96 changed files with 1396 additions and 7204 deletions
--- a/.commitlintrc.json
+++ b/.commitlintrc.json
@ -1,7 +0,0 @@
 {
  "extends": ["@commitlint/config-conventional"],
  "rules": {
    "type-enum": [2, "always", ["feat", "fix", "chore", "docs", "style", "refactor", "test", "perf", "ci", "WIP"]],
    "type-case": [0, "always", "lower-case"]
  }
 }
--- a/.drone.yml
+++ b/.drone.yml
@ -0,0 +1,87 @@
 ---
 kind: pipeline
 type: docker
 name: lint
 platform:
  os: linux
  arch: arm64
 steps:
 - name: helm lint
  pull: always
  image: alpine:3.16
  commands:
  - apk add --no-cache -X http://dl-cdn.alpinelinux.org/alpine/edge/testing helm
  - helm lint
 - name: helm template
  pull: always
  image: alpine:3.16
  commands:
  - apk add --no-cache -X http://dl-cdn.alpinelinux.org/alpine/edge/testing helm
  - helm dependency update
  - helm template --debug gitea-helm .
 - name: verify readme
  pull: always
  image: alpine:3.16
  commands:
  - apk add --no-cache -X http://dl-cdn.alpinelinux.org/alpine/edge/testing make npm git
  - make readme
  - git diff --exit-code --name-only README.md
 - name: discord
  pull: always
  image: appleboy/drone-discord:1.2.4
  environment:
    DISCORD_WEBHOOK_ID:
      from_secret: discord_webhook_id
    DISCORD_WEBHOOK_TOKEN:
      from_secret: discord_webhook_token
  when:
    status:
    - changed
    - failure
 ---
 kind: pipeline
 type: docker
 name: release-version
 platform:
  os: linux
  arch: arm64
 trigger:
  event:
  - tag
 steps:
 - name: generate-chart
  pull: always
  image: alpine:3.16
  commands:
    - apk add --no-cache -X http://dl-cdn.alpinelinux.org/alpine/edge/testing helm
    - apk add --no-cache curl
    - helm dependency update
    - helm package --version "${DRONE_TAG##v}" ./
    - mkdir gitea
    - mv gitea*.tgz gitea/
    - curl -L -o gitea/index.yaml https://dl.gitea.io/charts/index.yaml
    - helm repo index gitea/ --url https://dl.gitea.io/charts --merge gitea/index.yaml
 - name: upload-chart
  pull: always
  image: plugins/s3:latest
  settings:
    bucket: gitea-artifacts
    endpoint: https://ams3.digitaloceanspaces.com
    access_key:
      from_secret: aws_access_key_id
    secret_key:
      from_secret: aws_secret_access_key
    source: gitea/*
    target: /charts
    strip_prefix: gitea/
--- a/.editorconfig
+++ b/.editorconfig
@ -1,12 +0,0 @@
 # EditorConfig is awesome: https://EditorConfig.org
 # top-most EditorConfig file
 root = true
 [*]
 indent_style = space
 indent_size = 2
 end_of_line = lf
 charset = utf-8
 trim_trailing_whitespace = false
 insert_final_newline = false
--- a/.gitea/PULL_REQUEST_TEMPLATE.md
+++ b/.gitea/PULL_REQUEST_TEMPLATE.md
@ -23,7 +23,7 @@
 ### Applicable issues
 <!-- Enter any applicable Issues here (You can reference an issue using #). Please remove this section if there is no referenced issue. -->
- Fixes #
+  - fixes #
 ### Additional information
@ -39,6 +39,3 @@
 - [ ] Parameters are documented in the `values.yaml` and added to the `README.md` using [readme-generator-for-helm](https://github.com/bitnami-labs/readme-generator-for-helm)
 - [ ] Breaking changes are documented in the `README.md`
 - [ ] Helm templating unittests are added (required when changing anything in `templates` folder)
 - [ ] Bash unittests are added (required when changing anything in `scripts` folder)
 - [ ] All added template resources MUST render a namespace in metadata
--- a/.gitea/scripts/add-annotations.sh
+++ b/.gitea/scripts/add-annotations.sh
@ -1,114 +0,0 @@
 #!/bin/bash
 set -e
 CHART_FILE="Chart.yaml"
 if [ ! -f "${CHART_FILE}" ]; then
  echo "ERROR: ${CHART_FILE} not found!" 1>&2
  exit 1
 fi
 DEFAULT_NEW_TAG="$(git tag --sort=-version:refname | head -n 1)"
 DEFAULT_OLD_TAG="$(git tag --sort=-version:refname | head -n 2 | tail -n 1)"
 if [ -z "${1}" ]; then
  read -p "Enter start tag [${DEFAULT_OLD_TAG}]: " OLD_TAG
  if [ -z "${OLD_TAG}" ]; then
    OLD_TAG="${DEFAULT_OLD_TAG}"
  fi
  while [ -z "$(git tag --list "${OLD_TAG}")" ]; do
    echo "ERROR: Tag '${OLD_TAG}' not found!" 1>&2
    read -p "Enter start tag [${DEFAULT_OLD_TAG}]: " OLD_TAG
    if [ -z "${OLD_TAG}" ]; then
      OLD_TAG="${DEFAULT_OLD_TAG}"
    fi
  done
 else
  OLD_TAG=${1}
  if [ -z "$(git tag --list "${OLD_TAG}")" ]; then
    echo "ERROR: Tag '${OLD_TAG}' not found!" 1>&2
    exit 1
  fi
 fi
 if [ -z "${2}" ]; then
  read -p "Enter end tag [${DEFAULT_NEW_TAG}]: " NEW_TAG
  if [ -z "${NEW_TAG}" ]; then
    NEW_TAG="${DEFAULT_NEW_TAG}"
  fi
  while [ -z "$(git tag --list "${NEW_TAG}")" ]; do
    echo "ERROR: Tag '${NEW_TAG}' not found!" 1>&2
    read -p "Enter end tag [${DEFAULT_NEW_TAG}]: " NEW_TAG
    if [ -z "${NEW_TAG}" ]; then
      NEW_TAG="${DEFAULT_NEW_TAG}"
    fi
  done
 else
  NEW_TAG=${2}
  if [ -z "$(git tag --list "${NEW_TAG}")" ]; then
    echo "ERROR: Tag '${NEW_TAG}' not found!" 1>&2
    exit 1
  fi
 fi
 CHANGE_LOG_YAML=$(mktemp)
 echo "[]" > "${CHANGE_LOG_YAML}"
 function map_type_to_kind() {
  case "${1}" in
    feat)
      echo "added"
    ;;
    fix)
      echo "fixed"
    ;;
    chore|style|test|ci|docs|refac)
      echo "changed"
    ;;
    revert)
      echo "removed"
    ;;
    sec)
      echo "security"
    ;;
    *)
      echo "skip"
    ;;
  esac
 }
 COMMIT_TITLES="$(git log --pretty=format:"%s" "${OLD_TAG}..${NEW_TAG}")"
 echo "INFO: Generate change log entries from ${OLD_TAG} until ${NEW_TAG}"
 while IFS= read -r line; do
  if [[ "${line}" =~ ^([a-zA-Z]+)(\([^\)]+\))?\:\ (.+)$ ]]; then
    TYPE="${BASH_REMATCH[1]}"
    KIND=$(map_type_to_kind "${TYPE}")
    if [ "${KIND}" == "skip" ]; then
      continue
    fi
    DESC="${BASH_REMATCH[3]}"
    echo "- ${KIND}: ${DESC}"
    jq --arg kind changed --arg description "$DESC" '. += [ $ARGS.named ]' < ${CHANGE_LOG_YAML} > ${CHANGE_LOG_YAML}.new
    mv ${CHANGE_LOG_YAML}.new ${CHANGE_LOG_YAML}
  fi
 done <<< "${COMMIT_TITLES}"
 if [ -s "${CHANGE_LOG_YAML}" ]; then
  yq --inplace --input-format json --output-format yml "${CHANGE_LOG_YAML}"
  yq --no-colors --inplace ".annotations.\"artifacthub.io/changes\" |= loadstr(\"${CHANGE_LOG_YAML}\") | sort_keys(.)" "${CHART_FILE}"
 else
  echo "ERROR: Changelog file is empty: ${CHANGE_LOG_YAML}" 1>&2
  exit 1
 fi
 rm "${CHANGE_LOG_YAML}"
--- a/.gitea/workflows/release-version.yml
+++ b/.gitea/workflows/release-version.yml
@ -1,146 +0,0 @@
 name: generate-chart
 on:
  push:
    branches:
      - "*"
 env:
  # renovate: datasource=docker depName=alpine/helm
  HELM_VERSION: "3.17.3"
 jobs:
  generate-chart-publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Determine Architecture and Operating System to support x86_64 and ARM based CI nodes
        run: |
          # determine operating system
          OS=$(uname | tr '[:upper:]' '[:lower:]')
          echo "OS=${OS}" >> $GITHUB_ENV
          echo "INFO: Set environment variable OS=${OS}"
          # determine architecture
          ARCH="$(uname -m)"
          case "${ARCH}" in
            aarch64) ARCH=arm64;;
            x86_64) ARCH=amd64;;
          esac
          echo "ARCH=${ARCH}" >> $GITHUB_ENV
          echo "INFO: Set environment variable ARCH=${ARCH}"
      - name: Install packages via apt
        run: |
          apt update --yes
          echo "INFO: Install packages via apt"
          apt install --yes curl ca-certificates curl gnupg jq
      - name: Install helm
        run: |
          curl --fail --location --output /dev/stdout --silent --show-error https://get.helm.sh/helm-v${{ env.HELM_VERSION }}-${OS}-${ARCH}.tar.gz | tar --extract --gzip --file /dev/stdin
          mv ${OS}-${ARCH}/helm /usr/local/bin/
          rm --force --recursive ${OS}-${ARCH} helm-v${{ env.HELM_VERSION }}-${OS}-${ARCH}.tar.gz
          helm version
      - name: Install yq
        env:
          YQ_VERSION: v4.45.4 # renovate: datasource=github-releases depName=mikefarah/yq
        run: |
          curl --fail --location --output /dev/stdout --silent --show-error https://github.com/mikefarah/yq/releases/download/${YQ_VERSION}/yq_${OS}_${ARCH}.tar.gz | tar --extract --gzip --file /dev/stdin
          mv yq_${OS}_${ARCH} /usr/local/bin
          rm --force --recursive yq_${OS}_${ARCH} yq_${OS}_${ARCH}.tar.gz
          yq --version
      - name: Install docker-ce via apt
        run: |
          echo "INFO: Install docker"
          install -m 0755 -d /etc/apt/keyrings
          curl --fail --location --silent --show-error https://download.docker.com/linux/ubuntu/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg
          chmod a+r /etc/apt/keyrings/docker.gpg
          echo "deb [arch="$(dpkg --print-architecture)" signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu "$(. /etc/os-release && echo "$VERSION_CODENAME")" stable" | tee /etc/apt/sources.list.d/docker.list > /dev/null
          apt update --yes
          apt install --yes python3 python3-pip apt-transport-https docker-ce-cli
      - name: Install awscli
        run: |
          echo "INFO: Install awscli via python pip"
          pip install awscli --break-system-packages
          aws --version
  #     - name: Import GPG key
  #       id: import_gpg
  #       uses: https://github.com/crazy-max/ghaction-import-gpg@v6
  #       with:
  #         gpg_private_key: ${{ secrets.GPGSIGN_KEY }}
  #         passphrase: ${{ secrets.GPGSIGN_PASSPHRASE }}
  #         fingerprint: CC64B1DB67ABBEECAB24B6455FC346329753F4B0
      - name: Add Artifacthub.io annotations
        run: |
          NEW_TAG=v12.0.0
          OLD_TAG=v11.0.1
          # NEW_TAG="$(git tag --sort=-version:refname | head --lines 1)"
          # OLD_TAG="$(git tag --sort=-version:refname | head --lines 2 | tail --lines 1)"
          .gitea/scripts/add-annotations.sh "${OLD_TAG}" "${NEW_TAG}"
      - name: Print Chart.yaml
        run: cat Chart.yaml
  #     # Using helm gpg plugin as 'helm package --sign' has issues with gpg2: https://github.com/helm/helm/issues/2843
  #     - name: package chart
  #       run: |
  #         echo ${{ secrets.DOCKER_CHARTS_PASSWORD }} | docker login -u ${{ secrets.DOCKER_CHARTS_USERNAME }} --password-stdin
  #         # FIXME: use upstream after https://github.com/technosophos/helm-gpg/issues/1 is solved
  #         helm plugin install https://github.com/pat-s/helm-gpg
  #         helm dependency build
  #         helm package --version "${GITHUB_REF#refs/tags/v}" ./
  #         mkdir gitea
  #         mv gitea*.tgz gitea/
  #         curl --fail --location --output gitea/index.yaml --silent --show-error https://dl.gitea.com/charts/index.yaml
  #         helm repo index gitea/ --url https://dl.gitea.com/charts --merge gitea/index.yaml
  #         # push to dockerhub
  #         echo ${{ secrets.DOCKER_CHARTS_PASSWORD }} | helm registry login -u ${{ secrets.DOCKER_CHARTS_USERNAME }} registry-1.docker.io --password-stdin
  #         helm push gitea/gitea-${GITHUB_REF#refs/tags/v}.tgz oci://registry-1.docker.io/giteacharts
  #         helm registry logout registry-1.docker.io
  #     - name: aws credential configure
  #       uses: https://github.com/aws-actions/configure-aws-credentials@v4
  #       with:
  #         aws-access-key-id: ${{ secrets.AWS_KEY_ID }}
  #         aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
  #         aws-region: ${{ secrets.AWS_REGION }}
  #     - name: Copy files to S3 and clear cache
  #       run: |
  #         aws s3 sync gitea/ s3://${{ secrets.AWS_S3_BUCKET}}/charts/
  # release-gitea:
  #   # needs: generate-chart-publish
  #   runs-on: ubuntu-latest
  #   container: docker.io/thegeeklab/git-sv:2.0.1
  #   steps:
  #     - name: install tools
  #       run: |
  #         apk add -q --update --no-cache nodejs
  #     - uses: actions/checkout@v4
  #       with:
  #         fetch-tags: true
  #         fetch-depth: 0
  #     - name: Create changelog
  #       run: |
  #         git sv current-version
  #         git sv release-notes -t ${GITHUB_REF#refs/tags/} -o CHANGELOG.md
  #         sed -i '1,2d' CHANGELOG.md # remove version
  #         cat CHANGELOG.md
  #     - name: Release
  #       uses: https://github.com/akkuman/gitea-release-action@v1
  #       with:
  #         body_path: CHANGELOG.md
  #         token: "${{ secrets.RELEASE_TOKEN }}"
--- a/.gitignore
+++ b/.gitignore
@ -1,4 +1,3 @@
 charts/
 node_modules/
 .DS_Store
 unittests/*/__snapshot__/
--- a/.gitmodules
+++ b/.gitmodules
@ -1,12 +0,0 @@
 [submodule "unittests/bash/bats"]
 	path = unittests/bash/bats
 	url = https://github.com/bats-core/bats-core.git
 [submodule "unittests/bash/test_helper/bats-support"]
 	path = unittests/bash/test_helper/bats-support
 	url = https://github.com/bats-core/bats-support.git
 [submodule "unittests/bash/test_helper/bats-assert"]
 	path = unittests/bash/test_helper/bats-assert
 	url = https://github.com/bats-core/bats-assert.git
 [submodule "unittests/bash/test_helper/bats-mock"]
 	path = unittests/bash/test_helper/bats-mock
 	url = https://github.com/jasonkarns/bats-mock.git
--- a/.gitsv/config.yaml
+++ b/.gitsv/config.yaml
@ -1,57 +0,0 @@
 version: '1.1' # Configuration version.
 versioning:
  update-major: [breaking] # Commit types used to bump major.
  update-minor: [feat, perf] # Commit types used to bump minor.
  update-patch: [build, ci, chore, fix, perf, refactor, test] # Commit types used to bump patch.
  # When type is not present on update rules and is unknown (not mapped on commit message types);
  # if ignore-unknown=false bump patch, if ignore-unknown=true do not bump version.
  ignore-unknown: false
 tag:
  pattern: 'v%d.%d.%d' # Pattern used to create git tag.
  filter: '' # Enables you to filter for considerable tags using git pattern syntax.
 release-notes:
  sections: # Array with each section of release note. Check template section for more information.
    - name: Breaking Changes
      section-type: breaking-changes
    - name: Features # Name used on section.
      section-type: commits # Type of the section, supported types: commits, breaking-changes.
      commit-types: [feat, perf] # Commit types for commit section-type, one commit type cannot be in more than one section.
    - name: Bug Fixes
      section-type: commits
      commit-types: [fix]
    - name: Maintenance
      section-type: commits
      commit-types: [chore, refactor]
    - name: Documentation
      commit-types: [docs]
      section-type: commits
    - name: CI
      commit-types: [ci]
      section-type: commits
 branches: # Git branches config.
  prefix: ([a-z]+\/)? # Prefix used on branch name, it should be a regex group.
  suffix: (-.*)? # Suffix used on branch name, it should be a regex group.
  disable-issue: false # Set true if there is no need to recover issue id from branch name.
  skip: [] # List of branch names ignored on commit message validation.
  skip-detached: false # Set true if a detached branch should be ignored on commit message validation.
 commit-message:
  # Supported commit types.
  types: [build, ci, chore, docs, feat, fix, perf, refactor, revert, style, test]
  header-selector: '' # You can put in a regex here to select only a certain part of the commit message. Please define a regex group 'header'.
  scope:
    # Define supported scopes, if blank, scope will not be validated, if not, only scope listed will be valid.
    # Don't forget to add "" on your list if you need to define scopes and keep it optional.
    values: []
  footer:
    issue: # Use "issue: {}" if you wish to disable issue footer.
      key: jira # Name used to define an issue on footer metadata.
      key-synonyms: [Jira, JIRA] # Supported variations for footer metadata.
      use-hash: false # If false, use :<space> separator. If true, use <space># separator.
      add-value-prefix: '' # Add a prefix to issue value.
  issue:
    regex: '[A-Z]+-[0-9]+' # Regex for issue id.
--- a/.helmignore
+++ b/.helmignore
@ -5,7 +5,6 @@
 # Common VCS dirs
 .git/
 .gitignore
 .gitmodules
 .bzr/
 .bzrignore
 .hg/
@ -26,16 +25,3 @@ node_modules/
 package.json
 package-lock.json
 .gitea/
 Makefile
 .markdownlintignore
 .markdownlint.yaml
 .drone.yml
 CONTRIBUTING.md
 unittests/
 .editorconfig
 .prettierignore
 .yamllint
 CODEOWNERS
 renovate.json5
 .commitlintrc.json
 .gitsv/
--- a/.markdownlint.yaml
+++ b/.markdownlint.yaml
@ -47,7 +47,7 @@ MD013:
  # Number of characters
  line_length: 200
  # Number of characters for headings
-  heading_line_length: 100
+  heading_line_length: 80
  # Number of characters for code blocks
  code_block_line_length: 80
  # Include code blocks
@ -73,7 +73,7 @@ MD022:
 # MD024/no-duplicate-heading/no-duplicate-header - Multiple headings with the same content
 MD024:
  # Only check sibling headings
-  siblings_only: true
+  allow_different_nesting: true
 # MD025/single-title/single-h1 - Multiple top-level headings in the same document
 MD025:
@ -106,7 +106,7 @@ MD030:
 # MD033/no-inline-html - Inline HTML
 MD033:
  # Allowed elements
-  allowed_elements: [details, summary]
+  allowed_elements: []
 # MD035/hr-style - Horizontal rule style
 MD035:
@ -129,9 +129,10 @@ MD041:
 MD044:
  # List of proper names
  names:
    - docker.gitea.com
  - Gitea
  - PostgreSQL
  - MariaDB
  - MySQL
  - Memcached
  - Prometheus
  - Git
--- a/.markdownlintignore
+++ b/.markdownlintignore
@ -1,4 +1,3 @@
 .gitea/
 node_modules/
 charts/
 Chart.lock
--- a/.prettierignore
+++ b/.prettierignore
@ -1 +0,0 @@
 Chart.lock
--- a/.vscode/extensions.json
+++ b/.vscode/extensions.json
@ -1,9 +0,0 @@
 {
    "recommendations": [
        "yzhang.markdown-all-in-one",
        "DavidAnson.vscode-markdownlint",
        "Tim-Koehler.helm-intellisense",
        "esbenp.prettier-vscode",
        "jetmartin.bats"
    ]
  }
--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@ -1,15 +0,0 @@
 {
    "yaml.schemas": {
        "https://raw.githubusercontent.com/helm-unittest/helm-unittest/v0.8.2/schema/helm-testsuite.json": [
            "/unittests/**/*.yaml"
        ]
    },
    "yaml.schemaStore.enable": true,
    "[bats]": {
        "editor.tabSize": 2
    },
    "[shellscript]": {
        "files.eol": "\n",
        "editor.tabSize": 2
    }
 }
--- a/.yamllint
+++ b/.yamllint
@ -1,20 +0,0 @@
 ---
 extends: default
 ignore: |
  .yamllint
  node_modules
  templates
  unittests/bash
 rules:
  truthy:
    allowed-values: ['true', 'false']
    check-keys: False
    level: error
  line-length: disable
  document-start: disable
  comments:
    min-spaces-from-content: 1
  braces:
    max-spaces-inside: 2
--- a/1
+++ b/1
@ -1 +0,0 @@
 charts/* @justusbunsi @pat-s
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@ -9,16 +9,20 @@ refactorings for easier maintainability or documentation improvements.
 - [`helm`](https://helm.sh/docs/intro/install/)
 - `make` is optional; you may call the commands directly
-When using Visual Studio Code as IDE, a [ready-to-use profile](.vscode/) is available.
+When using Visual Studio Code as IDE, following plugins might be useful:
 - [Markdown All in One](https://marketplace.visualstudio.com/items?itemName=yzhang.markdown-all-in-one)
 - [markdownlint](https://marketplace.visualstudio.com/items?itemName=DavidAnson.vscode-markdownlint)
 - [Helm Intellisense](https://marketplace.visualstudio.com/items?itemName=Tim-Koehler.helm-intellisense)
 ## Documentation Requirements
-The `README.md` must include all configuration options.
+The `README.md` must include all configuration options. The parameters section
-The parameters section is generated by extracting the parameter annotations from the `values.yaml` file, by using [this tool](https://github.com/bitnami-labs/readme-generator-for-helm).
+is generated by extracting the parameter annotations from the `values.yaml` file,
 by using [this tool](https://github.com/bitnami-labs/readme-generator-for-helm).
-If changes were made on configuration options, run `make readme` to update the README file.
+If changes were made on configuration options, run `make readme` to update the
-
+README file.
 The ToC is created via the VSCode [Markdown All in One](https://marketplace.visualstudio.com/items?itemName=yzhang.markdown-all-in-one) extension which can/must also be used used to update it.
 ## Pull Request Requirements
@ -29,7 +33,6 @@ When submitting or updating a PR:
 - try to avoid rebases. They make code reviews for large PRs and comments much harder.
 - if applicable, use the PR template for a well-defined PR description.
 - clearly mark breaking changes.
 - format the PR title following the [conventional commits](https://www.conventionalcommits.org/en/v1.0.0/#specification) schema
 ## Local development & testing
@ -37,44 +40,13 @@ For local development and testing of pull requests, the following workflow can
 be used:
 1. Install `minikube` and `helm`.
-1. Start a `minikube` cluster via `minikube start`.
+2. Start a `minikube` cluster via `minikube start`.
-1. From the `gitea/helm-gitea` directory execute the following command.
+3. From the `gitea/helm-chart` directory execute the following command. This
-   This will install the dependencies listed in `Chart.yml` and deploy the current state of the helm chart found locally.
+   will install the dependencies listed in `Chart.yml` and deploy the current
-   If you want to test a branch, make sure to switch to the respective branch first.
+   state of the helm chart found locally. If you want to test a branch, make
   sure to switch to the respective branch first.
  `helm install --dependency-update gitea . -f values.yaml`.
-1. Gitea is now deployed in `minikube`.
+4. Gitea is now deployed in `minikube`. To access it, it's port needs to be
-   To access it, it's port needs to be forwarded first from `minikube` to localhost first via `kubectl --namespace
+   forwarded first from `minikube` to localhost first via `kubectl --namespace
-default port-forward svc/gitea-http 3000:3000`.
+   default port-forward svc/gitea-http 3000:3000`. Now Gitea is accessible at
-   Now Gitea is accessible at [http://localhost:3000](http://localhost:3000).
+   [http://localhost:3000](http://localhost:3000).
 ### Unit tests
 #### Helm templating tests
 ```bash
 # install the unittest plugin
 $ helm plugin install https://github.com/helm-unittest/helm-unittest
 # run the Helm unittests
 make unittests-helm
 ```
 See [plugin documentation](https://github.com/helm-unittest/helm-unittest/blob/main/DOCUMENT.md) for usage instructions.
 #### Bash script tests
 ```bash
 # setup the environment
 git submodule update --init --recursive
 # run the bash tests
 make unittests-bash
 ```
 See [bats documentation](https://bats-core.readthedocs.io/en/stable/) for usage instructions.
 ## Release process
 1. Ensure you have [`git-sv`](https://github.com/thegeeklab/git-sv) installed
 1. Run `git sv tag` (this creates and pushes the tag following the respective next tag according to the semver commits issued since the last release)
 1. Let CI do it's work
--- a/Chart.lock
+++ b/Chart.lock
@ -1,15 +1,15 @@
 dependencies:
 - name: memcached
  repository: https://raw.githubusercontent.com/bitnami/charts/pre-2022/bitnami
  version: 5.9.0
 - name: mysql
  repository: https://raw.githubusercontent.com/bitnami/charts/pre-2022/bitnami
  version: 6.14.10
 - name: postgresql
-  repository: oci://registry-1.docker.io/bitnamicharts
+  repository: https://raw.githubusercontent.com/bitnami/charts/pre-2022/bitnami
-  version: 16.7.4
+  version: 10.3.17
- name: postgresql-ha
+- name: mariadb
-  repository: oci://registry-1.docker.io/bitnamicharts
+  repository: https://raw.githubusercontent.com/bitnami/charts/pre-2022/bitnami
-  version: 16.0.6
+  version: 9.3.6
- name: valkey-cluster
+digest: sha256:08f967276fa0c083e9756a974a9791a487a71be0a226dc14351b3e5a2641e8fd
-  repository: oci://registry-1.docker.io/bitnamicharts
+generated: "2022-06-11T12:18:36.672047+02:00"
  version: 3.0.10
 - name: valkey
  repository: oci://registry-1.docker.io/bitnamicharts
  version: 3.0.9
 digest: sha256:aeafc605b86db0ff3999cd808af1c9ca3a6a749aae0d42f2fdae89803b3bb60a
 generated: "2025-05-25T00:23:17.804516988Z"
--- a/Chart.yaml
+++ b/Chart.yaml
@ -3,9 +3,8 @@ name: gitea
 description: Gitea Helm chart for Kubernetes
 type: application
 version: 0.0.0
-# renovate datasource=github-releases depName=go-gitea/gitea extractVersion=^v(?<version>.*)$
+appVersion: 1.17.3
-appVersion: 1.23.8
+icon: https://docs.gitea.io/images/gitea.png
 icon: https://gitea.com/assets/img/logo.svg
 keywords:
  - git
@ -15,9 +14,9 @@ keywords:
  - gitea
  - gogs
 sources:
-  - https://gitea.com/gitea/helm-gitea
+  - https://gitea.com/gitea/helm-chart
  - https://github.com/go-gitea/gitea
-  - https://docker.gitea.com/gitea
+  - https://hub.docker.com/r/gitea/gitea/
 maintainers:
  - name: Charlie Drage
    email: charlie@charliedrage.com
@ -29,27 +28,22 @@ maintainers:
    email: lucas.hahn@novum-rgi.de
  - name: Steven Kriegler
    email: sk.bunsenbrenner@gmail.com
  - name: Patrick Schratz
    email: patrick.schratz@gmail.com
 # Bitnami charts are served from GitHub CDN - See https://github.com/bitnami/charts/issues/10539 for details
 dependencies:
-  # https://github.com/bitnami/charts/blob/main/bitnami/postgresql
+- name: memcached
  repository: https://raw.githubusercontent.com/bitnami/charts/pre-2022/bitnami
  version: 5.9.0
  condition: memcached.enabled
 - name: mysql
  repository: https://raw.githubusercontent.com/bitnami/charts/pre-2022/bitnami
  version: 6.14.10
  condition: mysql.enabled
 - name: postgresql
-    repository: oci://registry-1.docker.io/bitnamicharts
+  repository: https://raw.githubusercontent.com/bitnami/charts/pre-2022/bitnami
-    version: 16.7.4
+  version: 10.3.17
  condition: postgresql.enabled
-  # https://github.com/bitnami/charts/blob/main/bitnami/postgresql-ha/Chart.yaml
+- name: mariadb
-  - name: postgresql-ha
+  repository: https://raw.githubusercontent.com/bitnami/charts/pre-2022/bitnami
-    repository: oci://registry-1.docker.io/bitnamicharts
+  version: 9.3.6
-    version: 16.0.6
+  condition: mariadb.enabled
    condition: postgresql-ha.enabled
  # https://github.com/bitnami/charts/blob/main/bitnami/valkey-cluster/Chart.yaml
  - name: valkey-cluster
    repository: oci://registry-1.docker.io/bitnamicharts
    version: 3.0.10
    condition: valkey-cluster.enabled
  # https://github.com/bitnami/charts/blob/main/bitnami/valkey/Chart.yaml
  - name: valkey
    repository: oci://registry-1.docker.io/bitnamicharts
    version: 3.0.9
    condition: valkey.enabled
--- a/18
+++ b/18
@ -1,5 +1,3 @@
 SHELL := /usr/bin/env bash -O globstar
 .PHONY: prepare-environment
 prepare-environment:
 	npm install
@ -8,19 +6,3 @@ prepare-environment:
 readme: prepare-environment
 	npm run readme:parameters
 	npm run readme:lint
 .PHONY: unittests
 unittests: unittests-helm unittests-bash
 .PHONY: unittests-helm
 unittests-helm:
 	helm unittest --strict -f 'unittests/helm/**/*.yaml' -f 'unittests/helm/values-conflicting-checks.yaml' ./
 .PHONY: unittests-bash
 unittests-bash:
 	./unittests/bash/bats/bin/bats --pretty ./unittests/bash/tests/**/*.bats
 .PHONY: helm
 update-helm-dependencies:
 	helm dependency update
--- a/README.md
+++ b/README.md
--- a/docs/ha-setup.md
+++ b/docs/ha-setup.md
@ -1,178 +0,0 @@
 # High Availability
 All components (in-memory DB, volume/asset storage, code indexer) used by Gitea must be deployed in a HA-ready fashion to achieve a full HA-ready Gitea deployment.
 The following document explains how to achieve this for all individual components.
 The resulting Gitea deployment will consist of ~ 10 pods (depending on the chosen components and their replicas).
 One should evaluate upfront whether a HA-deployment is required as switching between HA/non-HA comes with some effort.
 For production instances, HA is always recommended to increase uptime and have a frictionless update process.
 A general comment about chart dependencies and external services:
 Instead of relying on chart dependencies, it is often better to rely on an external, (managed) instances (in-memory database, asset storage provider, database, etc.).
 Many cloud providers offer such services, at least for databases or in-memory databases.
 They might cost a bit more than using a self-hosted k8s variant but are usually easier to maintain and scale, if needed.
 Also they can be centrally managed and are not linked to the Gitea helm chart or namespace.
 Please consider using external services before you start with your Gitea HA setup, it will make your life (and the life of the Gitea maintainers) easier.
 This helm chart tries to help as much as possible to simplify and assert the provisioning of a HA-ready Gitea instance by implementing smart conditionals if `replicaCount` is set to a value > 1.
 Nevertheless, we cannot guarantee for every possible combination of Gitea settings to work together perfectly in a HA setup.
 As a general advice, we recommend to have a test environment aside on which to test possible changes/upgrades before applying these to a production installation.
 ## Requirements for HA
 Storage-wise, the HA-Gitea setup requires a RWX file-system which can be shared among the deployment-based replica pods.
 In addition, the following components are required for full HA-readiness:
 - A HA-ready issue (and optionally code) indexer: `elasticsearch` or `meilisearch`
 - A HA-ready external object/asset storage (`minio`) (optional, assets can also be stored on the RWX file-system)
 - A HA-ready cache (`valkey-cluster`)
 - A HA-ready DB
 `postgres.enabled`, which default to `true`, must be set to `false` for a HA setup.
 The default `postgres` chart dependency is not HA-ready (there's a dedicated `postgres-ha` chart).
 The following sections discuss each of the components in more detail.
 Note that for each component discussed, the shown configurations only provides a (working) starting point, not necessarily the most optimal setup.
 We try to optimize this document over time as we have gained more experience with HA setups from users.
 ## Indexers (Issues and code/repo)
 The default code indexer `bleve` is not able to allow multiple connections and hence cannot be used in a HA setup.
 Alternatives are `elasticsearch` and `meilisearch` (as of >= 1.19.2).
 Unless you have an existing `elasticsearch` cluster, we recommend using `meilisearch` as it is faster and requires way less resources.
 Unfortunately, `meilisearch` does only support the `ISSUE_INDEXER` and not the `REPO_INDEXER` yet ([tracking issue](https://github.com/go-gitea/gitea/pull/24149)).
 This means that the `REPO_INDEXER` must still be disabled for a HA setup right now.
 An alternative to the two options above for the `ISSUE_INDEXER` is `"db"`, however we recommend to just go with `meilisearch` in this case and to not bother the DB with indexing.
 To configure `meilisearch` within Gitea, do the following:
 ```yml
 gitea:
  config:
    indexer:
      ISSUE_INDEXER_CONN_STR: <http://meilisearch.<namespace>.svc.cluster.local:7700>
      ISSUE_INDEXER_ENABLED: true
      ISSUE_INDEXER_TYPE: meilisearch
      REPO_INDEXER_ENABLED: false
      # REPO_INDEXER_TYPE: meilisearch # not yet working
 ```
 Unfortunately `meilisearch` cannot be deployed in HA as of now.
 Nevertheless it allows for multiple Gitea requests at the same time and is therefore required in a HA setup.
 Exemplary configuration for the [meilisearch-kubernetes](https://github.com/meilisearch/meilisearch-kubernetes/tree/main/charts/meilisearch) chart:
 ```yaml
 persistence:
  enabled: true
  accessMode: ReadWriteOnce
  size: 5Gi
 ```
 ## Cache, session and queue
 A `valkey` instance is required for the in-memory cache.
 Two options exist:
 - `valkey`
 - `valkey-cluster`
 The chart provides `valkey-cluster` as a dependency as this one can be used for both HA and non-HA setups.
 You're also welcome to go with `valkey` if you prefer or already have a running instance.
 It should be noted that `valkey-cluster` support is only available starting with Gitea 1.19.2.
 You can also configure an external (managed) `valkey` instance to be used.
 To do so, you need to set the following configuration values yourself:
 - `gitea.config.queue.TYPE`: valkey`
 - `gitea.config.queue.CONN_STR`: `<your valkey connection string>`
 - `gitea.config.session.PROVIDER`: `valkey`
 - `gitea.config.session.PROVIDER_CONFIG`: `<your valkey connection string>`
 - `gitea.config.cache.ENABLED`: `true`
 - `gitea.config.cache.ADAPTER`: `valkey`
 - `gitea.config.cache.HOST`: `<your valkey connection string>`
 By default, the `valkey-cluster` chart provisions three standalone master nodes of which each has a single replica.
 To reduce the number of pods for a default Gitea deployment, we opted to omit the replicas (`replicas: 0`) by default.
 Only the minimum required number of master pods for a functional `valkey-cluster` deployment are provisioned.
 For a "proper" `valkey-cluster` setup however, we recommend to set `replicas: 1` and `nodes: 6`.
 ## Object and asset storage
 Object/asset storage refers to the storage of attachments, avatars, LFS files, etc.
 While most of these can be stored on the RWX file-system, it is recommended to use an external S3-compatible object storage for such, mainly for performance reasons.
 By default the chart provisions a single RWO volume to store everything (repos, avatars, packages, etc.).
 This volume cannot be mounted by multiple pods.
 Hence, a RWX volume is required and (optionally) an external HA-ready object storage.
 > **Note:** Double-check that the file permissions are set correctly on the RWX volume! That is everything should be owned by the `git` user which usually has `uid=1000` and `gid=1000`.
 To use `minio` you need to deploy and configure an external `minio` instance yourself and explicitly define the `STORAGE_TYPE` values as shown below.
 Note that `MINIO_BUCKET` here is just a name and does not refer to a S3 bucket.
 It's the root access point for all objects belonging to the respective application, i.e., to Gitea in this case.
 ```yaml
 gitea:
  config:
    attachment:
      STORAGE_TYPE: minio
    lfs:
      STORAGE_TYPE: minio
    picture:
      AVATAR_STORAGE_TYPE: minio
    "storage.packages":
      STORAGE_TYPE: minio
    storage:
      MINIO_ENDPOINT: <minio-headless.<namespace>.svc.cluster.local:9000>
      MINIO_LOCATION: <location>
      MINIO_ACCESS_KEY_ID: <access key>
      MINIO_SECRET_ACCESS_KEY: <secret key>
      MINIO_BUCKET: <bucket name>
      MINIO_USE_SSL: false
 ```
 Exemplary configuration for the [bitnami minio](https://github.com/bitnami/charts/blob/main/bitnami/minio) chart:
 ```yaml
 auth:
  rootUser: minio
 mode: distributed
 replicaCount: 4
 persistence:
  enabled: true
  size: 20Gi
  accessModes:
    - ReadWriteOnce
 ```
 ## Database
 If you do not have an HA-ready DB, using a managed database service in the cloud might be the easiest and most robust solution.
 Remember: disable the built-in `postgres` dependency and configure the database connection manually via `gitea.config.database`:
 ```yml
 gitea:
  database:
    builtIn:
      postgresql:
        enabled: false
  config:
    database:
      DB_TYPE: postgres
      HOST: <host>
      NAME: <name>
      USER: <user>
 ```
 ## Known issues
 - Currently Cron jobs are run on all replicas as no leader election is implemented.
  See [https://github.com/go-gitea/gitea/issues/13791](https://github.com/go-gitea/gitea/issues/13791) for a discussion and possible solution.
 - Running with multiple replicas slows down Gitea a bit, i.e. page loading time increases. 
--- a/package-lock.json
+++ b/package-lock.json
--- a/package.json
+++ b/package.json
@ -1,6 +1,6 @@
 {
-  "name": "gitea-helm",
+  "name": "gitea-helm-chart",
-  "homepage": "https://gitea.com/gitea/helm-gitea.git",
+  "homepage": "https://gitea.com/gitea/helm-chart.git",
  "license": "MIT",
  "private": true,
  "engineStrict": true,
@ -13,7 +13,7 @@
    "readme:parameters": "readme-generator -v values.yaml -r README.md"
  },
  "devDependencies": {
-    "@bitnami/readme-generator-for-helm": "^2.5.0",
+    "markdownlint-cli": "^0.31.1",
-    "markdownlint-cli": "^0.44.0"
+    "readme-generator-for-helm": "https://github.com/bitnami-labs/readme-generator-for-helm/tarball/498ea5d19478a36556f1636e1e041a7510d09289"
  }
 }
--- a/renovate.json5
+++ b/renovate.json5
@ -1,124 +0,0 @@
 {
  $schema: 'https://docs.renovatebot.com/renovate-schema.json',
  extends: [
    'gitea>gitea/renovate-config',
    ':automergeMinor',
    'schedule:automergeDaily',
    'schedule:weekends',
  ],
  labels: [
    'kind/dependency',
  ],
  digest: {
    automerge: true,
  },
  automergeStrategy: 'squash',
  'git-submodules': {
    enabled: true,
  },
  customManagers: [
    {
      description: 'Gitea-version of https://docs.renovatebot.com/presets-regexManagers/#regexmanagersgithubactionsversions',
      customType: 'regex',
      managerFilePatterns: [
        '/.gitea/workflows/.+\\.ya?ml$/',
      ],
      matchStrings: [
        '# renovate: datasource=(?<datasource>[a-z-.]+?) depName=(?<depName>[^\\s]+?)(?: (?:lookupName|packageName)=(?<packageName>[^\\s]+?))?(?: versioning=(?<versioning>[a-z-0-9]+?))?\\s+[A-Za-z0-9_]+?_VERSION\\s*:\\s*["\']?(?<currentValue>.+?)["\']?\\s',
      ],
    },
    {
      description: 'Detect helm-unittest yaml schema file',
      customType: 'regex',
      managerFilePatterns: [
        '/.vscode/settings\\.json$/',
      ],
      matchStrings: [
        'https:\\/\\/raw\\.githubusercontent\\.com\\/(?<depName>[^\\s]+?)\\/(?<currentValue>v[0-9.]+?)\\/schema\\/helm-testsuite\\.json',
      ],
      datasourceTemplate: 'github-releases',
    },
    {
      description: 'Automatically detect new Gitea releases',
      customType: 'regex',
      managerFilePatterns: [
        '/(^|/)Chart\\.yaml$/',
      ],
      matchStrings: [
        '# renovate datasource=(?<datasource>\\S+) depName=(?<depName>\\S+) extractVersion=(?<extractVersion>\\S+)\\nappVersion:\\s?(?<currentValue>\\S+)\\n',
      ],
    },
  ],
  packageRules: [
    {
      groupName: 'subcharts (minor & patch)',
      matchManagers: [
        'helmv3',
      ],
      matchUpdateTypes: [
        'minor',
        'patch',
        'digest',
      ],
    },
    {
      groupName: 'bats testing framework',
      matchManagers: [
        'git-submodules',
      ],
      matchUpdateTypes: [
        'minor',
        'patch',
        'digest',
      ],
    },
    {
      groupName: 'workflow dependencies (minor & patch)',
      matchManagers: [
        'github-actions',
        'npm',
        'custom.regex',
      ],
      matchUpdateTypes: [
        'minor',
        'patch',
        'digest',
      ],
      matchFileNames: [
        '!Chart.yaml',
      ],
    },
    {
      description: 'Update README.md on changes in values.yaml',
      matchManagers: [
        'helm-values',
      ],
      postUpgradeTasks: {
        commands: [
          'install-tool node',
          'make readme',
        ],
        fileFilters: [
          'README.md',
        ],
        executionMode: 'update',
      },
    },
    {
      description: 'Override changelog url for Helm image, to have release notes in our PRs',
      matchDepNames: [
        'alpine/helm',
      ],
      changelogUrl: 'https://github.com/helm/helm',
    },
    {
      description: 'Bump Gitea as fast as possible - not only on weekends',
      matchDepNames: [
        'go-gitea/gitea',
      ],
      schedule: [
        'at any time',
      ],
    },
  ],
 }
--- a/scripts/act_runner/token.sh
+++ b/scripts/act_runner/token.sh
@ -1,43 +0,0 @@
 #!/bin/sh
 set -eu
 timeout_delay=15
 check_token() {
  set +e
  echo "Checking for existing token..."
  token="$(kubectl get secret "$SECRET_NAME" -o jsonpath="{.data['token']}" 2> /dev/null)"
  [ $? -ne 0 ] && return 1
  [ -z "$token" ] && return 2
  return 0
 }
 create_token() {
  echo "Waiting for new token to be generated..."
  begin=$(date +%s)
  end=$((begin + timeout_delay))
  while true; do
    [ -f /data/actions/token ] && return 0
    [ "$(date +%s)" -gt $end ] && return 1
    sleep 5
  done
 }
 store_token() {
  echo "Storing the token in Kubernetes secret..."
  kubectl patch secret "$SECRET_NAME" -p "{\"data\":{\"token\":\"$(base64 /data/actions/token | tr -d '\n')\"}}"
 }
 if check_token; then
  echo "Key already in place, exiting."
  exit
 fi
 if ! create_token; then
  echo "Checking for an existing act runner token in secret $SECRET_NAME timed out after $timeout_delay"
  exit 1
 fi
 store_token
--- a/scripts/init-containers/config/config_environment.sh
+++ b/scripts/init-containers/config/config_environment.sh
@ -1,154 +0,0 @@
 #!/usr/bin/env bash
 set -euo pipefail
 function env2ini::log() {
  printf "${1}\n"
 }
 function env2ini::read_config_to_env() {
  local section="${1}"
  local line="${2}"
  if [[ -z "${line}" ]]; then
    # skip empty line
    return
  fi
  # 'xargs echo -n' trims all leading/trailing whitespaces and a trailing new line
  local setting="$(awk -F '=' '{print $1}' <<< "${line}" | xargs echo -n)"
  if [[ -z "${setting}" ]]; then
    env2ini::log '  ! invalid setting'
    exit 1
  fi
  local value=''
  local regex="^${setting}(\s*)=(\s*)(.*)"
  if [[ $line =~ $regex ]]; then
    value="${BASH_REMATCH[3]}"
  else
    env2ini::log '  ! invalid setting'
    exit 1
  fi
  env2ini::log "    + '${setting}'"
  if [[ -z "${section}" ]]; then
    export "GITEA____${setting^^}=${value}"                           # '^^' makes the variable content uppercase
    return
  fi
  local masked_section="${section//./_0X2E_}"                            # '//' instructs to replace all matches
  masked_section="${masked_section//-/_0X2D_}"
  export "GITEA__${masked_section^^}__${setting^^}=${value}"        # '^^' makes the variable content uppercase
 }
 function env2ini::reload_preset_envs() {
  env2ini::log "Reloading preset envs..."
  while read -r line; do
    if [[ -z "${line}" ]]; then
      # skip empty line
      return
    fi
    # 'xargs echo -n' trims all leading/trailing whitespaces and a trailing new line
    local setting="$(awk -F '=' '{print $1}' <<< "${line}" | xargs echo -n)"
    if [[ -z "${setting}" ]]; then
      env2ini::log '  ! invalid setting'
      exit 1
    fi
    local value=''
    local regex="^${setting}(\s*)=(\s*)(.*)"
    if [[ $line =~ $regex ]]; then
      value="${BASH_REMATCH[3]}"
    else
      env2ini::log '  ! invalid setting'
      exit 1
    fi
    env2ini::log "  + '${setting}'"
    export "${setting^^}=${value}"                           # '^^' makes the variable content uppercase
  done < "$TMP_EXISTING_ENVS_FILE"
  rm $TMP_EXISTING_ENVS_FILE
 }
 function env2ini::process_config_file() {
  local config_file="${1}"
  local section="$(basename "${config_file}")"
  if [[ $section == '_generals_' ]]; then
    env2ini::log "  [ini root]"
    section=''
  else
    env2ini::log "  ${section}"
  fi
  while read -r line; do
    env2ini::read_config_to_env "${section}" "${line}"
  done < <(awk 1 "${config_file}")                             # Helm .toYaml trims the trailing new line which breaks line processing; awk 1 ... adds it back while reading
 }
 function env2ini::load_config_sources() {
  local path="${1}"
  if [[ -d "${path}" ]]; then
    env2ini::log "Processing $(basename "${path}")..."
    while read -d '' configFile; do
      env2ini::process_config_file "${configFile}"
    done < <(find "${path}" -type l -not -name '..data' -print0)
    env2ini::log "\n"
  fi
 }
 function env2ini::generate_initial_secrets() {
  # These environment variables will either be
  #   - overwritten with user defined values,
  #   - initially used to set up Gitea
  # Anyway, they won't harm existing app.ini files
  export GITEA__SECURITY__INTERNAL_TOKEN=$(gitea generate secret INTERNAL_TOKEN)
  export GITEA__SECURITY__SECRET_KEY=$(gitea generate secret SECRET_KEY)
  export GITEA__OAUTH2__JWT_SECRET=$(gitea generate secret JWT_SECRET)
  export GITEA__SERVER__LFS_JWT_SECRET=$(gitea generate secret LFS_JWT_SECRET)
  env2ini::log "...Initial secrets generated\n"
 }
 # save existing envs prior to script execution. Necessary to keep order of preexisting and custom envs
 env | (grep -e '^GITEA__' || [[ $? == 1 ]]) > $TMP_EXISTING_ENVS_FILE
 # MUST BE CALLED BEFORE OTHER CONFIGURATION
 env2ini::generate_initial_secrets
 env2ini::load_config_sources "$ENV_TO_INI_MOUNT_POINT/inlines/"
 env2ini::load_config_sources "$ENV_TO_INI_MOUNT_POINT/additionals/"
 # load existing envs to override auto generated envs
 env2ini::reload_preset_envs
 env2ini::log "=== All configuration sources loaded ===\n"
 # safety to prevent rewrite of secret keys if an app.ini already exists
 if [ -f ${GITEA_APP_INI} ]; then
  env2ini::log 'An app.ini file already exists. To prevent overwriting secret keys, these settings are dropped and remain unchanged:'
  env2ini::log '  - security.INTERNAL_TOKEN'
  env2ini::log '  - security.SECRET_KEY'
  env2ini::log '  - oauth2.JWT_SECRET'
  env2ini::log '  - server.LFS_JWT_SECRET'
  unset GITEA__SECURITY__INTERNAL_TOKEN
  unset GITEA__SECURITY__SECRET_KEY
  unset GITEA__OAUTH2__JWT_SECRET
  unset GITEA__SERVER__LFS_JWT_SECRET
 fi
 environment-to-ini -o $GITEA_APP_INI
--- a/scripts/init-containers/init/configure_gpg_environment.sh
+++ b/scripts/init-containers/init/configure_gpg_environment.sh
@ -1,4 +0,0 @@
 #!/usr/bin/env bash
 set -eu
 gpg --batch --import "$TMP_RAW_GPG_KEY"
--- a/templates/NOTES.txt
+++ b/templates/NOTES.txt
@ -18,19 +18,3 @@
  echo "Visit http://127.0.0.1:{{ .Values.service.http.port }} to use your application"
  kubectl --namespace {{ .Release.Namespace }} port-forward svc/{{ .Release.Name }}-http {{ .Values.service.http.port }}:{{ .Values.service.http.port }}
 {{- end }}
 {{- $warnings := list -}}
 {{- if eq (get .Values.gitea.config.cache "ADAPTER") "memory" -}}
  {{- $warnings = append $warnings "Gitea uses 'memory' for caching which is not recommended for production use. See https://docs.gitea.com/next/administration/config-cheat-sheet#cache-cache for available options." -}}
 {{- end }}
 {{- if eq (get .Values.gitea.config.queue "TYPE") "level" -}}
  {{- $warnings = append $warnings "Gitea uses 'leveldb' for queue actions which is not recommended for production use. See https://docs.gitea.com/next/administration/config-cheat-sheet#queue-queue-and-queue for available options." -}}
 {{- end }}
 {{- if eq (get .Values.gitea.config.session "PROVIDER") "memory" -}}
  {{- $warnings = append $warnings "Gitea uses 'memory' for sessions which is not recommended for production use. See https://docs.gitea.com/next/administration/config-cheat-sheet#session-session for available options." -}}
 {{- end }}
 {{- if gt (len $warnings) 0 }}
 2. Review these warnings:
 {{- range $warnings }}
  - {{ . }}
 {{- end }}
 {{- end }}
--- a/templates/_helpers.tpl
+++ b/templates/_helpers.tpl
@ -2,7 +2,6 @@
 {{/*
 Expand the name of the chart.
 */}}
 {{- define "gitea.name" -}}
 {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
 {{- end -}}
@ -25,13 +24,6 @@ If release name contains chart name it will be used as a full name.
 {{- end -}}
 {{- end -}}
 {{/*
 Create a default worker name.
 */}}
 {{- define "gitea.workername" -}}
 {{- printf "%s-%s" .global.Release.Name .worker | trunc 63 | trimSuffix "-" -}}
 {{- end -}}
 {{/*
 Create chart name and version as used by the chart label.
 */}}
@ -43,22 +35,14 @@ Create chart name and version as used by the chart label.
 Create image name and tag used by the deployment.
 */}}
 {{- define "gitea.image" -}}
 {{- $fullOverride := .Values.image.fullOverride | default "" -}}
 {{- $registry := .Values.global.imageRegistry | default .Values.image.registry -}}
-{{- $repository := .Values.image.repository -}}
+{{- $name := .Values.image.repository -}}
-{{- $separator := ":" -}}
+{{- $tag := .Values.image.tag | default .Chart.AppVersion -}}
 {{- $tag := .Values.image.tag | default .Chart.AppVersion | toString -}}
 {{- $rootless := ternary "-rootless" "" (.Values.image.rootless) -}}
-{{- $digest := "" -}}
+{{- if $registry -}}
-{{- if .Values.image.digest }}
+  {{- printf "%s/%s:%s%s" $registry $name $tag $rootless -}}
    {{- $digest = (printf "@%s" (.Values.image.digest | toString)) -}}
 {{- end -}}
 {{- if $fullOverride }}
    {{- printf "%s" $fullOverride -}}
 {{- else if $registry }}
    {{- printf "%s/%s%s%s%s%s" $registry $repository $separator $tag $rootless $digest -}}
 {{- else -}}
-    {{- printf "%s%s%s%s%s" $repository $separator $tag $rootless $digest -}}
+  {{- printf "%s:%s%s" $name $tag $rootless -}}
 {{- end -}}
 {{- end -}}
@ -81,7 +65,7 @@ imagePullSecrets:
 Storage Class
 */}}
 {{- define "gitea.persistence.storageClass" -}}
-{{- $storageClass :=  (tpl ( default "" .Values.persistence.storageClass) .) | default (tpl ( default "" .Values.global.storageClass) .) }}
+{{- $storageClass := .Values.global.storageClass | default .Values.persistence.storageClass }}
 {{- if $storageClass }}
 storageClassName: {{ $storageClass | quote }}
 {{- end }}
@ -99,15 +83,6 @@ version: {{ .Values.image.tag | default .Chart.AppVersion | quote }}
 app.kubernetes.io/managed-by: {{ .Release.Service }}
 {{- end -}}
 {{- define "gitea.labels.actRunner" -}}
 helm.sh/chart: {{ include "gitea.chart" . }}
 app: {{ include "gitea.name" . }}-act-runner
 {{ include "gitea.selectorLabels.actRunner" . }}
 app.kubernetes.io/version: {{ .Values.image.tag | default .Chart.AppVersion | quote }}
 version: {{ .Values.image.tag | default .Chart.AppVersion | quote }}
 app.kubernetes.io/managed-by: {{ .Release.Service }}
 {{- end -}}
 {{/*
 Selector labels
 */}}
@ -116,51 +91,24 @@ app.kubernetes.io/name: {{ include "gitea.name" . }}
 app.kubernetes.io/instance: {{ .Release.Name }}
 {{- end -}}
 {{- define "gitea.selectorLabels.actRunner" -}}
 app.kubernetes.io/name: {{ include "gitea.name" . }}-act-runner
 app.kubernetes.io/instance: {{ .Release.Name }}
 {{- end -}}
 {{- define "postgresql-ha.dns" -}}
 {{- if (index .Values "postgresql-ha").enabled -}}
 {{- printf "%s-postgresql-ha-pgpool.%s.svc.%s:%g" .Release.Name .Release.Namespace .Values.clusterDomain (index .Values "postgresql-ha" "service" "ports" "postgresql") -}}
 {{- end -}}
 {{- end -}}
 {{- define "postgresql.dns" -}}
-{{- if (index .Values "postgresql").enabled -}}
+{{- printf "%s-postgresql.%s.svc.%s:%g" .Release.Name .Release.Namespace .Values.clusterDomain .Values.postgresql.global.postgresql.servicePort -}}
 {{- printf "%s-postgresql.%s.svc.%s:%g" .Release.Name .Release.Namespace .Values.clusterDomain .Values.postgresql.global.postgresql.service.ports.postgresql -}}
 {{- end -}}
 {{- end -}}
-{{- define "valkey.dns" -}}
+{{- define "mysql.dns" -}}
-{{- if and ((index .Values "valkey-cluster").enabled) ((index .Values "valkey").enabled) -}}
+{{- printf "%s-mysql.%s.svc.%s:%g" .Release.Name .Release.Namespace .Values.clusterDomain .Values.mysql.service.port | trunc 63 | trimSuffix "-" -}}
 {{- fail "valkey and valkey-cluster cannot be enabled at the same time. Please only choose one." -}}
 {{- else if (index .Values "valkey-cluster").enabled -}}
 {{- printf "redis+cluster://:%s@%s-valkey-cluster-headless.%s.svc.%s:%g/0?pool_size=100&idle_timeout=180s&" (index .Values "valkey-cluster").global.valkey.password .Release.Name .Release.Namespace .Values.clusterDomain (index .Values "valkey-cluster").service.ports.valkey -}}
 {{- else if (index .Values "valkey").enabled -}}
 {{- printf "redis://:%s@%s-valkey-headless.%s.svc.%s:%g/0?pool_size=100&idle_timeout=180s&" (index .Values "valkey").global.valkey.password .Release.Name .Release.Namespace .Values.clusterDomain (index .Values "valkey").master.service.ports.valkey -}}
 {{- end -}}
 {{- end -}}
-{{- define "valkey.port" -}}
+{{- define "mariadb.dns" -}}
-{{- if (index .Values "valkey-cluster").enabled -}}
+{{- printf "%s-mariadb.%s.svc.%s:%g" .Release.Name .Release.Namespace .Values.clusterDomain .Values.mariadb.primary.service.port | trunc 63 | trimSuffix "-" -}}
 {{ (index .Values "valkey-cluster").service.ports.valkey }}
 {{- else if (index .Values "valkey").enabled -}}
 {{ (index .Values "valkey").master.service.ports.valkey }}
 {{- end -}}
 {{- end -}}
-{{- define "valkey.servicename" -}}
+{{- define "memcached.dns" -}}
-{{- if (index .Values "valkey-cluster").enabled -}}
+{{- printf "%s-memcached.%s.svc.%s:%g" .Release.Name .Release.Namespace .Values.clusterDomain .Values.memcached.service.port | trunc 63 | trimSuffix "-" -}}
 {{- printf "%s-valkey-cluster-headless.%s.svc.%s" .Release.Name .Release.Namespace .Values.clusterDomain -}}
 {{- else if (index .Values "valkey").enabled -}}
 {{- printf "%s-valkey-headless.%s.svc.%s" .Release.Name .Release.Namespace .Values.clusterDomain -}}
 {{- end -}}
 {{- end -}}
 {{- define "gitea.default_domain" -}}
-{{- printf "%s-http.%s.svc.%s" (include "gitea.fullname" .) .Release.Namespace .Values.clusterDomain -}}
+{{- printf "%s-gitea.%s.svc.%s" (include "gitea.fullname" .) .Release.Namespace .Values.clusterDomain | trunc 63 | trimSuffix "-" -}}
 {{- end -}}
 {{- define "gitea.ldap_settings" -}}
@ -242,7 +190,6 @@ https
      {{- else -}}
        {{- (printf "Key %s cannot be on top level of configuration" $key) | fail -}}
      {{- end -}}
    {{- end }}
  {{- end }}
@ -272,21 +219,6 @@ https
  {{- if not (hasKey .Values.gitea.config "oauth2") -}}
    {{- $_ := set .Values.gitea.config "oauth2" dict -}}
  {{- end -}}
  {{- if not (hasKey .Values.gitea.config "session") -}}
    {{- $_ := set .Values.gitea.config "session" dict -}}
  {{- end -}}
  {{- if not (hasKey .Values.gitea.config "queue") -}}
    {{- $_ := set .Values.gitea.config "queue" dict -}}
  {{- end -}}
  {{- if not (hasKey .Values.gitea.config "queue.issue_indexer") -}}
    {{- $_ := set .Values.gitea.config "queue.issue_indexer" dict -}}
  {{- end -}}
  {{- if not (hasKey .Values.gitea.config "indexer") -}}
    {{- $_ := set .Values.gitea.config "indexer" dict -}}
  {{- end -}}
  {{- if not (hasKey .Values.gitea.config "actions") -}}
    {{- $_ := set .Values.gitea.config "actions" dict -}}
  {{- end -}}
 {{- end -}}
 {{- define "gitea.inline_configuration.defaults" -}}
@ -302,39 +234,12 @@ https
  {{- if not (hasKey .Values.gitea.config.metrics "ENABLED") -}}
    {{- $_ := set .Values.gitea.config.metrics "ENABLED" .Values.gitea.metrics.enabled -}}
  {{- end -}}
-  {{- if and (not (hasKey .Values.gitea.config.metrics "TOKEN")) (.Values.gitea.metrics.token) (.Values.gitea.metrics.enabled) -}}
+  {{- if .Values.memcached.enabled -}}
-    {{- $_ := set .Values.gitea.config.metrics "TOKEN" .Values.gitea.metrics.token -}}
+    {{- $_ := set .Values.gitea.config.cache "ENABLED" "true" -}}
    {{- $_ := set .Values.gitea.config.cache "ADAPTER" "memcache" -}}
    {{- if not (.Values.gitea.config.cache.HOST) -}}
      {{- $_ := set .Values.gitea.config.cache "HOST" (include "memcached.dns" .) -}}
    {{- end -}}
  {{- /* valkey queue */ -}}
  {{- if or ((index .Values "valkey-cluster").enabled) ((index .Values "valkey").enabled) -}}
    {{- $_ := set .Values.gitea.config.queue "TYPE" "redis" -}}
    {{- $_ := set .Values.gitea.config.queue "CONN_STR" (include "valkey.dns" .) -}}
    {{- $_ := set .Values.gitea.config.session "PROVIDER" "redis" -}}
    {{- $_ := set .Values.gitea.config.session "PROVIDER_CONFIG" (include "valkey.dns" .) -}}
    {{- $_ := set .Values.gitea.config.cache "ADAPTER" "redis" -}}
    {{- $_ := set .Values.gitea.config.cache "HOST" (include "valkey.dns" .) -}}
  {{- else -}}
    {{- if not (get .Values.gitea.config.session "PROVIDER") -}}
      {{- $_ := set .Values.gitea.config.session "PROVIDER" "memory" -}}
    {{- end -}}
    {{- if not (get .Values.gitea.config.session "PROVIDER_CONFIG") -}}
      {{- $_ := set .Values.gitea.config.session "PROVIDER_CONFIG" "" -}}
    {{- end -}}
    {{- if not (get .Values.gitea.config.queue "TYPE") -}}
      {{- $_ := set .Values.gitea.config.queue "TYPE" "level" -}}
    {{- end -}}
    {{- if not (get .Values.gitea.config.queue "CONN_STR") -}}
      {{- $_ := set .Values.gitea.config.queue "CONN_STR" "" -}}
    {{- end -}}
    {{- if not (get .Values.gitea.config.cache "ADAPTER") -}}
      {{- $_ := set .Values.gitea.config.cache "ADAPTER" "memory" -}}
    {{- end -}}
    {{- if not (get .Values.gitea.config.cache "HOST") -}}
      {{- $_ := set .Values.gitea.config.cache "HOST" "" -}}
    {{- end -}}
  {{- end -}}
  {{- if not .Values.gitea.config.indexer.ISSUE_INDEXER_TYPE -}}
     {{- $_ := set .Values.gitea.config.indexer "ISSUE_INDEXER_TYPE" "db" -}}
  {{- end -}}
 {{- end -}}
@ -347,7 +252,7 @@ https
  {{- end -}}
  {{- if not (.Values.gitea.config.server.DOMAIN) -}}
    {{- if gt (len .Values.ingress.hosts) 0 -}}
-      {{- $_ := set .Values.gitea.config.server "DOMAIN" ( tpl (index .Values.ingress.hosts 0).host $) -}}
+      {{- $_ := set .Values.gitea.config.server "DOMAIN" (index .Values.ingress.hosts 0).host -}}
    {{- else -}}
      {{- $_ := set .Values.gitea.config.server "DOMAIN" (include "gitea.default_domain" .) -}}
    {{- end -}}
@ -382,23 +287,30 @@ https
 {{- end -}}
 {{- define "gitea.inline_configuration.defaults.database" -}}
-  {{- if (index .Values "postgresql-ha" "enabled") -}}
+  {{- if .Values.postgresql.enabled -}}
    {{- $_ := set .Values.gitea.config.database "DB_TYPE"   "postgres" -}}
    {{- if not (.Values.gitea.config.database.HOST) -}}
      {{- $_ := set .Values.gitea.config.database "HOST"      (include "postgresql-ha.dns" .) -}}
    {{- end -}}
    {{- $_ := set .Values.gitea.config.database "NAME"      (index .Values "postgresql-ha" "global" "postgresql" "database") -}}
    {{- $_ := set .Values.gitea.config.database "USER"      (index .Values "postgresql-ha" "global" "postgresql" "username") -}}
    {{- $_ := set .Values.gitea.config.database "PASSWD"    (index .Values "postgresql-ha" "global" "postgresql" "password") -}}
  {{- end -}}
  {{- if (index .Values "postgresql" "enabled") -}}
    {{- $_ := set .Values.gitea.config.database "DB_TYPE"   "postgres" -}}
    {{- if not (.Values.gitea.config.database.HOST) -}}
      {{- $_ := set .Values.gitea.config.database "HOST"      (include "postgresql.dns" .) -}}
    {{- end -}}
-    {{- $_ := set .Values.gitea.config.database "NAME"      .Values.postgresql.global.postgresql.auth.database -}}
+    {{- $_ := set .Values.gitea.config.database "NAME"      .Values.postgresql.global.postgresql.postgresqlDatabase -}}
-    {{- $_ := set .Values.gitea.config.database "USER"      .Values.postgresql.global.postgresql.auth.username -}}
+    {{- $_ := set .Values.gitea.config.database "USER"      .Values.postgresql.global.postgresql.postgresqlUsername -}}
-    {{- $_ := set .Values.gitea.config.database "PASSWD"    .Values.postgresql.global.postgresql.auth.password -}}
+    {{- $_ := set .Values.gitea.config.database "PASSWD"    .Values.postgresql.global.postgresql.postgresqlPassword -}}
  {{- else if .Values.mysql.enabled -}}
    {{- $_ := set .Values.gitea.config.database "DB_TYPE"   "mysql" -}}
    {{- if not (.Values.gitea.config.database.HOST) -}}
      {{- $_ := set .Values.gitea.config.database "HOST"      (include "mysql.dns" .) -}}
    {{- end -}}
    {{- $_ := set .Values.gitea.config.database "NAME"      .Values.mysql.db.name -}}
    {{- $_ := set .Values.gitea.config.database "USER"      .Values.mysql.db.user -}}
    {{- $_ := set .Values.gitea.config.database "PASSWD"    .Values.mysql.db.password -}}
  {{- else if .Values.mariadb.enabled -}}
    {{- $_ := set .Values.gitea.config.database "DB_TYPE"   "mysql" -}}
    {{- if not (.Values.gitea.config.database.HOST) -}}
      {{- $_ := set .Values.gitea.config.database "HOST"      (include "mariadb.dns" .) -}}
    {{- end -}}
    {{- $_ := set .Values.gitea.config.database "NAME"      .Values.mariadb.auth.database -}}
    {{- $_ := set .Values.gitea.config.database "USER"      .Values.mariadb.auth.username -}}
    {{- $_ := set .Values.gitea.config.database "PASSWD"    .Values.mariadb.auth.password -}}
  {{- end -}}
 {{- end -}}
@ -419,53 +331,3 @@ https
    {{- toYaml .Values.extraVolumeMounts -}}
  {{- end -}}
 {{- end -}}
 {{- define "gitea.gpg-key-secret-name" -}}
 {{ default (printf "%s-gpg-key" (include "gitea.fullname" .)) .Values.signing.existingSecret }}
 {{- end -}}
 {{- define "gitea.serviceAccountName" -}}
 {{ .Values.serviceAccount.name | default (include "gitea.fullname" .) }}
 {{- end -}}
 {{- define "ingress.annotations" -}}
  {{- if .Values.ingress.annotations }}
  annotations:
    {{- $tp := typeOf .Values.ingress.annotations }}
    {{- if eq $tp "string" }}
      {{- tpl .Values.ingress.annotations . | nindent 4 }}
    {{- else }}
      {{- toYaml .Values.ingress.annotations | nindent 4 }}
    {{- end }}
  {{- end }}
 {{- end -}}
 {{- define "gitea.admin.passwordMode" -}}
 {{- if has .Values.gitea.admin.passwordMode (tuple "keepUpdated" "initialOnlyNoReset" "initialOnlyRequireReset") -}}
 {{ .Values.gitea.admin.passwordMode }}
 {{- else -}}
 {{ printf "gitea.admin.passwordMode must be set to one of 'keepUpdated', 'initialOnlyNoReset', or 'initialOnlyRequireReset'. Received: '%s'" .Values.gitea.admin.passwordMode | fail }}
 {{- end -}}
 {{- end -}}
 {{/* Create a functioning probe object for rendering. Given argument must be either a livenessProbe, readinessProbe, or startupProbe */}}
 {{- define "gitea.deployment.probe" -}}
  {{- $probe := unset . "enabled" -}}
  {{- $probeKeys := keys $probe -}}
  {{- $containsCustomMethod := false -}}
  {{- $chartDefaultMethod := "tcpSocket" -}}
  {{- $nonChartDefaultMethods := list "exec" "httpGet" "grpc" -}}
  {{- range $probeKeys -}}
    {{- if has . $nonChartDefaultMethods -}}
      {{- $containsCustomMethod = true -}}
    {{- end -}}
  {{- end -}}
  {{- if $containsCustomMethod -}}
    {{- $probe = unset . $chartDefaultMethod -}}
  {{- end -}}
  {{- toYaml $probe -}}
 {{- end -}}
 {{- define "gitea.metrics-secret-name" -}}
 {{ default (printf "%s-metrics-secret" (include "gitea.fullname" .)) }}
 {{- end -}}
--- a/templates/gitea/check-actions-not-present.yaml
+++ b/templates/gitea/check-actions-not-present.yaml
@ -1,3 +0,0 @@
 {{- if .Values.actions -}}
    {{- fail "The actions sub-chart has been outsourced to a dedicated chart available at https://gitea.com/gitea/helm-actions. For assistance with the migration process, check https://gitea.com/gitea/helm-actions/issues/9." -}}
 {{- end -}}
--- a/templates/gitea/config.yaml
+++ b/templates/gitea/config.yaml
@ -2,7 +2,6 @@ apiVersion: v1
 kind: Secret
 metadata:
  name: {{ include "gitea.fullname" . }}-inline-config
  namespace: {{ .Values.namespace | default .Release.Namespace }}
  labels:
    {{- include "gitea.labels" . | nindent 4 }}
 type: Opaque
@ -13,45 +12,161 @@ apiVersion: v1
 kind: Secret
 metadata:
  name: {{ include "gitea.fullname" . }}
  namespace: {{ .Values.namespace | default .Release.Namespace }}
  labels:
    {{- include "gitea.labels" . | nindent 4 }}
 type: Opaque
 stringData:
-{{ (.Files.Glob "scripts/init-containers/config/*.sh").AsConfig | indent 2 }}
+  config_environment.sh: |-
-  assertions: |
+    #!/usr/bin/env bash
    set -euo pipefail
-    {{- /*assert that only one PG dep is enabled */ -}}
+    function env2ini::log() {
-    {{- if and (.Values.postgresql.enabled) (index .Values "postgresql-ha" "enabled") -}}
+      printf "${1}\n"
-      {{- fail "Only one of postgresql or postgresql-ha can be enabled at the same time." -}}
+    }
    {{- end }}
-    {{- /* multiple replicas assertions */ -}}
+    function env2ini::read_config_to_env() {
-    {{- if gt .Values.replicaCount 1.0 -}}
+      local section="${1}"
-      {{- if .Values.gitea.config.cron -}}
+      local line="${2}"
        {{- if .Values.gitea.config.cron.GIT_GC_REPOS -}}
          {{- if eq .Values.gitea.config.cron.GIT_GC_REPOS.ENABLED true -}}
            {{ fail "Invoking the garbage collector via CRON is not yet supported when running with multiple replicas. Please set 'gitea.config.cron.GIT_GC_REPOS.enabled = false'." }}
          {{- end }}
        {{- end }}
      {{- end }}
-      {{- if eq (first .Values.persistence.accessModes) "ReadWriteOnce" -}}
+      if [[ -z "${line}" ]]; then
-        {{- fail "When using multiple replicas, a RWX file system is required and persistence.accessModes[0] must be set to ReadWriteMany." -}}
+        # skip empty line
-      {{- end }}
+        return
-      {{- if .Values.gitea.config.indexer -}}
+      fi
        {{- if eq .Values.gitea.config.indexer.ISSUE_INDEXER_TYPE "bleve" -}}
          {{- fail "When using multiple replicas, the issue indexer (gitea.config.indexer.ISSUE_INDEXER_TYPE) must be set to a HA-ready provider such as 'meilisearch', 'elasticsearch' or 'db' (if the DB is HA-ready)." -}}
        {{- end }}
        {{- if .Values.gitea.config.indexer.REPO_INDEXER_TYPE -}}
          {{- if eq .Values.gitea.config.indexer.REPO_INDEXER_TYPE "bleve" -}}
            {{- if .Values.gitea.config.indexer.REPO_INDEXER_ENABLED -}}
              {{- if eq .Values.gitea.config.indexer.REPO_INDEXER_ENABLED true -}}
                {{- fail "When using multiple replicas, the repo indexer (gitea.config.indexer.REPO_INDEXER_TYPE) must be set to 'meilisearch' or 'elasticsearch' or disabled." -}}
              {{- end }}
            {{- end }}
          {{- end }}
        {{- end }}
      {{- end }}
-    {{- end }}
+      # 'xargs echo -n' trims all leading/trailing whitespaces and a trailing new line
      local setting="$(awk -F '=' '{print $1}' <<< "${line}" | xargs echo -n)"
      if [[ -z "${setting}" ]]; then
        env2ini::log '  ! invalid setting'
        exit 1
      fi
      local value=''
      local regex="^${setting}(\s*)=(\s*)(.*)"
      if [[ $line =~ $regex ]]; then
        value="${BASH_REMATCH[3]}"
      else
        env2ini::log '  ! invalid setting'
        exit 1
      fi
      env2ini::log "    + '${setting}'"
      if [[ -z "${section}" ]]; then
        export "ENV_TO_INI____${setting^^}=${value}"                           # '^^' makes the variable content uppercase
        return
      fi
      local masked_section="${section//./_0X2E_}"                            # '//' instructs to replace all matches
      masked_section="${masked_section//-/_0X2D_}"
      export "ENV_TO_INI__${masked_section^^}__${setting^^}=${value}"        # '^^' makes the variable content uppercase
    }
    function env2ini::reload_preset_envs() {
      env2ini::log "Reloading preset envs..."
      while read -r line; do
        if [[ -z "${line}" ]]; then
          # skip empty line
          return
        fi
        # 'xargs echo -n' trims all leading/trailing whitespaces and a trailing new line
        local setting="$(awk -F '=' '{print $1}' <<< "${line}" | xargs echo -n)"
        if [[ -z "${setting}" ]]; then
          env2ini::log '  ! invalid setting'
          exit 1
        fi
        local value=''
        local regex="^${setting}(\s*)=(\s*)(.*)"
        if [[ $line =~ $regex ]]; then
          value="${BASH_REMATCH[3]}"
        else
          env2ini::log '  ! invalid setting'
          exit 1
        fi
        env2ini::log "  + '${setting}'"
        export "${setting^^}=${value}"                           # '^^' makes the variable content uppercase
      done < "/tmp/existing-envs"
      rm /tmp/existing-envs
    }
    function env2ini::process_config_file() {
      local config_file="${1}"
      local section="$(basename "${config_file}")"
      if [[ $section == '_generals_' ]]; then
        env2ini::log "  [ini root]"
        section=''
      else
        env2ini::log "  ${section}"
      fi
      while read -r line; do
        env2ini::read_config_to_env "${section}" "${line}"
      done < <(awk 1 "${config_file}")                             # Helm .toYaml trims the trailing new line which breaks line processing; awk 1 ... adds it back while reading
    }
    function env2ini::load_config_sources() {
      local path="${1}"
      if [[ -d "${path}" ]]; then
        env2ini::log "Processing $(basename "${path}")..."
        while read -d '' configFile; do
          env2ini::process_config_file "${configFile}"
        done < <(find "${path}" -type l -not -name '..data' -print0)
        env2ini::log "\n"
      fi
    }
    function env2ini::generate_initial_secrets() {
      # These environment variables will either be
      #   - overwritten with user defined values,
      #   - initially used to set up Gitea
      # Anyway, they won't harm existing app.ini files
      export ENV_TO_INI__SECURITY__INTERNAL_TOKEN=$(gitea generate secret INTERNAL_TOKEN)
      export ENV_TO_INI__SECURITY__SECRET_KEY=$(gitea generate secret SECRET_KEY)
      export ENV_TO_INI__OAUTH2__JWT_SECRET=$(gitea generate secret JWT_SECRET)
      export ENV_TO_INI__SERVER__LFS_JWT_SECRET=$(gitea generate secret LFS_JWT_SECRET)
      env2ini::log "...Initial secrets generated\n"
    }
    env | (grep ENV_TO_INI || [[ $? == 1 ]]) > /tmp/existing-envs
    # MUST BE CALLED BEFORE OTHER CONFIGURATION
    env2ini::generate_initial_secrets
    env2ini::load_config_sources '/env-to-ini-mounts/inlines/'
    env2ini::load_config_sources '/env-to-ini-mounts/additionals/'
    # load existing envs to override auto generated envs
    env2ini::reload_preset_envs
    env2ini::log "=== All configuration sources loaded ===\n"
    # safety to prevent rewrite of secret keys if an app.ini already exists
    if [ -f ${GITEA_APP_INI} ]; then
      env2ini::log 'An app.ini file already exists. To prevent overwriting secret keys, these settings are dropped and remain unchanged:'
      env2ini::log '  - security.INTERNAL_TOKEN'
      env2ini::log '  - security.SECRET_KEY'
      env2ini::log '  - oauth2.JWT_SECRET'
      env2ini::log '  - server.LFS_JWT_SECRET'
      unset ENV_TO_INI__SECURITY__INTERNAL_TOKEN
      unset ENV_TO_INI__SECURITY__SECRET_KEY
      unset ENV_TO_INI__OAUTH2__JWT_SECRET
      unset ENV_TO_INI__SERVER__LFS_JWT_SECRET
    fi
    environment-to-ini -o $GITEA_APP_INI -p ENV_TO_INI
--- a/templates/gitea/extra-list.yaml
+++ b/templates/gitea/extra-list.yaml
@ -1,8 +0,0 @@
 {{- range .Values.extraDeploy }}
 ---
 {{- if typeIs "string" . }}
    {{- tpl . $ }}
 {{- else }}
    {{- tpl (. | toYaml) $ }}
 {{- end }}
 {{- end }}
--- a/templates/gitea/gpg-secret.yaml
+++ b/templates/gitea/gpg-secret.yaml
@ -1,17 +0,0 @@
 {{- if .Values.signing.enabled -}}
 {{- if and (empty .Values.signing.privateKey) (empty .Values.signing.existingSecret) -}}
  {{- fail "Either specify `signing.privateKey` or `signing.existingSecret`" -}}
 {{- end }}
 {{- if and (not (empty .Values.signing.privateKey)) (empty .Values.signing.existingSecret) -}}
 apiVersion: v1
 kind: Secret
 metadata:
  name: {{ include "gitea.gpg-key-secret-name" . }}
  namespace: {{ .Values.namespace | default .Release.Namespace }}
  labels:
    {{- include "gitea.labels" . | nindent 4 }}
 type: Opaque
 data:
  privateKey: {{ .Values.signing.privateKey | b64enc }}
 {{- end }}
 {{- end }}
--- a/templates/gitea/http-svc.yaml
+++ b/templates/gitea/http-svc.yaml
@ -2,21 +2,13 @@ apiVersion: v1
 kind: Service
 metadata:
  name: {{ include "gitea.fullname" . }}-http
  namespace: {{ .Values.namespace | default .Release.Namespace }}
  labels:
    {{- include "gitea.labels" . | nindent 4 }}
    {{- if .Values.service.http.labels }}
    {{- toYaml .Values.service.http.labels  | nindent 4 }}
    {{- end }}
  annotations:
    {{- toYaml .Values.service.http.annotations | nindent 4 }}
 spec:
  type: {{ .Values.service.http.type }}
-  {{- if eq .Values.service.http.type "LoadBalancer" }}
+  {{- if and .Values.service.http.loadBalancerIP (eq .Values.service.http.type "LoadBalancer") }}
  {{- if .Values.service.http.loadBalancerClass }}
  loadBalancerClass: {{ .Values.service.http.loadBalancerClass }}
  {{- end }}
  {{- if and .Values.service.http.loadBalancerIP }}
  loadBalancerIP: {{ .Values.service.http.loadBalancerIP  }}
  {{- end }}
  {{- if .Values.service.http.loadBalancerSourceRanges }}
@ -25,7 +17,6 @@ spec:
    - {{ . }}
  {{- end }}
  {{- end }}
  {{- end }}
  {{- if .Values.service.http.externalIPs }}
  externalIPs:
    {{- toYaml .Values.service.http.externalIPs | nindent 4 }}
--- a/templates/gitea/ingress.yaml
+++ b/templates/gitea/ingress.yaml
@ -1,62 +1,58 @@
 {{- if .Values.ingress.enabled -}}
 {{- $fullName := include "gitea.fullname" . -}}
 {{- $httpPort := .Values.service.http.port -}}
-apiVersion: networking.k8s.io/v1
+{{- $apiVersion := "extensions/v1beta1" -}}
 {{- if .Values.ingress.apiVersion -}}
 {{- $apiVersion = .Values.ingress.apiVersion -}}
 {{- else if .Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress" -}}
 {{- $apiVersion = "networking.k8s.io/v1" }}
 {{- else if .Capabilities.APIVersions.Has "networking.k8s.io/v1beta1/Ingress" -}}
 {{- $apiVersion = "networking.k8s.io/v1beta1" }}
 {{- end }}
 apiVersion: {{ $apiVersion }}
 kind: Ingress
 metadata:
  name: {{ $fullName }}
  namespace: {{ .Values.namespace | default .Release.Namespace }}
  labels:
    {{- include "gitea.labels" . | nindent 4 }}
  {{- with .Values.ingress.annotations }}
  annotations:
-    {{- range $key, $value := .Values.ingress.annotations }}
+    {{- toYaml . | nindent 4 }}
      {{ $key }}: {{ $value | quote }}
  {{- end }}
 spec:
-  ingressClassName: {{ tpl .Values.ingress.className . }}
+{{- if .Values.ingress.className }}
  ingressClassName: {{ .Values.ingress.className }}
 {{- end }}
 {{- if .Values.ingress.tls }}
  tls:
  {{- range .Values.ingress.tls }}
    - hosts:
      {{- range .hosts }}
-        - {{ tpl . $ | quote }}
+        - {{ . | quote }}
      {{- end }}
      secretName: {{ .secretName }}
  {{- end }}
 {{- end }}
  rules:
    {{- range .Values.ingress.hosts }}
-    - host: {{ tpl .host $ | quote }}
+    - host: {{ .host | quote }}
      http:
        paths:
          {{- if .paths }}
          {{- range .paths }}
-          {{- if kindIs "string" . }}
+          - path: {{ .path }}
-          - path: {{ . }}
+            {{- if and .pathType (eq $apiVersion "networking.k8s.io/v1") }}
-            pathType: {{ default "Prefix" $.Values.ingress.pathType }}
+            pathType: {{ .pathType }}
            {{- end }}
            backend:
            {{- if eq $apiVersion "networking.k8s.io/v1" }}
              service:
                name: {{ $fullName }}-http
                port:
                  number: {{ $httpPort }}
            {{- else }}
-          - path: {{ .path | default "/" }}
+              serviceName: {{ $fullName }}-http
-            pathType: {{ .pathType | default "Prefix" }}
+              servicePort: {{ $httpPort }}
-            backend:
+            {{- end }}
              service:
                name: {{ $fullName }}-http
                port:
                  number: {{ $httpPort }}
          {{- end }}
          {{- end }}
          {{- else }}
          - path: "/"
            pathType: "Prefix"
            backend:
              service:
                name: {{ $fullName }}-http
                port:
                  number: {{ $httpPort }}
          {{- end }}
    {{- end }}
 {{- end }}
--- a/templates/gitea/init.yaml
+++ b/templates/gitea/init.yaml
@ -2,12 +2,10 @@ apiVersion: v1
 kind: Secret
 metadata:
  name: {{ include "gitea.fullname" . }}-init
  namespace: {{ .Values.namespace | default .Release.Namespace }}
  labels:
    {{- include "gitea.labels" . | nindent 4 }}
 type: Opaque
 stringData:
 {{ (.Files.Glob "scripts/init-containers/init/*.sh").AsConfig | indent 2 }}
  init_directory_structure.sh: |-
    #!/usr/bin/env bash
@ -21,27 +19,21 @@ stringData:
    # END: initPreScript
    {{- end }}
    set -x
    {{- if not .Values.image.rootless }}
-    chown -v 1000:1000 /data
+    chown 1000:1000 /data
    {{- end }}
-    mkdir -pv /data/git/.ssh
+    mkdir -p /data/git/.ssh
-    chmod -Rv 700 /data/git/.ssh
+    chmod -R 700 /data/git/.ssh
-    [ ! -d /data/gitea/conf ] && mkdir -pv /data/gitea/conf
+    [ ! -d /data/gitea/conf ] && mkdir -p /data/gitea/conf
    # prepare temp directory structure
-    mkdir -pv "${GITEA_TEMP}"
+    mkdir -p "${GITEA_TEMP}"
    {{- if not .Values.image.rootless }}
-    chown -v 1000:1000 "${GITEA_TEMP}"
+    chown 1000:1000 "${GITEA_TEMP}"
    {{- end }}
    chmod -v ug+rwx "${GITEA_TEMP}"
    {{ if .Values.signing.enabled -}}
    if [ ! -d "${GNUPGHOME}" ]; then
      mkdir -pv "${GNUPGHOME}"
      chmod -v 700 "${GNUPGHOME}"
      chown -v 1000:1000 "${GNUPGHOME}"
    fi
    {{- end }}
    chmod ug+rwx "${GITEA_TEMP}"
  configure_gitea.sh: |-
    #!/usr/bin/env bash
@ -57,80 +49,18 @@ stringData:
      exit 1
    }
    {{- if include "valkey.servicename" . }}
    function test_valkey_connection() {
      local RETRY=0
      local MAX=30
      echo 'Wait for valkey to become avialable...'
      until [ "${RETRY}" -ge "${MAX}" ]; do
        nc -vz -w2 {{ include "valkey.servicename" . }} {{ include "valkey.port" . }} && break
        RETRY=$[${RETRY}+1]
        echo "...not ready yet (${RETRY}/${MAX})"
      done
      if [ "${RETRY}" -ge "${MAX}" ]; then
        echo "Valkey not reachable after '${MAX}' attempts!"
        exit 1
      fi
    }
    test_valkey_connection
    {{- end }}
    {{- if or .Values.gitea.admin.existingSecret (and .Values.gitea.admin.username .Values.gitea.admin.password) }}
    function configure_admin_user() {
-      local full_admin_list=$(gitea admin user list --admin)
+      local ACCOUNT_ID=$(gitea admin user list --admin | grep -e "\s\+${GITEA_ADMIN_USERNAME}\s\+" | awk -F " " "{printf \$1}")
      local actual_user_table=''
      # We might have distorted output due to warning logs, so we have to detect the actual user table by its headline and trim output above that line
      local regex="(.*)(ID\s+Username\s+Email\s+IsActive.*)"
      if [[ "${full_admin_list}" =~ $regex ]]; then
        actual_user_table=$(echo "${BASH_REMATCH[2]}" | tail -n+2) # tail'ing to drop the table headline
      else
        # This code block should never be reached, as long as the output table header remains the same.
        # If this code block is reached, the regex doesn't match anymore and we probably have to adjust this script.
        echo "ERROR: 'configure_admin_user' was not able to determine the current list of admin users."
        echo "       Please review the output of 'gitea admin user list --admin' shown below."
        echo "       If you think it is an issue with the Helm Chart provisioning, file an issue at https://gitea.com/gitea/helm-gitea/issues."
        echo "DEBUG: Output of 'gitea admin user list --admin'"
        echo "--"
        echo "${full_admin_list}"
        echo "--"
        exit 1
      fi
      local ACCOUNT_ID=$(echo "${actual_user_table}" | grep -E "\s+${GITEA_ADMIN_USERNAME}\s+" | awk -F " " "{printf \$1}")
      if [[ -z "${ACCOUNT_ID}" ]]; then
        local -a create_args
        create_args=(--admin --username "${GITEA_ADMIN_USERNAME}" --password "${GITEA_ADMIN_PASSWORD}" --email {{ .Values.gitea.admin.email | quote }})
        if [[ "${GITEA_ADMIN_PASSWORD_MODE}" = initialOnlyRequireReset ]]; then
          create_args+=(--must-change-password=true)
        else
          create_args+=(--must-change-password=false)
        fi
        echo "No admin user '${GITEA_ADMIN_USERNAME}' found. Creating now..."
-        gitea admin user create "${create_args[@]}"
+        gitea admin user create --admin --username "${GITEA_ADMIN_USERNAME}" --password "${GITEA_ADMIN_PASSWORD}" --email {{ .Values.gitea.admin.email | quote }} --must-change-password=false
        echo '...created.'
      else
        if [[ "${GITEA_ADMIN_PASSWORD_MODE}" = keepUpdated ]]; then
        echo "Admin account '${GITEA_ADMIN_USERNAME}' already exist. Running update to sync password..."
-          # See https://gitea.com/gitea/helm-gitea/issues/673
+        gitea admin user change-password --username "${GITEA_ADMIN_USERNAME}" --password "${GITEA_ADMIN_PASSWORD}"
          # --must-change-password argument was added to change-password, defaulting to true, counter to the previous behavior
          #   which acted as if it were provided with =false. If the argument is present in this version of gitea, then we
          #   should add it to prevent requiring frequent admin password resets.
          local -a change_args
          change_args=(--username "${GITEA_ADMIN_USERNAME}" --password "${GITEA_ADMIN_PASSWORD}")
          if gitea admin user change-password --help | grep -qF -- '--must-change-password'; then
            change_args+=(--must-change-password=false)
          fi
          gitea admin user change-password "${change_args[@]}"
        echo '...password sync done.'
        else
          echo "Admin account '${GITEA_ADMIN_USERNAME}' already exist, but update mode is set to '${GITEA_ADMIN_PASSWORD_MODE}'. Skipping."
        fi
      fi
    }
@ -141,28 +71,7 @@ stringData:
      {{- if .Values.gitea.ldap }}
      {{- range $idx, $value := .Values.gitea.ldap }}
      local LDAP_NAME={{ (printf "%s" $value.name) | squote }}
-      local full_auth_list=$(gitea admin auth list --vertical-bars)
+      local GITEA_AUTH_ID=$(gitea admin auth list --vertical-bars | grep -E "\|${LDAP_NAME}\s+\|" | grep -iE '\|LDAP \(via BindDN\)\s+\|' | awk -F " "  "{print \$1}")
      local actual_auth_table=''
      # We might have distorted output due to warning logs, so we have to detect the actual user table by its headline and trim output above that line
      local regex="(.*)(ID\s+\|Name\s+\|Type\s+\|Enabled.*)"
      if [[ "${full_auth_list}" =~ $regex ]]; then
        actual_auth_table=$(echo "${BASH_REMATCH[2]}" | tail -n+2) # tail'ing to drop the table headline
      else
        # This code block should never be reached, as long as the output table header remains the same.
        # If this code block is reached, the regex doesn't match anymore and we probably have to adjust this script.
        echo "ERROR: 'configure_ldap' was not able to determine the current list of authentication sources."
        echo "       Please review the output of 'gitea admin auth list --vertical-bars' shown below."
        echo "       If you think it is an issue with the Helm Chart provisioning, file an issue at https://gitea.com/gitea/helm-gitea/issues."
        echo "DEBUG: Output of 'gitea admin auth list --vertical-bars'"
        echo "--"
        echo "${full_auth_list}"
        echo "--"
        exit 1
      fi
      local GITEA_AUTH_ID=$(echo "${actual_auth_table}" | grep -E "\|${LDAP_NAME}\s+\|" | grep -iE '\|LDAP \(via BindDN\)\s+\|' | awk -F " "  "{print \$1}")
      if [[ -z "${GITEA_AUTH_ID}" ]]; then
        echo "No ldap configuration found with name '${LDAP_NAME}'. Installing it now..."
@ -185,28 +94,7 @@ stringData:
      {{- if .Values.gitea.oauth }}
      {{- range $idx, $value := .Values.gitea.oauth }}
      local OAUTH_NAME={{ (printf "%s" $value.name) | squote }}
-      local full_auth_list=$(gitea admin auth list --vertical-bars)
+      local AUTH_ID=$(gitea admin auth list --vertical-bars | grep -E "\|${OAUTH_NAME}\s+\|" | grep -iE '\|OAuth2\s+\|' | awk -F " "  "{print \$1}")
      local actual_auth_table=''
      # We might have distorted output due to warning logs, so we have to detect the actual user table by its headline and trim output above that line
      local regex="(.*)(ID\s+\|Name\s+\|Type\s+\|Enabled.*)"
      if [[ "${full_auth_list}" =~ $regex ]]; then
        actual_auth_table=$(echo "${BASH_REMATCH[2]}" | tail -n+2) # tail'ing to drop the table headline
      else
        # This code block should never be reached, as long as the output table header remains the same.
        # If this code block is reached, the regex doesn't match anymore and we probably have to adjust this script.
        echo "ERROR: 'configure_oauth' was not able to determine the current list of authentication sources."
        echo "       Please review the output of 'gitea admin auth list --vertical-bars' shown below."
        echo "       If you think it is an issue with the Helm Chart provisioning, file an issue at https://gitea.com/gitea/helm-gitea/issues."
        echo "DEBUG: Output of 'gitea admin auth list --vertical-bars'"
        echo "--"
        echo "${full_auth_list}"
        echo "--"
        exit 1
      fi
      local AUTH_ID=$(echo "${actual_auth_table}" | grep -E "\|${OAUTH_NAME}\s+\|" | grep -iE '\|OAuth2\s+\|' | awk -F " "  "{print \$1}")
      if [[ -z "${AUTH_ID}" ]]; then
        echo "No oauth configuration found with name '${OAUTH_NAME}'. Installing it now..."
--- a/templates/gitea/metrics-secret.yaml
+++ b/templates/gitea/metrics-secret.yaml
@ -1,12 +0,0 @@
 {{- if and (.Values.gitea.metrics.enabled) (.Values.gitea.metrics.serviceMonitor.enabled) (.Values.gitea.metrics.token) -}}
 apiVersion: v1
 kind: Secret
 metadata:
  name: {{ include "gitea.metrics-secret-name" . }}
  namespace: {{ .Values.namespace | default .Release.Namespace }}
  labels:
    {{- include "gitea.labels" . | nindent 4 }}
 type: Opaque
 data:
  token: {{ .Values.gitea.metrics.token  | b64enc }}
 {{- end }}
--- a/templates/gitea/poddisruptionbudget.yaml
+++ b/templates/gitea/poddisruptionbudget.yaml
@ -1,18 +0,0 @@
 {{- if .Values.podDisruptionBudget -}}
 {{- if .Capabilities.APIVersions.Has "policy/v1" }}
 apiVersion: policy/v1
 {{- else }}
 apiVersion: policy/v1beta1
 {{- end }}
 kind: PodDisruptionBudget
 metadata:
  name: {{ include "gitea.fullname" . }}
  namespace: {{ .Values.namespace | default .Release.Namespace }}
  labels:
    {{- include "gitea.labels" . | nindent 4 }}
 spec:
  selector:
    matchLabels:
      {{- include "gitea.selectorLabels" . | nindent 6 }}
  {{- toYaml .Values.podDisruptionBudget | nindent 2 }}
 {{- end -}}
--- a/templates/gitea/pvc.yaml
+++ b/templates/gitea/pvc.yaml
@ -1,26 +0,0 @@
 {{- if and .Values.persistence.enabled .Values.persistence.create }}
 kind: PersistentVolumeClaim
 apiVersion: v1
 metadata:
  name: {{ .Values.persistence.claimName }}
  namespace: {{ .Values.namespace | default .Release.Namespace }}
  annotations:
 {{ .Values.persistence.annotations | toYaml | indent 4}}
  labels:
 {{ .Values.persistence.labels | toYaml | indent 4}}
 spec:
  accessModes:
  {{- if gt .Values.replicaCount 1.0 }}
      - ReadWriteMany
  {{- else }}
    {{- .Values.persistence.accessModes | toYaml | nindent 4 }}
  {{- end }}
  volumeMode: Filesystem
  {{- include "gitea.persistence.storageClass" . | nindent 2 }}
  {{- with .Values.persistence.volumeName }}
  volumeName: {{ . }}
  {{- end }}
  resources:
    requests:
      storage: {{ .Values.persistence.size }}
 {{- end }}
--- a/templates/gitea/serviceaccount.yaml
+++ b/templates/gitea/serviceaccount.yaml
@ -1,21 +0,0 @@
 {{- if .Values.serviceAccount.create }}
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: {{ include "gitea.serviceAccountName" . }}
  namespace: {{ .Values.namespace | default .Release.Namespace }}
  labels:
    {{- include "gitea.labels" . | nindent 4 }}
    {{- with .Values.serviceAccount.labels }}
    {{- . | toYaml | nindent 4 }}
  {{- end }}
  {{- with .Values.serviceAccount.annotations }}
  annotations:
    {{- . | toYaml | nindent 4 }}
  {{- end }}
 automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }}
 {{- with .Values.serviceAccount.imagePullSecrets }}
 imagePullSecrets:
  {{- . | toYaml | nindent 2 }}
 {{- end }}
 {{- end }}
--- a/templates/gitea/servicemonitor.yaml
+++ b/templates/gitea/servicemonitor.yaml
@ -1,9 +1,8 @@
-{{- if and .Values.gitea.metrics.enabled .Values.gitea.metrics.serviceMonitor.enabled -}}
+{{- if .Values.gitea.metrics.serviceMonitor.enabled -}}
 apiVersion: monitoring.coreos.com/v1
 kind: ServiceMonitor
 metadata:
  name: {{ include "gitea.fullname" . }}
  namespace: {{ .Values.namespace | default .Release.Namespace }}
  labels:
    {{- include "gitea.labels" . | nindent 4 }}
    {{- if .Values.gitea.metrics.serviceMonitor.additionalLabels }}
@ -15,29 +14,4 @@ spec:
      {{- include "gitea.selectorLabels" . | nindent 6 }}
  endpoints:
  - port: http
    {{- if .Values.gitea.metrics.serviceMonitor.interval }}
    interval: {{ .Values.gitea.metrics.serviceMonitor.interval }}
    {{- end }}
    {{- with .Values.gitea.metrics.serviceMonitor.relabelings }}
    relabelings:
      {{- . | toYaml | nindent 6 }}
    {{- end }}
    {{- if .Values.gitea.metrics.serviceMonitor.scheme }}
    scheme: {{ .Values.gitea.metrics.serviceMonitor.scheme }}
    {{- end }}
    {{- if .Values.gitea.metrics.serviceMonitor.scrapeTimeout }}
    scrapeTimeout: {{ .Values.gitea.metrics.serviceMonitor.scrapeTimeout }}
    {{- end }}
    {{- with .Values.gitea.metrics.serviceMonitor.tlsConfig }}
    tlsConfig:
      {{- . | toYaml | nindent 6 }}
    {{- end }}
    {{- if .Values.gitea.metrics.token }}
    authorization:
      type: Bearer
      credentials:
        name: {{ include "gitea.metrics-secret-name" . }}
        key: token
        optional: false
    {{- end }}
 {{- end -}}
--- a/templates/gitea/ssh-svc.yaml
+++ b/templates/gitea/ssh-svc.yaml
@ -2,20 +2,13 @@ apiVersion: v1
 kind: Service
 metadata:
  name: {{ include "gitea.fullname" . }}-ssh
  namespace: {{ .Values.namespace | default .Release.Namespace }}
  labels:
    {{- include "gitea.labels" . | nindent 4 }}
    {{- if .Values.service.ssh.labels }}
    {{- toYaml .Values.service.ssh.labels  | nindent 4 }}
    {{- end }}
  annotations:
    {{- toYaml .Values.service.ssh.annotations | nindent 4 }}
 spec:
  type: {{ .Values.service.ssh.type }}
  {{- if eq .Values.service.ssh.type "LoadBalancer" }}
  {{- if .Values.service.ssh.loadBalancerClass }}
  loadBalancerClass: {{ .Values.service.ssh.loadBalancerClass }}
  {{- end }}
  {{- if .Values.service.ssh.loadBalancerIP }}
  loadBalancerIP: {{ .Values.service.ssh.loadBalancerIP }}
  {{- end -}}
@ -46,9 +39,7 @@ spec:
  ports:
  - name: ssh
    port: {{ .Values.service.ssh.port }}
    {{- if .Values.gitea.config.server.SSH_LISTEN_PORT }}
    targetPort: {{ .Values.gitea.config.server.SSH_LISTEN_PORT }}
    {{- end }}
    protocol: TCP
    {{- if .Values.service.ssh.nodePort }}
    nodePort: {{ .Values.service.ssh.nodePort }}
--- a/templates/gitea/statefulset.yaml
+++ b/templates/gitea/statefulset.yaml
@ -1,32 +1,22 @@
 apiVersion: apps/v1
-kind: Deployment
+kind: StatefulSet
 metadata:
  name: {{ include "gitea.fullname" . }}
  namespace: {{ .Values.namespace | default .Release.Namespace }}
  annotations:
-    {{- if .Values.deployment.annotations }}
+    {{- if .Values.statefulset.annotations }}
-    {{- toYaml .Values.deployment.annotations | nindent 4 }}
+    {{- toYaml .Values.statefulset.annotations | nindent 4 }}
    {{- end }}
  labels:
    {{- include "gitea.labels" . | nindent 4 }}
    {{- if .Values.deployment.labels }}
    {{- toYaml .Values.deployment.labels | nindent 4 }}
    {{- end }}
 spec:
  replicas: {{ .Values.replicaCount }}
  strategy:
    type: {{ .Values.strategy.type }}
    {{- if eq .Values.strategy.type "RollingUpdate" }}
    rollingUpdate:
      maxUnavailable: {{ .Values.strategy.rollingUpdate.maxUnavailable }}
      maxSurge: {{ .Values.strategy.rollingUpdate.maxSurge }}
    {{- end }}
  selector:
    matchLabels:
      {{- include "gitea.selectorLabels" . | nindent 6 }}
-      {{- if .Values.deployment.labels }}
+      {{- if .Values.statefulset.labels }}
-      {{- toYaml .Values.deployment.labels | nindent 6 }}
+      {{- toYaml .Values.statefulset.labels | nindent 6 }}
      {{- end }}
  serviceName: {{ include "gitea.fullname" . }}
  template:
    metadata:
      annotations:
@ -42,19 +32,13 @@ spec:
        {{- end }}
      labels:
        {{- include "gitea.labels" . | nindent 8 }}
-        {{- if .Values.deployment.labels }}
+        {{- if .Values.statefulset.labels }}
-        {{- toYaml .Values.deployment.labels | nindent 8 }}
+        {{- toYaml .Values.statefulset.labels | nindent 8 }}
        {{- end }}
    spec:
      {{- if .Values.schedulerName }}
      schedulerName: "{{ .Values.schedulerName }}"
      {{- end }}
      {{- if (or .Values.serviceAccount.create .Values.serviceAccount.name) }}
      serviceAccountName: {{ include "gitea.serviceAccountName" . }}
      {{- end }}
      {{- if .Values.priorityClassName }}
      priorityClassName: "{{ .Values.priorityClassName }}"
      {{- end }}
      {{- include "gitea.images.pullSecrets" . | nindent 6 }}
      securityContext:
        {{- toYaml .Values.podSecurityContext | nindent 8 }}
@ -62,8 +46,7 @@ spec:
        - name: init-directories
          image: "{{ include "gitea.image" . }}"
          imagePullPolicy: {{ .Values.image.pullPolicy }}
-          command:
+          command: ["/usr/sbin/init_directory_structure.sh"]
            - "{{ .Values.initContainersScriptsVolumeMountPath }}/init_directory_structure.sh"
          env:
            - name: GITEA_APP_INI
              value: /data/gitea/conf/app.ini
@ -73,16 +56,12 @@ spec:
              value: /data
            - name: GITEA_TEMP
              value: /tmp/gitea
-            {{- if .Values.deployment.env }}
+            {{- if .Values.statefulset.env }}
-            {{- toYaml .Values.deployment.env | nindent 12 }}
+            {{- toYaml .Values.statefulset.env | nindent 12 }}
            {{- end }}
            {{- if .Values.signing.enabled }}
            - name: GNUPGHOME
              value: {{ .Values.signing.gpgHome }}
            {{- end }}
          volumeMounts:
            - name: init
-              mountPath: {{ .Values.initContainersScriptsVolumeMountPath }}
+              mountPath: /usr/sbin
            - name: temp
              mountPath: /tmp
            - name: data
@ -93,13 +72,10 @@ spec:
            {{- include "gitea.init-additional-mounts" . | nindent 12 }}
          securityContext:
            {{- toYaml .Values.containerSecurityContext | nindent 12 }}
          resources:
            {{- toYaml .Values.initContainers.resources | nindent 12 }}
        - name: init-app-ini
          image: "{{ include "gitea.image" . }}"
          imagePullPolicy: {{ .Values.image.pullPolicy }}
-          command: 
+          command: ["/usr/sbin/config_environment.sh"]
          - "{{ .Values.initContainersScriptsVolumeMountPath }}/config_environment.sh"
          env:
            - name: GITEA_APP_INI
              value: /data/gitea/conf/app.ini
@ -109,19 +85,15 @@ spec:
              value: /data
            - name: GITEA_TEMP
              value: /tmp/gitea
-            - name: TMP_EXISTING_ENVS_FILE
+            {{- if .Values.statefulset.env }}
-              value: /tmp/existing-envs
+            {{- toYaml .Values.statefulset.env | nindent 12 }}
            - name: ENV_TO_INI_MOUNT_POINT
              value: /env-to-ini-mounts
            {{- if .Values.deployment.env }}
            {{- toYaml .Values.deployment.env | nindent 12 }}
            {{- end }}
            {{- if .Values.gitea.additionalConfigFromEnvs }}
-            {{- tpl (toYaml .Values.gitea.additionalConfigFromEnvs) $ | nindent 12 }}
+            {{- toYaml .Values.gitea.additionalConfigFromEnvs | nindent 12 }}
            {{- end }}
          volumeMounts:
            - name: config
-              mountPath: {{ .Values.initContainersScriptsVolumeMountPath }}
+              mountPath: /usr/sbin
            - name: temp
              mountPath: /tmp
            - name: data
@ -138,47 +110,9 @@ spec:
            {{- include "gitea.init-additional-mounts" . | nindent 12 }}
          securityContext:
            {{- toYaml .Values.containerSecurityContext | nindent 12 }}
          resources:
            {{- toYaml .Values.initContainers.resources | nindent 12 }}
        {{- if .Values.signing.enabled }}
        - name: configure-gpg
          image: "{{ include "gitea.image" . }}"
          command: 
          - "{{ .Values.initContainersScriptsVolumeMountPath }}/configure_gpg_environment.sh"
          imagePullPolicy: {{ .Values.image.pullPolicy }}
          securityContext:
            {{- /* By default this container runs as user 1000 unless otherwise stated */ -}}
            {{- $csc := deepCopy .Values.containerSecurityContext -}}
            {{- if not (hasKey $csc "runAsUser") -}}
            {{- $_ := set $csc "runAsUser" 1000 -}}
            {{- end -}}
            {{- toYaml $csc | nindent 12 }}
          env:
            - name: GNUPGHOME
              value: {{ .Values.signing.gpgHome }}
            - name: TMP_RAW_GPG_KEY
              value: /raw/private.asc
          volumeMounts:
            - name: init
              mountPath: {{ .Values.initContainersScriptsVolumeMountPath }}
            - name: data
              mountPath: /data
              {{- if .Values.persistence.subPath }}
              subPath: {{ .Values.persistence.subPath }}
              {{- end }}
            - name: gpg-private-key
              mountPath: /raw
              readOnly: true
            {{- if .Values.extraVolumeMounts }}
            {{- toYaml .Values.extraVolumeMounts | nindent 12 }}
            {{- end }}
          resources:
            {{- toYaml .Values.initContainers.resources | nindent 12 }}
        {{- end }}
        - name: configure-gitea
          image: "{{ include "gitea.image" . }}"
-          command:
+          command: ["/usr/sbin/configure_gitea.sh"]
          - "{{ .Values.initContainersScriptsVolumeMountPath }}/configure_gitea.sh"
          imagePullPolicy: {{ .Values.image.pullPolicy }}
          securityContext:
            {{- /* By default this container runs as user 1000 unless otherwise stated */ -}}
@ -196,10 +130,6 @@ spec:
              value: /data
            - name: GITEA_TEMP
              value: /tmp/gitea
            {{- if .Values.image.rootless }}
            - name: HOME
              value: /data/gitea/git
            {{- end }}
            {{- if .Values.gitea.ldap }}
            {{- range $idx, $value := .Values.gitea.ldap }}
            {{- if $value.existingSecret }}
@ -254,14 +184,12 @@ spec:
            - name: GITEA_ADMIN_PASSWORD
              value: {{ .Values.gitea.admin.password | quote }}
            {{- end }}
-            - name: GITEA_ADMIN_PASSWORD_MODE
+            {{- if .Values.statefulset.env }}
-              value: {{ include "gitea.admin.passwordMode" $ }}
+            {{- toYaml .Values.statefulset.env | nindent 12 }}
            {{- if .Values.deployment.env }}
            {{- toYaml .Values.deployment.env | nindent 12 }}
            {{- end }}
          volumeMounts:
            - name: init
-              mountPath: {{ .Values.initContainersScriptsVolumeMountPath }}
+              mountPath: /usr/sbin
            - name: temp
              mountPath: /tmp
            - name: data
@ -270,9 +198,7 @@ spec:
              subPath: {{ .Values.persistence.subPath }}
              {{- end }}
            {{- include "gitea.init-additional-mounts" . | nindent 12 }}
-          resources:
+      terminationGracePeriodSeconds: {{ .Values.statefulset.terminationGracePeriodSeconds }}
            {{- toYaml .Values.initContainers.resources | nindent 12 }}
      terminationGracePeriodSeconds: {{ .Values.deployment.terminationGracePeriodSeconds }}
      containers:
        - name: {{ .Chart.Name }}
          image: "{{ include "gitea.image" . }}"
@ -283,10 +209,6 @@ spec:
              value: {{ .Values.gitea.config.server.SSH_LISTEN_PORT | quote }}
            - name: SSH_PORT
              value: {{ .Values.gitea.config.server.SSH_PORT | quote }}
            {{- if not .Values.image.rootless }}
            - name: SSH_LOG_LEVEL
              value: {{ .Values.gitea.ssh.logLevel | quote }}
            {{- end }}
            - name: GITEA_APP_INI
              value: /data/gitea/conf/app.ini
            - name: GITEA_CUSTOM
@ -295,25 +217,14 @@ spec:
              value: /data
            - name: GITEA_TEMP
              value: /tmp/gitea
            {{- if and (hasKey .Values.resources "limits") (hasKey .Values.resources.limits "cpu") }}
            - name: GOMAXPROCS
              valueFrom:
                resourceFieldRef:
                  divisor: "1"
                  resource: limits.cpu
            {{- end }}
            - name: TMPDIR
              value: /tmp/gitea
            {{- if .Values.image.rootless }}
            - name: HOME
              value: /data/gitea/git
            {{- end }}
            {{- if .Values.signing.enabled }}
            - name: GNUPGHOME
              value: {{ .Values.signing.gpgHome }}
            {{- end }}
-            {{- if .Values.deployment.env }}
+            {{- if .Values.statefulset.env }}
-            {{- toYaml .Values.deployment.env | nindent 12 }}
+            {{- toYaml .Values.statefulset.env | nindent 12 }}
            {{- end }}
          ports:
            - name: ssh
@ -329,15 +240,15 @@ spec:
            {{- end }}
          {{- if .Values.gitea.livenessProbe.enabled }}
          livenessProbe:
-            {{- include "gitea.deployment.probe" .Values.gitea.livenessProbe | nindent 12 }}
+            {{- toYaml (omit .Values.gitea.livenessProbe "enabled") | nindent 12 }}
          {{- end }}
          {{- if .Values.gitea.readinessProbe.enabled }}
          readinessProbe:
-            {{- include "gitea.deployment.probe" .Values.gitea.readinessProbe | nindent 12 }}
+            {{- toYaml (omit .Values.gitea.readinessProbe "enabled") | nindent 12 }}
          {{- end }}
          {{- if .Values.gitea.startupProbe.enabled }}
          startupProbe:
-            {{- include "gitea.deployment.probe" .Values.gitea.startupProbe | nindent 12 }}
+            {{- toYaml (omit .Values.gitea.startupProbe "enabled") | nindent 12 }}
          {{- end }}
          resources:
            {{- toYaml .Values.resources | nindent 12 }}
@ -357,25 +268,14 @@ spec:
              subPath: {{ .Values.persistence.subPath }}
              {{- end }}
            {{- include "gitea.container-additional-mounts" . | nindent 12 }}
-        {{- if .Values.extraContainers }}
+      {{- with .Values.nodeSelector }}
        {{- toYaml .Values.extraContainers | nindent 8 }}
        {{- end }}
      {{- with .Values.global.hostAliases }}
      hostAliases:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      {{- range $key, $value := .Values.nodeSelector }}
      nodeSelector:
-        {{ $key }}: {{ $value | quote }}
+        {{- toYaml . | nindent 8 }}
      {{- end }}
    {{- with .Values.affinity }}
      affinity:
        {{- toYaml . | nindent 8 }}
    {{- end }}
    {{- with .Values.topologySpreadConstraints }}
      topologySpreadConstraints:
        {{- toYaml . | nindent 8 }}
    {{- end }}
    {{- with .Values.tolerations }}
      tolerations:
        {{- toYaml . | nindent 8 }}
@ -405,22 +305,38 @@ spec:
        {{- end }}
        - name: temp
          emptyDir: {}
-        {{- if .Values.signing.enabled }}
+  {{- if and .Values.persistence.enabled .Values.persistence.existingClaim }}
        - name: gpg-private-key
          secret:
            secretName: {{ include "gitea.gpg-key-secret-name" . }}
            items:
              - key: privateKey
                path: private.asc
            defaultMode: 0100
        {{- end }}
  {{- if .Values.persistence.enabled }}
    {{- if .Values.persistence.mount }}
        - name: data
          persistentVolumeClaim:
-            claimName: {{ .Values.persistence.claimName }}
+  {{- with .Values.persistence.existingClaim }}
            claimName: {{ tpl . $ }}
  {{- end }}
  {{- else if not .Values.persistence.enabled }}
        - name: data
          emptyDir: {}
  {{- else if and .Values.persistence.enabled (not .Values.persistence.existingClaim) }}
  volumeClaimTemplates:
    - metadata:
        name: data
      {{- with .Values.persistence.annotations }}
        annotations:
        {{- range $key, $value := . }}
          {{ $key }}: {{ $value }}
        {{- end }}
      {{- end }}
      {{- with .Values.persistence.labels }}
        labels:
        {{- range $key, $value := . }}
          {{ $key }}: {{ $value }}
        {{- end }}
      {{- end }}
      spec:
        accessModes:
          {{- range .Values.persistence.accessModes }}
            - {{ . | quote }}
          {{- end }}
        {{- include "gitea.persistence.storageClass" . | indent 8 }}
        resources:
          requests:
            storage: {{ .Values.persistence.size | quote }}
  {{- end }}
--- a/templates/tests/test-http-connection.yaml
+++ b/templates/tests/test-http-connection.yaml
@ -1,9 +1,7 @@
 {{- if .Values.test.enabled }}
 apiVersion: v1
 kind: Pod
 metadata:
  name: "{{ include "gitea.fullname" . }}-test-connection"
  namespace: {{ .Values.namespace | default .Release.Namespace }}
  labels:
 {{ include "gitea.labels" . | nindent 4 }}
  annotations:
@ -11,8 +9,7 @@ metadata:
 spec:
  containers:
    - name: wget
-      image: "{{ .Values.test.image.name }}:{{ .Values.test.image.tag }}"
+      image: busybox
      command: ['wget']
      args:  ['{{ include "gitea.fullname" . }}-http:{{ .Values.service.http.port }}']
  restartPolicy: Never
 {{- end }}
--- a/unittests/bash/bats
+++ b/unittests/bash/bats
@ -1 +0,0 @@
 Subproject commit 5ec2d815109358b3ad86f5aabf289d96e6535ac5
--- a/unittests/bash/test_helper/bats-assert
+++ b/unittests/bash/test_helper/bats-assert
@ -1 +0,0 @@
 Subproject commit b93143a1bfbde41d9b7343aab0d36f3ef6549e6b
--- a/unittests/bash/test_helper/bats-mock
+++ b/unittests/bash/test_helper/bats-mock
@ -1 +0,0 @@
 Subproject commit 93e0128b8787db05a2632c70501cd667dd35d253
--- a/unittests/bash/test_helper/bats-support
+++ b/unittests/bash/test_helper/bats-support
@ -1 +0,0 @@
 Subproject commit d007fc1f451abbad55204fa9c9eb3e6ed5dc5f61
--- a/unittests/bash/test_helper/common-setup.bash
+++ b/unittests/bash/test_helper/common-setup.bash
@ -1,7 +0,0 @@
 #!/usr/bin/env bash
 function common_setup() {
  load "$TEST_ROOT/test_helper/bats-support/load"
  load "$TEST_ROOT/test_helper/bats-assert/load"
  load "$TEST_ROOT/test_helper/bats-mock/stub"
 }
--- a/unittests/bash/tests/init-containers/config/config_environment.bats
+++ b/unittests/bash/tests/init-containers/config/config_environment.bats
@ -1,204 +0,0 @@
 #!/usr/bin/env bats
 function setup() {
  PROJECT_ROOT="$(git rev-parse --show-toplevel)"
  TEST_ROOT="$PROJECT_ROOT/unittests/bash"
  load "$TEST_ROOT/test_helper/common-setup"
  common_setup
  export GITEA_APP_INI="$BATS_TEST_TMPDIR/app.ini"
  export TMP_EXISTING_ENVS_FILE="$BATS_TEST_TMPDIR/existing-envs"
  export ENV_TO_INI_MOUNT_POINT="$BATS_TEST_TMPDIR/env-to-ini-mounts"
  stub gitea \
      "generate secret INTERNAL_TOKEN : echo 'mocked-internal-token'" \
      "generate secret SECRET_KEY : echo 'mocked-secret-key'" \
      "generate secret JWT_SECRET : echo 'mocked-jwt-secret'" \
      "generate secret LFS_JWT_SECRET : echo 'mocked-lfs-jwt-secret'"
 }
 function teardown() {
  unstub gitea
  # This condition exists due to https://github.com/jasonkarns/bats-mock/pull/37 being still open
  if [ $ENV_TO_INI_EXPECTED -eq 1 ]; then
    unstub environment-to-ini
  fi
 }
 # This function exists due to https://github.com/jasonkarns/bats-mock/pull/37 being still open
 function expect_environment_to_ini_call() {
  export ENV_TO_INI_EXPECTED=1
  stub environment-to-ini \
    "-o $GITEA_APP_INI : echo 'Stubbed environment-to-ini was called!'"
 }
 function execute_test_script() {
  currentEnvsBefore=$(env | sort)
  source $PROJECT_ROOT/scripts/init-containers/config/config_environment.sh
  local exitCode=$?
  currentEnvsAfter=$(env | sort)
  # diff as unified +/- output without context before/after
  diff --unified=0 <(echo "$currentEnvsBefore") <(echo "$currentEnvsAfter")
  exit $exitCode
 }
 function write_mounted_file() {
  # either "inlines" or "additionals"
  scope="${1}"
  file="${2}"
  content="${3}"
  mkdir -p "$ENV_TO_INI_MOUNT_POINT/$scope/..data/"
  echo "${content}" > "$ENV_TO_INI_MOUNT_POINT/$scope/..data/$file"
  ln -sf "$ENV_TO_INI_MOUNT_POINT/$scope/..data/$file" "$ENV_TO_INI_MOUNT_POINT/$scope/$file"
 }
@test "works as expected when nothing is configured" {
  expect_environment_to_ini_call
  run $PROJECT_ROOT/scripts/init-containers/config/config_environment.sh
  assert_success
  assert_line '...Initial secrets generated'
  assert_line 'Reloading preset envs...'
  assert_line '=== All configuration sources loaded ==='
  assert_line 'Stubbed environment-to-ini was called!'
 }
@test "exports initial secrets" {
  expect_environment_to_ini_call
  run execute_test_script
  assert_success
  assert_line '+GITEA__OAUTH2__JWT_SECRET=mocked-jwt-secret'
  assert_line '+GITEA__SECURITY__INTERNAL_TOKEN=mocked-internal-token'
  assert_line '+GITEA__SECURITY__SECRET_KEY=mocked-secret-key'
  assert_line '+GITEA__SERVER__LFS_JWT_SECRET=mocked-lfs-jwt-secret'
 }
@test "does NOT export initial secrets when app.ini already exists" {
  expect_environment_to_ini_call
  touch $GITEA_APP_INI
  run execute_test_script
  assert_success
  assert_line --partial 'An app.ini file already exists.'
  refute_line '+GITEA__OAUTH2__JWT_SECRET=mocked-jwt-secret'
  refute_line '+GITEA__SECURITY__INTERNAL_TOKEN=mocked-internal-token'
  refute_line '+GITEA__SECURITY__SECRET_KEY=mocked-secret-key'
  refute_line '+GITEA__SERVER__LFS_JWT_SECRET=mocked-lfs-jwt-secret'
 }
@test "ensures that preset environment variables take precedence over auto-generated ones" {
  expect_environment_to_ini_call
  export GITEA__OAUTH2__JWT_SECRET="pre-defined-jwt-secret"
  run execute_test_script
  assert_success
  refute_line '+GITEA__OAUTH2__JWT_SECRET=mocked-jwt-secret'
 }
@test "ensures that preset environment variables take precedence over mounted ones" {
  expect_environment_to_ini_call
  export GITEA__OAUTH2__JWT_SECRET="pre-defined-jwt-secret"
  write_mounted_file "inlines" "oauth2" "$(cat << EOF
 JWT_SECRET=inline-jwt-secret
 EOF
 )"
  run execute_test_script
  assert_success
  refute_line '+GITEA__OAUTH2__JWT_SECRET=mocked-jwt-secret'
  refute_line '+GITEA__OAUTH2__JWT_SECRET=inline-jwt-secret'
 }
@test "ensures that additionals take precedence over inlines" {
  expect_environment_to_ini_call
  write_mounted_file "inlines" "oauth2" "$(cat << EOF
 JWT_SECRET=inline-jwt-secret
 EOF
 )"
  write_mounted_file "additionals" "oauth2" "$(cat << EOF
 JWT_SECRET=additional-jwt-secret
 EOF
 )"
  run execute_test_script
  assert_success
  refute_line '+GITEA__OAUTH2__JWT_SECRET=mocked-jwt-secret'
  refute_line '+GITEA__OAUTH2__JWT_SECRET=inline-jwt-secret'
  assert_line '+GITEA__OAUTH2__JWT_SECRET=additional-jwt-secret'
 }
@test "ensures that dotted/dashed sections are properly masked" {
  expect_environment_to_ini_call
  write_mounted_file "inlines" "repository.pull-request" "$(cat << EOF
 WORK_IN_PROGRESS_PREFIXES=WIP:,[WIP]
 EOF
 )"
  run execute_test_script
  assert_success
  assert_line '+GITEA__REPOSITORY_0X2E_PULL_0X2D_REQUEST__WORK_IN_PROGRESS_PREFIXES=WIP:,[WIP]'
 }
 ###############################################################
 ##### THIS IS A BUG, BUT I WANT IT TO BE COVERED BY TESTS #####
 ###############################################################
@test "ensures uppercase section and setting names (🐞)" {
  expect_environment_to_ini_call
  export GITEA__oauth2__JwT_Secret="pre-defined-jwt-secret"
  write_mounted_file "inlines" "repository.pull-request" "$(cat << EOF
 WORK_IN_progress_PREFIXES=WIP:,[WIP]
 EOF
 )"
  run execute_test_script
  assert_success
  assert_line '+GITEA__REPOSITORY_0X2E_PULL_0X2D_REQUEST__WORK_IN_PROGRESS_PREFIXES=WIP:,[WIP]'
  assert_line '+GITEA__OAUTH2__JWT_SECRET=pre-defined-jwt-secret'
 }
@test "treats top-level configuration as section-less" {
  expect_environment_to_ini_call
  write_mounted_file "inlines" "_generals_" "$(cat << EOF
 APP_NAME=Hello top-level configuration
 RUN_MODE=dev
 EOF
 )"
  run execute_test_script
  assert_success
  assert_line '+GITEA____APP_NAME=Hello top-level configuration'
  assert_line '+GITEA____RUN_MODE=dev'
 }
@test "fails on invalid setting" {
  write_mounted_file "inlines" "_generals_" "$(cat << EOF
 some random invalid string
 EOF
 )"
  run execute_test_script
  assert_failure
 }
@test "treats empty setting name as invalid setting" {
  write_mounted_file "inlines" "_generals_" "$(cat << EOF
 =value
 EOF
 )"
  run execute_test_script
  assert_failure
 }
--- a/unittests/helm/check-actions-not-present.yaml
+++ b/unittests/helm/check-actions-not-present.yaml
@ -1,12 +0,0 @@
 suite: Check if actions raises an error
 release:
  name: gitea-unittests
  namespace: testing
 tests:
  - it: fails when trying to configure actions due to removal
    set:
      actions:
        enabled: true
    asserts:
      - failedTemplate:
          errorMessage: The actions sub-chart has been outsourced to a dedicated chart available at https://gitea.com/gitea/helm-actions. For assistance with the migration process, check https://gitea.com/gitea/helm-actions/issues/9.
--- a/unittests/helm/config/actions-config.yaml
+++ b/unittests/helm/config/actions-config.yaml
@ -1,24 +0,0 @@
 suite: config template | actions config
 release:
  name: gitea-unittests
  namespace: testing
 templates:
  - templates/gitea/config.yaml
 tests:
  - it: "actions are enabled by default (based on vanilla Gitea behavior)"
    template: templates/gitea/config.yaml
    asserts:
      - documentIndex: 0
        notExists:
          path: stringData.actions
  - it: "actions can be disabled via inline config"
    template: templates/gitea/config.yaml
    set:
      gitea.config.actions.ENABLED: false
    asserts:
      - documentIndex: 0
        equal:
          path: stringData.actions
          value: |-
            ENABLED=false
--- a/unittests/helm/config/cache-config.yaml
+++ b/unittests/helm/config/cache-config.yaml
@ -1,66 +0,0 @@
 suite: config template | cache config
 release:
  name: gitea-unittests
  namespace: testing
 tests:
  - it: "cache is configured correctly for valkey-cluster"
    template: templates/gitea/config.yaml
    set:
      valkey-cluster:
        enabled: true
      valkey:
        enabled: false
    asserts:
      - documentIndex: 0
        equal:
          path: stringData.cache
          value: |-
            ADAPTER=redis
            HOST=redis+cluster://:@gitea-unittests-valkey-cluster-headless.testing.svc.cluster.local:6379/0?pool_size=100&idle_timeout=180s&
  - it: "cache is configured correctly for valkey"
    template: templates/gitea/config.yaml
    set:
      valkey-cluster:
        enabled: false
      valkey:
        enabled: true
    asserts:
      - documentIndex: 0
        equal:
          path: stringData.cache
          value: |-
            ADAPTER=redis
            HOST=redis://:changeme@gitea-unittests-valkey-headless.testing.svc.cluster.local:6379/0?pool_size=100&idle_timeout=180s&
  - it: "cache is configured correctly for 'memory' when valkey (or valkey-cluster) is disabled"
    template: templates/gitea/config.yaml
    set:
      valkey-cluster:
        enabled: false
      valkey:
        enabled: false
    asserts:
      - documentIndex: 0
        equal:
          path: stringData.cache
          value: |-
            ADAPTER=memory
            HOST=
  - it: "cache can be customized when valkey (or valkey-cluster) is disabled"
    template: templates/gitea/config.yaml
    set:
      valkey-cluster:
        enabled: false
      valkey:
        enabled: false
      gitea.config.cache.ADAPTER: custom-adapter
      gitea.config.cache.HOST: custom-host
    asserts:
      - documentIndex: 0
        equal:
          path: stringData.cache
          value: |-
            ADAPTER=custom-adapter
            HOST=custom-host
--- a/unittests/helm/config/metrics-section_metrics-token.yaml
+++ b/unittests/helm/config/metrics-section_metrics-token.yaml
@ -1,58 +0,0 @@
 suite: config template | metrics section (metrics token)
 release:
  name: gitea-unittests
  namespace: testing
 tests:
  - it: metrics token is set
    template: templates/gitea/config.yaml
    set:
      gitea:
        metrics:
          enabled: true
          token: "somepassword"
    asserts:
      - documentIndex: 0
        equal:
          path: stringData.metrics
          value: |-
            ENABLED=true
            TOKEN=somepassword
  - it: metrics token is empty
    template: templates/gitea/config.yaml
    set:
      gitea:
        metrics:
          enabled: true
          token: ""
    asserts:
      - documentIndex: 0
        equal:
          path: stringData.metrics
          value: |-
            ENABLED=true
  - it: metrics token is nil
    template: templates/gitea/config.yaml
    set:
      gitea:
        metrics:
          enabled: true
          token:
    asserts:
      - documentIndex: 0
        equal:
          path: stringData.metrics
          value: |-
            ENABLED=true
  - it: does not configures a token if metrics are disabled
    template: templates/gitea/config.yaml
    set:
      gitea:
        metrics:
          enabled: false
          token: "somepassword"
    asserts:
      - documentIndex: 0
        equal:
          path: stringData.metrics
          value: |-
            ENABLED=false
--- a/unittests/helm/config/queue-config.yaml
+++ b/unittests/helm/config/queue-config.yaml
@ -1,66 +0,0 @@
 suite: config template | queue config
 release:
  name: gitea-unittests
  namespace: testing
 tests:
  - it: "queue is configured correctly for valkey-cluster"
    template: templates/gitea/config.yaml
    set:
      valkey-cluster:
        enabled: true
      valkey:
        enabled: false
    asserts:
      - documentIndex: 0
        equal:
          path: stringData.queue
          value: |-
            CONN_STR=redis+cluster://:@gitea-unittests-valkey-cluster-headless.testing.svc.cluster.local:6379/0?pool_size=100&idle_timeout=180s&
            TYPE=redis
  - it: "queue is configured correctly for valkey"
    template: templates/gitea/config.yaml
    set:
      valkey-cluster:
        enabled: false
      valkey:
        enabled: true
    asserts:
      - documentIndex: 0
        equal:
          path: stringData.queue
          value: |-
            CONN_STR=redis://:changeme@gitea-unittests-valkey-headless.testing.svc.cluster.local:6379/0?pool_size=100&idle_timeout=180s&
            TYPE=redis
  - it: "queue is configured correctly for 'levelDB' when valkey (and valkey-cluster) is disabled"
    template: templates/gitea/config.yaml
    set:
      valkey-cluster:
        enabled: false
      valkey:
        enabled: false
    asserts:
      - documentIndex: 0
        equal:
          path: stringData.queue
          value: |-
            CONN_STR=
            TYPE=level
  - it: "queue can be customized when valkey (and valkey-cluster) are disabled"
    template: templates/gitea/config.yaml
    set:
      valkey-cluster:
        enabled: false
      valkey:
        enabled: false
      gitea.config.queue.TYPE: custom-type
      gitea.config.queue.CONN_STR: custom-connection-string
    asserts:
      - documentIndex: 0
        equal:
          path: stringData.queue
          value: |-
            CONN_STR=custom-connection-string
            TYPE=custom-type
--- a/unittests/helm/config/server-section_domain.yaml
+++ b/unittests/helm/config/server-section_domain.yaml
@ -1,67 +0,0 @@
 suite: config template | server section (domain related)
 release:
  name: gitea-unittests
  namespace: testing
 tests:
  - it: "[default values] uses ingress host for DOMAIN|SSH_DOMAIN|ROOT_URL"
    template: templates/gitea/config.yaml
    asserts:
      - documentIndex: 0
        matchRegex:
          path: stringData.server
          pattern: \nDOMAIN=git.example.com
      - documentIndex: 0
        matchRegex:
          path: stringData.server
          pattern: \nSSH_DOMAIN=git.example.com
      - documentIndex: 0
        matchRegex:
          path: stringData.server
          pattern: \nROOT_URL=http://git.example.com
  ################################################
  - it: "[no ingress hosts] uses gitea http service for DOMAIN|SSH_DOMAIN|ROOT_URL"
    template: templates/gitea/config.yaml
    set:
      ingress:
        hosts: []
    asserts:
      - documentIndex: 0
        matchRegex:
          path: stringData.server
          pattern: \nDOMAIN=gitea-unittests-http.testing.svc.cluster.local
      - documentIndex: 0
        matchRegex:
          path: stringData.server
          pattern: \nSSH_DOMAIN=gitea-unittests-http.testing.svc.cluster.local
      - documentIndex: 0
        matchRegex:
          path: stringData.server
          pattern: \nROOT_URL=http://gitea-unittests-http.testing.svc.cluster.local
  ################################################
  - it: "[provided via values] uses that for DOMAIN|SSH_DOMAIN|ROOT_URL"
    template: templates/gitea/config.yaml
    set:
      gitea.config.server.DOMAIN: provided.example.com
      ingress:
        hosts:
          - host: non-used.example.com
            paths:
              - path: /
                pathType: Prefix
    asserts:
      - documentIndex: 0
        matchRegex:
          path: stringData.server
          pattern: \nDOMAIN=provided.example.com
      - documentIndex: 0
        matchRegex:
          path: stringData.server
          pattern: \nSSH_DOMAIN=provided.example.com
      - documentIndex: 0
        matchRegex:
          path: stringData.server
          pattern: \nROOT_URL=http://provided.example.com
--- a/unittests/helm/config/session-config.yaml
+++ b/unittests/helm/config/session-config.yaml
@ -1,66 +0,0 @@
 suite: config template | session config
 release:
  name: gitea-unittests
  namespace: testing
 tests:
  - it: "session is configured correctly for valkey-cluster"
    template: templates/gitea/config.yaml
    set:
      valkey-cluster:
        enabled: true
      valkey:
        enabled: false
    asserts:
      - documentIndex: 0
        equal:
          path: stringData.session
          value: |-
            PROVIDER=redis
            PROVIDER_CONFIG=redis+cluster://:@gitea-unittests-valkey-cluster-headless.testing.svc.cluster.local:6379/0?pool_size=100&idle_timeout=180s&
  - it: "session is configured correctly for valkey"
    template: templates/gitea/config.yaml
    set:
      valkey-cluster:
        enabled: false
      valkey:
        enabled: true
    asserts:
      - documentIndex: 0
        equal:
          path: stringData.session
          value: |-
            PROVIDER=redis
            PROVIDER_CONFIG=redis://:changeme@gitea-unittests-valkey-headless.testing.svc.cluster.local:6379/0?pool_size=100&idle_timeout=180s&
  - it: "session is configured correctly for 'memory' when valkey (and valkey-cluster) is disabled"
    template: templates/gitea/config.yaml
    set:
      valkey-cluster:
        enabled: false
      valkey:
        enabled: false
    asserts:
      - documentIndex: 0
        equal:
          path: stringData.session
          value: |-
            PROVIDER=memory
            PROVIDER_CONFIG=
  - it: "session can be customized when valkey (and valkey-cluster) is disabled"
    template: templates/gitea/config.yaml
    set:
      valkey-cluster:
        enabled: false
      valkey:
        enabled: false
      gitea.config.session.PROVIDER: custom-provider
      gitea.config.session.PROVIDER_CONFIG: custom-provider-config
    asserts:
      - documentIndex: 0
        equal:
          path: stringData.session
          value: |-
            PROVIDER=custom-provider
            PROVIDER_CONFIG=custom-provider-config
--- a/unittests/helm/dependency-checks/customization-integrity-postgresql-ha.yaml
+++ b/unittests/helm/dependency-checks/customization-integrity-postgresql-ha.yaml
@ -1,121 +0,0 @@
 suite: Dependency checks | Customization integrity | postgresql-ha
 release:
  name: gitea-unittests
  namespace: testing
 set:
  postgresql:
    enabled: false
  postgresql-ha:
    enabled: true
    global:
      postgresql:
        database: gitea-database
        password: gitea-password
        username: gitea-username
    postgresql:
      repmgrPassword: custom-password-repmgr
      postgresPassword: custom-password-postgres
      password: custom-password-overwritten-by-global-postgresql-password
    pgpool:
      adminPassword: custom-password-pgpool
    service:
      ports:
        postgresql: 1234
    persistence:
      size: 1337Mi
 tests:
  - it: "[postgresql-ha] DB settings are applied as expected"
    template: charts/postgresql-ha/templates/postgresql/statefulset.yaml
    asserts:
      - documentIndex: 0
        contains:
          path: spec.template.spec.containers[0].env
          content:
            name: POSTGRES_DB
            value: "gitea-database"
      - documentIndex: 0
        contains:
          path: spec.template.spec.containers[0].env
          content:
            name: POSTGRES_USER
            value: "gitea-username"
  - it: "[postgresql-ha] DB passwords are applied as expected"
    template: charts/postgresql-ha/templates/postgresql/secrets.yaml
    asserts:
      - documentIndex: 0
        equal:
          path: data["repmgr-password"]
          value: "Y3VzdG9tLXBhc3N3b3JkLXJlcG1ncg=="
      - documentIndex: 0
        equal:
          path: data["postgres-password"]
          value: "Y3VzdG9tLXBhc3N3b3JkLXBvc3RncmVz"
      - documentIndex: 0
        equal:
          path: data["password"]
          value: "Z2l0ZWEtcGFzc3dvcmQ=" # postgresql-ha.postgresql.password is overwritten by postgresql-ha.global.postgresql.password and should not be referenced here
  - it: "[postgresql-ha] pgpool.adminPassword is applied as expected"
    template: charts/postgresql-ha/templates/pgpool/secrets.yaml
    asserts:
      - documentIndex: 0
        equal:
          path: data["admin-password"]
          value: "Y3VzdG9tLXBhc3N3b3JkLXBncG9vbA=="
  - it: "[postgresql-ha] pgpool.adminPassword is applied as expected"
    template: charts/postgresql-ha/templates/pgpool/secrets.yaml
    asserts:
      - documentIndex: 0
        equal:
          path: data["admin-password"]
          value: "Y3VzdG9tLXBhc3N3b3JkLXBncG9vbA=="
  - it: "[postgresql-ha] pgpool.adminPassword is applied as expected"
    template: charts/postgresql-ha/templates/pgpool/secrets.yaml
    asserts:
      - documentIndex: 0
        equal:
          path: data["admin-password"]
          value: "Y3VzdG9tLXBhc3N3b3JkLXBncG9vbA=="
  - it: "[postgresql-ha] persistence.size is applied as expected"
    template: charts/postgresql-ha/templates/postgresql/statefulset.yaml
    asserts:
      - documentIndex: 0
        equal:
          path: spec.volumeClaimTemplates[0].spec.resources.requests.storage
          value: "1337Mi"
  - it: "[postgresql-ha] service.ports.postgresql is applied as expected"
    template: charts/postgresql-ha/templates/pgpool/service.yaml
    asserts:
      - documentIndex: 0
        equal:
          path: spec.ports[0].port
          value: 1234
  - it: "[postgresql-ha] renders the referenced service"
    template: charts/postgresql-ha/templates/pgpool/service.yaml
    asserts:
      - containsDocument:
          kind: Service
          apiVersion: v1
          name: gitea-unittests-postgresql-ha-pgpool
          namespace: testing
  - it: "[gitea] connects to pgpool service"
    template: templates/gitea/config.yaml
    asserts:
      - documentIndex: 0
        matchRegex:
          path: stringData.database
          pattern: HOST=gitea-unittests-postgresql-ha-pgpool.testing.svc.cluster.local:1234
  - it: "[gitea] connects to configured database"
    template: templates/gitea/config.yaml
    asserts:
      - documentIndex: 0
        matchRegex:
          path: stringData.database
          pattern: NAME=gitea-database
      - documentIndex: 0
        matchRegex:
          path: stringData.database
          pattern: USER=gitea-username
      - documentIndex: 0
        matchRegex:
          path: stringData.database
          pattern: PASSWD=gitea-password
--- a/unittests/helm/dependency-checks/customization-integrity-postgresql.yaml
+++ b/unittests/helm/dependency-checks/customization-integrity-postgresql.yaml
@ -1,88 +0,0 @@
 suite: Dependency checks | Customization integrity | postgresql
 release:
  name: gitea-unittests
  namespace: testing
 set:
  postgresql-ha:
    enabled: false
  postgresql:
    enabled: true
    global:
      postgresql:
        auth:
          password: gitea-password
          database: gitea-database
          username: gitea-username
        service:
          ports:
            postgresql: 1234
    primary:
      persistence:
        size: 1337Mi
 tests:
  - it: "[postgresql] DB settings are applied as expected"
    template: charts/postgresql/templates/primary/statefulset.yaml
    asserts:
      - documentIndex: 0
        contains:
          path: spec.template.spec.containers[0].env
          content:
            name: POSTGRES_DATABASE
            value: "gitea-database"
      - documentIndex: 0
        contains:
          path: spec.template.spec.containers[0].env
          content:
            name: POSTGRES_USER
            value: "gitea-username"
  - it: "[postgresql] DB password is applied as expected"
    template: charts/postgresql/templates/secrets.yaml
    asserts:
      - documentIndex: 0
        equal:
          path: data["password"]
          value: "Z2l0ZWEtcGFzc3dvcmQ="
  - it: "[postgresql] primary.persistence.size is applied as expected"
    template: charts/postgresql/templates/primary/statefulset.yaml
    asserts:
      - documentIndex: 0
        equal:
          path: spec.volumeClaimTemplates[0].spec.resources.requests.storage
          value: "1337Mi"
  - it: "[postgresql] global.postgresql.service.ports.postgresql is applied as expected"
    template: charts/postgresql/templates/primary/svc.yaml
    asserts:
      - documentIndex: 0
        equal:
          path: spec.ports[0].port
          value: 1234
  - it: "[postgresql] renders the referenced service"
    template: charts/postgresql/templates/primary/svc.yaml
    asserts:
      - containsDocument:
          kind: Service
          apiVersion: v1
          name: gitea-unittests-postgresql
          namespace: testing
  - it: "[gitea] connects to postgresql service"
    template: templates/gitea/config.yaml
    asserts:
      - documentIndex: 0
        matchRegex:
          path: stringData.database
          pattern: HOST=gitea-unittests-postgresql.testing.svc.cluster.local:1234
  - it: "[gitea] connects to configured database"
    template: templates/gitea/config.yaml
    asserts:
      - documentIndex: 0
        matchRegex:
          path: stringData.database
          pattern: NAME=gitea-database
      - documentIndex: 0
        matchRegex:
          path: stringData.database
          pattern: USER=gitea-username
      - documentIndex: 0
        matchRegex:
          path: stringData.database
          pattern: PASSWD=gitea-password
--- a/unittests/helm/dependency-checks/customization-integrity-valkey-cluster.yaml
+++ b/unittests/helm/dependency-checks/customization-integrity-valkey-cluster.yaml
@ -1,90 +0,0 @@
 suite: Dependency checks | Customization integrity | valkey-cluster
 release:
  name: gitea-unittests
  namespace: testing
 set:
  valkey:
    enabled: false
  valkey-cluster:
    enabled: true
    usePassword: false
    cluster:
      nodes: 5
      replicas: 2
 tests:
  - it: "[valkey-cluster] configures correct nodes/replicas"
    template: charts/valkey-cluster/templates/valkey-statefulset.yaml
    asserts:
      - documentIndex: 0
        equal:
          path: spec.replicas
          value: 5
      - documentIndex: 0
        matchRegex:
          path: spec.template.spec.containers[0].args[0]
          pattern: VALKEY_CLUSTER_REPLICAS="2"
  - it: "[valkey-cluster] support auth-less connections"
    asserts:
      - template: charts/valkey-cluster/templates/secret.yaml
        hasDocuments:
          count: 0
      - template: charts/valkey-cluster/templates/valkey-statefulset.yaml
        documentIndex: 0
        contains:
          path: spec.template.spec.containers[0].env
          content:
            name: ALLOW_EMPTY_PASSWORD
            value: "yes"
  - it: "[valkey-cluster] support auth-full connections"
    set:
      valkey-cluster:
        usePassword: true
    asserts:
      - template: charts/valkey-cluster/templates/secret.yaml
        containsDocument:
          kind: Secret
          apiVersion: v1
          name: gitea-unittests-valkey-cluster
          namespace: testing
      - template: charts/valkey-cluster/templates/valkey-statefulset.yaml
        documentIndex: 0
        contains:
          path: spec.template.spec.containers[0].env
          content:
            name: REDISCLI_AUTH
            valueFrom:
              secretKeyRef:
                name: gitea-unittests-valkey-cluster
                key: valkey-password
      - template: charts/valkey-cluster/templates/valkey-statefulset.yaml
        documentIndex: 0
        contains:
          path: spec.template.spec.containers[0].env
          content:
            name: REDISCLI_AUTH
            valueFrom:
              secretKeyRef:
                name: gitea-unittests-valkey-cluster
                key: valkey-password
  - it: "[valkey-cluster] renders the referenced service"
    template: charts/valkey-cluster/templates/headless-svc.yaml
    asserts:
      - containsDocument:
          kind: Service
          apiVersion: v1
          name: gitea-unittests-valkey-cluster-headless
          namespace: testing
      - documentIndex: 0
        contains:
          path: spec.ports
          content:
            name: tcp-redis
            port: 6379
            targetPort: tcp-redis
  - it: "[gitea] waits for valkey-cluster to be up and running"
    template: templates/gitea/init.yaml
    asserts:
      - documentIndex: 0
        matchRegex:
          path: stringData["configure_gitea.sh"]
          pattern: nc -vz -w2 gitea-unittests-valkey-cluster-headless.testing.svc.cluster.local 6379
--- a/unittests/helm/dependency-checks/customization-integrity-valkey.yaml
+++ b/unittests/helm/dependency-checks/customization-integrity-valkey.yaml
@ -1,52 +0,0 @@
 suite: Dependency checks | Customization integrity | valkey
 release:
  name: gitea-unittests
  namespace: testing
 set:
  valkey-cluster:
    enabled: false
  valkey:
    enabled: true
    architecture: standalone
    global:
      valkey:
        password: gitea-password
    master:
      count: 2
 tests:
  - it: "[valkey] configures correct 'master' nodes"
    template: charts/valkey/templates/primary/application.yaml
    asserts:
      - documentIndex: 0
        equal:
          path: spec.replicas
          value: 1
  - it: "[valkey] valkey.global.valkey.password is applied as expected"
    template: charts/valkey/templates/secret.yaml
    asserts:
      - documentIndex: 0
        equal:
          path: data["valkey-password"]
          value: "Z2l0ZWEtcGFzc3dvcmQ="
  - it: "[valkey] renders the referenced service"
    template: charts/valkey/templates/headless-svc.yaml
    asserts:
      - containsDocument:
          kind: Service
          apiVersion: v1
          name: gitea-unittests-valkey-headless
          namespace: testing
      - documentIndex: 0
        contains:
          path: spec.ports
          content:
            name: tcp-redis
            port: 6379
            targetPort: redis
  - it: "[gitea] waits for valkey to be up and running"
    template: templates/gitea/init.yaml
    asserts:
      - documentIndex: 0
        matchRegex:
          path: stringData["configure_gitea.sh"]
          pattern: nc -vz -w2 gitea-unittests-valkey-headless.testing.svc.cluster.local 6379
--- a/unittests/helm/dependency-checks/major-image-bump.yaml
+++ b/unittests/helm/dependency-checks/major-image-bump.yaml
@ -1,57 +0,0 @@
 suite: Dependency checks | Major image bumps
 release:
  name: gitea-unittests
  namespace: testing
 tests:
  - it: "[postgresql-ha] ensures we detect major image version upgrades"
    template: charts/postgresql-ha/templates/postgresql/statefulset.yaml
    set:
      postgresql:
        enabled: false
      postgresql-ha:
        enabled: true
    asserts:
      - documentIndex: 0
        matchRegex:
          path: spec.template.spec.containers[0].image
          # IN CASE OF AN INTENTIONAL MAJOR BUMP, ADJUST THIS TEST
          pattern: bitnami/postgresql-repmgr:17.+$
  - it: "[postgresql] ensures we detect major image version upgrades"
    template: charts/postgresql/templates/primary/statefulset.yaml
    set:
      postgresql:
        enabled: true
      postgresql-ha:
        enabled: false
    asserts:
      - documentIndex: 0
        matchRegex:
          path: spec.template.spec.containers[0].image
          # IN CASE OF AN INTENTIONAL MAJOR BUMP, ADJUST THIS TEST
          pattern: bitnami/postgresql:17.+$
  - it: "[valkey-cluster] ensures we detect major image version upgrades"
    template: charts/valkey-cluster/templates/valkey-statefulset.yaml
    set:
      valkey-cluster:
        enabled: true
      valkey:
        enabled: false
    asserts:
      - documentIndex: 0
        matchRegex:
          path: spec.template.spec.containers[0].image
          # IN CASE OF AN INTENTIONAL MAJOR BUMP, ADJUST THIS TEST
          pattern: bitnami/valkey-cluster:8.+$
  - it: "[valkey] ensures we detect major image version upgrades"
    template: charts/valkey/templates/primary/application.yaml
    set:
      valkey-cluster:
        enabled: false
      valkey:
        enabled: true
    asserts:
      - documentIndex: 0
        matchRegex:
          path: spec.template.spec.containers[0].image
          # IN CASE OF AN INTENTIONAL MAJOR BUMP, ADJUST THIS TEST
          pattern: bitnami/valkey:8.+$
--- a/unittests/helm/deployment/HA.yaml
+++ b/unittests/helm/deployment/HA.yaml
@ -1,59 +0,0 @@
 suite: deployment template (HA)
 release:
  name: gitea-unittests
  namespace: testing
 templates:
  - templates/gitea/deployment.yaml
  - templates/gitea/config.yaml
 tests:
  - it: fails with multiple replicas and "GIT_GC_REPOS" enabled
    template: templates/gitea/deployment.yaml
    set:
      replicaCount: 2
      persistence:
        accessModes:
          - ReadWriteMany
      gitea:
        config:
          cron:
            GIT_GC_REPOS:
              ENABLED: true
    asserts:
      - failedTemplate:
          errorMessage: "Invoking the garbage collector via CRON is not yet supported when running with multiple replicas. Please set 'gitea.config.cron.GIT_GC_REPOS.enabled = false'."
  - it: fails with multiple replicas and RWX file system not set
    template: templates/gitea/deployment.yaml
    set:
      replicaCount: 2
    asserts:
      - failedTemplate:
          errorMessage: "When using multiple replicas, a RWX file system is required and persistence.accessModes[0] must be set to ReadWriteMany."
  - it: fails with multiple replicas and bleve issue indexer
    template: templates/gitea/deployment.yaml
    set:
      replicaCount: 2
      persistence:
        accessModes:
          - ReadWriteMany
      gitea:
        config:
          indexer:
            ISSUE_INDEXER_TYPE: bleve
    asserts:
      - failedTemplate:
          errorMessage: "When using multiple replicas, the issue indexer (gitea.config.indexer.ISSUE_INDEXER_TYPE) must be set to a HA-ready provider such as 'meilisearch', 'elasticsearch' or 'db' (if the DB is HA-ready)."
  - it: fails with multiple replicas and bleve repo indexer
    template: templates/gitea/deployment.yaml
    set:
      replicaCount: 2
      persistence:
        accessModes:
          - ReadWriteMany
      gitea:
        config:
          indexer:
            REPO_INDEXER_TYPE: bleve
            REPO_INDEXER_ENABLED: true
    asserts:
      - failedTemplate:
          errorMessage: "When using multiple replicas, the repo indexer (gitea.config.indexer.REPO_INDEXER_TYPE) must be set to 'meilisearch' or 'elasticsearch' or disabled."
--- a/unittests/helm/deployment/basic.yaml
+++ b/unittests/helm/deployment/basic.yaml
@ -1,95 +0,0 @@
 suite: deployment template (basic)
 release:
  name: gitea-unittests
  namespace: testing
 templates:
  - templates/gitea/deployment.yaml
  - templates/gitea/config.yaml
 tests:
  - it: renders a deployment
    template: templates/gitea/deployment.yaml
    asserts:
      - hasDocuments:
          count: 1
      - containsDocument:
          kind: Deployment
          apiVersion: apps/v1
          name: gitea-unittests
  - it: deployment labels are set
    template: templates/gitea/deployment.yaml
    set:
      deployment.labels:
        hello: world
    asserts:
      - isSubset:
          path: metadata.labels
          content:
            hello: world
      - isSubset:
          path: spec.template.metadata.labels
          content:
            hello: world
  - it: "injects TMP_EXISTING_ENVS_FILE as environment variable to 'init-app-ini' init container"
    template: templates/gitea/deployment.yaml
    asserts:
      - contains:
          path: spec.template.spec.initContainers[1].env
          content:
            name: TMP_EXISTING_ENVS_FILE
            value: /tmp/existing-envs
  - it: "injects ENV_TO_INI_MOUNT_POINT as environment variable to 'init-app-ini' init container"
    template: templates/gitea/deployment.yaml
    asserts:
      - contains:
          path: spec.template.spec.initContainers[1].env
          content:
            name: ENV_TO_INI_MOUNT_POINT
            value: /env-to-ini-mounts
  - it: CPU resources are defined as well as GOMAXPROCS
    template: templates/gitea/deployment.yaml
    set:
      resources:
        limits:
          cpu: 200ms
          memory: 200Mi
        requests:
          cpu: 100ms
          memory: 100Mi
    asserts:
      - contains:
          path: spec.template.spec.containers[0].env
          content:
            name: GOMAXPROCS
            valueFrom:
              resourceFieldRef:
                divisor: "1"
                resource: limits.cpu
      - equal:
          path: spec.template.spec.containers[0].resources
          value:
            limits:
              cpu: 200ms
              memory: 200Mi
            requests:
              cpu: 100ms
              memory: 100Mi
  - it: Init containers have correct volumeMount path
    template: templates/gitea/deployment.yaml
    set:
      initContainersScriptsVolumeMountPath: "/custom/init/path"
    asserts:
      - equal:
          path: spec.template.spec.initContainers[*].volumeMounts[?(@.name=="init")].mountPath
          value: "/custom/init/path"
      - equal:
          path: spec.template.spec.initContainers[*].volumeMounts[?(@.name=="config")].mountPath
          value: "/custom/init/path"
  - it: Init containers have correct volumeMount path if there is no override
    template: templates/gitea/deployment.yaml
    asserts:
      - equal:
          path: spec.template.spec.initContainers[*].volumeMounts[?(@.name=="init")].mountPath
          value: "/usr/sbinx"
      - equal:
          path: spec.template.spec.initContainers[*].volumeMounts[?(@.name=="config")].mountPath
          value: "/usr/sbinx"
--- a/unittests/helm/deployment/deployment-additional-config.yaml
+++ b/unittests/helm/deployment/deployment-additional-config.yaml
@ -1,150 +0,0 @@
 suite: deployment template
 release:
  name: gitea-unittests
  namespace: testing
 templates:
  - templates/gitea/deployment.yaml
  - templates/gitea/config.yaml
 tests:
  - it: Renders a deployment
    template: templates/gitea/deployment.yaml
    asserts:
      - hasDocuments:
          count: 1
      - containsDocument:
          kind: Deployment
          apiVersion: apps/v1
          name: gitea-unittests
  - it: Deployment with empty additionalConfigFromEnvs
    template: templates/gitea/deployment.yaml
    set:
      gitea.additionalConfigFromEnvs: []
    asserts:
      - hasDocuments:
          count: 1
      - exists:
          path: spec.template.spec.initContainers[1].env
      - lengthEqual:
          path: spec.template.spec.initContainers[1].env
          count: 6
      - isSubset:
          path: spec.template.spec.initContainers[1]
          content:
            env:
              - name: GITEA_APP_INI
                value: /data/gitea/conf/app.ini
              - name: GITEA_CUSTOM
                value: /data/gitea
              - name: GITEA_WORK_DIR
                value: /data
              - name: GITEA_TEMP
                value: /tmp/gitea
              - name: TMP_EXISTING_ENVS_FILE
                value: /tmp/existing-envs
              - name: ENV_TO_INI_MOUNT_POINT
                value: /env-to-ini-mounts
  - it: Deployment with standard additionalConfigFromEnvs
    template: templates/gitea/deployment.yaml
    set:
      gitea.additionalConfigFromEnvs: [{name: GITEA_database_HOST, value: my-db:123}, {name: GITEA_database_USER, value: my-user}]
    asserts:
      - hasDocuments:
          count: 1
      - exists:
          path: spec.template.spec.initContainers[1].env
      - lengthEqual:
          path: spec.template.spec.initContainers[1].env
          count: 8
      - isSubset:
          path: spec.template.spec.initContainers[1]
          content:
            env:
              - name: GITEA_APP_INI
                value: /data/gitea/conf/app.ini
              - name: GITEA_CUSTOM
                value: /data/gitea
              - name: GITEA_WORK_DIR
                value: /data
              - name: GITEA_TEMP
                value: /tmp/gitea
              - name: TMP_EXISTING_ENVS_FILE
                value: /tmp/existing-envs
              - name: ENV_TO_INI_MOUNT_POINT
                value: /env-to-ini-mounts
              - name: GITEA_database_HOST
                value: my-db:123
              - name: GITEA_database_USER
                value: my-user
  - it: Deployment with templated additionalConfigFromEnvs
    template: templates/gitea/deployment.yaml
    set:
      gitea.misc.host: my-db-host:321
      gitea.misc.user: my-db-user
      gitea.additionalConfigFromEnvs: [{name: GITEA_database_HOST, value: "{{ .Values.gitea.misc.host }}"}, {name: GITEA_database_USER, value: "{{ .Values.gitea.misc.user }}"}]
    asserts:
      - hasDocuments:
          count: 1
      - exists:
          path: spec.template.spec.initContainers[1].env
      - lengthEqual:
          path: spec.template.spec.initContainers[1].env
          count: 8
      - isSubset:
          path: spec.template.spec.initContainers[1]
          content:
            env:
              - name: GITEA_APP_INI
                value: /data/gitea/conf/app.ini
              - name: GITEA_CUSTOM
                value: /data/gitea
              - name: GITEA_WORK_DIR
                value: /data
              - name: GITEA_TEMP
                value: /tmp/gitea
              - name: TMP_EXISTING_ENVS_FILE
                value: /tmp/existing-envs
              - name: ENV_TO_INI_MOUNT_POINT
                value: /env-to-ini-mounts
              - name: GITEA_database_HOST
                value: my-db-host:321
              - name: GITEA_database_USER
                value: my-db-user
  - it: Deployment with additionalConfigFromEnvs templated secret name
    template: templates/gitea/deployment.yaml
    set:
      gitea.misc.existingSecret: my-db-secret
      gitea.additionalConfigFromEnvs[0]:
        name: GITEA_database_HOST
        valueFrom:
          secretKeyRef:
            name: "{{ .Values.gitea.misc.existingSecret }}"
            key: password
    asserts:
      - hasDocuments:
          count: 1
      - exists:
          path: spec.template.spec.initContainers[1].env
      - lengthEqual:
          path: spec.template.spec.initContainers[1].env
          count: 7
      - isSubset:
          path: spec.template.spec.initContainers[1]
          content:
            env:
              - name: GITEA_APP_INI
                value: /data/gitea/conf/app.ini
              - name: GITEA_CUSTOM
                value: /data/gitea
              - name: GITEA_WORK_DIR
                value: /data
              - name: GITEA_TEMP
                value: /tmp/gitea
              - name: TMP_EXISTING_ENVS_FILE
                value: /tmp/existing-envs
              - name: ENV_TO_INI_MOUNT_POINT
                value: /env-to-ini-mounts
              - name: GITEA_database_HOST
                valueFrom:
                  secretKeyRef:
                    name: "my-db-secret"
                    key: password
--- a/unittests/helm/deployment/image-configuration.yaml
+++ b/unittests/helm/deployment/image-configuration.yaml
@ -1,110 +0,0 @@
 suite: deployment template (image configuration)
 release:
  name: gitea-unittests
  namespace: testing
 chart:
  # Override appVersion to be consistent with used digest :)
  appVersion: 1.19.3
 templates:
  - templates/gitea/deployment.yaml
  - templates/gitea/config.yaml
 tests:
  - it: default values
    template: templates/gitea/deployment.yaml
    asserts:
      - equal:
          path: spec.template.spec.containers[0].image
          value: "docker.gitea.com/gitea:1.19.3-rootless"
  - it: tag override
    template: templates/gitea/deployment.yaml
    set:
      image.tag: "1.19.4"
    asserts:
      - equal:
          path: spec.template.spec.containers[0].image
          value: "docker.gitea.com/gitea:1.19.4-rootless"
  - it: root-based image
    template: templates/gitea/deployment.yaml
    set:
      image.rootless: false
    asserts:
      - equal:
          path: spec.template.spec.containers[0].image
          value: "docker.gitea.com/gitea:1.19.3"
  - it: scoped registry
    template: templates/gitea/deployment.yaml
    set:
      image.registry: "example.com"
    asserts:
      - equal:
          path: spec.template.spec.containers[0].image
          value: "example.com/gitea:1.19.3-rootless"
  - it: global registry
    template: templates/gitea/deployment.yaml
    set:
      global.imageRegistry: "global.example.com"
    asserts:
      - equal:
          path: spec.template.spec.containers[0].image
          value: "global.example.com/gitea:1.19.3-rootless"
  - it: digest for rootless image
    template: templates/gitea/deployment.yaml
    set:
      image:
        rootless: true
        digest: sha256:b28e8f3089b52ebe6693295df142f8c12eff354e9a4a5bfbb5c10f296c3a537a
    asserts:
      - equal:
          path: spec.template.spec.containers[0].image
          value: "docker.gitea.com/gitea:1.19.3-rootless@sha256:b28e8f3089b52ebe6693295df142f8c12eff354e9a4a5bfbb5c10f296c3a537a"
  - it: image fullOverride (does not append rootless)
    template: templates/gitea/deployment.yaml
    set:
      image:
        fullOverride: docker.gitea.com/gitea:1.19.3
        # setting rootless, registry, repository, tag, and digest to prove that override works
        rootless: true
        registry: example.com
        repository: example/image
        tag: "1.0.0"
        digest: sha256:b28e8f3089b52ebe6693295df142f8c12eff354e9a4a5bfbb5c10f296c3a537a
    asserts:
      - equal:
          path: spec.template.spec.containers[0].image
          value: "docker.gitea.com/gitea:1.19.3"
  - it: digest for root-based image
    template: templates/gitea/deployment.yaml
    set:
      image:
        rootless: false
        digest: sha256:b28e8f3089b52ebe6693295df142f8c12eff354e9a4a5bfbb5c10f296c3a537a
    asserts:
      - equal:
          path: spec.template.spec.containers[0].image
          value: "docker.gitea.com/gitea:1.19.3@sha256:b28e8f3089b52ebe6693295df142f8c12eff354e9a4a5bfbb5c10f296c3a537a"
  - it: digest and global registry
    template: templates/gitea/deployment.yaml
    set:
      global.imageRegistry: "global.example.com"
      image.digest: "sha256:b28e8f3089b52ebe6693295df142f8c12eff354e9a4a5bfbb5c10f296c3a537a"
    asserts:
      - equal:
          path: spec.template.spec.containers[0].image
          value: "global.example.com/gitea:1.19.3-rootless@sha256:b28e8f3089b52ebe6693295df142f8c12eff354e9a4a5bfbb5c10f296c3a537a"
  - it: correctly renders floating tag references
    template: templates/gitea/deployment.yaml
    set:
      image.tag: 1.21 # use non-quoted value on purpose. See: https://gitea.com/gitea/helm-gitea/issues/631
    asserts:
      - equal:
          path: spec.template.spec.initContainers[0].image
          value: "docker.gitea.com/gitea:1.21-rootless"
      - equal:
          path: spec.template.spec.initContainers[1].image
          value: "docker.gitea.com/gitea:1.21-rootless"
      - equal:
          path: spec.template.spec.initContainers[2].image
          value: "docker.gitea.com/gitea:1.21-rootless"
      - equal:
          path: spec.template.spec.containers[0].image
          value: "docker.gitea.com/gitea:1.21-rootless"
--- a/unittests/helm/deployment/ingress-configuration.yaml
+++ b/unittests/helm/deployment/ingress-configuration.yaml
@ -1,45 +0,0 @@
 suite: Test ingress tpl use
 templates:
  - templates/gitea/ingress.yaml
 tests:
  - it: Ingress Class using TPL
    set:
      global.ingress.className: "ingress-class"
      ingress.className: "{{ .Values.global.ingress.className }}"
      ingress.enabled: true
      ingress.hosts[0].host: "some-host"
      ingress.tls:
        - secretName: gitea-tls
          hosts:
            - "some-host"
    asserts:
      - isKind:
          of: Ingress
      - equal:
          path: spec.tls[0].hosts[0]
          value: "some-host"
      - equal:
          path: spec.rules[0].host
          value: "some-host"
      - equal:
          path: spec.ingressClassName
          value: "ingress-class"
  - it: hostname using TPL
    set:
      global.giteaHostName: "gitea.example.com"
      ingress.enabled: true
      ingress.hosts[0].host: "{{ .Values.global.giteaHostName }}"
      ingress.tls:
        - secretName: gitea-tls
          hosts:
            - "{{ .Values.global.giteaHostName }}"
    asserts:
      - isKind:
          of: Ingress
      - equal:
          path: spec.tls[0].hosts[0]
          value: "gitea.example.com"
      - equal:
          path: spec.rules[0].host
          value: "gitea.example.com"
--- a/unittests/helm/deployment/inline-config.yaml
+++ b/unittests/helm/deployment/inline-config.yaml
@ -1,33 +0,0 @@
 suite: config template
 release:
  name: gitea-unittests
  namespace: testing
 templates:
  - templates/gitea/config.yaml
 tests:
  - it: inline config stringData.server using TPL
    set:
      global.giteaHostName: "gitea.example.com"
      ingress.enabled: true
      ingress.hosts[0].host: "{{ .Values.global.giteaHostName }}"
      ingress.tls:
        - secretName: gitea-tls
          hosts:
            - "{{ .Values.global.giteaHostName }}"
    asserts:
      - documentIndex: 0
        matchRegex:
          path: metadata.name
          pattern: .*-inline-config$
      - documentIndex: 0
        matchRegex:
          path: stringData.server
          pattern: DOMAIN=gitea\.example\.com
      - documentIndex: 0
        matchRegex:
          path: stringData.server
          pattern: ROOT_URL=https://gitea\.example\.com
      - documentIndex: 0
        matchRegex:
          path: stringData.server
          pattern: SSH_DOMAIN=gitea\.example\.com
--- a/unittests/helm/deployment/probes.yaml
+++ b/unittests/helm/deployment/probes.yaml
@ -1,188 +0,0 @@
 suite: deployment template (probes)
 release:
  name: gitea-unittests
  namespace: testing
 templates:
  - templates/gitea/deployment.yaml
  - templates/gitea/config.yaml
 tests:
  - it: renders default liveness probe
    template: templates/gitea/deployment.yaml
    asserts:
      - notExists:
          path: spec.template.spec.containers[0].livenessProbe.enabled
      - isSubset:
          path: spec.template.spec.containers[0].livenessProbe
          content:
            failureThreshold: 10
            initialDelaySeconds: 200
            periodSeconds: 10
            successThreshold: 1
            tcpSocket:
              port: http
            timeoutSeconds: 1
  - it: renders default readiness probe
    template: templates/gitea/deployment.yaml
    asserts:
      - notExists:
          path: spec.template.spec.containers[0].readinessProbe.enabled
      - isSubset:
          path: spec.template.spec.containers[0].readinessProbe
          content:
            failureThreshold: 3
            initialDelaySeconds: 5
            periodSeconds: 10
            successThreshold: 1
            tcpSocket:
              port: http
            timeoutSeconds: 1
  - it: does not render a default startup probe
    template: templates/gitea/deployment.yaml
    asserts:
      - notExists:
          path: spec.template.spec.containers[0].startupProbe
  - it: allows enabling a startup probe
    template: templates/gitea/deployment.yaml
    set:
      gitea.startupProbe.enabled: true
    asserts:
      - notExists:
          path: spec.template.spec.containers[0].startupProbe.enabled
      - isSubset:
          path: spec.template.spec.containers[0].startupProbe
          content:
            failureThreshold: 10
            initialDelaySeconds: 60
            periodSeconds: 10
            successThreshold: 1
            tcpSocket:
              port: http
            timeoutSeconds: 1
  - it: allows overwriting the default port of the liveness probe
    template: templates/gitea/deployment.yaml
    set:
      gitea:
        livenessProbe:
          tcpSocket:
            port: my-port
    asserts:
      - isSubset:
          path: spec.template.spec.containers[0].livenessProbe
          content:
            tcpSocket:
              port: my-port
  - it: allows overwriting the default port of the readiness probe
    template: templates/gitea/deployment.yaml
    set:
      gitea:
        readinessProbe:
          tcpSocket:
            port: my-port
    asserts:
      - isSubset:
          path: spec.template.spec.containers[0].readinessProbe
          content:
            tcpSocket:
              port: my-port
  - it: allows overwriting the default port of the startup probe
    template: templates/gitea/deployment.yaml
    set:
      gitea:
        startupProbe:
          enabled: true
          tcpSocket:
            port: my-port
    asserts:
      - isSubset:
          path: spec.template.spec.containers[0].startupProbe
          content:
            tcpSocket:
              port: my-port
  - it: allows using a non-default method as liveness probe
    template: templates/gitea/deployment.yaml
    set:
      gitea:
        livenessProbe:
          httpGet:
            path: /api/healthz
            port: http
          initialDelaySeconds: 13371
          timeoutSeconds: 13372
          periodSeconds: 13373
          successThreshold: 13374
          failureThreshold: 13375
    asserts:
      - notExists:
          path: spec.template.spec.containers[0].livenessProbe.tcpSocket
      - isSubset:
          path: spec.template.spec.containers[0].livenessProbe
          content:
            failureThreshold: 13375
            initialDelaySeconds: 13371
            periodSeconds: 13373
            successThreshold: 13374
            httpGet:
              path: /api/healthz
              port: http
            timeoutSeconds: 13372
  - it: allows using a non-default method as readiness probe
    template: templates/gitea/deployment.yaml
    set:
      gitea:
        readinessProbe:
          httpGet:
            path: /api/healthz
            port: http
          initialDelaySeconds: 13371
          timeoutSeconds: 13372
          periodSeconds: 13373
          successThreshold: 13374
          failureThreshold: 13375
    asserts:
      - notExists:
          path: spec.template.spec.containers[0].readinessProbe.tcpSocket
      - isSubset:
          path: spec.template.spec.containers[0].readinessProbe
          content:
            failureThreshold: 13375
            initialDelaySeconds: 13371
            periodSeconds: 13373
            successThreshold: 13374
            httpGet:
              path: /api/healthz
              port: http
            timeoutSeconds: 13372
  - it: allows using a non-default method as startup probe
    template: templates/gitea/deployment.yaml
    set:
      gitea:
        startupProbe:
          enabled: true
          httpGet:
            path: /api/healthz
            port: http
          initialDelaySeconds: 13371
          timeoutSeconds: 13372
          periodSeconds: 13373
          successThreshold: 13374
          failureThreshold: 13375
    asserts:
      - notExists:
          path: spec.template.spec.containers[0].startupProbe.tcpSocket
      - isSubset:
          path: spec.template.spec.containers[0].startupProbe
          content:
            failureThreshold: 13375
            initialDelaySeconds: 13371
            periodSeconds: 13373
            successThreshold: 13374
            httpGet:
              path: /api/healthz
              port: http
            timeoutSeconds: 13372
--- a/unittests/helm/deployment/sidecar-container.yaml
+++ b/unittests/helm/deployment/sidecar-container.yaml
@ -1,21 +0,0 @@
 suite: sidecar container
 release:
  name: gitea-unittests
  namespace: testing
 templates:
  - templates/gitea/deployment.yaml
  - templates/gitea/config.yaml
 tests:
  - it: supports adding a sidecar container
    template: templates/gitea/deployment.yaml
    set:
      extraContainers:
        - name: sidecar-bob
          image: busybox
    asserts:
      - equal:
          path: spec.template.spec.containers[1].name
          value: "sidecar-bob"
      - equal:
          path: spec.template.spec.containers[1].image
          value: "busybox"
--- a/unittests/helm/deployment/signing-disabled.yaml
+++ b/unittests/helm/deployment/signing-disabled.yaml
@ -1,40 +0,0 @@
 suite: deployment template (signing disabled)
 release:
  name: gitea-unittests
  namespace: testing
 templates:
  - templates/gitea/deployment.yaml
  - templates/gitea/config.yaml
 tests:
  - it: skips gpg init container
    template: templates/gitea/deployment.yaml
    asserts:
      - notContains:
          path: spec.template.spec.initContainers
          any: true
          content:
            name: configure-gpg
  - it: skips gpg env in `init-directories` init container
    template: templates/gitea/deployment.yaml
    set:
      signing.enabled: false
    asserts:
      - notContains:
          path: spec.template.spec.initContainers[0].env
          content:
            name: GNUPGHOME
            value: /data/git/.gnupg
  - it: skips gpg env in runtime container
    template: templates/gitea/deployment.yaml
    asserts:
      - notContains:
          path: spec.template.spec.containers[0].env
          content:
            name: GNUPGHOME
  - it: skips gpg volume spec
    template: templates/gitea/deployment.yaml
    asserts:
      - notContains:
          path: spec.template.spec.volumes
          content:
            name: gpg-private-key
--- a/unittests/helm/deployment/signing-enabled.yaml
+++ b/unittests/helm/deployment/signing-enabled.yaml
@ -1,98 +0,0 @@
 suite: deployment template (signing enabled)
 release:
  name: gitea-unittests
  namespace: testing
 templates:
  - templates/gitea/deployment.yaml
  - templates/gitea/config.yaml
 tests:
  - it: adds gpg init container
    template: templates/gitea/deployment.yaml
    set:
      signing:
        enabled: true
        existingSecret: "custom-gpg-secret"
    asserts:
      - equal:
          path: spec.template.spec.initContainers[2].name
          value: configure-gpg
      - equal:
          path: spec.template.spec.initContainers[2].command
          value: ["/usr/sbinx/configure_gpg_environment.sh"]
      - equal:
          path: spec.template.spec.initContainers[2].securityContext
          value:
            runAsUser: 1000
      - equal:
          path: spec.template.spec.initContainers[2].env
          value:
            - name: GNUPGHOME
              value: /data/git/.gnupg
            - name: TMP_RAW_GPG_KEY
              value: /raw/private.asc
      - equal:
          path: spec.template.spec.initContainers[2].volumeMounts
          value:
            - name: init
              mountPath: /usr/sbinx
            - name: data
              mountPath: /data
            - name: gpg-private-key
              mountPath: /raw
              readOnly: true
  - it: adds gpg env in `init-directories` init container
    template: templates/gitea/deployment.yaml
    set:
      signing.enabled: true
      signing.existingSecret: "custom-gpg-secret"
    asserts:
      - contains:
          path: spec.template.spec.initContainers[0].env
          content:
            name: GNUPGHOME
            value: /data/git/.gnupg
  - it: adds gpg env in runtime container
    template: templates/gitea/deployment.yaml
    set:
      signing.enabled: true
      signing.existingSecret: "custom-gpg-secret"
    asserts:
      - contains:
          path: spec.template.spec.containers[0].env
          content:
            name: GNUPGHOME
            value: /data/git/.gnupg
  - it: adds gpg volume spec
    template: templates/gitea/deployment.yaml
    set:
      signing:
        enabled: true
        existingSecret: "gitea-unittests-gpg-key"
    asserts:
      - contains:
          path: spec.template.spec.volumes
          content:
            name: gpg-private-key
            secret:
              secretName: gitea-unittests-gpg-key
              items:
                - key: privateKey
                  path: private.asc
              defaultMode: 0100
  - it: supports gpg volume spec with external reference
    template: templates/gitea/deployment.yaml
    set:
      signing:
        enabled: true
        existingSecret: custom-gpg-secret
    asserts:
      - contains:
          path: spec.template.spec.volumes
          content:
            name: gpg-private-key
            secret:
              secretName: custom-gpg-secret
              items:
                - key: privateKey
                  path: private.asc
              defaultMode: 0100
--- a/unittests/helm/deployment/ssh-configuration.yaml
+++ b/unittests/helm/deployment/ssh-configuration.yaml
@ -1,64 +0,0 @@
 suite: deployment template (SSH configuration)
 release:
  name: gitea-unittests
  namespace: testing
 templates:
  - templates/gitea/deployment.yaml
  - templates/gitea/config.yaml
 tests:
  - it: supports defining SSH log level for root based image
    template: templates/gitea/deployment.yaml
    set:
      image.rootless: false
    asserts:
      - contains:
          path: spec.template.spec.containers[0].env
          content:
            name: SSH_LOG_LEVEL
            value: "INFO"
  - it: supports overriding SSH log level
    template: templates/gitea/deployment.yaml
    set:
      image.rootless: false
      gitea.ssh.logLevel: "DEBUG"
    asserts:
      - contains:
          path: spec.template.spec.containers[0].env
          content:
            name: SSH_LOG_LEVEL
            value: "DEBUG"
  - it: supports overriding SSH log level (even when image.fullOverride set)
    template: templates/gitea/deployment.yaml
    set:
      image.fullOverride: docker.gitea.com/gitea:1.19.3
      image.rootless: false
      gitea.ssh.logLevel: "DEBUG"
    asserts:
      - contains:
          path: spec.template.spec.containers[0].env
          content:
            name: SSH_LOG_LEVEL
            value: "DEBUG"
  - it: skips SSH_LOG_LEVEL for rootless image
    template: templates/gitea/deployment.yaml
    set:
      image.rootless: true
      gitea.ssh.logLevel: "DEBUG" # explicitly defining a non-standard level here
    asserts:
      - notContains:
          path: spec.template.spec.containers[0].env
          any: true
          content:
            name: SSH_LOG_LEVEL
  - it: skips SSH_LOG_LEVEL for rootless image (even when image.fullOverride set)
    template: templates/gitea/deployment.yaml
    set:
      image.fullOverride: docker.gitea.com/gitea:1.19.3
      image.rootless: true
      gitea.ssh.logLevel: "DEBUG" # explicitly defining a non-standard level here
    asserts:
      - notContains:
          path: spec.template.spec.containers[0].env
          any: true
          content:
            name: SSH_LOG_LEVEL
--- a/unittests/helm/deployment/storage-class-configuration.yaml
+++ b/unittests/helm/deployment/storage-class-configuration.yaml
@ -1,39 +0,0 @@
 # File: tests/gitea-storageclass-tests.yaml
 suite: storage class configuration tests
 release:
  name: gitea-storageclass-tests
  namespace: testing
 templates:
  - templates/gitea/pvc.yaml
 tests:
  - it: should set storageClassName when persistence.storageClass is defined
    template: templates/gitea/pvc.yaml
    set:
      persistence.storageClass: "my-storage-class"
    asserts:
      - equal:
          path: "spec.storageClassName"
          value: "my-storage-class"
  - it: should set global.storageClass when persistence.storageClass is not defined
    template: templates/gitea/pvc.yaml
    set:
      global.storageClass: "default-storage-class"
    asserts:
      - equal:
          path: spec.storageClassName
          value: "default-storage-class"
  - it: should set storageClassName when persistence.storageClass is defined and global.storageClass is defined
    template: templates/gitea/pvc.yaml
    set:
      global.storageClass: "default-storage-class"
      persistence.storageClass: "my-storage-class"
    asserts:
      - equal:
          path: spec.storageClassName
          value: "my-storage-class"
--- a/unittests/helm/deployment/svc-configuration.yaml
+++ b/unittests/helm/deployment/svc-configuration.yaml
@ -1,118 +0,0 @@
 suite: ssh-svc / http-svc template (Services configuration)
 release:
  name: gitea-unittests
  namespace: testing
 templates:
  - templates/gitea/ssh-svc.yaml
  - templates/gitea/http-svc.yaml
 tests:
  - it: supports adding custom labels to ssh-svc
    template: templates/gitea/ssh-svc.yaml
    set:
      service:
        ssh:
          labels:
            gitea/testkey: testvalue
    asserts:
      - equal:
          path: metadata.labels["gitea/testkey"]
          value: "testvalue"
  - it: keeps existing labels (ssh)
    template: templates/gitea/ssh-svc.yaml
    set:
      service:
        ssh:
          labels: {}
    asserts:
      - exists:
          path: metadata.labels["app"]
  - it: supports adding custom labels to http-svc
    template: templates/gitea/http-svc.yaml
    set:
      service:
        http:
          labels:
            gitea/testkey: testvalue
    asserts:
      - equal:
          path: metadata.labels["gitea/testkey"]
          value: "testvalue"
  - it: keeps existing labels (http)
    template: templates/gitea/http-svc.yaml
    set:
      service:
        http:
          labels: {}
    asserts:
      - exists:
          path: metadata.labels["app"]
  - it: render service.ssh.loadBalancerClass if set and type is LoadBalancer
    template: templates/gitea/ssh-svc.yaml
    set:
      service:
        ssh:
          loadBalancerClass: "example.com/class"
          type: LoadBalancer
          loadBalancerIP: "1.2.3.4"
          loadBalancerSourceRanges:
            - "1.2.3.4/32"
            - "5.6.7.8/32"
    asserts:
      - equal:
          path: spec.loadBalancerClass
          value: "example.com/class"
      - equal:
          path: spec.loadBalancerIP
          value: "1.2.3.4"
      - equal:
          path: spec.loadBalancerSourceRanges
          value: ["1.2.3.4/32", "5.6.7.8/32"]
  - it: does not render when loadbalancer properties are set but type is not loadBalancerClass
    template: templates/gitea/http-svc.yaml
    set:
      service:
        http:
          type: ClusterIP
          loadBalancerClass: "example.com/class"
          loadBalancerIP: "1.2.3.4"
          loadBalancerSourceRanges:
            - "1.2.3.4/32"
            - "5.6.7.8/32"
    asserts:
      - notExists:
          path: spec.loadBalancerClass
      - notExists:
          path: spec.loadBalancerIP
      - notExists:
          path: spec.loadBalancerSourceRanges
  - it: does not render loadBalancerClass by default even when type is LoadBalancer
    template: templates/gitea/http-svc.yaml
    set:
      service:
        http:
          type: LoadBalancer
          loadBalancerIP: "1.2.3.4"
    asserts:
      - notExists:
          path: spec.loadBalancerClass
      - equal:
          path: spec.loadBalancerIP
          value: "1.2.3.4"
  - it: both ssh and http services exist
    templates:
      - templates/gitea/ssh-svc.yaml
      - templates/gitea/http-svc.yaml
    asserts:
      - matchRegex:
          path: metadata.name
          pattern: "^gitea-unittests-(?:ssh|http)$"
      - matchRegex:
          path: spec.ports[0].name
          pattern: "^(?:ssh|http)$"
--- a/unittests/helm/gpg-secret/signing-disabled.yaml
+++ b/unittests/helm/gpg-secret/signing-disabled.yaml
@ -1,13 +0,0 @@
 suite: GPG secret template (signing disabled)
 release:
  name: gitea-unittests
  namespace: testing
 templates:
  - templates/gitea/gpg-secret.yaml
 tests:
  - it: renders nothing
    set:
      signing.enabled: false
    asserts:
      - hasDocuments:
          count: 0
--- a/unittests/helm/gpg-secret/signing-enabled.yaml
+++ b/unittests/helm/gpg-secret/signing-enabled.yaml
@ -1,40 +0,0 @@
 suite: GPG secret template (signing enabled)
 release:
  name: gitea-unittests
  namespace: testing
 templates:
  - templates/gitea/gpg-secret.yaml
 tests:
  - it: fails rendering when nothing is configured
    set:
      signing:
        enabled: true
    asserts:
      - failedTemplate:
          errorMessage: Either specify `signing.privateKey` or `signing.existingSecret`
  - it: skips rendering using external secret reference
    set:
      signing:
        enabled: true
        existingSecret: "external-secret-reference"
    asserts:
      - hasDocuments:
          count: 0
  - it: renders secret specification using inline gpg key
    set:
      signing:
        enabled: true
        privateKey: "gpg-key-placeholder"
    asserts:
      - hasDocuments:
          count: 1
      - documentIndex: 0
        containsDocument:
          kind: Secret
          apiVersion: v1
          name: gitea-unittests-gpg-key
      - isNotNullOrEmpty:
          path: metadata.labels
      - equal:
          path: data.privateKey
          value: "Z3BnLWtleS1wbGFjZWhvbGRlcg=="
--- a/unittests/helm/ingress/basic.yaml
+++ b/unittests/helm/ingress/basic.yaml
@ -1,93 +0,0 @@
 suite: Test ingress.yaml
 templates:
  - templates/gitea/ingress.yaml
 tests:
  - it: should enable ingress when ingress.enabled is true
    set:
      ingress.enabled: true
      ingress.apiVersion: networking.k8s.io/v1
      ingress.annotations:
        kubernetes.io/ingress.class: nginx
      ingress.className: nginx
      ingress.tls:
        - hosts:
            - example.com
          secretName: tls-secret
      ingress.hosts:
        - host: example.com
          paths: ["/"]
    asserts:
      - hasDocuments:
          count: 1
      - isKind:
          of: Ingress
      - equal:
          path: metadata.name
          value: RELEASE-NAME-gitea
      - matchRegex:
          path: apiVersion
          pattern: networking.k8s.io/v1
      - equal:
          path: spec.ingressClassName
          value: nginx
      - equal:
          path: spec.rules[0].host
          value: "example.com"
      - equal:
          path: spec.tls[0].hosts[0]
          value: "example.com"
      - equal:
          path: spec.tls[0].secretName
          value: tls-secret
      - equal:
          path: metadata.annotations["kubernetes.io/ingress.class"]
          value: nginx
  - it: should not create ingress when ingress.enabled is false
    set:
      ingress.enabled: false
    asserts:
      - hasDocuments:
          count: 0
  - it: Ingress Class using TPL
    set:
      global.ingress.className: "ingress-class"
      ingress.className: "{{ .Values.global.ingress.className }}"
      ingress.enabled: true
      ingress.hosts[0].host: "some-host"
      ingress.tls:
        - secretName: gitea-tls
          hosts:
            - "some-host"
    asserts:
      - isKind:
          of: Ingress
      - equal:
          path: spec.tls[0].hosts[0]
          value: "some-host"
      - equal:
          path: spec.rules[0].host
          value: "some-host"
      - equal:
          path: spec.ingressClassName
          value: "ingress-class"
  - it: hostname using TPL
    set:
      global.giteaHostName: "gitea.example.com"
      ingress.enabled: true
      ingress.hosts[0].host: "{{ .Values.global.giteaHostName }}"
      ingress.tls:
        - secretName: gitea-tls
          hosts:
            - "{{ .Values.global.giteaHostName }}"
    asserts:
      - isKind:
          of: Ingress
      - equal:
          path: spec.tls[0].hosts[0]
          value: "gitea.example.com"
      - equal:
          path: spec.rules[0].host
          value: "gitea.example.com"
--- a/unittests/helm/ingress/implicit-defaults.yaml
+++ b/unittests/helm/ingress/implicit-defaults.yaml
@ -1,23 +0,0 @@
 suite: Test ingress with implicit path defaults
 templates:
  - templates/gitea/ingress.yaml
 tests:
  - it: should use default path and pathType when no paths are specified
    set:
      ingress.enabled: true
      ingress.hosts:
        - host: git.example.com
    asserts:
      - hasDocuments:
          count: 1
      - isKind:
          of: Ingress
      - equal:
          path: spec.rules[0].host
          value: "git.example.com"
      - equal:
          path: spec.rules[0].http.paths[0].path
          value: "/"
      - equal:
          path: spec.rules[0].http.paths[0].pathType
          value: "Prefix"
--- a/unittests/helm/ingress/ingress.tpl.yaml
+++ b/unittests/helm/ingress/ingress.tpl.yaml
@ -1,45 +0,0 @@
 suite: Test ingress tpl use
 templates:
  - templates/gitea/ingress.yaml
 tests:
  - it: Ingress Class using TPL
    set:
      global.ingress.className: "ingress-class"
      ingress.className: "{{ .Values.global.ingress.className }}"
      ingress.enabled: true
      ingress.hosts[0].host: "some-host"
      ingress.tls:
        - secretName: gitea-tls
          hosts:
            - "some-host"
    asserts:
      - isKind:
          of: Ingress
      - equal:
          path: spec.tls[0].hosts[0]
          value: "some-host"
      - equal:
          path: spec.rules[0].host
          value: "some-host"
      - equal:
          path: spec.ingressClassName
          value: "ingress-class"
  - it: hostname using TPL
    set:
      global.giteaHostName: "gitea.example.com"
      ingress.enabled: true
      ingress.hosts[0].host: "{{ .Values.global.giteaHostName }}"
      ingress.tls:
        - secretName: gitea-tls
          hosts:
            - "{{ .Values.global.giteaHostName }}"
    asserts:
      - isKind:
          of: Ingress
      - equal:
          path: spec.tls[0].hosts[0]
          value: "gitea.example.com"
      - equal:
          path: spec.rules[0].host
          value: "gitea.example.com"
--- a/unittests/helm/ingress/structured-paths.yaml
+++ b/unittests/helm/ingress/structured-paths.yaml
@ -1,26 +0,0 @@
 suite: Test ingress with structured paths
 templates:
  - templates/gitea/ingress.yaml
 tests:
  - it: should work with structured path definitions
    set:
      ingress.enabled: true
      ingress.hosts:
        - host: git.devxy.io
          paths:
            - path: /
              pathType: Prefix
    asserts:
      - hasDocuments:
          count: 1
      - isKind:
          of: Ingress
      - equal:
          path: spec.rules[0].host
          value: "git.devxy.io"
      - equal:
          path: spec.rules[0].http.paths[0].path
          value: "/"
      - equal:
          path: spec.rules[0].http.paths[0].pathType
          value: "Prefix"
--- a/unittests/helm/init/basic.yaml
+++ b/unittests/helm/init/basic.yaml
@ -1,15 +0,0 @@
 suite: Init template (basic)
 release:
  name: gitea-unittests
  namespace: testing
 templates:
  - templates/gitea/init.yaml
 tests:
  - it: renders a secret
    asserts:
      - hasDocuments:
          count: 1
      - containsDocument:
          kind: Secret
          apiVersion: v1
          name: gitea-unittests-init
--- a/unittests/helm/init/init_directory_structure.sh-rootless.yaml
+++ b/unittests/helm/init/init_directory_structure.sh-rootless.yaml
@ -1,82 +0,0 @@
 suite: Init template
 release:
  name: gitea-unittests
  namespace: testing
 templates:
  - templates/gitea/init.yaml
 tests:
  - it: runs gpg in batch mode
    set:
      signing.enabled: true
      signing.privateKey: |-
        -----BEGIN PGP PRIVATE KEY BLOCK-----
        {placeholder}
        -----END PGP PRIVATE KEY BLOCK-----
    asserts:
      - equal:
          path: stringData["configure_gpg_environment.sh"]
          value: |
            #!/usr/bin/env bash
            set -eu
            gpg --batch --import "$TMP_RAW_GPG_KEY"
  - it: skips gpg script block for disabled signing
    asserts:
      - equal:
          path: stringData["init_directory_structure.sh"]
          value: |-
            #!/usr/bin/env bash
            set -euo pipefail
            mkdir -pv /data/git/.ssh
            chmod -Rv 700 /data/git/.ssh
            [ ! -d /data/gitea/conf ] && mkdir -pv /data/gitea/conf
            # prepare temp directory structure
            mkdir -pv "${GITEA_TEMP}"
            chmod -v ug+rwx "${GITEA_TEMP}"
  - it: adds gpg script block for enabled signing
    set:
      signing.enabled: true
      signing.privateKey: |-
        -----BEGIN PGP PRIVATE KEY BLOCK-----
        {placeholder}
        -----END PGP PRIVATE KEY BLOCK-----
    asserts:
      - equal:
          path: stringData["init_directory_structure.sh"]
          value: |-
            #!/usr/bin/env bash
            set -euo pipefail
            mkdir -pv /data/git/.ssh
            chmod -Rv 700 /data/git/.ssh
            [ ! -d /data/gitea/conf ] && mkdir -pv /data/gitea/conf
            # prepare temp directory structure
            mkdir -pv "${GITEA_TEMP}"
            chmod -v ug+rwx "${GITEA_TEMP}"
            if [ ! -d "${GNUPGHOME}" ]; then
              mkdir -pv "${GNUPGHOME}"
              chmod -v 700 "${GNUPGHOME}"
              chown -v 1000:1000 "${GNUPGHOME}"
            fi
  - it: it does not chown /data even when image.fullOverride is set
    template: templates/gitea/init.yaml
    set:
      image.fullOverride: docker.gitea.com/gitea:1.20.5
    asserts:
      - equal:
          path: stringData["init_directory_structure.sh"]
          value: |-
            #!/usr/bin/env bash
            set -euo pipefail
            mkdir -pv /data/git/.ssh
            chmod -Rv 700 /data/git/.ssh
            [ ! -d /data/gitea/conf ] && mkdir -pv /data/gitea/conf
            # prepare temp directory structure
            mkdir -pv "${GITEA_TEMP}"
            chmod -v ug+rwx "${GITEA_TEMP}"
--- a/unittests/helm/init/init_directory_structure.sh.yaml
+++ b/unittests/helm/init/init_directory_structure.sh.yaml
@ -1,72 +0,0 @@
 suite: Init template
 release:
  name: gitea-unittests
  namespace: testing
 templates:
  - templates/gitea/init.yaml
 tests:
  - it: runs gpg in batch mode
    set:
      image.rootless: false
      signing.enabled: true
      signing.privateKey: |-
        -----BEGIN PGP PRIVATE KEY BLOCK-----
        {placeholder}
        -----END PGP PRIVATE KEY BLOCK-----
    asserts:
      - equal:
          path: stringData["configure_gpg_environment.sh"]
          value: |
            #!/usr/bin/env bash
            set -eu
            gpg --batch --import "$TMP_RAW_GPG_KEY"
  - it: skips gpg script block for disabled signing
    set:
      image.rootless: false
    asserts:
      - equal:
          path: stringData["init_directory_structure.sh"]
          value: |-
            #!/usr/bin/env bash
            set -euo pipefail
            chown -v 1000:1000 /data
            mkdir -pv /data/git/.ssh
            chmod -Rv 700 /data/git/.ssh
            [ ! -d /data/gitea/conf ] && mkdir -pv /data/gitea/conf
            # prepare temp directory structure
            mkdir -pv "${GITEA_TEMP}"
            chown -v 1000:1000 "${GITEA_TEMP}"
            chmod -v ug+rwx "${GITEA_TEMP}"
  - it: adds gpg script block for enabled signing
    set:
      image.rootless: false
      signing.enabled: true
      signing.privateKey: |-
        -----BEGIN PGP PRIVATE KEY BLOCK-----
        {placeholder}
        -----END PGP PRIVATE KEY BLOCK-----
    asserts:
      - equal:
          path: stringData["init_directory_structure.sh"]
          value: |-
            #!/usr/bin/env bash
            set -euo pipefail
            chown -v 1000:1000 /data
            mkdir -pv /data/git/.ssh
            chmod -Rv 700 /data/git/.ssh
            [ ! -d /data/gitea/conf ] && mkdir -pv /data/gitea/conf
            # prepare temp directory structure
            mkdir -pv "${GITEA_TEMP}"
            chown -v 1000:1000 "${GITEA_TEMP}"
            chmod -v ug+rwx "${GITEA_TEMP}"
            if [ ! -d "${GNUPGHOME}" ]; then
              mkdir -pv "${GNUPGHOME}"
              chmod -v 700 "${GNUPGHOME}"
              chown -v 1000:1000 "${GNUPGHOME}"
            fi
--- a/unittests/helm/metric-secret/metrics-secret-servicemonitor-disabled.yaml
+++ b/unittests/helm/metric-secret/metrics-secret-servicemonitor-disabled.yaml
@ -1,23 +0,0 @@
 suite: Metrics secret template (monitoring disabled)
 release:
  name: gitea-unittests
  namespace: testing
 templates:
  - templates/gitea/metrics-secret.yaml
 tests:
  - it: renders nothing if monitoring disabled and gitea.metrics.token empty
    set:
      gitea.metrics.enabled: false
      gitea.metrics.serviceMonitor.enabled: false
      gitea.metrics.token: ""
    asserts:
      - hasDocuments:
          count: 0
  - it: renders nothing if monitoring disabled and gitea.metrics.token not empty
    set:
      gitea.metrics.enabled: false
      gitea.metrics.serviceMonitor.enabled: false
      gitea.metrics.token: "test-token"
    asserts:
      - hasDocuments:
          count: 0
--- a/unittests/helm/metric-secret/metrics-secret-servicemonitor-enabled.yaml
+++ b/unittests/helm/metric-secret/metrics-secret-servicemonitor-enabled.yaml
@ -1,33 +0,0 @@
 suite: Metrics secret template (monitoring enabled)
 release:
  name: gitea-unittests
  namespace: testing
 templates:
  - templates/gitea/metrics-secret.yaml
 tests:
  - it: renders nothing if monitoring enabled and gitea.metrics.token empty
    set:
      gitea.metrics.enabled: true
      gitea.metrics.serviceMonitor.enabled: true
      gitea.metrics.token: ""
    asserts:
      - hasDocuments:
          count: 0
  - it: renders Secret if monitoring enabled and gitea.metrics.token not empty
    set:
      gitea.metrics.enabled: true
      gitea.metrics.serviceMonitor.enabled: true
      gitea.metrics.token: "test-token"
    asserts:
      - hasDocuments:
          count: 1
      - documentIndex: 0
        containsDocument:
          kind: Secret
          apiVersion: v1
          name: gitea-unittests-metrics-secret
      - isNotNullOrEmpty:
          path: metadata.labels
      - equal:
          path: data.token
          value: "dGVzdC10b2tlbg=="
--- a/unittests/helm/pvc/pvc-configuration.yaml
+++ b/unittests/helm/pvc/pvc-configuration.yaml
@ -1,19 +0,0 @@
 suite: PVC template
 release:
  name: gitea-unittests
  namespace: testing
 templates:
  - templates/gitea/pvc.yaml
 tests:
  - it: Storage Class using TPL
    set:
      global.persistence.storageClass: "storage-class"
      persistence.enabled: true
      persistence.create: true
      persistence.storageClass: "{{ .Values.global.persistence.storageClass }}"
    asserts:
      - isKind:
          of: PersistentVolumeClaim
      - equal:
          path: spec.storageClassName
          value: "storage-class"
--- a/unittests/helm/serviceaccount/basic.yaml
+++ b/unittests/helm/serviceaccount/basic.yaml
@ -1,82 +0,0 @@
 suite: ServiceAccount template (basic)
 release:
  name: gitea-unittests
  namespace: testing
 templates:
  - templates/gitea/serviceaccount.yaml
 tests:
  - it: skips rendering by default
    asserts:
      - hasDocuments:
          count: 0
  - it: renders default ServiceAccount object with serviceAccount.create=true
    set:
      serviceAccount.create: true
    asserts:
      - hasDocuments:
          count: 1
      - containsDocument:
          kind: ServiceAccount
          apiVersion: v1
          name: gitea-unittests
      - equal:
          path: automountServiceAccountToken
          value: false
      - notExists:
          path: imagePullSecrets
      - notExists:
          path: metadata.annotations
  - it: allows for adding custom labels
    set:
      serviceAccount:
        create: true
        labels:
          custom: label
    asserts:
      - equal:
          path: metadata.labels.custom
          value: label
  - it: allows for adding custom annotations
    set:
      serviceAccount:
        create: true
        annotations:
          myCustom: annotation
    asserts:
      - equal:
          path: metadata.annotations.myCustom
          value: annotation
  - it: allows to override the generated name
    set:
      serviceAccount:
        create: true
        name: provided-serviceaccount-name
    asserts:
      - equal:
          path: metadata.name
          value: provided-serviceaccount-name
  - it: allows to mount the token
    set:
      serviceAccount:
        create: true
        automountServiceAccountToken: true
    asserts:
      - equal:
          path: automountServiceAccountToken
          value: true
  - it: allows to reference image pull secrets
    set:
      serviceAccount:
        create: true
        imagePullSecrets:
          - name: testing-image-pull-secret
          - name: another-pull-secret
    asserts:
      - contains:
          path: imagePullSecrets
          content:
            name: testing-image-pull-secret
      - contains:
          path: imagePullSecrets
          content:
            name: another-pull-secret
--- a/unittests/helm/serviceaccount/reference.yaml
+++ b/unittests/helm/serviceaccount/reference.yaml
@ -1,32 +0,0 @@
 suite: ServiceAccount template (reference)
 release:
  name: gitea-unittests
  namespace: testing
 templates:
  - templates/gitea/serviceaccount.yaml
  - templates/gitea/deployment.yaml
  - templates/gitea/config.yaml
 tests:
  - it: does not modify the deployment by default
    template: templates/gitea/deployment.yaml
    asserts:
      - notExists:
          path: spec.serviceAccountName
  - it: adds the reference to the deployment with serviceAccount.create=true
    template: templates/gitea/deployment.yaml
    set:
      serviceAccount.create: true
    asserts:
      - equal:
          path: spec.template.spec.serviceAccountName
          value: gitea-unittests
  - it: allows referencing an externally created ServiceAccount to the deployment
    template: templates/gitea/deployment.yaml
    set:
      serviceAccount:
        create: false # explicitly set to define rendering behavior
        name: "externally-existing-serviceaccount"
    asserts:
      - equal:
          path: spec.template.spec.serviceAccountName
          value: externally-existing-serviceaccount
--- a/unittests/helm/servicemonitor/basic.yaml
+++ b/unittests/helm/servicemonitor/basic.yaml
@ -1,89 +0,0 @@
 suite: ServiceMonitor template (basic)
 release:
  name: gitea-unittests
  namespace: testing
 templates:
  - templates/gitea/servicemonitor.yaml
 tests:
  - it: skips rendering by default
    asserts:
      - hasDocuments:
          count: 0
  - it: renders default ServiceMonitor object with gitea.metrics.enabled=true
    set:
      gitea.metrics.enabled: true
    asserts:
      - hasDocuments:
          count: 0
  - it: renders default ServiceMonitor object with gitea.metrics.serviceMonitor.enabled=true
    set:
      gitea.metrics.serviceMonitor.enabled: true
    asserts:
      - hasDocuments:
          count: 0
  - it: renders defaults
    set:
      gitea.metrics.enabled: true
      gitea.metrics.serviceMonitor.enabled: true
    asserts:
      - hasDocuments:
          count: 1
      - containsDocument:
          kind: ServiceMonitor
          apiVersion: monitoring.coreos.com/v1
          name: gitea-unittests
      - notExists:
          path: metadata.annotations
      - notExists:
          path: spec.endpoints[0].interval
      - equal:
          path: spec.endpoints[0].port
          value: http
      - notExists:
          path: spec.endpoints[0].scheme
      - notExists:
          path: spec.endpoints[0].scrapeTimeout
      - notExists:
          path: spec.endpoints[0].tlsConfig
  - it: renders custom scrape interval
    set:
      gitea.metrics.enabled: true
      gitea.metrics.serviceMonitor.enabled: true
      gitea.metrics.serviceMonitor.interval: 30s
      gitea.metrics.serviceMonitor.scrapeTimeout: 5s
    asserts:
      - equal:
          path: spec.endpoints[0].interval
          value: 30s
      - equal:
          path: spec.endpoints[0].scrapeTimeout
          value: 5s
  - it: renders custom tls config
    set:
      gitea.metrics.enabled: true
      gitea.metrics.serviceMonitor.enabled: true
      gitea.metrics.serviceMonitor.scheme: https
      gitea.metrics.serviceMonitor.tlsConfig.caFile: /etc/prometheus/tls/ca.crt
      gitea.metrics.serviceMonitor.tlsConfig.certFile: /etc/prometheus/tls/tls.crt
      gitea.metrics.serviceMonitor.tlsConfig.keyFile: /etc/prometheus/tls/tls.key
      gitea.metrics.serviceMonitor.tlsConfig.insecureSkipVerify: false
      gitea.metrics.serviceMonitor.tlsConfig.serverName: gitea-unittest
    asserts:
      - equal:
          path: spec.endpoints[0].scheme
          value: https
      - equal:
          path: spec.endpoints[0].tlsConfig.caFile
          value: /etc/prometheus/tls/ca.crt
      - equal:
          path: spec.endpoints[0].tlsConfig.certFile
          value: /etc/prometheus/tls/tls.crt
      - equal:
          path: spec.endpoints[0].tlsConfig.keyFile
          value: /etc/prometheus/tls/tls.key
      - equal:
          path: spec.endpoints[0].tlsConfig.insecureSkipVerify
          value: false
      - equal:
          path: spec.endpoints[0].tlsConfig.serverName
          value: gitea-unittest
--- a/unittests/helm/servicemonitor/servicemonitor-disabled.yaml
+++ b/unittests/helm/servicemonitor/servicemonitor-disabled.yaml
@ -1,23 +0,0 @@
 suite: ServiceMonitor template (monitoring disabled)
 release:
  name: gitea-unittests
  namespace: testing
 templates:
  - templates/gitea/servicemonitor.yaml
 tests:
  - it: renders nothing if gitea.metrics.serviceMonitor disabled and gitea.metrics.token empty
    set:
      gitea.metrics.enabled: false
      gitea.metrics.token: ""
      gitea.metrics.serviceMonitor.enabled: false
    asserts:
      - hasDocuments:
          count: 0
  - it: renders nothing if gitea.metrics.serviceMonitor disabled and gitea.metrics.token not empty
    set:
      gitea.metrics.enabled: false
      gitea.metrics.token: "test-token"
      gitea.metrics.serviceMonitor.enabled: false
    asserts:
      - hasDocuments:
          count: 0
--- a/unittests/helm/servicemonitor/servicemonitor-enabled.yaml
+++ b/unittests/helm/servicemonitor/servicemonitor-enabled.yaml
@ -1,70 +0,0 @@
 suite: ServiceMonitor template (monitoring enabled)
 release:
  name: gitea-unittests
  namespace: testing
 templates:
  - templates/gitea/servicemonitor.yaml
 tests:
  - it: renders unsecure ServiceMonitor if gitea.metrics.token nil
    set:
      gitea.metrics.enabled: true
      gitea.metrics.token:
      gitea.metrics.serviceMonitor.enabled: true
    asserts:
      - hasDocuments:
          count: 1
      - documentIndex: 0
        containsDocument:
          kind: ServiceMonitor
          apiVersion: monitoring.coreos.com/v1
          name: gitea-unittests
      - isNotNullOrEmpty:
          path: metadata.labels
      - equal:
          path: spec.endpoints
          value:
            - port: http
  - it: renders unsecure ServiceMonitor if gitea.metrics.token empty
    set:
      gitea.metrics.enabled: true
      gitea.metrics.token: ""
      gitea.metrics.serviceMonitor.enabled: true
    asserts:
      - hasDocuments:
          count: 1
      - documentIndex: 0
        containsDocument:
          kind: ServiceMonitor
          apiVersion: monitoring.coreos.com/v1
          name: gitea-unittests
      - isNotNullOrEmpty:
          path: metadata.labels
      - equal:
          path: spec.endpoints
          value:
            - port: http
  - it: renders secure ServiceMonitor if gitea.metrics.token not empty
    set:
      gitea.metrics.enabled: true
      gitea.metrics.token: "test-token"
      gitea.metrics.serviceMonitor.enabled: true
    asserts:
      - hasDocuments:
          count: 1
      - documentIndex: 0
        containsDocument:
          kind: ServiceMonitor
          apiVersion: monitoring.coreos.com/v1
          name: gitea-unittests
      - isNotNullOrEmpty:
          path: metadata.labels
      - equal:
          path: spec.endpoints
          value:
            - port: http
              authorization:
                type: Bearer
                credentials:
                  name: gitea-unittests-metrics-secret
                  key: token
                  optional: false
--- a/unittests/helm/values-conflicting-checks.yaml
+++ b/unittests/helm/values-conflicting-checks.yaml
@ -1,14 +0,0 @@
 suite: Values conflicting checks
 release:
  name: gitea-unittests
  namespace: testing
 tests:
  - it: fails when trying to configure valkey and valkey-cluster the same time
    set:
      valkey-cluster:
        enabled: true
      valkey:
        enabled: true
    asserts:
      - failedTemplate:
          errorMessage: valkey and valkey-cluster cannot be enabled at the same time. Please only choose one.
--- a/values.yaml
+++ b/values.yaml
@ -6,7 +6,6 @@
 ## @param global.imageRegistry global image registry override
 ## @param global.imagePullSecrets global image pull secrets override; can be extended by `imagePullSecrets`
 ## @param global.storageClass global storage class override
 ## @param global.hostAliases global hostAliases which will be added to the pod's hosts files
 global:
  imageRegistry: ""
  ## E.g.
@ -15,27 +14,10 @@ global:
  ##
  imagePullSecrets: []
  storageClass: ""
  hostAliases: []
  # - ip: 192.168.137.2
  #   hostnames:
  #   - example.com
-## @param namespace An explicit namespace to deploy gitea into. Defaults to the release namespace if not specified
+## @param replicaCount number of replicas for the statefulset
 namespace: ""
 ## @param replicaCount number of replicas for the deployment
 replicaCount: 1
 ## @section strategy
 ## @param strategy.type strategy type
 ## @param strategy.rollingUpdate.maxSurge maxSurge
 ## @param strategy.rollingUpdate.maxUnavailable maxUnavailable
 strategy:
  type: "RollingUpdate"
  rollingUpdate:
    maxSurge: "100%"
    maxUnavailable: 0
 ## @param clusterDomain cluster domain
 clusterDomain: cluster.local
@ -43,19 +25,15 @@ clusterDomain: cluster.local
 ## @param image.registry image registry, e.g. gcr.io,docker.io
 ## @param image.repository Image to start for this pod
 ## @param image.tag Visit: [Image tag](https://hub.docker.com/r/gitea/gitea/tags?page=1&ordering=last_updated). Defaults to `appVersion` within Chart.yaml.
 ## @param image.digest Image digest. Allows to pin the given image tag. Useful for having control over mutable tags like `latest`
 ## @param image.pullPolicy Image pull policy
 ## @param image.rootless Wether or not to pull the rootless version of Gitea, only works on Gitea 1.14.x or higher
 ## @param image.fullOverride Completely overrides the image registry, path/image, tag and digest. **Adjust `image.rootless` accordingly and review [Rootless defaults](#rootless-defaults).**
 image:
-  registry: "docker.gitea.com"
+  registry: ""
-  repository: gitea
+  repository: gitea/gitea
  # Overrides the image tag whose default is the chart appVersion.
  tag: ""
-  digest: ""
+  pullPolicy: Always
-  pullPolicy: IfNotPresent
+  rootless: false # only possible when running 1.14 or later
  rootless: true
  fullOverride: ""
 ## @param imagePullSecrets Secret to use for pulling the image
 imagePullSecrets: []
@ -76,7 +54,7 @@ containerSecurityContext: {}
 #   # run pods on nodes that use the container runtime cri-o. Otherwise, you will
 #   # get an error message from the SSH server that it is not possible to read from
 #   # the repository.
-#   # https://gitea.com/gitea/helm-gitea/issues/161
+#   # https://gitea.com/gitea/helm-chart/issues/161
 #     add:
 #       - SYS_CHROOT
 #   privileged: false
@ -85,22 +63,17 @@ containerSecurityContext: {}
 #   runAsNonRoot: true
 #   runAsUser: 1000
-## @deprecated The securityContext variable has been split two:
+## @depracated The securityContext variable has been split two:
 ## - containerSecurityContext
 ## - podSecurityContext.
 ## @param securityContext Run init and Gitea containers as a specific securityContext
 securityContext: {}
 ## @param podDisruptionBudget Pod disruption budget
 podDisruptionBudget: {}
 #  maxUnavailable: 1
 #  minAvailable: 1
 ## @section Service
 service:
  ## @param service.http.type Kubernetes service type for web traffic
  ## @param service.http.port Port number for web traffic
-  ## @param service.http.clusterIP ClusterIP setting for http autosetup for deployment is None
+  ## @param service.http.clusterIP ClusterIP setting for http autosetup for statefulset is None
  ## @param service.http.loadBalancerIP LoadBalancer IP setting
  ## @param service.http.nodePort NodePort for http service
  ## @param service.http.externalTrafficPolicy If `service.http.type` is `NodePort` or `LoadBalancer`, set this to `Local` to enable source IP preservation
@ -109,8 +82,6 @@ service:
  ## @param service.http.ipFamilies HTTP service dual-stack familiy selection,for dual-stack parameters see official kubernetes [dual-stack concept documentation](https://kubernetes.io/docs/concepts/services-networking/dual-stack/).
  ## @param service.http.loadBalancerSourceRanges Source range filter for http loadbalancer
  ## @param service.http.annotations HTTP service annotations
  ## @param service.http.labels HTTP service additional labels
  ## @param service.http.loadBalancerClass Loadbalancer class
  http:
    type: ClusterIP
    port: 3000
@ -123,11 +94,9 @@ service:
    ipFamilies:
    loadBalancerSourceRanges: []
    annotations: {}
    labels: {}
    loadBalancerClass:
  ## @param service.ssh.type Kubernetes service type for ssh traffic
  ## @param service.ssh.port Port number for ssh traffic
-  ## @param service.ssh.clusterIP ClusterIP setting for ssh autosetup for deployment is None
+  ## @param service.ssh.clusterIP ClusterIP setting for ssh autosetup for statefulset is None
  ## @param service.ssh.loadBalancerIP LoadBalancer IP setting
  ## @param service.ssh.nodePort NodePort for ssh service
  ## @param service.ssh.externalTrafficPolicy If `service.ssh.type` is `NodePort` or `LoadBalancer`, set this to `Local` to enable source IP preservation
@ -137,8 +106,6 @@ service:
  ## @param service.ssh.hostPort HostPort for ssh service
  ## @param service.ssh.loadBalancerSourceRanges Source range filter for ssh loadbalancer
  ## @param service.ssh.annotations SSH service annotations
  ## @param service.ssh.labels SSH service additional labels
  ## @param service.ssh.loadBalancerClass Loadbalancer class
  ssh:
    type: ClusterIP
    port: 22
@ -152,36 +119,41 @@ service:
    hostPort:
    loadBalancerSourceRanges: []
    annotations: {}
-    labels: {}
+
    loadBalancerClass:
 ## @section Ingress
 ## @param ingress.enabled Enable ingress
-## @param ingress.className DEPRECATED: Ingress class name.
+## @param ingress.className Ingress class name
 ## @param ingress.pathType Ingress Path Type
 ## @param ingress.annotations Ingress annotations
 ## @param ingress.hosts[0].host Default Ingress host
 ## @param ingress.hosts[0].paths[0].path Default Ingress path
 ## @param ingress.hosts[0].paths[0].pathType Ingress path type
 ## @param ingress.tls Ingress tls settings
 ## @extra ingress.apiVersion Specify APIVersion of ingress object. Mostly would only be used for argocd.
 ingress:
  enabled: false
-  className: ""
+  # className: nginx
-  pathType: Prefix
+  className:
  annotations: {}
    # kubernetes.io/ingress.class: nginx
    # kubernetes.io/tls-acme: "true"
  hosts:
    - host: git.example.com
      paths:
        - path: /
          pathType: Prefix
  tls: []
  #  - secretName: chart-example-tls
  #    hosts:
  #      - git.example.com
  # Mostly for argocd or any other CI that uses `helm template | kubectl apply` or similar
  # If helm doesn't correctly detect your ingress API version you can set it here.
  # apiVersion: networking.k8s.io/v1
-## @section deployment
+## @section StatefulSet
 #
 ## @param resources Kubernetes resources
-resources:
+resources: {}
  {}
  # We usually recommend not to specify default resources and to leave this as a conscious
  # choice for the user. This also increases chances charts run on environments with little
  # resources, such as Minikube. If you do want to specify resources, uncomment the following
@ -199,89 +171,52 @@ resources:
 ## @param schedulerName Use an alternate scheduler, e.g. "stork"
 schedulerName: ""
-## @param nodeSelector NodeSelector for the deployment
+## @param nodeSelector NodeSelector for the statefulset
 nodeSelector: {}
-## @param tolerations Tolerations for the deployment
+## @param tolerations Tolerations for the statefulset
 tolerations: []
-## @param affinity Affinity for the deployment
+## @param affinity Affinity for the statefulset
 affinity: {}
-## @param topologySpreadConstraints TopologySpreadConstraints for the deployment
+## @param dnsConfig dnsConfig for the statefulset
 topologySpreadConstraints: []
 ## @param dnsConfig dnsConfig for the deployment
 dnsConfig: {}
-## @param priorityClassName priorityClassName for the deployment
+## @param statefulset.env  Additional environment variables to pass to containers
-priorityClassName: ""
+## @param statefulset.terminationGracePeriodSeconds How long to wait until forcefully kill the pod
-
+## @param statefulset.labels Labels for the statefulset
-## @param deployment.env  Additional environment variables to pass to containers
+## @param statefulset.annotations Annotations for the Gitea StatefulSet to be created
-## @param deployment.terminationGracePeriodSeconds How long to wait until forcefully kill the pod
+statefulset:
-## @param deployment.labels Labels for the deployment
+  env: []
 ## @param deployment.annotations Annotations for the Gitea deployment to be created
 deployment:
  env:
    []
    # - name: VARIABLE
    #   value: my-value
  terminationGracePeriodSeconds: 60
  labels: {}
  annotations: {}
 ## @section ServiceAccount
 ## @param serviceAccount.create Enable the creation of a ServiceAccount
 ## @param serviceAccount.name Name of the created ServiceAccount, defaults to release name. Can also link to an externally provided ServiceAccount that should be used.
 ## @param serviceAccount.automountServiceAccountToken Enable/disable auto mounting of the service account token
 ## @param serviceAccount.imagePullSecrets Image pull secrets, available to the ServiceAccount
 ## @param serviceAccount.annotations Custom annotations for the ServiceAccount
 ## @param serviceAccount.labels Custom labels for the ServiceAccount
 serviceAccount:
  create: false
  name: ""
  automountServiceAccountToken: false
  imagePullSecrets: []
  # - name: private-registry-access
  annotations: {}
  labels: {}
 ## @section Persistence
 #
 ## @param persistence.enabled Enable persistent storage
-## @param persistence.create Whether to create the persistentVolumeClaim for shared storage
+## @param persistence.existingClaim Use an existing claim to store repository information
 ## @param persistence.mount Whether the persistentVolumeClaim should be mounted (even if not created)
 ## @param persistence.claimName Use an existing claim to store repository information
 ## @param persistence.size Size for persistence to store repo information
 ## @param persistence.accessModes AccessMode for persistence
 ## @param persistence.labels Labels for the persistence volume claim to be created
-## @param persistence.annotations.helm.sh/resource-policy Resource policy for the persistence volume claim
+## @param persistence.annotations Annotations for the persistence volume claim to be created
 ## @param persistence.storageClass Name of the storage class to use
 ## @param persistence.subPath Subdirectory of the volume to mount at
 ## @param persistence.volumeName Name of persistent volume in PVC
 persistence:
  enabled: true
-  create: true
+  existingClaim:
  mount: true
  claimName: gitea-shared-storage
  size: 10Gi
  accessModes:
    - ReadWriteOnce
  labels: {}
  annotations: {}
  storageClass:
  subPath:
  volumeName: ""
  annotations:
    helm.sh/resource-policy: keep
-## @param extraContainers Additional sidecar containers to run in the pod
+## @param extraVolumes Additional volumes to mount to the Gitea statefulset
 extraContainers: []
 #  - name: sidecar-bob
 #    image: busybox
 #    command: [/bin/sh, -c, 'echo "Hello world"; sleep 86400']
 ## @param extraVolumes Additional volumes to mount to the Gitea deployment
 extraVolumes: []
 # - name: postgres-ssl-vol
 #   secret:
@ -293,7 +228,7 @@ extraContainerVolumeMounts: []
 ## @param extraInitVolumeMounts Mounts that are only mapped into the init-containers. Can be used for additional preconfiguration.
 extraInitVolumeMounts: []
-## @deprecated The extraVolumeMounts variable has been split two:
+## @depracated The extraVolumeMounts variable has been split two:
 ## - extraContainerVolumeMounts
 ## - extraInitVolumeMounts
 ## As an example, can be used to mount a client cert when connecting to an external Postgres server.
@ -306,8 +241,6 @@ extraVolumeMounts: []
 ## @section Init
 ## @param initPreScript Bash shell script copied verbatim to the start of the init-container.
 initPreScript: ""
 ## @param initContainersScriptsVolumeMountPath Path to mount the scripts consumed from the Secrets
 initContainersScriptsVolumeMountPath: "/usr/sbinx"
 #
 # initPreScript: |
 #   mkdir -p /data/git/.postgresql
@ -315,32 +248,14 @@ initContainersScriptsVolumeMountPath: "/usr/sbinx"
 #   chown -R git:git /data/git/.postgresql/
 #   chmod 400 /data/git/.postgresql/postgresql.key
 ## @param initContainers.resources.limits initContainers.limits Kubernetes resource limits for init containers
 ## @param initContainers.resources.requests.cpu initContainers.requests.cpu Kubernetes cpu resource limits for init containers
 ## @param initContainers.resources.requests.memory initContainers.requests.memory Kubernetes memory resource limits for init containers
 initContainers:
  resources:
    limits: {}
    requests:
      cpu: 100m
      memory: 128Mi
 # Configure commit/action signing prerequisites
 ## @section Signing
 #
 ## @param signing.enabled Enable commit/action signing
 ## @param signing.gpgHome GPG home directory
 ## @param signing.privateKey Inline private gpg key for signed internal Git activity
 ## @param signing.existingSecret Use an existing secret to store the value of `signing.privateKey`
 signing:
  enabled: false
  gpgHome: /data/git/.gnupg
  privateKey: ""
  # privateKey: |-
  #   -----BEGIN PGP PRIVATE KEY BLOCK-----
  #   ...
  #   -----END PGP PRIVATE KEY BLOCK-----
  existingSecret: ""
 ## @section Gitea
 #
@ -349,39 +264,24 @@ gitea:
  ## @param gitea.admin.existingSecret Use an existing secret to store admin user credentials
  ## @param gitea.admin.password Password for the Gitea admin user
  ## @param gitea.admin.email Email for the Gitea admin user
  ## @param gitea.admin.passwordMode Mode for how to set/update the admin user password. Options are: initialOnlyNoReset, initialOnlyRequireReset, and keepUpdated
  admin:
    #existingSecret: gitea-admin-secret
    existingSecret:
    username: gitea_admin
    password: r8sA8CPHD9!bt6d
    email: "gitea@local.domain"
    passwordMode: keepUpdated
  ## @param gitea.metrics.enabled Enable Gitea metrics
-  ## @param gitea.metrics.token used for `bearer` token authentication on metrics endpoint. If not specified or empty metrics endpoint is public.
+  ## @param gitea.metrics.serviceMonitor.enabled Enable Gitea metrics service monitor
  ## @param gitea.metrics.serviceMonitor.enabled Enable Gitea metrics service monitor. Requires, that `gitea.metrics.enabled` is also set to true, to enable metrics generally.
  ## @param gitea.metrics.serviceMonitor.interval Interval at which metrics should be scraped. If not specified Prometheus' global scrape interval is used.
  ## @param gitea.metrics.serviceMonitor.relabelings RelabelConfigs to apply to samples before scraping.
  ## @param gitea.metrics.serviceMonitor.scheme HTTP scheme to use for scraping. For example `http` or `https`. Default is http.
  ## @param gitea.metrics.serviceMonitor.scrapeTimeout Timeout after which the scrape is ended. If not specified, global Prometheus scrape timeout is used.
  ## @param gitea.metrics.serviceMonitor.tlsConfig TLS configuration to use when scraping the metric endpoint by Prometheus.
  metrics:
    enabled: false
    token:
    serviceMonitor:
      enabled: false
      #  additionalLabels:
      #    prometheus-release: prom1
      interval: ""
      relabelings: []
      scheme: ""
      scrapeTimeout: ""
      tlsConfig: {}
  ## @param gitea.ldap LDAP configuration
-  ldap:
+  ldap: []
    []
    # - name: "LDAP 1"
    #  existingSecret:
    #  securityProtocol:
@ -398,8 +298,7 @@ gitea:
  # Either specify inline `key` and `secret` or refer to them via `existingSecret`
  ## @param gitea.oauth OAuth configuration
-  oauth:
+  oauth: []
    []
    # - name: 'OAuth 1'
    #   provider:
    #   key:
@ -412,14 +311,13 @@ gitea:
    #   customProfileUrl:
    #   customEmailUrl:
-  ## @param gitea.config.server.SSH_PORT SSH port for rootlful Gitea image
+  ## @param gitea.config  Configuration for the Gitea server,ref: [config-cheat-sheet](https://docs.gitea.io/en-us/config-cheat-sheet/)
-  ## @param gitea.config.server.SSH_LISTEN_PORT SSH port for rootless Gitea image
+  config: {}
  config:
  #  APP_NAME: "Gitea: Git with a cup of tea"
  #  RUN_MODE: dev
-    server:
+  #
-      SSH_PORT: 22 # rootful image
+  #  server:
-      SSH_LISTEN_PORT: 2222 # rootless image
+  #    SSH_PORT: 22
  #
  #  security:
  #    PASSWORD_COMPLEXITY: spec
@ -437,10 +335,6 @@ gitea:
  ## @param gitea.podAnnotations Annotations for the Gitea pod
  podAnnotations: {}
  ## @param gitea.ssh.logLevel Configure OpenSSH's log level. Only available for root-based Gitea image.
  ssh:
    logLevel: "INFO"
  ## @section LivenessProbe
  #
  ## @param gitea.livenessProbe.enabled Enable liveness probe
@ -501,103 +395,75 @@ gitea:
    successThreshold: 1
    failureThreshold: 10
-## @section valkey-cluster
+## @section Memcached
 ## @param valkey-cluster.enabled Enable valkey cluster
 # ⚠️ The valkey charts do not work well with special characters in the password (<https://gitea.com/gitea/helm-chart/issues/690>).
 # Consider omitting such or open an issue in the Bitnami repo and let us know once this got fixed.
 ## @param valkey-cluster.usePassword Whether to use password authentication
 ## @param valkey-cluster.usePasswordFiles Whether to mount passwords as files instead of environment variables
 ## @param valkey-cluster.cluster.nodes Number of valkey cluster master nodes
 ## @param valkey-cluster.cluster.replicas Number of valkey cluster master node replicas
 ## @param valkey-cluster.service.ports.valkey Port of Valkey service
 ## @descriptionStart
 ## Valkey cluster and [Valkey](#valkey) cannot be enabled at the same time.
 ## @descriptionEnd
 valkey-cluster:
  enabled: true
  usePassword: false
  usePasswordFiles: false
  cluster:
    nodes: 3 # default: 6
    replicas: 0 # default: 1
  service:
    ports:
      valkey: 6379
 ## @section valkey
 ## @param valkey.enabled Enable valkey standalone or replicated
 ## @param valkey.architecture Whether to use standalone or replication
 # ⚠️ The valkey charts do not work well with special characters in the password (<https://gitea.com/gitea/helm-chart/issues/690>).
 # Consider omitting such or open an issue in the Bitnami repo and let us know once this got fixed.
 ## @param valkey.global.valkey.password Required password
 ## @param valkey.master.count Number of Valkey master instances to deploy
 ## @param valkey.master.service.ports.valkey Port of Valkey service
 ## @descriptionStart
 ## Valkey and [Valkey cluster](#valkey-cluster) cannot be enabled at the same time.
 ## @descriptionEnd
 valkey:
  enabled: false
  architecture: standalone
  global:
    valkey:
      password: changeme
  master:
    count: 1
    service:
      ports:
        valkey: 6379
 ## @section PostgreSQL HA
 #
-## @param postgresql-ha.enabled Enable PostgreSQL HA
+## @param memcached.enabled Memcached is loaded as a dependency from [Bitnami](https://github.com/bitnami/charts/tree/master/bitnami/memcached) if enabled in the values. Complete Configuration can be taken from their website.
-## @param postgresql-ha.postgresql.password Password for the `gitea` user (overrides `auth.password`)
+## @param memcached.service.port Port for Memcached
-## @param postgresql-ha.global.postgresql.database Name for a custom database to create (overrides `auth.database`)
+memcached:
 ## @param postgresql-ha.global.postgresql.username Name for a custom user to create (overrides `auth.username`)
 ## @param postgresql-ha.global.postgresql.password Name for a custom password to create (overrides `auth.password`)
 ## @param postgresql-ha.postgresql.repmgrPassword Repmgr Password
 ## @param postgresql-ha.postgresql.postgresPassword postgres Password
 ## @param postgresql-ha.pgpool.adminPassword pgpool adminPassword
 ## @param postgresql-ha.service.ports.postgresql PostgreSQL service port (overrides `service.ports.postgresql`)
 ## @param postgresql-ha.persistence.size PVC Storage Request for PostgreSQL HA volume
 postgresql-ha:
  global:
    postgresql:
      database: gitea
      password: gitea
      username: gitea
  enabled: true
  postgresql:
    repmgrPassword: changeme2
    postgresPassword: changeme1
    password: changeme4
  pgpool:
    adminPassword: changeme3
  service:
-    ports:
+    port: 11211
      postgresql: 5432
  persistence:
    size: 10Gi
 ## @section PostgreSQL
 #
 ## @param postgresql.enabled Enable PostgreSQL
-## @param postgresql.global.postgresql.auth.password Password for the `gitea` user (overrides `auth.password`)
+## @param postgresql.global.postgresql.postgresqlDatabase PostgreSQL database (overrides postgresqlDatabase)
-## @param postgresql.global.postgresql.auth.database Name for a custom database to create (overrides `auth.database`)
+## @param postgresql.global.postgresql.postgresqlUsername PostgreSQL username (overrides postgresqlUsername)
-## @param postgresql.global.postgresql.auth.username Name for a custom user to create (overrides `auth.username`)
+## @param postgresql.global.postgresql.postgresqlPassword PostgreSQL admin password (overrides postgresqlPassword)
-## @param postgresql.global.postgresql.service.ports.postgresql PostgreSQL service port (overrides `service.ports.postgresql`)
+## @param postgresql.global.postgresql.servicePort PostgreSQL port (overrides service.port)
-## @param postgresql.primary.persistence.size PVC Storage Request for PostgreSQL volume
+## @param postgresql.persistence.size PVC Storage Request for PostgreSQL volume
 postgresql:
-  enabled: false
+  enabled: true
  global:
    postgresql:
-      auth:
+      postgresqlDatabase: gitea
      postgresqlUsername: gitea
      postgresqlPassword: gitea
      servicePort: 5432
  persistence:
    size: 10Gi
 ## @section MySQL
 #
 ## @param mysql.enabled Enable MySQL
 ## @param mysql.root.password Password for the root user. Ignored if existing secret is provided
 ## @param mysql.db.user Username of new user to create.
 ## @param mysql.db.password Password for the new user.Ignored if existing secret is provided
 ## @param mysql.db.name Name for new database to create.
 ## @param mysql.service.port Port to connect to MySQL service
 ## @param mysql.persistence.size PVC Storage Request for MySQL volume
 mysql:
  enabled: false
  root:
    password: gitea
  db:
    user: gitea
    password: gitea
    name: gitea
  service:
    port: 3306
  persistence:
    size: 10Gi
 ## @section MariaDB
 #
 ## @param mariadb.enabled Enable MariaDB
 ## @param mariadb.auth.database Name of the database to create.
 ## @param mariadb.auth.username Username of the new user to create.
 ## @param mariadb.auth.password Password for the new user. Ignored if existing secret is provided
 ## @param mariadb.auth.rootPassword Password for the root user.
 ## @param mariadb.primary.service.port Port to connect to MariaDB service
 ## @param mariadb.primary.persistence.size Persistence size for MariaDB
 mariadb:
  enabled: false
  auth:
    database: gitea
    username: gitea
-      service:
+    password: gitea
-        ports:
+    rootPassword: gitea
          postgresql: 5432
  primary:
    service:
      port: 3306
    persistence:
      size: 10Gi
@ -605,16 +471,4 @@ postgresql:
 # Set it to false to skip this basic validation check.
 ## @section Advanced
 ## @param checkDeprecation Set it to false to skip this basic validation check.
 ## @param test.enabled Set it to false to disable test-connection Pod.
 ## @param test.image.name Image name for the wget container used in the test-connection Pod.
 ## @param test.image.tag Image tag for the wget container used in the test-connection Pod.
 checkDeprecation: true
 test:
  enabled: true
  image:
    name: busybox
    tag: latest
 ## @param extraDeploy Array of extra objects to deploy with the release
 ##
 extraDeploy: []
		`@ -1 +0,0 @@`
			`Subproject commit 5ec2d815109358b3ad86f5aabf289d96e6535ac5`
		`@ -1 +0,0 @@`
			`Subproject commit b93143a1bfbde41d9b7343aab0d36f3ef6549e6b`
		`@ -1 +0,0 @@`
			`Subproject commit 93e0128b8787db05a2632c70501cd667dd35d253`
		`@ -1 +0,0 @@`
			`Subproject commit d007fc1f451abbad55204fa9c9eb3e6ed5dc5f61`