fix(ci): improve workflows (#959)

🤖 Split up helm chart workflows

The following patch adapts the CI workflows. The worflows has been splitted into
dedicated parts. For example the `helm template` and `helm unittest` command is
now a seperate step to notice that a change affects the template mechanism but
not the unittest. This was priviously not possible, because both commands were
part of one step.

🤖 Changelog Issue

Additionally has the changelog workflow be improved. The shell commands has
been migrated to a dedicated file named `.gitea/scripts/changelog.sh`. This has
the advantage, that the shellcheck plugin of IDE's support developers by
developing such shell scripts. Furthermore, the used container image has been
replaced by the ubuntu:latest image of the act_runner. This make it more
comfortable in using `curl` or `jq`, because the complete set of features/flags
are
avialable instead of the previously used container image
`docker.io/thegeeklab/git-sv:2.0.5`. Final note to the shell script
`changelog.sh`, this can now be executed locally as well as on ARM-based
act_runners and helps to test the helm chart in own Gitea environments
beforehand.

🤖 Markdown linter

In addition, a new workflow for markdown files has now been introduced. This
checks the `README.md` file for links, ensures that it is properly formatted,
and verifies that the parameters match those in `values.yaml`. Here, too, the
commands have been outsourced to separate jobs so that more precise interaction
is possible in the event of an error.

⚠️ Warning

This patch also requires an adjustment in branch protection. There, the
workflows that must be successful before a merge must be redefined.

Reviewed-on: https://gitea.com/gitea/helm-gitea/pulls/959
Reviewed-by: Lunny Xiao <xiaolunwen@gmail.com>
Co-authored-by: Markus Pesch <markus.pesch@cryptic.systems>
Co-committed-by: Markus Pesch <markus.pesch@cryptic.systems>

.gitea/scripts/update-changelog.sh

@@ -0,0 +1,86 @@
+#!/bin/bash
+
+DEFAULT_GITEA_SERVER_URL="${GITHUB_SERVER_URL:-"https://gitea.com"}"
+DEFAULT_GITEA_REPOSITORY="${GITHUB_REPOSITORY:-"gitea/helm-gitea"}"
+DEFAULT_GITEA_TOKEN="${ISSUE_RW_TOKEN:-""}"
+
+if [ -z "${1}" ]; then
+  read -p "Enter hostname of the Gitea instance [${DEFAULT_GITEA_SERVER_URL}]: " CURRENT_GITEA_SERVER_URL
+  if [ -z "${CURRENT_GITEA_SERVER_URL}" ]; then
+    CURRENT_GITEA_SERVER_URL="${DEFAULT_GITEA_SERVER_URL}"
+  fi
+else
+  CURRENT_GITEA_SERVER_URL=$1
+fi
+
+if [ -z "${2}" ]; then
+  read -p "Enter name of the git repository [${DEFAULT_GITEA_REPOSITORY}]: " CURRENT_GITEA_REPOSITORY
+  if [ -z "${CURRENT_GITEA_REPOSITORY}" ]; then
+    CURRENT_GITEA_REPOSITORY="${DEFAULT_GITEA_REPOSITORY}"
+  fi
+else
+  CURRENT_GITEA_REPOSITORY=$2
+fi
+
+if [ -z "${3}" ]; then
+  read -p "Enter token to access the Gitea instance [${DEFAULT_GITEA_TOKEN}]: " CURRENT_GITEA_TOKEN
+  if [ -z "${CURRENT_GITEA_TOKEN}" ]; then
+    CURRENT_GITEA_TOKEN="${DEFAULT_GITEA_TOKEN}"
+  fi
+else
+  CURRENT_GITEA_TOKEN=$3
+fi
+
+if ! git sv rn -o /tmp/changelog.md; then
+  echo "ERROR: Failed to generate /tmp/changelog.md" 1>&2
+  exit 1
+fi
+
+CURL_ARGS=(
+  "--data-urlencode" "q=Changelog for upcoming version"
+  # "--data-urlencode=\"q=Changelog for upcoming version\""
+  "--data-urlencode" "state=open"
+  "--fail"
+  "--header" "Accept: application/json"
+  "--header" "Authorization: token ${CURRENT_GITEA_TOKEN}"
+  "--request" "GET"
+  "--silent"
+)
+
+if ! ISSUE_NUMBER="$(curl "${CURL_ARGS[@]}" "${CURRENT_GITEA_SERVER_URL}/api/v1/repos/${CURRENT_GITEA_REPOSITORY}/issues" | jq '.[].number')"; then
+  echo "ERROR: Failed query issue number" 1>&2
+  exit 1
+fi
+export ISSUE_NUMBER
+
+if ! echo "" | jq --raw-input --slurp --arg title "Changelog for upcoming version" --arg body "$(cat /tmp/changelog.md)" '{title: $title, body: $body}' 1> /tmp/payload.json; then
+  echo "ERROR: Failed to create JSON payload file" 1>&2
+  exit 1
+fi
+
+CURL_ARGS=(
+  "--data" "@/tmp/payload.json"
+  "--fail"
+  "--header" "Authorization: token ${CURRENT_GITEA_TOKEN}"
+  "--header" "Content-Type: application/json"
+  "--location"
+  "--silent"
+  "--output" "/dev/null"
+)
+
+if [ -z "${ISSUE_NUMBER}" ]; then
+  if ! curl "${CURL_ARGS[@]}" --request POST "${CURRENT_GITEA_SERVER_URL}/api/v1/repos/${CURRENT_GITEA_REPOSITORY}/issues"; then
+    echo "ERROR: Failed to create new issue!" 1>&2
+    exit 1
+  else
+    echo "INFO: Successfully created new issue!"
+  fi
+else
+  if ! curl "${CURL_ARGS[@]}" --request PATCH "${CURRENT_GITEA_SERVER_URL}/api/v1/repos/${CURRENT_GITEA_REPOSITORY}/issues/${ISSUE_NUMBER}"; then
+    echo "ERROR: Failed to update issue with ID ${ISSUE_NUMBER}!" 1>&2
+    exit 1
+  else
+    echo "INFO: Successfully updated existing issue with ID ${ISSUE_NUMBER}!"
+    echo "INFO: ${CURRENT_GITEA_SERVER_URL}/${CURRENT_GITEA_REPOSITORY}/issues/${ISSUE_NUMBER}"
+  fi
+fi

.gitea/workflows/changelog.yml

@@ -1,32 +0,0 @@
-name: changelog
-
-on:
-  push:
-    branches:
-      - main
-
-jobs:
-  changelog:
-    runs-on: ubuntu-latest
-    container: docker.io/thegeeklab/git-sv:2.0.5
-    steps:
-      - name: install tools
-        run: |
-          apk add -q --update --no-cache nodejs curl jq sed
-      - uses: actions/checkout@v5
-        with:
-          fetch-depth: 0
-      - name: Generate upcoming changelog
-        run: |
-          git sv rn -o changelog.md
-          export RELEASE_NOTES=$(cat changelog.md)
-          export ISSUE_NUMBER=$(curl -s "https://gitea.com/api/v1/repos/gitea/helm-gitea/issues?state=open&q=Changelog%20for%20upcoming%20version" | jq '.[].number')
-
-          echo $RELEASE_NOTES
-          JSON_DATA=$(echo "" | jq -Rs --arg title 'Changelog for upcoming version' --arg body "$(cat changelog.md)" '{title: $title, body: $body}')
-
-          if [ -z "$ISSUE_NUMBER" ]; then
-            curl -s -X POST "https://gitea.com/api/v1/repos/gitea/helm-gitea/issues" -H "Authorization: token ${{ secrets.ISSUE_RW_TOKEN }}" -H "Content-Type: application/json" -d "$JSON_DATA"
-          else
-            curl -s -X PATCH "https://gitea.com/api/v1/repos/gitea/helm-gitea/issues/$ISSUE_NUMBER" -H "Authorization: token ${{ secrets.ISSUE_RW_TOKEN }}" -H "Content-Type: application/json" -d "$JSON_DATA"
-          fi

.gitea/workflows/commitlint.yml

@@ -1,19 +1,17 @@
-name: commitlint
+name: Rum commitlint
 
 on:
   pull_request:
-    branches:
+    branches: [ '**' ]
-      - "*"
+    types: [ "opened", "edited" ]
-    types:
-      - opened
-      - edited
 
 jobs:
   check-and-test:
+    container: docker.io/commitlint/commitlint:19.9.1
+    name: Execute commitlint
     runs-on: ubuntu-latest
-    container: commitlint/commitlint:19.9.1
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v5.0.0
-      - name: check PR title
+      - name: Check PR title
         run: |
           echo "${{ gitea.event.pull_request.title }}" | commitlint --config .commitlintrc.json

.gitea/workflows/helm.yml

@@ -0,0 +1,75 @@
+name: Run Helm tests
+
+on:
+  pull_request:
+    branches: [ '**' ]
+  push:
+    branches: [ '**' ]
+    tags-ignore: [ '**' ]
+  workflow_call: {}
+
+env:
+  # renovate: datasource=github-releases depName=helm-unittest/helm-unittest
+  HELM_UNITTEST_VERSION: "v1.0.1"
+
+jobs:
+  helm-lint:
+    container: docker.io/alpine/helm:3.18.6
+    name: Execute helm lint
+    runs-on: ubuntu-latest
+    steps:
+      - name: Install additional tools
+        run: |
+          apk update
+          apk add --update bash make nodejs
+      - uses: actions/checkout@v5.0.0
+      - name: Install helm chart dependencies
+        run: helm dependency build
+      - name: Execute helm lint
+        run: helm lint
+
+  helm-template:
+    container: docker.io/alpine/helm:3.18.6
+    name: Execute helm template
+    runs-on: ubuntu-latest
+    steps:
+      - name: Install additional tools
+        run: |
+          apk update
+          apk add --update bash make nodejs
+      - uses: actions/checkout@v5.0.0
+      - name: Install helm chart dependencies
+        run: helm dependency build
+      - name: Execute helm template
+        run: helm template --debug gitea-helm .
+
+  helm-unittest:
+    container: docker.io/alpine/helm:3.18.6
+    name: Execute helm unittest
+    runs-on: ubuntu-latest
+    steps:
+      - name: Install additional tools
+        run: |
+          apk update
+          apk add --update bash make nodejs npm yamllint ncurses
+      - uses: actions/checkout@v5.0.0
+      - name: Install helm chart dependencies
+        run: helm dependency build
+      - name: Install helm plugin 'unittest'
+        run: |
+          helm plugin install --version ${{ env.HELM_UNITTEST_VERSION }} https://github.com/helm-unittest/helm-unittest
+          git submodule update --init --recursive
+      - name: Execute helm unittest
+        env:
+          TERM: xterm
+        run: make unittests
+
+
+
+
+      # - name: verify readme
+      #   run: |
+      #     make readme
+      #     git diff --exit-code --name-only README.md
+      # - name: yaml lint
+      #   uses: https://github.com/ibiqlik/action-yamllint@v3

.gitea/workflows/markdown-linters.yml

@@ -0,0 +1,52 @@
+name: Markdown linter
+
+on:
+  pull_request:
+    types: [ "opened", "reopened", "synchronize" ]
+  push:
+    branches: [ '**' ]
+    tags-ignore: [ '**' ]
+  workflow_dispatch: {}
+
+jobs:
+  readme-link:
+    container:
+      image: docker.io/library/node:24.9.0-alpine
+    name: Execute npm run readme:link
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v5.0.0
+    - name: Execute npm run readme:link
+      run: |
+        npm install
+        npm run readme:link
+
+  readme-lint:
+    container:
+      image: docker.io/library/node:24.9.0-alpine
+    name: Execute npm run readme:lint
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v5.0.0
+    - name: Execute npm run readme:lint
+      run: |
+        npm install
+        npm run readme:lint
+
+  readme-parameters:
+    container:
+      image: docker.io/library/node:24.9.0-alpine
+    name: Execute npm run readme:parameters
+    runs-on: ubuntu-latest
+    steps:
+    - name: Install tooling
+      run: |
+        apk update
+        apk add git
+    - uses: actions/checkout@v5.0.0
+    - name: Execute npm run readme:parameters
+      run: |
+        npm install
+        npm run readme:parameters
+    - name: Compare diff
+      run: git diff --exit-code --name-only README.md

.gitea/workflows/release-version.yml

@@ -2,14 +2,13 @@ name: generate-chart
 
 on:
   push:
-    tags:
+    tags: [ '**' ]
-      - "*"
 
 jobs:
   generate-chart-publish:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v5.0.0
         with:
           fetch-depth: 0
 
@@ -65,11 +64,11 @@ jobs:
           OLD_TAG="$(git tag --sort=-version:refname | head --lines 2 | tail --lines 1)"
           .gitea/scripts/add-annotations.sh "${OLD_TAG}" "${NEW_TAG}"
 
-      - name: Print Chart.yaml
+      - name: Print Chart.yaml on stdout
         run: cat Chart.yaml
 
       # Using helm gpg plugin as 'helm package --sign' has issues with gpg2: https://github.com/helm/helm/issues/2843
-      - name: package chart
+      - name: Package Helm chart
         run: |
           echo ${{ secrets.DOCKER_CHARTS_PASSWORD }} | docker login -u ${{ secrets.DOCKER_CHARTS_USERNAME }} --password-stdin
           # FIXME: use upstream after https://github.com/technosophos/helm-gpg/issues/1 is solved
@@ -85,7 +84,7 @@ jobs:
           helm push gitea/gitea-${GITHUB_REF#refs/tags/v}.tgz oci://registry-1.docker.io/giteacharts
           helm registry logout registry-1.docker.io
 
-      - name: aws credential configure
+      - name: Configure AWS credentials
         uses: https://github.com/aws-actions/configure-aws-credentials@v5
         with:
           aws-access-key-id: ${{ secrets.AWS_KEY_ID }}
@@ -97,14 +96,14 @@ jobs:
           aws s3 sync gitea/ s3://${{ secrets.AWS_S3_BUCKET}}/charts/
 
   release-gitea:
+    container: docker.io/thegeeklab/git-sv:2.0.5
     needs: generate-chart-publish
     runs-on: ubuntu-latest
-    container: docker.io/thegeeklab/git-sv:2.0.5
     steps:
-      - name: install tools
+      - name: Install packages via apt
         run: |
           apk add -q --update --no-cache nodejs
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v5.0.0
         with:
           fetch-tags: true
           fetch-depth: 0

.gitea/workflows/test-pr.yml

@@ -1,45 +0,0 @@
-name: check-and-test
-
-on:
-  pull_request:
-    branches:
-      - "*"
-  push:
-    branches:
-      - main
-
-env:
-  # renovate: datasource=github-releases depName=helm-unittest/helm-unittest
-  HELM_UNITTEST_VERSION: "v1.0.1"
-
-jobs:
-  check-and-test:
-    runs-on: ubuntu-latest
-    container: alpine/helm:3.18.6
-    steps:
-      - name: install tools
-        run: |
-          apk update
-          apk add --update bash make nodejs npm yamllint ncurses
-      - uses: actions/checkout@v5
-      - name: install chart dependencies
-        run: helm dependency build
-      - name: lint
-        run: helm lint
-      - name: template
-        run: helm template --debug gitea-helm .
-      - name: prepare unit test environment
-        run: |
-          helm plugin install --version ${{ env.HELM_UNITTEST_VERSION }} https://github.com/helm-unittest/helm-unittest
-          git submodule update --init --recursive
-      - name: unit tests
-        env:
-          TERM: xterm
-        run: |
-          make unittests
-      - name: verify readme
-        run: |
-          make readme
-          git diff --exit-code --name-only README.md
-      - name: yaml lint
-        uses: https://github.com/ibiqlik/action-yamllint@v3

.gitea/workflows/update-changelog.yml

@@ -0,0 +1,29 @@
+name: Update changelog
+
+on:
+  push:
+    branches: [ "main" ]
+  workflow_dispatch: {}
+
+jobs:
+  changelog:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Install packages via apt-get
+        run: |
+          apt-get update &&
+          apt-get install --yes curl jq
+      - uses: actions/checkout@v5.0.0
+        with:
+          fetch-depth: 0
+      - name: Install git-sv
+        env:
+          GIT_SV_VERSION: v2.0.4 # renovate: datasource=github-releases depName=thegeeklab/git-sv
+        run: |
+          curl --fail --location --output /usr/local/bin/git-sv --silent --show-error https://github.com/thegeeklab/git-sv/releases/download/${GIT_SV_VERSION}/git-sv-linux-$(dpkg --print-architecture)
+          chmod +x /usr/local/bin/git-sv
+          git-sv --version
+      - name: Update changelog issue
+        env:
+          ISSUE_RW_TOKEN: ${{ secrets.ISSUE_RW_TOKEN }}
+        run: .gitea/scripts/update-changelog.sh

.markdownlink.json

@@ -0,0 +1,8 @@
+{
+  "projectBaseUrl":"${workspaceFolder}",
+  "ignorePatterns": [
+    {
+      "pattern": "^http://localhost"
+    }
+  ]
+}

CONTRIBUTING.md

@@ -44,8 +44,7 @@ be used:
    `helm install --dependency-update gitea . -f values.yaml`.
 1. Gitea is now deployed in `minikube`.
    To access it, it's port needs to be forwarded first from `minikube` to localhost first via `kubectl --namespace
-default port-forward svc/gitea-http 3000:3000`.
+default port-forward svc/gitea-http 3000:3000`. Now Gitea is accessible at [http://localhost:3000](http://localhost:3000).
-   Now Gitea is accessible at [http://localhost:3000](http://localhost:3000).
 
 ### Unit tests
 

README.md

@@ -17,7 +17,7 @@
     - [Rootless Defaults](#rootless-defaults)
     - [Session, Cache and Queue](#session-cache-and-queue)
   - [Single-Pod Configurations](#single-pod-configurations)
-  - [Additional _app.ini_ settings](#additional-appini-settings)
+  - [Additional app.ini settings](#additional-appini-settings)
     - [User defined environment variables in app.ini](#user-defined-environment-variables-in-appini)
   - [External Database](#external-database)
   - [Ports and external url](#ports-and-external-url)
@@ -72,7 +72,7 @@ Additionally, this chart allows to provide LDAP and admin user configuration wit
 ## Update and versioning policy
 
 The Gitea helm chart versioning does not follow Gitea's versioning.
-The latest chart version can be looked up in [https://dl.gitea.com/charts](https://dl.gitea.com/charts) or in the [repository releases](https://gitea.com/gitea/helm-gitea/releases).
+The latest chart version can be looked up in [https://dl.gitea.com/charts/](https://dl.gitea.com/charts/) or in the [repository releases](https://gitea.com/gitea/helm-gitea/releases).
 
 The chart aims to follow Gitea's releases closely.
 There might be times when the chart is behind the latest Gitea release.
@@ -266,7 +266,7 @@ If `.Values.image.rootless: true`, then the following will occur. In case you us
 
 - `$HOME` becomes `/data/gitea/git`
 
-  [see deployment.yaml](./templates/gitea/deployment.yaml) template inside (init-)container "env" declarations
+  [see deployment.yaml](./templates/deployment.yaml) template inside (init-)container "env" declarations
 
 - `START_SSH_SERVER: true` (Unless explicity overwritten by `gitea.config.server.START_SSH_SERVER`)
 
@@ -278,7 +278,7 @@ If `.Values.image.rootless: true`, then the following will occur. In case you us
 
 - `SSH_LOG_LEVEL` environment variable is not injected into the container
 
-  [see deployment.yaml](./templates/gitea/deployment.yaml) template inside container "env" declarations
+  [see deployment.yaml](./templates/deployment.yaml) template inside container "env" declarations
 
 #### Session, Cache and Queue
 
@@ -360,7 +360,7 @@ If HA is not needed/desired, the following configurations can be used to deploy
 
    </details>
 
-### Additional _app.ini_ settings
+### Additional app.ini settings
 
 > **The [generic](https://docs.gitea.com/administration/config-cheat-sheet#overall-default)
 > section cannot be defined that way.**
@@ -1158,6 +1158,17 @@ To comply with the Gitea helm chart definition of the digest parameter, a "custo
 | `gitea.startupProbe.successThreshold`    | Success threshold for startup probe             | `1`     |
 | `gitea.startupProbe.failureThreshold`    | Failure threshold for startup probe             | `10`    |
 
+### Network Policy
+
+| Name                        | Description                                                               | Value   |
+| --------------------------- | ------------------------------------------------------------------------- | ------- |
+| `networkPolicy.enabled`     | Enable network policies in general.                                       | `false` |
+| `networkPolicy.annotations` | Additional network policy annotations.                                    | `{}`    |
+| `networkPolicy.labels`      | Additional network policy labels.                                         | `{}`    |
+| `networkPolicy.policyTypes` | List of policy types. Supported is ingress, egress or ingress and egress. | `[]`    |
+| `networkPolicy.egress`      | Concrete egress network policy implementation.                            | `[]`    |
+| `networkPolicy.ingress`     | Concrete ingress network policy implementation.                           | `[]`    |
+
 ### valkey-cluster
 
 Valkey cluster and [Valkey](#valkey) cannot be enabled at the same time.

package.json

@@ -9,11 +9,13 @@
     "npm": ">=8.0.0"
   },
   "scripts": {
+    "readme:link": "markdown-link-check --config .markdownlink.json *.md",
     "readme:lint": "markdownlint *.md -f",
     "readme:parameters": "readme-generator -v values.yaml -r README.md"
   },
   "devDependencies": {
     "@bitnami/readme-generator-for-helm": "^2.5.0",
+    "markdown-link-check": "^3.13.6",
     "markdownlint-cli": "^0.45.0"
   }
 }

templates/_helpers.tpl

@@ -87,6 +87,12 @@ storageClassName: {{ $storageClass | quote }}
 {{- end }}
 {{- end -}}
 
+{{/*
+Common annotations
+*/}}
+{{- define "gitea.annotations" -}}
+{{- end }}
+
 {{/*
 Common labels
 */}}

templates/_networkPolicy.tpl

@@ -0,0 +1,19 @@
+{{/* vim: set filetype=mustache: */}}
+
+{{/* annotations */}}
+
+{{- define "gitea.networkPolicy.annotations" -}}
+{{ include "gitea.annotations" . }}
+{{- if .Values.networkPolicy.annotations }}
+{{ toYaml .Values.networkPolicy.annotations }}
+{{- end }}
+{{- end }}
+
+{{/* labels */}}
+
+{{- define "gitea.networkPolicy.labels" -}}
+{{ include "gitea.labels" . }}
+{{- if .Values.networkPolicy.labels }}
+{{ toYaml .Values.networkPolicy.labels }}
+{{- end }}
+{{- end }}

templates/_pod.tpl

@@ -0,0 +1,17 @@
+---
+
+{{/* labels */}}
+
+{{- define "gitea.pod.labels" -}}
+{{- include "gitea.labels" . }}
+{{- if .Values.deployment.labels }}
+{{ toYaml .Values.deployment.labels }}
+{{- end }}
+{{- end }}
+
+{{- define "gitea.pod.selectorLabels" -}}
+{{- include "gitea.selectorLabels" . }}
+{{- if .Values.deployment.labels }}
+{{ toYaml .Values.deployment.labels }}
+{{- end }}
+{{- end }}

templates/deployment.yaml

@@ -23,14 +23,11 @@ spec:
     {{- end }}
   selector:
     matchLabels:
-      {{- include "gitea.selectorLabels" . | nindent 6 }}
+      {{- include "gitea.pod.selectorLabels" . | nindent 6 }}
-      {{- if .Values.deployment.labels }}
-      {{- toYaml .Values.deployment.labels | nindent 6 }}
-      {{- end }}
   template:
     metadata:
       annotations:
-        checksum/config: {{ include (print $.Template.BasePath "/gitea/config.yaml") . | sha256sum }}
+        checksum/config: {{ include (print $.Template.BasePath "/config.yaml") . | sha256sum }}
         {{- range $idx, $value := .Values.gitea.ldap }}
         checksum/ldap_{{ $idx }}: {{ include "gitea.ldap_settings" (list $idx $value) | sha256sum }}
         {{- end }}
@@ -41,10 +38,7 @@ spec:
         {{- toYaml . | nindent 8 }}
         {{- end }}
       labels:
-        {{- include "gitea.labels" . | nindent 8 }}
+        {{- include "gitea.pod.labels" . | nindent 8 }}
-        {{- if .Values.deployment.labels }}
-        {{- toYaml .Values.deployment.labels | nindent 8 }}
-        {{- end }}
     spec:
       {{- if .Values.schedulerName }}
       schedulerName: "{{ .Values.schedulerName }}"

templates/networkPolicy.yaml

@@ -0,0 +1,32 @@
+{{- if .Values.networkPolicy.enabled }}
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  {{- with (include "gitea.networkPolicy.annotations" . | fromYaml) }}
+  annotations:
+    {{- tpl (toYaml .) $ | nindent 4 }}
+  {{- end }}
+  {{- with (include "gitea.networkPolicy.labels" . | fromYaml) }}
+  labels:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  name: {{ include "gitea.fullname" . }}
+  namespace: {{ .Release.Namespace }}
+spec:
+  podSelector:
+    matchLabels:
+      {{- include "gitea.pod.selectorLabels" $ | nindent 6 }}
+  {{- with .Values.networkPolicy.policyTypes }}
+  policyTypes:
+  {{- toYaml . | nindent 2 }}
+  {{- end }}
+  {{- with .Values.networkPolicy.egress }}
+  egress:
+  {{- toYaml . | nindent 2 }}
+  {{- end }}
+  {{- with .Values.networkPolicy.ingress }}
+  ingress:
+  {{- toYaml . | nindent 2 }}
+  {{- end }}
+{{- end }}

unittests/helm/config/actions-config.yaml

@@ -3,17 +3,17 @@ release:
   name: gitea-unittests
   namespace: testing
 templates:
-  - templates/gitea/config.yaml
+  - templates/config.yaml
 tests:
   - it: "actions are enabled by default (based on vanilla Gitea behavior)"
-    template: templates/gitea/config.yaml
+    template: templates/config.yaml
     asserts:
       - documentIndex: 0
         notExists:
           path: stringData.actions
 
   - it: "actions can be disabled via inline config"
-    template: templates/gitea/config.yaml
+    template: templates/config.yaml
     set:
       gitea.config.actions.ENABLED: false
     asserts:

unittests/helm/config/cache-config.yaml

@@ -4,7 +4,7 @@ release:
   namespace: testing
 tests:
   - it: "cache is configured correctly for valkey-cluster"
-    template: templates/gitea/config.yaml
+    template: templates/config.yaml
     set:
       valkey-cluster:
         enabled: true
@@ -19,7 +19,7 @@ tests:
             HOST=redis+cluster://:@gitea-unittests-valkey-cluster-headless.testing.svc.cluster.local:6379/0?pool_size=100&idle_timeout=180s&
 
   - it: "cache is configured correctly for valkey"
-    template: templates/gitea/config.yaml
+    template: templates/config.yaml
     set:
       valkey-cluster:
         enabled: false
@@ -34,7 +34,7 @@ tests:
             HOST=redis://:changeme@gitea-unittests-valkey-headless.testing.svc.cluster.local:6379/0?pool_size=100&idle_timeout=180s&
 
   - it: "cache is configured correctly for 'memory' when valkey (or valkey-cluster) is disabled"
-    template: templates/gitea/config.yaml
+    template: templates/config.yaml
     set:
       valkey-cluster:
         enabled: false
@@ -49,7 +49,7 @@ tests:
             HOST=
 
   - it: "cache can be customized when valkey (or valkey-cluster) is disabled"
-    template: templates/gitea/config.yaml
+    template: templates/config.yaml
     set:
       valkey-cluster:
         enabled: false

unittests/helm/config/metrics-section_metrics-token.yaml

@@ -4,7 +4,7 @@ release:
   namespace: testing
 tests:
   - it: metrics token is set
-    template: templates/gitea/config.yaml
+    template: templates/config.yaml
     set:
       gitea:
         metrics:
@@ -18,7 +18,7 @@ tests:
             ENABLED=true
             TOKEN=somepassword
   - it: metrics token is empty
-    template: templates/gitea/config.yaml
+    template: templates/config.yaml
     set:
       gitea:
         metrics:
@@ -31,7 +31,7 @@ tests:
           value: |-
             ENABLED=true
   - it: metrics token is nil
-    template: templates/gitea/config.yaml
+    template: templates/config.yaml
     set:
       gitea:
         metrics:
@@ -44,7 +44,7 @@ tests:
           value: |-
             ENABLED=true
   - it: does not configures a token if metrics are disabled
-    template: templates/gitea/config.yaml
+    template: templates/config.yaml
     set:
       gitea:
         metrics:

unittests/helm/config/queue-config.yaml

@@ -4,7 +4,7 @@ release:
   namespace: testing
 tests:
   - it: "queue is configured correctly for valkey-cluster"
-    template: templates/gitea/config.yaml
+    template: templates/config.yaml
     set:
       valkey-cluster:
         enabled: true
@@ -19,7 +19,7 @@ tests:
             TYPE=redis
 
   - it: "queue is configured correctly for valkey"
-    template: templates/gitea/config.yaml
+    template: templates/config.yaml
     set:
       valkey-cluster:
         enabled: false
@@ -34,7 +34,7 @@ tests:
             TYPE=redis
 
   - it: "queue is configured correctly for 'levelDB' when valkey (and valkey-cluster) is disabled"
-    template: templates/gitea/config.yaml
+    template: templates/config.yaml
     set:
       valkey-cluster:
         enabled: false
@@ -49,7 +49,7 @@ tests:
             TYPE=level
 
   - it: "queue can be customized when valkey (and valkey-cluster) are disabled"
-    template: templates/gitea/config.yaml
+    template: templates/config.yaml
     set:
       valkey-cluster:
         enabled: false

unittests/helm/config/server-section_domain.yaml

@@ -4,7 +4,7 @@ release:
   namespace: testing
 tests:
   - it: "[default values] uses ingress host for DOMAIN|SSH_DOMAIN|ROOT_URL"
-    template: templates/gitea/config.yaml
+    template: templates/config.yaml
     asserts:
       - documentIndex: 0
         matchRegex:
@@ -22,7 +22,7 @@ tests:
   ################################################
 
   - it: "[no ingress hosts] uses gitea http service for DOMAIN|SSH_DOMAIN|ROOT_URL"
-    template: templates/gitea/config.yaml
+    template: templates/config.yaml
     set:
       ingress:
         hosts: []
@@ -43,7 +43,7 @@ tests:
   ################################################
 
   - it: "[provided via values] uses that for DOMAIN|SSH_DOMAIN|ROOT_URL"
-    template: templates/gitea/config.yaml
+    template: templates/config.yaml
     set:
       gitea.config.server.DOMAIN: provided.example.com
       ingress:

unittests/helm/config/session-config.yaml

@@ -4,7 +4,7 @@ release:
   namespace: testing
 tests:
   - it: "session is configured correctly for valkey-cluster"
-    template: templates/gitea/config.yaml
+    template: templates/config.yaml
     set:
       valkey-cluster:
         enabled: true
@@ -19,7 +19,7 @@ tests:
             PROVIDER_CONFIG=redis+cluster://:@gitea-unittests-valkey-cluster-headless.testing.svc.cluster.local:6379/0?pool_size=100&idle_timeout=180s&
 
   - it: "session is configured correctly for valkey"
-    template: templates/gitea/config.yaml
+    template: templates/config.yaml
     set:
       valkey-cluster:
         enabled: false
@@ -34,7 +34,7 @@ tests:
             PROVIDER_CONFIG=redis://:changeme@gitea-unittests-valkey-headless.testing.svc.cluster.local:6379/0?pool_size=100&idle_timeout=180s&
 
   - it: "session is configured correctly for 'memory' when valkey (and valkey-cluster) is disabled"
-    template: templates/gitea/config.yaml
+    template: templates/config.yaml
     set:
       valkey-cluster:
         enabled: false
@@ -49,7 +49,7 @@ tests:
             PROVIDER_CONFIG=
 
   - it: "session can be customized when valkey (and valkey-cluster) is disabled"
-    template: templates/gitea/config.yaml
+    template: templates/config.yaml
     set:
       valkey-cluster:
         enabled: false

unittests/helm/dependency-checks/customization-integrity-postgresql-ha.yaml

@@ -106,14 +106,14 @@ tests:
           name: gitea-unittests-postgresql-ha-pgpool
           namespace: testing
   - it: "[gitea] connects to pgpool service"
-    template: templates/gitea/config.yaml
+    template: templates/config.yaml
     asserts:
       - documentIndex: 0
         matchRegex:
           path: stringData.database
           pattern: HOST=gitea-unittests-postgresql-ha-pgpool.testing.svc.cluster.local:1234
   - it: "[gitea] connects to configured database"
-    template: templates/gitea/config.yaml
+    template: templates/config.yaml
     asserts:
       - documentIndex: 0
         matchRegex:

unittests/helm/dependency-checks/customization-integrity-postgresql.yaml

@@ -65,14 +65,14 @@ tests:
           name: gitea-unittests-postgresql
           namespace: testing
   - it: "[gitea] connects to postgresql service"
-    template: templates/gitea/config.yaml
+    template: templates/config.yaml
     asserts:
       - documentIndex: 0
         matchRegex:
           path: stringData.database
           pattern: HOST=gitea-unittests-postgresql.testing.svc.cluster.local:1234
   - it: "[gitea] connects to configured database"
-    template: templates/gitea/config.yaml
+    template: templates/config.yaml
     asserts:
       - documentIndex: 0
         matchRegex:

unittests/helm/dependency-checks/customization-integrity-valkey-cluster.yaml

@@ -82,7 +82,7 @@ tests:
             port: 6379
             targetPort: tcp-redis
   - it: "[gitea] waits for valkey-cluster to be up and running"
-    template: templates/gitea/init.yaml
+    template: templates/init.yaml
     asserts:
       - documentIndex: 0
         matchRegex:

unittests/helm/dependency-checks/customization-integrity-valkey.yaml

@@ -44,7 +44,7 @@ tests:
             port: 6379
             targetPort: redis
   - it: "[gitea] waits for valkey to be up and running"
-    template: templates/gitea/init.yaml
+    template: templates/init.yaml
     asserts:
       - documentIndex: 0
         matchRegex:

unittests/helm/deployment/HA.yaml

@@ -3,11 +3,11 @@ release:
   name: gitea-unittests
   namespace: testing
 templates:
-  - templates/gitea/deployment.yaml
+  - templates/deployment.yaml
-  - templates/gitea/config.yaml
+  - templates/config.yaml
 tests:
   - it: fails with multiple replicas and "GIT_GC_REPOS" enabled
-    template: templates/gitea/deployment.yaml
+    template: templates/deployment.yaml
     set:
       replicaCount: 2
       persistence:
@@ -22,14 +22,14 @@ tests:
       - failedTemplate:
           errorMessage: "Invoking the garbage collector via CRON is not yet supported when running with multiple replicas. Please set 'gitea.config.cron.GIT_GC_REPOS.enabled = false'."
   - it: fails with multiple replicas and RWX file system not set
-    template: templates/gitea/deployment.yaml
+    template: templates/deployment.yaml
     set:
       replicaCount: 2
     asserts:
       - failedTemplate:
           errorMessage: "When using multiple replicas, a RWX file system is required and persistence.accessModes[0] must be set to ReadWriteMany."
   - it: fails with multiple replicas and bleve issue indexer
-    template: templates/gitea/deployment.yaml
+    template: templates/deployment.yaml
     set:
       replicaCount: 2
       persistence:
@@ -43,7 +43,7 @@ tests:
       - failedTemplate:
           errorMessage: "When using multiple replicas, the issue indexer (gitea.config.indexer.ISSUE_INDEXER_TYPE) must be set to a HA-ready provider such as 'meilisearch', 'elasticsearch' or 'db' (if the DB is HA-ready)."
   - it: fails with multiple replicas and bleve repo indexer
-    template: templates/gitea/deployment.yaml
+    template: templates/deployment.yaml
     set:
       replicaCount: 2
       persistence:

unittests/helm/deployment/basic.yaml

@@ -3,11 +3,11 @@ release:
   name: gitea-unittests
   namespace: testing
 templates:
-  - templates/gitea/deployment.yaml
+  - templates/deployment.yaml
-  - templates/gitea/config.yaml
+  - templates/config.yaml
 tests:
   - it: renders a deployment
-    template: templates/gitea/deployment.yaml
+    template: templates/deployment.yaml
     asserts:
       - hasDocuments:
           count: 1
@@ -16,7 +16,7 @@ tests:
           apiVersion: apps/v1
           name: gitea-unittests
   - it: deployment labels are set
-    template: templates/gitea/deployment.yaml
+    template: templates/deployment.yaml
     set:
       deployment.labels:
         hello: world
@@ -30,7 +30,7 @@ tests:
           content:
             hello: world
   - it: "injects TMP_EXISTING_ENVS_FILE as environment variable to 'init-app-ini' init container"
-    template: templates/gitea/deployment.yaml
+    template: templates/deployment.yaml
     asserts:
       - contains:
           path: spec.template.spec.initContainers[1].env
@@ -38,7 +38,7 @@ tests:
             name: TMP_EXISTING_ENVS_FILE
             value: /tmp/existing-envs
   - it: "injects ENV_TO_INI_MOUNT_POINT as environment variable to 'init-app-ini' init container"
-    template: templates/gitea/deployment.yaml
+    template: templates/deployment.yaml
     asserts:
       - contains:
           path: spec.template.spec.initContainers[1].env
@@ -46,7 +46,7 @@ tests:
             name: ENV_TO_INI_MOUNT_POINT
             value: /env-to-ini-mounts
   - it: CPU resources are defined as well as GOMAXPROCS
-    template: templates/gitea/deployment.yaml
+    template: templates/deployment.yaml
     set:
       resources:
         limits:
@@ -74,7 +74,7 @@ tests:
               cpu: 100ms
               memory: 100Mi
   - it: Init containers have correct volumeMount path
-    template: templates/gitea/deployment.yaml
+    template: templates/deployment.yaml
     set:
       initContainersScriptsVolumeMountPath: "/custom/init/path"
     asserts:
@@ -85,7 +85,7 @@ tests:
           path: spec.template.spec.initContainers[*].volumeMounts[?(@.name=="config")].mountPath
           value: "/custom/init/path"
   - it: Init containers have correct volumeMount path if there is no override
-    template: templates/gitea/deployment.yaml
+    template: templates/deployment.yaml
     asserts:
       - equal:
           path: spec.template.spec.initContainers[*].volumeMounts[?(@.name=="init")].mountPath

unittests/helm/deployment/deployment-additional-config.yaml

@@ -3,11 +3,11 @@ release:
   name: gitea-unittests
   namespace: testing
 templates:
-  - templates/gitea/deployment.yaml
+  - templates/deployment.yaml
-  - templates/gitea/config.yaml
+  - templates/config.yaml
 tests:
   - it: Renders a deployment
-    template: templates/gitea/deployment.yaml
+    template: templates/deployment.yaml
     asserts:
       - hasDocuments:
           count: 1
@@ -16,7 +16,7 @@ tests:
           apiVersion: apps/v1
           name: gitea-unittests
   - it: Deployment with empty additionalConfigFromEnvs
-    template: templates/gitea/deployment.yaml
+    template: templates/deployment.yaml
     set:
       gitea.additionalConfigFromEnvs: []
     asserts:
@@ -44,7 +44,7 @@ tests:
               - name: ENV_TO_INI_MOUNT_POINT
                 value: /env-to-ini-mounts
   - it: Deployment with standard additionalConfigFromEnvs
-    template: templates/gitea/deployment.yaml
+    template: templates/deployment.yaml
     set:
       gitea.additionalConfigFromEnvs: [{name: GITEA_database_HOST, value: my-db:123}, {name: GITEA_database_USER, value: my-user}]
     asserts:
@@ -76,7 +76,7 @@ tests:
               - name: GITEA_database_USER
                 value: my-user
   - it: Deployment with templated additionalConfigFromEnvs
-    template: templates/gitea/deployment.yaml
+    template: templates/deployment.yaml
     set:
       gitea.misc.host: my-db-host:321
       gitea.misc.user: my-db-user
@@ -110,7 +110,7 @@ tests:
               - name: GITEA_database_USER
                 value: my-db-user
   - it: Deployment with additionalConfigFromEnvs templated secret name
-    template: templates/gitea/deployment.yaml
+    template: templates/deployment.yaml
     set:
       gitea.misc.existingSecret: my-db-secret
       gitea.additionalConfigFromEnvs[0]:

unittests/helm/deployment/extraInitContainers.yaml

@@ -3,18 +3,18 @@ release:
   name: gitea-unittests
   namespace: testing
 templates:
-  - templates/gitea/deployment.yaml
+  - templates/deployment.yaml
-  - templates/gitea/config.yaml
+  - templates/config.yaml
 tests:
   - it: Render the deployment (default)
     asserts:
       - hasDocuments:
           count: 1
-        template: templates/gitea/deployment.yaml
+        template: templates/deployment.yaml
       - lengthEqual:
           path: spec.template.spec.initContainers
           count: 3
-        template: templates/gitea/deployment.yaml
+        template: templates/deployment.yaml
 
   - it: Render the deployment (signing)
     set:
@@ -22,11 +22,11 @@ tests:
     asserts:
       - hasDocuments:
           count: 1
-        template: templates/gitea/deployment.yaml
+        template: templates/deployment.yaml
       - lengthEqual:
           path: spec.template.spec.initContainers
           count: 4
-        template: templates/gitea/deployment.yaml
+        template: templates/deployment.yaml
 
   - it: Render the deployment (extraInitContainers)
     set:
@@ -40,20 +40,20 @@ tests:
     asserts:
       - hasDocuments:
           count: 1
-        template: templates/gitea/deployment.yaml
+        template: templates/deployment.yaml
       - lengthEqual:
           path: spec.template.spec.initContainers
           count: 6
-        template: templates/gitea/deployment.yaml
+        template: templates/deployment.yaml
       - contains:
           path: spec.template.spec.initContainers
           content:
             name: foo
             image: docker.io/library/busybox:latest
-        template: templates/gitea/deployment.yaml
+        template: templates/deployment.yaml
       - contains:
           path: spec.template.spec.initContainers
           content:
             name: bar
             image: docker.io/library/busybox:latest
-        template: templates/gitea/deployment.yaml
+        template: templates/deployment.yaml

unittests/helm/deployment/image-configuration.yaml

@@ -6,17 +6,17 @@ chart:
   # Override appVersion to be consistent with used digest :)
   appVersion: 1.19.3
 templates:
-  - templates/gitea/deployment.yaml
+  - templates/deployment.yaml
-  - templates/gitea/config.yaml
+  - templates/config.yaml
 tests:
   - it: default values
-    template: templates/gitea/deployment.yaml
+    template: templates/deployment.yaml
     asserts:
       - equal:
           path: spec.template.spec.containers[0].image
           value: "docker.gitea.com/gitea:1.19.3-rootless"
   - it: tag override
-    template: templates/gitea/deployment.yaml
+    template: templates/deployment.yaml
     set:
       image.tag: "1.19.4"
     asserts:
@@ -24,7 +24,7 @@ tests:
           path: spec.template.spec.containers[0].image
           value: "docker.gitea.com/gitea:1.19.4-rootless"
   - it: root-based image
-    template: templates/gitea/deployment.yaml
+    template: templates/deployment.yaml
     set:
       image.rootless: false
     asserts:
@@ -32,7 +32,7 @@ tests:
           path: spec.template.spec.containers[0].image
           value: "docker.gitea.com/gitea:1.19.3"
   - it: scoped registry
-    template: templates/gitea/deployment.yaml
+    template: templates/deployment.yaml
     set:
       image.registry: "example.com"
     asserts:
@@ -40,7 +40,7 @@ tests:
           path: spec.template.spec.containers[0].image
           value: "example.com/gitea:1.19.3-rootless"
   - it: global registry
-    template: templates/gitea/deployment.yaml
+    template: templates/deployment.yaml
     set:
       global.imageRegistry: "global.example.com"
     asserts:
@@ -48,7 +48,7 @@ tests:
           path: spec.template.spec.containers[0].image
           value: "global.example.com/gitea:1.19.3-rootless"
   - it: digest for rootless image
-    template: templates/gitea/deployment.yaml
+    template: templates/deployment.yaml
     set:
       image:
         rootless: true
@@ -58,7 +58,7 @@ tests:
           path: spec.template.spec.containers[0].image
           value: "docker.gitea.com/gitea:1.19.3-rootless@sha256:b28e8f3089b52ebe6693295df142f8c12eff354e9a4a5bfbb5c10f296c3a537a"
   - it: image fullOverride (does not append rootless)
-    template: templates/gitea/deployment.yaml
+    template: templates/deployment.yaml
     set:
       image:
         fullOverride: docker.gitea.com/gitea:1.19.3
@@ -73,7 +73,7 @@ tests:
           path: spec.template.spec.containers[0].image
           value: "docker.gitea.com/gitea:1.19.3"
   - it: digest for root-based image
-    template: templates/gitea/deployment.yaml
+    template: templates/deployment.yaml
     set:
       image:
         rootless: false
@@ -83,7 +83,7 @@ tests:
           path: spec.template.spec.containers[0].image
           value: "docker.gitea.com/gitea:1.19.3@sha256:b28e8f3089b52ebe6693295df142f8c12eff354e9a4a5bfbb5c10f296c3a537a"
   - it: digest and global registry
-    template: templates/gitea/deployment.yaml
+    template: templates/deployment.yaml
     set:
       global.imageRegistry: "global.example.com"
       image.digest: "sha256:b28e8f3089b52ebe6693295df142f8c12eff354e9a4a5bfbb5c10f296c3a537a"
@@ -92,7 +92,7 @@ tests:
           path: spec.template.spec.containers[0].image
           value: "global.example.com/gitea:1.19.3-rootless@sha256:b28e8f3089b52ebe6693295df142f8c12eff354e9a4a5bfbb5c10f296c3a537a"
   - it: correctly renders floating tag references
-    template: templates/gitea/deployment.yaml
+    template: templates/deployment.yaml
     set:
       image.tag: 1.21 # use non-quoted value on purpose. See: https://gitea.com/gitea/helm-gitea/issues/631
     asserts:

unittests/helm/deployment/ingress-configuration.yaml

@@ -1,6 +1,6 @@
 suite: Test ingress tpl use
 templates:
-  - templates/gitea/ingress.yaml
+  - templates/ingress.yaml
 tests:
   - it: Ingress Class using TPL
     set:

unittests/helm/deployment/inline-config.yaml

@@ -3,7 +3,7 @@ release:
   name: gitea-unittests
   namespace: testing
 templates:
-  - templates/gitea/config.yaml
+  - templates/config.yaml
 tests:
   - it: inline config stringData.server using TPL
     set:

unittests/helm/deployment/probes.yaml

@@ -3,11 +3,11 @@ release:
   name: gitea-unittests
   namespace: testing
 templates:
-  - templates/gitea/deployment.yaml
+  - templates/deployment.yaml
-  - templates/gitea/config.yaml
+  - templates/config.yaml
 tests:
   - it: renders default liveness probe
-    template: templates/gitea/deployment.yaml
+    template: templates/deployment.yaml
     asserts:
       - notExists:
           path: spec.template.spec.containers[0].livenessProbe.enabled
@@ -22,7 +22,7 @@ tests:
               port: http
             timeoutSeconds: 1
   - it: renders default readiness probe
-    template: templates/gitea/deployment.yaml
+    template: templates/deployment.yaml
     asserts:
       - notExists:
           path: spec.template.spec.containers[0].readinessProbe.enabled
@@ -37,12 +37,12 @@ tests:
               port: http
             timeoutSeconds: 1
   - it: does not render a default startup probe
-    template: templates/gitea/deployment.yaml
+    template: templates/deployment.yaml
     asserts:
       - notExists:
           path: spec.template.spec.containers[0].startupProbe
   - it: allows enabling a startup probe
-    template: templates/gitea/deployment.yaml
+    template: templates/deployment.yaml
     set:
       gitea.startupProbe.enabled: true
     asserts:
@@ -60,7 +60,7 @@ tests:
             timeoutSeconds: 1
 
   - it: allows overwriting the default port of the liveness probe
-    template: templates/gitea/deployment.yaml
+    template: templates/deployment.yaml
     set:
       gitea:
         livenessProbe:
@@ -74,7 +74,7 @@ tests:
               port: my-port
 
   - it: allows overwriting the default port of the readiness probe
-    template: templates/gitea/deployment.yaml
+    template: templates/deployment.yaml
     set:
       gitea:
         readinessProbe:
@@ -88,7 +88,7 @@ tests:
               port: my-port
 
   - it: allows overwriting the default port of the startup probe
-    template: templates/gitea/deployment.yaml
+    template: templates/deployment.yaml
     set:
       gitea:
         startupProbe:
@@ -103,7 +103,7 @@ tests:
               port: my-port
 
   - it: allows using a non-default method as liveness probe
-    template: templates/gitea/deployment.yaml
+    template: templates/deployment.yaml
     set:
       gitea:
         livenessProbe:
@@ -131,7 +131,7 @@ tests:
             timeoutSeconds: 13372
 
   - it: allows using a non-default method as readiness probe
-    template: templates/gitea/deployment.yaml
+    template: templates/deployment.yaml
     set:
       gitea:
         readinessProbe:
@@ -159,7 +159,7 @@ tests:
             timeoutSeconds: 13372
 
   - it: allows using a non-default method as startup probe
-    template: templates/gitea/deployment.yaml
+    template: templates/deployment.yaml
     set:
       gitea:
         startupProbe:

unittests/helm/deployment/sidecar-container.yaml

@@ -3,11 +3,11 @@ release:
   name: gitea-unittests
   namespace: testing
 templates:
-  - templates/gitea/deployment.yaml
+  - templates/deployment.yaml
-  - templates/gitea/config.yaml
+  - templates/config.yaml
 tests:
   - it: supports adding a sidecar container
-    template: templates/gitea/deployment.yaml
+    template: templates/deployment.yaml
     set:
       extraContainers:
         - name: sidecar-bob

unittests/helm/deployment/signing-disabled.yaml

@@ -3,11 +3,11 @@ release:
   name: gitea-unittests
   namespace: testing
 templates:
-  - templates/gitea/deployment.yaml
+  - templates/deployment.yaml
-  - templates/gitea/config.yaml
+  - templates/config.yaml
 tests:
   - it: skips gpg init container
-    template: templates/gitea/deployment.yaml
+    template: templates/deployment.yaml
     asserts:
       - notContains:
           path: spec.template.spec.initContainers
@@ -15,7 +15,7 @@ tests:
           content:
             name: configure-gpg
   - it: skips gpg env in `init-directories` init container
-    template: templates/gitea/deployment.yaml
+    template: templates/deployment.yaml
     set:
       signing.enabled: false
     asserts:
@@ -25,14 +25,14 @@ tests:
             name: GNUPGHOME
             value: /data/git/.gnupg
   - it: skips gpg env in runtime container
-    template: templates/gitea/deployment.yaml
+    template: templates/deployment.yaml
     asserts:
       - notContains:
           path: spec.template.spec.containers[0].env
           content:
             name: GNUPGHOME
   - it: skips gpg volume spec
-    template: templates/gitea/deployment.yaml
+    template: templates/deployment.yaml
     asserts:
       - notContains:
           path: spec.template.spec.volumes

unittests/helm/deployment/signing-enabled.yaml

@@ -3,11 +3,11 @@ release:
   name: gitea-unittests
   namespace: testing
 templates:
-  - templates/gitea/deployment.yaml
+  - templates/deployment.yaml
-  - templates/gitea/config.yaml
+  - templates/config.yaml
 tests:
   - it: adds gpg init container
-    template: templates/gitea/deployment.yaml
+    template: templates/deployment.yaml
     set:
       signing:
         enabled: true
@@ -41,7 +41,7 @@ tests:
               mountPath: /raw
               readOnly: true
   - it: adds gpg env in `init-directories` init container
-    template: templates/gitea/deployment.yaml
+    template: templates/deployment.yaml
     set:
       signing.enabled: true
       signing.existingSecret: "custom-gpg-secret"
@@ -52,7 +52,7 @@ tests:
             name: GNUPGHOME
             value: /data/git/.gnupg
   - it: adds gpg env in runtime container
-    template: templates/gitea/deployment.yaml
+    template: templates/deployment.yaml
     set:
       signing.enabled: true
       signing.existingSecret: "custom-gpg-secret"
@@ -63,7 +63,7 @@ tests:
             name: GNUPGHOME
             value: /data/git/.gnupg
   - it: adds gpg volume spec
-    template: templates/gitea/deployment.yaml
+    template: templates/deployment.yaml
     set:
       signing:
         enabled: true
@@ -80,7 +80,7 @@ tests:
                   path: private.asc
               defaultMode: 0100
   - it: supports gpg volume spec with external reference
-    template: templates/gitea/deployment.yaml
+    template: templates/deployment.yaml
     set:
       signing:
         enabled: true

unittests/helm/deployment/ssh-configuration.yaml

@@ -3,11 +3,11 @@ release:
   name: gitea-unittests
   namespace: testing
 templates:
-  - templates/gitea/deployment.yaml
+  - templates/deployment.yaml
-  - templates/gitea/config.yaml
+  - templates/config.yaml
 tests:
   - it: supports defining SSH log level for root based image
-    template: templates/gitea/deployment.yaml
+    template: templates/deployment.yaml
     set:
       image.rootless: false
     asserts:
@@ -17,7 +17,7 @@ tests:
             name: SSH_LOG_LEVEL
             value: "INFO"
   - it: supports overriding SSH log level
-    template: templates/gitea/deployment.yaml
+    template: templates/deployment.yaml
     set:
       image.rootless: false
       gitea.ssh.logLevel: "DEBUG"
@@ -28,7 +28,7 @@ tests:
             name: SSH_LOG_LEVEL
             value: "DEBUG"
   - it: supports overriding SSH log level (even when image.fullOverride set)
-    template: templates/gitea/deployment.yaml
+    template: templates/deployment.yaml
     set:
       image.fullOverride: docker.gitea.com/gitea:1.19.3
       image.rootless: false
@@ -40,7 +40,7 @@ tests:
             name: SSH_LOG_LEVEL
             value: "DEBUG"
   - it: skips SSH_LOG_LEVEL for rootless image
-    template: templates/gitea/deployment.yaml
+    template: templates/deployment.yaml
     set:
       image.rootless: true
       gitea.ssh.logLevel: "DEBUG" # explicitly defining a non-standard level here
@@ -51,7 +51,7 @@ tests:
           content:
             name: SSH_LOG_LEVEL
   - it: skips SSH_LOG_LEVEL for rootless image (even when image.fullOverride set)
-    template: templates/gitea/deployment.yaml
+    template: templates/deployment.yaml
     set:
       image.fullOverride: docker.gitea.com/gitea:1.19.3
       image.rootless: true

unittests/helm/deployment/storage-class-configuration.yaml

@@ -7,11 +7,11 @@ release:
   namespace: testing
 
 templates:
-  - templates/gitea/pvc.yaml
+  - templates/pvc.yaml
 
 tests:
   - it: should set storageClassName when persistence.storageClass is defined
-    template: templates/gitea/pvc.yaml
+    template: templates/pvc.yaml
     set:
       persistence.storageClass: "my-storage-class"
     asserts:
@@ -20,7 +20,7 @@ tests:
           value: "my-storage-class"
 
   - it: should set global.storageClass when persistence.storageClass is not defined
-    template: templates/gitea/pvc.yaml
+    template: templates/pvc.yaml
     set:
       global.storageClass: "default-storage-class"
     asserts:
@@ -29,7 +29,7 @@ tests:
           value: "default-storage-class"
 
   - it: should set storageClassName when persistence.storageClass is defined and global.storageClass is defined
-    template: templates/gitea/pvc.yaml
+    template: templates/pvc.yaml
     set:
       global.storageClass: "default-storage-class"
       persistence.storageClass: "my-storage-class"

unittests/helm/deployment/svc-configuration.yaml

@@ -3,11 +3,11 @@ release:
   name: gitea-unittests
   namespace: testing
 templates:
-  - templates/gitea/ssh-svc.yaml
+  - templates/ssh-svc.yaml
-  - templates/gitea/http-svc.yaml
+  - templates/http-svc.yaml
 tests:
   - it: supports adding custom labels to ssh-svc
-    template: templates/gitea/ssh-svc.yaml
+    template: templates/ssh-svc.yaml
     set:
       service:
         ssh:
@@ -19,7 +19,7 @@ tests:
           value: "testvalue"
 
   - it: keeps existing labels (ssh)
-    template: templates/gitea/ssh-svc.yaml
+    template: templates/ssh-svc.yaml
     set:
       service:
         ssh:
@@ -29,7 +29,7 @@ tests:
           path: metadata.labels["app"]
 
   - it: supports adding custom labels to http-svc
-    template: templates/gitea/http-svc.yaml
+    template: templates/http-svc.yaml
     set:
       service:
         http:
@@ -41,7 +41,7 @@ tests:
           value: "testvalue"
 
   - it: keeps existing labels (http)
-    template: templates/gitea/http-svc.yaml
+    template: templates/http-svc.yaml
     set:
       service:
         http:
@@ -51,7 +51,7 @@ tests:
           path: metadata.labels["app"]
 
   - it: render service.ssh.loadBalancerClass if set and type is LoadBalancer
-    template: templates/gitea/ssh-svc.yaml
+    template: templates/ssh-svc.yaml
     set:
       service:
         ssh:
@@ -73,7 +73,7 @@ tests:
           value: ["1.2.3.4/32", "5.6.7.8/32"]
 
   - it: does not render when loadbalancer properties are set but type is not loadBalancerClass
-    template: templates/gitea/http-svc.yaml
+    template: templates/http-svc.yaml
     set:
       service:
         http:
@@ -92,7 +92,7 @@ tests:
           path: spec.loadBalancerSourceRanges
 
   - it: does not render loadBalancerClass by default even when type is LoadBalancer
-    template: templates/gitea/http-svc.yaml
+    template: templates/http-svc.yaml
     set:
       service:
         http:
@@ -107,8 +107,8 @@ tests:
 
   - it: both ssh and http services exist
     templates:
-      - templates/gitea/ssh-svc.yaml
+      - templates/ssh-svc.yaml
-      - templates/gitea/http-svc.yaml
+      - templates/http-svc.yaml
     asserts:
       - matchRegex:
           path: metadata.name

unittests/helm/gpg-secret/signing-disabled.yaml

@@ -3,7 +3,7 @@ release:
   name: gitea-unittests
   namespace: testing
 templates:
-  - templates/gitea/gpg-secret.yaml
+  - templates/gpg-secret.yaml
 tests:
   - it: renders nothing
     set:

unittests/helm/gpg-secret/signing-enabled.yaml

@@ -3,7 +3,7 @@ release:
   name: gitea-unittests
   namespace: testing
 templates:
-  - templates/gitea/gpg-secret.yaml
+  - templates/gpg-secret.yaml
 tests:
   - it: fails rendering when nothing is configured
     set:

unittests/helm/ingress/basic.yaml

@@ -1,6 +1,6 @@
 suite: Test ingress.yaml
 templates:
-  - templates/gitea/ingress.yaml
+  - templates/ingress.yaml
 tests:
   - it: should enable ingress when ingress.enabled is true
     set:

unittests/helm/ingress/implicit-defaults.yaml

@@ -1,6 +1,6 @@
 suite: Test ingress with implicit path defaults
 templates:
-  - templates/gitea/ingress.yaml
+  - templates/ingress.yaml
 tests:
   - it: should use default path and pathType when no paths are specified
     set:

unittests/helm/ingress/ingress.tpl.yaml

@@ -1,6 +1,6 @@
 suite: Test ingress tpl use
 templates:
-  - templates/gitea/ingress.yaml
+  - templates/ingress.yaml
 tests:
   - it: Ingress Class using TPL
     set:

unittests/helm/ingress/structured-paths.yaml

@@ -1,6 +1,6 @@
 suite: Test ingress with structured paths
 templates:
-  - templates/gitea/ingress.yaml
+  - templates/ingress.yaml
 tests:
   - it: should work with structured path definitions
     set:

unittests/helm/init/basic.yaml

@@ -3,7 +3,7 @@ release:
   name: gitea-unittests
   namespace: testing
 templates:
-  - templates/gitea/init.yaml
+  - templates/init.yaml
 tests:
   - it: renders a secret
     asserts:

unittests/helm/init/init_directory_structure.sh-rootless.yaml

@@ -3,7 +3,7 @@ release:
   name: gitea-unittests
   namespace: testing
 templates:
-  - templates/gitea/init.yaml
+  - templates/init.yaml
 tests:
   - it: runs gpg in batch mode
     set:
@@ -63,7 +63,7 @@ tests:
               chown -v 1000:1000 "${GNUPGHOME}"
             fi
   - it: it does not chown /data even when image.fullOverride is set
-    template: templates/gitea/init.yaml
+    template: templates/init.yaml
     set:
       image.fullOverride: docker.gitea.com/gitea:1.20.5
     asserts:

unittests/helm/init/init_directory_structure.sh.yaml

@@ -3,7 +3,7 @@ release:
   name: gitea-unittests
   namespace: testing
 templates:
-  - templates/gitea/init.yaml
+  - templates/init.yaml
 tests:
   - it: runs gpg in batch mode
     set:

unittests/helm/metric-secret/metrics-secret-servicemonitor-disabled.yaml

@@ -3,7 +3,7 @@ release:
   name: gitea-unittests
   namespace: testing
 templates:
-  - templates/gitea/metrics-secret.yaml
+  - templates/metrics-secret.yaml
 tests:
   - it: renders nothing if monitoring disabled and gitea.metrics.token empty
     set:

unittests/helm/metric-secret/metrics-secret-servicemonitor-enabled.yaml

@@ -3,7 +3,7 @@ release:
   name: gitea-unittests
   namespace: testing
 templates:
-  - templates/gitea/metrics-secret.yaml
+  - templates/metrics-secret.yaml
 tests:
   - it: renders nothing if monitoring enabled and gitea.metrics.token empty
     set:

unittests/helm/networkPolicy/networkPolicy.yaml

@@ -0,0 +1,100 @@
+chart:
+  appVersion: 0.1.0
+  version: 0.1.0
+suite: NetworkPolicy template
+release:
+  name: gitea-unittest
+  namespace: testing
+templates:
+  - templates/networkPolicy.yaml
+tests:
+  - it: Skip rendering networkPolicy
+    set:
+      networkPolicy.enabled: false
+    asserts:
+      - hasDocuments:
+          count: 0
+
+  - it: Render default networkPolicy
+    set:
+      networkPolicy.enabled: true
+    asserts:
+      - hasDocuments:
+          count: 1
+      - containsDocument:
+          apiVersion: networking.k8s.io/v1
+          kind: NetworkPolicy
+          name: gitea-unittest
+          namespace: testing
+      - notExists:
+          path: metadata.annotations
+      - equal:
+          path: metadata.labels
+          value:
+            app: gitea
+            app.kubernetes.io/instance: gitea-unittest
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: gitea
+            app.kubernetes.io/version: 0.1.0
+            helm.sh/chart: gitea-0.1.0
+            version: 0.1.0
+      - equal:
+          path: spec.podSelector.matchLabels
+          value:
+            app.kubernetes.io/instance: gitea-unittest
+            app.kubernetes.io/name: gitea
+      - notExists:
+          path: spec.policyTypes
+      - notExists:
+          path: spec.egress
+      - notExists:
+          path: spec.ingress
+
+  - it: Template networkPolicy with policyTypes, egress and ingress configuration
+    set:
+      networkPolicy.enabled: true
+      networkPolicy.policyTypes:
+        - Egress
+        - Ingress
+      networkPolicy.ingress:
+        - from:
+            - namespaceSelector:
+                matchLabels:
+                  kubernetes.io/metadata.name: monitoring
+              podSelector:
+                matchLabels:
+                  app.kubernetes.io/name: prometheus
+      networkPolicy.egress:
+        - to:
+            - namespaceSelector:
+                matchLabels:
+                  kubernetes.io/metadata.name: ingress-nginx
+              podSelector:
+                matchLabels:
+                  app.kubernetes.io/name: ingress-nginx
+    asserts:
+      - equal:
+          path: spec.policyTypes
+          value:
+            - Egress
+            - Ingress
+      - equal:
+          path: spec.egress
+          value:
+            - to:
+                - namespaceSelector:
+                    matchLabels:
+                      kubernetes.io/metadata.name: ingress-nginx
+                  podSelector:
+                    matchLabels:
+                      app.kubernetes.io/name: ingress-nginx
+      - equal:
+          path: spec.ingress
+          value:
+            - from:
+                - namespaceSelector:
+                    matchLabels:
+                      kubernetes.io/metadata.name: monitoring
+                  podSelector:
+                    matchLabels:
+                      app.kubernetes.io/name: prometheus

unittests/helm/pvc/pvc-configuration.yaml

@@ -3,7 +3,7 @@ release:
   name: gitea-unittests
   namespace: testing
 templates:
-  - templates/gitea/pvc.yaml
+  - templates/pvc.yaml
 tests:
   - it: Storage Class using TPL
     set:

unittests/helm/serviceaccount/basic.yaml

@@ -3,7 +3,7 @@ release:
   name: gitea-unittests
   namespace: testing
 templates:
-  - templates/gitea/serviceaccount.yaml
+  - templates/serviceaccount.yaml
 tests:
   - it: skips rendering by default
     asserts:

unittests/helm/serviceaccount/reference.yaml

@@ -3,17 +3,17 @@ release:
   name: gitea-unittests
   namespace: testing
 templates:
-  - templates/gitea/serviceaccount.yaml
+  - templates/serviceaccount.yaml
-  - templates/gitea/deployment.yaml
+  - templates/deployment.yaml
-  - templates/gitea/config.yaml
+  - templates/config.yaml
 tests:
   - it: does not modify the deployment by default
-    template: templates/gitea/deployment.yaml
+    template: templates/deployment.yaml
     asserts:
       - notExists:
           path: spec.serviceAccountName
   - it: adds the reference to the deployment with serviceAccount.create=true
-    template: templates/gitea/deployment.yaml
+    template: templates/deployment.yaml
     set:
       serviceAccount.create: true
     asserts:
@@ -21,7 +21,7 @@ tests:
           path: spec.template.spec.serviceAccountName
           value: gitea-unittests
   - it: allows referencing an externally created ServiceAccount to the deployment
-    template: templates/gitea/deployment.yaml
+    template: templates/deployment.yaml
     set:
       serviceAccount:
         create: false # explicitly set to define rendering behavior

unittests/helm/servicemonitor/basic.yaml

@@ -3,7 +3,7 @@ release:
   name: gitea-unittests
   namespace: testing
 templates:
-  - templates/gitea/servicemonitor.yaml
+  - templates/servicemonitor.yaml
 tests:
   - it: skips rendering by default
     asserts:

unittests/helm/servicemonitor/servicemonitor-disabled.yaml

@@ -3,7 +3,7 @@ release:
   name: gitea-unittests
   namespace: testing
 templates:
-  - templates/gitea/servicemonitor.yaml
+  - templates/servicemonitor.yaml
 tests:
   - it: renders nothing if gitea.metrics.serviceMonitor disabled and gitea.metrics.token empty
     set:

unittests/helm/servicemonitor/servicemonitor-enabled.yaml

@@ -3,7 +3,7 @@ release:
   name: gitea-unittests
   namespace: testing
 templates:
-  - templates/gitea/servicemonitor.yaml
+  - templates/servicemonitor.yaml
 tests:
   - it: renders unsecure ServiceMonitor if gitea.metrics.token nil
     set:

values.yaml

@@ -20,7 +20,7 @@ global:
   #   hostnames:
   #   - example.com
 
-## @param namespace An explicit namespace to deploy gitea into. Defaults to the release namespace if not specified
+## @param namespace An explicit namespace to deploy Gitea into. Defaults to the release namespace if not specified
 namespace: ""
 
 ## @param replicaCount number of replicas for the deployment
@@ -281,13 +281,13 @@ extraContainers: []
 #    image: busybox
 #    command: [/bin/sh, -c, 'echo "Hello world"']
 
-## @param preExtraInitContainers Additional init containers to run in the pod before gitea runs it owns init containers.
+## @param preExtraInitContainers Additional init containers to run in the pod before Gitea runs it owns init containers.
 preExtraInitContainers: []
 # - name: pre-init-container
 #   image: docker.io/library/busybox
 #   command: [ /bin/sh, -c, 'echo "Hello world! I am a pre init container."' ]
 
-## @param postExtraInitContainers Additional init containers to run in the pod after gitea runs it owns init containers.
+## @param postExtraInitContainers Additional init containers to run in the pod after Gitea runs it owns init containers.
 postExtraInitContainers: []
 # - name: post-init-container
 #   image: docker.io/library/busybox
@@ -513,6 +513,100 @@ gitea:
     successThreshold: 1
     failureThreshold: 10
 
+
+## @section Network Policy
+networkPolicy:
+  ## @param networkPolicy.enabled Enable network policies in general.
+  ## @param networkPolicy.annotations Additional network policy annotations.
+  ## @param networkPolicy.labels Additional network policy labels.
+  ## @param networkPolicy.policyTypes List of policy types. Supported is ingress, egress or ingress and egress.
+  ## @param networkPolicy.egress Concrete egress network policy implementation.
+  ## @skip networkPolicy.egress Skip individual egress configuration.
+  ## @param networkPolicy.ingress Concrete ingress network policy implementation.
+  ## @skip networkPolicy.ingress Skip individual ingress configuration.
+  enabled: false
+  annotations: {}
+  labels: {}
+  policyTypes: []
+  # - Egress
+  # - Ingress
+  egress: []
+  # Allow outgoing DNS traffic to the internal running DNS-Server. For example core-dns.
+  #
+  # - to:
+  #   - namespaceSelector:
+  #       matchLabels:
+  #         kubernetes.io/metadata.name: kube-system
+  #     podSelector:
+  #       matchLabels:
+  #        k8s-app: kube-dns
+  #   ports:
+  #   - port: 53
+  #     protocol: TCP
+  #   - port: 53
+  #     protocol: UDP
+
+  # Allow outgoing traffic via HTTPS. For example for oAuth2, Gravatar and other third party APIs.
+  #
+  # - to:
+  #   ports:
+  #   - port: 443
+  #     protocol: TCP
+
+  # Allow outgoing traffic to PostgreSQL.
+  #
+  # - to:
+  #   - podSelector:
+  #       matchLabels:
+  #         app.kubernetes.io/name: postgresql-ha
+  #   ports: []
+  #   # Avoid explicit list of ports, because Gitea tries to ping the PostgreSQL database during the initialization
+  #   # process. The ICMP protocol is currently not supported as list of protocols by kubernetes. For this reason would
+  #   # lead listing of the ports to an issue. Therefore, please handle the database ports with care.
+  #   #
+  #   # - port: 5432
+  #   #   protocol: TCP
+
+  # Allow outgoing traffic to Valkey.
+  #
+  # - to:
+  #   - podSelector:
+  #       matchLabels:
+  #         app.kubernetes.io/name: valkey-cluster
+  #   ports:
+  #   - port: 6379
+  #     protocol: TCP
+  #   - port: 16379
+  #     protocol: TCP
+
+  ingress: []
+  # Allow incoming HTTP traffic from prometheus.
+  #
+  # - from:
+  #   - namespaceSelector:
+  #       matchLabels:
+  #         kubernetes.io/metadata.name: monitoring
+  #     podSelector:
+  #       matchLabels:
+  #         app.kubernetes.io/name: prometheus
+  #   ports:
+  #   - port: http
+  #     protocol: TCP
+
+  # Allow incoming HTTP traffic from ingress-nginx.
+  #
+  # - from:
+  #   - namespaceSelector:
+  #       matchLabels:
+  #         kubernetes.io/metadata.name: ingress-nginx
+  #     podSelector:
+  #       matchLabels:
+  #         app.kubernetes.io/name: ingress-nginx
+  #   ports:
+  #   - port: http
+  #     protocol: TCP
+
+
 ## @section valkey-cluster
 ## @param valkey-cluster.enabled Enable valkey cluster
 # ⚠️ The valkey charts do not work well with special characters in the password (<https://gitea.com/gitea/helm-chart/issues/690>).