docs(README): add an ArgoCD application resource as an example

This patch remove generation of a random string for the username and password of
the basic auth credentials.

The problem with the random generated basic auth credentials is, that this leads
to a new shasum of the secret. GitOps tools like ArgoCD detects a drift trigger
a rolling update.

To avoid this must now the basic auth credentials be defined to enable
prometheus metrics.

.gitea/workflows/helm.yaml

@@ -12,56 +12,31 @@ on:
 
 jobs:
   helm-lint:
-    container: docker.io/alpine/helm:3.19.0
+    container:
-    name: Execute helm lint
+      image: docker.io/volkerraschek/helm:3.19.0
-    runs-on: ubuntu-latest
+    runs-on:
+    - ubuntu-latest
     steps:
-      - name: Install additional tools
+    - name: Install tooling
-        run: |
+      run: |
-          apk update
+        apk update
-          apk add --update bash make nodejs
+        apk add git npm
-      - uses: actions/checkout@v5.0.0
+    - uses: actions/checkout@v5.0.0
-      - name: Install helm chart dependencies
+    - name: Lint helm files
-        run: helm dependency build
+      run: |
-      - name: Execute helm lint
+        helm lint --values values.yaml .
-        run: helm lint
-
-  helm-template:
-    container: docker.io/alpine/helm:3.19.0
-    name: Execute helm template
-    runs-on: ubuntu-latest
-    steps:
-      - name: Install additional tools
-        run: |
-          apk update
-          apk add --update bash make nodejs
-      - uses: actions/checkout@v5.0.0
-      - name: Extract repository owner and name
-        run: |
-          echo "REPOSITORY_NAME=$(echo ${GITHUB_REPOSITORY} | cut -d '/' -f 2 | sed --regexp-extended 's/-charts?//g')" >> $GITHUB_ENV
-          echo "REPOSITORY_OWNER=$(echo ${GITHUB_REPOSITORY} | cut -d '/' -f 1)" >> $GITHUB_ENV
-      - name: Install helm chart dependencies
-        run: helm dependency build
-      - name: Execute helm template
-        run: helm template --debug "${REPOSITORY_NAME}" .
 
   helm-unittest:
-    container: docker.io/alpine/helm:3.19.0
+    container:
-    env:
+      image: docker.io/volkerraschek/helm:3.19.0
-      HELM_UNITTEST_VERSION: v1.0.1 # renovate: datasource=github-releases depName=helm-unittest/helm-unittest
+    runs-on:
-    name: Execute helm unittest
+    - ubuntu-latest
-    runs-on: ubuntu-latest
     steps:
-      - name: Install additional tools
+    - name: Install tooling
-        run: |
+      run: |
-          apk update
+        apk update
-          apk add --update bash make nodejs npm yamllint ncurses
+        apk add git npm
-      - uses: actions/checkout@v5.0.0
+    - uses: actions/checkout@v5.0.0
-      - name: Install helm chart dependencies
+    - name: Unittest
-        run: helm dependency build
+      run: |
-      - name: Install helm plugin 'unittest'
+        helm unittest --strict --file 'unittests/**/*.yaml' ./
-        run: helm plugin install --version "${HELM_UNITTEST_VERSION}" https://github.com/helm-unittest/helm-unittest
-      - name: Execute helm unittest
-        env:
-          TERM: xterm
-        run: helm unittest --strict --file 'unittests/**/*.yaml' ./

README.md

@@ -16,10 +16,7 @@ Chapter [configuration and installation](#helm-configuration-and-installation) d
 and use it to deploy the exporter. It also contains further configuration examples.
 
 Furthermore, this helm chart contains unit tests to detect regressions and stabilize the deployment. Additionally, this
-helm chart is tested for deployment scenarios with **ArgoCD**, but please keep in mind, that this chart supports the
+helm chart is tested for deployment scenarios with **ArgoCD**.
-*[Automatically Roll Deployment](https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments)*
-concept of Helm, which can trigger unexpected rolling releases. Further configuration instructions are described in a
-separate [chapter](#argocd).
 
 ## Helm: configuration and installation
 
@@ -125,6 +122,20 @@ deployment:
     secret.reloader.stakater.com/reload: "reposilite-tls"
 ```
 
+If the application is rolled out using ArgoCD, a rolling update from stakater's
+[reloader](https://github.com/stakater/Reloader) can lead to a drift. ArgoCD will attempt to restore the original state
+with a rolling update. To avoid this, instead of a rolling update triggered by the reloader, a restart of the pod can be
+initiated. Further information are available in the official
+[README](https://github.com/stakater/Reloader?tab=readme-ov-file#4-%EF%B8%8F-workload-specific-rollout-strategy) of
+stakater's reloader.
+
+```diff
+  deployment:
+    annotations:
+      reloader.stakater.com/auto: "true"
++     reloader.stakater.com/rollout-strategy: "restart"
+```
+
 #### Network policies
 
 Network policies can only take effect, when the used CNI plugin support network policies. The chart supports no custom
@@ -199,31 +210,51 @@ helm install --version "${CHART_VERSION}" reposilite volker.raschek/reposilite \
 
 ## ArgoCD
 
-### Daily execution of rolling updates
+### Example Application
 
-The behavior whereby ArgoCD triggers a rolling update even though nothing appears to have changed often occurs in
+An application resource for the Helm chart is defined below. It serves as an example for your own deployment.
-connection with the helm concept `checksum/secret`, `checksum/configmap` or more generally, [Automatically Roll
-Deployments](https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments).
 
-The problem with combining this concept with ArgoCD is that ArgoCD re-renders the Helm chart every time. Even if the
+```yaml
-content of the config map or secret has not changed, there may be minimal differences (e.g., whitespace, chart version,
+apiVersion: argoproj.io/v1alpha1
-Helm render order, different timestamps).
+kind: Application
-
+spec:
-This changes the SHA256 hash, Argo sees a drift and trigger a rolling update of the deployment. Among other things, this
+  destination:
-can lead to unnecessary notifications from ArgoCD.
+    server: https://kubernetes.default.svc
-
+    namespace: reposilite
-To avoid this, the annotation with the shasum must be ignored. Below is a diff that adds the `Application` to ignore all
+  ignoreDifferences:
-annotations with the prefix `checksum`.
+  - group: apps
-
+    kind: Deployment
-```diff
+    jqPathExpressions:
-  apiVersion: argoproj.io/v1alpha1
+    # When HPA is enabled, ensure that a modification of the replicas does not lead to a
-  kind: Application
+    # drift.
-  spec:
+      - '.spec.replicas'
-+   ignoreDifferences:
+    # Ensure that changes of the annotations or environment variables added or modified by
-+   - group: apps/v1
+    # stakater's reloader does not lead to a drift.
-+     kind: Deployment
+    - '.spec.template.metadata.annotations | with_entries(select(.key | startswith("reloader")))'
-+     jqPathExpressions:
+    - '.spec.template.spec.containers[].env[] | select(.name | startswith("STAKATER_"))'
-+     - '.spec.template.metadata.annotations | with_entries(select(.key | startswith("checksum")))'
+  sources:
+  - repoURL: https://charts.cryptic.systems/volker.raschek
+    chart: reposilite
+    targetRevision: '0.*'
+    helm:
+      valueFiles:
+      - $values/values.yaml
+      releaseName: reposilite
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    managedNamespaceMetadata:
+      annotations: {}
+      labels: {}
+    syncOptions:
+    - ApplyOutOfSyncOnly=true
+    - CreateNamespace=true
+    - FailOnSharedResource=false
+    - Replace=false
+    - RespectIgnoreDifferences=false
+    - ServerSideApply=true
+    - Validate=true
 ```
 
 ## Parameters

renovate.json

@@ -23,7 +23,9 @@
     },
     {
       "customType": "regex",
-      "fileMatch": ["^README\\.md$"],
+      "fileMatch": [
+        "^README\\.md$"
+      ],
       "matchStrings": [
         "CHART_VERSION=(?<currentValue>.*)"
       ],
@@ -35,8 +37,8 @@
     {
       "customType": "regex",
       "datasourceTemplate": "github-releases",
-      "managerFilePatterns": [
+      "fileMatch": [
-        "/.vscode/settings\\.json$/"
+        ".vscode/settings\\.json$"
       ],
       "matchStrings": [
         "https:\\/\\/raw\\.githubusercontent\\.com\\/(?<depName>[^\\s]+?)\\/(?<currentValue>v[0-9.]+?)\\/schema\\/helm-testsuite\\.json"
@@ -52,12 +54,17 @@
       ]
     },
     {
+      "automerge": true,
       "groupName": "Update helm plugin 'unittest'",
       "matchDepNames": [
         "helm-unittest/helm-unittest"
       ],
       "matchDatasources": [
         "github-releases"
+      ],
+      "matchUpdateTypes": [
+        "minor",
+        "patch"
       ]
     },
     {
@@ -111,4 +118,4 @@
     ],
     "executionMode": "update"
   }
-}
+}

templates/secretPrometheusBasicAuth.yaml

@@ -14,6 +14,6 @@ metadata:
   name: {{ include "reposilite.secrets.prometheusBasicAuth.name" . }}
   namespace: {{ .Release.Namespace }}
 stringData:
-  password: {{ default (randAlphaNum 16) .Values.prometheus.metrics.secret.new.basicAuthPassword }}
+  password: {{ required "Password for basic auth is required!" .Values.prometheus.metrics.secret.new.basicAuthPassword }}
-  username: {{ default (randAlphaNum 16) .Values.prometheus.metrics.secret.new.basicAuthUsername }}
+  username: {{ required "Username for basic auth is required!" .Values.prometheus.metrics.secret.new.basicAuthUsername }}
 {{- end }}

unittests/deployment/prometheusPodMonitor.yaml

@@ -13,6 +13,8 @@ tests:
   set:
     prometheus.metrics.enabled: true
     prometheus.metrics.podMonitor.enabled: true
+    prometheus.metrics.secret.new.basicAuthPassword: "my-password"
+    prometheus.metrics.secret.new.basicAuthUsername: "my-username"
   asserts:
   - exists:
       path: spec.template.metadata.annotations.checksum/secret-reposilite-unittest-basic-auth-credentials

unittests/deployment/prometheusServiceMonitor.yaml

@@ -13,6 +13,8 @@ tests:
   set:
     prometheus.metrics.enabled: true
     prometheus.metrics.serviceMonitor.enabled: true
+    prometheus.metrics.secret.new.basicAuthPassword: "my-password"
+    prometheus.metrics.secret.new.basicAuthUsername: "my-username"
   asserts:
   - exists:
       path: spec.template.metadata.annotations.checksum/secret-reposilite-unittest-basic-auth-credentials

unittests/secrets/basicAuth.yaml

@@ -13,9 +13,29 @@ tests:
   - hasDocuments:
       count: 0
 
+- it: Throw error for missing basic auth password
+  set:
+    prometheus.metrics.enabled: true
+    # prometheus.metrics.secret.new.basicAuthPassword: "my-password"
+    prometheus.metrics.secret.new.basicAuthUsername: "my-username"
+  asserts:
+    - failedTemplate:
+        errorMessage: "Password for basic auth is required!"
+
+- it: Throw error for missing basic auth username
+  set:
+    prometheus.metrics.enabled: true
+    prometheus.metrics.secret.new.basicAuthPassword: "my-password"
+    # prometheus.metrics.secret.new.basicAuthUsername: "my-username"
+  asserts:
+    - failedTemplate:
+        errorMessage: "Username for basic auth is required!"
+
 - it: Rendering secret with default values.
   set:
     prometheus.metrics.enabled: true
+    prometheus.metrics.secret.new.basicAuthPassword: "my-password"
+    prometheus.metrics.secret.new.basicAuthUsername: "my-username"
   asserts:
   - hasDocuments:
       count: 1
@@ -51,13 +71,13 @@ tests:
   asserts:
   - hasDocuments:
       count: 1
-  - exists:
+  - isSubset:
       path: metadata.annotations
-      value:
+      content:
         foo: bar
-  - exists:
+  - isSubset:
       path: metadata.labels
-      value:
+      content:
         bar: foo
   - equal:
       path: metadata.name

unittests/serviceAccount/serviceAccount.yaml

@@ -53,13 +53,13 @@ tests:
   asserts:
   - hasDocuments:
       count: 1
-  - exists:
+  - isSubset:
       path: metadata.annotations
-      value:
+      content:
         foo: bar
-  - exists:
+  - isSubset:
       path: metadata.labels
-      value:
+      content:
         bar: foo
   - equal:
       path: metadata.name

unittests/services/service.yaml

@@ -78,35 +78,35 @@ tests:
     service.internalTrafficPolicy: ""
   asserts:
   - failedTemplate:
-    errorMessage: No internal traffic policy defined!
+      errorMessage: No internal traffic policy defined!
 
 - it: Require port.
   set:
     service.port: ""
   asserts:
   - failedTemplate:
-    errorMessage: No service port defined!
+      errorMessage: No service port defined!
 
 - it: Require scheme.
   set:
     service.scheme: ""
   asserts:
   - failedTemplate:
-    errorMessage: No service scheme defined!
+      errorMessage: The scheme of the serviceMonitor is not defined!
 
 - it: Require sessionAffinity.
   set:
     service.sessionAffinity: ""
   asserts:
   - failedTemplate:
-    errorMessage: No session affinity defined!
+      errorMessage: No session affinity defined!
 
 - it: Require service type.
   set:
     service.type: ""
   asserts:
   - failedTemplate:
-    errorMessage: No service type defined!
+      errorMessage: No service type defined!
 
 - it: Render service with custom annotations and labels.
   set: