Merge remote-tracking branch 'origin/master' into feat/support-gateway-api

Reviewed-on: #48

.gitea/workflows/generate-readme.yaml

@@ -15,15 +15,14 @@ on:
 jobs:
   generate-parameters:
     container:
-      image: docker.io/library/node:24.9.0-alpine
+      image: docker.io/library/node:26.3.0-alpine
-    runs-on:
+    runs-on: ubuntu-latest
-    - ubuntu-latest
     steps:
     - name: Install tooling
       run: |
         apk update
         apk add git npm
-    - uses: actions/checkout@v5.0.0
+    - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
     - name: Generate parameter section in README
       run: |
         npm install

.gitea/workflows/helm.yaml

@@ -12,31 +12,26 @@ on:
 
 jobs:
   helm-lint:
-    container:
+    runs-on: ubuntu-latest
-      image: docker.io/volkerraschek/helm:3.19.0
-    runs-on:
-    - ubuntu-latest
     steps:
-    - name: Install tooling
+    - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
-      run: |
+    - uses: azure/setup-helm@dda3372f752e03dde6b3237bc9431cdc2f7a02a2 # v5.0.0
-        apk update
+      with:
-        apk add git npm
+        version: v4.1.4 # renovate: datasource=github-releases depName=helm/helm
-    - uses: actions/checkout@v5.0.0
     - name: Lint helm files
       run: |
         helm lint --values values.yaml .
 
   helm-unittest:
-    container:
+    runs-on: ubuntu-latest
-      image: docker.io/volkerraschek/helm:3.19.0
-    runs-on:
-    - ubuntu-latest
     steps:
-    - name: Install tooling
+    - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
-      run: |
+    - uses: azure/setup-helm@dda3372f752e03dde6b3237bc9431cdc2f7a02a2 # v5.0.0
-        apk update
+      with:
-        apk add git npm
+        version: v4.1.4 # renovate: datasource=github-releases depName=helm/helm
-    - uses: actions/checkout@v5.0.0
+    - env:
-    - name: Unittest
+        HELM_UNITTEST_VERSION: v1.0.0 #renovate: datasource=github-releases depName=helm-unittest/helm-unittest
-      run: |
+      name: Install helm-unittest
-        helm unittest --strict --file 'unittests/**/*.yaml' ./
+      run: helm plugin install --verify=false --version "${HELM_UNITTEST_VERSION}" https://github.com/helm-unittest/helm-unittest
+    - name: Execute helm unittests
+      run: helm unittest --strict --file 'unittests/**/*.yaml' .

.gitea/workflows/markdown-linters.yaml

@@ -15,15 +15,14 @@ on:
 jobs:
   markdown-link-checker:
     container:
-      image: docker.io/library/node:24.9.0-alpine
+      image: docker.io/library/node:26.3.0-alpine
-    runs-on:
+    runs-on: ubuntu-latest
-    - ubuntu-latest
     steps:
     - name: Install tooling
       run: |
         apk update
         apk add git npm
-    - uses: actions/checkout@v5.0.0
+    - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
     - name: Verify links in markdown files
       run: |
         npm install
@@ -31,15 +30,14 @@ jobs:
 
   markdown-lint:
     container:
-      image: docker.io/library/node:24.9.0-alpine
+      image: docker.io/library/node:26.3.0-alpine
-    runs-on:
+    runs-on: ubuntu-latest
-    - ubuntu-latest
     steps:
     - name: Install tooling
       run: |
         apk update
         apk add git
-    - uses: actions/checkout@v5.0.0
+    - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
     - name: Lint markdown files
       run: |
         npm install

.gitea/workflows/release.yaml

@@ -8,7 +8,7 @@ on:
 jobs:
   publish-chart:
     container:
-      image: docker.io/volkerraschek/helm:3.19.0
+      image: docker.io/volkerraschek/helm:3.19.2
     runs-on: ubuntu-latest
     steps:
       - name: Install packages via apk
@@ -16,7 +16,7 @@ jobs:
           apk update
           apk add git npm jq yq
 
-      - uses: actions/checkout@v5.0.0
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
         with:
           fetch-depth: 0
 

.gitignore

@@ -1,6 +1,8 @@
 charts
 node_modules
 target
-values[0-9].yml
+!values.yaml
-values[0-9].yaml
+!values.yml
+values*.yaml
+values*.yml
 *.tgz

.vscode/settings.json

@@ -0,0 +1,8 @@
+{
+  "yaml.schemas": {
+    "https://raw.githubusercontent.com/helm-unittest/helm-unittest/v1.1.1/schema/helm-testsuite.json": [
+      "/unittests/**/*.yaml"
+    ]
+  },
+  "yaml.schemaStore.enable": true
+}

Chart.yaml

@@ -5,7 +5,7 @@ annotations:
     - name: support
       url: https://git.cryptic.systems/volker.raschek/reposilite-charts/issues
 apiVersion: v2
-appVersion: "3.5.26"
+appVersion: "3.5.28"
 description: |
   Lightweight and easy-to-use repository management software
   dedicated for the Maven based artifacts in the JVM ecosystem

Makefile

@@ -1,16 +1,10 @@
 # CONTAINER_RUNTIME
 CONTAINER_RUNTIME?=$(shell which podman)
 
-# HELM_IMAGE
-HELM_IMAGE_REGISTRY_HOST?=docker.io
-HELM_IMAGE_REPOSITORY?=volkerraschek/helm
-HELM_IMAGE_VERSION?=3.19.0 # renovate: datasource=docker registryUrl=https://docker.io depName=volkerraschek/helm
-HELM_IMAGE_FULLY_QUALIFIED=${HELM_IMAGE_REGISTRY_HOST}/${HELM_IMAGE_REPOSITORY}:${HELM_IMAGE_VERSION}
-
 # NODE_IMAGE
 NODE_IMAGE_REGISTRY_HOST?=docker.io
 NODE_IMAGE_REPOSITORY?=library/node
-NODE_IMAGE_VERSION?=24.9.0-alpine # renovate: datasource=docker registryUrl=https://docker.io depName=docker.io/library/node packageName=library/node
+NODE_IMAGE_VERSION?=24.11.1-alpine # renovate: datasource=docker registryUrl=https://docker.io depName=docker.io/library/node packageName=library/node
 NODE_IMAGE_FULLY_QUALIFIED=${NODE_IMAGE_REGISTRY_HOST}/${NODE_IMAGE_REPOSITORY}:${NODE_IMAGE_VERSION}
 
 # MISSING DOT
@@ -31,6 +25,12 @@ readme/lint:
 readme/parameters:
 	npm install && npm run readme:parameters
 
+# HELM UNITTESTS
+# ==============================================================================
+PHONY+=helm/unittest
+helm/unittest:
+	helm unittest --strict --file 'unittests/**/*.yaml' ./
+
 # CONTAINER RUN - README
 # ==============================================================================
 PHONY+=container-run/readme
@@ -60,32 +60,6 @@ container-run/readme/parameters:
 			${NODE_IMAGE_FULLY_QUALIFIED} \
 				npm install && npm run readme:parameters
 
-# CONTAINER RUN - HELM UNITTESTS
-# ==============================================================================
-PHONY+=container-run/helm-unittests
-container-run/helm-unittests:
-	${CONTAINER_RUNTIME} run \
-		--env HELM_REPO_PASSWORD=${CHART_SERVER_PASSWORD} \
-		--env HELM_REPO_USERNAME=${CHART_SERVER_USERNAME} \
-		--rm \
-		--volume $(shell pwd):$(shell pwd) \
-		--workdir $(shell pwd) \
-			${HELM_IMAGE_FULLY_QUALIFIED} \
-				unittest --strict --file 'unittests/**/*.yaml' ./
-
-# CONTAINER RUN - HELM UPDATE DEPENDENCIES
-# ==============================================================================
-PHONY+=container-run/helm-update-dependencies
-container-run/helm-update-dependencies:
-	${CONTAINER_RUNTIME} run \
-		--env HELM_REPO_PASSWORD=${CHART_SERVER_PASSWORD} \
-		--env HELM_REPO_USERNAME=${CHART_SERVER_USERNAME} \
-		--rm \
-		--volume $(shell pwd):$(shell pwd) \
-		--workdir $(shell pwd) \
-			${HELM_IMAGE_FULLY_QUALIFIED} \
-				dependency update
-
 # CONTAINER RUN - MARKDOWN-LINT
 # ==============================================================================
 PHONY+=container-run/helm-lint
@@ -101,4 +75,4 @@ container-run/helm-lint:
 # ==============================================================================
 # Declare the contents of the PHONY variable as phony. We keep that information
 # in a variable so we can use it in if_changed.
-.PHONY: ${PHONY}
+.PHONY: ${PHONY}

README.md

@@ -37,7 +37,7 @@ version of the chart must be in sync with the `values.yaml`. Newer *minor* versi
 versions can break something!
 
 ```bash
-CHART_VERSION=0.2.0
+CHART_VERSION=1.0.0
 helm show values volker.raschek/reposilite --version "${CHART_VERSION}" > values.yaml
 ```
 
@@ -51,7 +51,7 @@ The helm chart also contains a persistent volume claim definition. It persistent
 Use the `--set` argument to persist your data.
 
 ```bash
-CHART_VERSION=0.2.0
+CHART_VERSION=1.0.0
 helm install --version "${CHART_VERSION}" reposilite volker.raschek/reposilite \
   persistentVolumeClaim.enabled=true
 ```
@@ -63,8 +63,9 @@ The following examples serve as individual configurations and as inspiration for
 #### TLS encryption
 
 The example describe how to deploy Reposilite with TLS encryption. If Reposilite is deployed behind reverse proxy, for
-example an ingress nginx controller, please instruct the ingress to establish an TLS encrypted connection to avoid
+example an ingress nginx controller or Gateway API, please instruct the reserve proxy to establish an TLS encrypted
-connection problems.
+connection to avoid connection problems. The documentation describe configuring [ingress NGINX](#ingress-nginx) as well
+as [NGINX Gateway Fabric](#gatewayapi-nginx-fabric).
 
 > [!WARNING]
 > The secret `reposilite-tls` containing the TLS certificate is already present. The keys `ca.crt`, `tls.key` and
@@ -72,7 +73,7 @@ connection problems.
 > error.
 
 ```bash
-CHART_VERSION=0.2.0
+CHART_VERSION=1.0.0
 helm install --version "${CHART_VERSION}" reposilite volker.raschek/reposilite \
   --set 'deployment.reposilite.env[1].name=REPOSILITE_LOCAL_SSLENABLED' \
   --set 'deployment.reposilite.env[1].value="true"' \
@@ -94,27 +95,124 @@ helm install --version "${CHART_VERSION}" reposilite volker.raschek/reposilite \
   --set 'service.port=8443'
 ```
 
+##### Ingress NGINX
+
+The following changes must be applied to enable TLS encryption and authentication on-top between the ingress and backend
+service.
+
+> [!IMPORTANT]
+> The HTTP Version between the ingress nginx and backend must be set to `1.1`, as well as the TLS protocol must be set
+> to `TLSv1.2`. Otherwise can't the nginx establish a TLS connection.
+
+The secret `reposilite/ingress-nginx-controller-tls` contains TLS certificates for the nginx ingress controller. The TLS
+certificate must be created manually, for example via [cert-manager](https://cert-manager.io/). It is used by the nginx
+for TLS authentication.
+
+```yaml
+ingress:
+  enabled: true
+  className: "nginx"
+  annotations:
+    nginx.ingress.kubernetes.io/backend-protocol: HTTPS
+    nginx.ingress.kubernetes.io/proxy-http-version: "1.1"
+    nginx.ingress.kubernetes.io/proxy-ssl-secret: reposilite/ingress-nginx-controller-tls
+    nginx.ingress.kubernetes.io/proxy-ssl-protocols: TLSv1.2
+    nginx.ingress.kubernetes.io/proxy-ssl-name: reposilite
+    nginx.ingress.kubernetes.io/proxy-ssl-verify: "on"
+```
+
+##### GatewayAPI: NGINX Fabric
+
+The following changes must be applied to enable TLS encryption and authentication on-top between the ingress and backend
+service.
+
+> [!IMPORTANT]
+> The HTTP Version between the ingress nginx and backend must be set to `1.1`, as well as the TLS protocol must be set
+> to `TLSv1.2`. Otherwise can't the nginx establish a TLS connection.
+
+The `gatewayAPI.core.backendTLSPolicy.validation.caCertificateRefs` must contains at least one secret containing the
+root or intermediate certificate of the issued TLS certificate used by reposilite to be able to validate the TLS certificate.
+
+```yaml
+gatewayAPI:
+  enabled: true
+  core:
+    backendTLSPolicy:
+      enabled: true
+      validation:
+        caCertificateRefs:
+        - group: ""
+          kind: Secret
+          name: "reposilite-ca"
+        hostname: "reposilite"
+
+    httpRoute:
+      hostnames:
+      - reposilite.example.local
+      parentRefs:
+      - name: nginx
+        kind: Gateway
+        group: gateway.networking.k8s.io
+        namespace: my-gateway-namespace
+        sectionName: reposilite-https
+```
+
+The Gateway resource is not part of the helm chart, but for illustrating the configuration example, here a GatewayAPI
+resource with configured backend TLS certificate. The TLS certificates `gateway-frontend-tls` and `gateway-backend-tls`
+must also be created manually, for example via [cert-manager](https://cert-manager.io/).
+
+```yaml
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: Gateway
+metadata:
+  name: nginx
+  namespace: my-gateway-namespace
+spec:
+  gatewayClassName: nginx
+  listeners:
+    - allowedRoutes:
+        kinds:
+          - group: gateway.networking.k8s.io
+            kind: HTTPRoute
+        namespaces:
+          from: All
+      hostname: reposilite.example.local
+      name: https
+      port: 443
+      protocol: HTTPS
+      tls:
+        certificateRefs:
+          - group: ''
+            kind: Secret
+            name: gateway-frontend-tls
+            namespace: my-gateway-namespace
+        mode: Terminate
+  tls:
+    backend:
+      clientCertificateRef:
+        group: ''
+        kind: Secret
+        name: gateway-backend-tls
+        namespace: my-gateway-namespace
+```
+
 #### TLS certificate rotation
 
 If Reposilite uses TLS certificates that are mounted as a secret in the container file system like the example
-[above](#tls-encryption), Reposlite will not automatically apply them when the TLS certificates are rotated. Such a
+[above](#tls-encryption), Reposilite will not automatically apply them when the TLS certificates are rotated. Such a
 rotation can be for example triggered, when the [cert-manager](https://cert-manager.io/) issues new TLS certificates
 before expiring.
 
 Until Reposilite does not support rotating TLS certificate a workaround can be applied. For example stakater's
 [reloader](https://github.com/stakater/Reloader) controller can be used to trigger a rolling update. The following
-annotation must be added to instruct the reloader controller to trigger a rolling update, when the mounted configMaps
+annotation must be added to instruct the reloader controller to trigger a rolling update, when the mounted secret has
-and secrets have been changed.
+been changed.
 
-```yaml
+> [!IMPORTANT]
-deployment:
+> The Helm chart already adds annotations to trigger a rolling release. Helm describes this approach under
-  annotations:
+> [Automatically Roll Deployments](https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments).
-    reloader.stakater.com/auto: "true"
+> For this reason, **only external** configMaps or secrets need to be monitored by reloader.
-```
-
-Instead of triggering a rolling update for configMap and secret resources, this action can also be defined for
-individual items. For example, when the secret named `reposilite-tls` is mounted and the reloader controller should only
-listen for changes of this secret:
 
 ```yaml
 deployment:
@@ -122,6 +220,20 @@ deployment:
     secret.reloader.stakater.com/reload: "reposilite-tls"
 ```
 
+If the application is rolled out using ArgoCD, a rolling update from stakater's
+[reloader](https://github.com/stakater/Reloader) can lead to a drift. ArgoCD will attempt to restore the original state
+with a rolling update. To avoid this, instead of a rolling update triggered by the reloader, a restart of the pod can be
+initiated. Further information are available in the official
+[README](https://github.com/stakater/Reloader?tab=readme-ov-file#4-%EF%B8%8F-workload-specific-rollout-strategy) of
+stakater's reloader.
+
+```diff
+  deployment:
+    annotations:
++     reloader.stakater.com/rollout-strategy: "restart"
+      secret.reloader.stakater.com/reload: "reposilite-tls"
+```
+
 #### Network policies
 
 Network policies can only take effect, when the used CNI plugin support network policies. The chart supports no custom
@@ -163,12 +275,20 @@ networkPolicies:
 
   ingress:
   - from:
+    # Ingress NGINX
     - namespaceSelector:
         matchLabels:
           kubernetes.io/metadata.name: ingress-nginx
       podSelector:
         matchLabels:
           app.kubernetes.io/name: ingress-nginx
+    # NGINX GatewayAPI Fabric
+    - namespaceSelector:
+        matchLabels:
+          kubernetes.io/metadata.name: gateway-nginx
+      podSelector:
+        matchLabels:
+          app.kubernetes.io/name: gateway-nginx
     ports:
     - port: http
       protocol: TCP
@@ -187,13 +307,62 @@ be set the credentials manually.
 The following example enable Prometheus metrics with custom basic auth credentials:
 
 ```bash
-CHART_VERSION=0.2.0
+CHART_VERSION=1.0.0
 helm install --version "${CHART_VERSION}" reposilite volker.raschek/reposilite \
   --set 'prometheus.metrics.enabled=true' \
   --set 'prometheus.metrics.basicAuthUsername=my-username' \
   --set 'prometheus.metrics.basicAuthUsername=my-password'
 ```
 
+## ArgoCD
+
+### Example Application
+
+An application resource for the Helm chart is defined below. It serves as an example for your own deployment.
+
+```yaml
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+spec:
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: reposilite
+  ignoreDifferences:
+  - group: apps
+    kind: Deployment
+    jqPathExpressions:
+    # When HPA is enabled, ensure that a modification of the replicas does not lead to a
+    # drift.
+      - '.spec.replicas'
+    # Ensure that changes of the annotations or environment variables added or modified by
+    # stakater's reloader does not lead to a drift.
+    - '.spec.template.metadata.annotations | with_entries(select(.key | startswith("reloader")))'
+    - '.spec.template.spec.containers[].env[] | select(.name | startswith("STAKATER_"))'
+  sources:
+  - repoURL: https://charts.cryptic.systems/volker.raschek
+    chart: reposilite
+    targetRevision: '0.*'
+    helm:
+      valueFiles:
+      - $values/values.yaml
+      releaseName: reposilite
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    managedNamespaceMetadata:
+      annotations: {}
+      labels: {}
+    syncOptions:
+    - ApplyOutOfSyncOnly=true
+    - CreateNamespace=true
+    - FailOnSharedResource=false
+    - Replace=false
+    - RespectIgnoreDifferences=false
+    - ServerSideApply=true
+    - Validate=true
+```
+
 ## Parameters
 
 ### Global
@@ -240,7 +409,7 @@ helm install --version "${CHART_VERSION}" reposilite volker.raschek/reposilite \
 | `deployment.pluginContainer.args`                  | Arguments passed to the plugin container.                                                                  | `["--location","--fail","--max-time","60"]` |
 | `deployment.pluginContainer.image.registry`        | Image registry, eg. `docker.io`.                                                                           | `docker.io`                                 |
 | `deployment.pluginContainer.image.repository`      | Image repository, eg. `curlimages/curl`.                                                                   | `curlimages/curl`                           |
-| `deployment.pluginContainer.image.tag`             | Custom image tag, eg. `0.1.0`.                                                                             | `8.16.0`                                    |
+| `deployment.pluginContainer.image.tag`             | Custom image tag, eg. `0.1.0`.                                                                             | `8.20.0`                                    |
 | `deployment.pluginContainer.image.pullPolicy`      | Image pull policy.                                                                                         | `IfNotPresent`                              |
 | `deployment.priorityClassName`                     | PriorityClassName of the Reposilite deployment.                                                            | `""`                                        |
 | `deployment.replicas`                              | Number of replicas for the Reposilite deployment.                                                          | `1`                                         |
@@ -254,6 +423,30 @@ helm install --version "${CHART_VERSION}" reposilite volker.raschek/reposilite \
 | `deployment.topologySpreadConstraints`             | TopologySpreadConstraints of the Reposilite deployment.                                                    | `[]`                                        |
 | `deployment.volumes`                               | Additional volumes to mount into the pods of the reposilite deployment.                                    | `[]`                                        |
 
+### GatewayAPI
+
+| Name                                                        | Description                                                                                                                                                                                         | Value   |
+| ----------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------- |
+| `gatewayAPI.enabled`                                        | Enable the Gateway API resources. Requires Kubernetes v1.19 or higher, the CRD's and a compatible gateway controller.                                                                               | `false` |
+| `gatewayAPI.core.backendTLSPolicy.enabled`                  | Enable the BackendTLSPolicy resource. Requires also `gatewayAPI.enabled` to be `true`.                                                                                                              | `false` |
+| `gatewayAPI.core.backendTLSPolicy.annotations`              | Additional annotations for the BackendTLSPolicy.                                                                                                                                                    | `{}`    |
+| `gatewayAPI.core.backendTLSPolicy.labels`                   | Additional labels for the BackendTLSPolicy.                                                                                                                                                         | `{}`    |
+| `gatewayAPI.core.backendTLSPolicy.validation`               | Validation configuration for the BackendTLSPolicy. For example, you can specify a trusted CA certificate to validate the TLS connection between the gateway and the Reposilite pod.                 | `{}`    |
+| `gatewayAPI.core.httpRoute.enabled`                         | Enable the HTTPRoute resource. Requires also `gatewayAPI.enabled` and `service.enabled` to be `true`.                                                                                               | `false` |
+| `gatewayAPI.core.httpRoute.annotations`                     | Additional annotations for the HTTPRoute.                                                                                                                                                           | `{}`    |
+| `gatewayAPI.core.httpRoute.labels`                          | Additional labels for the HTTPRoute.                                                                                                                                                                | `{}`    |
+| `gatewayAPI.core.httpRoute.hostnames`                       | Hostnames for the HTTPRoute.                                                                                                                                                                        | `[]`    |
+| `gatewayAPI.core.httpRoute.parentRefs`                      | ParentRefs for the HTTPRoute. You can specify parentRefs to bind the HTTPRoute to specific Gateway resources.                                                                                       | `[]`    |
+| `gatewayAPI.nginx.clientSettingsPolicy.enabled`             | Enable the ClientSettingsPolicy resource. Requires also `gatewayAPI.enabled` to be `true`.                                                                                                          | `false` |
+| `gatewayAPI.nginx.clientSettingsPolicy.annotations`         | Additional annotations for the ClientSettingsPolicy.                                                                                                                                                | `{}`    |
+| `gatewayAPI.nginx.clientSettingsPolicy.labels`              | Additional labels for the ClientSettingsPolicy.                                                                                                                                                     | `{}`    |
+| `gatewayAPI.nginx.clientSettingsPolicy.clientMaxBodySize`   | ClientMaxBodySize sets the maximum allowed size of the client request body. If not specified, the default of the nginx gateway controller is used.                                                  | `""`    |
+| `gatewayAPI.nginx.clientSettingsPolicy.clientBodyTimeout`   | ClientBodyTimeout sets the timeout for reading the client request body. If not specified, the default of the nginx gateway controller is used.                                                      | `""`    |
+| `gatewayAPI.nginx.clientSettingsPolicy.keepaliveRequests`   | KeepaliveRequests sets the maximum number of requests that can be served through one keepalive connection. If not specified, the default of the nginx gateway controller is used.                   | `nil`   |
+| `gatewayAPI.nginx.clientSettingsPolicy.keepaliveTime`       | KeepaliveTime sets the time a keepalive connection is kept open. If not specified, the default of the nginx gateway controller is used.                                                             | `""`    |
+| `gatewayAPI.nginx.clientSettingsPolicy.keepaliveTimeout`    | KeepaliveTimeout sets the time a client has to wait for the response of a request until the connection is closed. If not specified, the default of the nginx gateway controller is used.            | `""`    |
+| `gatewayAPI.nginx.clientSettingsPolicy.keepaliveMinTimeout` | KeepaliveMinTimeout sets the minimum time a client has to wait for the response of a request until the connection is closed. If not specified, the default of the nginx gateway controller is used. | `""`    |
+
 ### Horizontal Pod Autoscaler (HPA)
 
 | Name                     | Description                                                                                        | Value       |

package.json

@@ -16,6 +16,6 @@
   "devDependencies": {
     "@bitnami/readme-generator-for-helm": "^2.5.0",
     "markdown-link-check": "^3.13.6",
-    "markdownlint-cli": "^0.45.0"
+    "markdownlint-cli": "^0.48.0"
   }
 }

renovate.json

@@ -4,16 +4,18 @@
     "local>volker.raschek/renovate-config:default#master",
     "local>volker.raschek/renovate-config:container#master",
     "local>volker.raschek/renovate-config:actions#master",
+    "local>volker.raschek/renovate-config:helm#master",
     "local>volker.raschek/renovate-config:npm#master",
     "local>volker.raschek/renovate-config:regexp#master"
   ],
   "customManagers": [
     {
+      "customType": "regex",
       "fileMatch": [
         "^Chart\\.yaml$"
       ],
       "matchStrings": [
-        "appVersion: \"(?<currentValue>.*?)\"\\s+"
+        "^appVersion: \"?(?<currentValue>.*)\"?"
       ],
       "datasourceTemplate": "docker",
       "depNameTemplate": "dzikoysk/reposilite",
@@ -21,7 +23,10 @@
       "versioningTemplate": "semver"
     },
     {
-      "fileMatch": ["^README\\.md$"],
+      "customType": "regex",
+      "fileMatch": [
+        "^README\\.md$"
+      ],
       "matchStrings": [
         "CHART_VERSION=(?<currentValue>.*)"
       ],
@@ -32,6 +37,13 @@
     }
   ],
   "packageRules": [
+    {
+      "groupName": "Update docker.io/library/node",
+      "matchDepNames": [
+        "docker.io/library/node",
+        "library/node"
+      ]
+    },
     {
       "addLabels": [
         "renovate/automerge",

templates/_backendTLSPolicy.tpl

@@ -0,0 +1,32 @@
+{{/* vim: set filetype=mustache: */}}
+
+{{/* annotations */}}
+
+{{- define "reposilite.backendTLSPolicy.annotations" -}}
+{{ include "reposilite.annotations" . }}
+{{- if .Values.gatewayAPI.core.backendTLSPolicy.annotations }}
+{{ toYaml .Values.gatewayAPI.core.backendTLSPolicy.annotations }}
+{{- end }}
+{{- end }}
+
+{{/* enabled */}}
+
+{{- define "reposilite.backendTLSPolicy.enabled" -}}
+{{- if and .Values.gatewayAPI.enabled
+           .Values.gatewayAPI.core.backendTLSPolicy.enabled
+           .Values.service.enabled
+-}}
+true
+{{- else -}}
+false
+{{- end -}}
+{{- end }}
+
+{{/* labels */}}
+
+{{- define "reposilite.backendTLSPolicy.labels" -}}
+{{ include "reposilite.labels" . }}
+{{- if .Values.gatewayAPI.core.backendTLSPolicy.labels }}
+{{ toYaml .Values.gatewayAPI.core.backendTLSPolicy.labels }}
+{{- end }}
+{{- end }}

templates/_clientSettingsPolicy.tpl

@@ -0,0 +1,31 @@
+{{/* vim: set filetype=mustache: */}}
+
+{{/* annotations */}}
+
+{{- define "reposilite.clientSettingsPolicy.annotations" -}}
+{{ include "reposilite.annotations" . }}
+{{- if .Values.gatewayAPI.nginx.clientSettingsPolicy.annotations }}
+{{ toYaml .Values.gatewayAPI.nginx.clientSettingsPolicy.annotations }}
+{{- end }}
+{{- end }}
+
+{{/* enabled */}}
+
+{{- define "reposilite.clientSettingsPolicy.enabled" -}}
+{{- if and (eq (include "reposilite.httpRoute.enabled" $) "true")
+           .Values.gatewayAPI.nginx.clientSettingsPolicy.enabled
+-}}
+true
+{{- else -}}
+false
+{{- end -}}
+{{- end }}
+
+{{/* labels */}}
+
+{{- define "reposilite.clientSettingsPolicy.labels" -}}
+{{ include "reposilite.labels" . }}
+{{- if .Values.gatewayAPI.nginx.clientSettingsPolicy.labels }}
+{{ toYaml .Values.gatewayAPI.nginx.clientSettingsPolicy.labels }}
+{{- end }}
+{{- end }}

templates/_httpRoute.tpl

@@ -0,0 +1,32 @@
+{{/* vim: set filetype=mustache: */}}
+
+{{/* annotations */}}
+
+{{- define "reposilite.httpRoute.annotations" -}}
+{{ include "reposilite.annotations" . }}
+{{- if .Values.gatewayAPI.core.httpRoute.annotations }}
+{{ toYaml .Values.gatewayAPI.core.httpRoute.annotations }}
+{{- end }}
+{{- end }}
+
+{{/* enabled */}}
+
+{{- define "reposilite.httpRoute.enabled" -}}
+{{- if and .Values.gatewayAPI.enabled
+           .Values.gatewayAPI.core.httpRoute.enabled
+           .Values.service.enabled
+-}}
+true
+{{- else -}}
+false
+{{- end -}}
+{{- end }}
+
+{{/* labels */}}
+
+{{- define "reposilite.httpRoute.labels" -}}
+{{ include "reposilite.labels" . }}
+{{- if .Values.gatewayAPI.core.httpRoute.labels }}
+{{ toYaml .Values.gatewayAPI.core.httpRoute.labels }}
+{{- end }}
+{{- end }}

templates/backendTLSPolicy.yaml

@@ -0,0 +1,25 @@
+{{- if eq (include "reposilite.backendTLSPolicy.enabled" $) "true" }}
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: BackendTLSPolicy
+metadata:
+  {{- with (include "reposilite.backendTLSPolicy.annotations" . | fromYaml) }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  {{- with (include "reposilite.backendTLSPolicy.labels" . | fromYaml) }}
+  labels:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  name: {{ include "reposilite.fullname" . }}
+  namespace: {{ .Release.Namespace }}
+spec:
+  targetRefs:
+    - group: ""
+      kind: Service
+      name: {{ include "reposilite.service.name" . }}
+  {{- with .Values.gatewayAPI.core.backendTLSPolicy.validation }}
+  validation:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+{{- end -}}

templates/clientSettingsPolicy.yaml

@@ -0,0 +1,50 @@
+{{- if eq (include "reposilite.clientSettingsPolicy.enabled" $) "true" }}
+apiVersion: gateway.nginx.org/v1alpha1
+kind: ClientSettingsPolicy
+metadata:
+  {{- with (include "reposilite.clientSettingsPolicy.annotations" . | fromYaml) }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  {{- with (include "reposilite.clientSettingsPolicy.labels" . | fromYaml) }}
+  labels:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  name: {{ include "reposilite.fullname" . }}
+  namespace: {{ .Release.Namespace }}
+spec:
+  targetRef:
+    group: gateway.networking.k8s.io
+    kind: HTTPRoute
+    name: {{ include "reposilite.fullname" . }}
+  {{- if or .Values.gatewayAPI.nginx.clientSettingsPolicy.clientMaxBodySize
+            .Values.gatewayAPI.nginx.clientSettingsPolicy.clientBodyTimeout
+  }}
+  body:
+    {{- with .Values.gatewayAPI.nginx.clientSettingsPolicy.clientMaxBodySize }}
+    maxSize: {{ . }}
+    {{- end }}
+    {{- with .Values.gatewayAPI.nginx.clientSettingsPolicy.clientBodyTimeout }}
+    timeout: {{ . }}
+    {{- end }}
+  {{- end }}
+  {{- if or .Values.gatewayAPI.nginx.clientSettingsPolicy.keepaliveRequests
+            .Values.gatewayAPI.nginx.clientSettingsPolicy.keepaliveTime
+            .Values.gatewayAPI.nginx.clientSettingsPolicy.keepaliveTimeout
+            .Values.gatewayAPI.nginx.clientSettingsPolicy.keepaliveMinTimeout
+  }}
+  keepAlive:
+    {{- with .Values.gatewayAPI.nginx.clientSettingsPolicy.keepaliveRequests }}
+    requests: {{ . }}
+    {{- end }}
+    {{- with .Values.gatewayAPI.nginx.clientSettingsPolicy.keepaliveTime }}
+    time: {{ . }}
+    {{- end }}
+    {{- with .Values.gatewayAPI.nginx.clientSettingsPolicy.keepaliveTimeout }}
+    timeout: {{ . }}
+    {{- end }}
+    {{- with .Values.gatewayAPI.nginx.clientSettingsPolicy.keepaliveMinTimeout }}
+    minTimeout: {{ . }}
+    {{- end }}
+  {{- end }}
+{{- end -}}

templates/httpRoute.yaml

@@ -0,0 +1,36 @@
+{{- if eq (include "reposilite.httpRoute.enabled" $) "true" }}
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  {{- with (include "reposilite.httpRoute.annotations" . | fromYaml) }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  {{- with (include "reposilite.httpRoute.labels" . | fromYaml) }}
+  labels:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  name: {{ include "reposilite.fullname" . }}
+  namespace: {{ .Release.Namespace }}
+spec:
+  {{- with .Values.gatewayAPI.core.httpRoute.hostnames }}
+  hostnames:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  {{- with .Values.gatewayAPI.core.httpRoute.parentRefs }}
+  parentRefs:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  rules:
+    - backendRefs:
+        - kind: Service
+          name: {{ include "reposilite.service.name" . }}
+          namespace: {{ .Release.Namespace }}
+          port: {{ .Values.service.port }}
+          weight: 1
+      {{- with .Values.gatewayAPI.core.httpRoute.matches }}
+      matches:
+        {{- toYaml . | nindent 6 }}
+      {{- end }}
+{{- end }}

templates/secretPrometheusBasicAuth.yaml

@@ -14,6 +14,6 @@ metadata:
   name: {{ include "reposilite.secrets.prometheusBasicAuth.name" . }}
   namespace: {{ .Release.Namespace }}
 stringData:
-  password: {{ default (randAlphaNum 16) .Values.prometheus.metrics.secret.new.basicAuthPassword }}
+  password: {{ required "Password for basic auth is required!" .Values.prometheus.metrics.secret.new.basicAuthPassword }}
-  username: {{ default (randAlphaNum 16) .Values.prometheus.metrics.secret.new.basicAuthUsername }}
+  username: {{ required "Username for basic auth is required!" .Values.prometheus.metrics.secret.new.basicAuthUsername }}
 {{- end }}

unittests/backendTLSPolicy/backendTLSPolicy.yaml

@@ -0,0 +1,130 @@
+chart:
+  appVersion: 0.1.0
+  version: 0.1.0
+suite: backendTLSPolicy template
+release:
+  name: reposilite-unittest
+  namespace: testing
+templates:
+- templates/backendTLSPolicy.yaml
+tests:
+- it: Skip rendering when disabled 1/6
+  set:
+    gatewayAPI.enabled: false
+    gatewayAPI.core.backendTLSPolicy.enabled: false
+    service.enabled: false
+  asserts:
+  - hasDocuments:
+      count: 0
+
+- it: Skip rendering when disabled 2/6
+  set:
+    gatewayAPI.enabled: true
+    gatewayAPI.core.backendTLSPolicy.enabled: false
+    service.enabled: false
+  asserts:
+  - hasDocuments:
+      count: 0
+
+- it: Skip rendering when disabled 3/6
+  set:
+    gatewayAPI.enabled: false
+    gatewayAPI.core.backendTLSPolicy.enabled: true
+    service.enabled: false
+  asserts:
+  - hasDocuments:
+      count: 0
+
+- it: Skip rendering when disabled 4/6
+  set:
+    gatewayAPI.enabled: false
+    gatewayAPI.core.backendTLSPolicy.enabled: false
+    service.enabled: true
+  asserts:
+  - hasDocuments:
+      count: 0
+
+- it: Skip rendering when disabled 5/6
+  set:
+    gatewayAPI.enabled: true
+    gatewayAPI.core.backendTLSPolicy.enabled: false
+    service.enabled: true
+  asserts:
+  - hasDocuments:
+      count: 0
+
+- it: Skip rendering when disabled 6/6
+  set:
+    gatewayAPI.enabled: true
+    gatewayAPI.core.backendTLSPolicy.enabled: true
+    service.enabled: false
+  asserts:
+  - hasDocuments:
+      count: 0
+
+- it: Render default values
+  set:
+    gatewayAPI.enabled: true
+    gatewayAPI.core.backendTLSPolicy.enabled: true
+    service.enabled: true
+  asserts:
+  - hasDocuments:
+      count: 1
+  - containsDocument:
+      apiVersion: gateway.networking.k8s.io/v1
+      kind: BackendTLSPolicy
+      name: reposilite-unittest
+      namespace: testing
+  - contains:
+      path: spec.targetRefs
+      content:
+        group: ""
+        kind: Service
+        name: reposilite-unittest
+  - notExists:
+      path: spec.validation.caCertificateRefs
+
+- it: Render with custom annotations and labels
+  set:
+    gatewayAPI.enabled: true
+    gatewayAPI.core.backendTLSPolicy:
+      enabled: true
+      annotations:
+        foo: bar
+      labels:
+        bar: foo
+    service.enabled: true
+  asserts:
+  - equal:
+      path: metadata.annotations
+      value:
+        foo: bar
+  - equal:
+      path: metadata.labels
+      value:
+        app.kubernetes.io/instance: reposilite-unittest
+        app.kubernetes.io/name: reposilite
+        app.kubernetes.io/version: 0.1.0
+        app.kubernetes.io/managed-by: Helm
+        helm.sh/chart: reposilite-0.1.0
+        bar: foo
+
+- it: Render with custom validation
+  set:
+    gatewayAPI.enabled: true
+    gatewayAPI.core.backendTLSPolicy.enabled: true
+    gatewayAPI.core.backendTLSPolicy.validation:
+      caCertificateRefs:
+        - group: ""
+          kind: Secret
+          name: reposilite-ca
+      hostname: reposilite.svc.cluster.local
+    service.enabled: true
+  asserts:
+  - isSubset:
+      path: spec.validation
+      content:
+        caCertificateRefs:
+          - group: ""
+            kind: Secret
+            name: reposilite-ca

unittests/clientSettingsPolicy/clientSettingsPolicy.yaml

@@ -0,0 +1,190 @@
+chart:
+  appVersion: 0.1.0
+  version: 0.1.0
+suite: ClientSettingsPolicy template
+release:
+  name: reposilite-unittest
+  namespace: testing
+templates:
+- templates/clientSettingsPolicy.yaml
+tests:
+- it: Skip rendering when disabled 1/8
+  set:
+    gatewayAPI.enabled: false
+    gatewayAPI.core.httpRoute.enabled: false
+    gatewayAPI.nginx.clientSettingsPolicy.enabled: false
+    service.enabled: false
+  asserts:
+  - hasDocuments:
+      count: 0
+
+- it: Skip rendering when disabled 2/8
+  set:
+    gatewayAPI.enabled: true
+    gatewayAPI.core.httpRoute.enabled: false
+    gatewayAPI.nginx.clientSettingsPolicy.enabled: false
+    service.enabled: false
+  asserts:
+  - hasDocuments:
+      count: 0
+
+- it: Skip rendering when disabled 3/8
+  set:
+    gatewayAPI.enabled: false
+    gatewayAPI.core.httpRoute.enabled: true
+    gatewayAPI.nginx.clientSettingsPolicy.enabled: false
+    service.enabled: false
+  asserts:
+  - hasDocuments:
+      count: 0
+
+- it: Skip rendering when disabled 4/8
+  set:
+    gatewayAPI.enabled: false
+    gatewayAPI.core.httpRoute.enabled: false
+    gatewayAPI.nginx.clientSettingsPolicy.enabled: true
+    service.enabled: false
+  asserts:
+  - hasDocuments:
+      count: 0
+
+- it: Skip rendering when disabled 5/8
+  set:
+    gatewayAPI.enabled: false
+    gatewayAPI.core.httpRoute.enabled: false
+    gatewayAPI.nginx.clientSettingsPolicy.enabled: false
+    service.enabled: true
+  asserts:
+  - hasDocuments:
+      count: 0
+
+- it: Skip rendering when disabled 6/8
+  set:
+    gatewayAPI.enabled: true
+    gatewayAPI.core.httpRoute.enabled: true
+    gatewayAPI.nginx.clientSettingsPolicy.enabled: false
+    service.enabled: false
+  asserts:
+  - hasDocuments:
+      count: 0
+
+- it: Skip rendering when disabled 7/8
+  set:
+    gatewayAPI.enabled: true
+    gatewayAPI.core.httpRoute.enabled: false
+    gatewayAPI.nginx.clientSettingsPolicy.enabled: true
+    service.enabled: false
+  asserts:
+  - hasDocuments:
+      count: 0
+
+- it: Skip rendering when disabled 8/8
+  set:
+    gatewayAPI.enabled: true
+    gatewayAPI.core.httpRoute.enabled: false
+    gatewayAPI.nginx.clientSettingsPolicy.enabled: false
+    service.enabled: true
+  asserts:
+  - hasDocuments:
+      count: 0
+
+- it: Render default values
+  set:
+    gatewayAPI.enabled: true
+    gatewayAPI.core.httpRoute.enabled: true
+    gatewayAPI.nginx.clientSettingsPolicy.enabled: true
+    service.enabled: true
+  asserts:
+  - hasDocuments:
+      count: 1
+  - containsDocument:
+      apiVersion: gateway.nginx.org/v1alpha1
+      kind: ClientSettingsPolicy
+      name: reposilite-unittest
+      namespace: testing
+  - notExists:
+      path: metadata.annotations
+  - equal:
+      path: metadata.labels
+      value:
+        app.kubernetes.io/instance: reposilite-unittest
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: reposilite
+        app.kubernetes.io/version: 0.1.0
+        helm.sh/chart: reposilite-0.1.0
+  - isSubset:
+      path: spec.targetRef
+      content:
+        group: gateway.networking.k8s.io
+        kind: HTTPRoute
+        name: reposilite-unittest
+  - notExists:
+      path: spec.body
+  - notExists:
+      path: spec.keepAlive
+
+- it: Render custom annotations and labels
+  set:
+    gatewayAPI.enabled: true
+    gatewayAPI.core.httpRoute.enabled: true
+    gatewayAPI.nginx.clientSettingsPolicy:
+      enabled: true
+      annotations:
+        foo: "bar"
+      labels:
+        bar: "foo"
+    service.enabled: true
+  asserts:
+  - equal:
+      path: metadata.annotations
+      value:
+        foo: "bar"
+  - equal:
+      path: metadata.labels
+      value:
+        app.kubernetes.io/instance: reposilite-unittest
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: reposilite
+        app.kubernetes.io/version: 0.1.0
+        helm.sh/chart: reposilite-0.1.0
+        bar: "foo"
+
+- it: Render with custom body settings
+  set:
+    gatewayAPI.enabled: true
+    gatewayAPI.core.httpRoute.enabled: true
+    gatewayAPI.nginx.clientSettingsPolicy:
+      enabled: true
+      clientMaxBodySize: 10m
+      clientBodyTimeout: 30s
+    service.enabled: true
+  asserts:
+  - isSubset:
+      path: spec.body
+      content:
+        maxSize: 10m
+        timeout: 30s
+  - notExists:
+      path: spec.keepAlive
+
+- it: Render with custom keepAlive settings
+  set:
+    gatewayAPI.enabled: true
+    gatewayAPI.core.httpRoute.enabled: true
+    gatewayAPI.nginx.clientSettingsPolicy:
+      enabled: true
+      keepaliveRequests: 100
+      keepaliveTime: 60s
+      keepaliveTimeout: 60s
+      keepaliveMinTimeout: 10s
+    service.enabled: true
+  asserts:
+  - notExists:
+      path: spec.body
+  - isSubset:
+      path: spec.keepAlive
+      content:
+        requests: 100
+        time: 60s
+        timeout: 60s
+        minTimeout: 10s

unittests/deployment/prometheusPodMonitor.yaml

@@ -13,6 +13,8 @@ tests:
   set:
     prometheus.metrics.enabled: true
     prometheus.metrics.podMonitor.enabled: true
+    prometheus.metrics.secret.new.basicAuthPassword: "my-password"
+    prometheus.metrics.secret.new.basicAuthUsername: "my-username"
   asserts:
   - exists:
       path: spec.template.metadata.annotations.checksum/secret-reposilite-unittest-basic-auth-credentials

unittests/deployment/prometheusServiceMonitor.yaml

@@ -13,6 +13,8 @@ tests:
   set:
     prometheus.metrics.enabled: true
     prometheus.metrics.serviceMonitor.enabled: true
+    prometheus.metrics.secret.new.basicAuthPassword: "my-password"
+    prometheus.metrics.secret.new.basicAuthUsername: "my-username"
   asserts:
   - exists:
       path: spec.template.metadata.annotations.checksum/secret-reposilite-unittest-basic-auth-credentials

unittests/httpRoute/httpRoute.yaml

@@ -0,0 +1,194 @@
+chart:
+  appVersion: 0.1.0
+  version: 0.1.0
+suite: HTTPRoute template
+release:
+  name: reposilite-unittest
+  namespace: testing
+templates:
+- templates/httpRoute.yaml
+tests:
+- it: Skip rendering when disabled 1/6
+  set:
+    gatewayAPI.enabled: false
+    gatewayAPI.core.httpRoute.enabled: false
+    service.enabled: false
+  asserts:
+  - hasDocuments:
+      count: 0
+
+- it: Skip rendering when disabled 2/6
+  set:
+    gatewayAPI.enabled: true
+    gatewayAPI.core.httpRoute.enabled: false
+    service.enabled: false
+  asserts:
+  - hasDocuments:
+      count: 0
+
+- it: Skip rendering when disabled 3/6
+  set:
+    gatewayAPI.enabled: false
+    gatewayAPI.core.httpRoute.enabled: true
+    service.enabled: false
+  asserts:
+  - hasDocuments:
+      count: 0
+
+- it: Skip rendering when disabled 4/6
+  set:
+    gatewayAPI.enabled: false
+    gatewayAPI.core.httpRoute.enabled: false
+    service.enabled: true
+  asserts:
+  - hasDocuments:
+      count: 0
+
+- it: Skip rendering when disabled 5/6
+  set:
+    gatewayAPI.enabled: true
+    gatewayAPI.core.httpRoute.enabled: false
+    service.enabled: true
+  asserts:
+  - hasDocuments:
+      count: 0
+
+- it: Skip rendering when disabled 6/6
+  set:
+    gatewayAPI.enabled: true
+    gatewayAPI.core.httpRoute.enabled: true
+    service.enabled: false
+  asserts:
+  - hasDocuments:
+      count: 0
+
+- it: Rendering default values
+  set:
+    gatewayAPI.enabled: true
+    gatewayAPI.core.httpRoute.enabled: true
+    service.enabled: true
+  asserts:
+  - hasDocuments:
+      count: 1
+  - containsDocument:
+      apiVersion: gateway.networking.k8s.io/v1
+      kind: HTTPRoute
+      name: reposilite-unittest
+      namespace: testing
+  - notExists:
+      path: metadata.annotations
+  - equal:
+      path: metadata.labels
+      value:
+        app.kubernetes.io/instance: reposilite-unittest
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: reposilite
+        app.kubernetes.io/version: 0.1.0
+        helm.sh/chart: reposilite-0.1.0
+  - notExists:
+      path: spec.hostnames
+  - notExists:
+      path: spec.parentRefs
+  - contains:
+      path: spec.rules[0].backendRefs
+      content:
+        kind: Service
+        name: reposilite-unittest
+        namespace: testing
+        port: 8080
+        weight: 1
+  - contains:
+      path: spec.rules[0].matches
+      content:
+        path:
+          type: PathPrefix
+          value: /
+
+- it: Rendering custom annotations and labels
+  set:
+    gatewayAPI.enabled: true
+    gatewayAPI.core.httpRoute:
+      enabled: true
+      annotations:
+        foo: bar
+      labels:
+        bar: foo
+    service.enabled: true
+  asserts:
+  - hasDocuments:
+      count: 1
+  - equal:
+      path: metadata.annotations
+      value:
+        foo: bar
+  - equal:
+      path: metadata.labels
+      value:
+        app.kubernetes.io/instance: reposilite-unittest
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: reposilite
+        app.kubernetes.io/version: 0.1.0
+        bar: foo
+        helm.sh/chart: reposilite-0.1.0
+
+- it: Rendering custom service port
+  set:
+    gatewayAPI.enabled: true
+    gatewayAPI.core.httpRoute.enabled: true
+    service:
+      enabled: true
+      port: 9090
+  asserts:
+  - equal:
+      path: spec.rules[0].backendRefs[0].port
+      value: 9090
+
+- it: Rendering custom matches
+  set:
+    gatewayAPI.enabled: true
+    gatewayAPI.core.httpRoute:
+      enabled: true
+      matches:
+      - path:
+          type: PathPrefix
+          value: /foo
+    service.enabled: true
+  asserts:
+  - contains:
+      path: spec.rules[0].matches
+      content:
+        path:
+          type: PathPrefix
+          value: /foo
+
+- it: Rendering custom hostnames and parentRefs
+  set:
+    gatewayAPI.enabled: true
+    gatewayAPI.core.httpRoute:
+      enabled: true
+      hostnames:
+      - reposilite.example.local
+      parentRefs:
+      - name: gateway
+        namespace: testing
+        kind: Gateway
+        sectionName: reposilite-debug-gateway
+    service.enabled: true
+  asserts:
+  - lengthEqual:
+      path: spec.hostnames
+      count: 1
+  - contains:
+      path: spec.hostnames
+      content:
+        reposilite.example.local
+  - lengthEqual:
+      path: spec.parentRefs
+      count: 1
+  - contains:
+      path: spec.parentRefs
+      content:
+        name: gateway
+        namespace: testing
+        kind: Gateway
+        sectionName: reposilite-debug-gateway

unittests/secrets/basicAuth.yaml

@@ -13,9 +13,29 @@ tests:
   - hasDocuments:
       count: 0
 
+- it: Throw error for missing basic auth password
+  set:
+    prometheus.metrics.enabled: true
+    # prometheus.metrics.secret.new.basicAuthPassword: "my-password"
+    prometheus.metrics.secret.new.basicAuthUsername: "my-username"
+  asserts:
+    - failedTemplate:
+        errorMessage: "Password for basic auth is required!"
+
+- it: Throw error for missing basic auth username
+  set:
+    prometheus.metrics.enabled: true
+    prometheus.metrics.secret.new.basicAuthPassword: "my-password"
+    # prometheus.metrics.secret.new.basicAuthUsername: "my-username"
+  asserts:
+    - failedTemplate:
+        errorMessage: "Username for basic auth is required!"
+
 - it: Rendering secret with default values.
   set:
     prometheus.metrics.enabled: true
+    prometheus.metrics.secret.new.basicAuthPassword: "my-password"
+    prometheus.metrics.secret.new.basicAuthUsername: "my-username"
   asserts:
   - hasDocuments:
       count: 1
@@ -51,13 +71,13 @@ tests:
   asserts:
   - hasDocuments:
       count: 1
-  - exists:
+  - isSubset:
       path: metadata.annotations
-      value:
+      content:
         foo: bar
-  - exists:
+  - isSubset:
       path: metadata.labels
-      value:
+      content:
         bar: foo
   - equal:
       path: metadata.name

unittests/serviceAccount/serviceAccount.yaml

@@ -53,13 +53,13 @@ tests:
   asserts:
   - hasDocuments:
       count: 1
-  - exists:
+  - isSubset:
       path: metadata.annotations
-      value:
+      content:
         foo: bar
-  - exists:
+  - isSubset:
       path: metadata.labels
-      value:
+      content:
         bar: foo
   - equal:
       path: metadata.name

unittests/services/service.yaml

@@ -78,35 +78,35 @@ tests:
     service.internalTrafficPolicy: ""
   asserts:
   - failedTemplate:
-    errorMessage: No internal traffic policy defined!
+      errorMessage: No internal traffic policy defined!
 
 - it: Require port.
   set:
     service.port: ""
   asserts:
   - failedTemplate:
-    errorMessage: No service port defined!
+      errorMessage: No service port defined!
 
 - it: Require scheme.
   set:
     service.scheme: ""
   asserts:
   - failedTemplate:
-    errorMessage: No service scheme defined!
+      errorMessage: The scheme of the serviceMonitor is not defined!
 
 - it: Require sessionAffinity.
   set:
     service.sessionAffinity: ""
   asserts:
   - failedTemplate:
-    errorMessage: No session affinity defined!
+      errorMessage: No session affinity defined!
 
 - it: Require service type.
   set:
     service.type: ""
   asserts:
   - failedTemplate:
-    errorMessage: No service type defined!
+      errorMessage: No service type defined!
 
 - it: Render service with custom annotations and labels.
   set:

values.yaml

@@ -175,7 +175,7 @@ deployment:
     image:
       registry: docker.io
       repository: curlimages/curl
-      tag: "8.16.0"
+      tag: "8.20.0"
       pullPolicy: IfNotPresent
 
   ## @param deployment.priorityClassName PriorityClassName of the Reposilite deployment.
@@ -229,6 +229,71 @@ deployment:
   #     secretName: my-secret
 
 
+## @section GatewayAPI
+gatewayAPI:
+  ## @param gatewayAPI.enabled Enable the Gateway API resources. Requires Kubernetes v1.19 or higher, the CRD's and a compatible gateway controller.
+  enabled: false
+
+  core:
+    ## @param gatewayAPI.core.backendTLSPolicy.enabled Enable the BackendTLSPolicy resource. Requires also `gatewayAPI.enabled` to be `true`.
+    ## @param gatewayAPI.core.backendTLSPolicy.annotations Additional annotations for the BackendTLSPolicy.
+    ## @param gatewayAPI.core.backendTLSPolicy.labels Additional labels for the BackendTLSPolicy.
+    ## @param gatewayAPI.core.backendTLSPolicy.validation Validation configuration for the BackendTLSPolicy. For example, you can specify a trusted CA certificate to validate the TLS connection between the gateway and the Reposilite pod.
+    backendTLSPolicy:
+      enabled: false
+      annotations: {}
+      labels: {}
+      validation: {}
+        # caCertificateRefs:
+        # - group: ""
+        #   kind: Secret
+        #   name: "reposilite-ca"
+        # hostname: "reposilite"
+
+    ## @param gatewayAPI.core.httpRoute.enabled Enable the HTTPRoute resource. Requires also `gatewayAPI.enabled` and `service.enabled` to be `true`.
+    ## @param gatewayAPI.core.httpRoute.annotations Additional annotations for the HTTPRoute.
+    ## @param gatewayAPI.core.httpRoute.labels Additional labels for the HTTPRoute.
+    ## @param gatewayAPI.core.httpRoute.hostnames Hostnames for the HTTPRoute.
+    ## @skip gatewayAPI.core.httpRoute.matches Match conditions for the HTTPRoute. You can specify path based match conditions to route traffic to the Reposilite service.
+    ## @param gatewayAPI.core.httpRoute.parentRefs ParentRefs for the HTTPRoute. You can specify parentRefs to bind the HTTPRoute to specific Gateway resources.
+    httpRoute:
+      enabled: false
+      annotations: {}
+      labels: {}
+      hostnames: []
+      matches:
+      - path:
+          type: PathPrefix
+          value: /
+      parentRefs: []
+      # - name: gateway
+      #   kind: Gateway
+      #   group: gateway.networking.k8s.io
+      #   namespace: default
+      #   sectionName: reposilite-http
+
+  nginx:
+    ## @param gatewayAPI.nginx.clientSettingsPolicy.enabled Enable the ClientSettingsPolicy resource. Requires also `gatewayAPI.enabled` to be `true`.
+    ## @param gatewayAPI.nginx.clientSettingsPolicy.annotations Additional annotations for the ClientSettingsPolicy.
+    ## @param gatewayAPI.nginx.clientSettingsPolicy.labels Additional labels for the ClientSettingsPolicy.
+    ## @param gatewayAPI.nginx.clientSettingsPolicy.clientMaxBodySize ClientMaxBodySize sets the maximum allowed size of the client request body. If not specified, the default of the nginx gateway controller is used.
+    ## @param gatewayAPI.nginx.clientSettingsPolicy.clientBodyTimeout ClientBodyTimeout sets the timeout for reading the client request body. If not specified, the default of the nginx gateway controller is used.
+    ## @param gatewayAPI.nginx.clientSettingsPolicy.keepaliveRequests KeepaliveRequests sets the maximum number of requests that can be served through one keepalive connection. If not specified, the default of the nginx gateway controller is used.
+    ## @param gatewayAPI.nginx.clientSettingsPolicy.keepaliveTime KeepaliveTime sets the time a keepalive connection is kept open. If not specified, the default of the nginx gateway controller is used.
+    ## @param gatewayAPI.nginx.clientSettingsPolicy.keepaliveTimeout KeepaliveTimeout sets the time a client has to wait for the response of a request until the connection is closed. If not specified, the default of the nginx gateway controller is used.
+    ## @param gatewayAPI.nginx.clientSettingsPolicy.keepaliveMinTimeout KeepaliveMinTimeout sets the minimum time a client has to wait for the response of a request until the connection is closed. If not specified, the default of the nginx gateway controller is used.
+    clientSettingsPolicy:
+      enabled: false
+      annotations: {}
+      labels: {}
+      clientMaxBodySize: ""
+      clientBodyTimeout: ""
+      keepaliveRequests:
+      keepaliveTime: ""
+      keepaliveTimeout: ""
+      keepaliveMinTimeout: ""
+
+
 ## @section Horizontal Pod Autoscaler (HPA)
 # In order for the HPA to function successfully, a metric server is required, especially for resource consumption. The
 # metric server enables the CPU and memory utilisation to be recorded. If such a metric server is not available, the HPA