docs(README): add an ArgoCD application resource as an example

This patch remove generation of a random string for the username and password of
the basic auth credentials.

The problem with the random generated basic auth credentials is, that this leads
to a new shasum of the secret. GitOps tools like ArgoCD detects a drift trigger
a rolling update.

To avoid this must now the basic auth credentials be defined to enable
prometheus metrics.

.gitea/workflows/generate-readme.yaml

@@ -15,7 +15,7 @@ on:
 jobs:
   generate-parameters:
     container:
-      image: docker.io/library/node:24.8.0-alpine
+      image: docker.io/library/node:24.10.0-alpine
     runs-on:
     - ubuntu-latest
     steps:

.gitea/workflows/helm.yaml

@@ -13,7 +13,7 @@ on:
 jobs:
   helm-lint:
     container:
-      image: docker.io/volkerraschek/helm:3.18.5
+      image: docker.io/volkerraschek/helm:3.19.0
     runs-on:
     - ubuntu-latest
     steps:
@@ -28,7 +28,7 @@ jobs:
 
   helm-unittest:
     container:
-      image: docker.io/volkerraschek/helm:3.18.5
+      image: docker.io/volkerraschek/helm:3.19.0
     runs-on:
     - ubuntu-latest
     steps:

.gitea/workflows/markdown-linters.yaml

@@ -15,7 +15,7 @@ on:
 jobs:
   markdown-link-checker:
     container:
-      image: docker.io/library/node:24.8.0-alpine
+      image: docker.io/library/node:24.10.0-alpine
     runs-on:
     - ubuntu-latest
     steps:
@@ -31,7 +31,7 @@ jobs:
 
   markdown-lint:
     container:
-      image: docker.io/library/node:24.8.0-alpine
+      image: docker.io/library/node:24.10.0-alpine
     runs-on:
     - ubuntu-latest
     steps:

.gitea/workflows/release.yaml

@@ -8,7 +8,7 @@ on:
 jobs:
   publish-chart:
     container:
-      image: docker.io/volkerraschek/helm:3.18.5
+      image: docker.io/volkerraschek/helm:3.19.0
     runs-on: ubuntu-latest
     steps:
       - name: Install packages via apk

.vscode/settings.json

@@ -0,0 +1,8 @@
+{
+  "yaml.schemas": {
+    "https://raw.githubusercontent.com/helm-unittest/helm-unittest/v1.0.2/schema/helm-testsuite.json": [
+      "/unittests/**/*.yaml"
+    ]
+  },
+  "yaml.schemaStore.enable": true
+}

Chart.yaml

@@ -5,7 +5,7 @@ annotations:
     - name: support
       url: https://git.cryptic.systems/volker.raschek/reposilite-charts/issues
 apiVersion: v2
-appVersion: "3.5.25"
+appVersion: "3.5.26"
 description: |
   Lightweight and easy-to-use repository management software
   dedicated for the Maven based artifacts in the JVM ecosystem

Makefile

@@ -4,13 +4,13 @@ CONTAINER_RUNTIME?=$(shell which podman)
 # HELM_IMAGE
 HELM_IMAGE_REGISTRY_HOST?=docker.io
 HELM_IMAGE_REPOSITORY?=volkerraschek/helm
-HELM_IMAGE_VERSION?=3.18.2 # renovate: datasource=docker registryUrl=https://registry-nexus.orbis.dedalus.com depName=volkerraschek/helm
+HELM_IMAGE_VERSION?=3.19.0 # renovate: datasource=docker registryUrl=https://docker.io depName=docker.io/volkerraschek/helm
 HELM_IMAGE_FULLY_QUALIFIED=${HELM_IMAGE_REGISTRY_HOST}/${HELM_IMAGE_REPOSITORY}:${HELM_IMAGE_VERSION}
 
 # NODE_IMAGE
 NODE_IMAGE_REGISTRY_HOST?=docker.io
 NODE_IMAGE_REPOSITORY?=library/node
-NODE_IMAGE_VERSION?=24.8.0-alpine # renovate: datasource=docker registryUrl=https://docker.io depName=docker.io/library/node packageName=library/node
+NODE_IMAGE_VERSION?=24.10.0-alpine # renovate: datasource=docker registryUrl=https://docker.io depName=docker.io/library/node packageName=library/node
 NODE_IMAGE_FULLY_QUALIFIED=${NODE_IMAGE_REGISTRY_HOST}/${NODE_IMAGE_REPOSITORY}:${NODE_IMAGE_VERSION}
 
 # MISSING DOT
@@ -101,4 +101,4 @@ container-run/helm-lint:
 # ==============================================================================
 # Declare the contents of the PHONY variable as phony. We keep that information
 # in a variable so we can use it in if_changed.
-.PHONY: ${PHONY}
+.PHONY: ${PHONY}

README.md

@@ -37,7 +37,7 @@ version of the chart must be in sync with the `values.yaml`. Newer *minor* versi
 versions can break something!
 
 ```bash
-CHART_VERSION=0.2.0
+CHART_VERSION=0.3.0
 helm show values volker.raschek/reposilite --version "${CHART_VERSION}" > values.yaml
 ```
 
@@ -51,7 +51,7 @@ The helm chart also contains a persistent volume claim definition. It persistent
 Use the `--set` argument to persist your data.
 
 ```bash
-CHART_VERSION=0.2.0
+CHART_VERSION=0.3.0
 helm install --version "${CHART_VERSION}" reposilite volker.raschek/reposilite \
   persistentVolumeClaim.enabled=true
 ```
@@ -72,7 +72,7 @@ connection problems.
 > error.
 
 ```bash
-CHART_VERSION=0.2.0
+CHART_VERSION=0.3.0
 helm install --version "${CHART_VERSION}" reposilite volker.raschek/reposilite \
   --set 'deployment.reposilite.env[1].name=REPOSILITE_LOCAL_SSLENABLED' \
   --set 'deployment.reposilite.env[1].value="true"' \
@@ -122,6 +122,20 @@ deployment:
     secret.reloader.stakater.com/reload: "reposilite-tls"
 ```
 
+If the application is rolled out using ArgoCD, a rolling update from stakater's
+[reloader](https://github.com/stakater/Reloader) can lead to a drift. ArgoCD will attempt to restore the original state
+with a rolling update. To avoid this, instead of a rolling update triggered by the reloader, a restart of the pod can be
+initiated. Further information are available in the official
+[README](https://github.com/stakater/Reloader?tab=readme-ov-file#4-%EF%B8%8F-workload-specific-rollout-strategy) of
+stakater's reloader.
+
+```diff
+  deployment:
+    annotations:
+      reloader.stakater.com/auto: "true"
++     reloader.stakater.com/rollout-strategy: "restart"
+```
+
 #### Network policies
 
 Network policies can only take effect, when the used CNI plugin support network policies. The chart supports no custom
@@ -187,13 +201,62 @@ be set the credentials manually.
 The following example enable Prometheus metrics with custom basic auth credentials:
 
 ```bash
-CHART_VERSION=0.2.0
+CHART_VERSION=0.3.0
 helm install --version "${CHART_VERSION}" reposilite volker.raschek/reposilite \
   --set 'prometheus.metrics.enabled=true' \
   --set 'prometheus.metrics.basicAuthUsername=my-username' \
   --set 'prometheus.metrics.basicAuthUsername=my-password'
 ```
 
+## ArgoCD
+
+### Example Application
+
+An application resource for the Helm chart is defined below. It serves as an example for your own deployment.
+
+```yaml
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+spec:
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: reposilite
+  ignoreDifferences:
+  - group: apps
+    kind: Deployment
+    jqPathExpressions:
+    # When HPA is enabled, ensure that a modification of the replicas does not lead to a
+    # drift.
+      - '.spec.replicas'
+    # Ensure that changes of the annotations or environment variables added or modified by
+    # stakater's reloader does not lead to a drift.
+    - '.spec.template.metadata.annotations | with_entries(select(.key | startswith("reloader")))'
+    - '.spec.template.spec.containers[].env[] | select(.name | startswith("STAKATER_"))'
+  sources:
+  - repoURL: https://charts.cryptic.systems/volker.raschek
+    chart: reposilite
+    targetRevision: '0.*'
+    helm:
+      valueFiles:
+      - $values/values.yaml
+      releaseName: reposilite
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    managedNamespaceMetadata:
+      annotations: {}
+      labels: {}
+    syncOptions:
+    - ApplyOutOfSyncOnly=true
+    - CreateNamespace=true
+    - FailOnSharedResource=false
+    - Replace=false
+    - RespectIgnoreDifferences=false
+    - ServerSideApply=true
+    - Validate=true
+```
+
 ## Parameters
 
 ### Global
@@ -240,7 +303,7 @@ helm install --version "${CHART_VERSION}" reposilite volker.raschek/reposilite \
 | `deployment.pluginContainer.args`                  | Arguments passed to the plugin container.                                                                  | `["--location","--fail","--max-time","60"]` |
 | `deployment.pluginContainer.image.registry`        | Image registry, eg. `docker.io`.                                                                           | `docker.io`                                 |
 | `deployment.pluginContainer.image.repository`      | Image repository, eg. `curlimages/curl`.                                                                   | `curlimages/curl`                           |
-| `deployment.pluginContainer.image.tag`             | Custom image tag, eg. `0.1.0`.                                                                             | `8.15.0`                                    |
+| `deployment.pluginContainer.image.tag`             | Custom image tag, eg. `0.1.0`.                                                                             | `8.16.0`                                    |
 | `deployment.pluginContainer.image.pullPolicy`      | Image pull policy.                                                                                         | `IfNotPresent`                              |
 | `deployment.priorityClassName`                     | PriorityClassName of the Reposilite deployment.                                                            | `""`                                        |
 | `deployment.replicas`                              | Number of replicas for the Reposilite deployment.                                                          | `1`                                         |
@@ -304,36 +367,42 @@ helm install --version "${CHART_VERSION}" reposilite volker.raschek/reposilite \
 
 ### Prometheus
 
-| Name                                                | Description                                                                                                                                  | Value      |
+| Name                                                      | Description                                                                                                                                  | Value      |
-| --------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------- | ---------- |
+| --------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------- | ---------- |
-| `prometheus.metrics.enabled`                        | Enable of scraping metrics by Prometheus.                                                                                                    | `false`    |
+| `prometheus.metrics.enabled`                              | Enable of scraping metrics by Prometheus.                                                                                                    | `false`    |
-| `prometheus.metrics.basicAuthUsername`              | Username for basic auth. The username and password is required by reposilite to expose metrics. Default: random alpha numeric string.        | `""`       |
+| `prometheus.metrics.secret.existing.enabled`              | Use an existing secret containing the basic auth credentials.                                                                                | `false`    |
-| `prometheus.metrics.basicAuthPassword`              | Password for basic auth. The username and password is required by reposilite to expose metrics. Default random alpha numeric string.         | `""`       |
+| `prometheus.metrics.secret.existing.secretName`           | Name of the secret containing the basic auth credentials.                                                                                    | `""`       |
-| `prometheus.metrics.podMonitor.enabled`             | Enable creation of a podMonitor. Excludes the existence of a serviceMonitor resource.                                                        | `false`    |
+| `prometheus.metrics.secret.existing.basicAuthUsernameKey` | Name of the key in the secret that contains the username for basic auth.                                                                     | `""`       |
-| `prometheus.metrics.podMonitor.annotations`         | Additional podMonitor annotations.                                                                                                           | `{}`       |
+| `prometheus.metrics.secret.existing.basicAuthPasswordKey` | Name of the key in the secret that contains the password for basic auth.                                                                     | `""`       |
-| `prometheus.metrics.podMonitor.enableHttp2`         | Enable HTTP2.                                                                                                                                | `false`    |
+| `prometheus.metrics.secret.new.annotations`               | Additional secret annotations.                                                                                                               | `{}`       |
-| `prometheus.metrics.podMonitor.followRedirects`     | FollowRedirects configures whether scrape requests follow HTTP 3xx redirects.                                                                | `false`    |
+| `prometheus.metrics.secret.new.labels`                    | Additional secret labels.                                                                                                                    | `{}`       |
-| `prometheus.metrics.podMonitor.honorLabels`         | Honor labels.                                                                                                                                | `false`    |
+| `prometheus.metrics.secret.new.basicAuthUsername`         | Username for basic auth. The username and password is required by reposilite to expose metrics. Default: random alpha numeric string.        | `""`       |
-| `prometheus.metrics.podMonitor.labels`              | Additional podMonitor labels.                                                                                                                | `{}`       |
+| `prometheus.metrics.secret.new.basicAuthPassword`         | Password for basic auth. The username and password is required by reposilite to expose metrics. Default random alpha numeric string.         | `""`       |
-| `prometheus.metrics.podMonitor.interval`            | Interval at which metrics should be scraped. If not specified Prometheus' global scrape interval is used.                                    | `60s`      |
+| `prometheus.metrics.podMonitor.enabled`                   | Enable creation of a podMonitor. Excludes the existence of a serviceMonitor resource.                                                        | `false`    |
-| `prometheus.metrics.podMonitor.path`                | HTTP path of the Reposilite pod for scraping Prometheus metrics.                                                                             | `/metrics` |
+| `prometheus.metrics.podMonitor.annotations`               | Additional podMonitor annotations.                                                                                                           | `{}`       |
-| `prometheus.metrics.podMonitor.port`                | HTTP port of the Reposilite pod for scraping Prometheus metrics.                                                                             | `http`     |
+| `prometheus.metrics.podMonitor.enableHttp2`               | Enable HTTP2.                                                                                                                                | `false`    |
-| `prometheus.metrics.podMonitor.relabelings`         | RelabelConfigs to apply to samples before scraping. Prometheus Operator automatically adds relabelings for a few standard Kubernetes fields. | `[]`       |
+| `prometheus.metrics.podMonitor.followRedirects`           | FollowRedirects configures whether scrape requests follow HTTP 3xx redirects.                                                                | `false`    |
-| `prometheus.metrics.podMonitor.scrapeTimeout`       | Timeout after which the scrape is ended. If not specified, global Prometheus scrape timeout is used.                                         | `30s`      |
+| `prometheus.metrics.podMonitor.honorLabels`               | Honor labels.                                                                                                                                | `false`    |
-| `prometheus.metrics.podMonitor.scheme`              | HTTP scheme to use for scraping. For example `http` or `https`.                                                                              | `http`     |
+| `prometheus.metrics.podMonitor.labels`                    | Additional podMonitor labels.                                                                                                                | `{}`       |
-| `prometheus.metrics.podMonitor.tlsConfig`           | TLS configuration to use when scraping the metric endpoint by Prometheus.                                                                    | `{}`       |
+| `prometheus.metrics.podMonitor.interval`                  | Interval at which metrics should be scraped. If not specified Prometheus' global scrape interval is used.                                    | `60s`      |
-| `prometheus.metrics.serviceMonitor.enabled`         | Enable creation of a serviceMonitor. Excludes the existence of a podMonitor resource.                                                        | `false`    |
+| `prometheus.metrics.podMonitor.path`                      | HTTP path of the Reposilite pod for scraping Prometheus metrics.                                                                             | `/metrics` |
-| `prometheus.metrics.serviceMonitor.annotations`     | Additional serviceMonitor annotations.                                                                                                       | `{}`       |
+| `prometheus.metrics.podMonitor.port`                      | HTTP port of the Reposilite pod for scraping Prometheus metrics.                                                                             | `http`     |
-| `prometheus.metrics.serviceMonitor.labels`          | Additional serviceMonitor labels.                                                                                                            | `{}`       |
+| `prometheus.metrics.podMonitor.relabelings`               | RelabelConfigs to apply to samples before scraping. Prometheus Operator automatically adds relabelings for a few standard Kubernetes fields. | `[]`       |
-| `prometheus.metrics.serviceMonitor.enableHttp2`     | Enable HTTP2.                                                                                                                                | `false`    |
+| `prometheus.metrics.podMonitor.scrapeTimeout`             | Timeout after which the scrape is ended. If not specified, global Prometheus scrape timeout is used.                                         | `30s`      |
-| `prometheus.metrics.serviceMonitor.followRedirects` | FollowRedirects configures whether scrape requests follow HTTP 3xx redirects.                                                                | `false`    |
+| `prometheus.metrics.podMonitor.scheme`                    | HTTP scheme to use for scraping. For example `http` or `https`.                                                                              | `http`     |
-| `prometheus.metrics.serviceMonitor.honorLabels`     | Honor labels.                                                                                                                                | `false`    |
+| `prometheus.metrics.podMonitor.tlsConfig`                 | TLS configuration to use when scraping the metric endpoint by Prometheus.                                                                    | `{}`       |
-| `prometheus.metrics.serviceMonitor.interval`        | Interval at which metrics should be scraped. If not specified Prometheus' global scrape interval is used.                                    | `60s`      |
+| `prometheus.metrics.serviceMonitor.enabled`               | Enable creation of a serviceMonitor. Excludes the existence of a podMonitor resource.                                                        | `false`    |
-| `prometheus.metrics.serviceMonitor.path`            | HTTP path for scraping Prometheus metrics.                                                                                                   | `/metrics` |
+| `prometheus.metrics.serviceMonitor.annotations`           | Additional serviceMonitor annotations.                                                                                                       | `{}`       |
-| `prometheus.metrics.serviceMonitor.relabelings`     | RelabelConfigs to apply to samples before scraping. Prometheus Operator automatically adds relabelings for a few standard Kubernetes fields. | `[]`       |
+| `prometheus.metrics.serviceMonitor.labels`                | Additional serviceMonitor labels.                                                                                                            | `{}`       |
-| `prometheus.metrics.serviceMonitor.scrapeTimeout`   | Timeout after which the scrape is ended. If not specified, global Prometheus scrape timeout is used.                                         | `30s`      |
+| `prometheus.metrics.serviceMonitor.enableHttp2`           | Enable HTTP2.                                                                                                                                | `false`    |
-| `prometheus.metrics.serviceMonitor.scheme`          | HTTP scheme to use for scraping. For example `http` or `https`.                                                                              | `http`     |
+| `prometheus.metrics.serviceMonitor.followRedirects`       | FollowRedirects configures whether scrape requests follow HTTP 3xx redirects.                                                                | `false`    |
-| `prometheus.metrics.serviceMonitor.tlsConfig`       | TLS configuration to use when scraping the metric endpoint by Prometheus.                                                                    | `{}`       |
+| `prometheus.metrics.serviceMonitor.honorLabels`           | Honor labels.                                                                                                                                | `false`    |
+| `prometheus.metrics.serviceMonitor.interval`              | Interval at which metrics should be scraped. If not specified Prometheus' global scrape interval is used.                                    | `60s`      |
+| `prometheus.metrics.serviceMonitor.path`                  | HTTP path for scraping Prometheus metrics.                                                                                                   | `/metrics` |
+| `prometheus.metrics.serviceMonitor.relabelings`           | RelabelConfigs to apply to samples before scraping. Prometheus Operator automatically adds relabelings for a few standard Kubernetes fields. | `[]`       |
+| `prometheus.metrics.serviceMonitor.scrapeTimeout`         | Timeout after which the scrape is ended. If not specified, global Prometheus scrape timeout is used.                                         | `30s`      |
+| `prometheus.metrics.serviceMonitor.scheme`                | HTTP scheme to use for scraping. For example `http` or `https`.                                                                              | `http`     |
+| `prometheus.metrics.serviceMonitor.tlsConfig`             | TLS configuration to use when scraping the metric endpoint by Prometheus.                                                                    | `{}`       |
 
 ### Service
 

package-lock.json

@@ -1078,9 +1078,9 @@
       }
     },
     "node_modules/link-check": {
-      "version": "5.4.0",
+      "version": "5.5.0",
-      "resolved": "https://registry.npmjs.org/link-check/-/link-check-5.4.0.tgz",
+      "resolved": "https://registry.npmjs.org/link-check/-/link-check-5.5.0.tgz",
-      "integrity": "sha512-0Pf4xBVUnwJdbDgpBlhHNmWDtbVjHTpIFs+JaBuIsC9PKRxjv4KMGCO2Gc8lkVnqMf9B/yaNY+9zmMlO5MyToQ==",
+      "integrity": "sha512-CpMk2zMfyEMdDvFG92wO5pU/2I/wbw72/9pvUFhU9cDKkwhmVlPuvxQJzd/jXA2iVOgNgPLnS5zyOLW7OzNpdA==",
       "dev": true,
       "license": "ISC",
       "dependencies": {
@@ -1137,16 +1137,16 @@
       }
     },
     "node_modules/markdown-link-check": {
-      "version": "3.13.7",
+      "version": "3.14.1",
-      "resolved": "https://registry.npmjs.org/markdown-link-check/-/markdown-link-check-3.13.7.tgz",
+      "resolved": "https://registry.npmjs.org/markdown-link-check/-/markdown-link-check-3.14.1.tgz",
-      "integrity": "sha512-Btn3HU8s2Uyh1ZfzmyZEkp64zp2+RAjwfQt1u4swq2Xa6w37OW0T2inQZrkSNVxDSa2jSN2YYhw/JkAp5jF1PQ==",
+      "integrity": "sha512-h1tihNL3kmOS3N7H4FyF4xKDxiHnNBNSgs/LWlDiRHlC8O0vfRX0LhDDvesRSs4HM7nS0F658glLxonaXBmuWw==",
       "dev": true,
       "license": "ISC",
       "dependencies": {
         "async": "^3.2.6",
         "chalk": "^5.3.0",
-        "commander": "^13.1.0",
+        "commander": "^14.0.0",
-        "link-check": "^5.4.0",
+        "link-check": "^5.5.0",
         "markdown-link-extractor": "^4.0.2",
         "needle": "^3.3.1",
         "progress": "^2.0.3",
@@ -1157,6 +1157,16 @@
         "markdown-link-check": "markdown-link-check"
       }
     },
+    "node_modules/markdown-link-check/node_modules/commander": {
+      "version": "14.0.1",
+      "resolved": "https://registry.npmjs.org/commander/-/commander-14.0.1.tgz",
+      "integrity": "sha512-2JkV3gUZUVrbNA+1sjBOYLsMZ5cEEl8GTFP2a4AVz5hvasAMCQ1D2l2le/cX+pV4N6ZU17zjUahLpIXRrnWL8A==",
+      "dev": true,
+      "license": "MIT",
+      "engines": {
+        "node": ">=20"
+      }
+    },
     "node_modules/markdown-link-extractor": {
       "version": "4.0.2",
       "resolved": "https://registry.npmjs.org/markdown-link-extractor/-/markdown-link-extractor-4.0.2.tgz",

renovate.json

@@ -9,6 +9,7 @@
   ],
   "customManagers": [
     {
+      "customType": "regex",
       "fileMatch": [
         "^Chart\\.yaml$"
       ],
@@ -21,7 +22,10 @@
       "versioningTemplate": "semver"
     },
     {
-      "fileMatch": ["^README\\.md$"],
+      "customType": "regex",
+      "fileMatch": [
+        "^README\\.md$"
+      ],
       "matchStrings": [
         "CHART_VERSION=(?<currentValue>.*)"
       ],
@@ -29,9 +33,47 @@
       "packageNameTemplate": "https://git.cryptic.systems/volker.raschek/reposilite-charts",
       "datasourceTemplate": "git-tags",
       "versioningTemplate": "semver"
+    },
+    {
+      "customType": "regex",
+      "datasourceTemplate": "github-releases",
+      "fileMatch": [
+        ".vscode/settings\\.json$"
+      ],
+      "matchStrings": [
+        "https:\\/\\/raw\\.githubusercontent\\.com\\/(?<depName>[^\\s]+?)\\/(?<currentValue>v[0-9.]+?)\\/schema\\/helm-testsuite\\.json"
+      ]
     }
   ],
   "packageRules": [
+    {
+      "groupName": "Update docker.io/volkerraschek/helm",
+      "matchDepNames": [
+        "docker.io/volkerraschek/helm",
+        "volkerraschek/helm"
+      ]
+    },
+    {
+      "automerge": true,
+      "groupName": "Update helm plugin 'unittest'",
+      "matchDepNames": [
+        "helm-unittest/helm-unittest"
+      ],
+      "matchDatasources": [
+        "github-releases"
+      ],
+      "matchUpdateTypes": [
+        "minor",
+        "patch"
+      ]
+    },
+    {
+      "groupName": "Update docker.io/library/node",
+      "matchDepNames": [
+        "docker.io/library/node",
+        "library/node"
+      ]
+    },
     {
       "addLabels": [
         "renovate/automerge",
@@ -76,4 +118,4 @@
     ],
     "executionMode": "update"
   }
-}
+}

templates/_deployment.tpl

@@ -27,8 +27,8 @@
 {{- end }}
 
 {{- if or (eq (include "reposilite.podMonitor.enabled" $ ) "true") (eq (include "reposilite.serviceMonitor.enabled" $ ) "true") -}}
-{{- $env = concat $env (list (dict "name" "REPOSILITE_PROMETHEUS_USER" "valueFrom" (dict "secretKeyRef" (dict "name" (include "reposilite.secrets.prometheusBasicAuth.name" $) "key" "username")))) }}
+{{- $env = concat $env (list (dict "name" "REPOSILITE_PROMETHEUS_USER" "valueFrom" (dict "secretKeyRef" (dict "name" (include "reposilite.secrets.prometheusBasicAuth.name" $) "key" (include "reposilite.secrets.prometheusBasicAuth.usernameKey" $))))) }}
-{{- $env = concat $env (list (dict "name" "REPOSILITE_PROMETHEUS_PASSWORD" "valueFrom" (dict "secretKeyRef" (dict "name" (include "reposilite.secrets.prometheusBasicAuth.name" $) "key" "password")))) }}
+{{- $env = concat $env (list (dict "name" "REPOSILITE_PROMETHEUS_PASSWORD" "valueFrom" (dict "secretKeyRef" (dict "name" (include "reposilite.secrets.prometheusBasicAuth.name" $) "key" (include "reposilite.secrets.prometheusBasicAuth.passwordKey" $))))) }}
 {{- end }}
 
 {{ toYaml (dict "env" $env) }}

templates/_pod.tpl

@@ -4,7 +4,7 @@
 
 {{- define "reposilite.pod.annotations" -}}
 {{ include "reposilite.annotations" . }}
-{{- if .Values.prometheus.metrics.enabled -}}
+{{- if and .Values.prometheus.metrics.enabled (not .Values.prometheus.metrics.secret.existing.enabled) -}}
 {{- printf "checksum/secret-%s: %s" (include "reposilite.secrets.prometheusBasicAuth.name" $) (include (print $.Template.BasePath "/secretPrometheusBasicAuth.yaml") . | sha256sum) }}
 {{- end -}}
 {{- end }}

templates/_secrets.tpl

@@ -4,16 +4,50 @@
 
 {{- define "reposilite.secrets.prometheusBasicAuth.annotations" -}}
 {{ include "reposilite.annotations" . }}
+{{- if .Values.prometheus.metrics.secret.new.annotations }}
+{{ toYaml .Values.prometheus.metrics.secret.new.annotations }}
+{{- end }}
 {{- end }}
 
 {{/* labels */}}
 
 {{- define "reposilite.secrets.prometheusBasicAuth.labels" -}}
 {{ include "reposilite.labels" . }}
+{{- if .Values.prometheus.metrics.secret.new.labels }}
+{{ toYaml .Values.prometheus.metrics.secret.new.labels }}
+{{- end }}
 {{- end }}
 
 {{/* names */}}
 
 {{- define "reposilite.secrets.prometheusBasicAuth.name" -}}
-{{ include "reposilite.fullname" . }}-basic-auth-credentials
+{{- if and .Values.prometheus.metrics.secret.existing.enabled (gt (len .Values.prometheus.metrics.secret.existing.secretName) 0) }}
-{{- end -}}
+{{- print .Values.prometheus.metrics.secret.existing.secretName -}}
+{{- else if and .Values.prometheus.metrics.secret.existing.enabled (eq (len .Values.prometheus.metrics.secret.existing.secretName) 0) }}
+{{ fail "Name of the existing secret that contains the credentials for basic auth is not defined!" }}
+{{- else if not .Values.prometheus.metrics.secret.existing.enabled }}
+{{- printf "%s-basic-auth-credentials" (include "reposilite.fullname" $) -}}
+{{- end }}
+{{- end }}
+
+{{/* secretKeyNames */}}
+
+{{- define "reposilite.secrets.prometheusBasicAuth.passwordKey" -}}
+{{- if and .Values.prometheus.metrics.secret.existing.enabled (gt (len .Values.prometheus.metrics.secret.existing.basicAuthPasswordKey) 0) -}}
+{{- .Values.prometheus.metrics.secret.existing.basicAuthPasswordKey -}}
+{{- else if and .Values.prometheus.metrics.secret.existing.enabled (eq (len .Values.prometheus.metrics.secret.existing.basicAuthPasswordKey) 0) }}
+{{ fail "Name of the key in the secret that contains the password for basic auth is not defined!" }}
+{{- else if and (not .Values.prometheus.metrics.secret.existing.enabled) }}
+{{- print "password" -}}
+{{- end }}
+{{- end }}
+
+{{- define "reposilite.secrets.prometheusBasicAuth.usernameKey" -}}
+{{- if and .Values.prometheus.metrics.secret.existing.enabled (gt (len .Values.prometheus.metrics.secret.existing.basicAuthUsernameKey) 0) -}}
+{{- .Values.prometheus.metrics.secret.existing.basicAuthUsernameKey -}}
+{{- else if and .Values.prometheus.metrics.secret.existing.enabled (eq (len .Values.prometheus.metrics.secret.existing.basicAuthUsernameKey) 0) }}
+{{ fail "Name of the key in the secret that contains the username for basic auth is not defined!" }}
+{{- else if and (not .Values.prometheus.metrics.secret.existing.enabled) }}
+{{- print "username" -}}
+{{- end }}
+{{- end }}

templates/podMonitor.yaml

@@ -17,10 +17,10 @@ spec:
   podMetricsEndpoints:
   - basicAuth:
       password:
-        key: password
+        key: {{ include "reposilite.secrets.prometheusBasicAuth.passwordKey" . }}
         name: {{ include "reposilite.secrets.prometheusBasicAuth.name" . }}
       username:
-        key: username
+        key: {{ include "reposilite.secrets.prometheusBasicAuth.usernameKey" . }}
         name: {{ include "reposilite.secrets.prometheusBasicAuth.name" . }}
     enableHttp2: {{ required "The enableHttp2 option of the podMonitor is not defined!" .Values.prometheus.metrics.podMonitor.enableHttp2 }}
     followRedirects: {{ required "The followRedirects option of the podMonitor is not defined!" .Values.prometheus.metrics.podMonitor.followRedirects }}

templates/secretPrometheusBasicAuth.yaml

@@ -1,4 +1,4 @@
-{{- if .Values.prometheus.metrics.enabled }}
+{{- if and .Values.prometheus.metrics.enabled (not .Values.prometheus.metrics.secret.existing.enabled) }}
 ---
 apiVersion: v1
 kind: Secret
@@ -14,6 +14,6 @@ metadata:
   name: {{ include "reposilite.secrets.prometheusBasicAuth.name" . }}
   namespace: {{ .Release.Namespace }}
 stringData:
-  password: {{ default (randAlphaNum 16) .Values.prometheus.metrics.basicAuthPassword }}
+  password: {{ required "Password for basic auth is required!" .Values.prometheus.metrics.secret.new.basicAuthPassword }}
-  username: {{ default (randAlphaNum 16) .Values.prometheus.metrics.basicAuthUsername }}
+  username: {{ required "Username for basic auth is required!" .Values.prometheus.metrics.secret.new.basicAuthUsername }}
 {{- end }}

templates/serviceMonitor.yaml

@@ -17,10 +17,10 @@ spec:
   endpoints:
   - basicAuth:
       password:
-        key: password
+        key: {{ include "reposilite.secrets.prometheusBasicAuth.passwordKey" . }}
         name: {{ include "reposilite.secrets.prometheusBasicAuth.name" . }}
       username:
-        key: username
+        key: {{ include "reposilite.secrets.prometheusBasicAuth.usernameKey" . }}
         name: {{ include "reposilite.secrets.prometheusBasicAuth.name" . }}
     enableHttp2: {{ required "The enableHttp2 option of the serviceMonitor is not defined!" .Values.prometheus.metrics.serviceMonitor.enableHttp2 }}
     followRedirects: {{ required "The followRedirects option of the serviceMonitor is not defined!" .Values.prometheus.metrics.serviceMonitor.followRedirects }}

unittests/deployment/prometheusPodMonitor.yaml

@@ -13,6 +13,8 @@ tests:
   set:
     prometheus.metrics.enabled: true
     prometheus.metrics.podMonitor.enabled: true
+    prometheus.metrics.secret.new.basicAuthPassword: "my-password"
+    prometheus.metrics.secret.new.basicAuthUsername: "my-username"
   asserts:
   - exists:
       path: spec.template.metadata.annotations.checksum/secret-reposilite-unittest-basic-auth-credentials
@@ -35,3 +37,73 @@ tests:
             name: reposilite-unittest-basic-auth-credentials
             key: username
     template: templates/deployment.yaml
+
+- it: Rendering default environment variables with enabled prometheus metrics serviceMonitor and external secret
+  set:
+    prometheus.metrics.enabled: true
+    prometheus.metrics.secret.existing.enabled: true
+    prometheus.metrics.secret.existing.basicAuthUsernameKey: my-username-key
+    prometheus.metrics.secret.existing.basicAuthPasswordKey: my-password-key
+    prometheus.metrics.secret.existing.secretName: my-secret
+    prometheus.metrics.podMonitor.enabled: true
+  asserts:
+  - notExists:
+      path: spec.template.metadata.annotations.checksum/secret-reposilite-unittest-basic-auth-credentials
+    template: templates/deployment.yaml
+  - contains:
+      path: spec.template.spec.containers[0].env
+      content:
+        name: REPOSILITE_PROMETHEUS_PASSWORD
+        valueFrom:
+          secretKeyRef:
+            name: my-secret
+            key: my-password-key
+    template: templates/deployment.yaml
+  - contains:
+      path: spec.template.spec.containers[0].env
+      content:
+        name: REPOSILITE_PROMETHEUS_USER
+        valueFrom:
+          secretKeyRef:
+            name: my-secret
+            key: my-username-key
+    template: templates/deployment.yaml
+
+- it: Fail when existing secret name is undefined
+  set:
+    prometheus.metrics.enabled: true
+    prometheus.metrics.secret.existing.enabled: true
+    prometheus.metrics.secret.existing.basicAuthUsernameKey: "my-username-key"
+    prometheus.metrics.secret.existing.basicAuthPasswordKey: "my-password-key"
+    prometheus.metrics.secret.existing.secretName: ""
+    prometheus.metrics.podMonitor.enabled: true
+  asserts:
+  - failedTemplate:
+      errorMessage: "Name of the existing secret that contains the credentials for basic auth is not defined!"
+    template: templates/deployment.yaml
+
+- it: Fail when the name of the key in the secret that contains the username for basic auth is undefined
+  set:
+    prometheus.metrics.enabled: true
+    prometheus.metrics.secret.existing.enabled: true
+    prometheus.metrics.secret.existing.basicAuthUsernameKey: ""
+    prometheus.metrics.secret.existing.basicAuthPasswordKey: "my-password-key"
+    prometheus.metrics.secret.existing.secretName: "my-secret"
+    prometheus.metrics.podMonitor.enabled: true
+  asserts:
+  - failedTemplate:
+      errorMessage: "Name of the key in the secret that contains the username for basic auth is not defined!"
+    template: templates/deployment.yaml
+
+- it: Fail when the name of the key in the secret that contains the password for basic auth is undefined
+  set:
+    prometheus.metrics.enabled: true
+    prometheus.metrics.secret.existing.enabled: true
+    prometheus.metrics.secret.existing.basicAuthUsernameKey: "my-username-key"
+    prometheus.metrics.secret.existing.basicAuthPasswordKey: ""
+    prometheus.metrics.secret.existing.secretName: "my-secret"
+    prometheus.metrics.podMonitor.enabled: true
+  asserts:
+  - failedTemplate:
+      errorMessage: "Name of the key in the secret that contains the password for basic auth is not defined!"
+    template: templates/deployment.yaml

unittests/deployment/prometheusServiceMonitor.yaml

@@ -0,0 +1,109 @@
+chart:
+  appVersion: 0.1.0
+  version: 0.1.0
+suite: Add prometheus basic auth variables
+release:
+  name: reposilite-unittest
+  namespace: testing
+templates:
+- templates/deployment.yaml
+- templates/secretPrometheusBasicAuth.yaml
+tests:
+- it: Rendering default environment variables with enabled prometheus metrics serviceMonitor
+  set:
+    prometheus.metrics.enabled: true
+    prometheus.metrics.serviceMonitor.enabled: true
+    prometheus.metrics.secret.new.basicAuthPassword: "my-password"
+    prometheus.metrics.secret.new.basicAuthUsername: "my-username"
+  asserts:
+  - exists:
+      path: spec.template.metadata.annotations.checksum/secret-reposilite-unittest-basic-auth-credentials
+    template: templates/deployment.yaml
+  - contains:
+      path: spec.template.spec.containers[0].env
+      content:
+        name: REPOSILITE_PROMETHEUS_PASSWORD
+        valueFrom:
+          secretKeyRef:
+            name: reposilite-unittest-basic-auth-credentials
+            key: password
+    template: templates/deployment.yaml
+  - contains:
+      path: spec.template.spec.containers[0].env
+      content:
+        name: REPOSILITE_PROMETHEUS_USER
+        valueFrom:
+          secretKeyRef:
+            name: reposilite-unittest-basic-auth-credentials
+            key: username
+    template: templates/deployment.yaml
+
+- it: Rendering default environment variables with enabled prometheus metrics serviceMonitor and external secret
+  set:
+    prometheus.metrics.enabled: true
+    prometheus.metrics.secret.existing.enabled: true
+    prometheus.metrics.secret.existing.basicAuthUsernameKey: my-username-key
+    prometheus.metrics.secret.existing.basicAuthPasswordKey: my-password-key
+    prometheus.metrics.secret.existing.secretName: my-secret
+    prometheus.metrics.serviceMonitor.enabled: true
+  asserts:
+  - notExists:
+      path: spec.template.metadata.annotations.checksum/secret-reposilite-unittest-basic-auth-credentials
+    template: templates/deployment.yaml
+  - contains:
+      path: spec.template.spec.containers[0].env
+      content:
+        name: REPOSILITE_PROMETHEUS_PASSWORD
+        valueFrom:
+          secretKeyRef:
+            name: my-secret
+            key: my-password-key
+    template: templates/deployment.yaml
+  - contains:
+      path: spec.template.spec.containers[0].env
+      content:
+        name: REPOSILITE_PROMETHEUS_USER
+        valueFrom:
+          secretKeyRef:
+            name: my-secret
+            key: my-username-key
+    template: templates/deployment.yaml
+
+- it: Fail when existing secret name is undefined
+  set:
+    prometheus.metrics.enabled: true
+    prometheus.metrics.secret.existing.enabled: true
+    prometheus.metrics.secret.existing.basicAuthUsernameKey: "my-username-key"
+    prometheus.metrics.secret.existing.basicAuthPasswordKey: "my-password-key"
+    prometheus.metrics.secret.existing.secretName: ""
+    prometheus.metrics.serviceMonitor.enabled: true
+  asserts:
+  - failedTemplate:
+      errorMessage: "Name of the existing secret that contains the credentials for basic auth is not defined!"
+    template: templates/deployment.yaml
+
+- it: Fail when the name of the key in the secret that contains the username for basic auth is undefined
+  set:
+    prometheus.metrics.enabled: true
+    prometheus.metrics.secret.existing.enabled: true
+    prometheus.metrics.secret.existing.basicAuthUsernameKey: ""
+    prometheus.metrics.secret.existing.basicAuthPasswordKey: "my-password-key"
+    prometheus.metrics.secret.existing.secretName: "my-secret"
+    prometheus.metrics.serviceMonitor.enabled: true
+  asserts:
+  - failedTemplate:
+      errorMessage: "Name of the key in the secret that contains the username for basic auth is not defined!"
+    template: templates/deployment.yaml
+
+- it: Fail when the name of the key in the secret that contains the password for basic auth is undefined
+  set:
+    prometheus.metrics.enabled: true
+    prometheus.metrics.secret.existing.enabled: true
+    prometheus.metrics.secret.existing.basicAuthUsernameKey: "my-username-key"
+    prometheus.metrics.secret.existing.basicAuthPasswordKey: ""
+    prometheus.metrics.secret.existing.secretName: "my-secret"
+    prometheus.metrics.serviceMonitor.enabled: true
+  asserts:
+  - failedTemplate:
+      errorMessage: "Name of the key in the secret that contains the password for basic auth is not defined!"
+    template: templates/deployment.yaml

unittests/secrets/basicAuth.yaml

@@ -0,0 +1,98 @@
+chart:
+  appVersion: 0.1.0
+  version: 0.1.0
+suite: Secret reposilite template
+release:
+  name: reposilite-unittest
+  namespace: testing
+templates:
+- templates/secretPrometheusBasicAuth.yaml
+tests:
+- it: Skip rendering
+  asserts:
+  - hasDocuments:
+      count: 0
+
+- it: Throw error for missing basic auth password
+  set:
+    prometheus.metrics.enabled: true
+    # prometheus.metrics.secret.new.basicAuthPassword: "my-password"
+    prometheus.metrics.secret.new.basicAuthUsername: "my-username"
+  asserts:
+    - failedTemplate:
+        errorMessage: "Password for basic auth is required!"
+
+- it: Throw error for missing basic auth username
+  set:
+    prometheus.metrics.enabled: true
+    prometheus.metrics.secret.new.basicAuthPassword: "my-password"
+    # prometheus.metrics.secret.new.basicAuthUsername: "my-username"
+  asserts:
+    - failedTemplate:
+        errorMessage: "Username for basic auth is required!"
+
+- it: Rendering secret with default values.
+  set:
+    prometheus.metrics.enabled: true
+    prometheus.metrics.secret.new.basicAuthPassword: "my-password"
+    prometheus.metrics.secret.new.basicAuthUsername: "my-username"
+  asserts:
+  - hasDocuments:
+      count: 1
+  - containsDocument:
+      apiVersion: v1
+      kind: Secret
+      name: reposilite-unittest-basic-auth-credentials
+      namespace: testing
+  - notExists:
+      path: metadata.annotations
+  - equal:
+      path: metadata.labels
+      value:
+        app.kubernetes.io/instance: reposilite-unittest
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: reposilite
+        app.kubernetes.io/version: 0.1.0
+        helm.sh/chart: reposilite-0.1.0
+  - exists:
+      path: stringData.password
+  - exists:
+      path: stringData.username
+
+- it: Rendering secret with custom values.
+  set:
+    prometheus.metrics.enabled: true
+    prometheus.metrics.secret.new.basicAuthPassword: foo
+    prometheus.metrics.secret.new.basicAuthUsername: bar
+    prometheus.metrics.secret.new.annotations:
+      foo: bar
+    prometheus.metrics.secret.new.labels:
+      bar: foo
+  asserts:
+  - hasDocuments:
+      count: 1
+  - isSubset:
+      path: metadata.annotations
+      content:
+        foo: bar
+  - isSubset:
+      path: metadata.labels
+      content:
+        bar: foo
+  - equal:
+      path: metadata.name
+      value: reposilite-unittest-basic-auth-credentials
+  - equal:
+      path: stringData.password
+      value: foo
+  - equal:
+      path: stringData.username
+      value: bar
+
+- it: Skip rendering if existing secret is used
+  set:
+    prometheus.metrics.enabled: true
+    prometheus.metrics.secret.existing.enabled: true
+  asserts:
+  - hasDocuments:
+      count: 0

unittests/serviceAccount/serviceAccount.yaml

@@ -53,13 +53,13 @@ tests:
   asserts:
   - hasDocuments:
       count: 1
-  - exists:
+  - isSubset:
       path: metadata.annotations
-      value:
+      content:
         foo: bar
-  - exists:
+  - isSubset:
       path: metadata.labels
-      value:
+      content:
         bar: foo
   - equal:
       path: metadata.name

unittests/serviceMonitors/serviceMonitor.yaml

@@ -129,6 +129,10 @@ tests:
 - it: Change defaults
   set:
     prometheus.metrics.enabled: true
+    prometheus.metrics.secret.existing.enabled: true
+    prometheus.metrics.secret.existing.secretName: "my-secret"
+    prometheus.metrics.secret.existing.basicAuthUsernameKey: "my-username-key"
+    prometheus.metrics.secret.existing.basicAuthPasswordKey: "my-password-key"
     prometheus.metrics.serviceMonitor.enabled: true
     prometheus.metrics.serviceMonitor.enableHttp2: false
     prometheus.metrics.serviceMonitor.followRedirects: true
@@ -147,6 +151,15 @@ tests:
   asserts:
   - hasDocuments:
       count: 1
+  - isSubset:
+      path: spec.endpoints[0].basicAuth
+      content:
+        password:
+          key: my-password-key
+          name: my-secret
+        username:
+          key: my-username-key
+          name: my-secret
   - equal:
       path: spec.endpoints[0].enableHttp2
       value: false

unittests/services/service.yaml

@@ -78,35 +78,35 @@ tests:
     service.internalTrafficPolicy: ""
   asserts:
   - failedTemplate:
-    errorMessage: No internal traffic policy defined!
+      errorMessage: No internal traffic policy defined!
 
 - it: Require port.
   set:
     service.port: ""
   asserts:
   - failedTemplate:
-    errorMessage: No service port defined!
+      errorMessage: No service port defined!
 
 - it: Require scheme.
   set:
     service.scheme: ""
   asserts:
   - failedTemplate:
-    errorMessage: No service scheme defined!
+      errorMessage: The scheme of the serviceMonitor is not defined!
 
 - it: Require sessionAffinity.
   set:
     service.sessionAffinity: ""
   asserts:
   - failedTemplate:
-    errorMessage: No session affinity defined!
+      errorMessage: No session affinity defined!
 
 - it: Require service type.
   set:
     service.type: ""
   asserts:
   - failedTemplate:
-    errorMessage: No service type defined!
+      errorMessage: No service type defined!
 
 - it: Render service with custom annotations and labels.
   set:

values.yaml

@@ -175,7 +175,7 @@ deployment:
     image:
       registry: docker.io
       repository: curlimages/curl
-      tag: "8.15.0"
+      tag: "8.16.0"
       pullPolicy: IfNotPresent
 
   ## @param deployment.priorityClassName PriorityClassName of the Reposilite deployment.
@@ -396,13 +396,30 @@ persistentVolumeClaim:
 
 ## @section Prometheus
 prometheus:
-  ## @param prometheus.metrics.enabled Enable of scraping metrics by Prometheus.
-  ## @param prometheus.metrics.basicAuthUsername Username for basic auth. The username and password is required by reposilite to expose metrics. Default: random alpha numeric string.
-  ## @param prometheus.metrics.basicAuthPassword Password for basic auth. The username and password is required by reposilite to expose metrics. Default random alpha numeric string.
   metrics:
+    ## @param prometheus.metrics.enabled Enable of scraping metrics by Prometheus.
     enabled: false
-    basicAuthUsername: ""
+
-    basicAuthPassword: ""
+    secret:
+      ## @param prometheus.metrics.secret.existing.enabled Use an existing secret containing the basic auth credentials.
+      ## @param prometheus.metrics.secret.existing.secretName Name of the secret containing the basic auth credentials.
+      ## @param prometheus.metrics.secret.existing.basicAuthUsernameKey Name of the key in the secret that contains the username for basic auth.
+      ## @param prometheus.metrics.secret.existing.basicAuthPasswordKey Name of the key in the secret that contains the password for basic auth.
+      existing:
+        enabled: false
+        secretName: ""
+        basicAuthUsernameKey: ""
+        basicAuthPasswordKey: ""
+
+      ## @param prometheus.metrics.secret.new.annotations Additional secret annotations.
+      ## @param prometheus.metrics.secret.new.labels Additional secret labels.
+      ## @param prometheus.metrics.secret.new.basicAuthUsername Username for basic auth. The username and password is required by reposilite to expose metrics. Default: random alpha numeric string.
+      ## @param prometheus.metrics.secret.new.basicAuthPassword Password for basic auth. The username and password is required by reposilite to expose metrics. Default random alpha numeric string.
+      new:
+        annotations: {}
+        labels: {}
+        basicAuthUsername: ""
+        basicAuthPassword: ""
 
     ## @param prometheus.metrics.podMonitor.enabled Enable creation of a podMonitor. Excludes the existence of a serviceMonitor resource.
     ## @param prometheus.metrics.podMonitor.annotations Additional podMonitor annotations.