chore(deps): update dependency go-gitea/gitea to v1.26.2 (#1084)

Co-authored-by: Renovate Bot <renovate-bot@gitea.com>
Co-committed-by: Renovate Bot <renovate-bot@gitea.com>

.gitea/workflows/changelog.yml

@@ -8,7 +8,7 @@ on:
 jobs:
   changelog:
     runs-on: ubuntu-latest
-    container: docker.io/thegeeklab/git-sv:2.0.9
+    container: docker.io/thegeeklab/git-sv:2.1.1
     steps:
       - name: install tools
         run: |

.gitea/workflows/commitlint.yml

@@ -11,7 +11,7 @@ on:
 jobs:
   check-and-test:
     runs-on: ubuntu-latest
-    container: commitlint/commitlint:20.4.3
+    container: commitlint/commitlint:20.5.3
     steps:
       - uses: actions/checkout@v6
       - name: check PR title

.gitea/workflows/release-version.yml

@@ -21,7 +21,7 @@ jobs:
       - name: Install helm
         env:
           # renovate: datasource=docker depName=alpine/helm
-          HELM_VERSION: "4.1.4"
+          HELM_VERSION: "3.21.0"
         run: |
           curl --fail --location --output /dev/stdout --silent --show-error https://get.helm.sh/helm-v${HELM_VERSION}-linux-$(dpkg --print-architecture).tar.gz | tar --extract --gzip --file /dev/stdin
           mv linux-$(dpkg --print-architecture)/helm /usr/local/bin/
@@ -53,7 +53,7 @@ jobs:
 
       - name: Import GPG key
         id: import_gpg
-        uses: https://github.com/crazy-max/ghaction-import-gpg@v6
+        uses: https://github.com/crazy-max/ghaction-import-gpg@v7
         with:
           gpg_private_key: ${{ secrets.GPGSIGN_KEY }}
           passphrase: ${{ secrets.GPGSIGN_PASSPHRASE }}
@@ -86,7 +86,7 @@ jobs:
           helm registry logout registry-1.docker.io
 
       - name: aws credential configure
-        uses: https://github.com/aws-actions/configure-aws-credentials@v5
+        uses: https://github.com/aws-actions/configure-aws-credentials@v6
         with:
           aws-access-key-id: ${{ secrets.AWS_KEY_ID }}
           aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
@@ -99,7 +99,7 @@ jobs:
   release-gitea:
     needs: generate-chart-publish
     runs-on: ubuntu-latest
-    container: docker.io/thegeeklab/git-sv:2.0.9
+    container: docker.io/thegeeklab/git-sv:2.1.1
     steps:
       - name: install tools
         run: |

.gitea/workflows/test-pr.yml

@@ -10,12 +10,12 @@ on:
 
 env:
   # renovate: datasource=github-releases depName=helm-unittest/helm-unittest
-  HELM_UNITTEST_VERSION: "v1.0.3"
+  HELM_UNITTEST_VERSION: "v1.1.0"
 
 jobs:
   check-and-test:
     runs-on: ubuntu-latest
-    container: alpine/helm:4.1.4
+    container: alpine/helm:3.21.0
     steps:
       - name: install tools
         run: |

.vscode/settings.json

@@ -1,6 +1,6 @@
 {
     "yaml.schemas": {
-        "https://raw.githubusercontent.com/helm-unittest/helm-unittest/v1.0.3/schema/helm-testsuite.json": [
+        "https://raw.githubusercontent.com/helm-unittest/helm-unittest/v1.1.0/schema/helm-testsuite.json": [
             "/unittests/**/*.yaml"
         ]
     },

CODEOWNERS

@@ -1 +1 @@
-* @rossigee @volker.raschek @ChristopherHX
+* @volker.raschek @ChristopherHX

Chart.yaml

@@ -4,7 +4,7 @@ description: Gitea Helm chart for Kubernetes
 type: application
 version: 0.0.0
 # renovate datasource=github-releases depName=go-gitea/gitea extractVersion=^v(?<version>.*)$
-appVersion: 1.25.5
+appVersion: 1.26.2
 icon: https://gitea.com/assets/img/logo.svg
 
 annotations:
@@ -26,9 +26,6 @@ sources:
   - https://docker.gitea.com/gitea
 
 maintainers:
-  # https://gitea.com/rossigee
-  - name: Ross Golder
-    email: ross@golder.org
   # https://gitea.com/volker.raschek
   - name: Markus Pesch
     email: markus.pesch+apps@cryptic.systems

README.md

@@ -280,6 +280,37 @@ If `.Values.image.rootless: true`, then the following will occur. In case you us
 
   [see deployment.yaml](./templates/gitea/deployment.yaml) template inside container "env" declarations
 
+#### OpenShift Compatibility
+
+When installing on OpenShift, enable the compatibility profile so chart-managed pods render SCC-safe defaults and the Gitea init containers stop forcing `runAsUser: 1000`:
+
+```yaml
+openshift:
+  enabled: true
+```
+
+When enabled, the chart applies `allowPrivilegeEscalation: false`, drops all
+Linux capabilities, sets `runAsNonRoot: true`, uses
+`seccompProfile.type: RuntimeDefault`, and leaves `hostUsers` unset unless
+`openshift.hostUsers` is explicitly overridden.
+
+The deployment keeps the existing vanilla Kubernetes behavior when OpenShift
+compatibility is disabled. Auto-detection relies on the
+`security.openshift.io/v1/SecurityContextConstraints` API, so set
+`openshift.enabled: true` explicitly when rendering outside a live cluster.
+
+If you also want to expose Gitea through an OpenShift Route, enable the optional Route resource:
+
+```yaml
+route:
+  enabled: true
+  host: git.apps.example.com
+  tls:
+    termination: edge
+```
+
+When `route.host` is set, the chart uses it for `DOMAIN`, `SSH_DOMAIN`, and `ROOT_URL`. Setting `route.tls.termination` also switches the default `ROOT_URL` scheme to `https`.
+
 #### Session, Cache and Queue
 
 The session, cache and queue settings are set to use the built-in Valkey Cluster sub-chart dependency.
@@ -381,7 +412,7 @@ gitea:
 ```
 
 This would mount the two additional volumes (`oauth` and `some-additionals`) from different sources to the init container where the _app.ini_ gets updated.
-All files mounted that way will be read and converted to environment variables and then added to the _app.ini_ using [environment-to-ini](https://github.com/go-gitea/gitea/tree/main/contrib/environment-to-ini).
+All files mounted that way will be read and converted to environment variables and then added to the _app.ini_ using [Gitea config edit-ini](https://docs.gitea.com/administration/config-cheat-sheet#use-environment-variables-to-setup-gitea).
 
 The key of such additional source represents the section inside the _app.ini_.
 The value for each key can be multiline ini-like definitions.
@@ -422,10 +453,10 @@ Users are able to define their own environment variables, which are loaded into
 We also support to directly interact with the generated _app.ini_.
 
 To inject self defined variables into the _app.ini_ a certain format needs to be honored.
-This is described in detail on the [env-to-ini](https://github.com/go-gitea/gitea/tree/main/contrib/environment-to-ini) page.
+This is described in detail on the [Gitea config edit-ini](https://docs.gitea.com/administration/config-cheat-sheet#use-environment-variables-to-setup-gitea) page.
 
 Prior to Gitea 1.20 and Chart 9.0.0 the helm chart had a custom prefix `ENV_TO_INI`.
-After the support for a custom prefix was removed in Gite core, the prefix was changed to `GITEA`.
+After the support for a custom prefix was removed in Gitea core, the prefix was changed to `GITEA`.
 
 For example a database setting needs to have the following format:
 
@@ -975,12 +1006,14 @@ To comply with the Gitea helm chart definition of the digest parameter, a "custo
 
 ### Security
 
-| Name                         | Description                                                     | Value  |
-| ---------------------------- | --------------------------------------------------------------- | ------ |
-| `podSecurityContext.fsGroup` | Set the shared file system group for all containers in the pod. | `1000` |
-| `containerSecurityContext`   | Security context                                                | `{}`   |
-| `securityContext`            | Run init and Gitea containers as a specific securityContext     | `{}`   |
-| `podDisruptionBudget`        | Pod disruption budget                                           | `{}`   |
+| Name                       | Description                                                                                                                          | Value |
+| -------------------------- | ------------------------------------------------------------------------------------------------------------------------------------ | ----- |
+| `openshift.enabled`        | Enable OpenShift compatibility defaults for chart-managed pods. Defaults to auto-detect based on the SecurityContextConstraints API. | `nil` |
+| `openshift.hostUsers`      | Override the PodSpec hostUsers field for chart-managed pods. When unset, the field is omitted so the platform default is used.       | `nil` |
+| `podSecurityContext`       | Pod security context. On non-OpenShift clusters the chart defaults `fsGroup` to `1000` when this map is empty.                       | `{}`  |
+| `containerSecurityContext` | Security context                                                                                                                     | `{}`  |
+| `securityContext`          | Run init and Gitea containers as a specific securityContext                                                                          | `{}`  |
+| `podDisruptionBudget`      | Pod disruption budget                                                                                                                | `{}`  |
 
 ### Service
 
@@ -1026,6 +1059,22 @@ To comply with the Gitea helm chart definition of the digest parameter, a "custo
 | `ingress.hosts[0].paths[0].path` | Default Ingress path            | `/`               |
 | `ingress.tls`                    | Ingress tls settings            | `[]`              |
 
+### Route
+
+| Name                                      | Description                                                                                                    | Value   |
+| ----------------------------------------- | -------------------------------------------------------------------------------------------------------------- | ------- |
+| `route.enabled`                           | Enable OpenShift Route                                                                                         | `false` |
+| `route.annotations`                       | Route annotations                                                                                              | `{}`    |
+| `route.host`                              | Route host. When unset, OpenShift may generate one and Gitea URL defaults fall back to ingress/service values. | `""`    |
+| `route.path`                              | Route path                                                                                                     | `""`    |
+| `route.wildcardPolicy`                    | Route wildcard policy                                                                                          | `None`  |
+| `route.tls.termination`                   | Route TLS termination type                                                                                     | `nil`   |
+| `route.tls.insecureEdgeTerminationPolicy` | Route insecure edge termination policy                                                                         | `nil`   |
+| `route.tls.key`                           | Route TLS key                                                                                                  | `nil`   |
+| `route.tls.certificate`                   | Route TLS certificate                                                                                          | `nil`   |
+| `route.tls.caCertificate`                 | Route TLS CA certificate                                                                                       | `nil`   |
+| `route.tls.destinationCACertificate`      | Route destination CA certificate                                                                               | `nil`   |
+
 ### deployment
 
 | Name                                       | Description                                            | Value |
@@ -1098,29 +1147,30 @@ To comply with the Gitea helm chart definition of the digest parameter, a "custo
 
 ### Gitea
 
-| Name                                         | Description                                                                                                                    | Value                |
-| -------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------ | -------------------- |
-| `gitea.admin.username`                       | Username for the Gitea admin user                                                                                              | `gitea_admin`        |
-| `gitea.admin.existingSecret`                 | Use an existing secret to store admin user credentials                                                                         | `nil`                |
-| `gitea.admin.password`                       | Password for the Gitea admin user                                                                                              | `r8sA8CPHD9!bt6d`    |
-| `gitea.admin.email`                          | Email for the Gitea admin user                                                                                                 | `gitea@local.domain` |
-| `gitea.admin.passwordMode`                   | Mode for how to set/update the admin user password. Options are: initialOnlyNoReset, initialOnlyRequireReset, and keepUpdated  | `keepUpdated`        |
-| `gitea.metrics.enabled`                      | Enable Gitea metrics                                                                                                           | `false`              |
-| `gitea.metrics.token`                        | used for `bearer` token authentication on metrics endpoint. If not specified or empty metrics endpoint is public.              | `nil`                |
-| `gitea.metrics.serviceMonitor.enabled`       | Enable Gitea metrics service monitor. Requires, that `gitea.metrics.enabled` is also set to true, to enable metrics generally. | `false`              |
-| `gitea.metrics.serviceMonitor.interval`      | Interval at which metrics should be scraped. If not specified Prometheus' global scrape interval is used.                      | `""`                 |
-| `gitea.metrics.serviceMonitor.relabelings`   | RelabelConfigs to apply to samples before scraping.                                                                            | `[]`                 |
-| `gitea.metrics.serviceMonitor.scheme`        | HTTP scheme to use for scraping. For example `http` or `https`. Default is http.                                               | `""`                 |
-| `gitea.metrics.serviceMonitor.scrapeTimeout` | Timeout after which the scrape is ended. If not specified, global Prometheus scrape timeout is used.                           | `""`                 |
-| `gitea.metrics.serviceMonitor.tlsConfig`     | TLS configuration to use when scraping the metric endpoint by Prometheus.                                                      | `{}`                 |
-| `gitea.ldap`                                 | LDAP configuration                                                                                                             | `[]`                 |
-| `gitea.oauth`                                | OAuth configuration                                                                                                            | `[]`                 |
-| `gitea.config.server.SSH_PORT`               | SSH port for rootlful Gitea image                                                                                              | `22`                 |
-| `gitea.config.server.SSH_LISTEN_PORT`        | SSH port for rootless Gitea image                                                                                              | `2222`               |
-| `gitea.additionalConfigSources`              | Additional configuration from secret or configmap                                                                              | `[]`                 |
-| `gitea.additionalConfigFromEnvs`             | Additional configuration sources from environment variables                                                                    | `[]`                 |
-| `gitea.podAnnotations`                       | Annotations for the Gitea pod                                                                                                  | `{}`                 |
-| `gitea.ssh.logLevel`                         | Configure OpenSSH's log level. Only available for root-based Gitea image.                                                      | `INFO`               |
+| Name                                         | Description                                                                                                                                                                     | Value                |
+| -------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------- |
+| `gitea.admin.username`                       | Username for the Gitea admin user                                                                                                                                               | `gitea_admin`        |
+| `gitea.admin.existingSecret`                 | Use an existing secret to store admin user credentials                                                                                                                          | `nil`                |
+| `gitea.admin.password`                       | Password for the Gitea admin user                                                                                                                                               | `r8sA8CPHD9!bt6d`    |
+| `gitea.admin.email`                          | Email for the Gitea admin user                                                                                                                                                  | `gitea@local.domain` |
+| `gitea.admin.passwordMode`                   | Mode for how to set/update the admin user password. Options are: initialOnlyNoReset, initialOnlyRequireReset, and keepUpdated                                                   | `keepUpdated`        |
+| `gitea.metrics.enabled`                      | Enable Gitea metrics                                                                                                                                                            | `false`              |
+| `gitea.metrics.token`                        | used for `bearer` token authentication on metrics endpoint. If not specified or empty metrics endpoint is public.                                                               | `nil`                |
+| `gitea.metrics.serviceMonitor.enabled`       | Enable Gitea metrics service monitor. Requires, that `gitea.metrics.enabled` is also set to true, to enable metrics generally.                                                  | `false`              |
+| `gitea.metrics.serviceMonitor.interval`      | Interval at which metrics should be scraped. If not specified Prometheus' global scrape interval is used.                                                                       | `""`                 |
+| `gitea.metrics.serviceMonitor.relabelings`   | RelabelConfigs to apply to samples before scraping.                                                                                                                             | `[]`                 |
+| `gitea.metrics.serviceMonitor.scheme`        | HTTP scheme to use for scraping. For example `http` or `https`. Default is http.                                                                                                | `""`                 |
+| `gitea.metrics.serviceMonitor.scrapeTimeout` | Timeout after which the scrape is ended. If not specified, global Prometheus scrape timeout is used.                                                                            | `""`                 |
+| `gitea.metrics.serviceMonitor.tlsConfig`     | TLS configuration to use when scraping the metric endpoint by Prometheus.                                                                                                       | `{}`                 |
+| `gitea.ldap`                                 | LDAP configuration                                                                                                                                                              | `[]`                 |
+| `gitea.oauth`                                | OAuth configuration                                                                                                                                                             | `[]`                 |
+| `gitea.config.server.SSH_PORT`               | SSH port for rootlful Gitea image                                                                                                                                               | `22`                 |
+| `gitea.config.server.SSH_LISTEN_PORT`        | SSH port for rootless Gitea image                                                                                                                                               | `2222`               |
+| `gitea.additionalConfigSources`              | Additional configuration from secret or configmap                                                                                                                               | `[]`                 |
+| `gitea.additionalConfigFromEnvs`             | Additional configuration sources from environment variables                                                                                                                     | `[]`                 |
+| `gitea.extraEnvSourceFile`                   | Source environment variables from a file during init container startup. This is especially useful for reading environment variable files generated by the Vault agent-injector. | `nil`                |
+| `gitea.podAnnotations`                       | Annotations for the Gitea pod                                                                                                                                                   | `{}`                 |
+| `gitea.ssh.logLevel`                         | Configure OpenSSH's log level. Only available for root-based Gitea image.                                                                                                       | `INFO`               |
 
 ### LivenessProbe
 
@@ -1527,7 +1577,7 @@ mariadb:
 
 ### App.ini generation <!-- omit from toc -->
 
-The app.ini generation has changed and now utilizes the environment-to-ini script provided by newer Gitea versions.
+The app.ini generation has changed and now uses the `gitea config edit-ini` subcommand introduced in Gitea 1.26.
 This change ensures, that the app.ini is now persistent.
 
 ### Secret Key generation <!-- omit from toc -->

package-lock.json

@@ -33,9 +33,9 @@
       }
     },
     "node_modules/@types/debug": {
-      "version": "4.1.12",
-      "resolved": "https://registry.npmjs.org/@types/debug/-/debug-4.1.12.tgz",
-      "integrity": "sha512-vIChWdVG3LG1SMxEvI/AK+FWJthlrqlTu7fbrlywTkkaONwk/UAGaULXRlf8vkzFBLVm0zkMdCquhL5aOjhXPQ==",
+      "version": "4.1.13",
+      "resolved": "https://registry.npmjs.org/@types/debug/-/debug-4.1.13.tgz",
+      "integrity": "sha512-KSVgmQmzMwPlmtljOomayoR89W4FynCAi3E8PPs7vmDVPe84hT+vGPKkJfThkmXs0x0jAaa9U8uW8bbfyS2fWw==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
@@ -91,9 +91,9 @@
       "license": "MIT"
     },
     "node_modules/brace-expansion": {
-      "version": "1.1.12",
-      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.12.tgz",
-      "integrity": "sha512-9T9UjW3r0UW5c1Q7GTwllptXwhvYmEzFhzMfZ9H7FQWt+uZePjZPjBP/W1ZEyZ1twGWom5/56TF4lPcqjnDHcg==",
+      "version": "1.1.14",
+      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.14.tgz",
+      "integrity": "sha512-MWPGfDxnyzKU7rNOW9SP/c50vi3xrmrua/+6hfPbCS2ABNWfx24vPidzvC7krjU/RTo235sV776ymlsMtGKj8g==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
@@ -280,9 +280,9 @@
       "license": "ISC"
     },
     "node_modules/get-east-asian-width": {
-      "version": "1.5.0",
-      "resolved": "https://registry.npmjs.org/get-east-asian-width/-/get-east-asian-width-1.5.0.tgz",
-      "integrity": "sha512-CQ+bEO+Tva/qlmw24dCejulK5pMzVnUOFOijVogd3KQs07HnRIgp8TGipvCCRT06xeYEbpbgwaCxglFyiuIcmA==",
+      "version": "1.6.0",
+      "resolved": "https://registry.npmjs.org/get-east-asian-width/-/get-east-asian-width-1.6.0.tgz",
+      "integrity": "sha512-QRbvDIbx6YklUe6RxeTeleMR0yv3cYH6PsPZHcnVn7xv7zO1BHN8r0XETu8n6Ye3Q+ahtSarc3WgtNWmehIBfA==",
       "dev": true,
       "license": "MIT",
       "engines": {
@@ -432,9 +432,9 @@
       }
     },
     "node_modules/katex": {
-      "version": "0.16.38",
-      "resolved": "https://registry.npmjs.org/katex/-/katex-0.16.38.tgz",
-      "integrity": "sha512-cjHooZUmIAUmDsHBN+1n8LaZdpmbj03LtYeYPyuYB7OuloiaeaV6N4LcfjcnHVzGWjVQmKrxxTrpDcmSzEZQwQ==",
+      "version": "0.16.47",
+      "resolved": "https://registry.npmjs.org/katex/-/katex-0.16.47.tgz",
+      "integrity": "sha512-Eeo8Ys1doU1z+x8AZsPpQu+p/QcZBI5PeOo7QGQdy2x2m0MU/hYagBbGOmXwr5KVbEfVuWv9LpnQWeehogurjg==",
       "dev": true,
       "funding": [
         "https://opencollective.com/katex",
@@ -469,9 +469,9 @@
       }
     },
     "node_modules/lodash": {
-      "version": "4.17.23",
-      "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.23.tgz",
-      "integrity": "sha512-LgVTMpQtIopCi79SJeDiP0TfWi5CNEc/L/aRdTh3yIvmZXTnheWpKjSZhnvMl8iXbC1tFg9gdHHDMLoV7CnG+w==",
+      "version": "4.18.1",
+      "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.18.1.tgz",
+      "integrity": "sha512-dMInicTPVE8d1e5otfwmmjlxkZoUpiVLwyeTdUsi/Caj/gfzzblBcCE5sRHV/AsjuCmxWrte2TNGSYuCeCq+0Q==",
       "dev": true,
       "license": "MIT"
     },
@@ -569,9 +569,9 @@
       }
     },
     "node_modules/markdownlint-cli/node_modules/brace-expansion": {
-      "version": "5.0.4",
-      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-5.0.4.tgz",
-      "integrity": "sha512-h+DEnpVvxmfVefa4jFbCf5HdH5YMDXRsmKflpf1pILZWRFlTbJpxeU55nJl4Smt5HQaGzg1o6RHFPJaOqnmBDg==",
+      "version": "5.0.6",
+      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-5.0.6.tgz",
+      "integrity": "sha512-kLpxurY4Z4r9sgMsyG0Z9uzsBlgiU/EFKhj/h91/8yHu0edo7XuixOIH3VcJ8kkxs6/jPzoI6U9Vj3WqbMQ94g==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
@@ -592,13 +592,13 @@
       }
     },
     "node_modules/markdownlint-cli/node_modules/minimatch": {
-      "version": "10.2.4",
-      "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-10.2.4.tgz",
-      "integrity": "sha512-oRjTw/97aTBN0RHbYCdtF1MQfvusSIBQM0IZEgzl6426+8jSC0nF1a/GmnVLpfB9yyr6g6FTqWqiZVbxrtaCIg==",
+      "version": "10.2.5",
+      "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-10.2.5.tgz",
+      "integrity": "sha512-MULkVLfKGYDFYejP07QOurDLLQpcjk7Fw+7jXS2R2czRQzR56yHRveU5NDJEOviH+hETZKSkIk5c+T23GjFUMg==",
       "dev": true,
       "license": "BlueOak-1.0.0",
       "dependencies": {
-        "brace-expansion": "^5.0.2"
+        "brace-expansion": "^5.0.5"
       },
       "engines": {
         "node": "18 || 20 || >=22"
@@ -1221,9 +1221,9 @@
       }
     },
     "node_modules/picomatch": {
-      "version": "4.0.3",
-      "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-4.0.3.tgz",
-      "integrity": "sha512-5gTmgEY/sqK6gFXLIsQNH19lWb4ebPDLA4SdLP7dsWkIXHWlG66oPuVvXSGFPppYZz8ZDZq0dYYrbHfBCVUb1Q==",
+      "version": "4.0.4",
+      "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-4.0.4.tgz",
+      "integrity": "sha512-QP88BAKvMam/3NxH6vj2o21R6MjxZUAd6nlwAS/pnGvN9IVLocLHxGYIzFhg6fUQ+5th6P4dv4eW9jX3DSIj7A==",
       "dev": true,
       "license": "MIT",
       "engines": {
@@ -1270,9 +1270,9 @@
       }
     },
     "node_modules/smol-toml": {
-      "version": "1.6.0",
-      "resolved": "https://registry.npmjs.org/smol-toml/-/smol-toml-1.6.0.tgz",
-      "integrity": "sha512-4zemZi0HvTnYwLfrpk/CF9LOd9Lt87kAt50GnqhMpyF9U3poDAP2+iukq2bZsO/ufegbYehBkqINbsWxj4l4cw==",
+      "version": "1.6.1",
+      "resolved": "https://registry.npmjs.org/smol-toml/-/smol-toml-1.6.1.tgz",
+      "integrity": "sha512-dWUG8F5sIIARXih1DTaQAX4SsiTXhInKf1buxdY9DIg4ZYPZK5nGM1VRIYmEbDbsHt7USo99xSLFu5Q1IqTmsg==",
       "dev": true,
       "license": "BSD-3-Clause",
       "engines": {
@@ -1329,14 +1329,14 @@
       }
     },
     "node_modules/tinyglobby": {
-      "version": "0.2.15",
-      "resolved": "https://registry.npmjs.org/tinyglobby/-/tinyglobby-0.2.15.tgz",
-      "integrity": "sha512-j2Zq4NyQYG5XMST4cbs02Ak8iJUdxRM0XI5QyxXuZOzKOINmWurp3smXu3y5wDcJrptwpSjgXHzIQxR0omXljQ==",
+      "version": "0.2.16",
+      "resolved": "https://registry.npmjs.org/tinyglobby/-/tinyglobby-0.2.16.tgz",
+      "integrity": "sha512-pn99VhoACYR8nFHhxqix+uvsbXineAasWm5ojXoN8xEwK5Kd3/TrhNn1wByuD52UxWRLy8pu+kRMniEi6Eq9Zg==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
         "fdir": "^6.5.0",
-        "picomatch": "^4.0.3"
+        "picomatch": "^4.0.4"
       },
       "engines": {
         "node": ">=12.0.0"
@@ -1360,9 +1360,9 @@
       "license": "ISC"
     },
     "node_modules/yaml": {
-      "version": "2.8.2",
-      "resolved": "https://registry.npmjs.org/yaml/-/yaml-2.8.2.tgz",
-      "integrity": "sha512-mplynKqc1C2hTVYxd0PU2xQAc22TI1vShAYGksCCfxbn/dFwnHTNi1bvYsBTkhdUNtGIf5xNOg938rrSSYvS9A==",
+      "version": "2.9.0",
+      "resolved": "https://registry.npmjs.org/yaml/-/yaml-2.9.0.tgz",
+      "integrity": "sha512-2AvhNX3mb8zd6Zy7INTtSpl1F15HW6Wnqj0srWlkKLcpYl/gMIMJiyuGq2KeI2YFxUPjdlB+3Lc10seMLtL4cA==",
       "dev": true,
       "license": "ISC",
       "bin": {

scripts/init-containers/config/config_environment.sh

@@ -78,7 +78,6 @@ function env2ini::reload_preset_envs() {
   rm $TMP_EXISTING_ENVS_FILE
 }
 
-
 function env2ini::process_config_file() {
   local config_file="${1}"
   local section="$(basename "${config_file}")"
@@ -151,4 +150,4 @@ if [ -f ${GITEA_APP_INI} ]; then
   unset GITEA__SERVER__LFS_JWT_SECRET
 fi
 
-environment-to-ini -o $GITEA_APP_INI
+gitea config edit-ini --apply-env --config "$GITEA_APP_INI" --out "$GITEA_APP_INI"

templates/NOTES.txt

@@ -1,5 +1,12 @@
 1. Get the application URL by running these commands:
-{{- if .Values.ingress.enabled }}
+{{- if .Values.route.enabled }}
+  {{- if .Values.route.host }}
+  {{ include "gitea.public_protocol" . }}://{{ tpl .Values.route.host . }}{{ .Values.route.path }}
+  {{- else }}
+  export ROUTE_HOST=$(kubectl get route --namespace {{ .Release.Namespace }} {{ include "gitea.fullname" . }} -o jsonpath="{.spec.host}")
+  echo {{ include "gitea.public_protocol" . }}://$ROUTE_HOST{{ .Values.route.path }}
+  {{- end }}
+{{- else if .Values.ingress.enabled }}
 {{- range $host := .Values.ingress.hosts }}
   {{- range .paths }}
   http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host.host }}{{ .path }}

templates/_helpers.tpl

@@ -76,6 +76,87 @@ imagePullSecrets:
 {{- end }}
 {{- end -}}
 
+{{/*
+Return true when OpenShift compatibility defaults should be rendered.
+If openshift.enabled is unset, auto-detect via the SCC API.
+*/}}
+{{- define "gitea.openshift.enabled" -}}
+{{- if kindIs "bool" .Values.openshift.enabled -}}
+{{ ternary "true" "false" .Values.openshift.enabled }}
+{{- else if .Capabilities.APIVersions.Has "security.openshift.io/v1/SecurityContextConstraints" -}}
+true
+{{- else -}}
+false
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return the pod's hostUsers setting when OpenShift compatibility is enabled.
+*/}}
+{{- define "gitea.hostUsers" -}}
+{{- if eq (include "gitea.openshift.enabled" . | trim) "true" -}}
+{{- if kindIs "bool" .Values.openshift.hostUsers -}}
+{{ ternary "true" "false" .Values.openshift.hostUsers }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Render pod securityContext. On non-OpenShift clusters an empty map defaults fsGroup to 1000.
+*/}}
+{{- define "gitea.podSecurityContext" -}}
+{{- $podSecurityContext := deepCopy .Values.podSecurityContext -}}
+{{- if and (ne (include "gitea.openshift.enabled" . | trim) "true") (not (hasKey $podSecurityContext "fsGroup")) -}}
+{{- $_ := set $podSecurityContext "fsGroup" 1000 -}}
+{{- end -}}
+{{- if gt (len $podSecurityContext) 0 -}}
+{{ toYaml $podSecurityContext }}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Render container securityContext with OpenShift restricted SCC defaults when enabled.
+*/}}
+{{- define "gitea.containerSecurityContext" -}}
+{{- $root := index . 0 -}}
+{{- $containerSecurityContext := deepCopy (index . 1) -}}
+{{- if eq (include "gitea.openshift.enabled" $root | trim) "true" -}}
+{{- $containerSecurityContext = mergeOverwrite (dict
+  "allowPrivilegeEscalation" false
+  "capabilities" (dict "drop" (list "ALL"))
+  "runAsNonRoot" true
+  "seccompProfile" (dict "type" "RuntimeDefault")
+) $containerSecurityContext -}}
+{{- end -}}
+{{- if gt (len $containerSecurityContext) 0 -}}
+{{ toYaml $containerSecurityContext }}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Render the securityContext for init containers that execute Gitea/GPG commands.
+These default to runAsUser 1000 outside OpenShift to preserve existing behavior.
+*/}}
+{{- define "gitea.commandInitContainerSecurityContext" -}}
+{{- $root := index . 0 -}}
+{{- $containerSecurityContext := deepCopy (index . 1) -}}
+{{- if and (ne (include "gitea.openshift.enabled" $root | trim) "true") (not (hasKey $containerSecurityContext "runAsUser")) -}}
+{{- $_ := set $containerSecurityContext "runAsUser" 1000 -}}
+{{- end -}}
+{{- include "gitea.containerSecurityContext" (list $root $containerSecurityContext) -}}
+{{- end -}}
+
+{{/*
+Render the runtime container securityContext while honoring the deprecated securityContext value.
+*/}}
+{{- define "gitea.runtimeContainerSecurityContext" -}}
+{{- $containerSecurityContext := deepCopy .Values.containerSecurityContext -}}
+{{- if and (eq (len $containerSecurityContext) 0) .Values.securityContext -}}
+{{- $containerSecurityContext = deepCopy .Values.securityContext -}}
+{{- end -}}
+{{- include "gitea.containerSecurityContext" (list . $containerSecurityContext) -}}
+{{- end -}}
+
 
 {{/*
 Storage Class
@@ -139,7 +220,7 @@ app.kubernetes.io/instance: {{ .Release.Name }}
 {{- else if (index .Values "valkey-cluster").enabled -}}
 {{- printf "redis+cluster://:%s@%s-valkey-cluster-headless.%s.svc.%s:%g/0?pool_size=100&idle_timeout=180s&" (index .Values "valkey-cluster").global.valkey.password .Release.Name .Release.Namespace .Values.clusterDomain (index .Values "valkey-cluster").service.ports.valkey -}}
 {{- else if (index .Values "valkey").enabled -}}
-{{- printf "redis://:%s@%s-valkey-headless.%s.svc.%s:%g/0?pool_size=100&idle_timeout=180s&" (index .Values "valkey").global.valkey.password .Release.Name .Release.Namespace .Values.clusterDomain (index .Values "valkey").master.service.ports.valkey -}}
+{{- printf "redis://:%s@%s-valkey-primary.%s.svc.%s:%g/0?pool_size=100&idle_timeout=180s&" (index .Values "valkey").global.valkey.password .Release.Name .Release.Namespace .Values.clusterDomain (index .Values "valkey").master.service.ports.valkey -}}
 {{- end -}}
 {{- end -}}
 
@@ -153,9 +234,9 @@ app.kubernetes.io/instance: {{ .Release.Name }}
 
 {{- define "valkey.servicename" -}}
 {{- if (index .Values "valkey-cluster").enabled -}}
-{{- printf "%s-valkey-cluster-headless.%s.svc.%s" .Release.Name .Release.Namespace .Values.clusterDomain -}}
+{{- printf "%s-valkey-cluster-headless.%s.svc" .Release.Name .Release.Namespace -}}
 {{- else if (index .Values "valkey").enabled -}}
-{{- printf "%s-valkey-headless.%s.svc.%s" .Release.Name .Release.Namespace .Values.clusterDomain -}}
+{{- printf "%s-valkey-primary.%s.svc" .Release.Name .Release.Namespace -}}
 {{- end -}}
 {{- end -}}
 
@@ -163,6 +244,16 @@ app.kubernetes.io/instance: {{ .Release.Name }}
 {{- printf "%s-http.%s.svc.%s" (include "gitea.fullname" .) .Release.Namespace .Values.clusterDomain -}}
 {{- end -}}
 
+{{- define "gitea.public_hostname" -}}
+{{- if and .Values.route.enabled .Values.route.host -}}
+{{ tpl .Values.route.host . }}
+{{- else if gt (len .Values.ingress.hosts) 0 -}}
+{{ tpl (index .Values.ingress.hosts 0).host $ }}
+{{- else -}}
+{{ include "gitea.default_domain" . }}
+{{- end -}}
+{{- end -}}
+
 {{- define "gitea.ldap_settings" -}}
 {{- $idx := index . 0 }}
 {{- $values := index . 1 }}
@@ -213,7 +304,9 @@ app.kubernetes.io/instance: {{ .Release.Name }}
 {{- end -}}
 
 {{- define "gitea.public_protocol" -}}
-{{- if and .Values.ingress.enabled (gt (len .Values.ingress.tls) 0) -}}
+{{- if and .Values.route.enabled .Values.route.tls.termination -}}
+https
+{{- else if and .Values.ingress.enabled (gt (len .Values.ingress.tls) 0) -}}
 https
 {{- else -}}
 {{ .Values.gitea.config.server.PROTOCOL }}
@@ -346,11 +439,7 @@ https
     {{- $_ := set .Values.gitea.config.server "PROTOCOL" "http" -}}
   {{- end -}}
   {{- if not (.Values.gitea.config.server.DOMAIN) -}}
-    {{- if gt (len .Values.ingress.hosts) 0 -}}
-      {{- $_ := set .Values.gitea.config.server "DOMAIN" ( tpl (index .Values.ingress.hosts 0).host $) -}}
-    {{- else -}}
-      {{- $_ := set .Values.gitea.config.server "DOMAIN" (include "gitea.default_domain" .) -}}
-    {{- end -}}
+    {{- $_ := set .Values.gitea.config.server "DOMAIN" (include "gitea.public_hostname" .) -}}
   {{- end -}}
   {{- if not .Values.gitea.config.server.ROOT_URL -}}
     {{- $_ := set .Values.gitea.config.server "ROOT_URL" (printf "%s://%s" (include "gitea.public_protocol" .) .Values.gitea.config.server.DOMAIN) -}}

templates/gitea/deployment.yaml

@@ -43,6 +43,11 @@ spec:
         {{- toYaml .Values.deployment.labels | nindent 8 }}
         {{- end }}
     spec:
+      {{- $hostUsers := include "gitea.hostUsers" . | trim }}
+      {{- $podSecurityContext := include "gitea.podSecurityContext" . | trim }}
+      {{- $containerSecurityContext := include "gitea.containerSecurityContext" (list . (deepCopy .Values.containerSecurityContext)) | trim }}
+      {{- $commandInitContainerSecurityContext := include "gitea.commandInitContainerSecurityContext" (list . (deepCopy .Values.containerSecurityContext)) | trim }}
+      {{- $runtimeContainerSecurityContext := include "gitea.runtimeContainerSecurityContext" . | trim }}
       {{- if .Values.schedulerName }}
       schedulerName: "{{ .Values.schedulerName }}"
       {{- end }}
@@ -52,9 +57,14 @@ spec:
       {{- if .Values.priorityClassName }}
       priorityClassName: "{{ .Values.priorityClassName }}"
       {{- end }}
+      {{- if $hostUsers }}
+      hostUsers: {{ $hostUsers }}
+      {{- end }}
       {{- include "gitea.images.pullSecrets" . | nindent 6 }}
+      {{- if $podSecurityContext }}
       securityContext:
-        {{- toYaml .Values.podSecurityContext | nindent 8 }}
+        {{- $podSecurityContext | nindent 8 }}
+      {{- end }}
       initContainers:
         {{- if .Values.preExtraInitContainers }}
         {{- toYaml .Values.preExtraInitContainers | nindent 8 }}
@@ -91,15 +101,25 @@ spec:
               subPath: {{ .Values.persistence.subPath }}
               {{- end }}
             {{- include "gitea.init-additional-mounts" . | nindent 12 }}
+          {{- if $containerSecurityContext }}
           securityContext:
-            {{- toYaml .Values.containerSecurityContext | nindent 12 }}
+            {{- $containerSecurityContext | nindent 12 }}
+          {{- end }}
           resources:
             {{- toYaml .Values.initContainers.resources | nindent 12 }}
         - name: init-app-ini
           image: "{{ include "gitea.image" . }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
+          {{- if .Values.gitea.extraEnvSourceFile }}
+          command:
+          - "/bin/bash"
+          - "-c"
+          args:
+          - "test -f {{ .Values.gitea.extraEnvSourceFile }} && source {{ .Values.gitea.extraEnvSourceFile }} || { echo 'ERROR: Failed to source {{ .Values.gitea.extraEnvSourceFile }}'; exit 1; } && {{ .Values.initContainersScriptsVolumeMountPath }}/config_environment.sh"
+          {{- else }}
           command:
           - "{{ .Values.initContainersScriptsVolumeMountPath }}/config_environment.sh"
+          {{- end }}
           env:
             - name: GITEA_APP_INI
               value: /data/gitea/conf/app.ini
@@ -136,23 +156,30 @@ spec:
               mountPath: "/env-to-ini-mounts/additionals/{{ $idx }}/"
             {{- end }}
             {{- include "gitea.init-additional-mounts" . | nindent 12 }}
+          {{- if $containerSecurityContext }}
           securityContext:
-            {{- toYaml .Values.containerSecurityContext | nindent 12 }}
+            {{- $containerSecurityContext | nindent 12 }}
+          {{- end }}
           resources:
             {{- toYaml .Values.initContainers.resources | nindent 12 }}
         {{- if .Values.signing.enabled }}
         - name: configure-gpg
           image: "{{ include "gitea.image" . }}"
+          {{- if .Values.gitea.extraEnvSourceFile }}
+          command:
+          - "/bin/bash"
+          - "-c"
+          args:
+          - "test -f {{ .Values.gitea.extraEnvSourceFile }} && source {{ .Values.gitea.extraEnvSourceFile }} || { echo 'ERROR: Failed to source {{ .Values.gitea.extraEnvSourceFile }}'; exit 1; } && {{ .Values.initContainersScriptsVolumeMountPath }}/configure_gpg_environment.sh"
+          {{- else }}
           command:
           - "{{ .Values.initContainersScriptsVolumeMountPath }}/configure_gpg_environment.sh"
+          {{- end }}
           imagePullPolicy: {{ .Values.image.pullPolicy }}
+          {{- if $commandInitContainerSecurityContext }}
           securityContext:
-            {{- /* By default this container runs as user 1000 unless otherwise stated */ -}}
-            {{- $csc := deepCopy .Values.containerSecurityContext -}}
-            {{- if not (hasKey $csc "runAsUser") -}}
-            {{- $_ := set $csc "runAsUser" 1000 -}}
-            {{- end -}}
-            {{- toYaml $csc | nindent 12 }}
+            {{- $commandInitContainerSecurityContext | nindent 12 }}
+          {{- end }}
           env:
             - name: GNUPGHOME
               value: {{ .Values.signing.gpgHome }}
@@ -177,16 +204,21 @@ spec:
         {{- end }}
         - name: configure-gitea
           image: "{{ include "gitea.image" . }}"
+          {{- if .Values.gitea.extraEnvSourceFile }}
+          command:
+          - "/bin/bash"
+          - "-c"
+          args:
+          - "test -f {{ .Values.gitea.extraEnvSourceFile }} && source {{ .Values.gitea.extraEnvSourceFile }} || { echo 'ERROR: Failed to source {{ .Values.gitea.extraEnvSourceFile }}'; exit 1; } && {{ .Values.initContainersScriptsVolumeMountPath }}/configure_gitea.sh"
+          {{- else }}
           command:
           - "{{ .Values.initContainersScriptsVolumeMountPath }}/configure_gitea.sh"
+          {{- end }}
           imagePullPolicy: {{ .Values.image.pullPolicy }}
+          {{- if $commandInitContainerSecurityContext }}
           securityContext:
-            {{- /* By default this container runs as user 1000 unless otherwise stated */ -}}
-            {{- $csc := deepCopy .Values.containerSecurityContext -}}
-            {{- if not (hasKey $csc "runAsUser") -}}
-            {{- $_ := set $csc "runAsUser" 1000 -}}
-            {{- end -}}
-            {{- toYaml $csc | nindent 12 }}
+            {{- $commandInitContainerSecurityContext | nindent 12 }}
+          {{- end }}
           env:
             - name: GITEA_APP_INI
               value: /data/gitea/conf/app.ini
@@ -344,13 +376,10 @@ spec:
           {{- end }}
           resources:
             {{- toYaml .Values.resources | nindent 12 }}
+          {{- if $runtimeContainerSecurityContext }}
           securityContext:
-            {{- /* Honor the deprecated securityContext variable when defined */ -}}
-            {{- if .Values.containerSecurityContext -}}
-            {{ toYaml .Values.containerSecurityContext | nindent 12 -}}
-            {{- else -}}
-            {{ toYaml .Values.securityContext | nindent 12 -}}
-            {{- end }}
+            {{- $runtimeContainerSecurityContext | nindent 12 }}
+          {{- end }}
           volumeMounts:
             - name: temp
               mountPath: /tmp

templates/gitea/init.yaml

@@ -123,7 +123,7 @@ stringData:
           #   should add it to prevent requiring frequent admin password resets.
           local -a change_args
           change_args=(--username "${GITEA_ADMIN_USERNAME}" --password "${GITEA_ADMIN_PASSWORD}")
-          if gitea admin user change-password --help | grep -qF -- '--must-change-password'; then
+          if gitea admin user change-password --help | grep -F -- '--must-change-password' >/dev/null; then
             change_args+=(--must-change-password=false)
           fi
           gitea admin user change-password "${change_args[@]}"

templates/gitea/route.yaml

@@ -0,0 +1,52 @@
+{{- if .Values.route.enabled -}}
+{{- $fullName := include "gitea.fullname" . -}}
+apiVersion: route.openshift.io/v1
+kind: Route
+metadata:
+  name: {{ $fullName }}
+  namespace: {{ .Values.namespace | default .Release.Namespace }}
+  labels:
+    {{- include "gitea.labels" . | nindent 4 }}
+  {{- with .Values.route.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  {{- if .Values.route.host }}
+  host: {{ tpl .Values.route.host . | quote }}
+  {{- end }}
+  {{- if .Values.route.path }}
+  path: {{ tpl .Values.route.path . | quote }}
+  {{- end }}
+  to:
+    kind: Service
+    name: {{ $fullName }}-http
+  port:
+    targetPort: http
+  wildcardPolicy: {{ .Values.route.wildcardPolicy }}
+  {{- with .Values.route.tls }}
+  {{- if .termination }}
+  tls:
+    termination: {{ .termination }}
+    {{- if .insecureEdgeTerminationPolicy }}
+    insecureEdgeTerminationPolicy: {{ .insecureEdgeTerminationPolicy }}
+    {{- end }}
+    {{- if .key }}
+    key: |
+      {{- .key | nindent 6 }}
+    {{- end }}
+    {{- if .certificate }}
+    certificate: |
+      {{- .certificate | nindent 6 }}
+    {{- end }}
+    {{- if .caCertificate }}
+    caCertificate: |
+      {{- .caCertificate | nindent 6 }}
+    {{- end }}
+    {{- if .destinationCACertificate }}
+    destinationCACertificate: |
+      {{- .destinationCACertificate | nindent 6 }}
+    {{- end }}
+  {{- end }}
+  {{- end }}
+{{- end }}

templates/tests/test-http-connection.yaml

@@ -9,9 +9,18 @@ metadata:
   annotations:
     "helm.sh/hook": test-success
 spec:
+  {{- $hostUsers := include "gitea.hostUsers" . | trim }}
+  {{- $testContainerSecurityContext := include "gitea.containerSecurityContext" (list . (dict)) | trim }}
+  {{- if $hostUsers }}
+  hostUsers: {{ $hostUsers }}
+  {{- end }}
   containers:
     - name: wget
       image: "{{ .Values.test.image.name }}:{{ .Values.test.image.tag }}"
+      {{- if $testContainerSecurityContext }}
+      securityContext:
+        {{- $testContainerSecurityContext | nindent 8 }}
+      {{- end }}
       command: ['wget']
       args:  ['{{ include "gitea.fullname" . }}-http:{{ .Values.service.http.port }}']
   restartPolicy: Never

unittests/bash/tests/init-containers/config/config_environment.bats

@@ -9,27 +9,51 @@ function setup() {
   export GITEA_APP_INI="$BATS_TEST_TMPDIR/app.ini"
   export TMP_EXISTING_ENVS_FILE="$BATS_TEST_TMPDIR/existing-envs"
   export ENV_TO_INI_MOUNT_POINT="$BATS_TEST_TMPDIR/env-to-ini-mounts"
+  export GITEA_EDIT_INI_EXPECTED=0
+  export PATH="$BATS_TEST_TMPDIR/bin:$PATH"
 
-  stub gitea \
-      "generate secret INTERNAL_TOKEN : echo 'mocked-internal-token'" \
-      "generate secret SECRET_KEY : echo 'mocked-secret-key'" \
-      "generate secret JWT_SECRET : echo 'mocked-jwt-secret'" \
-      "generate secret LFS_JWT_SECRET : echo 'mocked-lfs-jwt-secret'"
+  mkdir -p "$BATS_TEST_TMPDIR/bin"
+  cat >"$BATS_TEST_TMPDIR/bin/gitea" <<'EOF'
+#!/usr/bin/env bash
+set -euo pipefail
+
+case "$*" in
+  'generate secret INTERNAL_TOKEN')
+    echo 'mocked-internal-token'
+    ;;
+  'generate secret SECRET_KEY')
+    echo 'mocked-secret-key'
+    ;;
+  'generate secret JWT_SECRET')
+    echo 'mocked-jwt-secret'
+    ;;
+  'generate secret LFS_JWT_SECRET')
+    echo 'mocked-lfs-jwt-secret'
+    ;;
+  "config edit-ini --apply-env --config $GITEA_APP_INI --out $GITEA_APP_INI")
+    if [ "$GITEA_EDIT_INI_EXPECTED" -eq 1 ]; then
+      echo 'Stubbed gitea config edit-ini was called!'
+      exit 0
+    fi
+
+    echo 'Unexpected gitea config edit-ini invocation' >&2
+    exit 127
+    ;;
+  *)
+    echo "Unexpected gitea invocation: $*" >&2
+    exit 127
+    ;;
+esac
+EOF
+  chmod +x "$BATS_TEST_TMPDIR/bin/gitea"
 }
 
 function teardown() {
-  unstub gitea
-  # This condition exists due to https://github.com/jasonkarns/bats-mock/pull/37 being still open
-  if [ $ENV_TO_INI_EXPECTED -eq 1 ]; then
-    unstub environment-to-ini
-  fi
+  :
 }
 
-# This function exists due to https://github.com/jasonkarns/bats-mock/pull/37 being still open
-function expect_environment_to_ini_call() {
-  export ENV_TO_INI_EXPECTED=1
-  stub environment-to-ini \
-    "-o $GITEA_APP_INI : echo 'Stubbed environment-to-ini was called!'"
+function expect_gitea_config_edit_ini_call() {
+  export GITEA_EDIT_INI_EXPECTED=1
 }
 
 function execute_test_script() {
@@ -56,18 +80,18 @@ function write_mounted_file() {
 }
 
 @test "works as expected when nothing is configured" {
-  expect_environment_to_ini_call
+  expect_gitea_config_edit_ini_call
   run $PROJECT_ROOT/scripts/init-containers/config/config_environment.sh
 
   assert_success
   assert_line '...Initial secrets generated'
   assert_line 'Reloading preset envs...'
   assert_line '=== All configuration sources loaded ==='
-  assert_line 'Stubbed environment-to-ini was called!'
+  assert_line 'Stubbed gitea config edit-ini was called!'
 }
 
 @test "exports initial secrets" {
-  expect_environment_to_ini_call
+  expect_gitea_config_edit_ini_call
   run execute_test_script
 
   assert_success
@@ -78,7 +102,7 @@ function write_mounted_file() {
 }
 
 @test "does NOT export initial secrets when app.ini already exists" {
-  expect_environment_to_ini_call
+  expect_gitea_config_edit_ini_call
   touch $GITEA_APP_INI
 
   run execute_test_script
@@ -92,7 +116,7 @@ function write_mounted_file() {
 }
 
 @test "ensures that preset environment variables take precedence over auto-generated ones" {
-  expect_environment_to_ini_call
+  expect_gitea_config_edit_ini_call
   export GITEA__OAUTH2__JWT_SECRET="pre-defined-jwt-secret"
 
   run execute_test_script
@@ -102,7 +126,7 @@ function write_mounted_file() {
 }
 
 @test "ensures that preset environment variables take precedence over mounted ones" {
-  expect_environment_to_ini_call
+  expect_gitea_config_edit_ini_call
   export GITEA__OAUTH2__JWT_SECRET="pre-defined-jwt-secret"
   write_mounted_file "inlines" "oauth2" "$(cat << EOF
 JWT_SECRET=inline-jwt-secret
@@ -117,7 +141,7 @@ EOF
 }
 
 @test "ensures that additionals take precedence over inlines" {
-  expect_environment_to_ini_call
+  expect_gitea_config_edit_ini_call
   write_mounted_file "inlines" "oauth2" "$(cat << EOF
 JWT_SECRET=inline-jwt-secret
 EOF
@@ -136,7 +160,7 @@ EOF
 }
 
 @test "ensures that dotted/dashed sections are properly masked" {
-  expect_environment_to_ini_call
+  expect_gitea_config_edit_ini_call
   write_mounted_file "inlines" "repository.pull-request" "$(cat << EOF
 WORK_IN_PROGRESS_PREFIXES=WIP:,[WIP]
 EOF
@@ -152,7 +176,7 @@ EOF
 ##### THIS IS A BUG, BUT I WANT IT TO BE COVERED BY TESTS #####
 ###############################################################
 @test "ensures uppercase section and setting names (🐞)" {
-  expect_environment_to_ini_call
+  expect_gitea_config_edit_ini_call
   export GITEA__oauth2__JwT_Secret="pre-defined-jwt-secret"
   write_mounted_file "inlines" "repository.pull-request" "$(cat << EOF
 WORK_IN_progress_PREFIXES=WIP:,[WIP]
@@ -167,7 +191,7 @@ EOF
 }
 
 @test "treats top-level configuration as section-less" {
-  expect_environment_to_ini_call
+  expect_gitea_config_edit_ini_call
   write_mounted_file "inlines" "_generals_" "$(cat << EOF
 APP_NAME=Hello top-level configuration
 RUN_MODE=dev

unittests/helm/config/cache-config.yaml

@@ -31,7 +31,7 @@ tests:
           path: stringData.cache
           value: |-
             ADAPTER=redis
-            HOST=redis://:changeme@gitea-unittests-valkey-headless.testing.svc.cluster.local:6379/0?pool_size=100&idle_timeout=180s&
+            HOST=redis://:changeme@gitea-unittests-valkey-primary.testing.svc.cluster.local:6379/0?pool_size=100&idle_timeout=180s&
 
   - it: "cache is configured correctly for 'memory' when valkey (or valkey-cluster) is disabled"
     template: templates/gitea/config.yaml

unittests/helm/config/config-environment-script.yaml

@@ -0,0 +1,14 @@
+suite: config template | config_environment.sh
+release:
+  name: gitea-unittests
+  namespace: testing
+templates:
+  - templates/gitea/config.yaml
+tests:
+  - it: uses `gitea config edit-ini` to write app.ini from environment variables
+    template: templates/gitea/config.yaml
+    asserts:
+      - documentIndex: 1
+        matchRegex:
+          path: stringData["config_environment.sh"]
+          pattern: 'gitea config edit-ini --apply-env --config .+GITEA_APP_INI.+ --out .+GITEA_APP_INI'

unittests/helm/config/queue-config.yaml

@@ -30,7 +30,7 @@ tests:
         equal:
           path: stringData.queue
           value: |-
-            CONN_STR=redis://:changeme@gitea-unittests-valkey-headless.testing.svc.cluster.local:6379/0?pool_size=100&idle_timeout=180s&
+            CONN_STR=redis://:changeme@gitea-unittests-valkey-primary.testing.svc.cluster.local:6379/0?pool_size=100&idle_timeout=180s&
             TYPE=redis
 
   - it: "queue is configured correctly for 'levelDB' when valkey (and valkey-cluster) is disabled"

unittests/helm/config/server-section_domain.yaml

@@ -65,3 +65,41 @@ tests:
         matchRegex:
           path: stringData.server
           pattern: \nROOT_URL=http://provided.example.com
+
+  ################################################
+
+  - it: "[route enabled] uses route host for DOMAIN|SSH_DOMAIN|ROOT_URL"
+    template: templates/gitea/config.yaml
+    set:
+      route:
+        enabled: true
+        host: route.example.com
+    asserts:
+      - documentIndex: 0
+        matchRegex:
+          path: stringData.server
+          pattern: \nDOMAIN=route.example.com
+      - documentIndex: 0
+        matchRegex:
+          path: stringData.server
+          pattern: \nSSH_DOMAIN=route.example.com
+      - documentIndex: 0
+        matchRegex:
+          path: stringData.server
+          pattern: \nROOT_URL=http://route.example.com
+
+  ################################################
+
+  - it: "[route tls termination] uses https for ROOT_URL"
+    template: templates/gitea/config.yaml
+    set:
+      route:
+        enabled: true
+        host: route.example.com
+        tls:
+          termination: edge
+    asserts:
+      - documentIndex: 0
+        matchRegex:
+          path: stringData.server
+          pattern: \nROOT_URL=https://route.example.com

unittests/helm/config/session-config.yaml

@@ -31,7 +31,7 @@ tests:
           path: stringData.session
           value: |-
             PROVIDER=redis
-            PROVIDER_CONFIG=redis://:changeme@gitea-unittests-valkey-headless.testing.svc.cluster.local:6379/0?pool_size=100&idle_timeout=180s&
+            PROVIDER_CONFIG=redis://:changeme@gitea-unittests-valkey-primary.testing.svc.cluster.local:6379/0?pool_size=100&idle_timeout=180s&
 
   - it: "session is configured correctly for 'memory' when valkey (and valkey-cluster) is disabled"
     template: templates/gitea/config.yaml

unittests/helm/dependency-checks/customization-integrity-valkey-cluster.yaml

@@ -87,4 +87,4 @@ tests:
       - documentIndex: 0
         matchRegex:
           path: stringData["configure_gitea.sh"]
-          pattern: nc -vz -w2 gitea-unittests-valkey-cluster-headless.testing.svc.cluster.local 6379
+          pattern: nc -vz -w2 gitea-unittests-valkey-cluster-headless.testing.svc 6379

unittests/helm/dependency-checks/customization-integrity-valkey.yaml

@@ -29,18 +29,19 @@ tests:
           path: data["valkey-password"]
           value: "Z2l0ZWEtcGFzc3dvcmQ="
   - it: "[valkey] renders the referenced service"
-    template: charts/valkey/templates/headless-svc.yaml
+    template: charts/valkey/templates/primary/service.yaml
     asserts:
       - containsDocument:
           kind: Service
           apiVersion: v1
-          name: gitea-unittests-valkey-headless
+          name: gitea-unittests-valkey-primary
           namespace: testing
       - documentIndex: 0
         contains:
           path: spec.ports
           content:
             name: tcp-redis
+            nodePort: null
             port: 6379
             targetPort: redis
   - it: "[gitea] waits for valkey to be up and running"
@@ -49,4 +50,4 @@ tests:
       - documentIndex: 0
         matchRegex:
           path: stringData["configure_gitea.sh"]
-          pattern: nc -vz -w2 gitea-unittests-valkey-headless.testing.svc.cluster.local 6379
+          pattern: nc -vz -w2 gitea-unittests-valkey-primary.testing.svc 6379

unittests/helm/deployment/extraEnvSourceFile.yaml

@@ -0,0 +1,82 @@
+suite: deployment template (extraEnvSourceFile)
+release:
+  name: gitea-unittests
+  namespace: testing
+templates:
+  - templates/gitea/deployment.yaml
+  - templates/gitea/config.yaml
+tests:
+  - it: uses direct execution when extraEnvSourceFile is not set
+    template: templates/gitea/deployment.yaml
+    asserts:
+      - equal:
+          path: spec.template.spec.initContainers[1].command
+          value: ["/usr/sbinx/config_environment.sh"]
+      - notExists:
+          path: spec.template.spec.initContainers[1].args
+      - equal:
+          path: spec.template.spec.initContainers[2].command
+          value: ["/usr/sbinx/configure_gitea.sh"]
+      - notExists:
+          path: spec.template.spec.initContainers[2].args
+
+  - it: sources env file in init-app-ini when extraEnvSourceFile is set
+    template: templates/gitea/deployment.yaml
+    set:
+      gitea:
+        extraEnvSourceFile: /vault/secrets/gitea
+    asserts:
+      - equal:
+          path: spec.template.spec.initContainers[1].command
+          value: ["/bin/bash", "-c"]
+      - matchRegex:
+          path: spec.template.spec.initContainers[1].args[0]
+          pattern: source /vault/secrets/gitea
+      - matchRegex:
+          path: spec.template.spec.initContainers[1].args[0]
+          pattern: config_environment\.sh
+
+  - it: sources env file in configure-gitea when extraEnvSourceFile is set
+    template: templates/gitea/deployment.yaml
+    set:
+      gitea:
+        extraEnvSourceFile: /vault/secrets/gitea
+    asserts:
+      - equal:
+          path: spec.template.spec.initContainers[2].command
+          value: ["/bin/bash", "-c"]
+      - matchRegex:
+          path: spec.template.spec.initContainers[2].args[0]
+          pattern: source /vault/secrets/gitea
+      - matchRegex:
+          path: spec.template.spec.initContainers[2].args[0]
+          pattern: configure_gitea\.sh
+
+  - it: sources env file in configure-gpg when extraEnvSourceFile is set with signing enabled
+    template: templates/gitea/deployment.yaml
+    set:
+      signing:
+        enabled: true
+        existingSecret: "custom-gpg-secret"
+      gitea:
+        extraEnvSourceFile: /vault/secrets/gitea
+    asserts:
+      - equal:
+          path: spec.template.spec.initContainers[2].command
+          value: ["/bin/bash", "-c"]
+      - matchRegex:
+          path: spec.template.spec.initContainers[2].args[0]
+          pattern: source /vault/secrets/gitea
+      - matchRegex:
+          path: spec.template.spec.initContainers[2].args[0]
+          pattern: configure_gpg_environment\.sh
+
+  - it: includes file existence check in source command
+    template: templates/gitea/deployment.yaml
+    set:
+      gitea:
+        extraEnvSourceFile: /vault/secrets/gitea
+    asserts:
+      - matchRegex:
+          path: spec.template.spec.initContainers[1].args[0]
+          pattern: "test -f /vault/secrets/gitea"

unittests/helm/deployment/openshift.yaml

@@ -0,0 +1,106 @@
+suite: deployment template (openshift)
+release:
+  name: gitea-unittests
+  namespace: testing
+templates:
+  - templates/gitea/deployment.yaml
+  - templates/gitea/config.yaml
+tests:
+  - it: renders openshift-compatible defaults for chart-managed containers
+    template: templates/gitea/deployment.yaml
+    set:
+      openshift.enabled: true
+    asserts:
+      - notExists:
+          path: spec.template.spec.hostUsers
+      - notExists:
+          path: spec.template.spec.securityContext
+      - equal:
+          path: spec.template.spec.initContainers[0].securityContext
+          value:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            runAsNonRoot: true
+            seccompProfile:
+              type: RuntimeDefault
+      - equal:
+          path: spec.template.spec.initContainers[1].securityContext
+          value:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            runAsNonRoot: true
+            seccompProfile:
+              type: RuntimeDefault
+      - equal:
+          path: spec.template.spec.initContainers[2].securityContext
+          value:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            runAsNonRoot: true
+            seccompProfile:
+              type: RuntimeDefault
+      - equal:
+          path: spec.template.spec.containers[0].securityContext
+          value:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            runAsNonRoot: true
+            seccompProfile:
+              type: RuntimeDefault
+
+  - it: does not force runAsUser 1000 for command init containers on OpenShift
+    template: templates/gitea/deployment.yaml
+    set:
+      openshift.enabled: true
+      signing.enabled: true
+      signing.existingSecret: custom-gpg-secret
+    asserts:
+      - notExists:
+          path: spec.template.spec.initContainers[2].securityContext.runAsUser
+      - notExists:
+          path: spec.template.spec.initContainers[3].securityContext.runAsUser
+
+  - it: preserves explicit pod and container security context overrides on OpenShift
+    template: templates/gitea/deployment.yaml
+    set:
+      openshift:
+        enabled: true
+        hostUsers: true
+      podSecurityContext:
+        fsGroup: 1000620000
+      containerSecurityContext:
+        runAsUser: 1000620000
+        runAsGroup: 1000620000
+    asserts:
+      - equal:
+          path: spec.template.spec.hostUsers
+          value: true
+      - equal:
+          path: spec.template.spec.securityContext
+          value:
+            fsGroup: 1000620000
+      - equal:
+          path: spec.template.spec.initContainers[2].securityContext.runAsUser
+          value: 1000620000
+      - equal:
+          path: spec.template.spec.containers[0].securityContext.runAsGroup
+          value: 1000620000
+
+  - it: renders an explicit hostUsers=false override on OpenShift
+    template: templates/gitea/deployment.yaml
+    set:
+      openshift:
+        enabled: true
+        hostUsers: false
+    asserts:
+      - equal:
+          path: spec.template.spec.hostUsers
+          value: false

unittests/helm/route/basic.yaml

@@ -0,0 +1,58 @@
+suite: Test route.yaml
+release:
+  name: gitea-unittests
+  namespace: testing
+templates:
+  - templates/gitea/route.yaml
+tests:
+  - it: should create route when route.enabled is true
+    set:
+      route:
+        enabled: true
+        host: git.apps.example.com
+        path: /
+        annotations:
+          haproxy.router.openshift.io/timeout: 5m
+        tls:
+          termination: edge
+          insecureEdgeTerminationPolicy: Redirect
+    asserts:
+      - hasDocuments:
+          count: 1
+      - equal:
+          path: metadata.name
+          value: gitea-unittests
+      - equal:
+          path: metadata.annotations["haproxy.router.openshift.io/timeout"]
+          value: 5m
+      - equal:
+          path: spec.host
+          value: git.apps.example.com
+      - equal:
+          path: spec.path
+          value: /
+      - equal:
+          path: spec.to.kind
+          value: Service
+      - equal:
+          path: spec.to.name
+          value: gitea-unittests-http
+      - equal:
+          path: spec.port.targetPort
+          value: http
+      - equal:
+          path: spec.wildcardPolicy
+          value: None
+      - equal:
+          path: spec.tls.termination
+          value: edge
+      - equal:
+          path: spec.tls.insecureEdgeTerminationPolicy
+          value: Redirect
+
+  - it: should not create route when route.enabled is false
+    set:
+      route.enabled: false
+    asserts:
+      - hasDocuments:
+          count: 0

unittests/helm/tests/test-http-connection.yaml

@@ -0,0 +1,33 @@
+suite: test connection template
+release:
+  name: gitea-unittests
+  namespace: testing
+templates:
+  - templates/tests/test-http-connection.yaml
+tests:
+  - it: renders openshift-compatible defaults for the test pod
+    set:
+      openshift.enabled: true
+    asserts:
+      - notExists:
+          path: spec.hostUsers
+      - equal:
+          path: spec.containers[0].securityContext
+          value:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            runAsNonRoot: true
+            seccompProfile:
+              type: RuntimeDefault
+
+  - it: renders an explicit hostUsers=false override for the test pod
+    set:
+      openshift:
+        enabled: true
+        hostUsers: false
+    asserts:
+      - equal:
+          path: spec.hostUsers
+          value: false

values.yaml

@@ -62,9 +62,14 @@ imagePullSecrets: []
 
 ## @section Security
 # Security context is only usable with rootless image due to image design
-## @param podSecurityContext.fsGroup Set the shared file system group for all containers in the pod.
-podSecurityContext:
-  fsGroup: 1000
+## @param openshift.enabled Enable OpenShift compatibility defaults for chart-managed pods. Defaults to auto-detect based on the SecurityContextConstraints API.
+## @param openshift.hostUsers Override the PodSpec hostUsers field for chart-managed pods. When unset, the field is omitted so the platform default is used.
+openshift:
+  enabled: null
+  hostUsers: null
+
+## @param podSecurityContext Pod security context. On non-OpenShift clusters the chart defaults `fsGroup` to `1000` when this map is empty.
+podSecurityContext: {}
 
 ## @param containerSecurityContext Security context
 containerSecurityContext: {}
@@ -177,6 +182,32 @@ ingress:
   #    hosts:
   #      - git.example.com
 
+## @section Route
+## @param route.enabled Enable OpenShift Route
+## @param route.annotations Route annotations
+## @param route.host Route host. When unset, OpenShift may generate one and Gitea URL defaults fall back to ingress/service values.
+## @param route.path Route path
+## @param route.wildcardPolicy Route wildcard policy
+## @param route.tls.termination Route TLS termination type
+## @param route.tls.insecureEdgeTerminationPolicy Route insecure edge termination policy
+## @param route.tls.key Route TLS key
+## @param route.tls.certificate Route TLS certificate
+## @param route.tls.caCertificate Route TLS CA certificate
+## @param route.tls.destinationCACertificate Route destination CA certificate
+route:
+  enabled: false
+  annotations: {}
+  host: ""
+  path: ""
+  wildcardPolicy: None
+  tls:
+    termination:
+    insecureEdgeTerminationPolicy:
+    key:
+    certificate:
+    caCertificate:
+    destinationCACertificate:
+
 ## @section deployment
 #
 ## @param resources Kubernetes resources
@@ -446,6 +477,28 @@ gitea:
   ## @param gitea.additionalConfigFromEnvs Additional configuration sources from environment variables
   additionalConfigFromEnvs: []
 
+  ## @param gitea.extraEnvSourceFile Source environment variables from a file during init container startup. This is especially useful for reading environment variable files generated by the Vault agent-injector.
+  ## See the sample annotations below for reference.
+  ## podAnnotations:
+  ##   vault.hashicorp.com/agent-inject: "true"
+  ##   vault.hashicorp.com/agent-init-first: "true"
+  ##   vault.hashicorp.com/agent-inject-secret-gitea: <path/to/secret>
+  ##   vault.hashicorp.com/agent-inject-template-gitea: |
+  ##     {{- with secret "path/to/secret" -}}
+  ##     export GITEA__database__HOST="{{ .Data.data.db_host }}"
+  ##     export GITEA__database__NAME="{{ .Data.data.db_name }}"
+  ##     export GITEA__database__USER="{{ .Data.data.db_user }}"
+  ##     export GITEA__database__PASSWD="{{ .Data.data.db_password }}"
+  ##     export GITEA__queue__CONN_STR="{{ .Data.data.kv_conn_string }}"
+  ##     export GITEA__session__PROVIDER_CONFIG="{{ .Data.data.kv_conn_string }}"
+  ##     export GITEA__cache__HOST="{{ .Data.data.kv_conn_string }}"
+  ##     export GITEA_ADMIN_USERNAME="{{ .Data.data.gitea_admin_user }}"
+  ##     export GITEA_ADMIN_PASSWORD="{{ .Data.data.gitea_admin_password }}"
+  ##     {{- end }}
+
+  # extraEnvSourceFile: /vault/secrets/gitea
+  extraEnvSourceFile:
+
   ## @param gitea.podAnnotations Annotations for the Gitea pod
   podAnnotations: {}