret containing the basic auth credentials.
+      ## @param prometheus.metrics.secret.existing.basicAuthUsernameKey Name of the key in the secret that contains the username for basic auth.
+      ## @param prometheus.metrics.secret.existing.basicAuthPasswordKey Name of the key in the secret that contains the password for basic auth.
+      existing:
+        enabled: false
+        secretName: ""
+        basicAuthUsernameKey: ""
+        basicAuthPasswordKey: ""
+
+      ## @param prometheus.metrics.secret.new.annotations Additional secret annotations.
+      ## @param prometheus.metrics.secret.new.labels Additional secret labels.
+      ## @param prometheus.metrics.secret.new.basicAuthUsername Username for basic auth. The username and password is required by reposilite to expose metrics. Default: random alpha numeric string.
+      ## @param prometheus.metrics.secret.new.basicAuthPassword Password for basic auth. The username and password is required by reposilite to expose metrics. Default random alpha numeric string.
+      new:
+        annotations: {}
+        labels: {}
+        basicAuthUsername: ""
+        basicAuthPassword: ""
+
+    ## @param prometheus.metrics.podMonitor.enabled Enable creation of a podMonitor. Excludes the existence of a serviceMonitor resource.
+    ## @param prometheus.metrics.podMonitor.annotations Additional podMonitor annotations.
+    ## @param prometheus.metrics.podMonitor.enableHttp2 Enable HTTP2.
+    ## @param prometheus.metrics.podMonitor.followRedirects FollowRedirects configures whether scrape requests follow HTTP 3xx redirects.
+    ## @param prometheus.metrics.podMonitor.honorLabels Honor labels.
+    ## @param prometheus.metrics.podMonitor.labels Additional podMonitor labels.
+    ## @param prometheus.metrics.podMonitor.interval Interval at which metrics should be scraped. If not specified Prometheus' global scrape interval is used.
+    ## @param prometheus.metrics.podMonitor.path HTTP path of the Reposilite pod for scraping Prometheus metrics.
+    ## @param prometheus.metrics.podMonitor.port HTTP port of the Reposilite pod for scraping Prometheus metrics.
+    ## @param prometheus.metrics.podMonitor.relabelings RelabelConfigs to apply to samples before scraping. Prometheus Operator automatically adds relabelings for a few standard Kubernetes fields.
+    ## @param prometheus.metrics.podMonitor.scrapeTimeout Timeout after which the scrape is ended. If not specified, global Prometheus scrape timeout is used.
+    ## @param prometheus.metrics.podMonitor.scheme HTTP scheme to use for scraping. For example `http` or `https`.
+    ## @param prometheus.metrics.podMonitor.tlsConfig TLS configuration to use when scraping the metric endpoint by Prometheus.
+    ## @skip prometheus.metrics.podMonitor.tlsConfig Skip individual TLS configuration.
+    podMonitor:
+      enabled: false
+      annotations: {}
+      enableHttp2: false
+      followRedirects: false
+      honorLabels: false
+      labels: {}
+      interval: "60s"
+      path: "/metrics"
+      port: "http"
+      relabelings: []
+      scrapeTimeout: "30s"
+      scheme: "http"
+      tlsConfig: {}
+
+    ## @param prometheus.metrics.serviceMonitor.enabled Enable creation of a serviceMonitor. Excludes the existence of a podMonitor resource.
+    ## @param prometheus.metrics.serviceMonitor.annotations Additional serviceMonitor annotations.
+    ## @param prometheus.metrics.serviceMonitor.labels Additional serviceMonitor labels.
+    ## @param prometheus.metrics.serviceMonitor.enableHttp2 Enable HTTP2.
+    ## @param prometheus.metrics.serviceMonitor.followRedirects FollowRedirects configures whether scrape requests follow HTTP 3xx redirects.
+    ## @param prometheus.metrics.serviceMonitor.honorLabels Honor labels.
+    ## @param prometheus.metrics.serviceMonitor.interval Interval at which metrics should be scraped. If not specified Prometheus' global scrape interval is used.
+    ## @param prometheus.metrics.serviceMonitor.path HTTP path for scraping Prometheus metrics.
+    ## @param prometheus.metrics.serviceMonitor.relabelings RelabelConfigs to apply to samples before scraping. Prometheus Operator automatically adds relabelings for a few standard Kubernetes fields.
+    ## @param prometheus.metrics.serviceMonitor.scrapeTimeout Timeout after which the scrape is ended. If not specified, global Prometheus scrape timeout is used.
+    ## @param prometheus.metrics.serviceMonitor.scheme HTTP scheme to use for scraping. For example `http` or `https`.
+    ## @param prometheus.metrics.serviceMonitor.tlsConfig TLS configuration to use when scraping the metric endpoint by Prometheus.
+    ## @skip prometheus.metrics.serviceMonitor.tlsConfig Skip individual TLS configuration.
+    serviceMonitor:
+      enabled: false
+      annotations: {}
+      labels: {}
+      enableHttp2: false
+      followRedirects: false
+      honorLabels: false
+      interval: "60s"
+      path: "/metrics"
+      relabelings: []
+      scrapeTimeout: "30s"
+      scheme: "http"
+      tlsConfig: {}
+
 ## @section Service
 ## @param service.enabled Enable the service.
 ## @param service.annotations Additional service annotations.
@@ -367,6 +554,7 @@ persistentVolumeClaim:
 ## @param service.loadBalancerIP LoadBalancer will get created with the IP specified in this field. Requires service from type `LoadBalancer`.
 ## @param service.loadBalancerSourceRanges Source range filter for LoadBalancer. Requires service from type `LoadBalancer`.
 ## @param service.port Port to forward the traffic to.
+## @param service.scheme Name of the service port. This name is also used as scheme / port name of the service monitor resource.
 ## @param service.sessionAffinity Supports `ClientIP` and `None`. Enable client IP based session affinity via `ClientIP`.
 ## @param service.sessionAffinityConfig Contains the configuration of the session affinity.
 ## @param service.type Kubernetes service type for the traffic.
@@ -382,6 +570,7 @@ service:
   loadBalancerIP: ""
   loadBalancerSourceRanges: []
   port: 8080
+  scheme: http
   sessionAffinity: "None"
   sessionAffinityConfig: {}
   type: "ClusterIP"