feat: enhance openshift support (#1063)

### Description of the change

Add options to values.yaml to make chart easier to install in restricted openshift environments

### Benefits

more people can run this

### Checklist

<!-- [Place an '[X]' (no spaces) in all applicable fields. Please remove unrelated fields.] -->

- [x] Parameters are documented in the `values.yaml` and added to the `README.md` using [readme-generator-for-helm](https://github.com/bitnami-labs/readme-generator-for-helm)
- [ ] Breaking changes are documented in the `README.md`
- [x] Helm templating unittests are added (required when changing anything in `templates` folder)
- [ ] Bash unittests are added (required when changing anything in `scripts` folder)
- [x] All added template resources MUST render a namespace in metadata

---------

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
Reviewed-on: https://gitea.com/gitea/helm-gitea/pulls/1063
Reviewed-by: Lunny Xiao <xiaolunwen@gmail.com>
Co-authored-by: techknowlogick <techknowlogick@gitea.com>
Co-committed-by: techknowlogick <techknowlogick@gitea.com>

unittests/helm/config/server-section_domain.yaml

@@ -65,3 +65,41 @@ tests:
         matchRegex:
           path: stringData.server
           pattern: \nROOT_URL=http://provided.example.com
+
+  ################################################
+
+  - it: "[route enabled] uses route host for DOMAIN|SSH_DOMAIN|ROOT_URL"
+    template: templates/gitea/config.yaml
+    set:
+      route:
+        enabled: true
+        host: route.example.com
+    asserts:
+      - documentIndex: 0
+        matchRegex:
+          path: stringData.server
+          pattern: \nDOMAIN=route.example.com
+      - documentIndex: 0
+        matchRegex:
+          path: stringData.server
+          pattern: \nSSH_DOMAIN=route.example.com
+      - documentIndex: 0
+        matchRegex:
+          path: stringData.server
+          pattern: \nROOT_URL=http://route.example.com
+
+  ################################################
+
+  - it: "[route tls termination] uses https for ROOT_URL"
+    template: templates/gitea/config.yaml
+    set:
+      route:
+        enabled: true
+        host: route.example.com
+        tls:
+          termination: edge
+    asserts:
+      - documentIndex: 0
+        matchRegex:
+          path: stringData.server
+          pattern: \nROOT_URL=https://route.example.com

unittests/helm/deployment/openshift.yaml

@@ -0,0 +1,96 @@
+suite: deployment template (openshift)
+release:
+  name: gitea-unittests
+  namespace: testing
+templates:
+  - templates/gitea/deployment.yaml
+  - templates/gitea/config.yaml
+tests:
+  - it: renders openshift-compatible defaults for chart-managed containers
+    template: templates/gitea/deployment.yaml
+    set:
+      openshift.enabled: true
+    asserts:
+      - equal:
+          path: spec.template.spec.hostUsers
+          value: false
+      - notExists:
+          path: spec.template.spec.securityContext
+      - equal:
+          path: spec.template.spec.initContainers[0].securityContext
+          value:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            runAsNonRoot: true
+            seccompProfile:
+              type: RuntimeDefault
+      - equal:
+          path: spec.template.spec.initContainers[1].securityContext
+          value:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            runAsNonRoot: true
+            seccompProfile:
+              type: RuntimeDefault
+      - equal:
+          path: spec.template.spec.initContainers[2].securityContext
+          value:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            runAsNonRoot: true
+            seccompProfile:
+              type: RuntimeDefault
+      - equal:
+          path: spec.template.spec.containers[0].securityContext
+          value:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            runAsNonRoot: true
+            seccompProfile:
+              type: RuntimeDefault
+
+  - it: does not force runAsUser 1000 for command init containers on OpenShift
+    template: templates/gitea/deployment.yaml
+    set:
+      openshift.enabled: true
+      signing.enabled: true
+      signing.existingSecret: custom-gpg-secret
+    asserts:
+      - notExists:
+          path: spec.template.spec.initContainers[2].securityContext.runAsUser
+      - notExists:
+          path: spec.template.spec.initContainers[3].securityContext.runAsUser
+
+  - it: preserves explicit pod and container security context overrides on OpenShift
+    template: templates/gitea/deployment.yaml
+    set:
+      openshift:
+        enabled: true
+        hostUsers: true
+      podSecurityContext:
+        fsGroup: 1000620000
+      containerSecurityContext:
+        runAsUser: 1000620000
+        runAsGroup: 1000620000
+    asserts:
+      - equal:
+          path: spec.template.spec.hostUsers
+          value: true
+      - equal:
+          path: spec.template.spec.securityContext
+          value:
+            fsGroup: 1000620000
+      - equal:
+          path: spec.template.spec.initContainers[2].securityContext.runAsUser
+          value: 1000620000
+      - equal:
+          path: spec.template.spec.containers[0].securityContext.runAsGroup
+          value: 1000620000

unittests/helm/route/basic.yaml

@@ -0,0 +1,58 @@
+suite: Test route.yaml
+release:
+  name: gitea-unittests
+  namespace: testing
+templates:
+  - templates/gitea/route.yaml
+tests:
+  - it: should create route when route.enabled is true
+    set:
+      route:
+        enabled: true
+        host: git.apps.example.com
+        path: /
+        annotations:
+          haproxy.router.openshift.io/timeout: 5m
+        tls:
+          termination: edge
+          insecureEdgeTerminationPolicy: Redirect
+    asserts:
+      - hasDocuments:
+          count: 1
+      - equal:
+          path: metadata.name
+          value: gitea-unittests
+      - equal:
+          path: metadata.annotations["haproxy.router.openshift.io/timeout"]
+          value: 5m
+      - equal:
+          path: spec.host
+          value: git.apps.example.com
+      - equal:
+          path: spec.path
+          value: /
+      - equal:
+          path: spec.to.kind
+          value: Service
+      - equal:
+          path: spec.to.name
+          value: gitea-unittests-http
+      - equal:
+          path: spec.port.targetPort
+          value: http
+      - equal:
+          path: spec.wildcardPolicy
+          value: None
+      - equal:
+          path: spec.tls.termination
+          value: edge
+      - equal:
+          path: spec.tls.insecureEdgeTerminationPolicy
+          value: Redirect
+
+  - it: should not create route when route.enabled is false
+    set:
+      route.enabled: false
+    asserts:
+      - hasDocuments:
+          count: 0

unittests/helm/tests/test-http-connection.yaml

@@ -0,0 +1,24 @@
+suite: test connection template
+release:
+  name: gitea-unittests
+  namespace: testing
+templates:
+  - templates/tests/test-http-connection.yaml
+tests:
+  - it: renders openshift-compatible defaults for the test pod
+    set:
+      openshift.enabled: true
+    asserts:
+      - equal:
+          path: spec.hostUsers
+          value: false
+      - equal:
+          path: spec.containers[0].securityContext
+          value:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            runAsNonRoot: true
+            seccompProfile:
+              type: RuntimeDefault