fix(ci): replace volker.raschek/helm with docker.io/alpine/helm

.gitea/workflows/generate-readme.yaml

@@ -15,7 +15,7 @@ on:
 jobs:
   generate-parameters:
     container:
-      image: docker.io/library/node:24.11.1-alpine
+      image: docker.io/library/node:24.10.0-alpine
     runs-on:
     - ubuntu-latest
     steps:

.gitea/workflows/helm.yaml

@@ -12,31 +12,56 @@ on:
 
 jobs:
   helm-lint:
-    container:
+    container: docker.io/alpine/helm:3.19.0
-      image: docker.io/volkerraschek/helm:4.0.0
+    name: Execute helm lint
-    runs-on:
+    runs-on: ubuntu-latest
-    - ubuntu-latest
     steps:
-    - name: Install tooling
+      - name: Install additional tools
         run: |
           apk update
-        apk add git npm
+          apk add --update bash make nodejs
       - uses: actions/checkout@v5.0.0
-    - name: Lint helm files
+      - name: Install helm chart dependencies
+        run: helm dependency build
+      - name: Execute helm lint
+        run: helm lint
+
+  helm-template:
+    container: docker.io/alpine/helm:3.19.0
+    name: Execute helm template
+    runs-on: ubuntu-latest
+    steps:
+      - name: Install additional tools
         run: |
-        helm lint --values values.yaml .
+          apk update
+          apk add --update bash make nodejs
+      - uses: actions/checkout@v5.0.0
+      - name: Extract repository owner and name
+        run: |
+          echo "REPOSITORY_NAME=$(echo ${GITHUB_REPOSITORY} | cut -d '/' -f 2 | sed --regexp-extended 's/-charts?//g')" >> $GITHUB_ENV
+          echo "REPOSITORY_OWNER=$(echo ${GITHUB_REPOSITORY} | cut -d '/' -f 1)" >> $GITHUB_ENV
+      - name: Install helm chart dependencies
+        run: helm dependency build
+      - name: Execute helm template
+        run: helm template --debug "${REPOSITORY_NAME}" .
 
   helm-unittest:
-    container:
+    container: docker.io/alpine/helm:3.19.0
-      image: docker.io/volkerraschek/helm:4.0.0
+    env:
-    runs-on:
+      HELM_UNITTEST_VERSION: v1.0.1 # renovate: datasource=github-releases depName=helm-unittest/helm-unittest
-    - ubuntu-latest
+    name: Execute helm unittest
+    runs-on: ubuntu-latest
     steps:
-    - name: Install tooling
+      - name: Install additional tools
         run: |
           apk update
-        apk add git npm
+          apk add --update bash make nodejs npm yamllint ncurses
       - uses: actions/checkout@v5.0.0
-    - name: Unittest
+      - name: Install helm chart dependencies
-      run: |
+        run: helm dependency build
-        helm unittest --strict --file 'unittests/**/*.yaml' ./
+      - name: Install helm plugin 'unittest'
+        run: helm plugin install --version "${HELM_UNITTEST_VERSION}" https://github.com/helm-unittest/helm-unittest
+      - name: Execute helm unittest
+        env:
+          TERM: xterm
+        run: helm unittest --strict --file 'unittests/**/*.yaml' ./

.gitea/workflows/markdown-linters.yaml

@@ -15,7 +15,7 @@ on:
 jobs:
   markdown-link-checker:
     container:
-      image: docker.io/library/node:24.11.1-alpine
+      image: docker.io/library/node:24.10.0-alpine
     runs-on:
     - ubuntu-latest
     steps:
@@ -31,7 +31,7 @@ jobs:
 
   markdown-lint:
     container:
-      image: docker.io/library/node:24.11.1-alpine
+      image: docker.io/library/node:24.10.0-alpine
     runs-on:
     - ubuntu-latest
     steps:

.gitea/workflows/release.yaml

@@ -8,7 +8,7 @@ on:
 jobs:
   publish-chart:
     container:
-      image: docker.io/volkerraschek/helm:4.0.0
+      image: docker.io/volkerraschek/helm:3.19.0
     runs-on: ubuntu-latest
     steps:
       - name: Install packages via apk

Makefile

@@ -10,7 +10,7 @@ HELM_IMAGE_FULLY_QUALIFIED=${HELM_IMAGE_REGISTRY_HOST}/${HELM_IMAGE_REPOSITORY}:
 # NODE_IMAGE
 NODE_IMAGE_REGISTRY_HOST?=docker.io
 NODE_IMAGE_REPOSITORY?=library/node
-NODE_IMAGE_VERSION?=24.11.1-alpine # renovate: datasource=docker registryUrl=https://docker.io depName=docker.io/library/node packageName=library/node
+NODE_IMAGE_VERSION?=24.10.0-alpine # renovate: datasource=docker registryUrl=https://docker.io depName=docker.io/library/node packageName=library/node
 NODE_IMAGE_FULLY_QUALIFIED=${NODE_IMAGE_REGISTRY_HOST}/${NODE_IMAGE_REPOSITORY}:${NODE_IMAGE_VERSION}
 
 # MISSING DOT

README.md

@@ -16,7 +16,10 @@ Chapter [configuration and installation](#helm-configuration-and-installation) d
 and use it to deploy the exporter. It also contains further configuration examples.
 
 Furthermore, this helm chart contains unit tests to detect regressions and stabilize the deployment. Additionally, this
-helm chart is tested for deployment scenarios with **ArgoCD**.
+helm chart is tested for deployment scenarios with **ArgoCD**, but please keep in mind, that this chart supports the
+*[Automatically Roll Deployment](https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments)*
+concept of Helm, which can trigger unexpected rolling releases. Further configuration instructions are described in a
+separate [chapter](#argocd).
 
 ## Helm: configuration and installation
 
@@ -37,7 +40,7 @@ version of the chart must be in sync with the `values.yaml`. Newer *minor* versi
 versions can break something!
 
 ```bash
-CHART_VERSION=1.0.0
+CHART_VERSION=0.3.0
 helm show values volker.raschek/reposilite --version "${CHART_VERSION}" > values.yaml
 ```
 
@@ -51,7 +54,7 @@ The helm chart also contains a persistent volume claim definition. It persistent
 Use the `--set` argument to persist your data.
 
 ```bash
-CHART_VERSION=1.0.0
+CHART_VERSION=0.3.0
 helm install --version "${CHART_VERSION}" reposilite volker.raschek/reposilite \
   persistentVolumeClaim.enabled=true
 ```
@@ -72,7 +75,7 @@ connection problems.
 > error.
 
 ```bash
-CHART_VERSION=1.0.0
+CHART_VERSION=0.3.0
 helm install --version "${CHART_VERSION}" reposilite volker.raschek/reposilite \
   --set 'deployment.reposilite.env[1].name=REPOSILITE_LOCAL_SSLENABLED' \
   --set 'deployment.reposilite.env[1].value="true"' \
@@ -122,20 +125,6 @@ deployment:
     secret.reloader.stakater.com/reload: "reposilite-tls"
 ```
 
-If the application is rolled out using ArgoCD, a rolling update from stakater's
-[reloader](https://github.com/stakater/Reloader) can lead to a drift. ArgoCD will attempt to restore the original state
-with a rolling update. To avoid this, instead of a rolling update triggered by the reloader, a restart of the pod can be
-initiated. Further information are available in the official
-[README](https://github.com/stakater/Reloader?tab=readme-ov-file#4-%EF%B8%8F-workload-specific-rollout-strategy) of
-stakater's reloader.
-
-```diff
-  deployment:
-    annotations:
-      reloader.stakater.com/auto: "true"
-+     reloader.stakater.com/rollout-strategy: "restart"
-```
-
 #### Network policies
 
 Network policies can only take effect, when the used CNI plugin support network policies. The chart supports no custom
@@ -201,7 +190,7 @@ be set the credentials manually.
 The following example enable Prometheus metrics with custom basic auth credentials:
 
 ```bash
-CHART_VERSION=1.0.0
+CHART_VERSION=0.3.0
 helm install --version "${CHART_VERSION}" reposilite volker.raschek/reposilite \
   --set 'prometheus.metrics.enabled=true' \
   --set 'prometheus.metrics.basicAuthUsername=my-username' \
@@ -210,51 +199,31 @@ helm install --version "${CHART_VERSION}" reposilite volker.raschek/reposilite \
 
 ## ArgoCD
 
-### Example Application
+### Daily execution of rolling updates
 
-An application resource for the Helm chart is defined below. It serves as an example for your own deployment.
+The behavior whereby ArgoCD triggers a rolling update even though nothing appears to have changed often occurs in
+connection with the helm concept `checksum/secret`, `checksum/configmap` or more generally, [Automatically Roll
+Deployments](https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments).
 
-```yaml
+The problem with combining this concept with ArgoCD is that ArgoCD re-renders the Helm chart every time. Even if the
+content of the config map or secret has not changed, there may be minimal differences (e.g., whitespace, chart version,
+Helm render order, different timestamps).
+
+This changes the SHA256 hash, Argo sees a drift and trigger a rolling update of the deployment. Among other things, this
+can lead to unnecessary notifications from ArgoCD.
+
+To avoid this, the annotation with the shasum must be ignored. Below is a diff that adds the `Application` to ignore all
+annotations with the prefix `checksum`.
+
+```diff
   apiVersion: argoproj.io/v1alpha1
   kind: Application
   spec:
-  destination:
++   ignoreDifferences:
-    server: https://kubernetes.default.svc
++   - group: apps/v1
-    namespace: reposilite
++     kind: Deployment
-  ignoreDifferences:
++     jqPathExpressions:
-  - group: apps
++     - '.spec.template.metadata.annotations | with_entries(select(.key | startswith("checksum")))'
-    kind: Deployment
-    jqPathExpressions:
-    # When HPA is enabled, ensure that a modification of the replicas does not lead to a
-    # drift.
-      - '.spec.replicas'
-    # Ensure that changes of the annotations or environment variables added or modified by
-    # stakater's reloader does not lead to a drift.
-    - '.spec.template.metadata.annotations | with_entries(select(.key | startswith("reloader")))'
-    - '.spec.template.spec.containers[].env[] | select(.name | startswith("STAKATER_"))'
-  sources:
-  - repoURL: https://charts.cryptic.systems/volker.raschek
-    chart: reposilite
-    targetRevision: '0.*'
-    helm:
-      valueFiles:
-      - $values/values.yaml
-      releaseName: reposilite
-  syncPolicy:
-    automated:
-      prune: true
-      selfHeal: true
-    managedNamespaceMetadata:
-      annotations: {}
-      labels: {}
-    syncOptions:
-    - ApplyOutOfSyncOnly=true
-    - CreateNamespace=true
-    - FailOnSharedResource=false
-    - Replace=false
-    - RespectIgnoreDifferences=false
-    - ServerSideApply=true
-    - Validate=true
 ```
 
 ## Parameters
@@ -303,7 +272,7 @@ spec:
 | `deployment.pluginContainer.args`                  | Arguments passed to the plugin container.                                                                  | `["--location","--fail","--max-time","60"]` |
 | `deployment.pluginContainer.image.registry`        | Image registry, eg. `docker.io`.                                                                           | `docker.io`                                 |
 | `deployment.pluginContainer.image.repository`      | Image repository, eg. `curlimages/curl`.                                                                   | `curlimages/curl`                           |
-| `deployment.pluginContainer.image.tag`             | Custom image tag, eg. `0.1.0`.                                                                             | `8.17.0`                                    |
+| `deployment.pluginContainer.image.tag`             | Custom image tag, eg. `0.1.0`.                                                                             | `8.16.0`                                    |
 | `deployment.pluginContainer.image.pullPolicy`      | Image pull policy.                                                                                         | `IfNotPresent`                              |
 | `deployment.priorityClassName`                     | PriorityClassName of the Reposilite deployment.                                                            | `""`                                        |
 | `deployment.replicas`                              | Number of replicas for the Reposilite deployment.                                                          | `1`                                         |

renovate.json

@@ -23,9 +23,7 @@
     },
     {
       "customType": "regex",
-      "fileMatch": [
+      "fileMatch": ["^README\\.md$"],
-        "^README\\.md$"
-      ],
       "matchStrings": [
         "CHART_VERSION=(?<currentValue>.*)"
       ],
@@ -37,8 +35,8 @@
     {
       "customType": "regex",
       "datasourceTemplate": "github-releases",
-      "fileMatch": [
+      "managerFilePatterns": [
-        ".vscode/settings\\.json$"
+        "/.vscode/settings\\.json$/"
       ],
       "matchStrings": [
         "https:\\/\\/raw\\.githubusercontent\\.com\\/(?<depName>[^\\s]+?)\\/(?<currentValue>v[0-9.]+?)\\/schema\\/helm-testsuite\\.json"
@@ -54,17 +52,12 @@
       ]
     },
     {
-      "automerge": true,
       "groupName": "Update helm plugin 'unittest'",
       "matchDepNames": [
         "helm-unittest/helm-unittest"
       ],
       "matchDatasources": [
         "github-releases"
-      ],
-      "matchUpdateTypes": [
-        "minor",
-        "patch"
       ]
     },
     {

templates/secretPrometheusBasicAuth.yaml

@@ -14,6 +14,6 @@ metadata:
   name: {{ include "reposilite.secrets.prometheusBasicAuth.name" . }}
   namespace: {{ .Release.Namespace }}
 stringData:
-  password: {{ required "Password for basic auth is required!" .Values.prometheus.metrics.secret.new.basicAuthPassword }}
+  password: {{ default (randAlphaNum 16) .Values.prometheus.metrics.secret.new.basicAuthPassword }}
-  username: {{ required "Username for basic auth is required!" .Values.prometheus.metrics.secret.new.basicAuthUsername }}
+  username: {{ default (randAlphaNum 16) .Values.prometheus.metrics.secret.new.basicAuthUsername }}
 {{- end }}

unittests/deployment/prometheusPodMonitor.yaml

@@ -13,8 +13,6 @@ tests:
   set:
     prometheus.metrics.enabled: true
     prometheus.metrics.podMonitor.enabled: true
-    prometheus.metrics.secret.new.basicAuthPassword: "my-password"
-    prometheus.metrics.secret.new.basicAuthUsername: "my-username"
   asserts:
   - exists:
       path: spec.template.metadata.annotations.checksum/secret-reposilite-unittest-basic-auth-credentials

unittests/deployment/prometheusServiceMonitor.yaml

@@ -13,8 +13,6 @@ tests:
   set:
     prometheus.metrics.enabled: true
     prometheus.metrics.serviceMonitor.enabled: true
-    prometheus.metrics.secret.new.basicAuthPassword: "my-password"
-    prometheus.metrics.secret.new.basicAuthUsername: "my-username"
   asserts:
   - exists:
       path: spec.template.metadata.annotations.checksum/secret-reposilite-unittest-basic-auth-credentials

unittests/secrets/basicAuth.yaml

@@ -13,29 +13,9 @@ tests:
   - hasDocuments:
       count: 0
 
-- it: Throw error for missing basic auth password
-  set:
-    prometheus.metrics.enabled: true
-    # prometheus.metrics.secret.new.basicAuthPassword: "my-password"
-    prometheus.metrics.secret.new.basicAuthUsername: "my-username"
-  asserts:
-    - failedTemplate:
-        errorMessage: "Password for basic auth is required!"
-
-- it: Throw error for missing basic auth username
-  set:
-    prometheus.metrics.enabled: true
-    prometheus.metrics.secret.new.basicAuthPassword: "my-password"
-    # prometheus.metrics.secret.new.basicAuthUsername: "my-username"
-  asserts:
-    - failedTemplate:
-        errorMessage: "Username for basic auth is required!"
-
 - it: Rendering secret with default values.
   set:
     prometheus.metrics.enabled: true
-    prometheus.metrics.secret.new.basicAuthPassword: "my-password"
-    prometheus.metrics.secret.new.basicAuthUsername: "my-username"
   asserts:
   - hasDocuments:
       count: 1
@@ -71,13 +51,13 @@ tests:
   asserts:
   - hasDocuments:
       count: 1
-  - isSubset:
+  - exists:
       path: metadata.annotations
-      content:
+      value:
         foo: bar
-  - isSubset:
+  - exists:
       path: metadata.labels
-      content:
+      value:
         bar: foo
   - equal:
       path: metadata.name

unittests/serviceAccount/serviceAccount.yaml

@@ -53,13 +53,13 @@ tests:
   asserts:
   - hasDocuments:
       count: 1
-  - isSubset:
+  - exists:
       path: metadata.annotations
-      content:
+      value:
         foo: bar
-  - isSubset:
+  - exists:
       path: metadata.labels
-      content:
+      value:
         bar: foo
   - equal:
       path: metadata.name

unittests/services/service.yaml

@@ -92,7 +92,7 @@ tests:
     service.scheme: ""
   asserts:
   - failedTemplate:
-      errorMessage: The scheme of the serviceMonitor is not defined!
+    errorMessage: No service scheme defined!
 
 - it: Require sessionAffinity.
   set:

values.yaml

@@ -175,7 +175,7 @@ deployment:
     image:
       registry: docker.io
       repository: curlimages/curl
-      tag: "8.17.0"
+      tag: "8.16.0"
       pullPolicy: IfNotPresent
 
   ## @param deployment.priorityClassName PriorityClassName of the Reposilite deployment.