docs: set full path of values.yaml key in output to user (#832)

Currently, the reported path of the values to be changed is not always correct (especially `gitea.persistence` vs. `persistence`).

Co-authored-by: techknowlogick <techknowlogick@noreply.gitea.com>
Reviewed-on: https://gitea.com/gitea/helm-gitea/pulls/832
Reviewed-by: techknowlogick <techknowlogick@noreply.gitea.com>
Co-authored-by: bachorp <bachorp@noreply.gitea.com>
Co-committed-by: bachorp <bachorp@noreply.gitea.com>

.commitlintrc.json

@@ -0,0 +1,7 @@
+{
+  "extends": ["@commitlint/config-conventional"],
+  "rules": {
+    "type-enum": [2, "always", ["feat", "fix", "chore", "docs", "style", "refactor", "test", "perf", "ci", "WIP"]],
+    "type-case": [0, "always", "lower-case"]
+  }
+}

.gitea/PULL_REQUEST_TEMPLATE.md

@@ -23,7 +23,7 @@
 ### Applicable issues
 
 <!-- Enter any applicable Issues here (You can reference an issue using #). Please remove this section if there is no referenced issue. -->
-  - fixes #
+- Fixes #
 
 ### Additional information
 
@@ -39,4 +39,6 @@
 
 - [ ] Parameters are documented in the `values.yaml` and added to the `README.md` using [readme-generator-for-helm](https://github.com/bitnami-labs/readme-generator-for-helm)
 - [ ] Breaking changes are documented in the `README.md`
-- [ ] Templating unittests are added
+- [ ] Helm templating unittests are added (required when changing anything in `templates` folder)
+- [ ] Bash unittests are added (required when changing anything in `scripts` folder)
+- [ ] All added template resources MUST render a namespace in metadata

.gitea/workflows/changelog.yml

@@ -0,0 +1,32 @@
+name: changelog
+
+on:
+  push:
+    branches:
+      - main
+
+jobs:
+  changelog:
+    runs-on: ubuntu-latest
+    container: docker.io/thegeeklab/git-sv:1.0.12
+    steps:
+      - name: install tools
+        run: |
+          apk add -q --update --no-cache nodejs curl jq sed
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - name: Generate upcoming changelog
+        run: |
+          git sv rn -o changelog.md
+          export RELEASE_NOTES=$(cat changelog.md)
+          export ISSUE_NUMBER=$(curl -s "https://gitea.com/api/v1/repos/gitea/helm-gitea/issues?state=open&q=Changelog%20for%20upcoming%20version" | jq '.[].number')
+
+          echo $RELEASE_NOTES
+          JSON_DATA=$(echo "" | jq -Rs --arg title 'Changelog for upcoming version' --arg body "$(cat changelog.md)" '{title: $title, body: $body}')
+
+          if [ -z "$ISSUE_NUMBER" ]; then
+            curl -s -X POST "https://gitea.com/api/v1/repos/gitea/helm-gitea/issues" -H "Authorization: token ${{ secrets.ISSUE_RW_TOKEN }}" -H "Content-Type: application/json" -d "$JSON_DATA"
+          else
+            curl -s -X PATCH "https://gitea.com/api/v1/repos/gitea/helm-gitea/issues/$ISSUE_NUMBER" -H "Authorization: token ${{ secrets.ISSUE_RW_TOKEN }}" -H "Content-Type: application/json" -d "$JSON_DATA"
+          fi

.gitea/workflows/commitlint.yml

@@ -0,0 +1,19 @@
+name: commitlint
+
+on:
+  pull_request:
+    branches:
+      - "*"
+    types:
+      - opened
+      - edited
+
+jobs:
+  check-and-test:
+    runs-on: ubuntu-latest
+    container: commitlint/commitlint:19.7.1
+    steps:
+      - uses: actions/checkout@v4
+      - name: check PR title
+        run: |
+          echo "${{ gitea.event.pull_request.title }}" | commitlint --config .commitlintrc.json

.gitea/workflows/release-version.yml

@@ -7,7 +7,7 @@ on:
 
 env:
   # renovate: datasource=docker depName=alpine/helm
-  HELM_VERSION: "3.14.0"
+  HELM_VERSION: "3.17.1"
 
 jobs:
   generate-chart-publish:
@@ -19,20 +19,23 @@ jobs:
           apt update -y
           apt install -y curl ca-certificates curl gnupg
           # helm
-          curl https://baltocdn.com/helm/signing.asc | gpg --dearmor | tee /usr/share/keyrings/helm.gpg > /dev/null
-          echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/helm.gpg] https://baltocdn.com/helm/stable/debian/ all main" | tee /etc/apt/sources.list.d/helm-stable-debian.list
+          curl -O https://get.helm.sh/helm-v${{ env.HELM_VERSION }}-linux-amd64.tar.gz
+          tar -xzf helm-v${{ env.HELM_VERSION }}-linux-amd64.tar.gz
+          mv linux-amd64/helm /usr/local/bin/
+          rm -rf linux-amd64 helm-v${{ env.HELM_VERSION }}-linux-amd64.tar.gz
+          helm version
           # docker
           install -m 0755 -d /etc/apt/keyrings
-          curl -fsSL https://download.docker.com/linux/debian/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg
+          curl -fsSL https://download.docker.com/linux/ubuntu/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg
           chmod a+r /etc/apt/keyrings/docker.gpg
-          echo "deb [arch="$(dpkg --print-architecture)" signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian "$(. /etc/os-release && echo "$VERSION_CODENAME")" stable" | tee /etc/apt/sources.list.d/docker.list > /dev/null
+          echo "deb [arch="$(dpkg --print-architecture)" signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu "$(. /etc/os-release && echo "$VERSION_CODENAME")" stable" | tee /etc/apt/sources.list.d/docker.list > /dev/null
           apt update -y
-          apt install -y python helm=${{ env.HELM_VERSION }}-1 python3-pip apt-transport-https docker-ce-cli
-          pip install awscli
+          apt install -y python3 python3-pip apt-transport-https docker-ce-cli
+          pip install awscli --break-system-packages
 
       - name: Import GPG key
         id: import_gpg
-        uses: https://github.com/crazy-max/ghaction-import-gpg@v5
+        uses: https://github.com/crazy-max/ghaction-import-gpg@v6
         with:
           gpg_private_key: ${{ secrets.GPGSIGN_KEY }}
           passphrase: ${{ secrets.GPGSIGN_PASSPHRASE }}
@@ -46,7 +49,6 @@ jobs:
           helm plugin install https://github.com/pat-s/helm-gpg
           helm dependency build
           helm package --version "${GITHUB_REF#refs/tags/v}" ./
-          helm gpg sign "gitea-${GITHUB_REF#refs/tags/v}.tgz"
           mkdir gitea
           mv gitea*.tgz gitea/
           curl -s -L -o gitea/index.yaml https://dl.gitea.com/charts/index.yaml
@@ -57,7 +59,7 @@ jobs:
           helm registry logout registry-1.docker.io
 
       - name: aws credential configure
-        uses: https://github.com/aws-actions/configure-aws-credentials@v2
+        uses: https://github.com/aws-actions/configure-aws-credentials@v4
         with:
           aws-access-key-id: ${{ secrets.AWS_KEY_ID }}
           aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}

.gitea/workflows/test-pr.yml

@@ -7,21 +7,20 @@ on:
   push:
     branches:
       - main
-      - "renovate/**"
 
 env:
   # renovate: datasource=github-releases depName=helm-unittest/helm-unittest
-  HELM_UNITTEST_VERSION: "v0.4.1"
+  HELM_UNITTEST_VERSION: "v0.7.2"
 
 jobs:
   check-and-test:
     runs-on: ubuntu-latest
-    container: alpine/helm:3.14.0
+    container: alpine/helm:3.17.1
     steps:
       - name: install tools
         run: |
           apk update
-          apk add --update make nodejs npm yamllint
+          apk add --update bash make nodejs npm yamllint ncurses
       - uses: actions/checkout@v4
       - name: install chart dependencies
         run: helm dependency build
@@ -29,9 +28,14 @@ jobs:
         run: helm lint
       - name: template
         run: helm template --debug gitea-helm .
-      - name: unit tests
+      - name: prepare unit test environment
         run: |
           helm plugin install --version ${{ env.HELM_UNITTEST_VERSION }} https://github.com/helm-unittest/helm-unittest
+          git submodule update --init --recursive
+      - name: unit tests
+        env:
+          TERM: xterm
+        run: |
           make unittests
       - name: verify readme
         run: |

.gitmodules

@@ -0,0 +1,12 @@
+[submodule "unittests/bash/bats"]
+	path = unittests/bash/bats
+	url = https://github.com/bats-core/bats-core.git
+[submodule "unittests/bash/test_helper/bats-support"]
+	path = unittests/bash/test_helper/bats-support
+	url = https://github.com/bats-core/bats-support.git
+[submodule "unittests/bash/test_helper/bats-assert"]
+	path = unittests/bash/test_helper/bats-assert
+	url = https://github.com/bats-core/bats-assert.git
+[submodule "unittests/bash/test_helper/bats-mock"]
+	path = unittests/bash/test_helper/bats-mock
+	url = https://github.com/jasonkarns/bats-mock.git

.gitsv/config.yaml

@@ -0,0 +1,57 @@
+version: '1.1' # Configuration version.
+
+versioning:
+  update-major: [breaking] # Commit types used to bump major.
+  update-minor: [feat, perf] # Commit types used to bump minor.
+  update-patch: [build, ci, chore, fix, perf, refactor, test] # Commit types used to bump patch.
+  # When type is not present on update rules and is unknown (not mapped on commit message types);
+  # if ignore-unknown=false bump patch, if ignore-unknown=true do not bump version.
+  ignore-unknown: false
+
+tag:
+  pattern: 'v%d.%d.%d' # Pattern used to create git tag.
+  filter: '' # Enables you to filter for considerable tags using git pattern syntax.
+
+release-notes:
+  sections: # Array with each section of release note. Check template section for more information.
+    - name: Breaking Changes
+      section-type: breaking-changes
+    - name: Features # Name used on section.
+      section-type: commits # Type of the section, supported types: commits, breaking-changes.
+      commit-types: [feat, perf] # Commit types for commit section-type, one commit type cannot be in more than one section.
+    - name: Bug Fixes
+      section-type: commits
+      commit-types: [fix]
+    - name: Maintenance
+      section-type: commits
+      commit-types: [chore, refactor]
+    - name: Documentation
+      commit-types: [docs]
+      section-type: commits
+    - name: CI
+      commit-types: [ci]
+      section-type: commits
+
+branches: # Git branches config.
+  prefix: ([a-z]+\/)? # Prefix used on branch name, it should be a regex group.
+  suffix: (-.*)? # Suffix used on branch name, it should be a regex group.
+  disable-issue: false # Set true if there is no need to recover issue id from branch name.
+  skip: [] # List of branch names ignored on commit message validation.
+  skip-detached: false # Set true if a detached branch should be ignored on commit message validation.
+
+commit-message:
+  # Supported commit types.
+  types: [build, ci, chore, docs, feat, fix, perf, refactor, revert, style, test]
+  header-selector: '' # You can put in a regex here to select only a certain part of the commit message. Please define a regex group 'header'.
+  scope:
+    # Define supported scopes, if blank, scope will not be validated, if not, only scope listed will be valid.
+    # Don't forget to add "" on your list if you need to define scopes and keep it optional.
+    values: []
+  footer:
+    issue: # Use "issue: {}" if you wish to disable issue footer.
+      key: jira # Name used to define an issue on footer metadata.
+      key-synonyms: [Jira, JIRA] # Supported variations for footer metadata.
+      use-hash: false # If false, use :<space> separator. If true, use <space># separator.
+      add-value-prefix: '' # Add a prefix to issue value.
+  issue:
+    regex: '[A-Z]+-[0-9]+' # Regex for issue id.

.helmignore

@@ -5,6 +5,7 @@
 # Common VCS dirs
 .git/
 .gitignore
+.gitmodules
 .bzr/
 .bzrignore
 .hg/
@@ -31,3 +32,10 @@ Makefile
 .drone.yml
 CONTRIBUTING.md
 unittests/
+.editorconfig
+.prettierignore
+.yamllint
+CODEOWNERS
+renovate.json5
+.commitlintrc.json
+.gitsv/

.markdownlint.yaml

@@ -129,6 +129,7 @@ MD041:
 MD044:
   # List of proper names
   names:
+    - docker.gitea.com
     - Gitea
     - PostgreSQL
     - Memcached

.vscode/extensions.json

@@ -3,6 +3,7 @@
         "yzhang.markdown-all-in-one",
         "DavidAnson.vscode-markdownlint",
         "Tim-Koehler.helm-intellisense",
-        "esbenp.prettier-vscode"
+        "esbenp.prettier-vscode",
+        "jetmartin.bats"
     ]
   }

.vscode/settings.json

@@ -1,8 +1,15 @@
 {
     "yaml.schemas": {
-        "https://raw.githubusercontent.com/helm-unittest/helm-unittest/v0.4.1/schema/helm-testsuite.json": [
+        "https://raw.githubusercontent.com/helm-unittest/helm-unittest/v0.7.2/schema/helm-testsuite.json": [
             "/unittests/**/*.yaml"
         ]
     },
-    "yaml.schemaStore.enable": true
+    "yaml.schemaStore.enable": true,
+    "[bats]": {
+        "editor.tabSize": 2
+    },
+    "[shellscript]": {
+        "files.eol": "\n",
+        "editor.tabSize": 2
+    }
 }

.yamllint

@@ -5,7 +5,7 @@ ignore: |
   .yamllint
   node_modules
   templates
-
+  unittests/bash
 
 rules:
   truthy:
@@ -17,4 +17,4 @@ rules:
   comments:
     min-spaces-from-content: 1
   braces:
-    max-spaces-inside: 2
+    max-spaces-inside: 2

CODEOWNERS

@@ -0,0 +1 @@
+* @justusbunsi @pat-s

CONTRIBUTING.md

@@ -29,6 +29,7 @@ When submitting or updating a PR:
 - try to avoid rebases. They make code reviews for large PRs and comments much harder.
 - if applicable, use the PR template for a well-defined PR description.
 - clearly mark breaking changes.
+- format the PR title following the [conventional commits](https://www.conventionalcommits.org/en/v1.0.0/#specification) schema
 
 ## Local development & testing
 
@@ -37,7 +38,7 @@ be used:
 
 1. Install `minikube` and `helm`.
 1. Start a `minikube` cluster via `minikube start`.
-1. From the `gitea/helm-chart` directory execute the following command.
+1. From the `gitea/helm-gitea` directory execute the following command.
    This will install the dependencies listed in `Chart.yml` and deploy the current state of the helm chart found locally.
    If you want to test a branch, make sure to switch to the respective branch first.
    `helm install --dependency-update gitea . -f values.yaml`.
@@ -48,16 +49,30 @@ default port-forward svc/gitea-http 3000:3000`.
 
 ### Unit tests
 
+#### Helm templating tests
+
 ```bash
 # install the unittest plugin
 $ helm plugin install https://github.com/helm-unittest/helm-unittest
 
-# run the unittests
-make unittests
+# run the Helm unittests
+make unittests-helm
 ```
 
 See [plugin documentation](https://github.com/helm-unittest/helm-unittest/blob/main/DOCUMENT.md) for usage instructions.
 
+#### Bash script tests
+
+```bash
+# setup the environment
+git submodule update --init --recursive
+
+# run the bash tests
+make unittests-bash
+```
+
+See [bats documentation](https://bats-core.readthedocs.io/en/stable/) for usage instructions.
+
 ## Release process
 
 1. Create a tag following the tagging schema

Chart.lock

@@ -1,12 +1,15 @@
 dependencies:
 - name: postgresql
   repository: oci://registry-1.docker.io/bitnamicharts
-  version: 13.4.6
+  version: 16.4.14
 - name: postgresql-ha
   repository: oci://registry-1.docker.io/bitnamicharts
-  version: 12.8.2
+  version: 15.2.3
 - name: redis-cluster
   repository: oci://registry-1.docker.io/bitnamicharts
-  version: 9.5.20
-digest: sha256:10ca7303e61effbe02163c0df6ed1a87f25d71edd44d1aadae971f56679ae985
-generated: "2024-02-17T00:21:51.363456958Z"
+  version: 11.4.3
+- name: redis
+  repository: oci://registry-1.docker.io/bitnamicharts
+  version: 20.8.0
+digest: sha256:ce1a2a02c3e1adb764cae42ccce1efd2d41adb5024576e6d8a92b30b8dfe67db
+generated: "2025-02-23T00:12:41.541107288Z"

Chart.yaml

@@ -3,7 +3,8 @@ name: gitea
 description: Gitea Helm chart for Kubernetes
 type: application
 version: 0.0.0
-appVersion: 1.21.6
+# renovate datasource=github-releases depName=go-gitea/gitea extractVersion=^v(?<version>.*)$
+appVersion: 1.23.6
 icon: https://gitea.com/assets/img/logo.svg
 
 keywords:
@@ -14,9 +15,9 @@ keywords:
   - gitea
   - gogs
 sources:
-  - https://gitea.com/gitea/helm-chart
+  - https://gitea.com/gitea/helm-gitea
   - https://github.com/go-gitea/gitea
-  - https://hub.docker.com/r/gitea/gitea/
+  - https://docker.gitea.com/gitea
 maintainers:
   - name: Charlie Drage
     email: charlie@charliedrage.com
@@ -35,15 +36,20 @@ dependencies:
   # https://github.com/bitnami/charts/blob/main/bitnami/postgresql
   - name: postgresql
     repository: oci://registry-1.docker.io/bitnamicharts
-    version: 13.4.6
+    version: 16.4.14
     condition: postgresql.enabled
   # https://github.com/bitnami/charts/blob/main/bitnami/postgresql-ha/Chart.yaml
   - name: postgresql-ha
     repository: oci://registry-1.docker.io/bitnamicharts
-    version: 12.8.2
+    version: 15.2.3
     condition: postgresql-ha.enabled
   # https://github.com/bitnami/charts/blob/main/bitnami/redis-cluster/Chart.yaml
   - name: redis-cluster
     repository: oci://registry-1.docker.io/bitnamicharts
-    version: 9.5.20
+    version: 11.4.3
     condition: redis-cluster.enabled
+  # https://github.com/bitnami/charts/blob/main/bitnami/redis/Chart.yaml
+  - name: redis
+    repository: oci://registry-1.docker.io/bitnamicharts
+    version: 20.8.0
+    condition: redis.enabled

Makefile

@@ -1,3 +1,5 @@
+SHELL := /usr/bin/env bash -O globstar
+
 .PHONY: prepare-environment
 prepare-environment:
 	npm install
@@ -8,8 +10,15 @@ readme: prepare-environment
 	npm run readme:lint
 
 .PHONY: unittests
-unittests:
-	helm unittest --strict -f 'unittests/**/*.yaml' -f 'unittests/dependency-major-image-check.yaml' ./
+unittests: unittests-helm unittests-bash
+
+.PHONY: unittests-helm
+unittests-helm:
+	helm unittest --strict -f 'unittests/helm/**/*.yaml' -f 'unittests/helm/values-conflicting-checks.yaml' ./
+
+.PHONY: unittests-bash
+unittests-bash:
+	./unittests/bash/bats/bin/bats --pretty ./unittests/bash/tests/**/*.bats
 
 .PHONY: helm
 update-helm-dependencies:

README.md

@@ -8,6 +8,7 @@
   - [Dependency Versioning](#dependency-versioning)
 - [Installing](#installing)
 - [High Availability](#high-availability)
+- [Limit resources](#limit-resources)
 - [Configuration](#configuration)
   - [Default Configuration](#default-configuration)
     - [Database defaults](#database-defaults)
@@ -30,6 +31,7 @@
   - [OAuth2 Settings](#oauth2-settings)
 - [Configure commit signing](#configure-commit-signing)
 - [Metrics and profiling](#metrics-and-profiling)
+  - [Secure Metrics Endpoint](#secure-metrics-endpoint)
 - [Pod annotations](#pod-annotations)
 - [Themes](#themes)
 - [Renovate](#renovate)
@@ -45,12 +47,14 @@
   - [Persistence](#persistence-1)
   - [Init](#init)
   - [Signing](#signing)
+  - [Gitea Actions](#gitea-actions)
   - [Gitea](#gitea)
   - [LivenessProbe](#livenessprobe)
   - [ReadinessProbe](#readinessprobe)
   - [StartupProbe](#startupprobe)
   - [redis-cluster](#redis-cluster)
-  - [PostgreSQL-ha](#postgresql-ha)
+  - [redis](#redis)
+  - [PostgreSQL HA](#postgresql-ha)
   - [PostgreSQL](#postgresql)
   - [Advanced](#advanced)
 - [Contributing](#contributing)
@@ -68,7 +72,7 @@ Additionally, this chart allows to provide LDAP and admin user configuration wit
 ## Update and versioning policy
 
 The Gitea helm chart versioning does not follow Gitea's versioning.
-The latest chart version can be looked up in [https://dl.gitea.com/charts](https://dl.gitea.com/charts) or in the [repository releases](https://gitea.com/gitea/helm-chart/releases).
+The latest chart version can be looked up in [https://dl.gitea.com/charts](https://dl.gitea.com/charts) or in the [repository releases](https://gitea.com/gitea/helm-gitea/releases).
 
 The chart aims to follow Gitea's releases closely.
 There might be times when the chart is behind the latest Gitea release.
@@ -98,7 +102,8 @@ These dependencies are enabled by default:
 
 Alternatively, the following non-HA replacements are available:
 
-- PostgreSQL ([Bitnami PostgreSQL](postgresql](https://github.com/bitnami/charts/blob/main/bitnami/postgresql/Chart.yaml)))
+- PostgreSQL ([Bitnami PostgreSQL](<Postgresql](https://github.com/bitnami/charts/blob/main/bitnami/postgresql/Chart.yaml)>))
+- Redis ([Bitnami Redis](<Redis](https://github.com/bitnami/charts/blob/main/bitnami/redis/Chart.yaml)>))
 
 ### Dependency Versioning
 
@@ -117,6 +122,7 @@ Please double-check the image repository and available tags in the sub-chart:
 - [PostgreSQL-HA](https://hub.docker.com/r/bitnami/postgresql-repmgr/tags)
 - [PostgreSQL](https://hub.docker.com/r/bitnami/postgresql/tags)
 - [Redis Cluster](https://hub.docker.com/r/bitnami/redis-cluster/tags)
+- [Redis](https://hub.docker.com/r/bitnami/redis/tags)
 
 and look up the image tag which fits your needs on Dockerhub.
 
@@ -134,6 +140,12 @@ Alternatively, the chart can also be installed from Dockerhub (since v9.6.0)
 helm install gitea oci://registry-1.docker.io/giteacharts/gitea
 ```
 
+To avoid potential Dockerhub rate limits, the chart can also be installed via [docker.gitea.com](https://blog.gitea.com/docker-registry-update/) (since v9.6.0)
+
+```sh
+helm install gitea oci://docker.gitea.com/charts/gitea
+```
+
 When upgrading, please refer to the [Upgrading](#upgrading) section at the bottom of this document for major and breaking changes.
 
 ## High Availability
@@ -144,6 +156,44 @@ Care must be taken for production use as not all implementation details of Gitea
 Deploying a HA-ready Gitea instance requires some effort including using HA-ready dependencies.
 See the [HA Setup](docs/ha-setup.md) document for more details.
 
+## Limit resources
+
+If the application is deployed with a CPU resource limit, Prometheus may throw a CPU throttling warning for the
+application. This has more or less to do with the fact that the application finds the number of CPUs of the host, but
+cannot use the available CPU time to perform computing operations.
+
+The application must be informed that despite several CPUs only a part (limit) of the available computing time is
+available. As this is a Golang application, this can be implemented using `GOMAXPROCS`. The following example is one way
+of defining `GOMAXPROCS` automatically based on the defined CPU limit like `1000m`. Please keep in mind, that the CFS
+rate of `100ms` - default on each kubernetes node, is also very important to avoid CPU throttling.
+
+Further information about this topic can be found [here](https://kanishk.io/posts/cpu-throttling-in-containerized-go-apps/).
+
+> [!NOTE]
+> The environment variable `GOMAXPROCS` is set automatically, when a CPU limit is defined. An explicit configuration is
+> not anymore required.
+>
+> Please note that a CPU limit < `1000m` can also lead to CPU throttling. Please read the linked documentation carefully.
+
+```yaml
+deployment:
+  env:
+  # Will be automatically defined!
+  - name: GOMAXPROCS
+    valueFrom:
+      resourceFieldRef:
+        divisor: "1" # Is required for GitDevOps systems like ArgoCD/Flux. Otherwise throw the system a diff error. (k8s-default=1)
+        resource: limits.cpu
+
+resources:
+  limits:
+    cpu: 1000m
+    memory: 512Mi
+  requests:
+    cpu: 100m
+    memory: 512Mi
+```
+
 ## Configuration
 
 Gitea offers lots of configuration options.
@@ -244,7 +294,7 @@ External tools such as `redis-cluster` or `memcached` handle these workloads muc
 
 If HA is not needed/desired, the following configurations can be used to deploy a single-pod Gitea instance.
 
-1. For a production-ready single-pod Gitea instance without external dependencies (using the chart dependency `postgresql`):
+1. For a production-ready single-pod Gitea instance without external dependencies (using the chart dependency `postgresql` and `redis`):
 
    <details>
 
@@ -253,6 +303,8 @@ If HA is not needed/desired, the following configurations can be used to deploy
    ```yaml
    redis-cluster:
      enabled: false
+   redis:
+     enabled: true
    postgresql:
      enabled: true
    postgresql-ha:
@@ -265,12 +317,6 @@ If HA is not needed/desired, the following configurations can be used to deploy
      config:
        database:
          DB_TYPE: postgres
-       session:
-         PROVIDER: db
-       cache:
-         ADAPTER: memory
-       queue:
-         TYPE: level
        indexer:
          ISSUE_INDEXER_TYPE: bleve
          REPO_INDEXER_ENABLED: true
@@ -290,6 +336,8 @@ If HA is not needed/desired, the following configurations can be used to deploy
    ```yaml
    redis-cluster:
      enabled: false
+   redis:
+     enabled: false
    postgresql:
      enabled: false
    postgresql-ha:
@@ -419,6 +467,9 @@ gitea:
 
 postgresql:
   enabled: false
+
+postgresql-ha:
+  enabled: false
 ```
 
 ### Ports and external url
@@ -483,7 +534,7 @@ and the repository exists.
 ```
 
 To solve this problem add the capability `SYS_CHROOT` to the `securityContext`.
-More about this issue [here](https://gitea.com/gitea/helm-chart/issues/161).
+More about this issue [here](https://gitea.com/gitea/helm-gitea/issues/161).
 
 ### Cache
 
@@ -497,6 +548,9 @@ redis-cluster:
   enabled: true
 ```
 
+⚠️ The redis charts [do not work well with special characters in the password](https://gitea.com/gitea/helm-gitea/issues/690).
+Consider omitting such or open an issue in the Bitnami repo and let us know once this got fixed.
+
 ### Persistence
 
 Gitea will be deployed as a deployment.
@@ -530,7 +584,7 @@ You can interact with the postgres settings as displayed in the following exampl
 postgresql:
   persistence:
     enabled: true
-    claimName: MyAwesomeGiteaPostgresClaim
+    existingClaim: MyAwesomeGiteaPostgresClaim
 ```
 
 ### Admin User
@@ -568,6 +622,20 @@ gitea:
     existingSecret: gitea-admin-secret
 ```
 
+Whether you use the existing Secret or specify a user name and password, there are three modes for how the admin user password is created or set.
+
+- `keepUpdated` (the default) will set the admin user password, and reset it to the defined value every time the pod is recreated.
+- `initialOnlyNoReset` will set the admin user password when creating it, but never try to update the password.
+- `initialOnlyRequireReset` will set the admin user password when creating it, never update it, and require that the password be changed at the initial login.
+
+These modes can be set like the following:
+
+```yaml
+gitea:
+  admin:
+    passwordMode: initialOnlyRequireReset
+```
+
 ### LDAP Settings
 
 Like the admin user the LDAP settings can be updated.
@@ -671,7 +739,7 @@ gitea:
 
 When using the rootless image the gpg key folder is not persistent by default.
 If you consider using signed commits for internal Gitea activities (e.g. initial commit), you'd need to provide a signing key.
-Prior to [PR186](https://gitea.com/gitea/helm-chart/pulls/186), imported keys had to be re-imported once the container got replaced by another.
+Prior to [PR186](https://gitea.com/gitea/helm-gitea/pulls/186), imported keys had to be re-imported once the container got replaced by another.
 
 The mentioned PR introduced a new configuration object `signing` allowing you to configure prerequisites for commit signing.
 By default this section is disabled to maintain backwards compatibility.
@@ -725,6 +793,21 @@ gitea:
       ENABLE_PPROF: true
 ```
 
+### Secure Metrics Endpoint
+
+Metrics endpoint `/metrics` can be secured by using `Bearer` token authentication.
+
+**Note:** Providing non-empty `TOKEN` value will also require authentication for `ServiceMonitor`.
+
+```yaml
+gitea:
+  metrics:
+    token: "secure-token"
+    enabled: true
+    serviceMonitor:
+      enabled: true
+```
+
 ## Pod annotations
 
 Annotations can be added to the Gitea pod.
@@ -834,13 +917,14 @@ To comply with the Gitea helm chart definition of the digest parameter, a "custo
 
 ### Global
 
-| Name                      | Description                                                               | Value |
-| ------------------------- | ------------------------------------------------------------------------- | ----- |
-| `global.imageRegistry`    | global image registry override                                            | `""`  |
-| `global.imagePullSecrets` | global image pull secrets override; can be extended by `imagePullSecrets` | `[]`  |
-| `global.storageClass`     | global storage class override                                             | `""`  |
-| `global.hostAliases`      | global hostAliases which will be added to the pod's hosts files           | `[]`  |
-| `replicaCount`            | number of replicas for the deployment                                     | `1`   |
+| Name                      | Description                                                                                    | Value |
+| ------------------------- | ---------------------------------------------------------------------------------------------- | ----- |
+| `global.imageRegistry`    | global image registry override                                                                 | `""`  |
+| `global.imagePullSecrets` | global image pull secrets override; can be extended by `imagePullSecrets`                      | `[]`  |
+| `global.storageClass`     | global storage class override                                                                  | `""`  |
+| `global.hostAliases`      | global hostAliases which will be added to the pod's hosts files                                | `[]`  |
+| `namespace`               | An explicit namespace to deploy Gitea into. Defaults to the release namespace if not specified | `""`  |
+| `replicaCount`            | number of replicas for the deployment                                                          | `1`   |
 
 ### strategy
 
@@ -853,16 +937,16 @@ To comply with the Gitea helm chart definition of the digest parameter, a "custo
 
 ### Image
 
-| Name                 | Description                                                                                                                                                      | Value          |
-| -------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------- |
-| `image.registry`     | image registry, e.g. gcr.io,docker.io                                                                                                                            | `""`           |
-| `image.repository`   | Image to start for this pod                                                                                                                                      | `gitea/gitea`  |
-| `image.tag`          | Visit: [Image tag](https://hub.docker.com/r/gitea/gitea/tags?page=1&ordering=last_updated). Defaults to `appVersion` within Chart.yaml.                          | `""`           |
-| `image.digest`       | Image digest. Allows to pin the given image tag. Useful for having control over mutable tags like `latest`                                                       | `""`           |
-| `image.pullPolicy`   | Image pull policy                                                                                                                                                | `IfNotPresent` |
-| `image.rootless`     | Wether or not to pull the rootless version of Gitea, only works on Gitea 1.14.x or higher                                                                        | `true`         |
-| `image.fullOverride` | Completely overrides the image registry, path/image, tag and digest. **Adjust `image.rootless` accordingly and review [Rootless defaults](#rootless-defaults).** | `""`           |
-| `imagePullSecrets`   | Secret to use for pulling the image                                                                                                                              | `[]`           |
+| Name                 | Description                                                                                                                                                      | Value              |
+| -------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------ |
+| `image.registry`     | image registry, e.g. gcr.io,docker.io                                                                                                                            | `docker.gitea.com` |
+| `image.repository`   | Image to start for this pod                                                                                                                                      | `gitea`            |
+| `image.tag`          | Visit: [Image tag](https://hub.docker.com/r/gitea/gitea/tags?page=1&ordering=last_updated). Defaults to `appVersion` within Chart.yaml.                          | `""`               |
+| `image.digest`       | Image digest. Allows to pin the given image tag. Useful for having control over mutable tags like `latest`                                                       | `""`               |
+| `image.pullPolicy`   | Image pull policy                                                                                                                                                | `IfNotPresent`     |
+| `image.rootless`     | Wether or not to pull the rootless version of Gitea, only works on Gitea 1.14.x or higher                                                                        | `true`             |
+| `image.fullOverride` | Completely overrides the image registry, path/image, tag and digest. **Adjust `image.rootless` accordingly and review [Rootless defaults](#rootless-defaults).** | `""`               |
+| `imagePullSecrets`   | Secret to use for pulling the image                                                                                                                              | `[]`               |
 
 ### Security
 
@@ -889,6 +973,7 @@ To comply with the Gitea helm chart definition of the digest parameter, a "custo
 | `service.http.loadBalancerSourceRanges` | Source range filter for http loadbalancer                                                                                                                                                            | `[]`        |
 | `service.http.annotations`              | HTTP service annotations                                                                                                                                                                             | `{}`        |
 | `service.http.labels`                   | HTTP service additional labels                                                                                                                                                                       | `{}`        |
+| `service.http.loadBalancerClass`        | Loadbalancer class                                                                                                                                                                                   | `nil`       |
 | `service.ssh.type`                      | Kubernetes service type for ssh traffic                                                                                                                                                              | `ClusterIP` |
 | `service.ssh.port`                      | Port number for ssh traffic                                                                                                                                                                          | `22`        |
 | `service.ssh.clusterIP`                 | ClusterIP setting for ssh autosetup for deployment is None                                                                                                                                           | `None`      |
@@ -902,6 +987,7 @@ To comply with the Gitea helm chart definition of the digest parameter, a "custo
 | `service.ssh.loadBalancerSourceRanges`  | Source range filter for ssh loadbalancer                                                                                                                                                             | `[]`        |
 | `service.ssh.annotations`               | SSH service annotations                                                                                                                                                                              | `{}`        |
 | `service.ssh.labels`                    | SSH service additional labels                                                                                                                                                                        | `{}`        |
+| `service.ssh.loadBalancerClass`         | Loadbalancer class                                                                                                                                                                                   | `nil`       |
 
 ### Ingress
 
@@ -959,6 +1045,7 @@ To comply with the Gitea helm chart definition of the digest parameter, a "custo
 | `persistence.storageClass`                        | Name of the storage class to use                                                                      | `nil`                  |
 | `persistence.subPath`                             | Subdirectory of the volume to mount at                                                                | `nil`                  |
 | `persistence.volumeName`                          | Name of persistent volume in PVC                                                                      | `""`                   |
+| `extraContainers`                                 | Additional sidecar containers to run in the pod                                                       | `[]`                   |
 | `extraVolumes`                                    | Additional volumes to mount to the Gitea deployment                                                   | `[]`                   |
 | `extraContainerVolumeMounts`                      | Mounts that are only mapped into the Gitea runtime/main container, to e.g. override custom templates. | `[]`                   |
 | `extraInitVolumeMounts`                           | Mounts that are only mapped into the init-containers. Can be used for additional preconfiguration.    | `[]`                   |
@@ -979,27 +1066,72 @@ To comply with the Gitea helm chart definition of the digest parameter, a "custo
 | ------------------------ | ----------------------------------------------------------------- | ------------------ |
 | `signing.enabled`        | Enable commit/action signing                                      | `false`            |
 | `signing.gpgHome`        | GPG home directory                                                | `/data/git/.gnupg` |
-| `signing.privateKey`     | Inline private gpg key for signed Gitea actions                   | `""`               |
+| `signing.privateKey`     | Inline private gpg key for signed internal Git activity           | `""`               |
 | `signing.existingSecret` | Use an existing secret to store the value of `signing.privateKey` | `""`               |
 
+### Gitea Actions
+
+| Name                                              | Description                                                                                                                                 | Value                          |
+| ------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------ |
+| `actions.enabled`                                 | Create an act runner StatefulSet.                                                                                                           | `false`                        |
+| `actions.init.image.repository`                   | The image used for the init containers                                                                                                      | `busybox`                      |
+| `actions.init.image.tag`                          | The image tag used for the init containers                                                                                                  | `1.37.0`                       |
+| `actions.statefulset.annotations`                 | Act runner annotations                                                                                                                      | `{}`                           |
+| `actions.statefulset.labels`                      | Act runner labels                                                                                                                           | `{}`                           |
+| `actions.statefulset.resources`                   | Act runner resources                                                                                                                        | `{}`                           |
+| `actions.statefulset.nodeSelector`                | NodeSelector for the statefulset                                                                                                            | `{}`                           |
+| `actions.statefulset.tolerations`                 | Tolerations for the statefulset                                                                                                             | `[]`                           |
+| `actions.statefulset.affinity`                    | Affinity for the statefulset                                                                                                                | `{}`                           |
+| `actions.statefulset.extraVolumes`                | Extra volumes for the statefulset                                                                                                           | `[]`                           |
+| `actions.statefulset.actRunner.repository`        | The Gitea act runner image                                                                                                                  | `gitea/act_runner`             |
+| `actions.statefulset.actRunner.tag`               | The Gitea act runner tag                                                                                                                    | `0.2.11`                       |
+| `actions.statefulset.actRunner.pullPolicy`        | The Gitea act runner pullPolicy                                                                                                             | `IfNotPresent`                 |
+| `actions.statefulset.actRunner.extraVolumeMounts` | Allows mounting extra volumes in the act runner container                                                                                   | `[]`                           |
+| `actions.statefulset.actRunner.config`            | Act runner custom configuration. See [Act Runner documentation](https://docs.gitea.com/usage/actions/act-runner#configuration) for details. | `Too complex. See values.yaml` |
+| `actions.statefulset.dind.repository`             | The Docker-in-Docker image                                                                                                                  | `docker`                       |
+| `actions.statefulset.dind.tag`                    | The Docker-in-Docker image tag                                                                                                              | `25.0.2-dind`                  |
+| `actions.statefulset.dind.pullPolicy`             | The Docker-in-Docker pullPolicy                                                                                                             | `IfNotPresent`                 |
+| `actions.statefulset.dind.extraVolumeMounts`      | Allows mounting extra volumes in the Docker-in-Docker container                                                                             | `[]`                           |
+| `actions.statefulset.dind.extraEnvs`              | Allows adding custom environment variables, such as `DOCKER_IPTABLES_LEGACY`                                                                | `[]`                           |
+| `actions.provisioning.enabled`                    | Create a job that will create and save the token in a Kubernetes Secret                                                                     | `false`                        |
+| `actions.provisioning.annotations`                | Job's annotations                                                                                                                           | `{}`                           |
+| `actions.provisioning.labels`                     | Job's labels                                                                                                                                | `{}`                           |
+| `actions.provisioning.resources`                  | Job's resources                                                                                                                             | `{}`                           |
+| `actions.provisioning.nodeSelector`               | NodeSelector for the job                                                                                                                    | `{}`                           |
+| `actions.provisioning.tolerations`                | Tolerations for the job                                                                                                                     | `[]`                           |
+| `actions.provisioning.affinity`                   | Affinity for the job                                                                                                                        | `{}`                           |
+| `actions.provisioning.ttlSecondsAfterFinished`    | ttl for the job after finished in order to allow helm to properly recognize that the job completed                                          | `300`                          |
+| `actions.provisioning.publish.repository`         | The image that can create the secret via kubectl                                                                                            | `bitnami/kubectl`              |
+| `actions.provisioning.publish.tag`                | The publish image tag that can create the secret                                                                                            | `1.29.0`                       |
+| `actions.provisioning.publish.pullPolicy`         | The publish image pullPolicy that can create the secret                                                                                     | `IfNotPresent`                 |
+| `actions.existingSecret`                          | Secret that contains the token                                                                                                              | `""`                           |
+| `actions.existingSecretKey`                       | Secret key                                                                                                                                  | `""`                           |
+
 ### Gitea
 
-| Name                                   | Description                                                               | Value                |
-| -------------------------------------- | ------------------------------------------------------------------------- | -------------------- |
-| `gitea.admin.username`                 | Username for the Gitea admin user                                         | `gitea_admin`        |
-| `gitea.admin.existingSecret`           | Use an existing secret to store admin user credentials                    | `nil`                |
-| `gitea.admin.password`                 | Password for the Gitea admin user                                         | `r8sA8CPHD9!bt6d`    |
-| `gitea.admin.email`                    | Email for the Gitea admin user                                            | `gitea@local.domain` |
-| `gitea.metrics.enabled`                | Enable Gitea metrics                                                      | `false`              |
-| `gitea.metrics.serviceMonitor.enabled` | Enable Gitea metrics service monitor                                      | `false`              |
-| `gitea.ldap`                           | LDAP configuration                                                        | `[]`                 |
-| `gitea.oauth`                          | OAuth configuration                                                       | `[]`                 |
-| `gitea.config.server.SSH_PORT`         | SSH port for rootlful Gitea image                                         | `22`                 |
-| `gitea.config.server.SSH_LISTEN_PORT`  | SSH port for rootless Gitea image                                         | `2222`               |
-| `gitea.additionalConfigSources`        | Additional configuration from secret or configmap                         | `[]`                 |
-| `gitea.additionalConfigFromEnvs`       | Additional configuration sources from environment variables               | `[]`                 |
-| `gitea.podAnnotations`                 | Annotations for the Gitea pod                                             | `{}`                 |
-| `gitea.ssh.logLevel`                   | Configure OpenSSH's log level. Only available for root-based Gitea image. | `INFO`               |
+| Name                                         | Description                                                                                                                    | Value                |
+| -------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------ | -------------------- |
+| `gitea.admin.username`                       | Username for the Gitea admin user                                                                                              | `gitea_admin`        |
+| `gitea.admin.existingSecret`                 | Use an existing secret to store admin user credentials                                                                         | `nil`                |
+| `gitea.admin.password`                       | Password for the Gitea admin user                                                                                              | `r8sA8CPHD9!bt6d`    |
+| `gitea.admin.email`                          | Email for the Gitea admin user                                                                                                 | `gitea@local.domain` |
+| `gitea.admin.passwordMode`                   | Mode for how to set/update the admin user password. Options are: initialOnlyNoReset, initialOnlyRequireReset, and keepUpdated  | `keepUpdated`        |
+| `gitea.metrics.enabled`                      | Enable Gitea metrics                                                                                                           | `false`              |
+| `gitea.metrics.token`                        | used for `bearer` token authentication on metrics endpoint. If not specified or empty metrics endpoint is public.              | `nil`                |
+| `gitea.metrics.serviceMonitor.enabled`       | Enable Gitea metrics service monitor. Requires, that `gitea.metrics.enabled` is also set to true, to enable metrics generally. | `false`              |
+| `gitea.metrics.serviceMonitor.interval`      | Interval at which metrics should be scraped. If not specified Prometheus' global scrape interval is used.                      | `""`                 |
+| `gitea.metrics.serviceMonitor.relabelings`   | RelabelConfigs to apply to samples before scraping.                                                                            | `[]`                 |
+| `gitea.metrics.serviceMonitor.scheme`        | HTTP scheme to use for scraping. For example `http` or `https`. Default is http.                                               | `""`                 |
+| `gitea.metrics.serviceMonitor.scrapeTimeout` | Timeout after which the scrape is ended. If not specified, global Prometheus scrape timeout is used.                           | `""`                 |
+| `gitea.metrics.serviceMonitor.tlsConfig`     | TLS configuration to use when scraping the metric endpoint by Prometheus.                                                      | `{}`                 |
+| `gitea.ldap`                                 | LDAP configuration                                                                                                             | `[]`                 |
+| `gitea.oauth`                                | OAuth configuration                                                                                                            | `[]`                 |
+| `gitea.config.server.SSH_PORT`               | SSH port for rootlful Gitea image                                                                                              | `22`                 |
+| `gitea.config.server.SSH_LISTEN_PORT`        | SSH port for rootless Gitea image                                                                                              | `2222`               |
+| `gitea.additionalConfigSources`              | Additional configuration from secret or configmap                                                                              | `[]`                 |
+| `gitea.additionalConfigFromEnvs`             | Additional configuration sources from environment variables                                                                    | `[]`                 |
+| `gitea.podAnnotations`                       | Annotations for the Gitea pod                                                                                                  | `{}`                 |
+| `gitea.ssh.logLevel`                         | Configure OpenSSH's log level. Only available for root-based Gitea image.                                                      | `INFO`               |
 
 ### LivenessProbe
 
@@ -1039,18 +1171,31 @@ To comply with the Gitea helm chart definition of the digest parameter, a "custo
 
 ### redis-cluster
 
+Redis cluster and [Redis](#redis) cannot be enabled at the same time.
+
 | Name                             | Description                                  | Value   |
 | -------------------------------- | -------------------------------------------- | ------- |
-| `redis-cluster.enabled`          | Enable redis                                 | `true`  |
+| `redis-cluster.enabled`          | Enable redis cluster                         | `true`  |
 | `redis-cluster.usePassword`      | Whether to use password authentication       | `false` |
 | `redis-cluster.cluster.nodes`    | Number of redis cluster master nodes         | `3`     |
 | `redis-cluster.cluster.replicas` | Number of redis cluster master node replicas | `0`     |
 
-### PostgreSQL-ha
+### redis
+
+Redis and [Redis cluster](#redis-cluster) cannot be enabled at the same time.
+
+| Name                          | Description                                | Value        |
+| ----------------------------- | ------------------------------------------ | ------------ |
+| `redis.enabled`               | Enable redis standalone or replicated      | `false`      |
+| `redis.architecture`          | Whether to use standalone or replication   | `standalone` |
+| `redis.global.redis.password` | Required password                          | `changeme`   |
+| `redis.master.count`          | Number of Redis master instances to deploy | `1`          |
+
+### PostgreSQL HA
 
 | Name                                        | Description                                                      | Value       |
 | ------------------------------------------- | ---------------------------------------------------------------- | ----------- |
-| `postgresql-ha.enabled`                     | Enable PostgreSQL-ha                                             | `true`      |
+| `postgresql-ha.enabled`                     | Enable PostgreSQL HA                                             | `true`      |
 | `postgresql-ha.postgresql.password`         | Password for the `gitea` user (overrides `auth.password`)        | `changeme4` |
 | `postgresql-ha.global.postgresql.database`  | Name for a custom database to create (overrides `auth.database`) | `gitea`     |
 | `postgresql-ha.global.postgresql.username`  | Name for a custom user to create (overrides `auth.username`)     | `gitea`     |
@@ -1059,7 +1204,7 @@ To comply with the Gitea helm chart definition of the digest parameter, a "custo
 | `postgresql-ha.postgresql.postgresPassword` | postgres Password                                                | `changeme1` |
 | `postgresql-ha.pgpool.adminPassword`        | pgpool adminPassword                                             | `changeme3` |
 | `postgresql-ha.service.ports.postgresql`    | PostgreSQL service port (overrides `service.ports.postgresql`)   | `5432`      |
-| `postgresql-ha.primary.persistence.size`    | PVC Storage Request for PostgreSQL-ha volume                     | `10Gi`      |
+| `postgresql-ha.persistence.size`            | PVC Storage Request for PostgreSQL HA volume                     | `10Gi`      |
 
 ### PostgreSQL
 
@@ -1096,6 +1241,28 @@ If you miss this, blindly upgrading may delete your Postgres instance and you ma
 
 <details>
 
+<summary>To 11.0.0</summary>
+
+<!-- prettier-ignore-start -->
+<!-- markdownlint-disable-next-line -->
+**Breaking changes**
+<!-- prettier-ignore-end -->
+
+- Update Gitea to 1.23.x (review the [1.23 release blog post](https://blog.gitea.com/release-of-1.23.0/) for all application breaking changes)
+- Update PostgreSQL sub-chart dependencies to appVersion 17.x
+- Update Redis sub-chart to version 20.x (appVersion 7.4)
+  Although there are no breaking changes in the Redis Chart itself, it updates Redis from `7.2` to `7.4`. We recommend checking the release notes:
+  - [Redis Chart release notes (starting with v20.0.0)](https://github.com/bitnami/charts/blob/HEAD/bitnami/redis/CHANGELOG.md#2000-2024-08-09).
+  - [Redis 7.4 release notes](https://raw.githubusercontent.com/redis/redis/7.4/00-RELEASENOTES).
+- Update Redis Cluster sub-chart to version 11.x (appVersion 7.4)
+  Although there are no breaking changes in the Redis Chart itself, it updates Redis from `7.2` to `7.4`. We recommend checking the release notes:
+  - [Redis Chart release notes (starting with v11.0.0)](https://github.com/bitnami/charts/blob/HEAD/bitnami/redis-cluster/CHANGELOG.md#1100-2024-08-09).
+  - [Redis 7.4 release notes](https://raw.githubusercontent.com/redis/redis/7.4/00-RELEASENOTES).
+
+</details>
+
+<details>
+
 <summary>To 10.0.0</summary>
 
 <!-- prettier-ignore-start -->
@@ -1162,7 +1329,7 @@ The first item here (`<memcache service name>`) will be different compared to th
 The above changes are motivated by the idea to tidy dependencies but also have HA-ready ones at the same time.
 The previous `memcache` default was not HA-ready, hence we decided to switch to `redis-cluster` by default.
 
-If you are coming from an existing deployment and [#356](https://gitea.com/gitea/helm-chart/issues/356) is still open, you need to set the config sections for `cache`, `session` and `queue` explicitly:
+If you are coming from an existing deployment and [#356](https://gitea.com/gitea/helm-gitea/issues/356) is still open, you need to set the config sections for `cache`, `session` and `queue` explicitly:
 
 ```yaml
 gitea:
@@ -1187,7 +1354,7 @@ gitea:
 <!-- prettier-ignore-end -->
 
 If you are facing errors like `WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED` due to this automatic transition:
-Have a look at [this discussion](https://gitea.com/gitea/helm-chart/issues/487#issue-220660) and either set `image.rootless: false` or manually update your `~/.ssh/known_hosts` file(s).
+Have a look at [this discussion](https://gitea.com/gitea/helm-gitea/issues/487#issue-220660) and either set `image.rootless: false` or manually update your `~/.ssh/known_hosts` file(s).
 
 <!-- prettier-ignore-start -->
 <!-- markdownlint-disable-next-line -->
@@ -1243,7 +1410,7 @@ With respect to `values.yaml`, parameters `username`, `database` and `password`
 Please adjust your `values.yaml` accordingly.
 
 **Attention**: The Postgres upgrade is not automatically handled by the chart and must be done by yourself.
-See [this comment](https://gitea.com/gitea/helm-chart/issues/452#issuecomment-740885) for an extensive walkthrough.
+See [this comment](https://gitea.com/gitea/helm-gitea/issues/452#issuecomment-740885) for an extensive walkthrough.
 We again highly encourage users to use an external (managed) database for production instances.
 
 </details>

docs/actions-dev.md

@@ -0,0 +1,34 @@
+# Gitea Actions
+
+In order to use the Gitea Actions act-runner you must either:
+
+- enable persistence (used for automatic deployment to be able to store the token in a place accessible for the Job)
+- create a secret containing the act runner token and reference it as a `existingSecret`
+
+In order to use Gitea Actions, you must log on the server that's running Gitea and run the command:
+    `gitea actions generate-runner-token`
+
+This command will out a token that is needed by the act-runner to register with the Gitea backend.
+
+Because this is a manual operation, we automated this using a Kubernetes Job using the following containers:
+
+1) `actions-token-create`: it uses the current `gitea-rootless` image, mounts the persistent directory to `/data/` then it saves the output from `gitea actions generate-runner-token` to `/data/actions/token`
+2) `actions-token-upload`: it uses a `bitnami/kubectl` image, mounts the scripts directory (`/scripts`) and
+the persistent directory (`/data/`), and using the script from `/scripts/token.sh` stores the token in a Kubernetes secret
+
+After the token is stored in a Kubernetes secret we can create the statefulset that contains the following containers:
+
+1) `act-runner`: authenticates with Gitea using the token that was stored in the secret
+2) `dind`: DockerInDocker image that is used to run the actions
+
+If you are not using persistent volumes, you cannot use the Job to automatically generate the token.
+In this case, you can use either the Web UI to generate the token or run a shell into a Gitea pod and invoke
+the command `gitea actions generate-runner-token`. After generating the token, you must create a secret and use it via:
+
+```yaml
+actions:
+  provisioning:
+    enabled: false
+  existingSecret: "secret-name"
+  existingSecretKey: "secret-key"
+```

package.json

@@ -1,6 +1,6 @@
 {
-  "name": "gitea-helm-chart",
-  "homepage": "https://gitea.com/gitea/helm-chart.git",
+  "name": "gitea-helm",
+  "homepage": "https://gitea.com/gitea/helm-gitea.git",
   "license": "MIT",
   "private": true,
   "engineStrict": true,
@@ -14,6 +14,6 @@
   },
   "devDependencies": {
     "@bitnami/readme-generator-for-helm": "^2.5.0",
-    "markdownlint-cli": "^0.39.0"
+    "markdownlint-cli": "^0.44.0"
   }
-}
+}

renovate.json5

@@ -9,7 +9,13 @@
   labels: [
     'kind/dependency',
   ],
+  "digest": {
+    "automerge": true
+  },
   automergeStrategy: 'squash',
+  'git-submodules': {
+    'enabled': true
+  },
   customManagers: [
     {
       description: 'Gitea-version of https://docs.renovatebot.com/presets-regexManagers/#regexmanagersgithubactionsversions',
@@ -30,6 +36,14 @@
       ],
       datasourceTemplate: 'github-releases',
     },
+    {
+      'description': 'Automatically detect new Gitea releases',
+      'customType': 'regex',
+      'fileMatch': ['(^|/)Chart\\.yaml$'],
+      'matchStrings': [
+        '# renovate datasource=(?<datasource>\\S+) depName=(?<depName>\\S+) extractVersion=(?<extractVersion>\\S+)\\nappVersion:\\s?(?<currentValue>\\S+)\\n',
+      ],
+    },
   ],
   packageRules: [
     {
@@ -55,6 +69,39 @@
         'patch',
         'digest',
       ],
+      matchFileNames: [
+        '!Chart.yaml',
+      ],
+    },
+    {
+      description: 'Update README.md on changes in values.yaml',
+      matchManagers: [
+        'helm-values',
+      ],
+      postUpgradeTasks: {
+        commands: [
+          'install-tool node',
+          'make readme',
+        ],
+        fileFilters: [
+          'README.md',
+        ],
+        executionMode: 'update',
+      },
+    },
+    {
+      description: 'Override changelog url for Helm image, to have release notes in our PRs',
+      matchDepNames: [
+        'alpine/helm',
+      ],
+      changelogUrl: 'https://github.com/helm/helm',
+    },
+    {
+      description: 'Bump Gitea as fast as possible - not only on weekends',
+      matchDepNames: [
+        'go-gitea/gitea',
+      ],
+      schedule: ['at any time'],
     },
   ],
 }

scripts/act_runner/token.sh

@@ -0,0 +1,43 @@
+#!/bin/sh
+
+set -eu
+
+timeout_delay=15
+
+check_token() {
+  set +e
+
+  echo "Checking for existing token..."
+  token="$(kubectl get secret "$SECRET_NAME" -o jsonpath="{.data['token']}" 2> /dev/null)"
+  [ $? -ne 0 ] && return 1
+  [ -z "$token" ] && return 2
+  return 0
+}
+
+create_token() {
+  echo "Waiting for new token to be generated..."
+  begin=$(date +%s)
+  end=$((begin + timeout_delay))
+  while true; do
+    [ -f /data/actions/token ] && return 0
+    [ "$(date +%s)" -gt $end ] && return 1
+    sleep 5
+  done
+}
+
+store_token() {
+  echo "Storing the token in Kubernetes secret..."
+  kubectl patch secret "$SECRET_NAME" -p "{\"data\":{\"token\":\"$(base64 /data/actions/token | tr -d '\n')\"}}"
+}
+
+if check_token; then
+  echo "Key already in place, exiting."
+  exit
+fi
+
+if ! create_token; then
+  echo "Checking for an existing act runner token in secret $SECRET_NAME timed out after $timeout_delay"
+  exit 1
+fi
+
+store_token

scripts/init-containers/config/config_environment.sh

@@ -0,0 +1,154 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+function env2ini::log() {
+  printf "${1}\n"
+}
+
+function env2ini::read_config_to_env() {
+  local section="${1}"
+  local line="${2}"
+
+  if [[ -z "${line}" ]]; then
+    # skip empty line
+    return
+  fi
+
+  # 'xargs echo -n' trims all leading/trailing whitespaces and a trailing new line
+  local setting="$(awk -F '=' '{print $1}' <<< "${line}" | xargs echo -n)"
+
+  if [[ -z "${setting}" ]]; then
+    env2ini::log '  ! invalid setting'
+    exit 1
+  fi
+
+  local value=''
+  local regex="^${setting}(\s*)=(\s*)(.*)"
+  if [[ $line =~ $regex ]]; then
+    value="${BASH_REMATCH[3]}"
+  else
+    env2ini::log '  ! invalid setting'
+    exit 1
+  fi
+
+  env2ini::log "    + '${setting}'"
+
+  if [[ -z "${section}" ]]; then
+    export "GITEA____${setting^^}=${value}"                           # '^^' makes the variable content uppercase
+    return
+  fi
+
+  local masked_section="${section//./_0X2E_}"                            # '//' instructs to replace all matches
+  masked_section="${masked_section//-/_0X2D_}"
+
+  export "GITEA__${masked_section^^}__${setting^^}=${value}"        # '^^' makes the variable content uppercase
+}
+
+function env2ini::reload_preset_envs() {
+  env2ini::log "Reloading preset envs..."
+
+  while read -r line; do
+    if [[ -z "${line}" ]]; then
+      # skip empty line
+      return
+    fi
+
+    # 'xargs echo -n' trims all leading/trailing whitespaces and a trailing new line
+    local setting="$(awk -F '=' '{print $1}' <<< "${line}" | xargs echo -n)"
+
+    if [[ -z "${setting}" ]]; then
+      env2ini::log '  ! invalid setting'
+      exit 1
+    fi
+
+    local value=''
+    local regex="^${setting}(\s*)=(\s*)(.*)"
+    if [[ $line =~ $regex ]]; then
+      value="${BASH_REMATCH[3]}"
+    else
+      env2ini::log '  ! invalid setting'
+      exit 1
+    fi
+
+    env2ini::log "  + '${setting}'"
+
+    export "${setting^^}=${value}"                           # '^^' makes the variable content uppercase
+  done < "$TMP_EXISTING_ENVS_FILE"
+
+  rm $TMP_EXISTING_ENVS_FILE
+}
+
+
+function env2ini::process_config_file() {
+  local config_file="${1}"
+  local section="$(basename "${config_file}")"
+
+  if [[ $section == '_generals_' ]]; then
+    env2ini::log "  [ini root]"
+    section=''
+  else
+    env2ini::log "  ${section}"
+  fi
+
+  while read -r line; do
+    env2ini::read_config_to_env "${section}" "${line}"
+  done < <(awk 1 "${config_file}")                             # Helm .toYaml trims the trailing new line which breaks line processing; awk 1 ... adds it back while reading
+}
+
+function env2ini::load_config_sources() {
+  local path="${1}"
+
+  if [[ -d "${path}" ]]; then
+    env2ini::log "Processing $(basename "${path}")..."
+
+    while read -d '' configFile; do
+      env2ini::process_config_file "${configFile}"
+    done < <(find "${path}" -type l -not -name '..data' -print0)
+
+    env2ini::log "\n"
+  fi
+}
+
+function env2ini::generate_initial_secrets() {
+  # These environment variables will either be
+  #   - overwritten with user defined values,
+  #   - initially used to set up Gitea
+  # Anyway, they won't harm existing app.ini files
+
+  export GITEA__SECURITY__INTERNAL_TOKEN=$(gitea generate secret INTERNAL_TOKEN)
+  export GITEA__SECURITY__SECRET_KEY=$(gitea generate secret SECRET_KEY)
+  export GITEA__OAUTH2__JWT_SECRET=$(gitea generate secret JWT_SECRET)
+  export GITEA__SERVER__LFS_JWT_SECRET=$(gitea generate secret LFS_JWT_SECRET)
+
+  env2ini::log "...Initial secrets generated\n"
+}
+
+# save existing envs prior to script execution. Necessary to keep order of preexisting and custom envs
+env | (grep -e '^GITEA__' || [[ $? == 1 ]]) > $TMP_EXISTING_ENVS_FILE
+
+# MUST BE CALLED BEFORE OTHER CONFIGURATION
+env2ini::generate_initial_secrets
+
+env2ini::load_config_sources "$ENV_TO_INI_MOUNT_POINT/inlines/"
+env2ini::load_config_sources "$ENV_TO_INI_MOUNT_POINT/additionals/"
+
+# load existing envs to override auto generated envs
+env2ini::reload_preset_envs
+
+env2ini::log "=== All configuration sources loaded ===\n"
+
+# safety to prevent rewrite of secret keys if an app.ini already exists
+if [ -f ${GITEA_APP_INI} ]; then
+  env2ini::log 'An app.ini file already exists. To prevent overwriting secret keys, these settings are dropped and remain unchanged:'
+  env2ini::log '  - security.INTERNAL_TOKEN'
+  env2ini::log '  - security.SECRET_KEY'
+  env2ini::log '  - oauth2.JWT_SECRET'
+  env2ini::log '  - server.LFS_JWT_SECRET'
+
+  unset GITEA__SECURITY__INTERNAL_TOKEN
+  unset GITEA__SECURITY__SECRET_KEY
+  unset GITEA__OAUTH2__JWT_SECRET
+  unset GITEA__SERVER__LFS_JWT_SECRET
+fi
+
+environment-to-ini -o $GITEA_APP_INI

scripts/init-containers/init/configure_gpg_environment.sh

@@ -0,0 +1,4 @@
+#!/usr/bin/env bash
+set -eu
+
+gpg --batch --import "$TMP_RAW_GPG_KEY"

templates/_helpers.tpl

@@ -25,6 +25,13 @@ If release name contains chart name it will be used as a full name.
 {{- end -}}
 {{- end -}}
 
+{{/*
+Create a default worker name.
+*/}}
+{{- define "gitea.workername" -}}
+{{- printf "%s-%s" .global.Release.Name .worker | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
 {{/*
 Create chart name and version as used by the chart label.
 */}}
@@ -40,7 +47,7 @@ Create image name and tag used by the deployment.
 {{- $registry := .Values.global.imageRegistry | default .Values.image.registry -}}
 {{- $repository := .Values.image.repository -}}
 {{- $separator := ":" -}}
-{{- $tag := .Values.image.tag | default .Chart.AppVersion -}}
+{{- $tag := .Values.image.tag | default .Chart.AppVersion | toString -}}
 {{- $rootless := ternary "-rootless" "" (.Values.image.rootless) -}}
 {{- $digest := "" -}}
 {{- if .Values.image.digest }}
@@ -74,7 +81,7 @@ imagePullSecrets:
 Storage Class
 */}}
 {{- define "gitea.persistence.storageClass" -}}
-{{- $storageClass := .Values.persistence.storageClass | default .Values.global.storageClass }}
+{{- $storageClass :=  (tpl ( default "" .Values.persistence.storageClass) .) | default (tpl ( default "" .Values.global.storageClass) .) }}
 {{- if $storageClass }}
 storageClassName: {{ $storageClass | quote }}
 {{- end }}
@@ -92,6 +99,15 @@ version: {{ .Values.image.tag | default .Chart.AppVersion | quote }}
 app.kubernetes.io/managed-by: {{ .Release.Service }}
 {{- end -}}
 
+{{- define "gitea.labels.actRunner" -}}
+helm.sh/chart: {{ include "gitea.chart" . }}
+app: {{ include "gitea.name" . }}-act-runner
+{{ include "gitea.selectorLabels.actRunner" . }}
+app.kubernetes.io/version: {{ .Values.image.tag | default .Chart.AppVersion | quote }}
+version: {{ .Values.image.tag | default .Chart.AppVersion | quote }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end -}}
+
 {{/*
 Selector labels
 */}}
@@ -100,6 +116,11 @@ app.kubernetes.io/name: {{ include "gitea.name" . }}
 app.kubernetes.io/instance: {{ .Release.Name }}
 {{- end -}}
 
+{{- define "gitea.selectorLabels.actRunner" -}}
+app.kubernetes.io/name: {{ include "gitea.name" . }}-act-runner
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end -}}
+
 {{- define "postgresql-ha.dns" -}}
 {{- if (index .Values "postgresql-ha").enabled -}}
 {{- printf "%s-postgresql-ha-pgpool.%s.svc.%s:%g" .Release.Name .Release.Namespace .Values.clusterDomain (index .Values "postgresql-ha" "service" "ports" "postgresql") -}}
@@ -113,20 +134,28 @@ app.kubernetes.io/instance: {{ .Release.Name }}
 {{- end -}}
 
 {{- define "redis.dns" -}}
-{{- if (index .Values "redis-cluster").enabled -}}
+{{- if and ((index .Values "redis-cluster").enabled) ((index .Values "redis").enabled) -}}
+{{- fail "redis and redis-cluster cannot be enabled at the same time. Please only choose one." -}}
+{{- else if (index .Values "redis-cluster").enabled -}}
 {{- printf "redis+cluster://:%s@%s-redis-cluster-headless.%s.svc.%s:%g/0?pool_size=100&idle_timeout=180s&" (index .Values "redis-cluster").global.redis.password .Release.Name .Release.Namespace .Values.clusterDomain (index .Values "redis-cluster").service.ports.redis -}}
+{{- else if (index .Values "redis").enabled -}}
+{{- printf "redis://:%s@%s-redis-headless.%s.svc.%s:%g/0?pool_size=100&idle_timeout=180s&" (index .Values "redis").global.redis.password .Release.Name .Release.Namespace .Values.clusterDomain (index .Values "redis").master.service.ports.redis -}}
 {{- end -}}
 {{- end -}}
 
 {{- define "redis.port" -}}
 {{- if (index .Values "redis-cluster").enabled -}}
 {{ (index .Values "redis-cluster").service.ports.redis }}
+{{- else if (index .Values "redis").enabled -}}
+{{ (index .Values "redis").master.service.ports.redis }}
 {{- end -}}
 {{- end -}}
 
 {{- define "redis.servicename" -}}
 {{- if (index .Values "redis-cluster").enabled -}}
 {{- printf "%s-redis-cluster-headless.%s.svc.%s" .Release.Name .Release.Namespace .Values.clusterDomain -}}
+{{- else if (index .Values "redis").enabled -}}
+{{- printf "%s-redis-headless.%s.svc.%s" .Release.Name .Release.Namespace .Values.clusterDomain -}}
 {{- end -}}
 {{- end -}}
 
@@ -191,6 +220,15 @@ https
 {{- end -}}
 {{- end -}}
 
+{{- define "gitea.act_runner.local_root_url" -}}
+{{- if not .Values.gitea.config.server.LOCAL_ROOT_URL -}}
+    {{- printf "http://%s-http:%.0f" (include "gitea.fullname" .) .Values.service.http.port -}}
+{{- else -}}
+  {{/* fallback for allowing to overwrite this value via inline config */}}
+  {{- .Values.gitea.config.server.LOCAL_ROOT_URL -}}
+{{- end -}}
+{{- end -}}
+
 {{- define "gitea.inline_configuration" -}}
   {{- include "gitea.inline_configuration.init" . -}}
   {{- include "gitea.inline_configuration.defaults" . -}}
@@ -255,6 +293,9 @@ https
   {{- if not (hasKey .Values.gitea.config "indexer") -}}
     {{- $_ := set .Values.gitea.config "indexer" dict -}}
   {{- end -}}
+  {{- if not (hasKey .Values.gitea.config "actions") -}}
+    {{- $_ := set .Values.gitea.config "actions" dict -}}
+  {{- end -}}
 {{- end -}}
 
 {{- define "gitea.inline_configuration.defaults" -}}
@@ -270,8 +311,11 @@ https
   {{- if not (hasKey .Values.gitea.config.metrics "ENABLED") -}}
     {{- $_ := set .Values.gitea.config.metrics "ENABLED" .Values.gitea.metrics.enabled -}}
   {{- end -}}
+  {{- if and (not (hasKey .Values.gitea.config.metrics "TOKEN")) (.Values.gitea.metrics.token) (.Values.gitea.metrics.enabled) -}}
+    {{- $_ := set .Values.gitea.config.metrics "TOKEN" .Values.gitea.metrics.token -}}
+  {{- end -}}
   {{- /* redis queue */ -}}
-  {{- if (index .Values "redis-cluster").enabled -}}
+  {{- if or ((index .Values "redis-cluster").enabled) ((index .Values "redis").enabled) -}}
     {{- $_ := set .Values.gitea.config.queue "TYPE" "redis" -}}
     {{- $_ := set .Values.gitea.config.queue "CONN_STR" (include "redis.dns" .) -}}
     {{- $_ := set .Values.gitea.config.session "PROVIDER" "redis" -}}
@@ -301,6 +345,9 @@ https
   {{- if not .Values.gitea.config.indexer.ISSUE_INDEXER_TYPE -}}
      {{- $_ := set .Values.gitea.config.indexer "ISSUE_INDEXER_TYPE" "db" -}}
   {{- end -}}
+  {{- if not .Values.gitea.config.actions.ENABLED -}}
+     {{- $_ := set .Values.gitea.config.actions "ENABLED" (ternary "true" "false" .Values.actions.enabled) -}}
+  {{- end -}}
 {{- end -}}
 
 {{- define "gitea.inline_configuration.defaults.server" -}}
@@ -320,6 +367,9 @@ https
   {{- if not .Values.gitea.config.server.ROOT_URL -}}
     {{- $_ := set .Values.gitea.config.server "ROOT_URL" (printf "%s://%s" (include "gitea.public_protocol" .) .Values.gitea.config.server.DOMAIN) -}}
   {{- end -}}
+  {{- if .Values.actions.enabled -}}
+     {{- $_ := set .Values.gitea.config.server "LOCAL_ROOT_URL" (include "gitea.act_runner.local_root_url" .) -}}
+  {{- end -}}
   {{- if not .Values.gitea.config.server.SSH_DOMAIN -}}
     {{- $_ := set .Values.gitea.config.server "SSH_DOMAIN" .Values.gitea.config.server.DOMAIN -}}
   {{- end -}}
@@ -392,3 +442,33 @@ https
 {{- define "gitea.serviceAccountName" -}}
 {{ .Values.serviceAccount.name | default (include "gitea.fullname" .) }}
 {{- end -}}
+
+{{- define "gitea.admin.passwordMode" -}}
+{{- if has .Values.gitea.admin.passwordMode (tuple "keepUpdated" "initialOnlyNoReset" "initialOnlyRequireReset") -}}
+{{ .Values.gitea.admin.passwordMode }}
+{{- else -}}
+{{ printf "gitea.admin.passwordMode must be set to one of 'keepUpdated', 'initialOnlyNoReset', or 'initialOnlyRequireReset'. Received: '%s'" .Values.gitea.admin.passwordMode | fail }}
+{{- end -}}
+{{- end -}}
+
+{{/* Create a functioning probe object for rendering. Given argument must be either a livenessProbe, readinessProbe, or startupProbe */}}
+{{- define "gitea.deployment.probe" -}}
+  {{- $probe := unset . "enabled" -}}
+  {{- $probeKeys := keys $probe -}}
+  {{- $containsCustomMethod := false -}}
+  {{- $chartDefaultMethod := "tcpSocket" -}}
+  {{- $nonChartDefaultMethods := list "exec" "httpGet" "grpc" -}}
+  {{- range $probeKeys -}}
+    {{- if has . $nonChartDefaultMethods -}}
+      {{- $containsCustomMethod = true -}}
+    {{- end -}}
+  {{- end -}}
+  {{- if $containsCustomMethod -}}
+    {{- $probe = unset . $chartDefaultMethod -}}
+  {{- end -}}
+  {{- toYaml $probe -}}
+{{- end -}}
+
+{{- define "gitea.metrics-secret-name" -}}
+{{ default (printf "%s-metrics-secret" (include "gitea.fullname" .)) }}
+{{- end -}}

templates/gitea/act_runner/01-consistency-checks.yaml

@@ -0,0 +1,15 @@
+{{- if .Values.actions.enabled -}}
+    {{- if .Values.actions.provisioning.enabled -}}
+        {{- if not (and .Values.persistence.enabled .Values.persistence.mount) -}}
+            {{- fail "persistence.enabled and persistence.mount are required when provisioning is enabled" -}}
+        {{- end -}}
+        {{- if and .Values.persistence.enabled .Values.persistence.mount -}}
+            {{- if .Values.actions.existingSecret -}}
+                {{- fail "Can't specify both actions.provisioning.enabled and actions.existingSecret" -}}
+            {{- end -}}
+        {{- end -}}
+    {{- end -}}
+    {{- if and (not .Values.actions.provisioning.enabled) (or (empty .Values.actions.existingSecret) (empty .Values.actions.existingSecretKey)) -}}
+        {{- fail "actions.existingSecret and actions.existingSecretKey are required when provisioning is disabled" -}}
+    {{- end -}}
+{{- end -}}

templates/gitea/act_runner/config-act-runner.yaml

@@ -0,0 +1,15 @@
+{{- if .Values.actions.enabled }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "gitea.fullname" . }}-act-runner-config
+  namespace: {{ .Values.namespace | default .Release.Namespace }}
+  labels:
+    {{- include "gitea.labels" . | nindent 4 }}
+data:
+  config.yaml: |
+    {{- with .Values.actions.statefulset.actRunner.config -}}
+    {{ . | nindent 4}}
+    {{- end -}}
+{{- end }}

templates/gitea/act_runner/config-scripts.yaml

@@ -0,0 +1,14 @@
+{{- if .Values.actions.enabled }}
+{{- if and (and .Values.actions.provisioning.enabled .Values.persistence.enabled) .Values.persistence.mount }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "gitea.fullname" . }}-scripts
+  namespace: {{ .Values.namespace | default .Release.Namespace }}
+  labels:
+    {{- include "gitea.labels" . | nindent 4 }}
+data:
+{{ (.Files.Glob "scripts/act_runner/*.sh").AsConfig | indent 2 }}
+{{- end }}
+{{- end }}

templates/gitea/act_runner/job.yaml

@@ -0,0 +1,115 @@
+{{- if .Values.actions.enabled }}
+{{- if and (and .Values.actions.provisioning.enabled .Values.persistence.enabled) .Values.persistence.mount }}
+{{- $name := include "gitea.workername" (dict "global" . "worker" "actions-token-job") }}
+{{- $secretName := include "gitea.workername" (dict "global" . "worker" "actions-token") }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ $name }}
+  namespace: {{ .Values.namespace | default .Release.Namespace }}
+  labels:
+    {{- include "gitea.labels" . | nindent 4 }}
+    {{- with .Values.actions.provisioning.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+    app.kubernetes.io/component: token-job
+  annotations:
+    {{- with .Values.actions.provisioning.annotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+spec:
+  ttlSecondsAfterFinished: {{ .Values.actions.provisioning.ttlSecondsAfterFinished }}
+  template:
+    metadata:
+      labels:
+        {{- include "gitea.labels" . | nindent 8 }}
+        {{- with .Values.actions.provisioning.labels }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
+        app.kubernetes.io/component: token-job
+    spec:
+      initContainers:
+        - name: init-gitea
+          image: "{{ .Values.actions.init.image.repository }}:{{ .Values.actions.init.image.tag }}"
+          command:
+            - sh
+            - -c
+            - |
+              while ! nc -z {{ include "gitea.fullname" . }}-http {{ .Values.service.http.port }}; do
+                sleep 5
+              done
+      containers:
+        - name: actions-token-create
+          image: "{{ include "gitea.image" . }}"
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          env:
+            - name: GITEA_APP_INI
+              value: /data/gitea/conf/app.ini
+          command:
+            - sh
+            - -c
+            - |
+              echo "Generating act_runner token via 'gitea actions generate-runner-token'..."
+              mkdir -p /data/actions/
+              gitea actions generate-runner-token | grep -E '^.{40}$' | tr -d '\n' > /data/actions/token
+          resources:
+            {{- toYaml .Values.actions.provisioning.resources | nindent 12 }}
+          volumeMounts:
+            - name: data
+              mountPath: /data
+              {{- if .Values.persistence.subPath }}
+              subPath: {{ .Values.persistence.subPath }}
+              {{- end }}
+        - name: actions-token-upload
+          image: "{{ .Values.actions.provisioning.publish.repository }}:{{ .Values.actions.provisioning.publish.tag }}"
+          imagePullPolicy: {{ .Values.actions.provisioning.publish.pullPolicy }}
+          env:
+            - name: SECRET_NAME
+              value: {{ $secretName }}
+          command:
+            - sh
+            - -c
+            - |
+              printf "Checking rights to update kubernetes act_runner secret..."
+              kubectl auth can-i update secret/${SECRET_NAME}
+              /scripts/token.sh
+          resources:
+            {{- toYaml .Values.actions.provisioning.resources | nindent 12 }}
+          volumeMounts:
+            - mountPath: /scripts
+              name: scripts
+              readOnly: true
+            - mountPath: /data
+              name: data
+              readOnly: true
+              {{- if .Values.persistence.subPath }}
+              subPath: {{ .Values.persistence.subPath }}
+              {{- end }}
+      {{- range $key, $value := .Values.actions.provisioning.nodeSelector }}
+      nodeSelector:
+        {{ $key }}: {{ $value | quote }}
+      {{- end }}
+      {{- with .Values.actions.provisioning.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.actions.provisioning.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      restartPolicy: Never
+      serviceAccount: {{ $name }}
+      volumes:
+        - name: scripts
+          configMap:
+            name: {{ include "gitea.fullname" . }}-scripts
+            defaultMode: 0755
+        - name: data
+          persistentVolumeClaim:
+            claimName: {{ .Values.persistence.claimName }}
+  parallelism: 1
+  completions: 1
+  backoffLimit: 1
+{{- end }}
+{{- end }}

templates/gitea/act_runner/role-job.yaml

@@ -0,0 +1,26 @@
+{{- if .Values.actions.enabled }}
+{{- if and (and .Values.actions.provisioning.enabled .Values.persistence.enabled) .Values.persistence.mount }}
+{{- $name := include "gitea.workername" (dict "global" . "worker" "actions-token-job") }}
+{{- $secretName := include "gitea.workername" (dict "global" . "worker" "actions-token") }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ $name }}
+  namespace: {{ .Values.namespace | default .Release.Namespace }}
+  labels:
+    {{- include "gitea.labels" . | nindent 4 }}
+    app.kubernetes.io/component: token-job
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - secrets
+    resourceNames:
+      - {{ $secretName }}
+    verbs:
+      - get
+      - update
+      - patch
+{{- end }}
+{{- end }}

templates/gitea/act_runner/rolebinding-job.yaml

@@ -0,0 +1,23 @@
+{{- if .Values.actions.enabled }}
+{{- if and (and .Values.actions.provisioning.enabled .Values.persistence.enabled) .Values.persistence.mount }}
+{{- $name := include "gitea.workername" (dict "global" . "worker" "actions-token-job") }}
+{{- $secretName := include "gitea.workername" (dict "global" . "worker" "actions-token") }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ $name }}
+  namespace: {{ .Values.namespace | default .Release.Namespace }}
+  labels:
+    {{- include "gitea.labels" . | nindent 4 }}
+    app.kubernetes.io/component: token-job
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ $name }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ $name }}
+    namespace: {{ .Release.Namespace }}
+{{- end }}
+{{- end }}

templates/gitea/act_runner/secret-token.yaml

@@ -0,0 +1,20 @@
+{{- if .Values.actions.enabled }}
+{{- if and (and .Values.actions.provisioning.enabled .Values.persistence.enabled) .Values.persistence.mount }}
+{{- $name := include "gitea.workername" (dict "global" . "worker" "actions-token-job") }}
+{{- $secretName := include "gitea.workername" (dict "global" . "worker" "actions-token") }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ $secretName }}
+  namespace: {{ .Values.namespace | default .Release.Namespace }}
+  labels:
+    {{- include "gitea.labels" . | nindent 4 }}
+    app.kubernetes.io/component: token-job
+{{ $secret := (lookup "v1" "Secret" .Release.Namespace $secretName) -}}
+{{ if $secret -}}
+data:
+  token: {{ (b64dec (index $secret.data "token")) | b64enc }}
+{{ end -}}
+{{- end }}
+{{- end }}

templates/gitea/act_runner/serviceaccount-job.yaml

@@ -0,0 +1,14 @@
+{{- if .Values.actions.enabled }}
+{{- if and (and .Values.actions.provisioning.enabled .Values.persistence.enabled) .Values.persistence.mount }}
+{{- $name := include "gitea.workername" (dict "global" . "worker" "actions-token-job") }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ $name }}
+  namespace: {{ .Values.namespace | default .Release.Namespace }}
+  labels:
+    {{- include "gitea.labels" . | nindent 4 }}
+    app.kubernetes.io/component: token-job
+{{- end }}
+{{- end }}

templates/gitea/act_runner/statefulset.yaml

@@ -0,0 +1,129 @@
+{{- if .Values.actions.enabled }}
+{{- $secretName := include "gitea.workername" (dict "global" . "worker" "actions-token") }}
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  labels:
+    {{- include "gitea.labels.actRunner" . | nindent 4 }}
+    {{- with .Values.actions.statefulset.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+  annotations:
+    {{- with .Values.actions.statefulset.annotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+  name: {{ include "gitea.fullname" . }}-act-runner
+  namespace: {{ .Values.namespace | default .Release.Namespace }}
+spec:
+  selector:
+    matchLabels:
+      {{- include "gitea.selectorLabels.actRunner" . | nindent 6 }}
+  template:
+    metadata:
+      annotations:
+        checksum/config: {{ include (print $.Template.BasePath "/gitea/act_runner/config-act-runner.yaml") . | sha256sum }}
+      labels:
+        {{- include "gitea.labels.actRunner" . | nindent 8 }}
+        {{- with .Values.actions.statefulset.labels }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
+    spec:
+      initContainers:
+        - name: init-gitea
+          image: "{{ .Values.actions.init.image.repository }}:{{ .Values.actions.init.image.tag }}"
+          command:
+            - sh
+            - -c
+            - |
+              while ! nc -z {{ include "gitea.fullname" . }}-http {{ .Values.service.http.port }}; do
+                sleep 5
+              done
+      containers:
+        - name: act-runner
+          image: "{{ .Values.actions.statefulset.actRunner.repository }}:{{ .Values.actions.statefulset.actRunner.tag }}"
+          imagePullPolicy: {{ .Values.actions.statefulset.actRunner.pullPolicy }}
+          workingDir: /data
+          env:
+            - name: DOCKER_HOST
+              value: tcp://127.0.0.1:2376
+            - name: DOCKER_TLS_VERIFY
+              value: "1"
+            - name: DOCKER_CERT_PATH
+              value: /certs/server
+            - name: GITEA_RUNNER_REGISTRATION_TOKEN
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Values.actions.existingSecret | default $secretName }}"
+                  key: "{{ .Values.actions.existingSecretKey | default "token" }}"
+            - name: GITEA_INSTANCE_URL
+              value: {{ include "gitea.act_runner.local_root_url" . }}
+            - name: CONFIG_FILE
+              value: /actrunner/config.yaml
+          resources:
+            {{- toYaml .Values.actions.statefulset.resources | nindent 12 }}
+          volumeMounts:
+            - mountPath: /actrunner/config.yaml
+              name: act-runner-config
+              subPath: config.yaml
+            - mountPath: /certs/server
+              name: docker-certs
+            - mountPath: /data
+              name: data-act-runner
+            {{- with .Values.actions.statefulset.actRunner.extraVolumeMounts }}
+            {{- toYaml . | nindent 12 }}
+            {{- end }}
+        - name: dind
+          image: "{{ .Values.actions.statefulset.dind.repository }}:{{ .Values.actions.statefulset.dind.tag }}"
+          imagePullPolicy: {{ .Values.actions.statefulset.dind.pullPolicy }}
+          env:
+            - name: DOCKER_HOST
+              value: tcp://127.0.0.1:2376
+            - name: DOCKER_TLS_VERIFY
+              value: "1"
+            - name: DOCKER_CERT_PATH
+              value: /certs/server
+            {{- if .Values.actions.statefulset.dind.extraEnvs }}
+            {{- toYaml .Values.actions.statefulset.dind.extraEnvs | nindent 12 }}
+            {{- end }}
+          securityContext:
+            privileged: true
+          resources:
+            {{- toYaml .Values.actions.statefulset.resources | nindent 12 }}
+          volumeMounts:
+            - mountPath: /certs/server
+              name: docker-certs
+            {{- with .Values.actions.statefulset.dind.extraVolumeMounts }}
+            {{- toYaml . | nindent 12 }}
+            {{- end }}
+      {{- range $key, $value := .Values.actions.statefulset.nodeSelector }}
+      nodeSelector:
+        {{ $key }}: {{ $value | quote }}
+      {{- end }}
+      {{- with .Values.actions.statefulset.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.actions.statefulset.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      volumes:
+        - name: act-runner-config
+          configMap:
+            name: {{ include "gitea.fullname" . }}-act-runner-config
+        - name: docker-certs
+          emptyDir: {}
+        {{- with .Values.actions.statefulset.extraVolumes }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
+  volumeClaimTemplates:
+    - metadata:
+        name: data-act-runner
+      spec:
+        accessModes: [ "ReadWriteOnce" ]
+        {{- include "gitea.persistence.storageClass" . | nindent 8 }}
+        resources:
+          requests:
+            storage: 1Mi
+{{- end }}

templates/gitea/config.yaml

@@ -2,6 +2,7 @@ apiVersion: v1
 kind: Secret
 metadata:
   name: {{ include "gitea.fullname" . }}-inline-config
+  namespace: {{ .Values.namespace | default .Release.Namespace }}
   labels:
     {{- include "gitea.labels" . | nindent 4 }}
 type: Opaque
@@ -12,10 +13,12 @@ apiVersion: v1
 kind: Secret
 metadata:
   name: {{ include "gitea.fullname" . }}
+  namespace: {{ .Values.namespace | default .Release.Namespace }}
   labels:
     {{- include "gitea.labels" . | nindent 4 }}
 type: Opaque
 stringData:
+{{ (.Files.Glob "scripts/init-containers/config/*.sh").AsConfig | indent 2 }}
   assertions: |
 
     {{- /*assert that only one PG dep is enabled */ -}}
@@ -28,13 +31,13 @@ stringData:
       {{- if .Values.gitea.config.cron -}}
         {{- if .Values.gitea.config.cron.GIT_GC_REPOS -}}
           {{- if eq .Values.gitea.config.cron.GIT_GC_REPOS.ENABLED true -}}
-            {{ fail "Invoking the garbage collector via CRON is not yet supported when running with multiple replicas. Please set 'cron.GIT_GC_REPOS.enabled = false'." }}
+            {{ fail "Invoking the garbage collector via CRON is not yet supported when running with multiple replicas. Please set 'gitea.config.cron.GIT_GC_REPOS.enabled = false'." }}
           {{- end }}
         {{- end }}
       {{- end }}
     
       {{- if eq (first .Values.persistence.accessModes) "ReadWriteOnce" -}}
-        {{- fail "When using multiple replicas, a RWX file system is required and gitea.persistence.accessModes[0] must be set to ReadWriteMany." -}}
+        {{- fail "When using multiple replicas, a RWX file system is required and persistence.accessModes[0] must be set to ReadWriteMany." -}}
       {{- end }}
       {{- if .Values.gitea.config.indexer -}}
         {{- if eq .Values.gitea.config.indexer.ISSUE_INDEXER_TYPE "bleve" -}}
@@ -52,158 +55,3 @@ stringData:
       {{- end }}
       
     {{- end }}
-  config_environment.sh: |-
-    #!/usr/bin/env bash
-    set -euo pipefail
-
-    function env2ini::log() {
-      printf "${1}\n"
-    }
-
-    function env2ini::read_config_to_env() {
-      local section="${1}"
-      local line="${2}"
-
-      if [[ -z "${line}" ]]; then
-        # skip empty line
-        return
-      fi
-      
-      # 'xargs echo -n' trims all leading/trailing whitespaces and a trailing new line
-      local setting="$(awk -F '=' '{print $1}' <<< "${line}" | xargs echo -n)"
-
-      if [[ -z "${setting}" ]]; then
-        env2ini::log '  ! invalid setting'
-        exit 1
-      fi
-
-      local value=''
-      local regex="^${setting}(\s*)=(\s*)(.*)"
-      if [[ $line =~ $regex ]]; then
-        value="${BASH_REMATCH[3]}"
-      else
-        env2ini::log '  ! invalid setting'
-        exit 1
-      fi
-
-      env2ini::log "    + '${setting}'"
-
-      if [[ -z "${section}" ]]; then
-        export "GITEA____${setting^^}=${value}"                           # '^^' makes the variable content uppercase
-        return
-      fi
-
-      local masked_section="${section//./_0X2E_}"                            # '//' instructs to replace all matches
-      masked_section="${masked_section//-/_0X2D_}"
-
-      export "GITEA__${masked_section^^}__${setting^^}=${value}"        # '^^' makes the variable content uppercase
-    }
-
-    function env2ini::reload_preset_envs() {
-      env2ini::log "Reloading preset envs..."
-
-      while read -r line; do
-        if [[ -z "${line}" ]]; then
-          # skip empty line
-          return
-        fi
-
-        # 'xargs echo -n' trims all leading/trailing whitespaces and a trailing new line
-        local setting="$(awk -F '=' '{print $1}' <<< "${line}" | xargs echo -n)"
-
-        if [[ -z "${setting}" ]]; then
-          env2ini::log '  ! invalid setting'
-          exit 1
-        fi
-
-        local value=''
-        local regex="^${setting}(\s*)=(\s*)(.*)"
-        if [[ $line =~ $regex ]]; then
-          value="${BASH_REMATCH[3]}"
-        else
-          env2ini::log '  ! invalid setting'
-          exit 1
-        fi
-
-        env2ini::log "  + '${setting}'"
-
-        export "${setting^^}=${value}"                           # '^^' makes the variable content uppercase
-      done < "/tmp/existing-envs"
-
-      rm /tmp/existing-envs
-    }
-
-
-    function env2ini::process_config_file() {
-      local config_file="${1}"
-      local section="$(basename "${config_file}")"
-
-      if [[ $section == '_generals_' ]]; then
-        env2ini::log "  [ini root]"
-        section=''
-      else
-        env2ini::log "  ${section}"
-      fi
-
-      while read -r line; do
-        env2ini::read_config_to_env "${section}" "${line}"
-      done < <(awk 1 "${config_file}")                             # Helm .toYaml trims the trailing new line which breaks line processing; awk 1 ... adds it back while reading
-    }
-
-    function env2ini::load_config_sources() {
-      local path="${1}"
-
-      if [[ -d "${path}" ]]; then
-        env2ini::log "Processing $(basename "${path}")..."
-
-        while read -d '' configFile; do
-          env2ini::process_config_file "${configFile}"
-        done < <(find "${path}" -type l -not -name '..data' -print0)
-
-        env2ini::log "\n"
-      fi
-    }
-
-    function env2ini::generate_initial_secrets() {
-      # These environment variables will either be
-      #   - overwritten with user defined values,
-      #   - initially used to set up Gitea
-      # Anyway, they won't harm existing app.ini files
-
-      export GITEA__SECURITY__INTERNAL_TOKEN=$(gitea generate secret INTERNAL_TOKEN)
-      export GITEA__SECURITY__SECRET_KEY=$(gitea generate secret SECRET_KEY)
-      export GITEA__OAUTH2__JWT_SECRET=$(gitea generate secret JWT_SECRET)
-      export GITEA__SERVER__LFS_JWT_SECRET=$(gitea generate secret LFS_JWT_SECRET)
-
-      env2ini::log "...Initial secrets generated\n"
-    }
-    
-    # save existing envs prior to script execution. Necessary to keep order of preexisting and custom envs
-    env | (grep -e '^GITEA__' || [[ $? == 1 ]]) > /tmp/existing-envs
-    
-    # MUST BE CALLED BEFORE OTHER CONFIGURATION
-    env2ini::generate_initial_secrets
-
-    env2ini::load_config_sources '/env-to-ini-mounts/inlines/'
-    env2ini::load_config_sources '/env-to-ini-mounts/additionals/'
-
-    # load existing envs to override auto generated envs
-    env2ini::reload_preset_envs
-
-    env2ini::log "=== All configuration sources loaded ===\n"
-
-    # safety to prevent rewrite of secret keys if an app.ini already exists
-    if [ -f ${GITEA_APP_INI} ]; then
-      env2ini::log 'An app.ini file already exists. To prevent overwriting secret keys, these settings are dropped and remain unchanged:'
-      env2ini::log '  - security.INTERNAL_TOKEN'
-      env2ini::log '  - security.SECRET_KEY'
-      env2ini::log '  - oauth2.JWT_SECRET'
-      env2ini::log '  - server.LFS_JWT_SECRET'
-
-      unset GITEA__SECURITY__INTERNAL_TOKEN
-      unset GITEA__SECURITY__SECRET_KEY
-      unset GITEA__OAUTH2__JWT_SECRET
-      unset GITEA__SERVER__LFS_JWT_SECRET
-    fi
-
-    environment-to-ini -o $GITEA_APP_INI

templates/gitea/deployment.yaml

@@ -2,12 +2,16 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: {{ include "gitea.fullname" . }}
+  namespace: {{ .Values.namespace | default .Release.Namespace }}
   annotations:
     {{- if .Values.deployment.annotations }}
     {{- toYaml .Values.deployment.annotations | nindent 4 }}
     {{- end }}
   labels:
     {{- include "gitea.labels" . | nindent 4 }}
+    {{- if .Values.deployment.labels }}
+    {{- toYaml .Values.deployment.labels | nindent 4 }}
+    {{- end }}
 spec:
   replicas: {{ .Values.replicaCount }}
   strategy:
@@ -103,6 +107,10 @@ spec:
               value: /data
             - name: GITEA_TEMP
               value: /tmp/gitea
+            - name: TMP_EXISTING_ENVS_FILE
+              value: /tmp/existing-envs
+            - name: ENV_TO_INI_MOUNT_POINT
+              value: /env-to-ini-mounts
             {{- if .Values.deployment.env }}
             {{- toYaml .Values.deployment.env | nindent 12 }}
             {{- end }}
@@ -145,6 +153,8 @@ spec:
           env:
             - name: GNUPGHOME
               value: {{ .Values.signing.gpgHome }}
+            - name: TMP_RAW_GPG_KEY
+              value: /raw/private.asc
           volumeMounts:
             - name: init
               mountPath: /usr/sbin
@@ -240,6 +250,8 @@ spec:
             - name: GITEA_ADMIN_PASSWORD
               value: {{ .Values.gitea.admin.password | quote }}
             {{- end }}
+            - name: GITEA_ADMIN_PASSWORD_MODE
+              value: {{ include "gitea.admin.passwordMode" $ }}
             {{- if .Values.deployment.env }}
             {{- toYaml .Values.deployment.env | nindent 12 }}
             {{- end }}
@@ -279,6 +291,13 @@ spec:
               value: /data
             - name: GITEA_TEMP
               value: /tmp/gitea
+            {{- if and (hasKey .Values.resources "limits") (hasKey .Values.resources.limits "cpu") }}
+            - name: GOMAXPROCS
+              valueFrom:
+                resourceFieldRef:
+                  divisor: "1"
+                  resource: limits.cpu
+            {{- end }}
             - name: TMPDIR
               value: /tmp/gitea
             {{- if .Values.image.rootless }}
@@ -306,15 +325,15 @@ spec:
             {{- end }}
           {{- if .Values.gitea.livenessProbe.enabled }}
           livenessProbe:
-            {{- toYaml (omit .Values.gitea.livenessProbe "enabled") | nindent 12 }}
+            {{- include "gitea.deployment.probe" .Values.gitea.livenessProbe | nindent 12 }}
           {{- end }}
           {{- if .Values.gitea.readinessProbe.enabled }}
           readinessProbe:
-            {{- toYaml (omit .Values.gitea.readinessProbe "enabled") | nindent 12 }}
+            {{- include "gitea.deployment.probe" .Values.gitea.readinessProbe | nindent 12 }}
           {{- end }}
           {{- if .Values.gitea.startupProbe.enabled }}
           startupProbe:
-            {{- toYaml (omit .Values.gitea.startupProbe "enabled") | nindent 12 }}
+            {{- include "gitea.deployment.probe" .Values.gitea.startupProbe | nindent 12 }}
           {{- end }}
           resources:
             {{- toYaml .Values.resources | nindent 12 }}
@@ -334,20 +353,23 @@ spec:
               subPath: {{ .Values.persistence.subPath }}
               {{- end }}
             {{- include "gitea.container-additional-mounts" . | nindent 12 }}
+        {{- if .Values.extraContainers }}
+        {{- toYaml .Values.extraContainers | nindent 8 }}
+        {{- end }}
       {{- with .Values.global.hostAliases }}
       hostAliases:
         {{- toYaml . | nindent 8 }}
       {{- end }}
-      {{- with .Values.nodeSelector }}
+      {{- range $key, $value := .Values.nodeSelector }}
       nodeSelector:
-        {{- toYaml . | nindent 8 }}
+        {{ $key }}: {{ $value | quote }}
       {{- end }}
     {{- with .Values.affinity }}
       affinity:
         {{- toYaml . | nindent 8 }}
     {{- end }}
     {{- with .Values.topologySpreadConstraints }}
-      topologySpreadConstraints: 
+      topologySpreadConstraints:
         {{- toYaml . | nindent 8 }}
     {{- end }}
     {{- with .Values.tolerations }}

templates/gitea/gpg-secret.yaml

@@ -7,6 +7,7 @@ apiVersion: v1
 kind: Secret
 metadata:
   name: {{ include "gitea.gpg-key-secret-name" . }}
+  namespace: {{ .Values.namespace | default .Release.Namespace }}
   labels:
     {{- include "gitea.labels" . | nindent 4 }}
 type: Opaque

templates/gitea/http-svc.yaml

@@ -2,6 +2,7 @@ apiVersion: v1
 kind: Service
 metadata:
   name: {{ include "gitea.fullname" . }}-http
+  namespace: {{ .Values.namespace | default .Release.Namespace }}
   labels:
     {{- include "gitea.labels" . | nindent 4 }}
     {{- if .Values.service.http.labels }}
@@ -11,7 +12,11 @@ metadata:
     {{- toYaml .Values.service.http.annotations | nindent 4 }}
 spec:
   type: {{ .Values.service.http.type }}
-  {{- if and .Values.service.http.loadBalancerIP (eq .Values.service.http.type "LoadBalancer") }}
+  {{- if eq .Values.service.http.type "LoadBalancer" }}
+  {{- if .Values.service.http.loadBalancerClass }}
+  loadBalancerClass: {{ .Values.service.http.loadBalancerClass }}
+  {{- end }}
+  {{- if and .Values.service.http.loadBalancerIP }}
   loadBalancerIP: {{ .Values.service.http.loadBalancerIP  }}
   {{- end }}
   {{- if .Values.service.http.loadBalancerSourceRanges }}
@@ -20,6 +25,7 @@ spec:
     - {{ . }}
   {{- end }}
   {{- end }}
+  {{- end }}
   {{- if .Values.service.http.externalIPs }}
   externalIPs:
     {{- toYaml .Values.service.http.externalIPs | nindent 4 }}

templates/gitea/ingress.yaml

@@ -13,6 +13,7 @@ apiVersion: {{ $apiVersion }}
 kind: Ingress
 metadata:
   name: {{ $fullName }}
+  namespace: {{ .Values.namespace | default .Release.Namespace }}
   labels:
     {{- include "gitea.labels" . | nindent 4 }}
   annotations:
@@ -21,7 +22,7 @@ metadata:
     {{- end }}
 spec:
 {{- if .Values.ingress.className }}
-  ingressClassName: {{ .Values.ingress.className }}
+  ingressClassName: {{ tpl .Values.ingress.className . }}
 {{- end }}
 {{- if .Values.ingress.tls }}
   tls:

templates/gitea/init.yaml

@@ -2,15 +2,12 @@ apiVersion: v1
 kind: Secret
 metadata:
   name: {{ include "gitea.fullname" . }}-init
+  namespace: {{ .Values.namespace | default .Release.Namespace }}
   labels:
     {{- include "gitea.labels" . | nindent 4 }}
 type: Opaque
 stringData:
-  configure_gpg_environment.sh: |-
-    #!/usr/bin/env bash
-    set -eu
-
-    gpg --batch --import /raw/private.asc
+{{ (.Files.Glob "scripts/init-containers/init/*.sh").AsConfig | indent 2 }}
   init_directory_structure.sh: |-
     #!/usr/bin/env bash
 
@@ -24,27 +21,25 @@ stringData:
     # END: initPreScript
     {{- end }}
 
-    set -x
-
     {{- if not .Values.image.rootless }}
-    chown 1000:1000 /data
+    chown -v 1000:1000 /data
     {{- end }}
-    mkdir -p /data/git/.ssh
-    chmod -R 700 /data/git/.ssh
-    [ ! -d /data/gitea/conf ] && mkdir -p /data/gitea/conf
+    mkdir -pv /data/git/.ssh
+    chmod -Rv 700 /data/git/.ssh
+    [ ! -d /data/gitea/conf ] && mkdir -pv /data/gitea/conf
 
     # prepare temp directory structure
-    mkdir -p "${GITEA_TEMP}"
+    mkdir -pv "${GITEA_TEMP}"
     {{- if not .Values.image.rootless }}
-    chown 1000:1000 "${GITEA_TEMP}"
+    chown -v 1000:1000 "${GITEA_TEMP}"
     {{- end }}
-    chmod ug+rwx "${GITEA_TEMP}"
+    chmod -v ug+rwx "${GITEA_TEMP}"
 
     {{ if .Values.signing.enabled -}}
     if [ ! -d "${GNUPGHOME}" ]; then
-      mkdir -p "${GNUPGHOME}"
-      chmod 700 "${GNUPGHOME}"
-      chown 1000:1000 "${GNUPGHOME}"
+      mkdir -pv "${GNUPGHOME}"
+      chmod -v 700 "${GNUPGHOME}"
+      chown -v 1000:1000 "${GNUPGHOME}"
     fi
     {{- end }}
 
@@ -67,7 +62,7 @@ stringData:
       local RETRY=0
       local MAX=30
       
-      echo 'Wait for redis to become avialable...'
+      echo 'Wait for redis to become available...'
       until [ "${RETRY}" -ge "${MAX}" ]; do
         nc -vz -w2 {{ include "redis.servicename" . }} {{ include "redis.port" . }} && break
         RETRY=$[${RETRY}+1]
@@ -99,7 +94,7 @@ stringData:
 
         echo "ERROR: 'configure_admin_user' was not able to determine the current list of admin users."
         echo "       Please review the output of 'gitea admin user list --admin' shown below."
-        echo "       If you think it is an issue with the Helm Chart provisioning, file an issue at https://gitea.com/gitea/helm-chart/issues."
+        echo "       If you think it is an issue with the Helm Chart provisioning, file an issue at https://gitea.com/gitea/helm-gitea/issues."
         echo "DEBUG: Output of 'gitea admin user list --admin'"
         echo "--"
         echo "${full_admin_list}"
@@ -109,13 +104,33 @@ stringData:
 
       local ACCOUNT_ID=$(echo "${actual_user_table}" | grep -E "\s+${GITEA_ADMIN_USERNAME}\s+" | awk -F " " "{printf \$1}")
       if [[ -z "${ACCOUNT_ID}" ]]; then
+        local -a create_args
+        create_args=(--admin --username "${GITEA_ADMIN_USERNAME}" --password "${GITEA_ADMIN_PASSWORD}" --email {{ .Values.gitea.admin.email | quote }})
+        if [[ "${GITEA_ADMIN_PASSWORD_MODE}" = initialOnlyRequireReset ]]; then
+          create_args+=(--must-change-password=true)
+        else
+          create_args+=(--must-change-password=false)
+        fi
         echo "No admin user '${GITEA_ADMIN_USERNAME}' found. Creating now..."
-        gitea admin user create --admin --username "${GITEA_ADMIN_USERNAME}" --password "${GITEA_ADMIN_PASSWORD}" --email {{ .Values.gitea.admin.email | quote }} --must-change-password=false
+        gitea admin user create "${create_args[@]}"
         echo '...created.'
       else
-        echo "Admin account '${GITEA_ADMIN_USERNAME}' already exist. Running update to sync password..."
-        gitea admin user change-password --username "${GITEA_ADMIN_USERNAME}" --password "${GITEA_ADMIN_PASSWORD}"
-        echo '...password sync done.'
+        if [[ "${GITEA_ADMIN_PASSWORD_MODE}" = keepUpdated ]]; then
+          echo "Admin account '${GITEA_ADMIN_USERNAME}' already exist. Running update to sync password..."
+          # See https://gitea.com/gitea/helm-gitea/issues/673
+          # --must-change-password argument was added to change-password, defaulting to true, counter to the previous behavior
+          #   which acted as if it were provided with =false. If the argument is present in this version of gitea, then we
+          #   should add it to prevent requiring frequent admin password resets.
+          local -a change_args
+          change_args=(--username "${GITEA_ADMIN_USERNAME}" --password "${GITEA_ADMIN_PASSWORD}")
+          if gitea admin user change-password --help | grep -qF -- '--must-change-password'; then
+            change_args+=(--must-change-password=false)
+          fi
+          gitea admin user change-password "${change_args[@]}"
+          echo '...password sync done.'
+        else
+          echo "Admin account '${GITEA_ADMIN_USERNAME}' already exist, but update mode is set to '${GITEA_ADMIN_PASSWORD_MODE}'. Skipping."
+        fi
       fi
     }
 
@@ -139,7 +154,7 @@ stringData:
 
         echo "ERROR: 'configure_ldap' was not able to determine the current list of authentication sources."
         echo "       Please review the output of 'gitea admin auth list --vertical-bars' shown below."
-        echo "       If you think it is an issue with the Helm Chart provisioning, file an issue at https://gitea.com/gitea/helm-chart/issues."
+        echo "       If you think it is an issue with the Helm Chart provisioning, file an issue at https://gitea.com/gitea/helm-gitea/issues."
         echo "DEBUG: Output of 'gitea admin auth list --vertical-bars'"
         echo "--"
         echo "${full_auth_list}"
@@ -183,7 +198,7 @@ stringData:
 
         echo "ERROR: 'configure_oauth' was not able to determine the current list of authentication sources."
         echo "       Please review the output of 'gitea admin auth list --vertical-bars' shown below."
-        echo "       If you think it is an issue with the Helm Chart provisioning, file an issue at https://gitea.com/gitea/helm-chart/issues."
+        echo "       If you think it is an issue with the Helm Chart provisioning, file an issue at https://gitea.com/gitea/helm-gitea/issues."
         echo "DEBUG: Output of 'gitea admin auth list --vertical-bars'"
         echo "--"
         echo "${full_auth_list}"

templates/gitea/metrics-secret.yaml

@@ -0,0 +1,12 @@
+{{- if and (.Values.gitea.metrics.enabled) (.Values.gitea.metrics.serviceMonitor.enabled) (.Values.gitea.metrics.token) -}}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "gitea.metrics-secret-name" . }}
+  namespace: {{ .Values.namespace | default .Release.Namespace }}
+  labels:
+    {{- include "gitea.labels" . | nindent 4 }}
+type: Opaque
+data:
+  token: {{ .Values.gitea.metrics.token  | b64enc }}
+{{- end }}

templates/gitea/poddisruptionbudget.yaml

@@ -7,6 +7,7 @@ apiVersion: policy/v1beta1
 kind: PodDisruptionBudget
 metadata:
   name: {{ include "gitea.fullname" . }}
+  namespace: {{ .Values.namespace | default .Release.Namespace }}
   labels:
     {{- include "gitea.labels" . | nindent 4 }}
 spec:

templates/gitea/pvc.yaml

@@ -3,7 +3,7 @@ kind: PersistentVolumeClaim
 apiVersion: v1
 metadata:
   name: {{ .Values.persistence.claimName }}
-  namespace: {{ $.Release.Namespace }}
+  namespace: {{ .Values.namespace | default .Release.Namespace }}
   annotations:
 {{ .Values.persistence.annotations | toYaml | indent 4}}
   labels:

templates/gitea/serviceaccount.yaml

@@ -3,7 +3,7 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: {{ include "gitea.serviceAccountName" . }}
-  namespace: {{ .Release.Namespace | quote }}
+  namespace: {{ .Values.namespace | default .Release.Namespace }}
   labels:
     {{- include "gitea.labels" . | nindent 4 }}
     {{- with .Values.serviceAccount.labels }}

templates/gitea/servicemonitor.yaml

@@ -1,8 +1,9 @@
-{{- if .Values.gitea.metrics.serviceMonitor.enabled -}}
+{{- if and .Values.gitea.metrics.enabled .Values.gitea.metrics.serviceMonitor.enabled -}}
 apiVersion: monitoring.coreos.com/v1
 kind: ServiceMonitor
 metadata:
   name: {{ include "gitea.fullname" . }}
+  namespace: {{ .Values.namespace | default .Release.Namespace }}
   labels:
     {{- include "gitea.labels" . | nindent 4 }}
     {{- if .Values.gitea.metrics.serviceMonitor.additionalLabels }}
@@ -14,4 +15,29 @@ spec:
       {{- include "gitea.selectorLabels" . | nindent 6 }}
   endpoints:
   - port: http
+    {{- if .Values.gitea.metrics.serviceMonitor.interval }}
+    interval: {{ .Values.gitea.metrics.serviceMonitor.interval }}
+    {{- end }}
+    {{- with .Values.gitea.metrics.serviceMonitor.relabelings }}
+    relabelings:
+      {{- . | toYaml | nindent 6 }}
+    {{- end }}
+    {{- if .Values.gitea.metrics.serviceMonitor.scheme }}
+    scheme: {{ .Values.gitea.metrics.serviceMonitor.scheme }}
+    {{- end }}
+    {{- if .Values.gitea.metrics.serviceMonitor.scrapeTimeout }}
+    scrapeTimeout: {{ .Values.gitea.metrics.serviceMonitor.scrapeTimeout }}
+    {{- end }}
+    {{- with .Values.gitea.metrics.serviceMonitor.tlsConfig }}
+    tlsConfig:
+      {{- . | toYaml | nindent 6 }}
+    {{- end }}
+    {{- if .Values.gitea.metrics.token }}
+    authorization:
+      type: Bearer
+      credentials:
+        name: {{ include "gitea.metrics-secret-name" . }}
+        key: token
+        optional: false
+    {{- end }}
 {{- end -}}

templates/gitea/ssh-svc.yaml

@@ -2,6 +2,7 @@ apiVersion: v1
 kind: Service
 metadata:
   name: {{ include "gitea.fullname" . }}-ssh
+  namespace: {{ .Values.namespace | default .Release.Namespace }}
   labels:
     {{- include "gitea.labels" . | nindent 4 }}
     {{- if .Values.service.ssh.labels }}
@@ -12,6 +13,9 @@ metadata:
 spec:
   type: {{ .Values.service.ssh.type }}
   {{- if eq .Values.service.ssh.type "LoadBalancer" }}
+  {{- if .Values.service.ssh.loadBalancerClass }}
+  loadBalancerClass: {{ .Values.service.ssh.loadBalancerClass }}
+  {{- end }}
   {{- if .Values.service.ssh.loadBalancerIP }}
   loadBalancerIP: {{ .Values.service.ssh.loadBalancerIP }}
   {{- end -}}

templates/tests/test-http-connection.yaml

@@ -3,6 +3,7 @@ apiVersion: v1
 kind: Pod
 metadata:
   name: "{{ include "gitea.fullname" . }}-test-connection"
+  namespace: {{ .Values.namespace | default .Release.Namespace }}
   labels:
 {{ include "gitea.labels" . | nindent 4 }}
   annotations:

unittests/bash/test_helper/common-setup.bash

@@ -0,0 +1,7 @@
+#!/usr/bin/env bash
+
+function common_setup() {
+  load "$TEST_ROOT/test_helper/bats-support/load"
+  load "$TEST_ROOT/test_helper/bats-assert/load"
+  load "$TEST_ROOT/test_helper/bats-mock/stub"
+}

unittests/bash/tests/init-containers/config/config_environment.bats

@@ -0,0 +1,204 @@
+#!/usr/bin/env bats
+
+function setup() {
+  PROJECT_ROOT="$(git rev-parse --show-toplevel)"
+  TEST_ROOT="$PROJECT_ROOT/unittests/bash"
+  load "$TEST_ROOT/test_helper/common-setup"
+  common_setup
+
+  export GITEA_APP_INI="$BATS_TEST_TMPDIR/app.ini"
+  export TMP_EXISTING_ENVS_FILE="$BATS_TEST_TMPDIR/existing-envs"
+  export ENV_TO_INI_MOUNT_POINT="$BATS_TEST_TMPDIR/env-to-ini-mounts"
+
+  stub gitea \
+      "generate secret INTERNAL_TOKEN : echo 'mocked-internal-token'" \
+      "generate secret SECRET_KEY : echo 'mocked-secret-key'" \
+      "generate secret JWT_SECRET : echo 'mocked-jwt-secret'" \
+      "generate secret LFS_JWT_SECRET : echo 'mocked-lfs-jwt-secret'"
+}
+
+function teardown() {
+  unstub gitea
+  # This condition exists due to https://github.com/jasonkarns/bats-mock/pull/37 being still open
+  if [ $ENV_TO_INI_EXPECTED -eq 1 ]; then
+    unstub environment-to-ini
+  fi
+}
+
+# This function exists due to https://github.com/jasonkarns/bats-mock/pull/37 being still open
+function expect_environment_to_ini_call() {
+  export ENV_TO_INI_EXPECTED=1
+  stub environment-to-ini \
+    "-o $GITEA_APP_INI : echo 'Stubbed environment-to-ini was called!'"
+}
+
+function execute_test_script() {
+  currentEnvsBefore=$(env | sort)
+  source $PROJECT_ROOT/scripts/init-containers/config/config_environment.sh
+  local exitCode=$?
+  currentEnvsAfter=$(env | sort)
+
+  # diff as unified +/- output without context before/after
+  diff --unified=0 <(echo "$currentEnvsBefore") <(echo "$currentEnvsAfter")
+
+  exit $exitCode
+}
+
+function write_mounted_file() {
+  # either "inlines" or "additionals"
+  scope="${1}"
+  file="${2}"
+  content="${3}"
+
+  mkdir -p "$ENV_TO_INI_MOUNT_POINT/$scope/..data/"
+  echo "${content}" > "$ENV_TO_INI_MOUNT_POINT/$scope/..data/$file"
+  ln -sf "$ENV_TO_INI_MOUNT_POINT/$scope/..data/$file" "$ENV_TO_INI_MOUNT_POINT/$scope/$file"
+}
+
+@test "works as expected when nothing is configured" {
+  expect_environment_to_ini_call
+  run $PROJECT_ROOT/scripts/init-containers/config/config_environment.sh
+
+  assert_success
+  assert_line '...Initial secrets generated'
+  assert_line 'Reloading preset envs...'
+  assert_line '=== All configuration sources loaded ==='
+  assert_line 'Stubbed environment-to-ini was called!'
+}
+
+@test "exports initial secrets" {
+  expect_environment_to_ini_call
+  run execute_test_script
+
+  assert_success
+  assert_line '+GITEA__OAUTH2__JWT_SECRET=mocked-jwt-secret'
+  assert_line '+GITEA__SECURITY__INTERNAL_TOKEN=mocked-internal-token'
+  assert_line '+GITEA__SECURITY__SECRET_KEY=mocked-secret-key'
+  assert_line '+GITEA__SERVER__LFS_JWT_SECRET=mocked-lfs-jwt-secret'
+}
+
+@test "does NOT export initial secrets when app.ini already exists" {
+  expect_environment_to_ini_call
+  touch $GITEA_APP_INI
+
+  run execute_test_script
+
+  assert_success
+  assert_line --partial 'An app.ini file already exists.'
+  refute_line '+GITEA__OAUTH2__JWT_SECRET=mocked-jwt-secret'
+  refute_line '+GITEA__SECURITY__INTERNAL_TOKEN=mocked-internal-token'
+  refute_line '+GITEA__SECURITY__SECRET_KEY=mocked-secret-key'
+  refute_line '+GITEA__SERVER__LFS_JWT_SECRET=mocked-lfs-jwt-secret'
+}
+
+@test "ensures that preset environment variables take precedence over auto-generated ones" {
+  expect_environment_to_ini_call
+  export GITEA__OAUTH2__JWT_SECRET="pre-defined-jwt-secret"
+
+  run execute_test_script
+
+  assert_success
+  refute_line '+GITEA__OAUTH2__JWT_SECRET=mocked-jwt-secret'
+}
+
+@test "ensures that preset environment variables take precedence over mounted ones" {
+  expect_environment_to_ini_call
+  export GITEA__OAUTH2__JWT_SECRET="pre-defined-jwt-secret"
+  write_mounted_file "inlines" "oauth2" "$(cat << EOF
+JWT_SECRET=inline-jwt-secret
+EOF
+)"
+
+  run execute_test_script
+
+  assert_success
+  refute_line '+GITEA__OAUTH2__JWT_SECRET=mocked-jwt-secret'
+  refute_line '+GITEA__OAUTH2__JWT_SECRET=inline-jwt-secret'
+}
+
+@test "ensures that additionals take precedence over inlines" {
+  expect_environment_to_ini_call
+  write_mounted_file "inlines" "oauth2" "$(cat << EOF
+JWT_SECRET=inline-jwt-secret
+EOF
+)"
+  write_mounted_file "additionals" "oauth2" "$(cat << EOF
+JWT_SECRET=additional-jwt-secret
+EOF
+)"
+
+  run execute_test_script
+
+  assert_success
+  refute_line '+GITEA__OAUTH2__JWT_SECRET=mocked-jwt-secret'
+  refute_line '+GITEA__OAUTH2__JWT_SECRET=inline-jwt-secret'
+  assert_line '+GITEA__OAUTH2__JWT_SECRET=additional-jwt-secret'
+}
+
+@test "ensures that dotted/dashed sections are properly masked" {
+  expect_environment_to_ini_call
+  write_mounted_file "inlines" "repository.pull-request" "$(cat << EOF
+WORK_IN_PROGRESS_PREFIXES=WIP:,[WIP]
+EOF
+)"
+
+  run execute_test_script
+
+  assert_success
+  assert_line '+GITEA__REPOSITORY_0X2E_PULL_0X2D_REQUEST__WORK_IN_PROGRESS_PREFIXES=WIP:,[WIP]'
+}
+
+###############################################################
+##### THIS IS A BUG, BUT I WANT IT TO BE COVERED BY TESTS #####
+###############################################################
+@test "ensures uppercase section and setting names (🐞)" {
+  expect_environment_to_ini_call
+  export GITEA__oauth2__JwT_Secret="pre-defined-jwt-secret"
+  write_mounted_file "inlines" "repository.pull-request" "$(cat << EOF
+WORK_IN_progress_PREFIXES=WIP:,[WIP]
+EOF
+)"
+
+  run execute_test_script
+
+  assert_success
+  assert_line '+GITEA__REPOSITORY_0X2E_PULL_0X2D_REQUEST__WORK_IN_PROGRESS_PREFIXES=WIP:,[WIP]'
+  assert_line '+GITEA__OAUTH2__JWT_SECRET=pre-defined-jwt-secret'
+}
+
+@test "treats top-level configuration as section-less" {
+  expect_environment_to_ini_call
+  write_mounted_file "inlines" "_generals_" "$(cat << EOF
+APP_NAME=Hello top-level configuration
+RUN_MODE=dev
+EOF
+)"
+
+  run execute_test_script
+
+  assert_success
+  assert_line '+GITEA____APP_NAME=Hello top-level configuration'
+  assert_line '+GITEA____RUN_MODE=dev'
+}
+
+@test "fails on invalid setting" {
+  write_mounted_file "inlines" "_generals_" "$(cat << EOF
+some random invalid string
+EOF
+)"
+
+  run execute_test_script
+
+  assert_failure
+}
+
+@test "treats empty setting name as invalid setting" {
+  write_mounted_file "inlines" "_generals_" "$(cat << EOF
+=value
+EOF
+)"
+
+  run execute_test_script
+
+  assert_failure
+}

unittests/config/database-section_postgresql-ha.yaml

@@ -1,30 +0,0 @@
-suite: config template | database section (postgresql-ha)
-release:
-  name: gitea-unittests
-  namespace: testing
-tests:
-  - it: connects to pgpool service
-    template: templates/gitea/config.yaml
-    set:
-      postgresql:
-        enabled: false
-      postgresql-ha:
-        enabled: true
-    asserts:
-      - documentIndex: 0
-        matchRegex:
-          path: stringData.database
-          pattern: HOST=gitea-unittests-postgresql-ha-pgpool.testing.svc.cluster.local:5432
-  - it: renders the referenced service
-    template: charts/postgresql-ha/templates/pgpool/service.yaml
-    set:
-      postgresql:
-        enabled: false
-      postgresql-ha:
-        enabled: true
-    asserts:
-      - containsDocument:
-          kind: Service
-          apiVersion: v1
-          name: gitea-unittests-postgresql-ha-pgpool
-          namespace: testing

unittests/config/database-section_postgresql.yaml

@@ -1,30 +0,0 @@
-suite: config template | database section (postgresql)
-release:
-  name: gitea-unittests
-  namespace: testing
-tests:
-  - it: "connects to postgresql service"
-    template: templates/gitea/config.yaml
-    set:
-      postgresql:
-        enabled: true
-      postgresql-ha:
-        enabled: false
-    asserts:
-      - documentIndex: 0
-        matchRegex:
-          path: stringData.database
-          pattern: HOST=gitea-unittests-postgresql.testing.svc.cluster.local:5432
-  - it: "renders the referenced service"
-    template: charts/postgresql/templates/primary/svc.yaml
-    set:
-      postgresql:
-        enabled: true
-      postgresql-ha:
-        enabled: false
-    asserts:
-      - containsDocument:
-          kind: Service
-          apiVersion: v1
-          name: gitea-unittests-postgresql
-          namespace: testing

unittests/deployment/basic.yaml

@@ -1,17 +0,0 @@
-suite: deployment template (basic)
-release:
-  name: gitea-unittests
-  namespace: testing
-templates:
-  - templates/gitea/deployment.yaml
-  - templates/gitea/config.yaml
-tests:
-  - it: renders a deployment
-    template: templates/gitea/deployment.yaml
-    asserts:
-      - hasDocuments:
-          count: 1
-      - containsDocument:
-          kind: Deployment
-          apiVersion: apps/v1
-          name: gitea-unittests

unittests/deployment/ingress-configuration.yaml

@@ -1,23 +0,0 @@
-suite: ingress template
-release:
-  name: gitea-unittests
-  namespace: testing
-templates:
-  - templates/gitea/ingress.yaml
-tests:
-  - it: hostname using TPL
-    set:
-      global.giteaHostName: "gitea.example.com"
-      ingress.enabled: true
-      ingress.hosts[0].host: "{{ .Values.global.giteaHostName }}"
-      ingress.tls:
-        - secretName: gitea-tls
-          hosts:
-            - "{{ .Values.global.giteaHostName }}"
-    asserts:
-      - equal:
-          path: spec.tls[0].hosts[0]
-          value: "gitea.example.com"
-      - equal:
-          path: spec.rules[0].host
-          value: "gitea.example.com"

unittests/deployment/svc-configuration.yaml

@@ -1,51 +0,0 @@
-suite: ssh-svc / http-svc template (Services configuration)
-release:
-  name: gitea-unittests
-  namespace: testing
-templates:
-  - templates/gitea/ssh-svc.yaml
-  - templates/gitea/http-svc.yaml
-tests:
-  - it: supports adding custom labels to ssh-svc
-    template: templates/gitea/ssh-svc.yaml
-    set:
-      service:
-        ssh:
-          labels:
-            gitea/testkey: testvalue
-    asserts:
-      - equal:
-          path: metadata.labels["gitea/testkey"]
-          value: "testvalue"
-
-  - it: keeps existing labels (ssh)
-    template: templates/gitea/ssh-svc.yaml
-    set:
-      service:
-        ssh:
-          labels: {}
-    asserts:
-      - exists:
-          path: metadata.labels["app"]
-
-  - it: supports adding custom labels to http-svc
-    template: templates/gitea/http-svc.yaml
-    set:
-      service:
-        http:
-          labels:
-            gitea/testkey: testvalue
-    asserts:
-      - equal:
-          path: metadata.labels["gitea/testkey"]
-          value: "testvalue"
-
-  - it: keeps existing labels (http)
-    template: templates/gitea/http-svc.yaml
-    set:
-      service:
-        http:
-          labels: {}
-    asserts:
-      - exists:
-          path: metadata.labels["app"]

unittests/helm/act_runner/01-consistency-checks.yaml

@@ -0,0 +1,69 @@
+suite: actions template | consistency checks
+release:
+  name: gitea-unittests
+  namespace: testing
+templates:
+  - templates/gitea/act_runner/01-consistency-checks.yaml
+tests:
+  - it: fails when provisioning is enabled BUT persistence is completely disabled
+    set:
+      persistence:
+        enabled: false
+      actions:
+        enabled: true
+        provisioning:
+          enabled: true
+    asserts:
+      - failedTemplate:
+          errorMessage: "persistence.enabled and persistence.mount are required when provisioning is enabled"
+  - it: fails when provisioning is enabled BUT mount is disabled, although persistence is enabled
+    set:
+      persistence:
+        enabled: true
+        mount: false
+      actions:
+        enabled: true
+        provisioning:
+          enabled: true
+    asserts:
+      - failedTemplate:
+          errorMessage: "persistence.enabled and persistence.mount are required when provisioning is enabled"
+  - it: fails when provisioning is enabled AND existingSecret is given
+    set:
+      actions:
+        enabled: true
+        provisioning:
+          enabled: true
+        existingSecret: "secret-reference"
+    asserts:
+      - failedTemplate:
+          errorMessage: "Can't specify both actions.provisioning.enabled and actions.existingSecret"
+  - it: fails when provisioning is disabled BUT existingSecret and existingSecretKey are missing
+    set:
+      actions:
+        enabled: true
+        provisioning:
+          enabled: false
+    asserts:
+      - failedTemplate:
+          errorMessage: "actions.existingSecret and actions.existingSecretKey are required when provisioning is disabled"
+  - it: fails when provisioning is disabled BUT existingSecretKey is missing
+    set:
+      actions:
+        enabled: true
+        provisioning:
+          enabled: false
+        existingSecret: "my-secret"
+    asserts:
+      - failedTemplate:
+          errorMessage: "actions.existingSecret and actions.existingSecretKey are required when provisioning is disabled"
+  - it: fails when provisioning is disabled BUT existingSecret is missing
+    set:
+      actions:
+        enabled: true
+        provisioning:
+          enabled: false
+        existingSecretKey: "my-secret-key"
+    asserts:
+      - failedTemplate:
+          errorMessage: "actions.existingSecret and actions.existingSecretKey are required when provisioning is disabled"

unittests/helm/act_runner/config-act-runner.yaml

@@ -0,0 +1,45 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/helm-unittest/helm-unittest/main/schema/helm-testsuite.json
+suite: actions template | config-act-runner
+release:
+  name: gitea-unittests
+  namespace: testing
+templates:
+  - templates/gitea/act_runner/config-act-runner.yaml
+tests:
+  - it: doesn't renders a ConfigMap by default
+    template: templates/gitea/act_runner/config-act-runner.yaml
+    asserts:
+      - hasDocuments:
+          count: 0
+  - it: renders a ConfigMap
+    template: templates/gitea/act_runner/config-act-runner.yaml
+    set:
+      actions:
+        enabled: true
+        statefulset:
+          actRunner:
+            config: |
+              log:
+                level: info
+              cache:
+                enabled: false
+              runner:
+                labels:
+                  - "ubuntu-latest"
+    asserts:
+      - hasDocuments:
+          count: 1
+      - containsDocument:
+          kind: ConfigMap
+          apiVersion: v1
+          name: gitea-unittests-act-runner-config
+      - equal:
+          path: data["config.yaml"]
+          value: |
+            log:
+              level: info
+            cache:
+              enabled: false
+            runner:
+              labels:
+                - "ubuntu-latest"

unittests/helm/act_runner/config-scripts.yaml

@@ -0,0 +1,49 @@
+suite: actions template | config-scripts
+release:
+  name: gitea-unittests
+  namespace: testing
+templates:
+  - templates/gitea/act_runner/config-scripts.yaml
+tests:
+  - it: renders a ConfigMap when all criteria are met
+    template: templates/gitea/act_runner/config-scripts.yaml
+    set:
+      actions:
+        enabled: true
+        provisioning:
+          enabled: true
+      persistence:
+        enabled: true
+        mount: true
+    asserts:
+      - hasDocuments:
+          count: 1
+      - containsDocument:
+          kind: ConfigMap
+          apiVersion: v1
+          name: gitea-unittests-scripts
+      - isNotNullOrEmpty:
+          path: data["token.sh"]
+  - it: doesn't renders a ConfigMap by default
+    template: templates/gitea/act_runner/config-scripts.yaml
+    asserts:
+      - hasDocuments:
+          count: 0
+  - it: doesn't renders a ConfigMap with disabled actions but enabled provisioning
+    template: templates/gitea/act_runner/config-scripts.yaml
+    asserts:
+      - hasDocuments:
+          count: 0
+  - it: doesn't renders a ConfigMap with disabled actions but otherwise met criteria
+    template: templates/gitea/act_runner/config-scripts.yaml
+    set:
+      actions:
+        enabled: false
+        provisioning:
+          enabled: true
+      persistence:
+        enabled: true
+        mount: true
+    asserts:
+      - hasDocuments:
+          count: 0

unittests/helm/act_runner/job.yaml

@@ -0,0 +1,65 @@
+suite: actions template | job
+release:
+  name: gitea-unittests
+  namespace: testing
+chart:
+  # Override appVersion to have a pinned version for comparison
+  appVersion: 1.19.3
+templates:
+  - templates/gitea/act_runner/job.yaml
+tests:
+  - it: renders a Job
+    template: templates/gitea/act_runner/job.yaml
+    set:
+      actions:
+        enabled: true
+        provisioning:
+          enabled: true
+      persistence:
+        enabled: true
+        mount: true
+    asserts:
+      - hasDocuments:
+          count: 1
+      - containsDocument:
+          kind: Job
+          apiVersion: batch/v1
+          name: gitea-unittests-actions-token-job
+      - equal:
+          path: spec.template.spec.containers[0].image
+          value: "docker.gitea.com/gitea:1.19.3-rootless"
+  - it: tag override
+    template: templates/gitea/act_runner/job.yaml
+    set:
+      image.tag: "1.19.4"
+      actions:
+        enabled: true
+        provisioning:
+          enabled: true
+          publish:
+            tag: "1.29.0"
+      persistence:
+        enabled: true
+        mount: true
+    asserts:
+      - equal:
+          path: spec.template.spec.containers[0].image
+          value: "docker.gitea.com/gitea:1.19.4-rootless"
+      - equal:
+          path: spec.template.spec.containers[1].image
+          value: "bitnami/kubectl:1.29.0"
+  - it: doesn't renders a Job by default
+    template: templates/gitea/act_runner/job.yaml
+    asserts:
+      - hasDocuments:
+          count: 0
+  - it: doesn't renders a Job when provisioning is enabled BUT actions are not enabled
+    template: templates/gitea/act_runner/job.yaml
+    set:
+      actions:
+        enabled: false
+        provisioning:
+          enabled: true
+    asserts:
+      - hasDocuments:
+          count: 0

unittests/helm/act_runner/role-job.yaml

@@ -0,0 +1,42 @@
+suite: actions template | role-job
+release:
+  name: gitea-unittests
+  namespace: testing
+templates:
+  - templates/gitea/act_runner/role-job.yaml
+tests:
+  - it: doesn't renders a Role by default
+    template: templates/gitea/act_runner/role-job.yaml
+    asserts:
+      - hasDocuments:
+          count: 0
+  - it: renders a Role
+    template: templates/gitea/act_runner/role-job.yaml
+    set:
+      actions:
+        enabled: true
+        provisioning:
+          enabled: true
+      persistence:
+        enabled: true
+        mount: true
+    asserts:
+      - hasDocuments:
+          count: 1
+      - containsDocument:
+          kind: Role
+          apiVersion: rbac.authorization.k8s.io/v1
+          name: gitea-unittests-actions-token-job
+  - it: doesn't renders a Role when criteria met BUT actions are not enabled
+    template: templates/gitea/act_runner/role-job.yaml
+    set:
+      actions:
+        enabled: false
+        provisioning:
+          enabled: true
+      persistence:
+        enabled: true
+        mount: true
+    asserts:
+      - hasDocuments:
+          count: 0

unittests/helm/act_runner/rolebinding-job.yaml

@@ -0,0 +1,42 @@
+suite: actions template | rolebinding-job
+release:
+  name: gitea-unittests
+  namespace: testing
+templates:
+  - templates/gitea/act_runner/rolebinding-job.yaml
+tests:
+  - it: doesn't renders a RoleBinding by default
+    template: templates/gitea/act_runner/rolebinding-job.yaml
+    asserts:
+      - hasDocuments:
+          count: 0
+  - it: renders a RoleBinding
+    template: templates/gitea/act_runner/rolebinding-job.yaml
+    set:
+      actions:
+        enabled: true
+        provisioning:
+          enabled: true
+      persistence:
+        enabled: true
+        mount: true
+    asserts:
+      - hasDocuments:
+          count: 1
+      - containsDocument:
+          kind: RoleBinding
+          apiVersion: rbac.authorization.k8s.io/v1
+          name: gitea-unittests-actions-token-job
+  - it: doesn't renders a RoleBinding when criteria met BUT actions are not enabled
+    template: templates/gitea/act_runner/rolebinding-job.yaml
+    set:
+      actions:
+        enabled: false
+        provisioning:
+          enabled: true
+      persistence:
+        enabled: true
+        mount: true
+    asserts:
+      - hasDocuments:
+          count: 0

unittests/helm/act_runner/secret-token.yaml

@@ -0,0 +1,42 @@
+suite: actions template | secret-token
+release:
+  name: gitea-unittests
+  namespace: testing
+templates:
+  - templates/gitea/act_runner/secret-token.yaml
+tests:
+  - it: doesn't renders a Secret by default
+    template: templates/gitea/act_runner/secret-token.yaml
+    asserts:
+      - hasDocuments:
+          count: 0
+  - it: renders a Secret
+    template: templates/gitea/act_runner/secret-token.yaml
+    set:
+      actions:
+        enabled: true
+        provisioning:
+          enabled: true
+      persistence:
+        enabled: true
+        mount: true
+    asserts:
+      - hasDocuments:
+          count: 1
+      - containsDocument:
+          kind: Secret
+          apiVersion: v1
+          name: gitea-unittests-actions-token
+  - it: doesn't renders a Secret when criteria met BUT actions are not enabled
+    template: templates/gitea/act_runner/secret-token.yaml
+    set:
+      actions:
+        enabled: false
+        provisioning:
+          enabled: true
+      persistence:
+        enabled: true
+        mount: true
+    asserts:
+      - hasDocuments:
+          count: 0

unittests/helm/act_runner/serviceaccount-job.yaml

@@ -0,0 +1,42 @@
+suite: actions template | serviceaccount-job
+release:
+  name: gitea-unittests
+  namespace: testing
+templates:
+  - templates/gitea/act_runner/serviceaccount-job.yaml
+tests:
+  - it: doesn't renders a ServiceAccount by default
+    template: templates/gitea/act_runner/serviceaccount-job.yaml
+    asserts:
+      - hasDocuments:
+          count: 0
+  - it: renders a ServiceAccount
+    template: templates/gitea/act_runner/serviceaccount-job.yaml
+    set:
+      actions:
+        enabled: true
+        provisioning:
+          enabled: true
+      persistence:
+        enabled: true
+        mount: true
+    asserts:
+      - hasDocuments:
+          count: 1
+      - containsDocument:
+          kind: ServiceAccount
+          apiVersion: v1
+          name: gitea-unittests-actions-token-job
+  - it: doesn't renders a ServiceAccount when criteria met BUT actions are not enabled
+    template: templates/gitea/act_runner/serviceaccount-job.yaml
+    set:
+      actions:
+        enabled: false
+        provisioning:
+          enabled: true
+      persistence:
+        enabled: true
+        mount: true
+    asserts:
+      - hasDocuments:
+          count: 0

unittests/helm/act_runner/statefulset.yaml

@@ -0,0 +1,182 @@
+suite: actions template | statefulset
+release:
+  name: gitea-unittests
+  namespace: testing
+templates:
+  - templates/gitea/act_runner/statefulset.yaml
+  - templates/gitea/act_runner/config-act-runner.yaml
+tests:
+  - it: doesn't renders a StatefulSet by default
+    template: templates/gitea/act_runner/statefulset.yaml
+    asserts:
+      - hasDocuments:
+          count: 0
+  - it: renders a StatefulSet (with given existingSecret/existingSecretKey)
+    template: templates/gitea/act_runner/statefulset.yaml
+    set:
+      actions:
+        enabled: true
+        existingSecret: "my-secret"
+        existingSecretKey: "my-secret-key"
+    asserts:
+      - hasDocuments:
+          count: 1
+      - containsDocument:
+          kind: StatefulSet
+          apiVersion: apps/v1
+          name: gitea-unittests-act-runner
+      - equal:
+          path: spec.template.spec.containers[0].env[3]
+          value:
+            name: GITEA_RUNNER_REGISTRATION_TOKEN
+            valueFrom:
+              secretKeyRef:
+                name: "my-secret"
+                key: "my-secret-key"
+  - it: renders a StatefulSet (with secret reference defaults for enabled provisioning)
+    template: templates/gitea/act_runner/statefulset.yaml
+    set:
+      actions:
+        enabled: true
+        provisioning:
+          enabled: true
+    asserts:
+      - hasDocuments:
+          count: 1
+      - containsDocument:
+          kind: StatefulSet
+          apiVersion: apps/v1
+          name: gitea-unittests-act-runner
+      - equal:
+          path: spec.template.spec.containers[0].env[3]
+          value:
+            name: GITEA_RUNNER_REGISTRATION_TOKEN
+            valueFrom:
+              secretKeyRef:
+                name: "gitea-unittests-actions-token"
+                key: "token"
+  - it: renders a StatefulSet (that tracks changes of the runner configuration as annotation)
+    template: templates/gitea/act_runner/statefulset.yaml
+    set:
+      image.tag: "1.22.3" # lock image tag to prevent test failures on future Gitea upgrades
+      actions:
+        enabled: true
+        existingSecret: "my-secret"
+        existingSecretKey: "my-secret-key"
+    asserts:
+      - hasDocuments:
+          count: 1
+      - containsDocument:
+          kind: StatefulSet
+          apiVersion: apps/v1
+          name: gitea-unittests-act-runner
+      - equal:
+          path: spec.template.metadata.annotations["checksum/config"]
+          value: "2a2200e80fc29111d18b675789c265cd3d5f917754850f946f1ce3c55dcd65f8"
+  - it: renders a StatefulSet (with correct GITEA_INSTANCE_URL env with default act-runner specific LOCAL_ROOT_URL)
+    template: templates/gitea/act_runner/statefulset.yaml
+    set:
+      actions:
+        enabled: true
+        existingSecret: "my-secret"
+        existingSecretKey: "my-secret-key"
+    asserts:
+      - hasDocuments:
+          count: 1
+      - containsDocument:
+          kind: StatefulSet
+          apiVersion: apps/v1
+          name: gitea-unittests-act-runner
+      - equal:
+          path: spec.template.spec.containers[0].env[4]
+          value:
+            name: GITEA_INSTANCE_URL
+            value: "http://gitea-unittests-http:3000"
+  - it: renders a StatefulSet (with correct GITEA_INSTANCE_URL env from customized LOCAL_ROOT_URL)
+    template: templates/gitea/act_runner/statefulset.yaml
+    set:
+      gitea.config.server.LOCAL_ROOT_URL: "http://git.example.com"
+      actions:
+        enabled: true
+        existingSecret: "my-secret"
+        existingSecretKey: "my-secret-key"
+    asserts:
+      - hasDocuments:
+          count: 1
+      - containsDocument:
+          kind: StatefulSet
+          apiVersion: apps/v1
+          name: gitea-unittests-act-runner
+      - equal:
+          path: spec.template.spec.containers[0].env[4]
+          value:
+            name: GITEA_INSTANCE_URL
+            value: "http://git.example.com"
+  - it: allows adding custom environment variables to the docker-in-docker container
+    template: templates/gitea/act_runner/statefulset.yaml
+    set:
+      actions:
+        enabled: true
+        statefulset:
+          dind:
+            extraEnvs:
+              - name: "CUSTOM_ENV_NAME"
+                value: "custom env value"
+    asserts:
+      - equal:
+          path: spec.template.spec.containers[1].env[3]
+          value:
+            name: "CUSTOM_ENV_NAME"
+            value: "custom env value"
+  - it: should mount an extra volume in the act runner container
+    template: templates/gitea/act_runner/statefulset.yaml
+    set:
+      actions:
+        enabled: true
+        statefulset:
+          extraVolumes:
+            - name: my-act-runner-volume
+              emptyDir: {}
+          actRunner:
+            extraVolumeMounts:
+              - mountPath: /mnt
+                name: my-act-runner-volume
+    asserts:
+      - hasDocuments:
+          count: 1
+      - containsDocument:
+          kind: StatefulSet
+          apiVersion: apps/v1
+          name: gitea-unittests-act-runner
+      - contains:
+          any: true
+          path: spec.template.spec.containers[0].volumeMounts
+          content:
+            mountPath: /mnt
+            name: my-act-runner-volume
+  - it: should mount an extra volume in the docker-in-docker container
+    template: templates/gitea/act_runner/statefulset.yaml
+    set:
+      actions:
+        enabled: true
+        statefulset:
+          extraVolumes:
+            - name: my-dind-volume
+              emptyDir: {}
+          dind:
+            extraVolumeMounts:
+              - mountPath: /mnt
+                name: my-dind-volume
+    asserts:
+      - hasDocuments:
+          count: 1
+      - containsDocument:
+          kind: StatefulSet
+          apiVersion: apps/v1
+          name: gitea-unittests-act-runner
+      - contains:
+          any: true
+          path: spec.template.spec.containers[1].volumeMounts
+          content:
+            mountPath: /mnt
+            name: my-dind-volume

unittests/helm/config/actions-config.yaml

@@ -0,0 +1,61 @@
+suite: config template | actions config
+release:
+  name: gitea-unittests
+  namespace: testing
+templates:
+  - templates/gitea/config.yaml
+tests:
+  - it: "actions are not enabled by default"
+    template: templates/gitea/config.yaml
+    asserts:
+      - documentIndex: 0
+        equal:
+          path: stringData.actions
+          value: |-
+            ENABLED=false
+
+  - it: "actions can be enabled via inline config"
+    template: templates/gitea/config.yaml
+    set:
+      gitea.config.actions.ENABLED: true
+    asserts:
+      - documentIndex: 0
+        equal:
+          path: stringData.actions
+          value: |-
+            ENABLED=true
+
+  - it: "actions can be enabled via dedicated values object"
+    template: templates/gitea/config.yaml
+    set:
+      actions:
+        enabled: true
+    asserts:
+      - documentIndex: 0
+        equal:
+          path: stringData.actions
+          value: |-
+            ENABLED=true
+
+  - it: "defines LOCAL_ROOT_URL when actions are enabled"
+    template: templates/gitea/config.yaml
+    set:
+      actions:
+        enabled: true
+    asserts:
+      - documentIndex: 0
+        matchRegex:
+          path: stringData.server
+          pattern: \nLOCAL_ROOT_URL=http://gitea-unittests-http:3000
+
+  - it: "respects custom LOCAL_ROOT_URL, even when actions are enabled"
+    template: templates/gitea/config.yaml
+    set:
+      actions:
+        enabled: true
+      gitea.config.server.LOCAL_ROOT_URL: "http://git.example.com"
+    asserts:
+      - documentIndex: 0
+        matchRegex:
+          path: stringData.server
+          pattern: \nLOCAL_ROOT_URL=http://git.example.com

unittests/helm/config/cache-config.yaml

@@ -8,6 +8,8 @@ tests:
     set:
       redis-cluster:
         enabled: true
+      redis:
+        enabled: false
     asserts:
       - documentIndex: 0
         equal:
@@ -16,11 +18,28 @@ tests:
             ADAPTER=redis
             HOST=redis+cluster://:@gitea-unittests-redis-cluster-headless.testing.svc.cluster.local:6379/0?pool_size=100&idle_timeout=180s&
 
-  - it: "cache is configured correctly for 'memory' when redis-cluster is disabled"
+  - it: "cache is configured correctly for redis"
     template: templates/gitea/config.yaml
     set:
       redis-cluster:
         enabled: false
+      redis:
+        enabled: true
+    asserts:
+      - documentIndex: 0
+        equal:
+          path: stringData.cache
+          value: |-
+            ADAPTER=redis
+            HOST=redis://:changeme@gitea-unittests-redis-headless.testing.svc.cluster.local:6379/0?pool_size=100&idle_timeout=180s&
+
+  - it: "cache is configured correctly for 'memory' when redis (or redis-cluster) is disabled"
+    template: templates/gitea/config.yaml
+    set:
+      redis-cluster:
+        enabled: false
+      redis:
+        enabled: false
     asserts:
       - documentIndex: 0
         equal:
@@ -29,11 +48,13 @@ tests:
             ADAPTER=memory
             HOST=
 
-  - it: "cache can be customized when redis-cluster is disabled"
+  - it: "cache can be customized when redis (or redis-cluster) is disabled"
     template: templates/gitea/config.yaml
     set:
       redis-cluster:
         enabled: false
+      redis:
+        enabled: false
       gitea.config.cache.ADAPTER: custom-adapter
       gitea.config.cache.HOST: custom-host
     asserts:

unittests/helm/config/metrics-section_metrics-token.yaml

@@ -0,0 +1,58 @@
+suite: config template | metrics section (metrics token)
+release:
+  name: gitea-unittests
+  namespace: testing
+tests:
+  - it: metrics token is set
+    template: templates/gitea/config.yaml
+    set:
+      gitea:
+        metrics:
+          enabled: true
+          token: "somepassword"
+    asserts:
+      - documentIndex: 0
+        equal:
+          path: stringData.metrics
+          value: |-
+            ENABLED=true
+            TOKEN=somepassword
+  - it: metrics token is empty
+    template: templates/gitea/config.yaml
+    set:
+      gitea:
+        metrics:
+          enabled: true
+          token: ""
+    asserts:
+      - documentIndex: 0
+        equal:
+          path: stringData.metrics
+          value: |-
+            ENABLED=true
+  - it: metrics token is nil
+    template: templates/gitea/config.yaml
+    set:
+      gitea:
+        metrics:
+          enabled: true
+          token:
+    asserts:
+      - documentIndex: 0
+        equal:
+          path: stringData.metrics
+          value: |-
+            ENABLED=true
+  - it: does not configures a token if metrics are disabled
+    template: templates/gitea/config.yaml
+    set:
+      gitea:
+        metrics:
+          enabled: false
+          token: "somepassword"
+    asserts:
+      - documentIndex: 0
+        equal:
+          path: stringData.metrics
+          value: |-
+            ENABLED=false

unittests/helm/config/queue-config.yaml

@@ -8,6 +8,8 @@ tests:
     set:
       redis-cluster:
         enabled: true
+      redis:
+        enabled: false
     asserts:
       - documentIndex: 0
         equal:
@@ -16,11 +18,28 @@ tests:
             CONN_STR=redis+cluster://:@gitea-unittests-redis-cluster-headless.testing.svc.cluster.local:6379/0?pool_size=100&idle_timeout=180s&
             TYPE=redis
 
-  - it: "queue is configured correctly for 'levelDB' when redis-cluster is disabled"
+  - it: "queue is configured correctly for redis"
     template: templates/gitea/config.yaml
     set:
       redis-cluster:
         enabled: false
+      redis:
+        enabled: true
+    asserts:
+      - documentIndex: 0
+        equal:
+          path: stringData.queue
+          value: |-
+            CONN_STR=redis://:changeme@gitea-unittests-redis-headless.testing.svc.cluster.local:6379/0?pool_size=100&idle_timeout=180s&
+            TYPE=redis
+
+  - it: "queue is configured correctly for 'levelDB' when redis (and redis-cluster) is disabled"
+    template: templates/gitea/config.yaml
+    set:
+      redis-cluster:
+        enabled: false
+      redis:
+        enabled: false
     asserts:
       - documentIndex: 0
         equal:
@@ -29,11 +48,13 @@ tests:
             CONN_STR=
             TYPE=level
 
-  - it: "queue can be customized when redis-cluster is disabled"
+  - it: "queue can be customized when redis (and redis-cluster) are disabled"
     template: templates/gitea/config.yaml
     set:
       redis-cluster:
         enabled: false
+      redis:
+        enabled: false
       gitea.config.queue.TYPE: custom-type
       gitea.config.queue.CONN_STR: custom-connection-string
     asserts:

unittests/helm/config/session-config.yaml

@@ -8,6 +8,8 @@ tests:
     set:
       redis-cluster:
         enabled: true
+      redis:
+        enabled: false
     asserts:
       - documentIndex: 0
         equal:
@@ -16,11 +18,28 @@ tests:
             PROVIDER=redis
             PROVIDER_CONFIG=redis+cluster://:@gitea-unittests-redis-cluster-headless.testing.svc.cluster.local:6379/0?pool_size=100&idle_timeout=180s&
 
-  - it: "session is configured correctly for 'memory' when redis-cluster is disabled"
+  - it: "session is configured correctly for redis"
     template: templates/gitea/config.yaml
     set:
       redis-cluster:
         enabled: false
+      redis:
+        enabled: true
+    asserts:
+      - documentIndex: 0
+        equal:
+          path: stringData.session
+          value: |-
+            PROVIDER=redis
+            PROVIDER_CONFIG=redis://:changeme@gitea-unittests-redis-headless.testing.svc.cluster.local:6379/0?pool_size=100&idle_timeout=180s&
+
+  - it: "session is configured correctly for 'memory' when redis (and redis-cluster) is disabled"
+    template: templates/gitea/config.yaml
+    set:
+      redis-cluster:
+        enabled: false
+      redis:
+        enabled: false
     asserts:
       - documentIndex: 0
         equal:
@@ -29,11 +48,13 @@ tests:
             PROVIDER=memory
             PROVIDER_CONFIG=
 
-  - it: "session can be customized when redis-cluster is disabled"
+  - it: "session can be customized when redis (and redis-cluster) is disabled"
     template: templates/gitea/config.yaml
     set:
       redis-cluster:
         enabled: false
+      redis:
+        enabled: false
       gitea.config.session.PROVIDER: custom-provider
       gitea.config.session.PROVIDER_CONFIG: custom-provider-config
     asserts:

unittests/helm/dependency-checks/customization-integrity-postgresql-ha.yaml

@@ -0,0 +1,121 @@
+suite: Dependency checks | Customization integrity | postgresql-ha
+release:
+  name: gitea-unittests
+  namespace: testing
+set:
+  postgresql:
+    enabled: false
+  postgresql-ha:
+    enabled: true
+    global:
+      postgresql:
+        database: gitea-database
+        password: gitea-password
+        username: gitea-username
+    postgresql:
+      repmgrPassword: custom-password-repmgr
+      postgresPassword: custom-password-postgres
+      password: custom-password-overwritten-by-global-postgresql-password
+    pgpool:
+      adminPassword: custom-password-pgpool
+    service:
+      ports:
+        postgresql: 1234
+    persistence:
+      size: 1337Mi
+tests:
+  - it: "[postgresql-ha] DB settings are applied as expected"
+    template: charts/postgresql-ha/templates/postgresql/statefulset.yaml
+    asserts:
+      - documentIndex: 0
+        contains:
+          path: spec.template.spec.containers[0].env
+          content:
+            name: POSTGRES_DB
+            value: "gitea-database"
+      - documentIndex: 0
+        contains:
+          path: spec.template.spec.containers[0].env
+          content:
+            name: POSTGRES_USER
+            value: "gitea-username"
+  - it: "[postgresql-ha] DB passwords are applied as expected"
+    template: charts/postgresql-ha/templates/postgresql/secrets.yaml
+    asserts:
+      - documentIndex: 0
+        equal:
+          path: data["repmgr-password"]
+          value: "Y3VzdG9tLXBhc3N3b3JkLXJlcG1ncg=="
+      - documentIndex: 0
+        equal:
+          path: data["postgres-password"]
+          value: "Y3VzdG9tLXBhc3N3b3JkLXBvc3RncmVz"
+      - documentIndex: 0
+        equal:
+          path: data["password"]
+          value: "Z2l0ZWEtcGFzc3dvcmQ=" # postgresql-ha.postgresql.password is overwritten by postgresql-ha.global.postgresql.password and should not be referenced here
+  - it: "[postgresql-ha] pgpool.adminPassword is applied as expected"
+    template: charts/postgresql-ha/templates/pgpool/secrets.yaml
+    asserts:
+      - documentIndex: 0
+        equal:
+          path: data["admin-password"]
+          value: "Y3VzdG9tLXBhc3N3b3JkLXBncG9vbA=="
+  - it: "[postgresql-ha] pgpool.adminPassword is applied as expected"
+    template: charts/postgresql-ha/templates/pgpool/secrets.yaml
+    asserts:
+      - documentIndex: 0
+        equal:
+          path: data["admin-password"]
+          value: "Y3VzdG9tLXBhc3N3b3JkLXBncG9vbA=="
+  - it: "[postgresql-ha] pgpool.adminPassword is applied as expected"
+    template: charts/postgresql-ha/templates/pgpool/secrets.yaml
+    asserts:
+      - documentIndex: 0
+        equal:
+          path: data["admin-password"]
+          value: "Y3VzdG9tLXBhc3N3b3JkLXBncG9vbA=="
+  - it: "[postgresql-ha] persistence.size is applied as expected"
+    template: charts/postgresql-ha/templates/postgresql/statefulset.yaml
+    asserts:
+      - documentIndex: 0
+        equal:
+          path: spec.volumeClaimTemplates[0].spec.resources.requests.storage
+          value: "1337Mi"
+  - it: "[postgresql-ha] service.ports.postgresql is applied as expected"
+    template: charts/postgresql-ha/templates/pgpool/service.yaml
+    asserts:
+      - documentIndex: 0
+        equal:
+          path: spec.ports[0].port
+          value: 1234
+  - it: "[postgresql-ha] renders the referenced service"
+    template: charts/postgresql-ha/templates/pgpool/service.yaml
+    asserts:
+      - containsDocument:
+          kind: Service
+          apiVersion: v1
+          name: gitea-unittests-postgresql-ha-pgpool
+          namespace: testing
+  - it: "[gitea] connects to pgpool service"
+    template: templates/gitea/config.yaml
+    asserts:
+      - documentIndex: 0
+        matchRegex:
+          path: stringData.database
+          pattern: HOST=gitea-unittests-postgresql-ha-pgpool.testing.svc.cluster.local:1234
+  - it: "[gitea] connects to configured database"
+    template: templates/gitea/config.yaml
+    asserts:
+      - documentIndex: 0
+        matchRegex:
+          path: stringData.database
+          pattern: NAME=gitea-database
+      - documentIndex: 0
+        matchRegex:
+          path: stringData.database
+          pattern: USER=gitea-username
+      - documentIndex: 0
+        matchRegex:
+          path: stringData.database
+          pattern: PASSWD=gitea-password

unittests/helm/dependency-checks/customization-integrity-postgresql.yaml

@@ -0,0 +1,88 @@
+suite: Dependency checks | Customization integrity | postgresql
+release:
+  name: gitea-unittests
+  namespace: testing
+set:
+  postgresql-ha:
+    enabled: false
+  postgresql:
+    enabled: true
+    global:
+      postgresql:
+        auth:
+          password: gitea-password
+          database: gitea-database
+          username: gitea-username
+        service:
+          ports:
+            postgresql: 1234
+    primary:
+      persistence:
+        size: 1337Mi
+tests:
+  - it: "[postgresql] DB settings are applied as expected"
+    template: charts/postgresql/templates/primary/statefulset.yaml
+    asserts:
+      - documentIndex: 0
+        contains:
+          path: spec.template.spec.containers[0].env
+          content:
+            name: POSTGRES_DATABASE
+            value: "gitea-database"
+      - documentIndex: 0
+        contains:
+          path: spec.template.spec.containers[0].env
+          content:
+            name: POSTGRES_USER
+            value: "gitea-username"
+  - it: "[postgresql] DB password is applied as expected"
+    template: charts/postgresql/templates/secrets.yaml
+    asserts:
+      - documentIndex: 0
+        equal:
+          path: data["password"]
+          value: "Z2l0ZWEtcGFzc3dvcmQ="
+  - it: "[postgresql] primary.persistence.size is applied as expected"
+    template: charts/postgresql/templates/primary/statefulset.yaml
+    asserts:
+      - documentIndex: 0
+        equal:
+          path: spec.volumeClaimTemplates[0].spec.resources.requests.storage
+          value: "1337Mi"
+  - it: "[postgresql] global.postgresql.service.ports.postgresql is applied as expected"
+    template: charts/postgresql/templates/primary/svc.yaml
+    asserts:
+      - documentIndex: 0
+        equal:
+          path: spec.ports[0].port
+          value: 1234
+  - it: "[postgresql] renders the referenced service"
+    template: charts/postgresql/templates/primary/svc.yaml
+    asserts:
+      - containsDocument:
+          kind: Service
+          apiVersion: v1
+          name: gitea-unittests-postgresql
+          namespace: testing
+  - it: "[gitea] connects to postgresql service"
+    template: templates/gitea/config.yaml
+    asserts:
+      - documentIndex: 0
+        matchRegex:
+          path: stringData.database
+          pattern: HOST=gitea-unittests-postgresql.testing.svc.cluster.local:1234
+  - it: "[gitea] connects to configured database"
+    template: templates/gitea/config.yaml
+    asserts:
+      - documentIndex: 0
+        matchRegex:
+          path: stringData.database
+          pattern: NAME=gitea-database
+      - documentIndex: 0
+        matchRegex:
+          path: stringData.database
+          pattern: USER=gitea-username
+      - documentIndex: 0
+        matchRegex:
+          path: stringData.database
+          pattern: PASSWD=gitea-password

unittests/helm/dependency-checks/customization-integrity-redis-cluster.yaml

@@ -0,0 +1,90 @@
+suite: Dependency checks | Customization integrity | redis-cluster
+release:
+  name: gitea-unittests
+  namespace: testing
+set:
+  redis:
+    enabled: false
+  redis-cluster:
+    enabled: true
+    usePassword: false
+    cluster:
+      nodes: 5
+      replicas: 2
+tests:
+  - it: "[redis-cluster] configures correct nodes/replicas"
+    template: charts/redis-cluster/templates/redis-statefulset.yaml
+    asserts:
+      - documentIndex: 0
+        equal:
+          path: spec.replicas
+          value: 5
+      - documentIndex: 0
+        matchRegex:
+          path: spec.template.spec.containers[0].args[0]
+          pattern: REDIS_CLUSTER_REPLICAS="2"
+  - it: "[redis-cluster] support auth-less connections"
+    asserts:
+      - template: charts/redis-cluster/templates/secret.yaml
+        hasDocuments:
+          count: 0
+      - template: charts/redis-cluster/templates/redis-statefulset.yaml
+        documentIndex: 0
+        contains:
+          path: spec.template.spec.containers[0].env
+          content:
+            name: ALLOW_EMPTY_PASSWORD
+            value: "yes"
+  - it: "[redis-cluster] support auth-full connections"
+    set:
+      redis-cluster:
+        usePassword: true
+    asserts:
+      - template: charts/redis-cluster/templates/secret.yaml
+        containsDocument:
+          kind: Secret
+          apiVersion: v1
+          name: gitea-unittests-redis-cluster
+          namespace: testing
+      - template: charts/redis-cluster/templates/redis-statefulset.yaml
+        documentIndex: 0
+        contains:
+          path: spec.template.spec.containers[0].env
+          content:
+            name: REDISCLI_AUTH
+            valueFrom:
+              secretKeyRef:
+                name: gitea-unittests-redis-cluster
+                key: redis-password
+      - template: charts/redis-cluster/templates/redis-statefulset.yaml
+        documentIndex: 0
+        contains:
+          path: spec.template.spec.containers[0].env
+          content:
+            name: REDIS_PASSWORD
+            valueFrom:
+              secretKeyRef:
+                name: gitea-unittests-redis-cluster
+                key: redis-password
+  - it: "[redis-cluster] renders the referenced service"
+    template: charts/redis-cluster/templates/headless-svc.yaml
+    asserts:
+      - containsDocument:
+          kind: Service
+          apiVersion: v1
+          name: gitea-unittests-redis-cluster-headless
+          namespace: testing
+      - documentIndex: 0
+        contains:
+          path: spec.ports
+          content:
+            name: tcp-redis
+            port: 6379
+            targetPort: tcp-redis
+  - it: "[gitea] waits for redis-cluster to be up and running"
+    template: templates/gitea/init.yaml
+    asserts:
+      - documentIndex: 0
+        matchRegex:
+          path: stringData["configure_gitea.sh"]
+          pattern: nc -vz -w2 gitea-unittests-redis-cluster-headless.testing.svc.cluster.local 6379

unittests/helm/dependency-checks/customization-integrity-redis.yaml

@@ -0,0 +1,52 @@
+suite: Dependency checks | Customization integrity | redis
+release:
+  name: gitea-unittests
+  namespace: testing
+set:
+  redis-cluster:
+    enabled: false
+  redis:
+    enabled: true
+    architecture: standalone
+    global:
+      redis:
+        password: gitea-password
+    master:
+      count: 2
+tests:
+  - it: "[redis] configures correct 'master' nodes"
+    template: charts/redis/templates/master/application.yaml
+    asserts:
+      - documentIndex: 0
+        equal:
+          path: spec.replicas
+          value: 2
+  - it: "[redis] redis.global.redis.password is applied as expected"
+    template: charts/redis/templates/secret.yaml
+    asserts:
+      - documentIndex: 0
+        equal:
+          path: data["redis-password"]
+          value: "Z2l0ZWEtcGFzc3dvcmQ="
+  - it: "[redis] renders the referenced service"
+    template: charts/redis/templates/headless-svc.yaml
+    asserts:
+      - containsDocument:
+          kind: Service
+          apiVersion: v1
+          name: gitea-unittests-redis-headless
+          namespace: testing
+      - documentIndex: 0
+        contains:
+          path: spec.ports
+          content:
+            name: tcp-redis
+            port: 6379
+            targetPort: redis
+  - it: "[gitea] waits for redis to be up and running"
+    template: templates/gitea/init.yaml
+    asserts:
+      - documentIndex: 0
+        matchRegex:
+          path: stringData["configure_gitea.sh"]
+          pattern: nc -vz -w2 gitea-unittests-redis-headless.testing.svc.cluster.local 6379

unittests/helm/dependency-checks/major-image-bump.yaml

@@ -1,4 +1,4 @@
-suite: Dependency update consistency
+suite: Dependency checks | Major image bumps
 release:
   name: gitea-unittests
   namespace: testing
@@ -15,7 +15,7 @@ tests:
         matchRegex:
           path: spec.template.spec.containers[0].image
           # IN CASE OF AN INTENTIONAL MAJOR BUMP, ADJUST THIS TEST
-          pattern: ^docker.io/bitnami/postgresql-repmgr:16.+$
+          pattern: bitnami/postgresql-repmgr:17.+$
   - it: "[postgresql] ensures we detect major image version upgrades"
     template: charts/postgresql/templates/primary/statefulset.yaml
     set:
@@ -28,15 +28,30 @@ tests:
         matchRegex:
           path: spec.template.spec.containers[0].image
           # IN CASE OF AN INTENTIONAL MAJOR BUMP, ADJUST THIS TEST
-          pattern: ^registry-1.docker.io/bitnami/postgresql:16.+$
+          pattern: bitnami/postgresql:17.+$
   - it: "[redis-cluster] ensures we detect major image version upgrades"
     template: charts/redis-cluster/templates/redis-statefulset.yaml
     set:
       redis-cluster:
         enabled: true
+      redis:
+        enabled: false
+    asserts:
+      - documentIndex: 0
+        matchRegex:
+          path: spec.template.spec.containers[0].image
+          # IN CASE OF AN INTENTIONAL MAJOR BUMP, ADJUST THIS TEST
+          pattern: bitnami/redis-cluster:7.+$
+  - it: "[redis] ensures we detect major image version upgrades"
+    template: charts/redis/templates/master/application.yaml
+    set:
+      redis-cluster:
+        enabled: false
+      redis:
+        enabled: true
     asserts:
       - documentIndex: 0
         matchRegex:
           path: spec.template.spec.containers[0].image
           # IN CASE OF AN INTENTIONAL MAJOR BUMP, ADJUST THIS TEST
-          pattern: ^registry-1.docker.io/bitnami/redis-cluster:7.+$
+          pattern: bitnami/redis:7.+$

unittests/helm/deployment/HA.yaml

@@ -20,14 +20,14 @@ tests:
               ENABLED: true
     asserts:
       - failedTemplate:
-          errorMessage: "Invoking the garbage collector via CRON is not yet supported when running with multiple replicas. Please set 'cron.GIT_GC_REPOS.enabled = false'."
+          errorMessage: "Invoking the garbage collector via CRON is not yet supported when running with multiple replicas. Please set 'gitea.config.cron.GIT_GC_REPOS.enabled = false'."
   - it: fails with multiple replicas and RWX file system not set
     template: templates/gitea/deployment.yaml
     set:
       replicaCount: 2
     asserts:
       - failedTemplate:
-          errorMessage: "When using multiple replicas, a RWX file system is required and gitea.persistence.accessModes[0] must be set to ReadWriteMany."
+          errorMessage: "When using multiple replicas, a RWX file system is required and persistence.accessModes[0] must be set to ReadWriteMany."
   - it: fails with multiple replicas and bleve issue indexer
     template: templates/gitea/deployment.yaml
     set:

unittests/helm/deployment/basic.yaml

@@ -0,0 +1,75 @@
+suite: deployment template (basic)
+release:
+  name: gitea-unittests
+  namespace: testing
+templates:
+  - templates/gitea/deployment.yaml
+  - templates/gitea/config.yaml
+tests:
+  - it: renders a deployment
+    template: templates/gitea/deployment.yaml
+    asserts:
+      - hasDocuments:
+          count: 1
+      - containsDocument:
+          kind: Deployment
+          apiVersion: apps/v1
+          name: gitea-unittests
+  - it: deployment labels are set
+    template: templates/gitea/deployment.yaml
+    set:
+      deployment.labels:
+        hello: world
+    asserts:
+      - isSubset:
+          path: metadata.labels
+          content:
+            hello: world
+      - isSubset:
+          path: spec.template.metadata.labels
+          content:
+            hello: world
+  - it: "injects TMP_EXISTING_ENVS_FILE as environment variable to 'init-app-ini' init container"
+    template: templates/gitea/deployment.yaml
+    asserts:
+      - contains:
+          path: spec.template.spec.initContainers[1].env
+          content:
+            name: TMP_EXISTING_ENVS_FILE
+            value: /tmp/existing-envs
+  - it: "injects ENV_TO_INI_MOUNT_POINT as environment variable to 'init-app-ini' init container"
+    template: templates/gitea/deployment.yaml
+    asserts:
+      - contains:
+          path: spec.template.spec.initContainers[1].env
+          content:
+            name: ENV_TO_INI_MOUNT_POINT
+            value: /env-to-ini-mounts
+  - it: CPU resources are defined as well as GOMAXPROCS
+    template: templates/gitea/deployment.yaml
+    set:
+      resources:
+        limits:
+          cpu: 200ms
+          memory: 200Mi
+        requests:
+          cpu: 100ms
+          memory: 100Mi
+    asserts:
+      - contains:
+          path: spec.template.spec.containers[0].env
+          content:
+            name: GOMAXPROCS
+            valueFrom:
+              resourceFieldRef:
+                divisor: "1"
+                resource: limits.cpu
+      - equal:
+          path: spec.template.spec.containers[0].resources
+          value:
+            limits:
+              cpu: 200ms
+              memory: 200Mi
+            requests:
+              cpu: 100ms
+              memory: 100Mi

unittests/helm/deployment/image-configuration.yaml

@@ -14,7 +14,7 @@ tests:
     asserts:
       - equal:
           path: spec.template.spec.containers[0].image
-          value: "gitea/gitea:1.19.3-rootless"
+          value: "docker.gitea.com/gitea:1.19.3-rootless"
   - it: tag override
     template: templates/gitea/deployment.yaml
     set:
@@ -22,7 +22,7 @@ tests:
     asserts:
       - equal:
           path: spec.template.spec.containers[0].image
-          value: "gitea/gitea:1.19.4-rootless"
+          value: "docker.gitea.com/gitea:1.19.4-rootless"
   - it: root-based image
     template: templates/gitea/deployment.yaml
     set:
@@ -30,7 +30,7 @@ tests:
     asserts:
       - equal:
           path: spec.template.spec.containers[0].image
-          value: "gitea/gitea:1.19.3"
+          value: "docker.gitea.com/gitea:1.19.3"
   - it: scoped registry
     template: templates/gitea/deployment.yaml
     set:
@@ -38,7 +38,7 @@ tests:
     asserts:
       - equal:
           path: spec.template.spec.containers[0].image
-          value: "example.com/gitea/gitea:1.19.3-rootless"
+          value: "example.com/gitea:1.19.3-rootless"
   - it: global registry
     template: templates/gitea/deployment.yaml
     set:
@@ -46,7 +46,7 @@ tests:
     asserts:
       - equal:
           path: spec.template.spec.containers[0].image
-          value: "global.example.com/gitea/gitea:1.19.3-rootless"
+          value: "global.example.com/gitea:1.19.3-rootless"
   - it: digest for rootless image
     template: templates/gitea/deployment.yaml
     set:
@@ -56,12 +56,12 @@ tests:
     asserts:
       - equal:
           path: spec.template.spec.containers[0].image
-          value: "gitea/gitea:1.19.3-rootless@sha256:b28e8f3089b52ebe6693295df142f8c12eff354e9a4a5bfbb5c10f296c3a537a"
+          value: "docker.gitea.com/gitea:1.19.3-rootless@sha256:b28e8f3089b52ebe6693295df142f8c12eff354e9a4a5bfbb5c10f296c3a537a"
   - it: image fullOverride (does not append rootless)
     template: templates/gitea/deployment.yaml
     set:
       image:
-        fullOverride: gitea/gitea:1.19.3
+        fullOverride: docker.gitea.com/gitea:1.19.3
         # setting rootless, registry, repository, tag, and digest to prove that override works
         rootless: true
         registry: example.com
@@ -71,7 +71,7 @@ tests:
     asserts:
       - equal:
           path: spec.template.spec.containers[0].image
-          value: "gitea/gitea:1.19.3"
+          value: "docker.gitea.com/gitea:1.19.3"
   - it: digest for root-based image
     template: templates/gitea/deployment.yaml
     set:
@@ -81,7 +81,7 @@ tests:
     asserts:
       - equal:
           path: spec.template.spec.containers[0].image
-          value: "gitea/gitea:1.19.3@sha256:b28e8f3089b52ebe6693295df142f8c12eff354e9a4a5bfbb5c10f296c3a537a"
+          value: "docker.gitea.com/gitea:1.19.3@sha256:b28e8f3089b52ebe6693295df142f8c12eff354e9a4a5bfbb5c10f296c3a537a"
   - it: digest and global registry
     template: templates/gitea/deployment.yaml
     set:
@@ -90,4 +90,21 @@ tests:
     asserts:
       - equal:
           path: spec.template.spec.containers[0].image
-          value: "global.example.com/gitea/gitea:1.19.3-rootless@sha256:b28e8f3089b52ebe6693295df142f8c12eff354e9a4a5bfbb5c10f296c3a537a"
+          value: "global.example.com/gitea:1.19.3-rootless@sha256:b28e8f3089b52ebe6693295df142f8c12eff354e9a4a5bfbb5c10f296c3a537a"
+  - it: correctly renders floating tag references
+    template: templates/gitea/deployment.yaml
+    set:
+      image.tag: 1.21 # use non-quoted value on purpose. See: https://gitea.com/gitea/helm-gitea/issues/631
+    asserts:
+      - equal:
+          path: spec.template.spec.initContainers[0].image
+          value: "docker.gitea.com/gitea:1.21-rootless"
+      - equal:
+          path: spec.template.spec.initContainers[1].image
+          value: "docker.gitea.com/gitea:1.21-rootless"
+      - equal:
+          path: spec.template.spec.initContainers[2].image
+          value: "docker.gitea.com/gitea:1.21-rootless"
+      - equal:
+          path: spec.template.spec.containers[0].image
+          value: "docker.gitea.com/gitea:1.21-rootless"

unittests/helm/deployment/ingress-configuration.yaml

@@ -0,0 +1,47 @@
+suite: ingress template
+release:
+  name: gitea-unittests
+  namespace: testing
+templates:
+  - templates/gitea/ingress.yaml
+tests:
+  - it: hostname using TPL
+    set:
+      global.giteaHostName: "gitea.example.com"
+      ingress.enabled: true
+      ingress.hosts[0].host: "{{ .Values.global.giteaHostName }}"
+      ingress.tls:
+        - secretName: gitea-tls
+          hosts:
+            - "{{ .Values.global.giteaHostName }}"
+    asserts:
+      - isKind:
+          of: Ingress
+      - equal:
+          path: spec.tls[0].hosts[0]
+          value: "gitea.example.com"
+      - equal:
+          path: spec.rules[0].host
+          value: "gitea.example.com"
+  - it: Ingress Class using TPL
+    set:
+      global.ingress.className: "ingress-class"
+      ingress.className: "{{ .Values.global.ingress.className }}"
+      ingress.enabled: true
+      ingress.hosts[0].host: "some-host"
+      ingress.tls:
+        - secretName: gitea-tls
+          hosts:
+            - "some-host"
+    asserts:
+      - isKind:
+          of: Ingress
+      - equal:
+          path: spec.tls[0].hosts[0]
+          value: "some-host"
+      - equal:
+          path: spec.rules[0].host
+          value: "some-host"
+      - equal:
+          path: spec.ingressClassName
+          value: "ingress-class"

unittests/helm/deployment/probes.yaml

@@ -0,0 +1,188 @@
+suite: deployment template (probes)
+release:
+  name: gitea-unittests
+  namespace: testing
+templates:
+  - templates/gitea/deployment.yaml
+  - templates/gitea/config.yaml
+tests:
+  - it: renders default liveness probe
+    template: templates/gitea/deployment.yaml
+    asserts:
+      - notExists:
+          path: spec.template.spec.containers[0].livenessProbe.enabled
+      - isSubset:
+          path: spec.template.spec.containers[0].livenessProbe
+          content:
+            failureThreshold: 10
+            initialDelaySeconds: 200
+            periodSeconds: 10
+            successThreshold: 1
+            tcpSocket:
+              port: http
+            timeoutSeconds: 1
+  - it: renders default readiness probe
+    template: templates/gitea/deployment.yaml
+    asserts:
+      - notExists:
+          path: spec.template.spec.containers[0].readinessProbe.enabled
+      - isSubset:
+          path: spec.template.spec.containers[0].readinessProbe
+          content:
+            failureThreshold: 3
+            initialDelaySeconds: 5
+            periodSeconds: 10
+            successThreshold: 1
+            tcpSocket:
+              port: http
+            timeoutSeconds: 1
+  - it: does not render a default startup probe
+    template: templates/gitea/deployment.yaml
+    asserts:
+      - notExists:
+          path: spec.template.spec.containers[0].startupProbe
+  - it: allows enabling a startup probe
+    template: templates/gitea/deployment.yaml
+    set:
+      gitea.startupProbe.enabled: true
+    asserts:
+      - notExists:
+          path: spec.template.spec.containers[0].startupProbe.enabled
+      - isSubset:
+          path: spec.template.spec.containers[0].startupProbe
+          content:
+            failureThreshold: 10
+            initialDelaySeconds: 60
+            periodSeconds: 10
+            successThreshold: 1
+            tcpSocket:
+              port: http
+            timeoutSeconds: 1
+
+  - it: allows overwriting the default port of the liveness probe
+    template: templates/gitea/deployment.yaml
+    set:
+      gitea:
+        livenessProbe:
+          tcpSocket:
+            port: my-port
+    asserts:
+      - isSubset:
+          path: spec.template.spec.containers[0].livenessProbe
+          content:
+            tcpSocket:
+              port: my-port
+
+  - it: allows overwriting the default port of the readiness probe
+    template: templates/gitea/deployment.yaml
+    set:
+      gitea:
+        readinessProbe:
+          tcpSocket:
+            port: my-port
+    asserts:
+      - isSubset:
+          path: spec.template.spec.containers[0].readinessProbe
+          content:
+            tcpSocket:
+              port: my-port
+
+  - it: allows overwriting the default port of the startup probe
+    template: templates/gitea/deployment.yaml
+    set:
+      gitea:
+        startupProbe:
+          enabled: true
+          tcpSocket:
+            port: my-port
+    asserts:
+      - isSubset:
+          path: spec.template.spec.containers[0].startupProbe
+          content:
+            tcpSocket:
+              port: my-port
+
+  - it: allows using a non-default method as liveness probe
+    template: templates/gitea/deployment.yaml
+    set:
+      gitea:
+        livenessProbe:
+          httpGet:
+            path: /api/healthz
+            port: http
+          initialDelaySeconds: 13371
+          timeoutSeconds: 13372
+          periodSeconds: 13373
+          successThreshold: 13374
+          failureThreshold: 13375
+    asserts:
+      - notExists:
+          path: spec.template.spec.containers[0].livenessProbe.tcpSocket
+      - isSubset:
+          path: spec.template.spec.containers[0].livenessProbe
+          content:
+            failureThreshold: 13375
+            initialDelaySeconds: 13371
+            periodSeconds: 13373
+            successThreshold: 13374
+            httpGet:
+              path: /api/healthz
+              port: http
+            timeoutSeconds: 13372
+
+  - it: allows using a non-default method as readiness probe
+    template: templates/gitea/deployment.yaml
+    set:
+      gitea:
+        readinessProbe:
+          httpGet:
+            path: /api/healthz
+            port: http
+          initialDelaySeconds: 13371
+          timeoutSeconds: 13372
+          periodSeconds: 13373
+          successThreshold: 13374
+          failureThreshold: 13375
+    asserts:
+      - notExists:
+          path: spec.template.spec.containers[0].readinessProbe.tcpSocket
+      - isSubset:
+          path: spec.template.spec.containers[0].readinessProbe
+          content:
+            failureThreshold: 13375
+            initialDelaySeconds: 13371
+            periodSeconds: 13373
+            successThreshold: 13374
+            httpGet:
+              path: /api/healthz
+              port: http
+            timeoutSeconds: 13372
+
+  - it: allows using a non-default method as startup probe
+    template: templates/gitea/deployment.yaml
+    set:
+      gitea:
+        startupProbe:
+          enabled: true
+          httpGet:
+            path: /api/healthz
+            port: http
+          initialDelaySeconds: 13371
+          timeoutSeconds: 13372
+          periodSeconds: 13373
+          successThreshold: 13374
+          failureThreshold: 13375
+    asserts:
+      - notExists:
+          path: spec.template.spec.containers[0].startupProbe.tcpSocket
+      - isSubset:
+          path: spec.template.spec.containers[0].startupProbe
+          content:
+            failureThreshold: 13375
+            initialDelaySeconds: 13371
+            periodSeconds: 13373
+            successThreshold: 13374
+            httpGet:
+              path: /api/healthz
+              port: http
+            timeoutSeconds: 13372

unittests/helm/deployment/sidecar-container.yaml

@@ -0,0 +1,21 @@
+suite: sidecar container
+release:
+  name: gitea-unittests
+  namespace: testing
+templates:
+  - templates/gitea/deployment.yaml
+  - templates/gitea/config.yaml
+tests:
+  - it: supports adding a sidecar container
+    template: templates/gitea/deployment.yaml
+    set:
+      extraContainers:
+        - name: sidecar-bob
+          image: busybox
+    asserts:
+      - equal:
+          path: spec.template.spec.containers[1].name
+          value: "sidecar-bob"
+      - equal:
+          path: spec.template.spec.containers[1].image
+          value: "busybox"

unittests/helm/deployment/signing-enabled.yaml

@@ -28,6 +28,8 @@ tests:
           value:
             - name: GNUPGHOME
               value: /data/git/.gnupg
+            - name: TMP_RAW_GPG_KEY
+              value: /raw/private.asc
       - equal:
           path: spec.template.spec.initContainers[2].volumeMounts
           value:

unittests/helm/deployment/ssh-configuration.yaml

@@ -30,7 +30,7 @@ tests:
   - it: supports overriding SSH log level (even when image.fullOverride set)
     template: templates/gitea/deployment.yaml
     set:
-      image.fullOverride: gitea/gitea:1.19.3
+      image.fullOverride: docker.gitea.com/gitea:1.19.3
       image.rootless: false
       gitea.ssh.logLevel: "DEBUG"
     asserts:
@@ -53,7 +53,7 @@ tests:
   - it: skips SSH_LOG_LEVEL for rootless image (even when image.fullOverride set)
     template: templates/gitea/deployment.yaml
     set:
-      image.fullOverride: gitea/gitea:1.19.3
+      image.fullOverride: docker.gitea.com/gitea:1.19.3
       image.rootless: true
       gitea.ssh.logLevel: "DEBUG" # explicitly defining a non-standard level here
     asserts:

unittests/helm/deployment/svc-configuration.yaml

@@ -0,0 +1,118 @@
+suite: ssh-svc / http-svc template (Services configuration)
+release:
+  name: gitea-unittests
+  namespace: testing
+templates:
+  - templates/gitea/ssh-svc.yaml
+  - templates/gitea/http-svc.yaml
+tests:
+  - it: supports adding custom labels to ssh-svc
+    template: templates/gitea/ssh-svc.yaml
+    set:
+      service:
+        ssh:
+          labels:
+            gitea/testkey: testvalue
+    asserts:
+      - equal:
+          path: metadata.labels["gitea/testkey"]
+          value: "testvalue"
+
+  - it: keeps existing labels (ssh)
+    template: templates/gitea/ssh-svc.yaml
+    set:
+      service:
+        ssh:
+          labels: {}
+    asserts:
+      - exists:
+          path: metadata.labels["app"]
+
+  - it: supports adding custom labels to http-svc
+    template: templates/gitea/http-svc.yaml
+    set:
+      service:
+        http:
+          labels:
+            gitea/testkey: testvalue
+    asserts:
+      - equal:
+          path: metadata.labels["gitea/testkey"]
+          value: "testvalue"
+
+  - it: keeps existing labels (http)
+    template: templates/gitea/http-svc.yaml
+    set:
+      service:
+        http:
+          labels: {}
+    asserts:
+      - exists:
+          path: metadata.labels["app"]
+
+  - it: render service.ssh.loadBalancerClass if set and type is LoadBalancer
+    template: templates/gitea/ssh-svc.yaml
+    set:
+      service:
+        ssh:
+          loadBalancerClass: "example.com/class"
+          type: LoadBalancer
+          loadBalancerIP: "1.2.3.4"
+          loadBalancerSourceRanges:
+            - "1.2.3.4/32"
+            - "5.6.7.8/32"
+    asserts:
+      - equal:
+          path: spec.loadBalancerClass
+          value: "example.com/class"
+      - equal:
+          path: spec.loadBalancerIP
+          value: "1.2.3.4"
+      - equal:
+          path: spec.loadBalancerSourceRanges
+          value: ["1.2.3.4/32", "5.6.7.8/32"]
+
+  - it: does not render when loadbalancer properties are set but type is not loadBalancerClass
+    template: templates/gitea/http-svc.yaml
+    set:
+      service:
+        http:
+          type: ClusterIP
+          loadBalancerClass: "example.com/class"
+          loadBalancerIP: "1.2.3.4"
+          loadBalancerSourceRanges:
+            - "1.2.3.4/32"
+            - "5.6.7.8/32"
+    asserts:
+      - notExists:
+          path: spec.loadBalancerClass
+      - notExists:
+          path: spec.loadBalancerIP
+      - notExists:
+          path: spec.loadBalancerSourceRanges
+
+  - it: does not render loadBalancerClass by default even when type is LoadBalancer
+    template: templates/gitea/http-svc.yaml
+    set:
+      service:
+        http:
+          type: LoadBalancer
+          loadBalancerIP: "1.2.3.4"
+    asserts:
+      - notExists:
+          path: spec.loadBalancerClass
+      - equal:
+          path: spec.loadBalancerIP
+          value: "1.2.3.4"
+
+  - it: both ssh and http services exist
+    templates:
+      - templates/gitea/ssh-svc.yaml
+      - templates/gitea/http-svc.yaml
+    asserts:
+      - matchRegex:
+          path: metadata.name
+          pattern: "^gitea-unittests-(?:ssh|http)$"
+      - matchRegex:
+          path: spec.ports[0].name
+          pattern: "^(?:ssh|http)$"

unittests/helm/init/init_directory_structure.sh-rootless.yaml

@@ -15,11 +15,11 @@ tests:
     asserts:
       - equal:
           path: stringData["configure_gpg_environment.sh"]
-          value: |-
+          value: |
             #!/usr/bin/env bash
             set -eu
 
-            gpg --batch --import /raw/private.asc
+            gpg --batch --import "$TMP_RAW_GPG_KEY"
   - it: skips gpg script block for disabled signing
     asserts:
       - equal:
@@ -28,15 +28,13 @@ tests:
             #!/usr/bin/env bash
 
             set -euo pipefail
-
-            set -x
-            mkdir -p /data/git/.ssh
-            chmod -R 700 /data/git/.ssh
-            [ ! -d /data/gitea/conf ] && mkdir -p /data/gitea/conf
+            mkdir -pv /data/git/.ssh
+            chmod -Rv 700 /data/git/.ssh
+            [ ! -d /data/gitea/conf ] && mkdir -pv /data/gitea/conf
 
             # prepare temp directory structure
-            mkdir -p "${GITEA_TEMP}"
-            chmod ug+rwx "${GITEA_TEMP}"
+            mkdir -pv "${GITEA_TEMP}"
+            chmod -v ug+rwx "${GITEA_TEMP}"
   - it: adds gpg script block for enabled signing
     set:
       signing.enabled: true
@@ -51,25 +49,23 @@ tests:
             #!/usr/bin/env bash
 
             set -euo pipefail
-
-            set -x
-            mkdir -p /data/git/.ssh
-            chmod -R 700 /data/git/.ssh
-            [ ! -d /data/gitea/conf ] && mkdir -p /data/gitea/conf
+            mkdir -pv /data/git/.ssh
+            chmod -Rv 700 /data/git/.ssh
+            [ ! -d /data/gitea/conf ] && mkdir -pv /data/gitea/conf
 
             # prepare temp directory structure
-            mkdir -p "${GITEA_TEMP}"
-            chmod ug+rwx "${GITEA_TEMP}"
+            mkdir -pv "${GITEA_TEMP}"
+            chmod -v ug+rwx "${GITEA_TEMP}"
 
             if [ ! -d "${GNUPGHOME}" ]; then
-              mkdir -p "${GNUPGHOME}"
-              chmod 700 "${GNUPGHOME}"
-              chown 1000:1000 "${GNUPGHOME}"
+              mkdir -pv "${GNUPGHOME}"
+              chmod -v 700 "${GNUPGHOME}"
+              chown -v 1000:1000 "${GNUPGHOME}"
             fi
   - it: it does not chown /data even when image.fullOverride is set
     template: templates/gitea/init.yaml
     set:
-      image.fullOverride: gitea/gitea:1.20.5
+      image.fullOverride: docker.gitea.com/gitea:1.20.5
     asserts:
       - equal:
           path: stringData["init_directory_structure.sh"]
@@ -77,12 +73,10 @@ tests:
             #!/usr/bin/env bash
 
             set -euo pipefail
-
-            set -x
-            mkdir -p /data/git/.ssh
-            chmod -R 700 /data/git/.ssh
-            [ ! -d /data/gitea/conf ] && mkdir -p /data/gitea/conf
+            mkdir -pv /data/git/.ssh
+            chmod -Rv 700 /data/git/.ssh
+            [ ! -d /data/gitea/conf ] && mkdir -pv /data/gitea/conf
 
             # prepare temp directory structure
-            mkdir -p "${GITEA_TEMP}"
-            chmod ug+rwx "${GITEA_TEMP}"
+            mkdir -pv "${GITEA_TEMP}"
+            chmod -v ug+rwx "${GITEA_TEMP}"

unittests/helm/init/init_directory_structure.sh.yaml

@@ -16,11 +16,11 @@ tests:
     asserts:
       - equal:
           path: stringData["configure_gpg_environment.sh"]
-          value: |-
+          value: |
             #!/usr/bin/env bash
             set -eu
 
-            gpg --batch --import /raw/private.asc
+            gpg --batch --import "$TMP_RAW_GPG_KEY"
   - it: skips gpg script block for disabled signing
     set:
       image.rootless: false
@@ -31,17 +31,15 @@ tests:
             #!/usr/bin/env bash
 
             set -euo pipefail
-
-            set -x
-            chown 1000:1000 /data
-            mkdir -p /data/git/.ssh
-            chmod -R 700 /data/git/.ssh
-            [ ! -d /data/gitea/conf ] && mkdir -p /data/gitea/conf
+            chown -v 1000:1000 /data
+            mkdir -pv /data/git/.ssh
+            chmod -Rv 700 /data/git/.ssh
+            [ ! -d /data/gitea/conf ] && mkdir -pv /data/gitea/conf
 
             # prepare temp directory structure
-            mkdir -p "${GITEA_TEMP}"
-            chown 1000:1000 "${GITEA_TEMP}"
-            chmod ug+rwx "${GITEA_TEMP}"
+            mkdir -pv "${GITEA_TEMP}"
+            chown -v 1000:1000 "${GITEA_TEMP}"
+            chmod -v ug+rwx "${GITEA_TEMP}"
   - it: adds gpg script block for enabled signing
     set:
       image.rootless: false
@@ -57,20 +55,18 @@ tests:
             #!/usr/bin/env bash
 
             set -euo pipefail
-
-            set -x
-            chown 1000:1000 /data
-            mkdir -p /data/git/.ssh
-            chmod -R 700 /data/git/.ssh
-            [ ! -d /data/gitea/conf ] && mkdir -p /data/gitea/conf
+            chown -v 1000:1000 /data
+            mkdir -pv /data/git/.ssh
+            chmod -Rv 700 /data/git/.ssh
+            [ ! -d /data/gitea/conf ] && mkdir -pv /data/gitea/conf
 
             # prepare temp directory structure
-            mkdir -p "${GITEA_TEMP}"
-            chown 1000:1000 "${GITEA_TEMP}"
-            chmod ug+rwx "${GITEA_TEMP}"
+            mkdir -pv "${GITEA_TEMP}"
+            chown -v 1000:1000 "${GITEA_TEMP}"
+            chmod -v ug+rwx "${GITEA_TEMP}"
 
             if [ ! -d "${GNUPGHOME}" ]; then
-              mkdir -p "${GNUPGHOME}"
-              chmod 700 "${GNUPGHOME}"
-              chown 1000:1000 "${GNUPGHOME}"
+              mkdir -pv "${GNUPGHOME}"
+              chmod -v 700 "${GNUPGHOME}"
+              chown -v 1000:1000 "${GNUPGHOME}"
             fi

unittests/helm/metric-secret/metrics-secret-servicemonitor-disabled.yaml

@@ -0,0 +1,23 @@
+suite: Metrics secret template (monitoring disabled)
+release:
+  name: gitea-unittests
+  namespace: testing
+templates:
+  - templates/gitea/metrics-secret.yaml
+tests:
+  - it: renders nothing if monitoring disabled and gitea.metrics.token empty
+    set:
+      gitea.metrics.enabled: false
+      gitea.metrics.serviceMonitor.enabled: false
+      gitea.metrics.token: ""
+    asserts:
+      - hasDocuments:
+          count: 0
+  - it: renders nothing if monitoring disabled and gitea.metrics.token not empty
+    set:
+      gitea.metrics.enabled: false
+      gitea.metrics.serviceMonitor.enabled: false
+      gitea.metrics.token: "test-token"
+    asserts:
+      - hasDocuments:
+          count: 0

unittests/helm/metric-secret/metrics-secret-servicemonitor-enabled.yaml

@@ -0,0 +1,33 @@
+suite: Metrics secret template (monitoring enabled)
+release:
+  name: gitea-unittests
+  namespace: testing
+templates:
+  - templates/gitea/metrics-secret.yaml
+tests:
+  - it: renders nothing if monitoring enabled and gitea.metrics.token empty
+    set:
+      gitea.metrics.enabled: true
+      gitea.metrics.serviceMonitor.enabled: true
+      gitea.metrics.token: ""
+    asserts:
+      - hasDocuments:
+          count: 0
+  - it: renders Secret if monitoring enabled and gitea.metrics.token not empty
+    set:
+      gitea.metrics.enabled: true
+      gitea.metrics.serviceMonitor.enabled: true
+      gitea.metrics.token: "test-token"
+    asserts:
+      - hasDocuments:
+          count: 1
+      - documentIndex: 0
+        containsDocument:
+          kind: Secret
+          apiVersion: v1
+          name: gitea-unittests-metrics-secret
+      - isNotNullOrEmpty:
+          path: metadata.labels
+      - equal:
+          path: data.token
+          value: "dGVzdC10b2tlbg=="

unittests/helm/pvc/pvc-configuration.yaml

@@ -0,0 +1,19 @@
+suite: PVC template
+release:
+  name: gitea-unittests
+  namespace: testing
+templates:
+  - templates/gitea/pvc.yaml
+tests:
+  - it: Storage Class using TPL
+    set:
+      global.persistence.storageClass: "storage-class"
+      persistence.enabled: true
+      persistence.create: true
+      persistence.storageClass: "{{ .Values.global.persistence.storageClass }}"
+    asserts:
+      - isKind:
+          of: PersistentVolumeClaim
+      - equal:
+          path: spec.storageClassName
+          value: "storage-class"