Support custom envs for Action DinD container (#722 )

Follow-up to https://gitea.com/gitea/helm-chart/pulls/666. Reviewed-on: https://gitea.com/gitea/helm-chart/pulls/722 Co-authored-by: justusbunsi <sk.bunsenbrenner@gmail.com> Co-committed-by: justusbunsi <sk.bunsenbrenner@gmail.com>
Add Gitea Actions act runner (#666 )
2024-11-10 14:02:15 +00:00 · 2024-11-10 13:35:56 +00:00 · 2024-10-18 15:14:56 +00:00 · 2024-10-18 15:09:14 +00:00 · 2024-10-18 13:50:35 +00:00 · 2024-10-18 13:44:37 +00:00
64 changed files with 2441 additions and 286 deletions
--- a/.gitea/workflows/release-version.yml
+++ b/.gitea/workflows/release-version.yml
@ -7,7 +7,7 @@ on:

 env:
  # renovate: datasource=docker depName=alpine/helm
-  HELM_VERSION: "3.13.2"
+  HELM_VERSION: "3.15.3"

 jobs:
  generate-chart-publish:
@ -19,20 +19,23 @@ jobs:
          apt update -y
          apt install -y curl ca-certificates curl gnupg
          # helm
-          curl https://baltocdn.com/helm/signing.asc | gpg --dearmor | tee /usr/share/keyrings/helm.gpg > /dev/null
-          echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/helm.gpg] https://baltocdn.com/helm/stable/debian/ all main" | tee /etc/apt/sources.list.d/helm-stable-debian.list
+          curl -O https://get.helm.sh/helm-v${{ env.HELM_VERSION }}-linux-amd64.tar.gz
+          tar -xzf helm-v${{ env.HELM_VERSION }}-linux-amd64.tar.gz
+          mv linux-amd64/helm /usr/local/bin/
+          rm -rf linux-amd64 helm-v${{ env.HELM_VERSION }}-linux-amd64.tar.gz
+          helm version
          # docker
          install -m 0755 -d /etc/apt/keyrings
-          curl -fsSL https://download.docker.com/linux/debian/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg
+          curl -fsSL https://download.docker.com/linux/ubuntu/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg
          chmod a+r /etc/apt/keyrings/docker.gpg
-          echo "deb [arch="$(dpkg --print-architecture)" signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian "$(. /etc/os-release && echo "$VERSION_CODENAME")" stable" | tee /etc/apt/sources.list.d/docker.list > /dev/null
+          echo "deb [arch="$(dpkg --print-architecture)" signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu "$(. /etc/os-release && echo "$VERSION_CODENAME")" stable" | tee /etc/apt/sources.list.d/docker.list > /dev/null
          apt update -y
-          apt install -y python helm=${{ env.HELM_VERSION }}-1 python3-pip apt-transport-https docker-ce-cli
+          apt install -y python3 python3-pip apt-transport-https docker-ce-cli
          pip install awscli

      - name: Import GPG key
        id: import_gpg
-        uses: https://github.com/crazy-max/ghaction-import-gpg@v5
+        uses: https://github.com/crazy-max/ghaction-import-gpg@v6
        with:
          gpg_private_key: ${{ secrets.GPGSIGN_KEY }}
          passphrase: ${{ secrets.GPGSIGN_PASSPHRASE }}
@ -46,7 +49,6 @@ jobs:
          helm plugin install https://github.com/pat-s/helm-gpg
          helm dependency build
          helm package --version "${GITHUB_REF#refs/tags/v}" ./
-          helm gpg sign "gitea-${GITHUB_REF#refs/tags/v}.tgz"
          mkdir gitea
          mv gitea*.tgz gitea/
          curl -s -L -o gitea/index.yaml https://dl.gitea.com/charts/index.yaml
@ -57,7 +59,7 @@ jobs:
          helm registry logout registry-1.docker.io

      - name: aws credential configure
-        uses: https://github.com/aws-actions/configure-aws-credentials@v2
+        uses: https://github.com/aws-actions/configure-aws-credentials@v4
        with:
          aws-access-key-id: ${{ secrets.AWS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
--- a/.gitea/workflows/test-pr.yml
+++ b/.gitea/workflows/test-pr.yml
@ -11,12 +11,12 @@ on:

 env:
  # renovate: datasource=github-releases depName=helm-unittest/helm-unittest
-  HELM_UNITTEST_VERSION: "v0.3.6"
+  HELM_UNITTEST_VERSION: "v0.5.2"

 jobs:
  check-and-test:
    runs-on: ubuntu-latest
-    container: alpine/helm:3.13.2
+    container: alpine/helm:3.15.3
    steps:
      - name: install tools
        run: |
--- a/.markdownlint.yaml
+++ b/.markdownlint.yaml
@ -73,7 +73,7 @@ MD022:
 # MD024/no-duplicate-heading/no-duplicate-header - Multiple headings with the same content
 MD024:
  # Only check sibling headings
-  allow_different_nesting: true
+  siblings_only: true

 # MD025/single-title/single-h1 - Multiple top-level headings in the same document
 MD025:
--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@ -1,6 +1,6 @@
 {
    "yaml.schemas": {
-        "https://raw.githubusercontent.com/helm-unittest/helm-unittest/v0.3.6/schema/helm-testsuite.json": [
+        "https://raw.githubusercontent.com/helm-unittest/helm-unittest/v0.5.2/schema/helm-testsuite.json": [
            "/unittests/**/*.yaml"
        ]
    },
--- a/1
+++ b/1
@ -0,0 +1 @@
+* @justusbunsi @pat-s
--- a/Chart.lock
+++ b/Chart.lock
@ -1,12 +1,15 @@
 dependencies:
 - name: postgresql
  repository: oci://registry-1.docker.io/bitnamicharts
-  version: 13.2.24
+  version: 15.5.20
 - name: postgresql-ha
  repository: oci://registry-1.docker.io/bitnamicharts
-  version: 12.3.3
+  version: 14.2.16
 - name: redis-cluster
  repository: oci://registry-1.docker.io/bitnamicharts
-  version: 9.1.3
-digest: sha256:c4ae8a7ddfb6670acc7f39d5728a0929f6c7666d32459229b5e4e66b19749677
-generated: "2023-12-17T00:11:27.841588235Z"
+  version: 10.3.0
+- name: redis
+  repository: oci://registry-1.docker.io/bitnamicharts
+  version: 19.6.4
+digest: sha256:a28c809273f313c482e3f803a0a002c3bb3a0d2090bf6b732d68ecc4710b4732
+generated: "2024-08-03T00:21:16.080925346Z"
--- a/Chart.yaml
+++ b/Chart.yaml
@ -3,7 +3,8 @@ name: gitea
 description: Gitea Helm chart for Kubernetes
 type: application
 version: 0.0.0
-appVersion: 1.21.2
+# renovate datasource=github-releases depName=go-gitea/gitea extractVersion=^v(?<version>.*)$
+appVersion: 1.22.3
 icon: https://gitea.com/assets/img/logo.svg

 keywords:
@ -31,20 +32,24 @@ maintainers:
  - name: Patrick Schratz
    email: patrick.schratz@gmail.com

-# Bitnami charts are served from GitHub CDN - See https://github.com/bitnami/charts/issues/10539 for details
 dependencies:
  # https://github.com/bitnami/charts/blob/main/bitnami/postgresql
  - name: postgresql
    repository: oci://registry-1.docker.io/bitnamicharts
-    version: 13.2.24
+    version: 15.5.20
    condition: postgresql.enabled
  # https://github.com/bitnami/charts/blob/main/bitnami/postgresql-ha/Chart.yaml
  - name: postgresql-ha
    repository: oci://registry-1.docker.io/bitnamicharts
-    version: 12.3.3
+    version: 14.2.16
    condition: postgresql-ha.enabled
  # https://github.com/bitnami/charts/blob/main/bitnami/redis-cluster/Chart.yaml
  - name: redis-cluster
    repository: oci://registry-1.docker.io/bitnamicharts
-    version: 9.1.3
+    version: 10.3.0
    condition: redis-cluster.enabled
+  # https://github.com/bitnami/charts/blob/main/bitnami/redis/Chart.yaml
+  - name: redis
+    repository: oci://registry-1.docker.io/bitnamicharts
+    version: 19.6.4
+    condition: redis.enabled
--- a/2
+++ b/2
@ -9,7 +9,7 @@ readme: prepare-environment

 .PHONY: unittests
 unittests:
-	helm unittest --strict -f 'unittests/**/*.yaml' -f 'unittests/dependency-major-image-check.yaml' ./
+	helm unittest --strict -f 'unittests/**/*.yaml' -f 'unittests/dependency-major-image-check.yaml' -f 'unittests/values-conflicting-checks.yaml' ./

 .PHONY: helm
 update-helm-dependencies:
--- a/README.md
+++ b/README.md
@ -45,12 +45,14 @@
  - [Persistence](#persistence-1)
  - [Init](#init)
  - [Signing](#signing)
+  - [Gitea Actions](#gitea-actions)
  - [Gitea](#gitea)
  - [LivenessProbe](#livenessprobe)
  - [ReadinessProbe](#readinessprobe)
  - [StartupProbe](#startupprobe)
  - [redis-cluster](#redis-cluster)
-  - [PostgreSQL-ha](#postgresql-ha)
+  - [redis](#redis)
+  - [PostgreSQL HA](#postgresql-ha)
  - [PostgreSQL](#postgresql)
  - [Advanced](#advanced)
 - [Contributing](#contributing)
@ -98,7 +100,8 @@ These dependencies are enabled by default:

 Alternatively, the following non-HA replacements are available:

- PostgreSQL ([Bitnami PostgreSQL](postgresql](https://github.com/bitnami/charts/blob/main/bitnami/postgresql/Chart.yaml)))
+- PostgreSQL ([Bitnami PostgreSQL](<Postgresql](https://github.com/bitnami/charts/blob/main/bitnami/postgresql/Chart.yaml)>))
+- Redis ([Bitnami Redis](<Redis](https://github.com/bitnami/charts/blob/main/bitnami/redis/Chart.yaml)>))

 ### Dependency Versioning

@ -117,6 +120,7 @@ Please double-check the image repository and available tags in the sub-chart:
 - [PostgreSQL-HA](https://hub.docker.com/r/bitnami/postgresql-repmgr/tags)
 - [PostgreSQL](https://hub.docker.com/r/bitnami/postgresql/tags)
 - [Redis Cluster](https://hub.docker.com/r/bitnami/redis-cluster/tags)
+- [Redis](https://hub.docker.com/r/bitnami/redis/tags)

 and look up the image tag which fits your needs on Dockerhub.

@ -244,7 +248,7 @@ External tools such as `redis-cluster` or `memcached` handle these workloads muc

 If HA is not needed/desired, the following configurations can be used to deploy a single-pod Gitea instance.

-1. For a production-ready single-pod Gitea instance without external dependencies (using the chart dependency `postgresql`):
+1. For a production-ready single-pod Gitea instance without external dependencies (using the chart dependency `postgresql` and `redis`):

   <details>

@ -253,6 +257,8 @@ If HA is not needed/desired, the following configurations can be used to deploy
   ```yaml
   redis-cluster:
     enabled: false
+   redis:
+     enabled: true
   postgresql:
     enabled: true
   postgresql-ha:
@ -265,12 +271,6 @@ If HA is not needed/desired, the following configurations can be used to deploy
     config:
       database:
         DB_TYPE: postgres
-       session:
-         PROVIDER: db
-       cache:
-         ADAPTER: memory
-       queue:
-         TYPE: level
       indexer:
         ISSUE_INDEXER_TYPE: bleve
         REPO_INDEXER_ENABLED: true
@ -290,6 +290,8 @@ If HA is not needed/desired, the following configurations can be used to deploy
   ```yaml
   redis-cluster:
     enabled: false
+   redis:
+     enabled: false
   postgresql:
     enabled: false
   postgresql-ha:
@ -419,6 +421,9 @@ gitea:

 postgresql:
  enabled: false
+
+postgresql-ha:
+  enabled: false
 ```

 ### Ports and external url
@ -497,6 +502,9 @@ redis-cluster:
  enabled: true
 ```

+⚠️ The redis charts [do not work well with special characters in the password](https://gitea.com/gitea/helm-chart/issues/690).
+Consider omitting such or open an issue in the Bitnami repo and let us know once this got fixed.
+
 ### Persistence

 Gitea will be deployed as a deployment.
@ -568,6 +576,20 @@ gitea:
    existingSecret: gitea-admin-secret
 ```

+Whether you use the existing Secret or specify a user name and password, there are three modes for how the admin user password is created or set.
+
+- `keepUpdated` (the default) will set the admin user password, and reset it to the defined value every time the pod is recreated.
+- `initialOnlyNoReset` will set the admin user password when creating it, but never try to update the password.
+- `initialOnlyRequireReset` will set the admin user password when creating it, never update it, and require that the password be changed at the initial login.
+
+These modes can be set like the following:
+
+```yaml
+gitea:
+  admin:
+    passwordMode: initialOnlyRequireReset
+```
+
 ### LDAP Settings

 Like the admin user the LDAP settings can be updated.
@ -834,13 +856,14 @@ To comply with the Gitea helm chart definition of the digest parameter, a "custo

 ### Global

-| Name                      | Description                                                               | Value |
-| ------------------------- | ------------------------------------------------------------------------- | ----- |
-| `global.imageRegistry`    | global image registry override                                            | `""`  |
-| `global.imagePullSecrets` | global image pull secrets override; can be extended by `imagePullSecrets` | `[]`  |
-| `global.storageClass`     | global storage class override                                             | `""`  |
-| `global.hostAliases`      | global hostAliases which will be added to the pod's hosts files           | `[]`  |
-| `replicaCount`            | number of replicas for the deployment                                     | `1`   |
+| Name                      | Description                                                                                    | Value |
+| ------------------------- | ---------------------------------------------------------------------------------------------- | ----- |
+| `global.imageRegistry`    | global image registry override                                                                 | `""`  |
+| `global.imagePullSecrets` | global image pull secrets override; can be extended by `imagePullSecrets`                      | `[]`  |
+| `global.storageClass`     | global storage class override                                                                  | `""`  |
+| `global.hostAliases`      | global hostAliases which will be added to the pod's hosts files                                | `[]`  |
+| `namespace`               | An explicit namespace to deploy Gitea into. Defaults to the release namespace if not specified | `""`  |
+| `replicaCount`            | number of replicas for the deployment                                                          | `1`   |

 ### strategy

@ -888,6 +911,8 @@ To comply with the Gitea helm chart definition of the digest parameter, a "custo
 | `service.http.ipFamilies`               | HTTP service dual-stack familiy selection,for dual-stack parameters see official kubernetes [dual-stack concept documentation](https://kubernetes.io/docs/concepts/services-networking/dual-stack/). | `nil`       |
 | `service.http.loadBalancerSourceRanges` | Source range filter for http loadbalancer                                                                                                                                                            | `[]`        |
 | `service.http.annotations`              | HTTP service annotations                                                                                                                                                                             | `{}`        |
+| `service.http.labels`                   | HTTP service additional labels                                                                                                                                                                       | `{}`        |
+| `service.http.loadBalancerClass`        | Loadbalancer class                                                                                                                                                                                   | `nil`       |
 | `service.ssh.type`                      | Kubernetes service type for ssh traffic                                                                                                                                                              | `ClusterIP` |
 | `service.ssh.port`                      | Port number for ssh traffic                                                                                                                                                                          | `22`        |
 | `service.ssh.clusterIP`                 | ClusterIP setting for ssh autosetup for deployment is None                                                                                                                                           | `None`      |
@ -900,6 +925,8 @@ To comply with the Gitea helm chart definition of the digest parameter, a "custo
 | `service.ssh.hostPort`                  | HostPort for ssh service                                                                                                                                                                             | `nil`       |
 | `service.ssh.loadBalancerSourceRanges`  | Source range filter for ssh loadbalancer                                                                                                                                                             | `[]`        |
 | `service.ssh.annotations`               | SSH service annotations                                                                                                                                                                              | `{}`        |
+| `service.ssh.labels`                    | SSH service additional labels                                                                                                                                                                        | `{}`        |
+| `service.ssh.loadBalancerClass`         | Loadbalancer class                                                                                                                                                                                   | `nil`       |

 ### Ingress

@ -957,6 +984,7 @@ To comply with the Gitea helm chart definition of the digest parameter, a "custo
 | `persistence.storageClass`                        | Name of the storage class to use                                                                      | `nil`                  |
 | `persistence.subPath`                             | Subdirectory of the volume to mount at                                                                | `nil`                  |
 | `persistence.volumeName`                          | Name of persistent volume in PVC                                                                      | `""`                   |
+| `extraContainers`                                 | Additional sidecar containers to run in the pod                                                       | `[]`                   |
 | `extraVolumes`                                    | Additional volumes to mount to the Gitea deployment                                                   | `[]`                   |
 | `extraContainerVolumeMounts`                      | Mounts that are only mapped into the Gitea runtime/main container, to e.g. override custom templates. | `[]`                   |
 | `extraInitVolumeMounts`                           | Mounts that are only mapped into the init-containers. Can be used for additional preconfiguration.    | `[]`                   |
@ -977,27 +1005,68 @@ To comply with the Gitea helm chart definition of the digest parameter, a "custo
 | ------------------------ | ----------------------------------------------------------------- | ------------------ |
 | `signing.enabled`        | Enable commit/action signing                                      | `false`            |
 | `signing.gpgHome`        | GPG home directory                                                | `/data/git/.gnupg` |
-| `signing.privateKey`     | Inline private gpg key for signed Gitea actions                   | `""`               |
+| `signing.privateKey`     | Inline private gpg key for signed internal Git activity           | `""`               |
 | `signing.existingSecret` | Use an existing secret to store the value of `signing.privateKey` | `""`               |

+### Gitea Actions
+
+| Name                                           | Description                                                                                                                                 | Value                          |
+| ---------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------ |
+| `actions.enabled`                              | Create an act runner StatefulSet.                                                                                                           | `false`                        |
+| `actions.init.image.repository`                | The image used for the init containers                                                                                                      | `busybox`                      |
+| `actions.init.image.tag`                       | The image tag used for the init containers                                                                                                  | `1.36.1`                       |
+| `actions.statefulset.annotations`              | Act runner annotations                                                                                                                      | `{}`                           |
+| `actions.statefulset.labels`                   | Act runner labels                                                                                                                           | `{}`                           |
+| `actions.statefulset.resources`                | Act runner resources                                                                                                                        | `{}`                           |
+| `actions.statefulset.nodeSelector`             | NodeSelector for the statefulset                                                                                                            | `{}`                           |
+| `actions.statefulset.tolerations`              | Tolerations for the statefulset                                                                                                             | `[]`                           |
+| `actions.statefulset.affinity`                 | Affinity for the statefulset                                                                                                                | `{}`                           |
+| `actions.statefulset.actRunner.repository`     | The Gitea act runner image                                                                                                                  | `gitea/act_runner`             |
+| `actions.statefulset.actRunner.tag`            | The Gitea act runner tag                                                                                                                    | `0.2.11`                       |
+| `actions.statefulset.actRunner.pullPolicy`     | The Gitea act runner pullPolicy                                                                                                             | `IfNotPresent`                 |
+| `actions.statefulset.actRunner.config`         | Act runner custom configuration. See [Act Runner documentation](https://docs.gitea.com/usage/actions/act-runner#configuration) for details. | `Too complex. See values.yaml` |
+| `actions.statefulset.dind.repository`          | The Docker-in-Docker image                                                                                                                  | `docker`                       |
+| `actions.statefulset.dind.tag`                 | The Docker-in-Docker image tag                                                                                                              | `25.0.2-dind`                  |
+| `actions.statefulset.dind.pullPolicy`          | The Docker-in-Docker pullPolicy                                                                                                             | `IfNotPresent`                 |
+| `actions.statefulset.dind.extraEnvs`           | Allows adding custom environment variables, such as `DOCKER_IPTABLES_LEGACY`                                                                | `[]`                           |
+| `actions.provisioning.enabled`                 | Create a job that will create and save the token in a Kubernetes Secret                                                                     | `false`                        |
+| `actions.provisioning.annotations`             | Job's annotations                                                                                                                           | `{}`                           |
+| `actions.provisioning.labels`                  | Job's labels                                                                                                                                | `{}`                           |
+| `actions.provisioning.resources`               | Job's resources                                                                                                                             | `{}`                           |
+| `actions.provisioning.nodeSelector`            | NodeSelector for the job                                                                                                                    | `{}`                           |
+| `actions.provisioning.tolerations`             | Tolerations for the job                                                                                                                     | `[]`                           |
+| `actions.provisioning.affinity`                | Affinity for the job                                                                                                                        | `{}`                           |
+| `actions.provisioning.ttlSecondsAfterFinished` | ttl for the job after finished in order to allow helm to properly recognize that the job completed                                          | `300`                          |
+| `actions.provisioning.publish.repository`      | The image that can create the secret via kubectl                                                                                            | `bitnami/kubectl`              |
+| `actions.provisioning.publish.tag`             | The publish image tag that can create the secret                                                                                            | `1.29.0`                       |
+| `actions.provisioning.publish.pullPolicy`      | The publish image pullPolicy that can create the secret                                                                                     | `IfNotPresent`                 |
+| `actions.existingSecret`                       | Secret that contains the token                                                                                                              | `""`                           |
+| `actions.existingSecretKey`                    | Secret key                                                                                                                                  | `""`                           |
+
 ### Gitea

-| Name                                   | Description                                                               | Value                |
-| -------------------------------------- | ------------------------------------------------------------------------- | -------------------- |
-| `gitea.admin.username`                 | Username for the Gitea admin user                                         | `gitea_admin`        |
-| `gitea.admin.existingSecret`           | Use an existing secret to store admin user credentials                    | `nil`                |
-| `gitea.admin.password`                 | Password for the Gitea admin user                                         | `r8sA8CPHD9!bt6d`    |
-| `gitea.admin.email`                    | Email for the Gitea admin user                                            | `gitea@local.domain` |
-| `gitea.metrics.enabled`                | Enable Gitea metrics                                                      | `false`              |
-| `gitea.metrics.serviceMonitor.enabled` | Enable Gitea metrics service monitor                                      | `false`              |
-| `gitea.ldap`                           | LDAP configuration                                                        | `[]`                 |
-| `gitea.oauth`                          | OAuth configuration                                                       | `[]`                 |
-| `gitea.config.server.SSH_PORT`         | SSH port for rootlful Gitea image                                         | `22`                 |
-| `gitea.config.server.SSH_LISTEN_PORT`  | SSH port for rootless Gitea image                                         | `2222`               |
-| `gitea.additionalConfigSources`        | Additional configuration from secret or configmap                         | `[]`                 |
-| `gitea.additionalConfigFromEnvs`       | Additional configuration sources from environment variables               | `[]`                 |
-| `gitea.podAnnotations`                 | Annotations for the Gitea pod                                             | `{}`                 |
-| `gitea.ssh.logLevel`                   | Configure OpenSSH's log level. Only available for root-based Gitea image. | `INFO`               |
+| Name                                         | Description                                                                                                                    | Value                |
+| -------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------ | -------------------- |
+| `gitea.admin.username`                       | Username for the Gitea admin user                                                                                              | `gitea_admin`        |
+| `gitea.admin.existingSecret`                 | Use an existing secret to store admin user credentials                                                                         | `nil`                |
+| `gitea.admin.password`                       | Password for the Gitea admin user                                                                                              | `r8sA8CPHD9!bt6d`    |
+| `gitea.admin.email`                          | Email for the Gitea admin user                                                                                                 | `gitea@local.domain` |
+| `gitea.admin.passwordMode`                   | Mode for how to set/update the admin user password. Options are: initialOnlyNoReset, initialOnlyRequireReset, and keepUpdated  | `keepUpdated`        |
+| `gitea.metrics.enabled`                      | Enable Gitea metrics                                                                                                           | `false`              |
+| `gitea.metrics.serviceMonitor.enabled`       | Enable Gitea metrics service monitor. Requires, that `gitea.metrics.enabled` is also set to true, to enable metrics generally. | `false`              |
+| `gitea.metrics.serviceMonitor.interval`      | Interval at which metrics should be scraped. If not specified Prometheus' global scrape interval is used.                      | `""`                 |
+| `gitea.metrics.serviceMonitor.relabelings`   | RelabelConfigs to apply to samples before scraping.                                                                            | `[]`                 |
+| `gitea.metrics.serviceMonitor.scheme`        | HTTP scheme to use for scraping. For example `http` or `https`. Default is http.                                               | `""`                 |
+| `gitea.metrics.serviceMonitor.scrapeTimeout` | Timeout after which the scrape is ended. If not specified, global Prometheus scrape timeout is used.                           | `""`                 |
+| `gitea.metrics.serviceMonitor.tlsConfig`     | TLS configuration to use when scraping the metric endpoint by Prometheus.                                                      | `{}`                 |
+| `gitea.ldap`                                 | LDAP configuration                                                                                                             | `[]`                 |
+| `gitea.oauth`                                | OAuth configuration                                                                                                            | `[]`                 |
+| `gitea.config.server.SSH_PORT`               | SSH port for rootlful Gitea image                                                                                              | `22`                 |
+| `gitea.config.server.SSH_LISTEN_PORT`        | SSH port for rootless Gitea image                                                                                              | `2222`               |
+| `gitea.additionalConfigSources`              | Additional configuration from secret or configmap                                                                              | `[]`                 |
+| `gitea.additionalConfigFromEnvs`             | Additional configuration sources from environment variables                                                                    | `[]`                 |
+| `gitea.podAnnotations`                       | Annotations for the Gitea pod                                                                                                  | `{}`                 |
+| `gitea.ssh.logLevel`                         | Configure OpenSSH's log level. Only available for root-based Gitea image.                                                      | `INFO`               |

 ### LivenessProbe

@ -1037,18 +1106,31 @@ To comply with the Gitea helm chart definition of the digest parameter, a "custo

 ### redis-cluster

+Redis cluster and [Redis](#redis) cannot be enabled at the same time.
+
 | Name                             | Description                                  | Value   |
 | -------------------------------- | -------------------------------------------- | ------- |
-| `redis-cluster.enabled`          | Enable redis                                 | `true`  |
+| `redis-cluster.enabled`          | Enable redis cluster                         | `true`  |
 | `redis-cluster.usePassword`      | Whether to use password authentication       | `false` |
 | `redis-cluster.cluster.nodes`    | Number of redis cluster master nodes         | `3`     |
 | `redis-cluster.cluster.replicas` | Number of redis cluster master node replicas | `0`     |

-### PostgreSQL-ha
+### redis
+
+Redis and [Redis cluster](#redis-cluster) cannot be enabled at the same time.
+
+| Name                          | Description                                | Value        |
+| ----------------------------- | ------------------------------------------ | ------------ |
+| `redis.enabled`               | Enable redis standalone or replicated      | `false`      |
+| `redis.architecture`          | Whether to use standalone or replication   | `standalone` |
+| `redis.global.redis.password` | Required password                          | `changeme`   |
+| `redis.master.count`          | Number of Redis master instances to deploy | `1`          |
+
+### PostgreSQL HA

 | Name                                        | Description                                                      | Value       |
 | ------------------------------------------- | ---------------------------------------------------------------- | ----------- |
-| `postgresql-ha.enabled`                     | Enable PostgreSQL-ha                                             | `true`      |
+| `postgresql-ha.enabled`                     | Enable PostgreSQL HA                                             | `true`      |
 | `postgresql-ha.postgresql.password`         | Password for the `gitea` user (overrides `auth.password`)        | `changeme4` |
 | `postgresql-ha.global.postgresql.database`  | Name for a custom database to create (overrides `auth.database`) | `gitea`     |
 | `postgresql-ha.global.postgresql.username`  | Name for a custom user to create (overrides `auth.username`)     | `gitea`     |
@ -1057,7 +1139,7 @@ To comply with the Gitea helm chart definition of the digest parameter, a "custo
 | `postgresql-ha.postgresql.postgresPassword` | postgres Password                                                | `changeme1` |
 | `postgresql-ha.pgpool.adminPassword`        | pgpool adminPassword                                             | `changeme3` |
 | `postgresql-ha.service.ports.postgresql`    | PostgreSQL service port (overrides `service.ports.postgresql`)   | `5432`      |
-| `postgresql-ha.primary.persistence.size`    | PVC Storage Request for PostgreSQL-ha volume                     | `10Gi`      |
+| `postgresql-ha.persistence.size`            | PVC Storage Request for PostgreSQL HA volume                     | `10Gi`      |

 ### PostgreSQL

--- a/package-lock.json
+++ b/package-lock.json
@ -8,7 +8,7 @@
      "license": "MIT",
      "devDependencies": {
        "@bitnami/readme-generator-for-helm": "^2.5.0",
-        "markdownlint-cli": "^0.38.0"
+        "markdownlint-cli": "^0.41.0"
      },
      "engines": {
        "node": ">=16.0.0",
@ -16,9 +16,9 @@
      }
    },
    "node_modules/@bitnami/readme-generator-for-helm": {
-      "version": "2.6.0",
-      "resolved": "https://registry.npmjs.org/@bitnami/readme-generator-for-helm/-/readme-generator-for-helm-2.6.0.tgz",
-      "integrity": "sha512-LcByNCryaC2OJExL9rnhyFJ18+vrZu1gVoN2Z7j/HI42EjV4kLgT4G1KEPNnrKbls9HvozBqMG+sKZIDh0McFg==",
+      "version": "2.6.1",
+      "resolved": "https://registry.npmjs.org/@bitnami/readme-generator-for-helm/-/readme-generator-for-helm-2.6.1.tgz",
+      "integrity": "sha512-rN0m0sfbOuaNdCmQWBfSj9o4kgzz+Dw67Dl1ssDVqghv/UpLkrDmNuTxhD1CWu+sesGL66UYJ2VplGz9KxlAdg==",
      "dev": true,
      "dependencies": {
        "commander": "^7.1.0",
@ -195,9 +195,9 @@
      "dev": true
    },
    "node_modules/entities": {
-      "version": "3.0.1",
-      "resolved": "https://registry.npmjs.org/entities/-/entities-3.0.1.tgz",
-      "integrity": "sha512-WiyBqoomrwMdFG1e0kqvASYfnlb0lp8M5o5Fw2OFq1hNZxxcNk8Ik0Xm7LxzBhuidnZB/UtBqVCgUz3kBOP51Q==",
+      "version": "4.5.0",
+      "resolved": "https://registry.npmjs.org/entities/-/entities-4.5.0.tgz",
+      "integrity": "sha512-V0hjH4dGPh9Ao5p0MoRY6BVqtwCjhz6vI5LT8AJ55H+4g9/4vbHx1I54fS0XuclLhDHArPQCiMjDxjaL8fPxhw==",
      "dev": true,
      "engines": {
        "node": ">=0.12"
@ -261,9 +261,9 @@
      }
    },
    "node_modules/ignore": {
-      "version": "5.3.0",
-      "resolved": "https://registry.npmjs.org/ignore/-/ignore-5.3.0.tgz",
-      "integrity": "sha512-g7dmpshy+gD7mh88OC9NwSGTKoc3kyLAZQRU1mt53Aw/vnvfXnbC+F/7F7QoYVKbV+KNvJx8wArewKy1vXMtlg==",
+      "version": "5.3.1",
+      "resolved": "https://registry.npmjs.org/ignore/-/ignore-5.3.1.tgz",
+      "integrity": "sha512-5Fytz/IraMjqpwfd34ke28PTVMjZjJG2MPn5t7OE4eUCUNf8BAa7b5WUS9/Qvr6mwOQS7Mk6vdsMno5he+T8Xw==",
      "dev": true,
      "engines": {
        "node": ">= 4"
@ -310,10 +310,11 @@
      "dev": true
    },
    "node_modules/jackspeak": {
-      "version": "2.3.6",
-      "resolved": "https://registry.npmjs.org/jackspeak/-/jackspeak-2.3.6.tgz",
-      "integrity": "sha512-N3yCS/NegsOBokc8GAdM8UcmfsKiSS8cipheD/nivzr700H+nsMOxJjQnvwOcRYVuFkdH0wGUvW2WbXGmrZGbQ==",
+      "version": "3.1.2",
+      "resolved": "https://registry.npmjs.org/jackspeak/-/jackspeak-3.1.2.tgz",
+      "integrity": "sha512-kWmLKn2tRtfYMF/BakihVVRzBKOxz4gJMiL2Rj91WnAB5TPZumSH99R/Yf1qE1u4uRimvCSJfm6hnxohXeEXjQ==",
      "dev": true,
+      "license": "BlueOak-1.0.0",
      "dependencies": {
        "@isaacs/cliui": "^8.0.2"
      },
@ -340,18 +341,27 @@
      }
    },
    "node_modules/jsonc-parser": {
-      "version": "3.2.0",
-      "resolved": "https://registry.npmjs.org/jsonc-parser/-/jsonc-parser-3.2.0.tgz",
-      "integrity": "sha512-gfFQZrcTc8CnKXp6Y4/CBT3fTc0OVuDofpre4aEeEpSBPV5X5v4+Vmx+8snU7RLPrNHPKSgLxGo9YuQzz20o+w==",
+      "version": "3.2.1",
+      "resolved": "https://registry.npmjs.org/jsonc-parser/-/jsonc-parser-3.2.1.tgz",
+      "integrity": "sha512-AilxAyFOAcK5wA1+LeaySVBrHsGQvUFCDWXKpZjzaL0PqW+xfBOttn8GNtWKFWqneyMZj41MWF9Kl6iPWLwgOA==",
      "dev": true
    },
+    "node_modules/jsonpointer": {
+      "version": "5.0.1",
+      "resolved": "https://registry.npmjs.org/jsonpointer/-/jsonpointer-5.0.1.tgz",
+      "integrity": "sha512-p/nXbhSEcu3pZRdkW1OfJhpsVtW1gd4Wa1fnQc9YLiTfAjn0312eMKimbdIQzuZl9aa9xUGaRlP9T/CJE/ditQ==",
+      "dev": true,
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
    "node_modules/linkify-it": {
-      "version": "4.0.1",
-      "resolved": "https://registry.npmjs.org/linkify-it/-/linkify-it-4.0.1.tgz",
-      "integrity": "sha512-C7bfi1UZmoj8+PQx22XyeXCuBlokoyWQL5pWSP+EI6nzRylyThouddufc2c1NDIcP9k5agmN9fLpA7VNJfIiqw==",
+      "version": "5.0.0",
+      "resolved": "https://registry.npmjs.org/linkify-it/-/linkify-it-5.0.0.tgz",
+      "integrity": "sha512-5aHCbzQRADcdP+ATqnDuhhJ/MRIqDkZX5pyjFHRRysS8vZ5AbqGEoFIb6pYHPZ+L/OC2Lc+xT8uHVVR5CAK/wQ==",
      "dev": true,
      "dependencies": {
-        "uc.micro": "^1.0.1"
+        "uc.micro": "^2.0.0"
      }
    },
    "node_modules/lodash": {
@ -361,28 +371,29 @@
      "dev": true
    },
    "node_modules/lru-cache": {
-      "version": "9.1.1",
-      "resolved": "https://registry.npmjs.org/lru-cache/-/lru-cache-9.1.1.tgz",
-      "integrity": "sha512-65/Jky17UwSb0BuB9V+MyDpsOtXKmYwzhyl+cOa9XUiI4uV2Ouy/2voFP3+al0BjZbJgMBD8FojMpAf+Z+qn4A==",
+      "version": "10.2.2",
+      "resolved": "https://registry.npmjs.org/lru-cache/-/lru-cache-10.2.2.tgz",
+      "integrity": "sha512-9hp3Vp2/hFQUiIwKo8XCeFVnrg8Pk3TYNPIR7tJADKi5YfcF7vEaK7avFHTlSy3kOKYaJQaalfEo6YuXdceBOQ==",
      "dev": true,
      "engines": {
        "node": "14 || >=16.14"
      }
    },
    "node_modules/markdown-it": {
-      "version": "13.0.2",
-      "resolved": "https://registry.npmjs.org/markdown-it/-/markdown-it-13.0.2.tgz",
-      "integrity": "sha512-FtwnEuuK+2yVU7goGn/MJ0WBZMM9ZPgU9spqlFs7/A/pDIUNSOQZhUgOqYCficIuR2QaFnrt8LHqBWsbTAoI5w==",
+      "version": "14.1.0",
+      "resolved": "https://registry.npmjs.org/markdown-it/-/markdown-it-14.1.0.tgz",
+      "integrity": "sha512-a54IwgWPaeBCAAsv13YgmALOF1elABB08FxO9i+r4VFk5Vl4pKokRPeX8u5TCgSsPi6ec1otfLjdOpVcgbpshg==",
      "dev": true,
      "dependencies": {
        "argparse": "^2.0.1",
-        "entities": "~3.0.1",
-        "linkify-it": "^4.0.1",
-        "mdurl": "^1.0.1",
-        "uc.micro": "^1.0.5"
+        "entities": "^4.4.0",
+        "linkify-it": "^5.0.0",
+        "mdurl": "^2.0.0",
+        "punycode.js": "^2.3.1",
+        "uc.micro": "^2.1.0"
      },
      "bin": {
-        "markdown-it": "bin/markdown-it.js"
+        "markdown-it": "bin/markdown-it.mjs"
      }
    },
    "node_modules/markdown-table": {
@ -399,13 +410,13 @@
      }
    },
    "node_modules/markdownlint": {
-      "version": "0.32.1",
-      "resolved": "https://registry.npmjs.org/markdownlint/-/markdownlint-0.32.1.tgz",
-      "integrity": "sha512-3sx9xpi4xlHlokGyHO9k0g3gJbNY4DI6oNEeEYq5gQ4W7UkiJ90VDAnuDl2U+yyXOUa6BX+0gf69ZlTUGIBp6A==",
+      "version": "0.34.0",
+      "resolved": "https://registry.npmjs.org/markdownlint/-/markdownlint-0.34.0.tgz",
+      "integrity": "sha512-qwGyuyKwjkEMOJ10XN6OTKNOVYvOIi35RNvDLNxTof5s8UmyGHlCdpngRHoRGNvQVGuxO3BJ7uNSgdeX166WXw==",
      "dev": true,
      "dependencies": {
-        "markdown-it": "13.0.2",
-        "markdownlint-micromark": "0.1.7"
+        "markdown-it": "14.1.0",
+        "markdownlint-micromark": "0.1.9"
      },
      "engines": {
        "node": ">=18"
@ -415,20 +426,23 @@
      }
    },
    "node_modules/markdownlint-cli": {
-      "version": "0.38.0",
-      "resolved": "https://registry.npmjs.org/markdownlint-cli/-/markdownlint-cli-0.38.0.tgz",
-      "integrity": "sha512-qkZRKJ4LVq6CJIkRIuJsEHvhWhm+FP0E7yhHvOMrrgdykgFWNYD4wuhZTjvigbJLTKPooP79yPiUDDZBCBI5JA==",
+      "version": "0.41.0",
+      "resolved": "https://registry.npmjs.org/markdownlint-cli/-/markdownlint-cli-0.41.0.tgz",
+      "integrity": "sha512-kp29tKrMKdn+xonfefjp3a/MsNzAd9c5ke0ydMEI9PR98bOjzglYN4nfMSaIs69msUf1DNkgevAIAPtK2SeX0Q==",
      "dev": true,
+      "license": "MIT",
      "dependencies": {
-        "commander": "~11.1.0",
+        "commander": "~12.1.0",
        "get-stdin": "~9.0.0",
-        "glob": "~10.3.10",
-        "ignore": "~5.3.0",
+        "glob": "~10.4.1",
+        "ignore": "~5.3.1",
        "js-yaml": "^4.1.0",
-        "jsonc-parser": "~3.2.0",
-        "markdownlint": "~0.32.1",
-        "minimatch": "~9.0.3",
-        "run-con": "~1.3.2"
+        "jsonc-parser": "~3.2.1",
+        "jsonpointer": "5.0.1",
+        "markdownlint": "~0.34.0",
+        "minimatch": "~9.0.4",
+        "run-con": "~1.3.2",
+        "smol-toml": "~1.2.0"
      },
      "bin": {
        "markdownlint": "markdownlint.js"
@ -442,46 +456,50 @@
      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-2.0.1.tgz",
      "integrity": "sha512-XnAIvQ8eM+kC6aULx6wuQiwVsnzsi9d3WxzV3FpWTGA19F621kwdbsAcFKXgKUHZWsy+mY6iL1sHTxWEFCytDA==",
      "dev": true,
+      "license": "MIT",
      "dependencies": {
        "balanced-match": "^1.0.0"
      }
    },
    "node_modules/markdownlint-cli/node_modules/commander": {
-      "version": "11.1.0",
-      "resolved": "https://registry.npmjs.org/commander/-/commander-11.1.0.tgz",
-      "integrity": "sha512-yPVavfyCcRhmorC7rWlkHn15b4wDVgVmBA7kV4QVBsF7kv/9TKJAbAXVTxvTnwP8HHKjRCJDClKbciiYS7p0DQ==",
+      "version": "12.1.0",
+      "resolved": "https://registry.npmjs.org/commander/-/commander-12.1.0.tgz",
+      "integrity": "sha512-Vw8qHK3bZM9y/P10u3Vib8o/DdkvA2OtPtZvD871QKjy74Wj1WSKFILMPRPSdUSx5RFK1arlJzEtA4PkFgnbuA==",
      "dev": true,
+      "license": "MIT",
      "engines": {
-        "node": ">=16"
+        "node": ">=18"
      }
    },
    "node_modules/markdownlint-cli/node_modules/glob": {
-      "version": "10.3.10",
-      "resolved": "https://registry.npmjs.org/glob/-/glob-10.3.10.tgz",
-      "integrity": "sha512-fa46+tv1Ak0UPK1TOy/pZrIybNNt4HCv7SDzwyfiOZkvZLEbjsZkJBPtDHVshZjbecAoAGSC20MjLDG/qr679g==",
+      "version": "10.4.1",
+      "resolved": "https://registry.npmjs.org/glob/-/glob-10.4.1.tgz",
+      "integrity": "sha512-2jelhlq3E4ho74ZyVLN03oKdAZVUa6UDZzFLVH1H7dnoax+y9qyaq8zBkfDIggjniU19z0wU18y16jMB2eyVIw==",
      "dev": true,
+      "license": "ISC",
      "dependencies": {
        "foreground-child": "^3.1.0",
-        "jackspeak": "^2.3.5",
-        "minimatch": "^9.0.1",
-        "minipass": "^5.0.0 || ^6.0.2 || ^7.0.0",
-        "path-scurry": "^1.10.1"
+        "jackspeak": "^3.1.2",
+        "minimatch": "^9.0.4",
+        "minipass": "^7.1.2",
+        "path-scurry": "^1.11.1"
      },
      "bin": {
        "glob": "dist/esm/bin.mjs"
      },
      "engines": {
-        "node": ">=16 || 14 >=14.17"
+        "node": ">=16 || 14 >=14.18"
      },
      "funding": {
        "url": "https://github.com/sponsors/isaacs"
      }
    },
    "node_modules/markdownlint-cli/node_modules/minimatch": {
-      "version": "9.0.3",
-      "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-9.0.3.tgz",
-      "integrity": "sha512-RHiac9mvaRw0x3AYRgDC1CxAP7HTcNrrECeA8YYJeWnpo+2Q5CegtZjaotWTWxDG3UeGA1coE05iH1mPjT/2mg==",
+      "version": "9.0.4",
+      "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-9.0.4.tgz",
+      "integrity": "sha512-KqWh+VchfxcMNRAJjj2tnsSJdNbHsVgnkBhTNrW7AjVo6OvLtxw8zfT9oLw1JSohlFzJ8jCoTgaoXvJ+kHt6fw==",
      "dev": true,
+      "license": "ISC",
      "dependencies": {
        "brace-expansion": "^2.0.1"
      },
@ -493,18 +511,21 @@
      }
    },
    "node_modules/markdownlint-micromark": {
-      "version": "0.1.7",
-      "resolved": "https://registry.npmjs.org/markdownlint-micromark/-/markdownlint-micromark-0.1.7.tgz",
-      "integrity": "sha512-BbRPTC72fl5vlSKv37v/xIENSRDYL/7X/XoFzZ740FGEbs9vZerLrIkFRY0rv7slQKxDczToYuMmqQFN61fi4Q==",
+      "version": "0.1.9",
+      "resolved": "https://registry.npmjs.org/markdownlint-micromark/-/markdownlint-micromark-0.1.9.tgz",
+      "integrity": "sha512-5hVs/DzAFa8XqYosbEAEg6ok6MF2smDj89ztn9pKkCtdKHVdPQuGMH7frFfYL9mLkvfFe4pTyAMffLbjf3/EyA==",
      "dev": true,
      "engines": {
-        "node": ">=16"
+        "node": ">=18"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/DavidAnson"
      }
    },
    "node_modules/mdurl": {
-      "version": "1.0.1",
-      "resolved": "https://registry.npmjs.org/mdurl/-/mdurl-1.0.1.tgz",
-      "integrity": "sha512-/sKlQJCBYVY9Ers9hqzKou4H6V5UWc/M59TH2dvkt+84itfnq7uFOMLpOiOS4ujvHP4etln18fmIxA5R5fll0g==",
+      "version": "2.0.0",
+      "resolved": "https://registry.npmjs.org/mdurl/-/mdurl-2.0.0.tgz",
+      "integrity": "sha512-Lf+9+2r+Tdp5wXDXC4PcIBjTDtq4UKjCPMQhKIuzpJNW0b96kVqSwW0bT7FhRSfmAiFYgP+SCRvdrDozfh0U5w==",
      "dev": true
    },
    "node_modules/minimatch": {
@ -529,12 +550,13 @@
      }
    },
    "node_modules/minipass": {
-      "version": "5.0.0",
-      "resolved": "https://registry.npmjs.org/minipass/-/minipass-5.0.0.tgz",
-      "integrity": "sha512-3FnjYuehv9k6ovOEbyOswadCDPX1piCfhV8ncmYtHOjuPwylVWsghTLo7rabjC3Rx5xD4HDx8Wm1xnMF7S5qFQ==",
+      "version": "7.1.2",
+      "resolved": "https://registry.npmjs.org/minipass/-/minipass-7.1.2.tgz",
+      "integrity": "sha512-qOOzS1cBTWYF4BH8fVePDBOO9iptMnGUEZwNc/cMWnTV2nVLZ7VoNWEPHkYczZA0pdoA7dl6e7FL659nX9S2aw==",
      "dev": true,
+      "license": "ISC",
      "engines": {
-        "node": ">=8"
+        "node": ">=16 || 14 >=14.17"
      }
    },
    "node_modules/once": {
@ -565,21 +587,31 @@
      }
    },
    "node_modules/path-scurry": {
-      "version": "1.10.1",
-      "resolved": "https://registry.npmjs.org/path-scurry/-/path-scurry-1.10.1.tgz",
-      "integrity": "sha512-MkhCqzzBEpPvxxQ71Md0b1Kk51W01lrYvlMzSUaIzNsODdd7mqhiimSZlr+VegAz5Z6Vzt9Xg2ttE//XBhH3EQ==",
+      "version": "1.11.1",
+      "resolved": "https://registry.npmjs.org/path-scurry/-/path-scurry-1.11.1.tgz",
+      "integrity": "sha512-Xa4Nw17FS9ApQFJ9umLiJS4orGjm7ZzwUrwamcGQuHSzDyth9boKDaycYdDcZDuqYATXw4HFXgaqWTctW/v1HA==",
      "dev": true,
+      "license": "BlueOak-1.0.0",
      "dependencies": {
-        "lru-cache": "^9.1.1 || ^10.0.0",
+        "lru-cache": "^10.2.0",
        "minipass": "^5.0.0 || ^6.0.2 || ^7.0.0"
      },
      "engines": {
-        "node": ">=16 || 14 >=14.17"
+        "node": ">=16 || 14 >=14.18"
      },
      "funding": {
        "url": "https://github.com/sponsors/isaacs"
      }
    },
+    "node_modules/punycode.js": {
+      "version": "2.3.1",
+      "resolved": "https://registry.npmjs.org/punycode.js/-/punycode.js-2.3.1.tgz",
+      "integrity": "sha512-uxFIHU0YlHYhDQtV4R9J6a52SLx28BCjT+4ieh7IGbgwVJWO+km431c4yRlREUAsAmt/uMjQUyQHNEPf0M39CA==",
+      "dev": true,
+      "engines": {
+        "node": ">=6"
+      }
+    },
    "node_modules/repeat-string": {
      "version": "1.6.1",
      "resolved": "https://registry.npmjs.org/repeat-string/-/repeat-string-1.6.1.tgz",
@ -637,6 +669,17 @@
        "url": "https://github.com/sponsors/isaacs"
      }
    },
+    "node_modules/smol-toml": {
+      "version": "1.2.0",
+      "resolved": "https://registry.npmjs.org/smol-toml/-/smol-toml-1.2.0.tgz",
+      "integrity": "sha512-KObxdQANC/xje3OoatMbSwQf2XAvJ0RbK+4nmQRszFNZptbNRnMWqbLF/zb4sMi9xJ6HNyhWXeuZ9zC/I/XY7w==",
+      "dev": true,
+      "license": "BSD-3-Clause",
+      "engines": {
+        "node": ">= 18",
+        "pnpm": ">= 9"
+      }
+    },
    "node_modules/string-width": {
      "version": "5.1.2",
      "resolved": "https://registry.npmjs.org/string-width/-/string-width-5.1.2.tgz",
@ -746,9 +789,9 @@
      }
    },
    "node_modules/uc.micro": {
-      "version": "1.0.6",
-      "resolved": "https://registry.npmjs.org/uc.micro/-/uc.micro-1.0.6.tgz",
-      "integrity": "sha512-8Y75pvTYkLJW2hWQHXxoqRgV7qb9B+9vFEtidML+7koHUFapnVJAZ6cKs+Qjz5Aw3aZWHMC6u0wJE3At+nSGwA==",
+      "version": "2.1.0",
+      "resolved": "https://registry.npmjs.org/uc.micro/-/uc.micro-2.1.0.tgz",
+      "integrity": "sha512-ARDJmphmdvUk6Glw7y9DQ2bFkKBHwQHLi2lsaH6PPmz/Ka9sFOBsBluozhDltWmnv9u/cF6Rt87znRTPV+yp/A==",
      "dev": true
    },
    "node_modules/which": {
--- a/package.json
+++ b/package.json
@ -14,6 +14,6 @@
  },
  "devDependencies": {
    "@bitnami/readme-generator-for-helm": "^2.5.0",
-    "markdownlint-cli": "^0.38.0"
+    "markdownlint-cli": "^0.41.0"
  }
 }
--- a/readme-actions-dev.md
+++ b/readme-actions-dev.md
@ -0,0 +1,34 @@
+# Gitea Actions
+
+In order to use the Gitea Actions act-runner you must either:
+
+- enable persistence (used for automatic deployment to be able to store the token in a place accessible for the Job)
+- create a secret containing the act runner token and reference it as a `existingSecret`
+
+In order to use Gitea Actions, you must log on the server that's running Gitea and run the command:
+    `gitea actions generate-runner-token`
+
+This command will out a token that is needed by the act-runner to register with the Gitea backend.
+
+Because this is a manual operation, we automated this using a Kubernetes Job using the following containers:
+
+1) `actions-token-create`: it uses the current `gitea-rootless` image, mounts the persistent directory to `/data/` then it saves the output from `gitea actions generate-runner-token` to `/data/actions/token`
+2) `actions-token-upload`: it uses a `bitnami/kubectl` image, mounts the scripts directory (`/scripts`) and
+the persistent directory (`/data/`), and using the script from `/scripts/token.sh` stores the token in a Kubernetes secret
+
+After the token is stored in a Kubernetes secret we can create the statefulset that contains the following containers:
+
+1) `act-runner`: authenticates with Gitea using the token that was stored in the secret
+2) `dind`: DockerInDocker image that is used to run the actions
+
+If you are not using persistent volumes, you cannot use the Job to automatically generate the token.
+In this case, you can use either the Web UI to generate the token or run a shell into a Gitea pod and invoke
+the command `gitea actions generate-runner-token`. After generating the token, you must create a secret and use it via:
+
+```yaml
+actions:
+  provisioning:
+    enabled: false
+  existingSecret: "secret-name"
+  existingSecretKey: "secret-key"
+```
--- a/renovate.json5
+++ b/renovate.json5
@ -30,6 +30,14 @@
      ],
      datasourceTemplate: 'github-releases',
    },
+    {
+      'description': 'Automatically detect new Gitea releases',
+      'customType': 'regex',
+      'fileMatch': ['(^|/)Chart\\.yaml$'],
+      'matchStrings': [
+        '# renovate datasource=(?<datasource>\\S+) depName=(?<depName>\\S+) extractVersion=(?<extractVersion>\\S+)\\nappVersion:\\s?(?<currentValue>\\S+)\\n',
+      ],
+    },
  ],
  packageRules: [
    {
@ -56,5 +64,12 @@
        'digest',
      ],
    },
+    {
+      description: 'Override changelog url for Helm image, to have release notes in our PRs',
+      matchDepNames: [
+        'alpine/helm',
+      ],
+      changelogUrl: 'https://github.com/helm/helm',
+    },
  ],
 }
--- a/scripts/token.sh
+++ b/scripts/token.sh
@ -0,0 +1,43 @@
+#!/bin/sh
+
+set -eu
+
+timeout_delay=15
+
+check_token() {
+  set +e
+
+  echo "Checking for existing token..."
+  token="$(kubectl get secret "$SECRET_NAME" -o jsonpath="{.data['token']}" 2> /dev/null)"
+  [ $? -ne 0 ] && return 1
+  [ -z "$token" ] && return 2
+  return 0
+}
+
+create_token() {
+  echo "Waiting for new token to be generated..."
+  begin=$(date +%s)
+  end=$((begin + timeout_delay))
+  while true; do
+    [ -f /data/actions/token ] && return 0
+    [ "$(date +%s)" -gt $end ] && return 1
+    sleep 5
+  done
+}
+
+store_token() {
+  echo "Storing the token in Kubernetes secret..."
+  kubectl patch secret "$SECRET_NAME" -p "{\"data\":{\"token\":\"$(base64 /data/actions/token | tr -d '\n')\"}}"
+}
+
+if check_token; then
+  echo "Key already in place, exiting."
+  exit
+fi
+
+if ! create_token; then
+  echo "Checking for an existing act runner token in secret $SECRET_NAME timed out after $timeout_delay"
+  exit 1
+fi
+
+store_token
--- a/templates/_helpers.tpl
+++ b/templates/_helpers.tpl
@ -3,26 +3,6 @@
 Expand the name of the chart.
 */}}

-{{- /* multiple replicas assertions */ -}}
-{{- if gt .Values.replicaCount 1.0 -}}
-  {{- fail "When using multiple replicas, a RWX file system is required" -}}
-  {{- if eq (get (.Values.persistence.accessModes 0) "ReadWriteOnce") -}}
-    {{- fail "When using multiple replicas, a RWX file system is required" -}}
-  {{- end }}
-  
-  {{- if eq (get .Values.gitea.config.indexer "ISSUE_INDEXER_TYPE") "bleve" -}}
-    {{- fail "When using multiple replicas, the repo indexer must be set to 'meilisearch' or 'elasticsearch'" -}}
-  {{- end }}
-  
-  {{- if and (eq .Values.gitea.config.indexer.REPO_INDEXER_TYPE "bleve") (eq .Values.gitea.config.indexer.REPO_INDEXER_ENABLED "true") -}}
-    {{- fail "When using multiple replicas, the repo indexer must be set to 'meilisearch' or 'elasticsearch'" -}}
-  {{- end }}
-  
-  {{- if eq .Values.gitea.config.indexer.ISSUE_INDEXER_TYPE "bleve" -}}
-    {{- (printf "DEBUG: When using multiple replicas, the repo indexer must be set to 'meilisearch' or 'elasticsearch'") | fail -}}
-  {{- end }}
-{{- end }}
-
 {{- define "gitea.name" -}}
 {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
 {{- end -}}
@ -45,6 +25,13 @@ If release name contains chart name it will be used as a full name.
 {{- end -}}
 {{- end -}}

+{{/*
+Create a default worker name.
+*/}}
+{{- define "gitea.workername" -}}
+{{- printf "%s-%s" .global.Release.Name .worker | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
 {{/*
 Create chart name and version as used by the chart label.
 */}}
@ -60,7 +47,7 @@ Create image name and tag used by the deployment.
 {{- $registry := .Values.global.imageRegistry | default .Values.image.registry -}}
 {{- $repository := .Values.image.repository -}}
 {{- $separator := ":" -}}
-{{- $tag := .Values.image.tag | default .Chart.AppVersion -}}
+{{- $tag := .Values.image.tag | default .Chart.AppVersion | toString -}}
 {{- $rootless := ternary "-rootless" "" (.Values.image.rootless) -}}
 {{- $digest := "" -}}
 {{- if .Values.image.digest }}
@ -94,7 +81,7 @@ imagePullSecrets:
 Storage Class
 */}}
 {{- define "gitea.persistence.storageClass" -}}
-{{- $storageClass := .Values.global.storageClass | default .Values.persistence.storageClass }}
+{{- $storageClass :=  (tpl ( default "" .Values.persistence.storageClass) .) | default (tpl ( default "" .Values.global.storageClass) .) }}
 {{- if $storageClass }}
 storageClassName: {{ $storageClass | quote }}
 {{- end }}
@ -112,6 +99,15 @@ version: {{ .Values.image.tag | default .Chart.AppVersion | quote }}
 app.kubernetes.io/managed-by: {{ .Release.Service }}
 {{- end -}}

+{{- define "gitea.labels.actRunner" -}}
+helm.sh/chart: {{ include "gitea.chart" . }}
+app: {{ include "gitea.name" . }}-act-runner
+{{ include "gitea.selectorLabels.actRunner" . }}
+app.kubernetes.io/version: {{ .Values.image.tag | default .Chart.AppVersion | quote }}
+version: {{ .Values.image.tag | default .Chart.AppVersion | quote }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end -}}
+
 {{/*
 Selector labels
 */}}
@ -120,6 +116,11 @@ app.kubernetes.io/name: {{ include "gitea.name" . }}
 app.kubernetes.io/instance: {{ .Release.Name }}
 {{- end -}}

+{{- define "gitea.selectorLabels.actRunner" -}}
+app.kubernetes.io/name: {{ include "gitea.name" . }}-act-runner
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end -}}
+
 {{- define "postgresql-ha.dns" -}}
 {{- if (index .Values "postgresql-ha").enabled -}}
 {{- printf "%s-postgresql-ha-pgpool.%s.svc.%s:%g" .Release.Name .Release.Namespace .Values.clusterDomain (index .Values "postgresql-ha" "service" "ports" "postgresql") -}}
@ -133,20 +134,28 @@ app.kubernetes.io/instance: {{ .Release.Name }}
 {{- end -}}

 {{- define "redis.dns" -}}
-{{- if (index .Values "redis-cluster").enabled -}}
+{{- if and ((index .Values "redis-cluster").enabled) ((index .Values "redis").enabled) -}}
+{{- fail "redis and redis-cluster cannot be enabled at the same time. Please only choose one." -}}
+{{- else if (index .Values "redis-cluster").enabled -}}
 {{- printf "redis+cluster://:%s@%s-redis-cluster-headless.%s.svc.%s:%g/0?pool_size=100&idle_timeout=180s&" (index .Values "redis-cluster").global.redis.password .Release.Name .Release.Namespace .Values.clusterDomain (index .Values "redis-cluster").service.ports.redis -}}
+{{- else if (index .Values "redis").enabled -}}
+{{- printf "redis://:%s@%s-redis-headless.%s.svc.%s:%g/0?pool_size=100&idle_timeout=180s&" (index .Values "redis").global.redis.password .Release.Name .Release.Namespace .Values.clusterDomain (index .Values "redis").master.service.ports.redis -}}
 {{- end -}}
 {{- end -}}

 {{- define "redis.port" -}}
 {{- if (index .Values "redis-cluster").enabled -}}
 {{ (index .Values "redis-cluster").service.ports.redis }}
+{{- else if (index .Values "redis").enabled -}}
+{{ (index .Values "redis").master.service.ports.redis }}
 {{- end -}}
 {{- end -}}

 {{- define "redis.servicename" -}}
 {{- if (index .Values "redis-cluster").enabled -}}
 {{- printf "%s-redis-cluster-headless.%s.svc.%s" .Release.Name .Release.Namespace .Values.clusterDomain -}}
+{{- else if (index .Values "redis").enabled -}}
+{{- printf "%s-redis-headless.%s.svc.%s" .Release.Name .Release.Namespace .Values.clusterDomain -}}
 {{- end -}}
 {{- end -}}

@ -211,6 +220,15 @@ https
 {{- end -}}
 {{- end -}}

+{{- define "gitea.act_runner.local_root_url" -}}
+{{- if not .Values.gitea.config.server.LOCAL_ROOT_URL -}}
+    {{- printf "http://%s-http:%.0f" (include "gitea.fullname" .) .Values.service.http.port -}}
+{{- else -}}
+  {{/* fallback for allowing to overwrite this value via inline config */}}
+  {{- .Values.gitea.config.server.LOCAL_ROOT_URL -}}
+{{- end -}}
+{{- end -}}
+
 {{- define "gitea.inline_configuration" -}}
  {{- include "gitea.inline_configuration.init" . -}}
  {{- include "gitea.inline_configuration.defaults" . -}}
@ -275,6 +293,9 @@ https
  {{- if not (hasKey .Values.gitea.config "indexer") -}}
    {{- $_ := set .Values.gitea.config "indexer" dict -}}
  {{- end -}}
+  {{- if not (hasKey .Values.gitea.config "actions") -}}
+    {{- $_ := set .Values.gitea.config "actions" dict -}}
+  {{- end -}}
 {{- end -}}

 {{- define "gitea.inline_configuration.defaults" -}}
@ -291,7 +312,7 @@ https
    {{- $_ := set .Values.gitea.config.metrics "ENABLED" .Values.gitea.metrics.enabled -}}
  {{- end -}}
  {{- /* redis queue */ -}}
-  {{- if (index .Values "redis-cluster").enabled -}}
+  {{- if or ((index .Values "redis-cluster").enabled) ((index .Values "redis").enabled) -}}
    {{- $_ := set .Values.gitea.config.queue "TYPE" "redis" -}}
    {{- $_ := set .Values.gitea.config.queue "CONN_STR" (include "redis.dns" .) -}}
    {{- $_ := set .Values.gitea.config.session "PROVIDER" "redis" -}}
@ -321,6 +342,9 @@ https
  {{- if not .Values.gitea.config.indexer.ISSUE_INDEXER_TYPE -}}
     {{- $_ := set .Values.gitea.config.indexer "ISSUE_INDEXER_TYPE" "db" -}}
  {{- end -}}
+  {{- if not .Values.gitea.config.actions.ENABLED -}}
+     {{- $_ := set .Values.gitea.config.actions "ENABLED" (ternary "true" "false" .Values.actions.enabled) -}}
+  {{- end -}}
 {{- end -}}

 {{- define "gitea.inline_configuration.defaults.server" -}}
@ -340,6 +364,9 @@ https
  {{- if not .Values.gitea.config.server.ROOT_URL -}}
    {{- $_ := set .Values.gitea.config.server "ROOT_URL" (printf "%s://%s" (include "gitea.public_protocol" .) .Values.gitea.config.server.DOMAIN) -}}
  {{- end -}}
+  {{- if .Values.actions.enabled -}}
+     {{- $_ := set .Values.gitea.config.server "LOCAL_ROOT_URL" (include "gitea.act_runner.local_root_url" .) -}}
+  {{- end -}}
  {{- if not .Values.gitea.config.server.SSH_DOMAIN -}}
    {{- $_ := set .Values.gitea.config.server "SSH_DOMAIN" .Values.gitea.config.server.DOMAIN -}}
  {{- end -}}
@ -412,3 +439,29 @@ https
 {{- define "gitea.serviceAccountName" -}}
 {{ .Values.serviceAccount.name | default (include "gitea.fullname" .) }}
 {{- end -}}
+
+{{- define "gitea.admin.passwordMode" -}}
+{{- if has .Values.gitea.admin.passwordMode (tuple "keepUpdated" "initialOnlyNoReset" "initialOnlyRequireReset") -}}
+{{ .Values.gitea.admin.passwordMode }}
+{{- else -}}
+{{ printf "gitea.admin.passwordMode must be set to one of 'keepUpdated', 'initialOnlyNoReset', or 'initialOnlyRequireReset'. Received: '%s'" .Values.gitea.admin.passwordMode | fail }}
+{{- end -}}
+{{- end -}}
+
+{{/* Create a functioning probe object for rendering. Given argument must be either a livenessProbe, readinessProbe, or startupProbe */}}
+{{- define "gitea.deployment.probe" -}}
+  {{- $probe := unset . "enabled" -}}
+  {{- $probeKeys := keys $probe -}}
+  {{- $containsCustomMethod := false -}}
+  {{- $chartDefaultMethod := "tcpSocket" -}}
+  {{- $nonChartDefaultMethods := list "exec" "httpGet" "grpc" -}}
+  {{- range $probeKeys -}}
+    {{- if has . $nonChartDefaultMethods -}}
+      {{- $containsCustomMethod = true -}}
+    {{- end -}}
+  {{- end -}}
+  {{- if $containsCustomMethod -}}
+    {{- $probe = unset . $chartDefaultMethod -}}
+  {{- end -}}
+  {{- toYaml $probe -}}
+{{- end -}}
--- a/templates/gitea/act_runner/01-consistency-checks.yaml
+++ b/templates/gitea/act_runner/01-consistency-checks.yaml
@ -0,0 +1,15 @@
+{{- if .Values.actions.enabled -}}
+    {{- if .Values.actions.provisioning.enabled -}}
+        {{- if not (and .Values.persistence.enabled .Values.persistence.mount) -}}
+            {{- fail "persistence.enabled and persistence.mount are required when provisioning is enabled" -}}
+        {{- end -}}
+        {{- if and .Values.persistence.enabled .Values.persistence.mount -}}
+            {{- if .Values.actions.existingSecret -}}
+                {{- fail "Can't specify both actions.provisioning.enabled and actions.existingSecret" -}}
+            {{- end -}}
+        {{- end -}}
+    {{- end -}}
+    {{- if and (not .Values.actions.provisioning.enabled) (or (empty .Values.actions.existingSecret) (empty .Values.actions.existingSecretKey)) -}}
+        {{- fail "actions.existingSecret and actions.existingSecretKey are required when provisioning is disabled" -}}
+    {{- end -}}
+{{- end -}}
--- a/templates/gitea/act_runner/config-act-runner.yaml
+++ b/templates/gitea/act_runner/config-act-runner.yaml
@ -0,0 +1,14 @@
+{{- if .Values.actions.enabled }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "gitea.fullname" . }}-act-runner-config
+  labels:
+    {{- include "gitea.labels" . | nindent 4 }}
+data:
+  config.yaml: |
+    {{- with .Values.actions.statefulset.actRunner.config -}}
+    {{ . | nindent 4}}
+    {{- end -}}
+{{- end }}
--- a/templates/gitea/act_runner/config-scripts.yaml
+++ b/templates/gitea/act_runner/config-scripts.yaml
@ -0,0 +1,13 @@
+{{- if .Values.actions.enabled }}
+{{- if and (and .Values.actions.provisioning.enabled .Values.persistence.enabled) .Values.persistence.mount }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "gitea.fullname" . }}-scripts
+  labels:
+    {{- include "gitea.labels" . | nindent 4 }}
+data:
+{{ (.Files.Glob "scripts/*.sh").AsConfig | indent 2 }}
+{{- end }}
+{{- end }}
--- a/templates/gitea/act_runner/job.yaml
+++ b/templates/gitea/act_runner/job.yaml
@ -0,0 +1,114 @@
+{{- if .Values.actions.enabled }}
+{{- if and (and .Values.actions.provisioning.enabled .Values.persistence.enabled) .Values.persistence.mount }}
+{{- $name := include "gitea.workername" (dict "global" . "worker" "actions-token-job") }}
+{{- $secretName := include "gitea.workername" (dict "global" . "worker" "actions-token") }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ $name }}
+  labels:
+    {{- include "gitea.labels" . | nindent 4 }}
+    {{- with .Values.actions.provisioning.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+    app.kubernetes.io/component: token-job
+  annotations:
+    {{- with .Values.actions.provisioning.annotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+spec:
+  ttlSecondsAfterFinished: {{ .Values.actions.provisioning.ttlSecondsAfterFinished }}
+  template:
+    metadata:
+      labels:
+        {{- include "gitea.labels" . | nindent 8 }}
+        {{- with .Values.actions.provisioning.labels }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
+        app.kubernetes.io/component: token-job
+    spec:
+      initContainers:
+        - name: init-gitea
+          image: "{{ .Values.actions.init.image.repository }}:{{ .Values.actions.init.image.tag }}"
+          command:
+            - sh
+            - -c
+            - |
+              while ! nc -z {{ include "gitea.fullname" . }}-http {{ .Values.service.http.port }}; do
+                sleep 5
+              done
+      containers:
+        - name: actions-token-create
+          image: "{{ include "gitea.image" . }}"
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          env:
+            - name: GITEA_APP_INI
+              value: /data/gitea/conf/app.ini
+          command:
+            - sh
+            - -c
+            - |
+              echo "Generating act_runner token via 'gitea actions generate-runner-token'..."
+              mkdir -p /data/actions/
+              gitea actions generate-runner-token | grep -E '^.{40}$' | tr -d '\n' > /data/actions/token
+          resources:
+            {{- toYaml .Values.actions.provisioning.resources | nindent 12 }}
+          volumeMounts:
+            - name: data
+              mountPath: /data
+              {{- if .Values.persistence.subPath }}
+              subPath: {{ .Values.persistence.subPath }}
+              {{- end }}
+        - name: actions-token-upload
+          image: "{{ .Values.actions.provisioning.publish.repository }}:{{ .Values.actions.provisioning.publish.tag }}"
+          imagePullPolicy: {{ .Values.actions.provisioning.publish.pullPolicy }}
+          env:
+            - name: SECRET_NAME
+              value: {{ $secretName }}
+          command:
+            - sh
+            - -c
+            - |
+              printf "Checking rights to update kubernetes act_runner secret..."
+              kubectl auth can-i update secret/${SECRET_NAME}
+              /scripts/token.sh
+          resources:
+            {{- toYaml .Values.actions.provisioning.resources | nindent 12 }}
+          volumeMounts:
+            - mountPath: /scripts
+              name: scripts
+              readOnly: true
+            - mountPath: /data
+              name: data
+              readOnly: true
+              {{- if .Values.persistence.subPath }}
+              subPath: {{ .Values.persistence.subPath }}
+              {{- end }}
+      {{- with .Values.actions.provisioning.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.actions.provisioning.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.actions.provisioning.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      restartPolicy: Never
+      serviceAccount: {{ $name }}
+      volumes:
+        - name: scripts
+          configMap:
+            name: {{ include "gitea.fullname" . }}-scripts
+            defaultMode: 0755
+        - name: data
+          persistentVolumeClaim:
+            claimName: {{ .Values.persistence.claimName }}
+  parallelism: 1
+  completions: 1
+  backoffLimit: 1
+{{- end }}
+{{- end }}
--- a/templates/gitea/act_runner/role-job.yaml
+++ b/templates/gitea/act_runner/role-job.yaml
@ -0,0 +1,25 @@
+{{- if .Values.actions.enabled }}
+{{- if and (and .Values.actions.provisioning.enabled .Values.persistence.enabled) .Values.persistence.mount }}
+{{- $name := include "gitea.workername" (dict "global" . "worker" "actions-token-job") }}
+{{- $secretName := include "gitea.workername" (dict "global" . "worker" "actions-token") }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ $name }}
+  labels:
+    {{- include "gitea.labels" . | nindent 4 }}
+    app.kubernetes.io/component: token-job
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - secrets
+    resourceNames:
+      - {{ $secretName }}
+    verbs:
+      - get
+      - update
+      - patch
+{{- end }}
+{{- end }}
--- a/templates/gitea/act_runner/rolebinding-job.yaml
+++ b/templates/gitea/act_runner/rolebinding-job.yaml
@ -0,0 +1,22 @@
+{{- if .Values.actions.enabled }}
+{{- if and (and .Values.actions.provisioning.enabled .Values.persistence.enabled) .Values.persistence.mount }}
+{{- $name := include "gitea.workername" (dict "global" . "worker" "actions-token-job") }}
+{{- $secretName := include "gitea.workername" (dict "global" . "worker" "actions-token") }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ $name }}
+  labels:
+    {{- include "gitea.labels" . | nindent 4 }}
+    app.kubernetes.io/component: token-job
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ $name }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ $name }}
+    namespace: {{ .Release.Namespace }}
+{{- end }}
+{{- end }}
--- a/templates/gitea/act_runner/secret-token.yaml
+++ b/templates/gitea/act_runner/secret-token.yaml
@ -0,0 +1,19 @@
+{{- if .Values.actions.enabled }}
+{{- if and (and .Values.actions.provisioning.enabled .Values.persistence.enabled) .Values.persistence.mount }}
+{{- $name := include "gitea.workername" (dict "global" . "worker" "actions-token-job") }}
+{{- $secretName := include "gitea.workername" (dict "global" . "worker" "actions-token") }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ $secretName }}
+  labels:
+    {{- include "gitea.labels" . | nindent 4 }}
+    app.kubernetes.io/component: token-job
+{{ $secret := (lookup "v1" "Secret" .Release.Namespace $secretName) -}}
+{{ if $secret -}}
+data:
+  token: {{ (b64dec (index $secret.data "token")) | b64enc }}
+{{ end -}}
+{{- end }}
+{{- end }}
--- a/templates/gitea/act_runner/serviceaccount-job.yaml
+++ b/templates/gitea/act_runner/serviceaccount-job.yaml
@ -0,0 +1,13 @@
+{{- if .Values.actions.enabled }}
+{{- if and (and .Values.actions.provisioning.enabled .Values.persistence.enabled) .Values.persistence.mount }}
+{{- $name := include "gitea.workername" (dict "global" . "worker" "actions-token-job") }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ $name }}
+  labels:
+    {{- include "gitea.labels" . | nindent 4 }}
+    app.kubernetes.io/component: token-job
+{{- end }}
+{{- end }}
--- a/templates/gitea/act_runner/statefulset.yaml
+++ b/templates/gitea/act_runner/statefulset.yaml
@ -0,0 +1,117 @@
+{{- if .Values.actions.enabled }}
+{{- $secretName := include "gitea.workername" (dict "global" . "worker" "actions-token") }}
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  labels:
+    {{- include "gitea.labels.actRunner" . | nindent 4 }}
+    {{- with .Values.actions.statefulset.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+  annotations:
+    {{- with .Values.actions.statefulset.annotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+  name: {{ include "gitea.fullname" . }}-act-runner
+spec:
+  selector:
+    matchLabels:
+      {{- include "gitea.selectorLabels.actRunner" . | nindent 6 }}
+  template:
+    metadata:
+      labels:
+        {{- include "gitea.labels.actRunner" . | nindent 8 }}
+        {{- with .Values.actions.statefulset.labels }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
+    spec:
+      initContainers:
+        - name: init-gitea
+          image: "{{ .Values.actions.init.image.repository }}:{{ .Values.actions.init.image.tag }}"
+          command:
+            - sh
+            - -c
+            - |
+              while ! nc -z {{ include "gitea.fullname" . }}-http {{ .Values.service.http.port }}; do
+                sleep 5
+              done
+      containers:
+        - name: act-runner
+          image: "{{ .Values.actions.statefulset.actRunner.repository }}:{{ .Values.actions.statefulset.actRunner.tag }}"
+          imagePullPolicy: {{ .Values.actions.statefulset.actRunner.pullPolicy }}
+          workingDir: /data
+          env:
+            - name: DOCKER_HOST
+              value: tcp://127.0.0.1:2376
+            - name: DOCKER_TLS_VERIFY
+              value: "1"
+            - name: DOCKER_CERT_PATH
+              value: /certs/server
+            - name: GITEA_RUNNER_REGISTRATION_TOKEN
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Values.actions.existingSecret | default $secretName }}"
+                  key: "{{ .Values.actions.existingSecretKey | default "token" }}"
+            - name: GITEA_INSTANCE_URL
+              value: {{ include "gitea.act_runner.local_root_url" . }}
+            - name: CONFIG_FILE
+              value: /actrunner/config.yaml
+          resources:
+            {{- toYaml .Values.actions.statefulset.resources | nindent 12 }}
+          volumeMounts:
+            - mountPath: /actrunner/config.yaml
+              name: act-runner-config
+              subPath: config.yaml
+            - mountPath: /certs/server
+              name: docker-certs
+            - mountPath: /data
+              name: data-act-runner
+        - name: dind
+          image: "{{ .Values.actions.statefulset.dind.repository }}:{{ .Values.actions.statefulset.dind.tag }}"
+          imagePullPolicy: {{ .Values.actions.statefulset.dind.pullPolicy }}
+          env:
+            - name: DOCKER_HOST
+              value: tcp://127.0.0.1:2376
+            - name: DOCKER_TLS_VERIFY
+              value: "1"
+            - name: DOCKER_CERT_PATH
+              value: /certs/server
+            {{- if .Values.actions.statefulset.dind.extraEnvs }}
+            {{- toYaml .Values.actions.statefulset.dind.extraEnvs | nindent 12 }}
+            {{- end }}
+          securityContext:
+            privileged: true
+          resources:
+            {{- toYaml .Values.actions.statefulset.resources | nindent 12 }}
+          volumeMounts:
+            - mountPath: /certs/server
+              name: docker-certs
+      {{- with .Values.actions.statefulset.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.actions.statefulset.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.actions.statefulset.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      volumes:
+        - name: act-runner-config
+          configMap:
+            name: {{ include "gitea.fullname" . }}-act-runner-config
+        - name: docker-certs
+          emptyDir: {}
+  volumeClaimTemplates:
+    - metadata:
+        name: data-act-runner
+      spec:
+        accessModes: [ "ReadWriteOnce" ]
+        {{- include "gitea.persistence.storageClass" . | nindent 8 }}
+        resources:
+          requests:
+            storage: 1Mi
+{{- end }}
--- a/templates/gitea/config.yaml
+++ b/templates/gitea/config.yaml
@ -2,6 +2,7 @@ apiVersion: v1
 kind: Secret
 metadata:
  name: {{ include "gitea.fullname" . }}-inline-config
+  namespace: {{ .Values.namespace | default .Release.Namespace }}
  labels:
    {{- include "gitea.labels" . | nindent 4 }}
 type: Opaque
@ -12,41 +13,47 @@ apiVersion: v1
 kind: Secret
 metadata:
  name: {{ include "gitea.fullname" . }}
+  namespace: {{ .Values.namespace | default .Release.Namespace }}
  labels:
    {{- include "gitea.labels" . | nindent 4 }}
 type: Opaque
 stringData:
  assertions: |

-{{- /*assert that only one PG dep is enabled */ -}}
-{{- if and (.Values.postgresql.enabled) (index .Values "postgresql-ha" "enabled") -}}
-  {{- fail "Only one of postgresql or postgresql-ha can be enabled at the same time." -}}
-{{- end }}
-
-{{- /* multiple replicas assertions */ -}}
-{{- if gt .Values.replicaCount 1.0 -}}
-  {{- if (get (get .Values.gitea.config "cron.GIT_GC_REPOS") "ENABLED") -}}
-    {{- fail "Invoking the garbage collector via CRON is not yet supported when running with multiple replicas. Please set 'cron.GIT_GC_REPOS.enabled = false'." -}}
-  {{- end }}
-
-  {{- if eq (first .Values.persistence.accessModes) "ReadWriteOnce" -}}
-    {{- fail "When using multiple replicas, a RWX file system is required and gitea.persistence.accessModes[0] must be set to ReadWriteMany." -}}
-  {{- end }}
-
-  {{- if eq (get .Values.gitea.config.indexer "ISSUE_INDEXER_TYPE") "bleve" -}}
-    {{- fail "When using multiple replicas, the issue indexer (gitea.config.indexer.ISSUE_INDEXER_TYPE) must be set to a HA-ready provider such as 'meilisearch', 'elasticsearch' or 'db' (if the DB is HA-ready)." -}}
-  {{- end }}
-  {{- if .Values.gitea.config.indexer.REPO_INDEXER_TYPE -}}
-    {{- if eq (get .Values.gitea.config.indexer "REPO_INDEXER_TYPE") "bleve" -}}
-      {{- if .Values.gitea.config.indexer.REPO_INDEXER_ENABLED -}}
-        {{- if eq (get .Values.gitea.config.indexer "REPO_INDEXER_ENABLED") "true" -}}
-          {{- fail "When using multiple replicas, the repo indexer (gitea.config.indexer.REPO_INDEXER_TYPE) must be set to 'meilisearch' or 'elasticsearch' or disabled." -}}
+    {{- /*assert that only one PG dep is enabled */ -}}
+    {{- if and (.Values.postgresql.enabled) (index .Values "postgresql-ha" "enabled") -}}
+      {{- fail "Only one of postgresql or postgresql-ha can be enabled at the same time." -}}
+    {{- end }}
+    
+    {{- /* multiple replicas assertions */ -}}
+    {{- if gt .Values.replicaCount 1.0 -}}
+      {{- if .Values.gitea.config.cron -}}
+        {{- if .Values.gitea.config.cron.GIT_GC_REPOS -}}
+          {{- if eq .Values.gitea.config.cron.GIT_GC_REPOS.ENABLED true -}}
+            {{ fail "Invoking the garbage collector via CRON is not yet supported when running with multiple replicas. Please set 'cron.GIT_GC_REPOS.enabled = false'." }}
+          {{- end }}
        {{- end }}
      {{- end }}
+    
+      {{- if eq (first .Values.persistence.accessModes) "ReadWriteOnce" -}}
+        {{- fail "When using multiple replicas, a RWX file system is required and gitea.persistence.accessModes[0] must be set to ReadWriteMany." -}}
+      {{- end }}
+      {{- if .Values.gitea.config.indexer -}}
+        {{- if eq .Values.gitea.config.indexer.ISSUE_INDEXER_TYPE "bleve" -}}
+          {{- fail "When using multiple replicas, the issue indexer (gitea.config.indexer.ISSUE_INDEXER_TYPE) must be set to a HA-ready provider such as 'meilisearch', 'elasticsearch' or 'db' (if the DB is HA-ready)." -}}
+        {{- end }}
+        {{- if .Values.gitea.config.indexer.REPO_INDEXER_TYPE -}}
+          {{- if eq .Values.gitea.config.indexer.REPO_INDEXER_TYPE "bleve" -}}
+            {{- if .Values.gitea.config.indexer.REPO_INDEXER_ENABLED -}}
+              {{- if eq .Values.gitea.config.indexer.REPO_INDEXER_ENABLED true -}}
+                {{- fail "When using multiple replicas, the repo indexer (gitea.config.indexer.REPO_INDEXER_TYPE) must be set to 'meilisearch' or 'elasticsearch' or disabled." -}}
+              {{- end }}
+            {{- end }}
+          {{- end }}
+        {{- end }}
+      {{- end }}
+      
    {{- end }}
-  {{- end }}
-  
-{{- end }}
  config_environment.sh: |-
    #!/usr/bin/env bash
    set -euo pipefail
--- a/templates/gitea/deployment.yaml
+++ b/templates/gitea/deployment.yaml
@ -2,12 +2,16 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: {{ include "gitea.fullname" . }}
+  namespace: {{ .Values.namespace | default .Release.Namespace }}
  annotations:
    {{- if .Values.deployment.annotations }}
    {{- toYaml .Values.deployment.annotations | nindent 4 }}
    {{- end }}
  labels:
    {{- include "gitea.labels" . | nindent 4 }}
+    {{- if .Values.deployment.labels }}
+    {{- toYaml .Values.deployment.labels | nindent 4 }}
+    {{- end }}
 spec:
  replicas: {{ .Values.replicaCount }}
  strategy:
@ -240,6 +244,8 @@ spec:
            - name: GITEA_ADMIN_PASSWORD
              value: {{ .Values.gitea.admin.password | quote }}
            {{- end }}
+            - name: GITEA_ADMIN_PASSWORD_MODE
+              value: {{ include "gitea.admin.passwordMode" $ }}
            {{- if .Values.deployment.env }}
            {{- toYaml .Values.deployment.env | nindent 12 }}
            {{- end }}
@ -306,15 +312,15 @@ spec:
            {{- end }}
          {{- if .Values.gitea.livenessProbe.enabled }}
          livenessProbe:
-            {{- toYaml (omit .Values.gitea.livenessProbe "enabled") | nindent 12 }}
+            {{- include "gitea.deployment.probe" .Values.gitea.livenessProbe | nindent 12 }}
          {{- end }}
          {{- if .Values.gitea.readinessProbe.enabled }}
          readinessProbe:
-            {{- toYaml (omit .Values.gitea.readinessProbe "enabled") | nindent 12 }}
+            {{- include "gitea.deployment.probe" .Values.gitea.readinessProbe | nindent 12 }}
          {{- end }}
          {{- if .Values.gitea.startupProbe.enabled }}
          startupProbe:
-            {{- toYaml (omit .Values.gitea.startupProbe "enabled") | nindent 12 }}
+            {{- include "gitea.deployment.probe" .Values.gitea.startupProbe | nindent 12 }}
          {{- end }}
          resources:
            {{- toYaml .Values.resources | nindent 12 }}
@ -334,6 +340,9 @@ spec:
              subPath: {{ .Values.persistence.subPath }}
              {{- end }}
            {{- include "gitea.container-additional-mounts" . | nindent 12 }}
+        {{- if .Values.extraContainers }}
+        {{- toYaml .Values.extraContainers | nindent 8 }}
+        {{- end }}
      {{- with .Values.global.hostAliases }}
      hostAliases:
        {{- toYaml . | nindent 8 }}
--- a/templates/gitea/gpg-secret.yaml
+++ b/templates/gitea/gpg-secret.yaml
@ -7,6 +7,7 @@ apiVersion: v1
 kind: Secret
 metadata:
  name: {{ include "gitea.gpg-key-secret-name" . }}
+  namespace: {{ .Values.namespace | default .Release.Namespace }}
  labels:
    {{- include "gitea.labels" . | nindent 4 }}
 type: Opaque
--- a/templates/gitea/http-svc.yaml
+++ b/templates/gitea/http-svc.yaml
@ -2,13 +2,21 @@ apiVersion: v1
 kind: Service
 metadata:
  name: {{ include "gitea.fullname" . }}-http
+  namespace: {{ .Values.namespace | default .Release.Namespace }}
  labels:
    {{- include "gitea.labels" . | nindent 4 }}
+    {{- if .Values.service.http.labels }}
+    {{- toYaml .Values.service.http.labels  | nindent 4 }}
+    {{- end }}
  annotations:
    {{- toYaml .Values.service.http.annotations | nindent 4 }}
 spec:
  type: {{ .Values.service.http.type }}
-  {{- if and .Values.service.http.loadBalancerIP (eq .Values.service.http.type "LoadBalancer") }}
+  {{- if eq .Values.service.http.type "LoadBalancer" }}
+  {{- if .Values.service.http.loadBalancerClass }}
+  loadBalancerClass: {{ .Values.service.http.loadBalancerClass }}
+  {{- end }}
+  {{- if and .Values.service.http.loadBalancerIP }}
  loadBalancerIP: {{ .Values.service.http.loadBalancerIP  }}
  {{- end }}
  {{- if .Values.service.http.loadBalancerSourceRanges }}
@ -17,6 +25,7 @@ spec:
    - {{ . }}
  {{- end }}
  {{- end }}
+  {{- end }}
  {{- if .Values.service.http.externalIPs }}
  externalIPs:
    {{- toYaml .Values.service.http.externalIPs | nindent 4 }}
--- a/templates/gitea/ingress.yaml
+++ b/templates/gitea/ingress.yaml
@ -13,6 +13,7 @@ apiVersion: {{ $apiVersion }}
 kind: Ingress
 metadata:
  name: {{ $fullName }}
+  namespace: {{ .Values.namespace | default .Release.Namespace }}
  labels:
    {{- include "gitea.labels" . | nindent 4 }}
  annotations:
@ -21,7 +22,7 @@ metadata:
    {{- end }}
 spec:
 {{- if .Values.ingress.className }}
-  ingressClassName: {{ .Values.ingress.className }}
+  ingressClassName: {{ tpl .Values.ingress.className . }}
 {{- end }}
 {{- if .Values.ingress.tls }}
  tls:
--- a/templates/gitea/init.yaml
+++ b/templates/gitea/init.yaml
@ -2,6 +2,7 @@ apiVersion: v1
 kind: Secret
 metadata:
  name: {{ include "gitea.fullname" . }}-init
+  namespace: {{ .Values.namespace | default .Release.Namespace }}
  labels:
    {{- include "gitea.labels" . | nindent 4 }}
 type: Opaque
@ -24,27 +25,25 @@ stringData:
    # END: initPreScript
    {{- end }}

-    set -x
-
    {{- if not .Values.image.rootless }}
-    chown 1000:1000 /data
+    chown -v 1000:1000 /data
    {{- end }}
-    mkdir -p /data/git/.ssh
-    chmod -R 700 /data/git/.ssh
-    [ ! -d /data/gitea/conf ] && mkdir -p /data/gitea/conf
+    mkdir -pv /data/git/.ssh
+    chmod -Rv 700 /data/git/.ssh
+    [ ! -d /data/gitea/conf ] && mkdir -pv /data/gitea/conf

    # prepare temp directory structure
-    mkdir -p "${GITEA_TEMP}"
+    mkdir -pv "${GITEA_TEMP}"
    {{- if not .Values.image.rootless }}
-    chown 1000:1000 "${GITEA_TEMP}"
+    chown -v 1000:1000 "${GITEA_TEMP}"
    {{- end }}
-    chmod ug+rwx "${GITEA_TEMP}"
+    chmod -v ug+rwx "${GITEA_TEMP}"

    {{ if .Values.signing.enabled -}}
    if [ ! -d "${GNUPGHOME}" ]; then
-      mkdir -p "${GNUPGHOME}"
-      chmod 700 "${GNUPGHOME}"
-      chown 1000:1000 "${GNUPGHOME}"
+      mkdir -pv "${GNUPGHOME}"
+      chmod -v 700 "${GNUPGHOME}"
+      chown -v 1000:1000 "${GNUPGHOME}"
    fi
    {{- end }}

@ -86,15 +85,56 @@ stringData:

    {{- if or .Values.gitea.admin.existingSecret (and .Values.gitea.admin.username .Values.gitea.admin.password) }}
    function configure_admin_user() {
-      local ACCOUNT_ID=$(gitea admin user list --admin | grep -e "\s\+${GITEA_ADMIN_USERNAME}\s\+" | awk -F " " "{printf \$1}")
+      local full_admin_list=$(gitea admin user list --admin)
+      local actual_user_table=''
+
+      # We might have distorted output due to warning logs, so we have to detect the actual user table by its headline and trim output above that line
+      local regex="(.*)(ID\s+Username\s+Email\s+IsActive.*)"
+      if [[ "${full_admin_list}" =~ $regex ]]; then
+        actual_user_table=$(echo "${BASH_REMATCH[2]}" | tail -n+2) # tail'ing to drop the table headline
+      else
+        # This code block should never be reached, as long as the output table header remains the same.
+        # If this code block is reached, the regex doesn't match anymore and we probably have to adjust this script.
+
+        echo "ERROR: 'configure_admin_user' was not able to determine the current list of admin users."
+        echo "       Please review the output of 'gitea admin user list --admin' shown below."
+        echo "       If you think it is an issue with the Helm Chart provisioning, file an issue at https://gitea.com/gitea/helm-chart/issues."
+        echo "DEBUG: Output of 'gitea admin user list --admin'"
+        echo "--"
+        echo "${full_admin_list}"
+        echo "--"
+        exit 1
+      fi
+
+      local ACCOUNT_ID=$(echo "${actual_user_table}" | grep -E "\s+${GITEA_ADMIN_USERNAME}\s+" | awk -F " " "{printf \$1}")
      if [[ -z "${ACCOUNT_ID}" ]]; then
+        local -a create_args
+        create_args=(--admin --username "${GITEA_ADMIN_USERNAME}" --password "${GITEA_ADMIN_PASSWORD}" --email {{ .Values.gitea.admin.email | quote }})
+        if [[ "${GITEA_ADMIN_PASSWORD_MODE}" = initialOnlyRequireReset ]]; then
+          create_args+=(--must-change-password=true)
+        else
+          create_args+=(--must-change-password=false)
+        fi
        echo "No admin user '${GITEA_ADMIN_USERNAME}' found. Creating now..."
-        gitea admin user create --admin --username "${GITEA_ADMIN_USERNAME}" --password "${GITEA_ADMIN_PASSWORD}" --email {{ .Values.gitea.admin.email | quote }} --must-change-password=false
+        gitea admin user create "${create_args[@]}"
        echo '...created.'
      else
-        echo "Admin account '${GITEA_ADMIN_USERNAME}' already exist. Running update to sync password..."
-        gitea admin user change-password --username "${GITEA_ADMIN_USERNAME}" --password "${GITEA_ADMIN_PASSWORD}"
-        echo '...password sync done.'
+        if [[ "${GITEA_ADMIN_PASSWORD_MODE}" = keepUpdated ]]; then
+          echo "Admin account '${GITEA_ADMIN_USERNAME}' already exist. Running update to sync password..."
+          # See https://gitea.com/gitea/helm-chart/issues/673
+          # --must-change-password argument was added to change-password, defaulting to true, counter to the previous behavior
+          #   which acted as if it were provided with =false. If the argument is present in this version of gitea, then we
+          #   should add it to prevent requiring frequent admin password resets.
+          local -a change_args
+          change_args=(--username "${GITEA_ADMIN_USERNAME}" --password "${GITEA_ADMIN_PASSWORD}")
+          if gitea admin user change-password --help | grep -qF -- '--must-change-password'; then
+            change_args+=(--must-change-password=false)
+          fi
+          gitea admin user change-password "${change_args[@]}"
+          echo '...password sync done.'
+        else
+          echo "Admin account '${GITEA_ADMIN_USERNAME}' already exist, but update mode is set to '${GITEA_ADMIN_PASSWORD_MODE}'. Skipping."
+        fi
      fi
    }

@ -105,7 +145,28 @@ stringData:
      {{- if .Values.gitea.ldap }}
      {{- range $idx, $value := .Values.gitea.ldap }}
      local LDAP_NAME={{ (printf "%s" $value.name) | squote }}
-      local GITEA_AUTH_ID=$(gitea admin auth list --vertical-bars | grep -E "\|${LDAP_NAME}\s+\|" | grep -iE '\|LDAP \(via BindDN\)\s+\|' | awk -F " "  "{print \$1}")
+      local full_auth_list=$(gitea admin auth list --vertical-bars)
+      local actual_auth_table=''
+
+      # We might have distorted output due to warning logs, so we have to detect the actual user table by its headline and trim output above that line
+      local regex="(.*)(ID\s+\|Name\s+\|Type\s+\|Enabled.*)"
+      if [[ "${full_auth_list}" =~ $regex ]]; then
+        actual_auth_table=$(echo "${BASH_REMATCH[2]}" | tail -n+2) # tail'ing to drop the table headline
+      else
+        # This code block should never be reached, as long as the output table header remains the same.
+        # If this code block is reached, the regex doesn't match anymore and we probably have to adjust this script.
+
+        echo "ERROR: 'configure_ldap' was not able to determine the current list of authentication sources."
+        echo "       Please review the output of 'gitea admin auth list --vertical-bars' shown below."
+        echo "       If you think it is an issue with the Helm Chart provisioning, file an issue at https://gitea.com/gitea/helm-chart/issues."
+        echo "DEBUG: Output of 'gitea admin auth list --vertical-bars'"
+        echo "--"
+        echo "${full_auth_list}"
+        echo "--"
+        exit 1
+      fi
+
+      local GITEA_AUTH_ID=$(echo "${actual_auth_table}" | grep -E "\|${LDAP_NAME}\s+\|" | grep -iE '\|LDAP \(via BindDN\)\s+\|' | awk -F " "  "{print \$1}")

      if [[ -z "${GITEA_AUTH_ID}" ]]; then
        echo "No ldap configuration found with name '${LDAP_NAME}'. Installing it now..."
@ -128,7 +189,28 @@ stringData:
      {{- if .Values.gitea.oauth }}
      {{- range $idx, $value := .Values.gitea.oauth }}
      local OAUTH_NAME={{ (printf "%s" $value.name) | squote }}
-      local AUTH_ID=$(gitea admin auth list --vertical-bars | grep -E "\|${OAUTH_NAME}\s+\|" | grep -iE '\|OAuth2\s+\|' | awk -F " "  "{print \$1}")
+      local full_auth_list=$(gitea admin auth list --vertical-bars)
+      local actual_auth_table=''
+
+      # We might have distorted output due to warning logs, so we have to detect the actual user table by its headline and trim output above that line
+      local regex="(.*)(ID\s+\|Name\s+\|Type\s+\|Enabled.*)"
+      if [[ "${full_auth_list}" =~ $regex ]]; then
+        actual_auth_table=$(echo "${BASH_REMATCH[2]}" | tail -n+2) # tail'ing to drop the table headline
+      else
+        # This code block should never be reached, as long as the output table header remains the same.
+        # If this code block is reached, the regex doesn't match anymore and we probably have to adjust this script.
+
+        echo "ERROR: 'configure_oauth' was not able to determine the current list of authentication sources."
+        echo "       Please review the output of 'gitea admin auth list --vertical-bars' shown below."
+        echo "       If you think it is an issue with the Helm Chart provisioning, file an issue at https://gitea.com/gitea/helm-chart/issues."
+        echo "DEBUG: Output of 'gitea admin auth list --vertical-bars'"
+        echo "--"
+        echo "${full_auth_list}"
+        echo "--"
+        exit 1
+      fi
+
+      local AUTH_ID=$(echo "${actual_auth_table}" | grep -E "\|${OAUTH_NAME}\s+\|" | grep -iE '\|OAuth2\s+\|' | awk -F " "  "{print \$1}")

      if [[ -z "${AUTH_ID}" ]]; then
        echo "No oauth configuration found with name '${OAUTH_NAME}'. Installing it now..."
--- a/templates/gitea/poddisruptionbudget.yaml
+++ b/templates/gitea/poddisruptionbudget.yaml
@ -7,6 +7,7 @@ apiVersion: policy/v1beta1
 kind: PodDisruptionBudget
 metadata:
  name: {{ include "gitea.fullname" . }}
+  namespace: {{ .Values.namespace | default .Release.Namespace }}
  labels:
    {{- include "gitea.labels" . | nindent 4 }}
 spec:
--- a/templates/gitea/pvc.yaml
+++ b/templates/gitea/pvc.yaml
@ -3,9 +3,11 @@ kind: PersistentVolumeClaim
 apiVersion: v1
 metadata:
  name: {{ .Values.persistence.claimName }}
-  namespace: {{ $.Release.Namespace }}
+  namespace: {{ .Values.namespace | default .Release.Namespace }}
  annotations:
 {{ .Values.persistence.annotations | toYaml | indent 4}}
+  labels:
+{{ .Values.persistence.labels | toYaml | indent 4}}
 spec:
  accessModes:
  {{- if gt .Values.replicaCount 1.0 }}
@ -14,9 +16,7 @@ spec:
    {{- .Values.persistence.accessModes | toYaml | nindent 4 }}
  {{- end }}
  volumeMode: Filesystem
-  {{- if .Values.persistence.storageClass }}
-  storageClassName: {{ .Values.persistence.storageClass }}
-  {{- end }}
+  {{- include "gitea.persistence.storageClass" . | nindent 2 }}
  {{- with .Values.persistence.volumeName }}
  volumeName: {{ . }}
  {{- end }}
--- a/templates/gitea/serviceaccount.yaml
+++ b/templates/gitea/serviceaccount.yaml
@ -3,7 +3,7 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: {{ include "gitea.serviceAccountName" . }}
-  namespace: {{ .Release.Namespace | quote }}
+  namespace: {{ .Values.namespace | default .Release.Namespace }}
  labels:
    {{- include "gitea.labels" . | nindent 4 }}
    {{- with .Values.serviceAccount.labels }}
--- a/templates/gitea/servicemonitor.yaml
+++ b/templates/gitea/servicemonitor.yaml
@ -1,8 +1,9 @@
-{{- if .Values.gitea.metrics.serviceMonitor.enabled -}}
+{{- if and .Values.gitea.metrics.enabled .Values.gitea.metrics.serviceMonitor.enabled -}}
 apiVersion: monitoring.coreos.com/v1
 kind: ServiceMonitor
 metadata:
  name: {{ include "gitea.fullname" . }}
+  namespace: {{ .Values.namespace | default .Release.Namespace }}
  labels:
    {{- include "gitea.labels" . | nindent 4 }}
    {{- if .Values.gitea.metrics.serviceMonitor.additionalLabels }}
@ -14,4 +15,21 @@ spec:
      {{- include "gitea.selectorLabels" . | nindent 6 }}
  endpoints:
  - port: http
+    {{- if .Values.gitea.metrics.serviceMonitor.interval }}
+    interval: {{ .Values.gitea.metrics.serviceMonitor.interval }}
+    {{- end }}
+    {{- with .Values.gitea.metrics.serviceMonitor.relabelings }}
+    relabelings:
+      {{- . | toYaml | nindent 6 }}
+    {{- end }}
+    {{- if .Values.gitea.metrics.serviceMonitor.scheme }}
+    scheme: {{ .Values.gitea.metrics.serviceMonitor.scheme }}
+    {{- end }}
+    {{- if .Values.gitea.metrics.serviceMonitor.scrapeTimeout }}
+    scrapeTimeout: {{ .Values.gitea.metrics.serviceMonitor.scrapeTimeout }}
+    {{- end }}
+    {{- with .Values.gitea.metrics.serviceMonitor.tlsConfig }}
+    tlsConfig:
+      {{- . | toYaml | nindent 6 }}
+    {{- end }}
 {{- end -}}
--- a/templates/gitea/ssh-svc.yaml
+++ b/templates/gitea/ssh-svc.yaml
@ -2,13 +2,20 @@ apiVersion: v1
 kind: Service
 metadata:
  name: {{ include "gitea.fullname" . }}-ssh
+  namespace: {{ .Values.namespace | default .Release.Namespace }}
  labels:
    {{- include "gitea.labels" . | nindent 4 }}
+    {{- if .Values.service.ssh.labels }}
+    {{- toYaml .Values.service.ssh.labels  | nindent 4 }}
+    {{- end }}
  annotations:
    {{- toYaml .Values.service.ssh.annotations | nindent 4 }}
 spec:
  type: {{ .Values.service.ssh.type }}
  {{- if eq .Values.service.ssh.type "LoadBalancer" }}
+  {{- if .Values.service.ssh.loadBalancerClass }}
+  loadBalancerClass: {{ .Values.service.ssh.loadBalancerClass }}
+  {{- end }}
  {{- if .Values.service.ssh.loadBalancerIP }}
  loadBalancerIP: {{ .Values.service.ssh.loadBalancerIP }}
  {{- end -}}
--- a/templates/tests/test-http-connection.yaml
+++ b/templates/tests/test-http-connection.yaml
@ -3,6 +3,7 @@ apiVersion: v1
 kind: Pod
 metadata:
  name: "{{ include "gitea.fullname" . }}-test-connection"
+  namespace: {{ .Values.namespace | default .Release.Namespace }}
  labels:
 {{ include "gitea.labels" . | nindent 4 }}
  annotations:
--- a/unittests/act_runner/01-consistency-checks.yaml
+++ b/unittests/act_runner/01-consistency-checks.yaml
@ -0,0 +1,69 @@
+suite: actions template | consistency checks
+release:
+  name: gitea-unittests
+  namespace: testing
+templates:
+  - templates/gitea/act_runner/01-consistency-checks.yaml
+tests:
+  - it: fails when provisioning is enabled BUT persistence is completely disabled
+    set:
+      persistence:
+        enabled: false
+      actions:
+        enabled: true
+        provisioning:
+          enabled: true
+    asserts:
+      - failedTemplate:
+          errorMessage: "persistence.enabled and persistence.mount are required when provisioning is enabled"
+  - it: fails when provisioning is enabled BUT mount is disabled, although persistence is enabled
+    set:
+      persistence:
+        enabled: true
+        mount: false
+      actions:
+        enabled: true
+        provisioning:
+          enabled: true
+    asserts:
+      - failedTemplate:
+          errorMessage: "persistence.enabled and persistence.mount are required when provisioning is enabled"
+  - it: fails when provisioning is enabled AND existingSecret is given
+    set:
+      actions:
+        enabled: true
+        provisioning:
+          enabled: true
+        existingSecret: "secret-reference"
+    asserts:
+      - failedTemplate:
+          errorMessage: "Can't specify both actions.provisioning.enabled and actions.existingSecret"
+  - it: fails when provisioning is disabled BUT existingSecret and existingSecretKey are missing
+    set:
+      actions:
+        enabled: true
+        provisioning:
+          enabled: false
+    asserts:
+      - failedTemplate:
+          errorMessage: "actions.existingSecret and actions.existingSecretKey are required when provisioning is disabled"
+  - it: fails when provisioning is disabled BUT existingSecretKey is missing
+    set:
+      actions:
+        enabled: true
+        provisioning:
+          enabled: false
+        existingSecret: "my-secret"
+    asserts:
+      - failedTemplate:
+          errorMessage: "actions.existingSecret and actions.existingSecretKey are required when provisioning is disabled"
+  - it: fails when provisioning is disabled BUT existingSecret is missing
+    set:
+      actions:
+        enabled: true
+        provisioning:
+          enabled: false
+        existingSecretKey: "my-secret-key"
+    asserts:
+      - failedTemplate:
+          errorMessage: "actions.existingSecret and actions.existingSecretKey are required when provisioning is disabled"
--- a/unittests/act_runner/config-act-runner.yaml
+++ b/unittests/act_runner/config-act-runner.yaml
@ -0,0 +1,45 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/helm-unittest/helm-unittest/main/schema/helm-testsuite.json
+suite: actions template | config-act-runner
+release:
+  name: gitea-unittests
+  namespace: testing
+templates:
+  - templates/gitea/act_runner/config-act-runner.yaml
+tests:
+  - it: doesn't renders a ConfigMap by default
+    template: templates/gitea/act_runner/config-act-runner.yaml
+    asserts:
+      - hasDocuments:
+          count: 0
+  - it: renders a ConfigMap
+    template: templates/gitea/act_runner/config-act-runner.yaml
+    set:
+      actions:
+        enabled: true
+        statefulset:
+          actRunner:
+            config: |
+              log:
+                level: info
+              cache:
+                enabled: false
+              runner:
+                labels:
+                  - "ubuntu-latest"
+    asserts:
+      - hasDocuments:
+          count: 1
+      - containsDocument:
+          kind: ConfigMap
+          apiVersion: v1
+          name: gitea-unittests-act-runner-config
+      - equal:
+          path: data["config.yaml"]
+          value: |
+            log:
+              level: info
+            cache:
+              enabled: false
+            runner:
+              labels:
+                - "ubuntu-latest"
--- a/unittests/act_runner/config-scripts.yaml
+++ b/unittests/act_runner/config-scripts.yaml
@ -0,0 +1,49 @@
+suite: actions template | config-scripts
+release:
+  name: gitea-unittests
+  namespace: testing
+templates:
+  - templates/gitea/act_runner/config-scripts.yaml
+tests:
+  - it: renders a ConfigMap when all criteria are met
+    template: templates/gitea/act_runner/config-scripts.yaml
+    set:
+      actions:
+        enabled: true
+        provisioning:
+          enabled: true
+      persistence:
+        enabled: true
+        mount: true
+    asserts:
+      - hasDocuments:
+          count: 1
+      - containsDocument:
+          kind: ConfigMap
+          apiVersion: v1
+          name: gitea-unittests-scripts
+      - isNotNullOrEmpty:
+          path: data["token.sh"]
+  - it: doesn't renders a ConfigMap by default
+    template: templates/gitea/act_runner/config-scripts.yaml
+    asserts:
+      - hasDocuments:
+          count: 0
+  - it: doesn't renders a ConfigMap with disabled actions but enabled provisioning
+    template: templates/gitea/act_runner/config-scripts.yaml
+    asserts:
+      - hasDocuments:
+          count: 0
+  - it: doesn't renders a ConfigMap with disabled actions but otherwise met criteria
+    template: templates/gitea/act_runner/config-scripts.yaml
+    set:
+      actions:
+        enabled: false
+        provisioning:
+          enabled: true
+      persistence:
+        enabled: true
+        mount: true
+    asserts:
+      - hasDocuments:
+          count: 0
--- a/unittests/act_runner/job.yaml
+++ b/unittests/act_runner/job.yaml
@ -0,0 +1,65 @@
+suite: actions template | job
+release:
+  name: gitea-unittests
+  namespace: testing
+chart:
+  # Override appVersion to have a pinned version for comparison
+  appVersion: 1.19.3
+templates:
+  - templates/gitea/act_runner/job.yaml
+tests:
+  - it: renders a Job
+    template: templates/gitea/act_runner/job.yaml
+    set:
+      actions:
+        enabled: true
+        provisioning:
+          enabled: true
+      persistence:
+        enabled: true
+        mount: true
+    asserts:
+      - hasDocuments:
+          count: 1
+      - containsDocument:
+          kind: Job
+          apiVersion: batch/v1
+          name: gitea-unittests-actions-token-job
+      - equal:
+          path: spec.template.spec.containers[0].image
+          value: "gitea/gitea:1.19.3-rootless"
+  - it: tag override
+    template: templates/gitea/act_runner/job.yaml
+    set:
+      image.tag: "1.19.4"
+      actions:
+        enabled: true
+        provisioning:
+          enabled: true
+          publish:
+            tag: "1.29.0"
+      persistence:
+        enabled: true
+        mount: true
+    asserts:
+      - equal:
+          path: spec.template.spec.containers[0].image
+          value: "gitea/gitea:1.19.4-rootless"
+      - equal:
+          path: spec.template.spec.containers[1].image
+          value: "bitnami/kubectl:1.29.0"
+  - it: doesn't renders a Job by default
+    template: templates/gitea/act_runner/job.yaml
+    asserts:
+      - hasDocuments:
+          count: 0
+  - it: doesn't renders a Job when provisioning is enabled BUT actions are not enabled
+    template: templates/gitea/act_runner/job.yaml
+    set:
+      actions:
+        enabled: false
+        provisioning:
+          enabled: true
+    asserts:
+      - hasDocuments:
+          count: 0
--- a/unittests/act_runner/role-job.yaml
+++ b/unittests/act_runner/role-job.yaml
@ -0,0 +1,42 @@
+suite: actions template | role-job
+release:
+  name: gitea-unittests
+  namespace: testing
+templates:
+  - templates/gitea/act_runner/role-job.yaml
+tests:
+  - it: doesn't renders a Role by default
+    template: templates/gitea/act_runner/role-job.yaml
+    asserts:
+      - hasDocuments:
+          count: 0
+  - it: renders a Role
+    template: templates/gitea/act_runner/role-job.yaml
+    set:
+      actions:
+        enabled: true
+        provisioning:
+          enabled: true
+      persistence:
+        enabled: true
+        mount: true
+    asserts:
+      - hasDocuments:
+          count: 1
+      - containsDocument:
+          kind: Role
+          apiVersion: rbac.authorization.k8s.io/v1
+          name: gitea-unittests-actions-token-job
+  - it: doesn't renders a Role when criteria met BUT actions are not enabled
+    template: templates/gitea/act_runner/role-job.yaml
+    set:
+      actions:
+        enabled: false
+        provisioning:
+          enabled: true
+      persistence:
+        enabled: true
+        mount: true
+    asserts:
+      - hasDocuments:
+          count: 0
--- a/unittests/act_runner/rolebinding-job.yaml
+++ b/unittests/act_runner/rolebinding-job.yaml
@ -0,0 +1,42 @@
+suite: actions template | rolebinding-job
+release:
+  name: gitea-unittests
+  namespace: testing
+templates:
+  - templates/gitea/act_runner/rolebinding-job.yaml
+tests:
+  - it: doesn't renders a RoleBinding by default
+    template: templates/gitea/act_runner/rolebinding-job.yaml
+    asserts:
+      - hasDocuments:
+          count: 0
+  - it: renders a RoleBinding
+    template: templates/gitea/act_runner/rolebinding-job.yaml
+    set:
+      actions:
+        enabled: true
+        provisioning:
+          enabled: true
+      persistence:
+        enabled: true
+        mount: true
+    asserts:
+      - hasDocuments:
+          count: 1
+      - containsDocument:
+          kind: RoleBinding
+          apiVersion: rbac.authorization.k8s.io/v1
+          name: gitea-unittests-actions-token-job
+  - it: doesn't renders a RoleBinding when criteria met BUT actions are not enabled
+    template: templates/gitea/act_runner/rolebinding-job.yaml
+    set:
+      actions:
+        enabled: false
+        provisioning:
+          enabled: true
+      persistence:
+        enabled: true
+        mount: true
+    asserts:
+      - hasDocuments:
+          count: 0
--- a/unittests/act_runner/secret-token.yaml
+++ b/unittests/act_runner/secret-token.yaml
@ -0,0 +1,42 @@
+suite: actions template | secret-token
+release:
+  name: gitea-unittests
+  namespace: testing
+templates:
+  - templates/gitea/act_runner/secret-token.yaml
+tests:
+  - it: doesn't renders a Secret by default
+    template: templates/gitea/act_runner/secret-token.yaml
+    asserts:
+      - hasDocuments:
+          count: 0
+  - it: renders a Secret
+    template: templates/gitea/act_runner/secret-token.yaml
+    set:
+      actions:
+        enabled: true
+        provisioning:
+          enabled: true
+      persistence:
+        enabled: true
+        mount: true
+    asserts:
+      - hasDocuments:
+          count: 1
+      - containsDocument:
+          kind: Secret
+          apiVersion: v1
+          name: gitea-unittests-actions-token
+  - it: doesn't renders a Secret when criteria met BUT actions are not enabled
+    template: templates/gitea/act_runner/secret-token.yaml
+    set:
+      actions:
+        enabled: false
+        provisioning:
+          enabled: true
+      persistence:
+        enabled: true
+        mount: true
+    asserts:
+      - hasDocuments:
+          count: 0
--- a/unittests/act_runner/serviceaccount-job.yaml
+++ b/unittests/act_runner/serviceaccount-job.yaml
@ -0,0 +1,42 @@
+suite: actions template | serviceaccount-job
+release:
+  name: gitea-unittests
+  namespace: testing
+templates:
+  - templates/gitea/act_runner/serviceaccount-job.yaml
+tests:
+  - it: doesn't renders a ServiceAccount by default
+    template: templates/gitea/act_runner/serviceaccount-job.yaml
+    asserts:
+      - hasDocuments:
+          count: 0
+  - it: renders a ServiceAccount
+    template: templates/gitea/act_runner/serviceaccount-job.yaml
+    set:
+      actions:
+        enabled: true
+        provisioning:
+          enabled: true
+      persistence:
+        enabled: true
+        mount: true
+    asserts:
+      - hasDocuments:
+          count: 1
+      - containsDocument:
+          kind: ServiceAccount
+          apiVersion: v1
+          name: gitea-unittests-actions-token-job
+  - it: doesn't renders a ServiceAccount when criteria met BUT actions are not enabled
+    template: templates/gitea/act_runner/serviceaccount-job.yaml
+    set:
+      actions:
+        enabled: false
+        provisioning:
+          enabled: true
+      persistence:
+        enabled: true
+        mount: true
+    asserts:
+      - hasDocuments:
+          count: 0
--- a/unittests/act_runner/statefulset.yaml
+++ b/unittests/act_runner/statefulset.yaml
@ -0,0 +1,111 @@
+suite: actions template | statefulset
+release:
+  name: gitea-unittests
+  namespace: testing
+templates:
+  - templates/gitea/act_runner/statefulset.yaml
+tests:
+  - it: doesn't renders a StatefulSet by default
+    template: templates/gitea/act_runner/statefulset.yaml
+    asserts:
+      - hasDocuments:
+          count: 0
+  - it: renders a StatefulSet (with given existingSecret/existingSecretKey)
+    template: templates/gitea/act_runner/statefulset.yaml
+    set:
+      actions:
+        enabled: true
+        existingSecret: "my-secret"
+        existingSecretKey: "my-secret-key"
+    asserts:
+      - hasDocuments:
+          count: 1
+      - containsDocument:
+          kind: StatefulSet
+          apiVersion: apps/v1
+          name: gitea-unittests-act-runner
+      - equal:
+          path: spec.template.spec.containers[0].env[3]
+          value:
+            name: GITEA_RUNNER_REGISTRATION_TOKEN
+            valueFrom:
+              secretKeyRef:
+                name: "my-secret"
+                key: "my-secret-key"
+  - it: renders a StatefulSet (with secret reference defaults for enabled provisioning)
+    template: templates/gitea/act_runner/statefulset.yaml
+    set:
+      actions:
+        enabled: true
+        provisioning:
+          enabled: true
+    asserts:
+      - hasDocuments:
+          count: 1
+      - containsDocument:
+          kind: StatefulSet
+          apiVersion: apps/v1
+          name: gitea-unittests-act-runner
+      - equal:
+          path: spec.template.spec.containers[0].env[3]
+          value:
+            name: GITEA_RUNNER_REGISTRATION_TOKEN
+            valueFrom:
+              secretKeyRef:
+                name: "gitea-unittests-actions-token"
+                key: "token"
+  - it: renders a StatefulSet (with correct GITEA_INSTANCE_URL env with default act-runner specific LOCAL_ROOT_URL)
+    template: templates/gitea/act_runner/statefulset.yaml
+    set:
+      actions:
+        enabled: true
+        existingSecret: "my-secret"
+        existingSecretKey: "my-secret-key"
+    asserts:
+      - hasDocuments:
+          count: 1
+      - containsDocument:
+          kind: StatefulSet
+          apiVersion: apps/v1
+          name: gitea-unittests-act-runner
+      - equal:
+          path: spec.template.spec.containers[0].env[4]
+          value:
+            name: GITEA_INSTANCE_URL
+            value: "http://gitea-unittests-http:3000"
+  - it: renders a StatefulSet (with correct GITEA_INSTANCE_URL env from customized LOCAL_ROOT_URL)
+    template: templates/gitea/act_runner/statefulset.yaml
+    set:
+      gitea.config.server.LOCAL_ROOT_URL: "http://git.example.com"
+      actions:
+        enabled: true
+        existingSecret: "my-secret"
+        existingSecretKey: "my-secret-key"
+    asserts:
+      - hasDocuments:
+          count: 1
+      - containsDocument:
+          kind: StatefulSet
+          apiVersion: apps/v1
+          name: gitea-unittests-act-runner
+      - equal:
+          path: spec.template.spec.containers[0].env[4]
+          value:
+            name: GITEA_INSTANCE_URL
+            value: "http://git.example.com"
+  - it: allows adding custom environment variables to the docker-in-docker container
+    template: templates/gitea/act_runner/statefulset.yaml
+    set:
+      actions:
+        enabled: true
+        statefulset:
+          dind:
+            extraEnvs:
+              - name: "CUSTOM_ENV_NAME"
+                value: "custom env value"
+    asserts:
+      - equal:
+          path: spec.template.spec.containers[1].env[3]
+          value:
+            name: "CUSTOM_ENV_NAME"
+            value: "custom env value"
--- a/unittests/config/actions-config.yaml
+++ b/unittests/config/actions-config.yaml
@ -0,0 +1,61 @@
+suite: config template | actions config
+release:
+  name: gitea-unittests
+  namespace: testing
+templates:
+  - templates/gitea/config.yaml
+tests:
+  - it: "actions are not enabled by default"
+    template: templates/gitea/config.yaml
+    asserts:
+      - documentIndex: 0
+        equal:
+          path: stringData.actions
+          value: |-
+            ENABLED=false
+
+  - it: "actions can be enabled via inline config"
+    template: templates/gitea/config.yaml
+    set:
+      gitea.config.actions.ENABLED: true
+    asserts:
+      - documentIndex: 0
+        equal:
+          path: stringData.actions
+          value: |-
+            ENABLED=true
+
+  - it: "actions can be enabled via dedicated values object"
+    template: templates/gitea/config.yaml
+    set:
+      actions:
+        enabled: true
+    asserts:
+      - documentIndex: 0
+        equal:
+          path: stringData.actions
+          value: |-
+            ENABLED=true
+
+  - it: "defines LOCAL_ROOT_URL when actions are enabled"
+    template: templates/gitea/config.yaml
+    set:
+      actions:
+        enabled: true
+    asserts:
+      - documentIndex: 0
+        matchRegex:
+          path: stringData.server
+          pattern: \nLOCAL_ROOT_URL=http://gitea-unittests-http:3000
+
+  - it: "respects custom LOCAL_ROOT_URL, even when actions are enabled"
+    template: templates/gitea/config.yaml
+    set:
+      actions:
+        enabled: true
+      gitea.config.server.LOCAL_ROOT_URL: "http://git.example.com"
+    asserts:
+      - documentIndex: 0
+        matchRegex:
+          path: stringData.server
+          pattern: \nLOCAL_ROOT_URL=http://git.example.com
--- a/unittests/config/cache-config.yaml
+++ b/unittests/config/cache-config.yaml
@ -8,6 +8,8 @@ tests:
    set:
      redis-cluster:
        enabled: true
+      redis:
+        enabled: false
    asserts:
      - documentIndex: 0
        equal:
@ -16,11 +18,28 @@ tests:
            ADAPTER=redis
            HOST=redis+cluster://:@gitea-unittests-redis-cluster-headless.testing.svc.cluster.local:6379/0?pool_size=100&idle_timeout=180s&

-  - it: "cache is configured correctly for 'memory' when redis-cluster is disabled"
+  - it: "cache is configured correctly for redis"
    template: templates/gitea/config.yaml
    set:
      redis-cluster:
        enabled: false
+      redis:
+        enabled: true
+    asserts:
+      - documentIndex: 0
+        equal:
+          path: stringData.cache
+          value: |-
+            ADAPTER=redis
+            HOST=redis://:changeme@gitea-unittests-redis-headless.testing.svc.cluster.local:6379/0?pool_size=100&idle_timeout=180s&
+
+  - it: "cache is configured correctly for 'memory' when redis (or redis-cluster) is disabled"
+    template: templates/gitea/config.yaml
+    set:
+      redis-cluster:
+        enabled: false
+      redis:
+        enabled: false
    asserts:
      - documentIndex: 0
        equal:
@ -29,11 +48,13 @@ tests:
            ADAPTER=memory
            HOST=

-  - it: "cache can be customized when redis-cluster is disabled"
+  - it: "cache can be customized when redis (or redis-cluster) is disabled"
    template: templates/gitea/config.yaml
    set:
      redis-cluster:
        enabled: false
+      redis:
+        enabled: false
      gitea.config.cache.ADAPTER: custom-adapter
      gitea.config.cache.HOST: custom-host
    asserts:
--- a/unittests/config/queue-config.yaml
+++ b/unittests/config/queue-config.yaml
@ -8,6 +8,8 @@ tests:
    set:
      redis-cluster:
        enabled: true
+      redis:
+        enabled: false
    asserts:
      - documentIndex: 0
        equal:
@ -16,11 +18,28 @@ tests:
            CONN_STR=redis+cluster://:@gitea-unittests-redis-cluster-headless.testing.svc.cluster.local:6379/0?pool_size=100&idle_timeout=180s&
            TYPE=redis

-  - it: "queue is configured correctly for 'levelDB' when redis-cluster is disabled"
+  - it: "queue is configured correctly for redis"
    template: templates/gitea/config.yaml
    set:
      redis-cluster:
        enabled: false
+      redis:
+        enabled: true
+    asserts:
+      - documentIndex: 0
+        equal:
+          path: stringData.queue
+          value: |-
+            CONN_STR=redis://:changeme@gitea-unittests-redis-headless.testing.svc.cluster.local:6379/0?pool_size=100&idle_timeout=180s&
+            TYPE=redis
+
+  - it: "queue is configured correctly for 'levelDB' when redis (and redis-cluster) is disabled"
+    template: templates/gitea/config.yaml
+    set:
+      redis-cluster:
+        enabled: false
+      redis:
+        enabled: false
    asserts:
      - documentIndex: 0
        equal:
@ -29,11 +48,13 @@ tests:
            CONN_STR=
            TYPE=level

-  - it: "queue can be customized when redis-cluster is disabled"
+  - it: "queue can be customized when redis (and redis-cluster) are disabled"
    template: templates/gitea/config.yaml
    set:
      redis-cluster:
        enabled: false
+      redis:
+        enabled: false
      gitea.config.queue.TYPE: custom-type
      gitea.config.queue.CONN_STR: custom-connection-string
    asserts:
--- a/unittests/config/session-config.yaml
+++ b/unittests/config/session-config.yaml
@ -8,6 +8,8 @@ tests:
    set:
      redis-cluster:
        enabled: true
+      redis:
+        enabled: false
    asserts:
      - documentIndex: 0
        equal:
@ -16,11 +18,28 @@ tests:
            PROVIDER=redis
            PROVIDER_CONFIG=redis+cluster://:@gitea-unittests-redis-cluster-headless.testing.svc.cluster.local:6379/0?pool_size=100&idle_timeout=180s&

-  - it: "session is configured correctly for 'memory' when redis-cluster is disabled"
+  - it: "session is configured correctly for redis"
    template: templates/gitea/config.yaml
    set:
      redis-cluster:
        enabled: false
+      redis:
+        enabled: true
+    asserts:
+      - documentIndex: 0
+        equal:
+          path: stringData.session
+          value: |-
+            PROVIDER=redis
+            PROVIDER_CONFIG=redis://:changeme@gitea-unittests-redis-headless.testing.svc.cluster.local:6379/0?pool_size=100&idle_timeout=180s&
+
+  - it: "session is configured correctly for 'memory' when redis (and redis-cluster) is disabled"
+    template: templates/gitea/config.yaml
+    set:
+      redis-cluster:
+        enabled: false
+      redis:
+        enabled: false
    asserts:
      - documentIndex: 0
        equal:
@ -29,11 +48,13 @@ tests:
            PROVIDER=memory
            PROVIDER_CONFIG=

-  - it: "session can be customized when redis-cluster is disabled"
+  - it: "session can be customized when redis (and redis-cluster) is disabled"
    template: templates/gitea/config.yaml
    set:
      redis-cluster:
        enabled: false
+      redis:
+        enabled: false
      gitea.config.session.PROVIDER: custom-provider
      gitea.config.session.PROVIDER_CONFIG: custom-provider-config
    asserts:
--- a/unittests/dependency-major-image-check.yaml
+++ b/unittests/dependency-major-image-check.yaml
@ -15,7 +15,7 @@ tests:
        matchRegex:
          path: spec.template.spec.containers[0].image
          # IN CASE OF AN INTENTIONAL MAJOR BUMP, ADJUST THIS TEST
-          pattern: ^docker.io/bitnami/postgresql-repmgr:16.+$
+          pattern: bitnami/postgresql-repmgr:16.+$
  - it: "[postgresql] ensures we detect major image version upgrades"
    template: charts/postgresql/templates/primary/statefulset.yaml
    set:
@ -28,15 +28,30 @@ tests:
        matchRegex:
          path: spec.template.spec.containers[0].image
          # IN CASE OF AN INTENTIONAL MAJOR BUMP, ADJUST THIS TEST
-          pattern: ^docker.io/bitnami/postgresql:16.+$
+          pattern: bitnami/postgresql:16.+$
  - it: "[redis-cluster] ensures we detect major image version upgrades"
    template: charts/redis-cluster/templates/redis-statefulset.yaml
    set:
      redis-cluster:
        enabled: true
+      redis:
+        enabled: false
+    asserts:
+      - documentIndex: 0
+        matchRegex:
+          path: spec.template.spec.containers[0].image
+          # IN CASE OF AN INTENTIONAL MAJOR BUMP, ADJUST THIS TEST
+          pattern: bitnami/redis-cluster:7.+$
+  - it: "[redis] ensures we detect major image version upgrades"
+    template: charts/redis/templates/master/application.yaml
+    set:
+      redis-cluster:
+        enabled: false
+      redis:
+        enabled: true
    asserts:
      - documentIndex: 0
        matchRegex:
          path: spec.template.spec.containers[0].image
          # IN CASE OF AN INTENTIONAL MAJOR BUMP, ADJUST THIS TEST
-          pattern: ^docker.io/bitnami/redis-cluster:7.+$
+          pattern: bitnami/redis:7.+$
--- a/unittests/deployment/HA.yaml
+++ b/unittests/deployment/HA.yaml
@ -0,0 +1,59 @@
+suite: deployment template (HA)
+release:
+  name: gitea-unittests
+  namespace: testing
+templates:
+  - templates/gitea/deployment.yaml
+  - templates/gitea/config.yaml
+tests:
+  - it: fails with multiple replicas and "GIT_GC_REPOS" enabled
+    template: templates/gitea/deployment.yaml
+    set:
+      replicaCount: 2
+      persistence:
+        accessModes:
+          - ReadWriteMany
+      gitea:
+        config:
+          cron:
+            GIT_GC_REPOS:
+              ENABLED: true
+    asserts:
+      - failedTemplate:
+          errorMessage: "Invoking the garbage collector via CRON is not yet supported when running with multiple replicas. Please set 'cron.GIT_GC_REPOS.enabled = false'."
+  - it: fails with multiple replicas and RWX file system not set
+    template: templates/gitea/deployment.yaml
+    set:
+      replicaCount: 2
+    asserts:
+      - failedTemplate:
+          errorMessage: "When using multiple replicas, a RWX file system is required and gitea.persistence.accessModes[0] must be set to ReadWriteMany."
+  - it: fails with multiple replicas and bleve issue indexer
+    template: templates/gitea/deployment.yaml
+    set:
+      replicaCount: 2
+      persistence:
+        accessModes:
+          - ReadWriteMany
+      gitea:
+        config:
+          indexer:
+            ISSUE_INDEXER_TYPE: bleve
+    asserts:
+      - failedTemplate:
+          errorMessage: "When using multiple replicas, the issue indexer (gitea.config.indexer.ISSUE_INDEXER_TYPE) must be set to a HA-ready provider such as 'meilisearch', 'elasticsearch' or 'db' (if the DB is HA-ready)."
+  - it: fails with multiple replicas and bleve repo indexer
+    template: templates/gitea/deployment.yaml
+    set:
+      replicaCount: 2
+      persistence:
+        accessModes:
+          - ReadWriteMany
+      gitea:
+        config:
+          indexer:
+            REPO_INDEXER_TYPE: bleve
+            REPO_INDEXER_ENABLED: true
+    asserts:
+      - failedTemplate:
+          errorMessage: "When using multiple replicas, the repo indexer (gitea.config.indexer.REPO_INDEXER_TYPE) must be set to 'meilisearch' or 'elasticsearch' or disabled."
--- a/unittests/deployment/basic.yaml
+++ b/unittests/deployment/basic.yaml
@ -15,3 +15,17 @@ tests:
          kind: Deployment
          apiVersion: apps/v1
          name: gitea-unittests
+  - it: deployment labels are set
+    template: templates/gitea/deployment.yaml
+    set:
+      deployment.labels:
+        hello: world
+    asserts:
+      - isSubset:
+          path: metadata.labels
+          content:
+            hello: world
+      - isSubset:
+          path: spec.template.metadata.labels
+          content:
+            hello: world
--- a/unittests/deployment/image-configuration.yaml
+++ b/unittests/deployment/image-configuration.yaml
@ -91,3 +91,20 @@ tests:
      - equal:
          path: spec.template.spec.containers[0].image
          value: "global.example.com/gitea/gitea:1.19.3-rootless@sha256:b28e8f3089b52ebe6693295df142f8c12eff354e9a4a5bfbb5c10f296c3a537a"
+  - it: correctly renders floating tag references
+    template: templates/gitea/deployment.yaml
+    set:
+      image.tag: 1.21 # use non-quoted value on purpose. See: https://gitea.com/gitea/helm-chart/issues/631
+    asserts:
+      - equal:
+          path: spec.template.spec.initContainers[0].image
+          value: "gitea/gitea:1.21-rootless"
+      - equal:
+          path: spec.template.spec.initContainers[1].image
+          value: "gitea/gitea:1.21-rootless"
+      - equal:
+          path: spec.template.spec.initContainers[2].image
+          value: "gitea/gitea:1.21-rootless"
+      - equal:
+          path: spec.template.spec.containers[0].image
+          value: "gitea/gitea:1.21-rootless"
--- a/unittests/deployment/ingress-configuration.yaml
+++ b/unittests/deployment/ingress-configuration.yaml
@ -15,9 +15,33 @@ tests:
          hosts:
            - "{{ .Values.global.giteaHostName }}"
    asserts:
+      - isKind:
+          of: Ingress
      - equal:
          path: spec.tls[0].hosts[0]
          value: "gitea.example.com"
      - equal:
          path: spec.rules[0].host
          value: "gitea.example.com"
+  - it: Ingress Class using TPL
+    set:
+      global.ingress.className: "ingress-class"
+      ingress.className: "{{ .Values.global.ingress.className }}"
+      ingress.enabled: true
+      ingress.hosts[0].host: "some-host"
+      ingress.tls:
+        - secretName: gitea-tls
+          hosts:
+            - "some-host"
+    asserts:
+      - isKind:
+          of: Ingress
+      - equal:
+          path: spec.tls[0].hosts[0]
+          value: "some-host"
+      - equal:
+          path: spec.rules[0].host
+          value: "some-host"
+      - equal:
+          path: spec.ingressClassName
+          value: "ingress-class"
--- a/unittests/deployment/probes.yaml
+++ b/unittests/deployment/probes.yaml
@ -0,0 +1,188 @@
+suite: deployment template (probes)
+release:
+  name: gitea-unittests
+  namespace: testing
+templates:
+  - templates/gitea/deployment.yaml
+  - templates/gitea/config.yaml
+tests:
+  - it: renders default liveness probe
+    template: templates/gitea/deployment.yaml
+    asserts:
+      - notExists:
+          path: spec.template.spec.containers[0].livenessProbe.enabled
+      - isSubset:
+          path: spec.template.spec.containers[0].livenessProbe
+          content:
+            failureThreshold: 10
+            initialDelaySeconds: 200
+            periodSeconds: 10
+            successThreshold: 1
+            tcpSocket:
+              port: http
+            timeoutSeconds: 1
+  - it: renders default readiness probe
+    template: templates/gitea/deployment.yaml
+    asserts:
+      - notExists:
+          path: spec.template.spec.containers[0].readinessProbe.enabled
+      - isSubset:
+          path: spec.template.spec.containers[0].readinessProbe
+          content:
+            failureThreshold: 3
+            initialDelaySeconds: 5
+            periodSeconds: 10
+            successThreshold: 1
+            tcpSocket:
+              port: http
+            timeoutSeconds: 1
+  - it: does not render a default startup probe
+    template: templates/gitea/deployment.yaml
+    asserts:
+      - notExists:
+          path: spec.template.spec.containers[0].startupProbe
+  - it: allows enabling a startup probe
+    template: templates/gitea/deployment.yaml
+    set:
+      gitea.startupProbe.enabled: true
+    asserts:
+      - notExists:
+          path: spec.template.spec.containers[0].startupProbe.enabled
+      - isSubset:
+          path: spec.template.spec.containers[0].startupProbe
+          content:
+            failureThreshold: 10
+            initialDelaySeconds: 60
+            periodSeconds: 10
+            successThreshold: 1
+            tcpSocket:
+              port: http
+            timeoutSeconds: 1
+
+  - it: allows overwriting the default port of the liveness probe
+    template: templates/gitea/deployment.yaml
+    set:
+      gitea:
+        livenessProbe:
+          tcpSocket:
+            port: my-port
+    asserts:
+      - isSubset:
+          path: spec.template.spec.containers[0].livenessProbe
+          content:
+            tcpSocket:
+              port: my-port
+
+  - it: allows overwriting the default port of the readiness probe
+    template: templates/gitea/deployment.yaml
+    set:
+      gitea:
+        readinessProbe:
+          tcpSocket:
+            port: my-port
+    asserts:
+      - isSubset:
+          path: spec.template.spec.containers[0].readinessProbe
+          content:
+            tcpSocket:
+              port: my-port
+
+  - it: allows overwriting the default port of the startup probe
+    template: templates/gitea/deployment.yaml
+    set:
+      gitea:
+        startupProbe:
+          enabled: true
+          tcpSocket:
+            port: my-port
+    asserts:
+      - isSubset:
+          path: spec.template.spec.containers[0].startupProbe
+          content:
+            tcpSocket:
+              port: my-port
+
+  - it: allows using a non-default method as liveness probe
+    template: templates/gitea/deployment.yaml
+    set:
+      gitea:
+        livenessProbe:
+          httpGet:
+            path: /api/healthz
+            port: http
+          initialDelaySeconds: 13371
+          timeoutSeconds: 13372
+          periodSeconds: 13373
+          successThreshold: 13374
+          failureThreshold: 13375
+    asserts:
+      - notExists:
+          path: spec.template.spec.containers[0].livenessProbe.tcpSocket
+      - isSubset:
+          path: spec.template.spec.containers[0].livenessProbe
+          content:
+            failureThreshold: 13375
+            initialDelaySeconds: 13371
+            periodSeconds: 13373
+            successThreshold: 13374
+            httpGet:
+              path: /api/healthz
+              port: http
+            timeoutSeconds: 13372
+
+  - it: allows using a non-default method as readiness probe
+    template: templates/gitea/deployment.yaml
+    set:
+      gitea:
+        readinessProbe:
+          httpGet:
+            path: /api/healthz
+            port: http
+          initialDelaySeconds: 13371
+          timeoutSeconds: 13372
+          periodSeconds: 13373
+          successThreshold: 13374
+          failureThreshold: 13375
+    asserts:
+      - notExists:
+          path: spec.template.spec.containers[0].readinessProbe.tcpSocket
+      - isSubset:
+          path: spec.template.spec.containers[0].readinessProbe
+          content:
+            failureThreshold: 13375
+            initialDelaySeconds: 13371
+            periodSeconds: 13373
+            successThreshold: 13374
+            httpGet:
+              path: /api/healthz
+              port: http
+            timeoutSeconds: 13372
+
+  - it: allows using a non-default method as startup probe
+    template: templates/gitea/deployment.yaml
+    set:
+      gitea:
+        startupProbe:
+          enabled: true
+          httpGet:
+            path: /api/healthz
+            port: http
+          initialDelaySeconds: 13371
+          timeoutSeconds: 13372
+          periodSeconds: 13373
+          successThreshold: 13374
+          failureThreshold: 13375
+    asserts:
+      - notExists:
+          path: spec.template.spec.containers[0].startupProbe.tcpSocket
+      - isSubset:
+          path: spec.template.spec.containers[0].startupProbe
+          content:
+            failureThreshold: 13375
+            initialDelaySeconds: 13371
+            periodSeconds: 13373
+            successThreshold: 13374
+            httpGet:
+              path: /api/healthz
+              port: http
+            timeoutSeconds: 13372
--- a/unittests/deployment/sidecar-container.yaml
+++ b/unittests/deployment/sidecar-container.yaml
@ -0,0 +1,21 @@
+suite: sidecar container
+release:
+  name: gitea-unittests
+  namespace: testing
+templates:
+  - templates/gitea/deployment.yaml
+  - templates/gitea/config.yaml
+tests:
+  - it: supports adding a sidecar container
+    template: templates/gitea/deployment.yaml
+    set:
+      extraContainers:
+        - name: sidecar-bob
+          image: busybox
+    asserts:
+      - equal:
+          path: spec.template.spec.containers[1].name
+          value: "sidecar-bob"
+      - equal:
+          path: spec.template.spec.containers[1].image
+          value: "busybox"
--- a/unittests/deployment/storage-class-configuration.yaml
+++ b/unittests/deployment/storage-class-configuration.yaml
@ -0,0 +1,39 @@
+# File: tests/gitea-storageclass-tests.yaml
+
+suite: storage class configuration tests
+
+release:
+  name: gitea-storageclass-tests
+  namespace: testing
+
+templates:
+  - templates/gitea/pvc.yaml
+
+tests:
+  - it: should set storageClassName when persistence.storageClass is defined
+    template: templates/gitea/pvc.yaml
+    set:
+      persistence.storageClass: "my-storage-class"
+    asserts:
+      - equal:
+          path: "spec.storageClassName"
+          value: "my-storage-class"
+
+  - it: should set global.storageClass when persistence.storageClass is not defined
+    template: templates/gitea/pvc.yaml
+    set:
+      global.storageClass: "default-storage-class"
+    asserts:
+      - equal:
+          path: spec.storageClassName
+          value: "default-storage-class"
+
+  - it: should set storageClassName when persistence.storageClass is defined and global.storageClass is defined
+    template: templates/gitea/pvc.yaml
+    set:
+      global.storageClass: "default-storage-class"
+      persistence.storageClass: "my-storage-class"
+    asserts:
+      - equal:
+          path: spec.storageClassName
+          value: "my-storage-class"
--- a/unittests/deployment/svc-configuration.yaml
+++ b/unittests/deployment/svc-configuration.yaml
@ -0,0 +1,118 @@
+suite: ssh-svc / http-svc template (Services configuration)
+release:
+  name: gitea-unittests
+  namespace: testing
+templates:
+  - templates/gitea/ssh-svc.yaml
+  - templates/gitea/http-svc.yaml
+tests:
+  - it: supports adding custom labels to ssh-svc
+    template: templates/gitea/ssh-svc.yaml
+    set:
+      service:
+        ssh:
+          labels:
+            gitea/testkey: testvalue
+    asserts:
+      - equal:
+          path: metadata.labels["gitea/testkey"]
+          value: "testvalue"
+
+  - it: keeps existing labels (ssh)
+    template: templates/gitea/ssh-svc.yaml
+    set:
+      service:
+        ssh:
+          labels: {}
+    asserts:
+      - exists:
+          path: metadata.labels["app"]
+
+  - it: supports adding custom labels to http-svc
+    template: templates/gitea/http-svc.yaml
+    set:
+      service:
+        http:
+          labels:
+            gitea/testkey: testvalue
+    asserts:
+      - equal:
+          path: metadata.labels["gitea/testkey"]
+          value: "testvalue"
+
+  - it: keeps existing labels (http)
+    template: templates/gitea/http-svc.yaml
+    set:
+      service:
+        http:
+          labels: {}
+    asserts:
+      - exists:
+          path: metadata.labels["app"]
+
+  - it: render service.ssh.loadBalancerClass if set and type is LoadBalancer
+    template: templates/gitea/ssh-svc.yaml
+    set:
+      service:
+        ssh:
+          loadBalancerClass: "example.com/class"
+          type: LoadBalancer
+          loadBalancerIP: "1.2.3.4"
+          loadBalancerSourceRanges:
+            - "1.2.3.4/32"
+            - "5.6.7.8/32"
+    asserts:
+      - equal:
+          path: spec.loadBalancerClass
+          value: "example.com/class"
+      - equal:
+          path: spec.loadBalancerIP
+          value: "1.2.3.4"
+      - equal:
+          path: spec.loadBalancerSourceRanges
+          value: ["1.2.3.4/32", "5.6.7.8/32"]
+
+  - it: does not render when loadbalancer properties are set but type is not loadBalancerClass
+    template: templates/gitea/http-svc.yaml
+    set:
+      service:
+        http:
+          type: ClusterIP
+          loadBalancerClass: "example.com/class"
+          loadBalancerIP: "1.2.3.4"
+          loadBalancerSourceRanges:
+            - "1.2.3.4/32"
+            - "5.6.7.8/32"
+    asserts:
+      - notExists:
+          path: spec.loadBalancerClass
+      - notExists:
+          path: spec.loadBalancerIP
+      - notExists:
+          path: spec.loadBalancerSourceRanges
+
+  - it: does not render loadBalancerClass by default even when type is LoadBalancer
+    template: templates/gitea/http-svc.yaml
+    set:
+      service:
+        http:
+          type: LoadBalancer
+          loadBalancerIP: "1.2.3.4"
+    asserts:
+      - notExists:
+          path: spec.loadBalancerClass
+      - equal:
+          path: spec.loadBalancerIP
+          value: "1.2.3.4"
+
+  - it: both ssh and http services exist
+    templates:
+      - templates/gitea/ssh-svc.yaml
+      - templates/gitea/http-svc.yaml
+    asserts:
+      - matchRegex:
+          path: metadata.name
+          pattern: "^gitea-unittests-(?:ssh|http)$"
+      - matchRegex:
+          path: spec.ports[0].name
+          pattern: "^(?:ssh|http)$"
--- a/unittests/init/init_directory_structure.sh-rootless.yaml
+++ b/unittests/init/init_directory_structure.sh-rootless.yaml
@ -28,15 +28,13 @@ tests:
            #!/usr/bin/env bash

            set -euo pipefail
-
-            set -x
-            mkdir -p /data/git/.ssh
-            chmod -R 700 /data/git/.ssh
-            [ ! -d /data/gitea/conf ] && mkdir -p /data/gitea/conf
+            mkdir -pv /data/git/.ssh
+            chmod -Rv 700 /data/git/.ssh
+            [ ! -d /data/gitea/conf ] && mkdir -pv /data/gitea/conf

            # prepare temp directory structure
-            mkdir -p "${GITEA_TEMP}"
-            chmod ug+rwx "${GITEA_TEMP}"
+            mkdir -pv "${GITEA_TEMP}"
+            chmod -v ug+rwx "${GITEA_TEMP}"
  - it: adds gpg script block for enabled signing
    set:
      signing.enabled: true
@ -51,20 +49,18 @@ tests:
            #!/usr/bin/env bash

            set -euo pipefail
-
-            set -x
-            mkdir -p /data/git/.ssh
-            chmod -R 700 /data/git/.ssh
-            [ ! -d /data/gitea/conf ] && mkdir -p /data/gitea/conf
+            mkdir -pv /data/git/.ssh
+            chmod -Rv 700 /data/git/.ssh
+            [ ! -d /data/gitea/conf ] && mkdir -pv /data/gitea/conf

            # prepare temp directory structure
-            mkdir -p "${GITEA_TEMP}"
-            chmod ug+rwx "${GITEA_TEMP}"
+            mkdir -pv "${GITEA_TEMP}"
+            chmod -v ug+rwx "${GITEA_TEMP}"

            if [ ! -d "${GNUPGHOME}" ]; then
-              mkdir -p "${GNUPGHOME}"
-              chmod 700 "${GNUPGHOME}"
-              chown 1000:1000 "${GNUPGHOME}"
+              mkdir -pv "${GNUPGHOME}"
+              chmod -v 700 "${GNUPGHOME}"
+              chown -v 1000:1000 "${GNUPGHOME}"
            fi
  - it: it does not chown /data even when image.fullOverride is set
    template: templates/gitea/init.yaml
@ -77,12 +73,10 @@ tests:
            #!/usr/bin/env bash

            set -euo pipefail
-
-            set -x
-            mkdir -p /data/git/.ssh
-            chmod -R 700 /data/git/.ssh
-            [ ! -d /data/gitea/conf ] && mkdir -p /data/gitea/conf
+            mkdir -pv /data/git/.ssh
+            chmod -Rv 700 /data/git/.ssh
+            [ ! -d /data/gitea/conf ] && mkdir -pv /data/gitea/conf

            # prepare temp directory structure
-            mkdir -p "${GITEA_TEMP}"
-            chmod ug+rwx "${GITEA_TEMP}"
+            mkdir -pv "${GITEA_TEMP}"
+            chmod -v ug+rwx "${GITEA_TEMP}"
--- a/unittests/init/init_directory_structure.sh.yaml
+++ b/unittests/init/init_directory_structure.sh.yaml
@ -31,17 +31,15 @@ tests:
            #!/usr/bin/env bash

            set -euo pipefail
-
-            set -x
-            chown 1000:1000 /data
-            mkdir -p /data/git/.ssh
-            chmod -R 700 /data/git/.ssh
-            [ ! -d /data/gitea/conf ] && mkdir -p /data/gitea/conf
+            chown -v 1000:1000 /data
+            mkdir -pv /data/git/.ssh
+            chmod -Rv 700 /data/git/.ssh
+            [ ! -d /data/gitea/conf ] && mkdir -pv /data/gitea/conf

            # prepare temp directory structure
-            mkdir -p "${GITEA_TEMP}"
-            chown 1000:1000 "${GITEA_TEMP}"
-            chmod ug+rwx "${GITEA_TEMP}"
+            mkdir -pv "${GITEA_TEMP}"
+            chown -v 1000:1000 "${GITEA_TEMP}"
+            chmod -v ug+rwx "${GITEA_TEMP}"
  - it: adds gpg script block for enabled signing
    set:
      image.rootless: false
@ -57,20 +55,18 @@ tests:
            #!/usr/bin/env bash

            set -euo pipefail
-
-            set -x
-            chown 1000:1000 /data
-            mkdir -p /data/git/.ssh
-            chmod -R 700 /data/git/.ssh
-            [ ! -d /data/gitea/conf ] && mkdir -p /data/gitea/conf
+            chown -v 1000:1000 /data
+            mkdir -pv /data/git/.ssh
+            chmod -Rv 700 /data/git/.ssh
+            [ ! -d /data/gitea/conf ] && mkdir -pv /data/gitea/conf

            # prepare temp directory structure
-            mkdir -p "${GITEA_TEMP}"
-            chown 1000:1000 "${GITEA_TEMP}"
-            chmod ug+rwx "${GITEA_TEMP}"
+            mkdir -pv "${GITEA_TEMP}"
+            chown -v 1000:1000 "${GITEA_TEMP}"
+            chmod -v ug+rwx "${GITEA_TEMP}"

            if [ ! -d "${GNUPGHOME}" ]; then
-              mkdir -p "${GNUPGHOME}"
-              chmod 700 "${GNUPGHOME}"
-              chown 1000:1000 "${GNUPGHOME}"
+              mkdir -pv "${GNUPGHOME}"
+              chmod -v 700 "${GNUPGHOME}"
+              chown -v 1000:1000 "${GNUPGHOME}"
            fi
--- a/unittests/pvc/pvc-configuration.yaml
+++ b/unittests/pvc/pvc-configuration.yaml
@ -0,0 +1,19 @@
+suite: PVC template
+release:
+  name: gitea-unittests
+  namespace: testing
+templates:
+  - templates/gitea/pvc.yaml
+tests:
+  - it: Storage Class using TPL
+    set:
+      global.persistence.storageClass: "storage-class"
+      persistence.enabled: true
+      persistence.create: true
+      persistence.storageClass: "{{ .Values.global.persistence.storageClass }}"
+    asserts:
+      - isKind:
+          of: PersistentVolumeClaim
+      - equal:
+          path: spec.storageClassName
+          value: "storage-class"
--- a/unittests/servicemonitor/basic.yaml
+++ b/unittests/servicemonitor/basic.yaml
@ -0,0 +1,89 @@
+suite: ServiceMonitor template (basic)
+release:
+  name: gitea-unittests
+  namespace: testing
+templates:
+  - templates/gitea/servicemonitor.yaml
+tests:
+  - it: skips rendering by default
+    asserts:
+      - hasDocuments:
+          count: 0
+  - it: renders default ServiceMonitor object with gitea.metrics.enabled=true
+    set:
+      gitea.metrics.enabled: true
+    asserts:
+      - hasDocuments:
+          count: 0
+  - it: renders default ServiceMonitor object with gitea.metrics.serviceMonitor.enabled=true
+    set:
+      gitea.metrics.serviceMonitor.enabled: true
+    asserts:
+      - hasDocuments:
+          count: 0
+  - it: renders defaults
+    set:
+      gitea.metrics.enabled: true
+      gitea.metrics.serviceMonitor.enabled: true
+    asserts:
+      - hasDocuments:
+          count: 1
+      - containsDocument:
+          kind: ServiceMonitor
+          apiVersion: monitoring.coreos.com/v1
+          name: gitea-unittests
+      - notExists:
+          path: metadata.annotations
+      - notExists:
+          path: spec.endpoints[0].interval
+      - equal:
+          path: spec.endpoints[0].port
+          value: http
+      - notExists:
+          path: spec.endpoints[0].scheme
+      - notExists:
+          path: spec.endpoints[0].scrapeTimeout
+      - notExists:
+          path: spec.endpoints[0].tlsConfig
+  - it: renders custom scrape interval
+    set:
+      gitea.metrics.enabled: true
+      gitea.metrics.serviceMonitor.enabled: true
+      gitea.metrics.serviceMonitor.interval: 30s
+      gitea.metrics.serviceMonitor.scrapeTimeout: 5s
+    asserts:
+      - equal:
+          path: spec.endpoints[0].interval
+          value: 30s
+      - equal:
+          path: spec.endpoints[0].scrapeTimeout
+          value: 5s
+  - it: renders custom tls config
+    set:
+      gitea.metrics.enabled: true
+      gitea.metrics.serviceMonitor.enabled: true
+      gitea.metrics.serviceMonitor.scheme: https
+      gitea.metrics.serviceMonitor.tlsConfig.caFile: /etc/prometheus/tls/ca.crt
+      gitea.metrics.serviceMonitor.tlsConfig.certFile: /etc/prometheus/tls/tls.crt
+      gitea.metrics.serviceMonitor.tlsConfig.keyFile: /etc/prometheus/tls/tls.key
+      gitea.metrics.serviceMonitor.tlsConfig.insecureSkipVerify: false
+      gitea.metrics.serviceMonitor.tlsConfig.serverName: gitea-unittest
+    asserts:
+      - equal:
+          path: spec.endpoints[0].scheme
+          value: https
+      - equal:
+          path: spec.endpoints[0].tlsConfig.caFile
+          value: /etc/prometheus/tls/ca.crt
+      - equal:
+          path: spec.endpoints[0].tlsConfig.certFile
+          value: /etc/prometheus/tls/tls.crt
+      - equal:
+          path: spec.endpoints[0].tlsConfig.keyFile
+          value: /etc/prometheus/tls/tls.key
+      - equal:
+          path: spec.endpoints[0].tlsConfig.insecureSkipVerify
+          value: false
+      - equal:
+          path: spec.endpoints[0].tlsConfig.serverName
+          value: gitea-unittest
--- a/unittests/values-conflicting-checks.yaml
+++ b/unittests/values-conflicting-checks.yaml
@ -0,0 +1,14 @@
+suite: Values conflicting checks
+release:
+  name: gitea-unittests
+  namespace: testing
+tests:
+  - it: fails when trying to configure redis and redis-cluster the same time
+    set:
+      redis-cluster:
+        enabled: true
+      redis:
+        enabled: true
+    asserts:
+      - failedTemplate:
+          errorMessage: redis and redis-cluster cannot be enabled at the same time. Please only choose one.
--- a/values.yaml
+++ b/values.yaml
@ -20,6 +20,9 @@ global:
  #   hostnames:
  #   - example.com

+## @param namespace An explicit namespace to deploy gitea into. Defaults to the release namespace if not specified
+namespace: ""
+
 ## @param replicaCount number of replicas for the deployment
 replicaCount: 1

@ -106,6 +109,8 @@ service:
  ## @param service.http.ipFamilies HTTP service dual-stack familiy selection,for dual-stack parameters see official kubernetes [dual-stack concept documentation](https://kubernetes.io/docs/concepts/services-networking/dual-stack/).
  ## @param service.http.loadBalancerSourceRanges Source range filter for http loadbalancer
  ## @param service.http.annotations HTTP service annotations
+  ## @param service.http.labels HTTP service additional labels
+  ## @param service.http.loadBalancerClass Loadbalancer class
  http:
    type: ClusterIP
    port: 3000
@ -118,6 +123,8 @@ service:
    ipFamilies:
    loadBalancerSourceRanges: []
    annotations: {}
+    labels: {}
+    loadBalancerClass:
  ## @param service.ssh.type Kubernetes service type for ssh traffic
  ## @param service.ssh.port Port number for ssh traffic
  ## @param service.ssh.clusterIP ClusterIP setting for ssh autosetup for deployment is None
@ -130,6 +137,8 @@ service:
  ## @param service.ssh.hostPort HostPort for ssh service
  ## @param service.ssh.loadBalancerSourceRanges Source range filter for ssh loadbalancer
  ## @param service.ssh.annotations SSH service annotations
+  ## @param service.ssh.labels SSH service additional labels
+  ## @param service.ssh.loadBalancerClass Loadbalancer class
  ssh:
    type: ClusterIP
    port: 22
@ -143,6 +152,8 @@ service:
    hostPort:
    loadBalancerSourceRanges: []
    annotations: {}
+    labels: {}
+    loadBalancerClass:

 ## @section Ingress
 ## @param ingress.enabled Enable ingress
@ -272,6 +283,12 @@ persistence:
  annotations:
    helm.sh/resource-policy: keep

+## @param extraContainers Additional sidecar containers to run in the pod
+extraContainers: []
+#  - name: sidecar-bob
+#    image: busybox
+#    command: [/bin/sh, -c, 'echo "Hello world"; sleep 86400']
+
 ## @param extraVolumes Additional volumes to mount to the Gitea deployment
 extraVolumes: []
 # - name: postgres-ssl-vol
@ -319,7 +336,7 @@ initContainers:
 #
 ## @param signing.enabled Enable commit/action signing
 ## @param signing.gpgHome GPG home directory
-## @param signing.privateKey Inline private gpg key for signed Gitea actions
+## @param signing.privateKey Inline private gpg key for signed internal Git activity
 ## @param signing.existingSecret Use an existing secret to store the value of `signing.privateKey`
 signing:
  enabled: false
@ -331,6 +348,102 @@ signing:
  #   -----END PGP PRIVATE KEY BLOCK-----
  existingSecret: ""

+# Configure Gitea Actions
+# - must enable persistence if the job is enabled
+## @section Gitea Actions
+#
+## @param actions.enabled Create an act runner StatefulSet.
+## @param actions.init.image.repository The image used for the init containers
+## @param actions.init.image.tag The image tag used for the init containers
+## @param actions.statefulset.annotations Act runner annotations
+## @param actions.statefulset.labels Act runner labels
+## @param actions.statefulset.resources Act runner resources
+## @param actions.statefulset.nodeSelector NodeSelector for the statefulset
+## @param actions.statefulset.tolerations Tolerations for the statefulset
+## @param actions.statefulset.affinity Affinity for the statefulset
+## @param actions.statefulset.actRunner.repository The Gitea act runner image
+## @param actions.statefulset.actRunner.tag The Gitea act runner tag
+## @param actions.statefulset.actRunner.pullPolicy The Gitea act runner pullPolicy
+## @param actions.statefulset.actRunner.config [default: Too complex. See values.yaml] Act runner custom configuration. See [Act Runner documentation](https://docs.gitea.com/usage/actions/act-runner#configuration) for details.
+## @param actions.statefulset.dind.repository The Docker-in-Docker image
+## @param actions.statefulset.dind.tag The Docker-in-Docker image tag
+## @param actions.statefulset.dind.pullPolicy The Docker-in-Docker pullPolicy
+## @param actions.statefulset.dind.extraEnvs Allows adding custom environment variables, such as `DOCKER_IPTABLES_LEGACY`
+## @param actions.provisioning.enabled Create a job that will create and save the token in a Kubernetes Secret
+## @param actions.provisioning.annotations Job's annotations
+## @param actions.provisioning.labels Job's labels
+## @param actions.provisioning.resources Job's resources
+## @param actions.provisioning.nodeSelector NodeSelector for the job
+## @param actions.provisioning.tolerations Tolerations for the job
+## @param actions.provisioning.affinity Affinity for the job
+## @param actions.provisioning.ttlSecondsAfterFinished ttl for the job after finished in order to allow helm to properly recognize that the job completed
+## @param actions.provisioning.publish.repository The image that can create the secret via kubectl
+## @param actions.provisioning.publish.tag The publish image tag that can create the secret
+## @param actions.provisioning.publish.pullPolicy The publish image pullPolicy that can create the secret
+## @param actions.existingSecret Secret that contains the token
+## @param actions.existingSecretKey Secret key
+actions:
+  enabled: false
+  statefulset:
+    annotations: {}
+    labels: {}
+    resources: {}
+    nodeSelector: {}
+    tolerations: []
+    affinity: {}
+
+    actRunner:
+      repository: gitea/act_runner
+      tag: 0.2.11
+      pullPolicy: IfNotPresent
+
+      config: |
+        log:
+          level: debug
+        cache:
+          enabled: false
+        runner:
+          labels:
+            - "ubuntu-latest"
+
+    dind:
+      repository: docker
+      tag: 25.0.2-dind
+      pullPolicy: IfNotPresent
+      # If the container keeps crashing in your environment, you might have to add the `DOCKER_IPTABLES_LEGACY` environment variable.
+      # See https://github.com/docker-library/docker/issues/463#issuecomment-1881909456
+      extraEnvs: []
+        #  - name: "DOCKER_IPTABLES_LEGACY"
+        #    value: "1"
+
+  init:
+    image:
+      repository: busybox
+      # Overrides the image tag whose default is the chart appVersion.
+      tag: "1.36.1"
+
+  provisioning:
+    enabled: false
+
+    annotations: {}
+    labels: {}
+    resources: {}
+    nodeSelector: {}
+    tolerations: []
+    affinity: {}
+
+    publish:
+      repository: bitnami/kubectl
+      tag: 1.29.0
+      pullPolicy: IfNotPresent
+
+    ttlSecondsAfterFinished: 300
+
+  ## Specify an existing token secret
+  ##
+  existingSecret: ""
+  existingSecretKey: ""
+
 ## @section Gitea
 #
 gitea:
@ -338,21 +451,33 @@ gitea:
  ## @param gitea.admin.existingSecret Use an existing secret to store admin user credentials
  ## @param gitea.admin.password Password for the Gitea admin user
  ## @param gitea.admin.email Email for the Gitea admin user
+  ## @param gitea.admin.passwordMode Mode for how to set/update the admin user password. Options are: initialOnlyNoReset, initialOnlyRequireReset, and keepUpdated
  admin:
    # existingSecret: gitea-admin-secret
    existingSecret:
    username: gitea_admin
    password: r8sA8CPHD9!bt6d
    email: "gitea@local.domain"
+    passwordMode: keepUpdated

  ## @param gitea.metrics.enabled Enable Gitea metrics
-  ## @param gitea.metrics.serviceMonitor.enabled Enable Gitea metrics service monitor
+  ## @param gitea.metrics.serviceMonitor.enabled Enable Gitea metrics service monitor. Requires, that `gitea.metrics.enabled` is also set to true, to enable metrics generally.
+  ## @param gitea.metrics.serviceMonitor.interval Interval at which metrics should be scraped. If not specified Prometheus' global scrape interval is used.
+  ## @param gitea.metrics.serviceMonitor.relabelings RelabelConfigs to apply to samples before scraping.
+  ## @param gitea.metrics.serviceMonitor.scheme HTTP scheme to use for scraping. For example `http` or `https`. Default is http.
+  ## @param gitea.metrics.serviceMonitor.scrapeTimeout Timeout after which the scrape is ended. If not specified, global Prometheus scrape timeout is used.
+  ## @param gitea.metrics.serviceMonitor.tlsConfig TLS configuration to use when scraping the metric endpoint by Prometheus.
  metrics:
    enabled: false
    serviceMonitor:
      enabled: false
      #  additionalLabels:
      #    prometheus-release: prom1
+      interval: ""
+      relabelings: []
+      scheme: ""
+      scrapeTimeout: ""
+      tlsConfig: {}

  ## @param gitea.ldap LDAP configuration
  ldap:
@ -477,10 +602,15 @@ gitea:
    failureThreshold: 10

 ## @section redis-cluster
-## @param redis-cluster.enabled Enable redis
+## @param redis-cluster.enabled Enable redis cluster
+# ⚠️ The redis charts do not work well with special characters in the password (<https://gitea.com/gitea/helm-chart/issues/690>).
+# Consider omitting such or open an issue in the Bitnami repo and let us know once this got fixed.
 ## @param redis-cluster.usePassword Whether to use password authentication
 ## @param redis-cluster.cluster.nodes Number of redis cluster master nodes
 ## @param redis-cluster.cluster.replicas Number of redis cluster master node replicas
+## @descriptionStart
+## Redis cluster and [Redis](#redis) cannot be enabled at the same time.
+## @descriptionEnd
 redis-cluster:
  enabled: true
  usePassword: false
@ -488,9 +618,28 @@ redis-cluster:
    nodes: 3 # default: 6
    replicas: 0 # default: 1

-## @section postgresql-ha
+## @section redis
+## @param redis.enabled Enable redis standalone or replicated
+## @param redis.architecture Whether to use standalone or replication
+# ⚠️ The redis charts do not work well with special characters in the password (<https://gitea.com/gitea/helm-chart/issues/690>).
+# Consider omitting such or open an issue in the Bitnami repo and let us know once this got fixed.
+## @param redis.global.redis.password Required password
+## @param redis.master.count Number of Redis master instances to deploy
+## @descriptionStart
+## Redis and [Redis cluster](#redis-cluster) cannot be enabled at the same time.
+## @descriptionEnd
+redis:
+  enabled: false
+  architecture: standalone
+  global:
+    redis:
+      password: changeme
+  master:
+    count: 1
+
+## @section PostgreSQL HA
 #
-## @param postgresql-ha.enabled Enable postgresql-ha
+## @param postgresql-ha.enabled Enable PostgreSQL HA
 ## @param postgresql-ha.postgresql.password Password for the `gitea` user (overrides `auth.password`)
 ## @param postgresql-ha.global.postgresql.database Name for a custom database to create (overrides `auth.database`)
 ## @param postgresql-ha.global.postgresql.username Name for a custom user to create (overrides `auth.username`)
@ -498,8 +647,8 @@ redis-cluster:
 ## @param postgresql-ha.postgresql.repmgrPassword Repmgr Password
 ## @param postgresql-ha.postgresql.postgresPassword postgres Password
 ## @param postgresql-ha.pgpool.adminPassword pgpool adminPassword
-## @param postgresql-ha.service.ports.postgresql postgresql service port (overrides `service.ports.postgresql`)
-## @param postgresql-ha.primary.persistence.size PVC Storage Request for postgresql-ha volume
+## @param postgresql-ha.service.ports.postgresql PostgreSQL service port (overrides `service.ports.postgresql`)
+## @param postgresql-ha.persistence.size PVC Storage Request for PostgreSQL HA volume
 postgresql-ha:
  global:
    postgresql:
@ -516,9 +665,8 @@ postgresql-ha:
  service:
    ports:
      postgresql: 5432
-  primary:
-    persistence:
-      size: 10Gi
+  persistence:
+    size: 10Gi

 ## @section PostgreSQL
 #