ci(release): fix aws-cli installation

Signed-off-by: justusbunsi <sk.bunsenbrenner@gmail.com>

.commitlintrc.json

@@ -0,0 +1,7 @@
+{
+  "extends": ["@commitlint/config-conventional"],
+  "rules": {
+    "type-enum": [2, "always", ["feat", "fix", "chore", "docs", "style", "refactor", "test", "perf", "ci", "WIP"]],
+    "type-case": [0, "always", "lower-case"]
+  }
+}

.gitea/PULL_REQUEST_TEMPLATE.md

@@ -23,7 +23,7 @@
 ### Applicable issues
 
 <!-- Enter any applicable Issues here (You can reference an issue using #). Please remove this section if there is no referenced issue. -->
-  - fixes #
+- Fixes #
 
 ### Additional information
 
@@ -39,4 +39,6 @@
 
 - [ ] Parameters are documented in the `values.yaml` and added to the `README.md` using [readme-generator-for-helm](https://github.com/bitnami-labs/readme-generator-for-helm)
 - [ ] Breaking changes are documented in the `README.md`
-- [ ] Templating unittests are added
+- [ ] Helm templating unittests are added (required when changing anything in `templates` folder)
+- [ ] Bash unittests are added (required when changing anything in `scripts` folder)
+- [ ] All added template resources MUST render a namespace in metadata

.gitea/workflows/changelog.yml

@@ -0,0 +1,32 @@
+name: changelog
+
+on:
+  push:
+    branches:
+      - main
+
+jobs:
+  changelog:
+    runs-on: ubuntu-latest
+    container: docker.io/thegeeklab/git-sv:1.0.12
+    steps:
+      - name: install tools
+        run: |
+          apk add -q --update --no-cache nodejs curl jq sed
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - name: Generate upcoming changelog
+        run: |
+          git sv rn -o changelog.md
+          export RELEASE_NOTES=$(cat changelog.md)
+          export ISSUE_NUMBER=$(curl -s "https://gitea.com/api/v1/repos/gitea/helm-chart/issues?state=open&q=Changelog%20for%20upcoming%20version" | jq '.[].number')
+
+          echo $RELEASE_NOTES
+          JSON_DATA=$(echo "" | jq -Rs --arg title 'Changelog for upcoming version' --arg body "$(cat changelog.md)" '{title: $title, body: $body}')
+
+          if [ -z "$ISSUE_NUMBER" ]; then
+            curl -s -X POST "https://gitea.com/api/v1/repos/gitea/helm-chart/issues" -H "Authorization: token ${{ secrets.ISSUE_RW_TOKEN }}" -H "Content-Type: application/json" -d "$JSON_DATA"
+          else
+            curl -s -X PATCH "https://gitea.com/api/v1/repos/gitea/helm-chart/issues/$ISSUE_NUMBER" -H "Authorization: token ${{ secrets.ISSUE_RW_TOKEN }}" -H "Content-Type: application/json" -d "$JSON_DATA"
+          fi

.gitea/workflows/commitlint.yml

@@ -0,0 +1,19 @@
+name: commitlint
+
+on:
+  pull_request:
+    branches:
+      - "*"
+    types:
+      - opened
+      - edited
+
+jobs:
+  check-and-test:
+    runs-on: ubuntu-latest
+    container: commitlint/commitlint:19.7.1
+    steps:
+      - uses: actions/checkout@v4
+      - name: check PR title
+        run: |
+          echo "${{ gitea.event.pull_request.title }}" | commitlint --config .commitlintrc.json

.gitea/workflows/release-version.yml

@@ -7,7 +7,7 @@ on:
 
 env:
   # renovate: datasource=docker depName=alpine/helm
-  HELM_VERSION: "3.15.2"
+  HELM_VERSION: "3.17.1"
 
 jobs:
   generate-chart-publish:
@@ -31,7 +31,7 @@ jobs:
           echo "deb [arch="$(dpkg --print-architecture)" signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu "$(. /etc/os-release && echo "$VERSION_CODENAME")" stable" | tee /etc/apt/sources.list.d/docker.list > /dev/null
           apt update -y
           apt install -y python3 python3-pip apt-transport-https docker-ce-cli
-          pip install awscli
+          pip install awscli --break-system-packages
 
       - name: Import GPG key
         id: import_gpg

.gitea/workflows/test-pr.yml

@@ -7,21 +7,20 @@ on:
   push:
     branches:
       - main
-      - "renovate/**"
 
 env:
   # renovate: datasource=github-releases depName=helm-unittest/helm-unittest
-  HELM_UNITTEST_VERSION: "v0.5.1"
+  HELM_UNITTEST_VERSION: "v0.7.2"
 
 jobs:
   check-and-test:
     runs-on: ubuntu-latest
-    container: alpine/helm:3.15.2
+    container: alpine/helm:3.17.1
     steps:
       - name: install tools
         run: |
           apk update
-          apk add --update make nodejs npm yamllint
+          apk add --update bash make nodejs npm yamllint ncurses
       - uses: actions/checkout@v4
       - name: install chart dependencies
         run: helm dependency build
@@ -29,9 +28,14 @@ jobs:
         run: helm lint
       - name: template
         run: helm template --debug gitea-helm .
-      - name: unit tests
+      - name: prepare unit test environment
         run: |
           helm plugin install --version ${{ env.HELM_UNITTEST_VERSION }} https://github.com/helm-unittest/helm-unittest
+          git submodule update --init --recursive
+      - name: unit tests
+        env:
+          TERM: xterm
+        run: |
           make unittests
       - name: verify readme
         run: |

.gitmodules

@@ -0,0 +1,12 @@
+[submodule "unittests/bash/bats"]
+	path = unittests/bash/bats
+	url = https://github.com/bats-core/bats-core.git
+[submodule "unittests/bash/test_helper/bats-support"]
+	path = unittests/bash/test_helper/bats-support
+	url = https://github.com/bats-core/bats-support.git
+[submodule "unittests/bash/test_helper/bats-assert"]
+	path = unittests/bash/test_helper/bats-assert
+	url = https://github.com/bats-core/bats-assert.git
+[submodule "unittests/bash/test_helper/bats-mock"]
+	path = unittests/bash/test_helper/bats-mock
+	url = https://github.com/jasonkarns/bats-mock.git

.gitsv/config.yaml

@@ -0,0 +1,57 @@
+version: '1.1' # Configuration version.
+
+versioning:
+  update-major: [breaking] # Commit types used to bump major.
+  update-minor: [feat, perf] # Commit types used to bump minor.
+  update-patch: [build, ci, chore, fix, perf, refactor, test] # Commit types used to bump patch.
+  # When type is not present on update rules and is unknown (not mapped on commit message types);
+  # if ignore-unknown=false bump patch, if ignore-unknown=true do not bump version.
+  ignore-unknown: false
+
+tag:
+  pattern: 'v%d.%d.%d' # Pattern used to create git tag.
+  filter: '' # Enables you to filter for considerable tags using git pattern syntax.
+
+release-notes:
+  sections: # Array with each section of release note. Check template section for more information.
+    - name: Breaking Changes
+      section-type: breaking-changes
+    - name: Features # Name used on section.
+      section-type: commits # Type of the section, supported types: commits, breaking-changes.
+      commit-types: [feat, perf] # Commit types for commit section-type, one commit type cannot be in more than one section.
+    - name: Bug Fixes
+      section-type: commits
+      commit-types: [fix]
+    - name: Maintenance
+      section-type: commits
+      commit-types: [chore, refactor]
+    - name: Documentation
+      commit-types: [docs]
+      section-type: commits
+    - name: CI
+      commit-types: [ci]
+      section-type: commits
+
+branches: # Git branches config.
+  prefix: ([a-z]+\/)? # Prefix used on branch name, it should be a regex group.
+  suffix: (-.*)? # Suffix used on branch name, it should be a regex group.
+  disable-issue: false # Set true if there is no need to recover issue id from branch name.
+  skip: [] # List of branch names ignored on commit message validation.
+  skip-detached: false # Set true if a detached branch should be ignored on commit message validation.
+
+commit-message:
+  # Supported commit types.
+  types: [build, ci, chore, docs, feat, fix, perf, refactor, revert, style, test]
+  header-selector: '' # You can put in a regex here to select only a certain part of the commit message. Please define a regex group 'header'.
+  scope:
+    # Define supported scopes, if blank, scope will not be validated, if not, only scope listed will be valid.
+    # Don't forget to add "" on your list if you need to define scopes and keep it optional.
+    values: []
+  footer:
+    issue: # Use "issue: {}" if you wish to disable issue footer.
+      key: jira # Name used to define an issue on footer metadata.
+      key-synonyms: [Jira, JIRA] # Supported variations for footer metadata.
+      use-hash: false # If false, use :<space> separator. If true, use <space># separator.
+      add-value-prefix: '' # Add a prefix to issue value.
+  issue:
+    regex: '[A-Z]+-[0-9]+' # Regex for issue id.

.helmignore

@@ -5,6 +5,7 @@
 # Common VCS dirs
 .git/
 .gitignore
+.gitmodules
 .bzr/
 .bzrignore
 .hg/
@@ -31,3 +32,10 @@ Makefile
 .drone.yml
 CONTRIBUTING.md
 unittests/
+.editorconfig
+.prettierignore
+.yamllint
+CODEOWNERS
+renovate.json5
+.commitlintrc.json
+.gitsv/

.markdownlint.yaml

@@ -129,6 +129,7 @@ MD041:
 MD044:
   # List of proper names
   names:
+    - docker.gitea.com
     - Gitea
     - PostgreSQL
     - Memcached

.vscode/extensions.json

@@ -3,6 +3,7 @@
         "yzhang.markdown-all-in-one",
         "DavidAnson.vscode-markdownlint",
         "Tim-Koehler.helm-intellisense",
-        "esbenp.prettier-vscode"
+        "esbenp.prettier-vscode",
+        "jetmartin.bats"
     ]
   }

.vscode/settings.json

@@ -1,8 +1,15 @@
 {
     "yaml.schemas": {
-        "https://raw.githubusercontent.com/helm-unittest/helm-unittest/v0.5.1/schema/helm-testsuite.json": [
+        "https://raw.githubusercontent.com/helm-unittest/helm-unittest/v0.7.2/schema/helm-testsuite.json": [
             "/unittests/**/*.yaml"
         ]
     },
-    "yaml.schemaStore.enable": true
+    "yaml.schemaStore.enable": true,
+    "[bats]": {
+        "editor.tabSize": 2
+    },
+    "[shellscript]": {
+        "files.eol": "\n",
+        "editor.tabSize": 2
+    }
 }

.yamllint

@@ -5,7 +5,7 @@ ignore: |
   .yamllint
   node_modules
   templates
-
+  unittests/bash
 
 rules:
   truthy:

CONTRIBUTING.md

@@ -29,6 +29,7 @@ When submitting or updating a PR:
 - try to avoid rebases. They make code reviews for large PRs and comments much harder.
 - if applicable, use the PR template for a well-defined PR description.
 - clearly mark breaking changes.
+- format the PR title following the [conventional commits](https://www.conventionalcommits.org/en/v1.0.0/#specification) schema
 
 ## Local development & testing
 
@@ -48,16 +49,30 @@ default port-forward svc/gitea-http 3000:3000`.
 
 ### Unit tests
 
+#### Helm templating tests
+
 ```bash
 # install the unittest plugin
 $ helm plugin install https://github.com/helm-unittest/helm-unittest
 
-# run the unittests
-make unittests
+# run the Helm unittests
+make unittests-helm
 ```
 
 See [plugin documentation](https://github.com/helm-unittest/helm-unittest/blob/main/DOCUMENT.md) for usage instructions.
 
+#### Bash script tests
+
+```bash
+# setup the environment
+git submodule update --init --recursive
+
+# run the bash tests
+make unittests-bash
+```
+
+See [bats documentation](https://bats-core.readthedocs.io/en/stable/) for usage instructions.
+
 ## Release process
 
 1. Create a tag following the tagging schema

Chart.lock

@@ -1,15 +1,15 @@
 dependencies:
 - name: postgresql
   repository: oci://registry-1.docker.io/bitnamicharts
-  version: 15.5.14
+  version: 16.4.14
 - name: postgresql-ha
   repository: oci://registry-1.docker.io/bitnamicharts
-  version: 14.2.11
+  version: 15.2.3
 - name: redis-cluster
   repository: oci://registry-1.docker.io/bitnamicharts
-  version: 10.2.6
+  version: 11.4.3
 - name: redis
   repository: oci://registry-1.docker.io/bitnamicharts
-  version: 19.6.1
-digest: sha256:b67d5866d0e5c17ae77d617f11d0c598c93b90dd4703684799f6a77282d8d96d
-generated: "2024-07-07T11:54:30.9528697+02:00"
+  version: 20.8.0
+digest: sha256:ce1a2a02c3e1adb764cae42ccce1efd2d41adb5024576e6d8a92b30b8dfe67db
+generated: "2025-02-23T00:12:41.541107288Z"

Chart.yaml

@@ -3,7 +3,8 @@ name: gitea
 description: Gitea Helm chart for Kubernetes
 type: application
 version: 0.0.0
-appVersion: 1.22.0
+# renovate datasource=github-releases depName=go-gitea/gitea extractVersion=^v(?<version>.*)$
+appVersion: 1.23.4
 icon: https://gitea.com/assets/img/logo.svg
 
 keywords:
@@ -35,20 +36,20 @@ dependencies:
   # https://github.com/bitnami/charts/blob/main/bitnami/postgresql
   - name: postgresql
     repository: oci://registry-1.docker.io/bitnamicharts
-    version: 15.5.14
+    version: 16.4.14
     condition: postgresql.enabled
   # https://github.com/bitnami/charts/blob/main/bitnami/postgresql-ha/Chart.yaml
   - name: postgresql-ha
     repository: oci://registry-1.docker.io/bitnamicharts
-    version: 14.2.11
+    version: 15.2.3
     condition: postgresql-ha.enabled
   # https://github.com/bitnami/charts/blob/main/bitnami/redis-cluster/Chart.yaml
   - name: redis-cluster
     repository: oci://registry-1.docker.io/bitnamicharts
-    version: 10.2.6
+    version: 11.4.3
     condition: redis-cluster.enabled
   # https://github.com/bitnami/charts/blob/main/bitnami/redis/Chart.yaml
   - name: redis
     repository: oci://registry-1.docker.io/bitnamicharts
-    version: 19.6.1
+    version: 20.8.0
     condition: redis.enabled

Makefile

@@ -1,3 +1,5 @@
+SHELL := /usr/bin/env bash -O globstar
+
 .PHONY: prepare-environment
 prepare-environment:
 	npm install
@@ -8,8 +10,15 @@ readme: prepare-environment
 	npm run readme:lint
 
 .PHONY: unittests
-unittests:
-	helm unittest --strict -f 'unittests/**/*.yaml' -f 'unittests/dependency-major-image-check.yaml' -f 'unittests/values-conflicting-checks.yaml' ./
+unittests: unittests-helm unittests-bash
+
+.PHONY: unittests-helm
+unittests-helm:
+	helm unittest --strict -f 'unittests/helm/**/*.yaml' -f 'unittests/helm/values-conflicting-checks.yaml' ./
+
+.PHONY: unittests-bash
+unittests-bash:
+	./unittests/bash/bats/bin/bats --pretty ./unittests/bash/tests/**/*.bats
 
 .PHONY: helm
 update-helm-dependencies:

README.md

@@ -8,6 +8,7 @@
   - [Dependency Versioning](#dependency-versioning)
 - [Installing](#installing)
 - [High Availability](#high-availability)
+- [Limit resources](#limit-resources)
 - [Configuration](#configuration)
   - [Default Configuration](#default-configuration)
     - [Database defaults](#database-defaults)
@@ -30,6 +31,7 @@
   - [OAuth2 Settings](#oauth2-settings)
 - [Configure commit signing](#configure-commit-signing)
 - [Metrics and profiling](#metrics-and-profiling)
+  - [Secure Metrics Endpoint](#secure-metrics-endpoint)
 - [Pod annotations](#pod-annotations)
 - [Themes](#themes)
 - [Renovate](#renovate)
@@ -45,6 +47,7 @@
   - [Persistence](#persistence-1)
   - [Init](#init)
   - [Signing](#signing)
+  - [Gitea Actions](#gitea-actions)
   - [Gitea](#gitea)
   - [LivenessProbe](#livenessprobe)
   - [ReadinessProbe](#readinessprobe)
@@ -137,6 +140,12 @@ Alternatively, the chart can also be installed from Dockerhub (since v9.6.0)
 helm install gitea oci://registry-1.docker.io/giteacharts/gitea
 ```
 
+To avoid potential Dockerhub rate limits, the chart can also be installed via [docker.gitea.com](https://blog.gitea.com/docker-registry-update/) (since v9.6.0)
+
+```sh
+helm install gitea oci://docker.gitea.com/charts/gitea
+```
+
 When upgrading, please refer to the [Upgrading](#upgrading) section at the bottom of this document for major and breaking changes.
 
 ## High Availability
@@ -147,6 +156,44 @@ Care must be taken for production use as not all implementation details of Gitea
 Deploying a HA-ready Gitea instance requires some effort including using HA-ready dependencies.
 See the [HA Setup](docs/ha-setup.md) document for more details.
 
+## Limit resources
+
+If the application is deployed with a CPU resource limit, Prometheus may throw a CPU throttling warning for the
+application. This has more or less to do with the fact that the application finds the number of CPUs of the host, but
+cannot use the available CPU time to perform computing operations.
+
+The application must be informed that despite several CPUs only a part (limit) of the available computing time is
+available. As this is a Golang application, this can be implemented using `GOMAXPROCS`. The following example is one way
+of defining `GOMAXPROCS` automatically based on the defined CPU limit like `1000m`. Please keep in mind, that the CFS
+rate of `100ms` - default on each kubernetes node, is also very important to avoid CPU throttling.
+
+Further information about this topic can be found [here](https://kanishk.io/posts/cpu-throttling-in-containerized-go-apps/).
+
+> [!NOTE]
+> The environment variable `GOMAXPROCS` is set automatically, when a CPU limit is defined. An explicit configuration is
+> not anymore required.
+>
+> Please note that a CPU limit < `1000m` can also lead to CPU throttling. Please read the linked documentation carefully.
+
+```yaml
+deployment:
+  env:
+  # Will be automatically defined!
+  - name: GOMAXPROCS
+    valueFrom:
+      resourceFieldRef:
+        divisor: "1" # Is required for GitDevOps systems like ArgoCD/Flux. Otherwise throw the system a diff error. (k8s-default=1)
+        resource: limits.cpu
+
+resources:
+  limits:
+    cpu: 1000m
+    memory: 512Mi
+  requests:
+    cpu: 100m
+    memory: 512Mi
+```
+
 ## Configuration
 
 Gitea offers lots of configuration options.
@@ -420,6 +467,9 @@ gitea:
 
 postgresql:
   enabled: false
+
+postgresql-ha:
+  enabled: false
 ```
 
 ### Ports and external url
@@ -498,6 +548,9 @@ redis-cluster:
   enabled: true
 ```
 
+⚠️ The redis charts [do not work well with special characters in the password](https://gitea.com/gitea/helm-chart/issues/690).
+Consider omitting such or open an issue in the Bitnami repo and let us know once this got fixed.
+
 ### Persistence
 
 Gitea will be deployed as a deployment.
@@ -531,7 +584,7 @@ You can interact with the postgres settings as displayed in the following exampl
 postgresql:
   persistence:
     enabled: true
-    claimName: MyAwesomeGiteaPostgresClaim
+    existingClaim: MyAwesomeGiteaPostgresClaim
 ```
 
 ### Admin User
@@ -740,6 +793,21 @@ gitea:
       ENABLE_PPROF: true
 ```
 
+### Secure Metrics Endpoint
+
+Metrics endpoint `/metrics` can be secured by using `Bearer` token authentication.
+
+**Note:** Providing non-empty `TOKEN` value will also require authentication for `ServiceMonitor`.
+
+```yaml
+gitea:
+  metrics:
+    token: "secure-token"
+    enabled: true
+    serviceMonitor:
+      enabled: true
+```
+
 ## Pod annotations
 
 Annotations can be added to the Gitea pod.
@@ -850,11 +918,12 @@ To comply with the Gitea helm chart definition of the digest parameter, a "custo
 ### Global
 
 | Name                      | Description                                                                                    | Value |
-| ------------------------- | ------------------------------------------------------------------------- | ----- |
+| ------------------------- | ---------------------------------------------------------------------------------------------- | ----- |
 | `global.imageRegistry`    | global image registry override                                                                 | `""`  |
 | `global.imagePullSecrets` | global image pull secrets override; can be extended by `imagePullSecrets`                      | `[]`  |
 | `global.storageClass`     | global storage class override                                                                  | `""`  |
 | `global.hostAliases`      | global hostAliases which will be added to the pod's hosts files                                | `[]`  |
+| `namespace`               | An explicit namespace to deploy Gitea into. Defaults to the release namespace if not specified | `""`  |
 | `replicaCount`            | number of replicas for the deployment                                                          | `1`   |
 
 ### strategy
@@ -869,9 +938,9 @@ To comply with the Gitea helm chart definition of the digest parameter, a "custo
 ### Image
 
 | Name                 | Description                                                                                                                                                      | Value              |
-| -------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------- |
-| `image.registry`     | image registry, e.g. gcr.io,docker.io                                                                                                                            | `""`           |
-| `image.repository`   | Image to start for this pod                                                                                                                                      | `gitea/gitea`  |
+| -------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------ |
+| `image.registry`     | image registry, e.g. gcr.io,docker.io                                                                                                                            | `docker.gitea.com` |
+| `image.repository`   | Image to start for this pod                                                                                                                                      | `gitea`            |
 | `image.tag`          | Visit: [Image tag](https://hub.docker.com/r/gitea/gitea/tags?page=1&ordering=last_updated). Defaults to `appVersion` within Chart.yaml.                          | `""`               |
 | `image.digest`       | Image digest. Allows to pin the given image tag. Useful for having control over mutable tags like `latest`                                                       | `""`               |
 | `image.pullPolicy`   | Image pull policy                                                                                                                                                | `IfNotPresent`     |
@@ -904,6 +973,7 @@ To comply with the Gitea helm chart definition of the digest parameter, a "custo
 | `service.http.loadBalancerSourceRanges` | Source range filter for http loadbalancer                                                                                                                                                            | `[]`        |
 | `service.http.annotations`              | HTTP service annotations                                                                                                                                                                             | `{}`        |
 | `service.http.labels`                   | HTTP service additional labels                                                                                                                                                                       | `{}`        |
+| `service.http.loadBalancerClass`        | Loadbalancer class                                                                                                                                                                                   | `nil`       |
 | `service.ssh.type`                      | Kubernetes service type for ssh traffic                                                                                                                                                              | `ClusterIP` |
 | `service.ssh.port`                      | Port number for ssh traffic                                                                                                                                                                          | `22`        |
 | `service.ssh.clusterIP`                 | ClusterIP setting for ssh autosetup for deployment is None                                                                                                                                           | `None`      |
@@ -917,6 +987,7 @@ To comply with the Gitea helm chart definition of the digest parameter, a "custo
 | `service.ssh.loadBalancerSourceRanges`  | Source range filter for ssh loadbalancer                                                                                                                                                             | `[]`        |
 | `service.ssh.annotations`               | SSH service annotations                                                                                                                                                                              | `{}`        |
 | `service.ssh.labels`                    | SSH service additional labels                                                                                                                                                                        | `{}`        |
+| `service.ssh.loadBalancerClass`         | Loadbalancer class                                                                                                                                                                                   | `nil`       |
 
 ### Ingress
 
@@ -974,6 +1045,7 @@ To comply with the Gitea helm chart definition of the digest parameter, a "custo
 | `persistence.storageClass`                        | Name of the storage class to use                                                                      | `nil`                  |
 | `persistence.subPath`                             | Subdirectory of the volume to mount at                                                                | `nil`                  |
 | `persistence.volumeName`                          | Name of persistent volume in PVC                                                                      | `""`                   |
+| `extraContainers`                                 | Additional sidecar containers to run in the pod                                                       | `[]`                   |
 | `extraVolumes`                                    | Additional volumes to mount to the Gitea deployment                                                   | `[]`                   |
 | `extraContainerVolumeMounts`                      | Mounts that are only mapped into the Gitea runtime/main container, to e.g. override custom templates. | `[]`                   |
 | `extraInitVolumeMounts`                           | Mounts that are only mapped into the init-containers. Can be used for additional preconfiguration.    | `[]`                   |
@@ -997,17 +1069,61 @@ To comply with the Gitea helm chart definition of the digest parameter, a "custo
 | `signing.privateKey`     | Inline private gpg key for signed internal Git activity           | `""`               |
 | `signing.existingSecret` | Use an existing secret to store the value of `signing.privateKey` | `""`               |
 
+### Gitea Actions
+
+| Name                                              | Description                                                                                                                                 | Value                          |
+| ------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------ |
+| `actions.enabled`                                 | Create an act runner StatefulSet.                                                                                                           | `false`                        |
+| `actions.init.image.repository`                   | The image used for the init containers                                                                                                      | `busybox`                      |
+| `actions.init.image.tag`                          | The image tag used for the init containers                                                                                                  | `1.37.0`                       |
+| `actions.statefulset.annotations`                 | Act runner annotations                                                                                                                      | `{}`                           |
+| `actions.statefulset.labels`                      | Act runner labels                                                                                                                           | `{}`                           |
+| `actions.statefulset.resources`                   | Act runner resources                                                                                                                        | `{}`                           |
+| `actions.statefulset.nodeSelector`                | NodeSelector for the statefulset                                                                                                            | `{}`                           |
+| `actions.statefulset.tolerations`                 | Tolerations for the statefulset                                                                                                             | `[]`                           |
+| `actions.statefulset.affinity`                    | Affinity for the statefulset                                                                                                                | `{}`                           |
+| `actions.statefulset.extraVolumes`                | Extra volumes for the statefulset                                                                                                           | `[]`                           |
+| `actions.statefulset.actRunner.repository`        | The Gitea act runner image                                                                                                                  | `gitea/act_runner`             |
+| `actions.statefulset.actRunner.tag`               | The Gitea act runner tag                                                                                                                    | `0.2.11`                       |
+| `actions.statefulset.actRunner.pullPolicy`        | The Gitea act runner pullPolicy                                                                                                             | `IfNotPresent`                 |
+| `actions.statefulset.actRunner.extraVolumeMounts` | Allows mounting extra volumes in the act runner container                                                                                   | `[]`                           |
+| `actions.statefulset.actRunner.config`            | Act runner custom configuration. See [Act Runner documentation](https://docs.gitea.com/usage/actions/act-runner#configuration) for details. | `Too complex. See values.yaml` |
+| `actions.statefulset.dind.repository`             | The Docker-in-Docker image                                                                                                                  | `docker`                       |
+| `actions.statefulset.dind.tag`                    | The Docker-in-Docker image tag                                                                                                              | `25.0.2-dind`                  |
+| `actions.statefulset.dind.pullPolicy`             | The Docker-in-Docker pullPolicy                                                                                                             | `IfNotPresent`                 |
+| `actions.statefulset.dind.extraVolumeMounts`      | Allows mounting extra volumes in the Docker-in-Docker container                                                                             | `[]`                           |
+| `actions.statefulset.dind.extraEnvs`              | Allows adding custom environment variables, such as `DOCKER_IPTABLES_LEGACY`                                                                | `[]`                           |
+| `actions.provisioning.enabled`                    | Create a job that will create and save the token in a Kubernetes Secret                                                                     | `false`                        |
+| `actions.provisioning.annotations`                | Job's annotations                                                                                                                           | `{}`                           |
+| `actions.provisioning.labels`                     | Job's labels                                                                                                                                | `{}`                           |
+| `actions.provisioning.resources`                  | Job's resources                                                                                                                             | `{}`                           |
+| `actions.provisioning.nodeSelector`               | NodeSelector for the job                                                                                                                    | `{}`                           |
+| `actions.provisioning.tolerations`                | Tolerations for the job                                                                                                                     | `[]`                           |
+| `actions.provisioning.affinity`                   | Affinity for the job                                                                                                                        | `{}`                           |
+| `actions.provisioning.ttlSecondsAfterFinished`    | ttl for the job after finished in order to allow helm to properly recognize that the job completed                                          | `300`                          |
+| `actions.provisioning.publish.repository`         | The image that can create the secret via kubectl                                                                                            | `bitnami/kubectl`              |
+| `actions.provisioning.publish.tag`                | The publish image tag that can create the secret                                                                                            | `1.29.0`                       |
+| `actions.provisioning.publish.pullPolicy`         | The publish image pullPolicy that can create the secret                                                                                     | `IfNotPresent`                 |
+| `actions.existingSecret`                          | Secret that contains the token                                                                                                              | `""`                           |
+| `actions.existingSecretKey`                       | Secret key                                                                                                                                  | `""`                           |
+
 ### Gitea
 
 | Name                                         | Description                                                                                                                    | Value                |
-| -------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------- | -------------------- |
+| -------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------ | -------------------- |
 | `gitea.admin.username`                       | Username for the Gitea admin user                                                                                              | `gitea_admin`        |
 | `gitea.admin.existingSecret`                 | Use an existing secret to store admin user credentials                                                                         | `nil`                |
 | `gitea.admin.password`                       | Password for the Gitea admin user                                                                                              | `r8sA8CPHD9!bt6d`    |
 | `gitea.admin.email`                          | Email for the Gitea admin user                                                                                                 | `gitea@local.domain` |
 | `gitea.admin.passwordMode`                   | Mode for how to set/update the admin user password. Options are: initialOnlyNoReset, initialOnlyRequireReset, and keepUpdated  | `keepUpdated`        |
 | `gitea.metrics.enabled`                      | Enable Gitea metrics                                                                                                           | `false`              |
-| `gitea.metrics.serviceMonitor.enabled` | Enable Gitea metrics service monitor                                                                                          | `false`              |
+| `gitea.metrics.token`                        | used for `bearer` token authentication on metrics endpoint. If not specified or empty metrics endpoint is public.              | `nil`                |
+| `gitea.metrics.serviceMonitor.enabled`       | Enable Gitea metrics service monitor. Requires, that `gitea.metrics.enabled` is also set to true, to enable metrics generally. | `false`              |
+| `gitea.metrics.serviceMonitor.interval`      | Interval at which metrics should be scraped. If not specified Prometheus' global scrape interval is used.                      | `""`                 |
+| `gitea.metrics.serviceMonitor.relabelings`   | RelabelConfigs to apply to samples before scraping.                                                                            | `[]`                 |
+| `gitea.metrics.serviceMonitor.scheme`        | HTTP scheme to use for scraping. For example `http` or `https`. Default is http.                                               | `""`                 |
+| `gitea.metrics.serviceMonitor.scrapeTimeout` | Timeout after which the scrape is ended. If not specified, global Prometheus scrape timeout is used.                           | `""`                 |
+| `gitea.metrics.serviceMonitor.tlsConfig`     | TLS configuration to use when scraping the metric endpoint by Prometheus.                                                      | `{}`                 |
 | `gitea.ldap`                                 | LDAP configuration                                                                                                             | `[]`                 |
 | `gitea.oauth`                                | OAuth configuration                                                                                                            | `[]`                 |
 | `gitea.config.server.SSH_PORT`               | SSH port for rootlful Gitea image                                                                                              | `22`                 |
@@ -1088,7 +1204,7 @@ Redis and [Redis cluster](#redis-cluster) cannot be enabled at the same time.
 | `postgresql-ha.postgresql.postgresPassword` | postgres Password                                                | `changeme1` |
 | `postgresql-ha.pgpool.adminPassword`        | pgpool adminPassword                                             | `changeme3` |
 | `postgresql-ha.service.ports.postgresql`    | PostgreSQL service port (overrides `service.ports.postgresql`)   | `5432`      |
-| `postgresql-ha.primary.persistence.size`    | PVC Storage Request for PostgreSQL HA volume                     | `10Gi`      |
+| `postgresql-ha.persistence.size`            | PVC Storage Request for PostgreSQL HA volume                     | `10Gi`      |
 
 ### PostgreSQL
 
@@ -1125,6 +1241,28 @@ If you miss this, blindly upgrading may delete your Postgres instance and you ma
 
 <details>
 
+<summary>To 11.0.0</summary>
+
+<!-- prettier-ignore-start -->
+<!-- markdownlint-disable-next-line -->
+**Breaking changes**
+<!-- prettier-ignore-end -->
+
+- Update Gitea to 1.23.x (review the [1.23 release blog post](https://blog.gitea.com/release-of-1.23.0/) for all application breaking changes)
+- Update PostgreSQL sub-chart dependencies to appVersion 17.x
+- Update Redis sub-chart to version 20.x (appVersion 7.4)
+  Although there are no breaking changes in the Redis Chart itself, it updates Redis from `7.2` to `7.4`. We recommend checking the release notes:
+  - [Redis Chart release notes (starting with v20.0.0)](https://github.com/bitnami/charts/blob/HEAD/bitnami/redis/CHANGELOG.md#2000-2024-08-09).
+  - [Redis 7.4 release notes](https://raw.githubusercontent.com/redis/redis/7.4/00-RELEASENOTES).
+- Update Redis Cluster sub-chart to version 11.x (appVersion 7.4)
+  Although there are no breaking changes in the Redis Chart itself, it updates Redis from `7.2` to `7.4`. We recommend checking the release notes:
+  - [Redis Chart release notes (starting with v11.0.0)](https://github.com/bitnami/charts/blob/HEAD/bitnami/redis-cluster/CHANGELOG.md#1100-2024-08-09).
+  - [Redis 7.4 release notes](https://raw.githubusercontent.com/redis/redis/7.4/00-RELEASENOTES).
+
+</details>
+
+<details>
+
 <summary>To 10.0.0</summary>
 
 <!-- prettier-ignore-start -->

docs/actions-dev.md

@@ -0,0 +1,34 @@
+# Gitea Actions
+
+In order to use the Gitea Actions act-runner you must either:
+
+- enable persistence (used for automatic deployment to be able to store the token in a place accessible for the Job)
+- create a secret containing the act runner token and reference it as a `existingSecret`
+
+In order to use Gitea Actions, you must log on the server that's running Gitea and run the command:
+    `gitea actions generate-runner-token`
+
+This command will out a token that is needed by the act-runner to register with the Gitea backend.
+
+Because this is a manual operation, we automated this using a Kubernetes Job using the following containers:
+
+1) `actions-token-create`: it uses the current `gitea-rootless` image, mounts the persistent directory to `/data/` then it saves the output from `gitea actions generate-runner-token` to `/data/actions/token`
+2) `actions-token-upload`: it uses a `bitnami/kubectl` image, mounts the scripts directory (`/scripts`) and
+the persistent directory (`/data/`), and using the script from `/scripts/token.sh` stores the token in a Kubernetes secret
+
+After the token is stored in a Kubernetes secret we can create the statefulset that contains the following containers:
+
+1) `act-runner`: authenticates with Gitea using the token that was stored in the secret
+2) `dind`: DockerInDocker image that is used to run the actions
+
+If you are not using persistent volumes, you cannot use the Job to automatically generate the token.
+In this case, you can use either the Web UI to generate the token or run a shell into a Gitea pod and invoke
+the command `gitea actions generate-runner-token`. After generating the token, you must create a secret and use it via:
+
+```yaml
+actions:
+  provisioning:
+    enabled: false
+  existingSecret: "secret-name"
+  existingSecretKey: "secret-key"
+```

package.json

@@ -14,6 +14,6 @@
   },
   "devDependencies": {
     "@bitnami/readme-generator-for-helm": "^2.5.0",
-    "markdownlint-cli": "^0.41.0"
+    "markdownlint-cli": "^0.44.0"
   }
 }

renovate.json5

@@ -9,7 +9,13 @@
   labels: [
     'kind/dependency',
   ],
+  "digest": {
+    "automerge": true
+  },
   automergeStrategy: 'squash',
+  'git-submodules': {
+    'enabled': true
+  },
   customManagers: [
     {
       description: 'Gitea-version of https://docs.renovatebot.com/presets-regexManagers/#regexmanagersgithubactionsversions',
@@ -30,6 +36,14 @@
       ],
       datasourceTemplate: 'github-releases',
     },
+    {
+      'description': 'Automatically detect new Gitea releases',
+      'customType': 'regex',
+      'fileMatch': ['(^|/)Chart\\.yaml$'],
+      'matchStrings': [
+        '# renovate datasource=(?<datasource>\\S+) depName=(?<depName>\\S+) extractVersion=(?<extractVersion>\\S+)\\nappVersion:\\s?(?<currentValue>\\S+)\\n',
+      ],
+    },
   ],
   packageRules: [
     {
@@ -55,6 +69,39 @@
         'patch',
         'digest',
       ],
+      matchFileNames: [
+        '!Chart.yaml',
+      ],
+    },
+    {
+      description: 'Update README.md on changes in values.yaml',
+      matchManagers: [
+        'helm-values',
+      ],
+      postUpgradeTasks: {
+        commands: [
+          'install-tool node',
+          'make readme',
+        ],
+        fileFilters: [
+          'README.md',
+        ],
+        executionMode: 'update',
+      },
+    },
+    {
+      description: 'Override changelog url for Helm image, to have release notes in our PRs',
+      matchDepNames: [
+        'alpine/helm',
+      ],
+      changelogUrl: 'https://github.com/helm/helm',
+    },
+    {
+      description: 'Bump Gitea as fast as possible - not only on weekends',
+      matchDepNames: [
+        'go-gitea/gitea',
+      ],
+      schedule: ['at any time'],
     },
   ],
 }

scripts/act_runner/token.sh

@@ -0,0 +1,43 @@
+#!/bin/sh
+
+set -eu
+
+timeout_delay=15
+
+check_token() {
+  set +e
+
+  echo "Checking for existing token..."
+  token="$(kubectl get secret "$SECRET_NAME" -o jsonpath="{.data['token']}" 2> /dev/null)"
+  [ $? -ne 0 ] && return 1
+  [ -z "$token" ] && return 2
+  return 0
+}
+
+create_token() {
+  echo "Waiting for new token to be generated..."
+  begin=$(date +%s)
+  end=$((begin + timeout_delay))
+  while true; do
+    [ -f /data/actions/token ] && return 0
+    [ "$(date +%s)" -gt $end ] && return 1
+    sleep 5
+  done
+}
+
+store_token() {
+  echo "Storing the token in Kubernetes secret..."
+  kubectl patch secret "$SECRET_NAME" -p "{\"data\":{\"token\":\"$(base64 /data/actions/token | tr -d '\n')\"}}"
+}
+
+if check_token; then
+  echo "Key already in place, exiting."
+  exit
+fi
+
+if ! create_token; then
+  echo "Checking for an existing act runner token in secret $SECRET_NAME timed out after $timeout_delay"
+  exit 1
+fi
+
+store_token

scripts/init-containers/config/config_environment.sh

@@ -0,0 +1,154 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+function env2ini::log() {
+  printf "${1}\n"
+}
+
+function env2ini::read_config_to_env() {
+  local section="${1}"
+  local line="${2}"
+
+  if [[ -z "${line}" ]]; then
+    # skip empty line
+    return
+  fi
+
+  # 'xargs echo -n' trims all leading/trailing whitespaces and a trailing new line
+  local setting="$(awk -F '=' '{print $1}' <<< "${line}" | xargs echo -n)"
+
+  if [[ -z "${setting}" ]]; then
+    env2ini::log '  ! invalid setting'
+    exit 1
+  fi
+
+  local value=''
+  local regex="^${setting}(\s*)=(\s*)(.*)"
+  if [[ $line =~ $regex ]]; then
+    value="${BASH_REMATCH[3]}"
+  else
+    env2ini::log '  ! invalid setting'
+    exit 1
+  fi
+
+  env2ini::log "    + '${setting}'"
+
+  if [[ -z "${section}" ]]; then
+    export "GITEA____${setting^^}=${value}"                           # '^^' makes the variable content uppercase
+    return
+  fi
+
+  local masked_section="${section//./_0X2E_}"                            # '//' instructs to replace all matches
+  masked_section="${masked_section//-/_0X2D_}"
+
+  export "GITEA__${masked_section^^}__${setting^^}=${value}"        # '^^' makes the variable content uppercase
+}
+
+function env2ini::reload_preset_envs() {
+  env2ini::log "Reloading preset envs..."
+
+  while read -r line; do
+    if [[ -z "${line}" ]]; then
+      # skip empty line
+      return
+    fi
+
+    # 'xargs echo -n' trims all leading/trailing whitespaces and a trailing new line
+    local setting="$(awk -F '=' '{print $1}' <<< "${line}" | xargs echo -n)"
+
+    if [[ -z "${setting}" ]]; then
+      env2ini::log '  ! invalid setting'
+      exit 1
+    fi
+
+    local value=''
+    local regex="^${setting}(\s*)=(\s*)(.*)"
+    if [[ $line =~ $regex ]]; then
+      value="${BASH_REMATCH[3]}"
+    else
+      env2ini::log '  ! invalid setting'
+      exit 1
+    fi
+
+    env2ini::log "  + '${setting}'"
+
+    export "${setting^^}=${value}"                           # '^^' makes the variable content uppercase
+  done < "$TMP_EXISTING_ENVS_FILE"
+
+  rm $TMP_EXISTING_ENVS_FILE
+}
+
+
+function env2ini::process_config_file() {
+  local config_file="${1}"
+  local section="$(basename "${config_file}")"
+
+  if [[ $section == '_generals_' ]]; then
+    env2ini::log "  [ini root]"
+    section=''
+  else
+    env2ini::log "  ${section}"
+  fi
+
+  while read -r line; do
+    env2ini::read_config_to_env "${section}" "${line}"
+  done < <(awk 1 "${config_file}")                             # Helm .toYaml trims the trailing new line which breaks line processing; awk 1 ... adds it back while reading
+}
+
+function env2ini::load_config_sources() {
+  local path="${1}"
+
+  if [[ -d "${path}" ]]; then
+    env2ini::log "Processing $(basename "${path}")..."
+
+    while read -d '' configFile; do
+      env2ini::process_config_file "${configFile}"
+    done < <(find "${path}" -type l -not -name '..data' -print0)
+
+    env2ini::log "\n"
+  fi
+}
+
+function env2ini::generate_initial_secrets() {
+  # These environment variables will either be
+  #   - overwritten with user defined values,
+  #   - initially used to set up Gitea
+  # Anyway, they won't harm existing app.ini files
+
+  export GITEA__SECURITY__INTERNAL_TOKEN=$(gitea generate secret INTERNAL_TOKEN)
+  export GITEA__SECURITY__SECRET_KEY=$(gitea generate secret SECRET_KEY)
+  export GITEA__OAUTH2__JWT_SECRET=$(gitea generate secret JWT_SECRET)
+  export GITEA__SERVER__LFS_JWT_SECRET=$(gitea generate secret LFS_JWT_SECRET)
+
+  env2ini::log "...Initial secrets generated\n"
+}
+
+# save existing envs prior to script execution. Necessary to keep order of preexisting and custom envs
+env | (grep -e '^GITEA__' || [[ $? == 1 ]]) > $TMP_EXISTING_ENVS_FILE
+
+# MUST BE CALLED BEFORE OTHER CONFIGURATION
+env2ini::generate_initial_secrets
+
+env2ini::load_config_sources "$ENV_TO_INI_MOUNT_POINT/inlines/"
+env2ini::load_config_sources "$ENV_TO_INI_MOUNT_POINT/additionals/"
+
+# load existing envs to override auto generated envs
+env2ini::reload_preset_envs
+
+env2ini::log "=== All configuration sources loaded ===\n"
+
+# safety to prevent rewrite of secret keys if an app.ini already exists
+if [ -f ${GITEA_APP_INI} ]; then
+  env2ini::log 'An app.ini file already exists. To prevent overwriting secret keys, these settings are dropped and remain unchanged:'
+  env2ini::log '  - security.INTERNAL_TOKEN'
+  env2ini::log '  - security.SECRET_KEY'
+  env2ini::log '  - oauth2.JWT_SECRET'
+  env2ini::log '  - server.LFS_JWT_SECRET'
+
+  unset GITEA__SECURITY__INTERNAL_TOKEN
+  unset GITEA__SECURITY__SECRET_KEY
+  unset GITEA__OAUTH2__JWT_SECRET
+  unset GITEA__SERVER__LFS_JWT_SECRET
+fi
+
+environment-to-ini -o $GITEA_APP_INI

scripts/init-containers/init/configure_gpg_environment.sh

@@ -0,0 +1,4 @@
+#!/usr/bin/env bash
+set -eu
+
+gpg --batch --import "$TMP_RAW_GPG_KEY"

templates/_helpers.tpl

@@ -25,6 +25,13 @@ If release name contains chart name it will be used as a full name.
 {{- end -}}
 {{- end -}}
 
+{{/*
+Create a default worker name.
+*/}}
+{{- define "gitea.workername" -}}
+{{- printf "%s-%s" .global.Release.Name .worker | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
 {{/*
 Create chart name and version as used by the chart label.
 */}}
@@ -92,6 +99,15 @@ version: {{ .Values.image.tag | default .Chart.AppVersion | quote }}
 app.kubernetes.io/managed-by: {{ .Release.Service }}
 {{- end -}}
 
+{{- define "gitea.labels.actRunner" -}}
+helm.sh/chart: {{ include "gitea.chart" . }}
+app: {{ include "gitea.name" . }}-act-runner
+{{ include "gitea.selectorLabels.actRunner" . }}
+app.kubernetes.io/version: {{ .Values.image.tag | default .Chart.AppVersion | quote }}
+version: {{ .Values.image.tag | default .Chart.AppVersion | quote }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end -}}
+
 {{/*
 Selector labels
 */}}
@@ -100,6 +116,11 @@ app.kubernetes.io/name: {{ include "gitea.name" . }}
 app.kubernetes.io/instance: {{ .Release.Name }}
 {{- end -}}
 
+{{- define "gitea.selectorLabels.actRunner" -}}
+app.kubernetes.io/name: {{ include "gitea.name" . }}-act-runner
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end -}}
+
 {{- define "postgresql-ha.dns" -}}
 {{- if (index .Values "postgresql-ha").enabled -}}
 {{- printf "%s-postgresql-ha-pgpool.%s.svc.%s:%g" .Release.Name .Release.Namespace .Values.clusterDomain (index .Values "postgresql-ha" "service" "ports" "postgresql") -}}
@@ -199,6 +220,15 @@ https
 {{- end -}}
 {{- end -}}
 
+{{- define "gitea.act_runner.local_root_url" -}}
+{{- if not .Values.gitea.config.server.LOCAL_ROOT_URL -}}
+    {{- printf "http://%s-http:%.0f" (include "gitea.fullname" .) .Values.service.http.port -}}
+{{- else -}}
+  {{/* fallback for allowing to overwrite this value via inline config */}}
+  {{- .Values.gitea.config.server.LOCAL_ROOT_URL -}}
+{{- end -}}
+{{- end -}}
+
 {{- define "gitea.inline_configuration" -}}
   {{- include "gitea.inline_configuration.init" . -}}
   {{- include "gitea.inline_configuration.defaults" . -}}
@@ -263,6 +293,9 @@ https
   {{- if not (hasKey .Values.gitea.config "indexer") -}}
     {{- $_ := set .Values.gitea.config "indexer" dict -}}
   {{- end -}}
+  {{- if not (hasKey .Values.gitea.config "actions") -}}
+    {{- $_ := set .Values.gitea.config "actions" dict -}}
+  {{- end -}}
 {{- end -}}
 
 {{- define "gitea.inline_configuration.defaults" -}}
@@ -278,6 +311,9 @@ https
   {{- if not (hasKey .Values.gitea.config.metrics "ENABLED") -}}
     {{- $_ := set .Values.gitea.config.metrics "ENABLED" .Values.gitea.metrics.enabled -}}
   {{- end -}}
+  {{- if and (not (hasKey .Values.gitea.config.metrics "TOKEN")) (.Values.gitea.metrics.token) (.Values.gitea.metrics.enabled) -}}
+    {{- $_ := set .Values.gitea.config.metrics "TOKEN" .Values.gitea.metrics.token -}}
+  {{- end -}}
   {{- /* redis queue */ -}}
   {{- if or ((index .Values "redis-cluster").enabled) ((index .Values "redis").enabled) -}}
     {{- $_ := set .Values.gitea.config.queue "TYPE" "redis" -}}
@@ -309,6 +345,9 @@ https
   {{- if not .Values.gitea.config.indexer.ISSUE_INDEXER_TYPE -}}
      {{- $_ := set .Values.gitea.config.indexer "ISSUE_INDEXER_TYPE" "db" -}}
   {{- end -}}
+  {{- if not .Values.gitea.config.actions.ENABLED -}}
+     {{- $_ := set .Values.gitea.config.actions "ENABLED" (ternary "true" "false" .Values.actions.enabled) -}}
+  {{- end -}}
 {{- end -}}
 
 {{- define "gitea.inline_configuration.defaults.server" -}}
@@ -328,6 +367,9 @@ https
   {{- if not .Values.gitea.config.server.ROOT_URL -}}
     {{- $_ := set .Values.gitea.config.server "ROOT_URL" (printf "%s://%s" (include "gitea.public_protocol" .) .Values.gitea.config.server.DOMAIN) -}}
   {{- end -}}
+  {{- if .Values.actions.enabled -}}
+     {{- $_ := set .Values.gitea.config.server "LOCAL_ROOT_URL" (include "gitea.act_runner.local_root_url" .) -}}
+  {{- end -}}
   {{- if not .Values.gitea.config.server.SSH_DOMAIN -}}
     {{- $_ := set .Values.gitea.config.server "SSH_DOMAIN" .Values.gitea.config.server.DOMAIN -}}
   {{- end -}}
@@ -408,3 +450,25 @@ https
 {{ printf "gitea.admin.passwordMode must be set to one of 'keepUpdated', 'initialOnlyNoReset', or 'initialOnlyRequireReset'. Received: '%s'" .Values.gitea.admin.passwordMode | fail }}
 {{- end -}}
 {{- end -}}
+
+{{/* Create a functioning probe object for rendering. Given argument must be either a livenessProbe, readinessProbe, or startupProbe */}}
+{{- define "gitea.deployment.probe" -}}
+  {{- $probe := unset . "enabled" -}}
+  {{- $probeKeys := keys $probe -}}
+  {{- $containsCustomMethod := false -}}
+  {{- $chartDefaultMethod := "tcpSocket" -}}
+  {{- $nonChartDefaultMethods := list "exec" "httpGet" "grpc" -}}
+  {{- range $probeKeys -}}
+    {{- if has . $nonChartDefaultMethods -}}
+      {{- $containsCustomMethod = true -}}
+    {{- end -}}
+  {{- end -}}
+  {{- if $containsCustomMethod -}}
+    {{- $probe = unset . $chartDefaultMethod -}}
+  {{- end -}}
+  {{- toYaml $probe -}}
+{{- end -}}
+
+{{- define "gitea.metrics-secret-name" -}}
+{{ default (printf "%s-metrics-secret" (include "gitea.fullname" .)) }}
+{{- end -}}

templates/gitea/act_runner/01-consistency-checks.yaml

@@ -0,0 +1,15 @@
+{{- if .Values.actions.enabled -}}
+    {{- if .Values.actions.provisioning.enabled -}}
+        {{- if not (and .Values.persistence.enabled .Values.persistence.mount) -}}
+            {{- fail "persistence.enabled and persistence.mount are required when provisioning is enabled" -}}
+        {{- end -}}
+        {{- if and .Values.persistence.enabled .Values.persistence.mount -}}
+            {{- if .Values.actions.existingSecret -}}
+                {{- fail "Can't specify both actions.provisioning.enabled and actions.existingSecret" -}}
+            {{- end -}}
+        {{- end -}}
+    {{- end -}}
+    {{- if and (not .Values.actions.provisioning.enabled) (or (empty .Values.actions.existingSecret) (empty .Values.actions.existingSecretKey)) -}}
+        {{- fail "actions.existingSecret and actions.existingSecretKey are required when provisioning is disabled" -}}
+    {{- end -}}
+{{- end -}}

templates/gitea/act_runner/config-act-runner.yaml

@@ -0,0 +1,15 @@
+{{- if .Values.actions.enabled }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "gitea.fullname" . }}-act-runner-config
+  namespace: {{ .Values.namespace | default .Release.Namespace }}
+  labels:
+    {{- include "gitea.labels" . | nindent 4 }}
+data:
+  config.yaml: |
+    {{- with .Values.actions.statefulset.actRunner.config -}}
+    {{ . | nindent 4}}
+    {{- end -}}
+{{- end }}

templates/gitea/act_runner/config-scripts.yaml

@@ -0,0 +1,14 @@
+{{- if .Values.actions.enabled }}
+{{- if and (and .Values.actions.provisioning.enabled .Values.persistence.enabled) .Values.persistence.mount }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "gitea.fullname" . }}-scripts
+  namespace: {{ .Values.namespace | default .Release.Namespace }}
+  labels:
+    {{- include "gitea.labels" . | nindent 4 }}
+data:
+{{ (.Files.Glob "scripts/act_runner/*.sh").AsConfig | indent 2 }}
+{{- end }}
+{{- end }}

templates/gitea/act_runner/job.yaml

@@ -0,0 +1,115 @@
+{{- if .Values.actions.enabled }}
+{{- if and (and .Values.actions.provisioning.enabled .Values.persistence.enabled) .Values.persistence.mount }}
+{{- $name := include "gitea.workername" (dict "global" . "worker" "actions-token-job") }}
+{{- $secretName := include "gitea.workername" (dict "global" . "worker" "actions-token") }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ $name }}
+  namespace: {{ .Values.namespace | default .Release.Namespace }}
+  labels:
+    {{- include "gitea.labels" . | nindent 4 }}
+    {{- with .Values.actions.provisioning.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+    app.kubernetes.io/component: token-job
+  annotations:
+    {{- with .Values.actions.provisioning.annotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+spec:
+  ttlSecondsAfterFinished: {{ .Values.actions.provisioning.ttlSecondsAfterFinished }}
+  template:
+    metadata:
+      labels:
+        {{- include "gitea.labels" . | nindent 8 }}
+        {{- with .Values.actions.provisioning.labels }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
+        app.kubernetes.io/component: token-job
+    spec:
+      initContainers:
+        - name: init-gitea
+          image: "{{ .Values.actions.init.image.repository }}:{{ .Values.actions.init.image.tag }}"
+          command:
+            - sh
+            - -c
+            - |
+              while ! nc -z {{ include "gitea.fullname" . }}-http {{ .Values.service.http.port }}; do
+                sleep 5
+              done
+      containers:
+        - name: actions-token-create
+          image: "{{ include "gitea.image" . }}"
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          env:
+            - name: GITEA_APP_INI
+              value: /data/gitea/conf/app.ini
+          command:
+            - sh
+            - -c
+            - |
+              echo "Generating act_runner token via 'gitea actions generate-runner-token'..."
+              mkdir -p /data/actions/
+              gitea actions generate-runner-token | grep -E '^.{40}$' | tr -d '\n' > /data/actions/token
+          resources:
+            {{- toYaml .Values.actions.provisioning.resources | nindent 12 }}
+          volumeMounts:
+            - name: data
+              mountPath: /data
+              {{- if .Values.persistence.subPath }}
+              subPath: {{ .Values.persistence.subPath }}
+              {{- end }}
+        - name: actions-token-upload
+          image: "{{ .Values.actions.provisioning.publish.repository }}:{{ .Values.actions.provisioning.publish.tag }}"
+          imagePullPolicy: {{ .Values.actions.provisioning.publish.pullPolicy }}
+          env:
+            - name: SECRET_NAME
+              value: {{ $secretName }}
+          command:
+            - sh
+            - -c
+            - |
+              printf "Checking rights to update kubernetes act_runner secret..."
+              kubectl auth can-i update secret/${SECRET_NAME}
+              /scripts/token.sh
+          resources:
+            {{- toYaml .Values.actions.provisioning.resources | nindent 12 }}
+          volumeMounts:
+            - mountPath: /scripts
+              name: scripts
+              readOnly: true
+            - mountPath: /data
+              name: data
+              readOnly: true
+              {{- if .Values.persistence.subPath }}
+              subPath: {{ .Values.persistence.subPath }}
+              {{- end }}
+      {{- range $key, $value := .Values.actions.provisioning.nodeSelector }}
+      nodeSelector:
+        {{ $key }}: {{ $value | quote }}
+      {{- end }}
+      {{- with .Values.actions.provisioning.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.actions.provisioning.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      restartPolicy: Never
+      serviceAccount: {{ $name }}
+      volumes:
+        - name: scripts
+          configMap:
+            name: {{ include "gitea.fullname" . }}-scripts
+            defaultMode: 0755
+        - name: data
+          persistentVolumeClaim:
+            claimName: {{ .Values.persistence.claimName }}
+  parallelism: 1
+  completions: 1
+  backoffLimit: 1
+{{- end }}
+{{- end }}

templates/gitea/act_runner/role-job.yaml

@@ -0,0 +1,26 @@
+{{- if .Values.actions.enabled }}
+{{- if and (and .Values.actions.provisioning.enabled .Values.persistence.enabled) .Values.persistence.mount }}
+{{- $name := include "gitea.workername" (dict "global" . "worker" "actions-token-job") }}
+{{- $secretName := include "gitea.workername" (dict "global" . "worker" "actions-token") }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ $name }}
+  namespace: {{ .Values.namespace | default .Release.Namespace }}
+  labels:
+    {{- include "gitea.labels" . | nindent 4 }}
+    app.kubernetes.io/component: token-job
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - secrets
+    resourceNames:
+      - {{ $secretName }}
+    verbs:
+      - get
+      - update
+      - patch
+{{- end }}
+{{- end }}

templates/gitea/act_runner/rolebinding-job.yaml

@@ -0,0 +1,23 @@
+{{- if .Values.actions.enabled }}
+{{- if and (and .Values.actions.provisioning.enabled .Values.persistence.enabled) .Values.persistence.mount }}
+{{- $name := include "gitea.workername" (dict "global" . "worker" "actions-token-job") }}
+{{- $secretName := include "gitea.workername" (dict "global" . "worker" "actions-token") }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ $name }}
+  namespace: {{ .Values.namespace | default .Release.Namespace }}
+  labels:
+    {{- include "gitea.labels" . | nindent 4 }}
+    app.kubernetes.io/component: token-job
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ $name }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ $name }}
+    namespace: {{ .Release.Namespace }}
+{{- end }}
+{{- end }}

templates/gitea/act_runner/secret-token.yaml

@@ -0,0 +1,20 @@
+{{- if .Values.actions.enabled }}
+{{- if and (and .Values.actions.provisioning.enabled .Values.persistence.enabled) .Values.persistence.mount }}
+{{- $name := include "gitea.workername" (dict "global" . "worker" "actions-token-job") }}
+{{- $secretName := include "gitea.workername" (dict "global" . "worker" "actions-token") }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ $secretName }}
+  namespace: {{ .Values.namespace | default .Release.Namespace }}
+  labels:
+    {{- include "gitea.labels" . | nindent 4 }}
+    app.kubernetes.io/component: token-job
+{{ $secret := (lookup "v1" "Secret" .Release.Namespace $secretName) -}}
+{{ if $secret -}}
+data:
+  token: {{ (b64dec (index $secret.data "token")) | b64enc }}
+{{ end -}}
+{{- end }}
+{{- end }}

templates/gitea/act_runner/serviceaccount-job.yaml

@@ -0,0 +1,14 @@
+{{- if .Values.actions.enabled }}
+{{- if and (and .Values.actions.provisioning.enabled .Values.persistence.enabled) .Values.persistence.mount }}
+{{- $name := include "gitea.workername" (dict "global" . "worker" "actions-token-job") }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ $name }}
+  namespace: {{ .Values.namespace | default .Release.Namespace }}
+  labels:
+    {{- include "gitea.labels" . | nindent 4 }}
+    app.kubernetes.io/component: token-job
+{{- end }}
+{{- end }}

templates/gitea/act_runner/statefulset.yaml

@@ -0,0 +1,129 @@
+{{- if .Values.actions.enabled }}
+{{- $secretName := include "gitea.workername" (dict "global" . "worker" "actions-token") }}
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  labels:
+    {{- include "gitea.labels.actRunner" . | nindent 4 }}
+    {{- with .Values.actions.statefulset.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+  annotations:
+    {{- with .Values.actions.statefulset.annotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+  name: {{ include "gitea.fullname" . }}-act-runner
+  namespace: {{ .Values.namespace | default .Release.Namespace }}
+spec:
+  selector:
+    matchLabels:
+      {{- include "gitea.selectorLabels.actRunner" . | nindent 6 }}
+  template:
+    metadata:
+      annotations:
+        checksum/config: {{ include (print $.Template.BasePath "/gitea/act_runner/config-act-runner.yaml") . | sha256sum }}
+      labels:
+        {{- include "gitea.labels.actRunner" . | nindent 8 }}
+        {{- with .Values.actions.statefulset.labels }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
+    spec:
+      initContainers:
+        - name: init-gitea
+          image: "{{ .Values.actions.init.image.repository }}:{{ .Values.actions.init.image.tag }}"
+          command:
+            - sh
+            - -c
+            - |
+              while ! nc -z {{ include "gitea.fullname" . }}-http {{ .Values.service.http.port }}; do
+                sleep 5
+              done
+      containers:
+        - name: act-runner
+          image: "{{ .Values.actions.statefulset.actRunner.repository }}:{{ .Values.actions.statefulset.actRunner.tag }}"
+          imagePullPolicy: {{ .Values.actions.statefulset.actRunner.pullPolicy }}
+          workingDir: /data
+          env:
+            - name: DOCKER_HOST
+              value: tcp://127.0.0.1:2376
+            - name: DOCKER_TLS_VERIFY
+              value: "1"
+            - name: DOCKER_CERT_PATH
+              value: /certs/server
+            - name: GITEA_RUNNER_REGISTRATION_TOKEN
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Values.actions.existingSecret | default $secretName }}"
+                  key: "{{ .Values.actions.existingSecretKey | default "token" }}"
+            - name: GITEA_INSTANCE_URL
+              value: {{ include "gitea.act_runner.local_root_url" . }}
+            - name: CONFIG_FILE
+              value: /actrunner/config.yaml
+          resources:
+            {{- toYaml .Values.actions.statefulset.resources | nindent 12 }}
+          volumeMounts:
+            - mountPath: /actrunner/config.yaml
+              name: act-runner-config
+              subPath: config.yaml
+            - mountPath: /certs/server
+              name: docker-certs
+            - mountPath: /data
+              name: data-act-runner
+            {{- with .Values.actions.statefulset.actRunner.extraVolumeMounts }}
+            {{- toYaml . | nindent 12 }}
+            {{- end }}
+        - name: dind
+          image: "{{ .Values.actions.statefulset.dind.repository }}:{{ .Values.actions.statefulset.dind.tag }}"
+          imagePullPolicy: {{ .Values.actions.statefulset.dind.pullPolicy }}
+          env:
+            - name: DOCKER_HOST
+              value: tcp://127.0.0.1:2376
+            - name: DOCKER_TLS_VERIFY
+              value: "1"
+            - name: DOCKER_CERT_PATH
+              value: /certs/server
+            {{- if .Values.actions.statefulset.dind.extraEnvs }}
+            {{- toYaml .Values.actions.statefulset.dind.extraEnvs | nindent 12 }}
+            {{- end }}
+          securityContext:
+            privileged: true
+          resources:
+            {{- toYaml .Values.actions.statefulset.resources | nindent 12 }}
+          volumeMounts:
+            - mountPath: /certs/server
+              name: docker-certs
+            {{- with .Values.actions.statefulset.dind.extraVolumeMounts }}
+            {{- toYaml . | nindent 12 }}
+            {{- end }}
+      {{- range $key, $value := .Values.actions.statefulset.nodeSelector }}
+      nodeSelector:
+        {{ $key }}: {{ $value | quote }}
+      {{- end }}
+      {{- with .Values.actions.statefulset.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.actions.statefulset.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      volumes:
+        - name: act-runner-config
+          configMap:
+            name: {{ include "gitea.fullname" . }}-act-runner-config
+        - name: docker-certs
+          emptyDir: {}
+        {{- with .Values.actions.statefulset.extraVolumes }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
+  volumeClaimTemplates:
+    - metadata:
+        name: data-act-runner
+      spec:
+        accessModes: [ "ReadWriteOnce" ]
+        {{- include "gitea.persistence.storageClass" . | nindent 8 }}
+        resources:
+          requests:
+            storage: 1Mi
+{{- end }}

templates/gitea/config.yaml

@@ -2,6 +2,7 @@ apiVersion: v1
 kind: Secret
 metadata:
   name: {{ include "gitea.fullname" . }}-inline-config
+  namespace: {{ .Values.namespace | default .Release.Namespace }}
   labels:
     {{- include "gitea.labels" . | nindent 4 }}
 type: Opaque
@@ -12,10 +13,12 @@ apiVersion: v1
 kind: Secret
 metadata:
   name: {{ include "gitea.fullname" . }}
+  namespace: {{ .Values.namespace | default .Release.Namespace }}
   labels:
     {{- include "gitea.labels" . | nindent 4 }}
 type: Opaque
 stringData:
+{{ (.Files.Glob "scripts/init-containers/config/*.sh").AsConfig | indent 2 }}
   assertions: |
 
     {{- /*assert that only one PG dep is enabled */ -}}
@@ -52,158 +55,3 @@ stringData:
       {{- end }}
       
     {{- end }}
-  config_environment.sh: |-
-    #!/usr/bin/env bash
-    set -euo pipefail
-
-    function env2ini::log() {
-      printf "${1}\n"
-    }
-
-    function env2ini::read_config_to_env() {
-      local section="${1}"
-      local line="${2}"
-
-      if [[ -z "${line}" ]]; then
-        # skip empty line
-        return
-      fi
-      
-      # 'xargs echo -n' trims all leading/trailing whitespaces and a trailing new line
-      local setting="$(awk -F '=' '{print $1}' <<< "${line}" | xargs echo -n)"
-
-      if [[ -z "${setting}" ]]; then
-        env2ini::log '  ! invalid setting'
-        exit 1
-      fi
-
-      local value=''
-      local regex="^${setting}(\s*)=(\s*)(.*)"
-      if [[ $line =~ $regex ]]; then
-        value="${BASH_REMATCH[3]}"
-      else
-        env2ini::log '  ! invalid setting'
-        exit 1
-      fi
-
-      env2ini::log "    + '${setting}'"
-
-      if [[ -z "${section}" ]]; then
-        export "GITEA____${setting^^}=${value}"                           # '^^' makes the variable content uppercase
-        return
-      fi
-
-      local masked_section="${section//./_0X2E_}"                            # '//' instructs to replace all matches
-      masked_section="${masked_section//-/_0X2D_}"
-
-      export "GITEA__${masked_section^^}__${setting^^}=${value}"        # '^^' makes the variable content uppercase
-    }
-
-    function env2ini::reload_preset_envs() {
-      env2ini::log "Reloading preset envs..."
-
-      while read -r line; do
-        if [[ -z "${line}" ]]; then
-          # skip empty line
-          return
-        fi
-
-        # 'xargs echo -n' trims all leading/trailing whitespaces and a trailing new line
-        local setting="$(awk -F '=' '{print $1}' <<< "${line}" | xargs echo -n)"
-
-        if [[ -z "${setting}" ]]; then
-          env2ini::log '  ! invalid setting'
-          exit 1
-        fi
-
-        local value=''
-        local regex="^${setting}(\s*)=(\s*)(.*)"
-        if [[ $line =~ $regex ]]; then
-          value="${BASH_REMATCH[3]}"
-        else
-          env2ini::log '  ! invalid setting'
-          exit 1
-        fi
-
-        env2ini::log "  + '${setting}'"
-
-        export "${setting^^}=${value}"                           # '^^' makes the variable content uppercase
-      done < "/tmp/existing-envs"
-
-      rm /tmp/existing-envs
-    }
-
-
-    function env2ini::process_config_file() {
-      local config_file="${1}"
-      local section="$(basename "${config_file}")"
-
-      if [[ $section == '_generals_' ]]; then
-        env2ini::log "  [ini root]"
-        section=''
-      else
-        env2ini::log "  ${section}"
-      fi
-
-      while read -r line; do
-        env2ini::read_config_to_env "${section}" "${line}"
-      done < <(awk 1 "${config_file}")                             # Helm .toYaml trims the trailing new line which breaks line processing; awk 1 ... adds it back while reading
-    }
-
-    function env2ini::load_config_sources() {
-      local path="${1}"
-
-      if [[ -d "${path}" ]]; then
-        env2ini::log "Processing $(basename "${path}")..."
-
-        while read -d '' configFile; do
-          env2ini::process_config_file "${configFile}"
-        done < <(find "${path}" -type l -not -name '..data' -print0)
-
-        env2ini::log "\n"
-      fi
-    }
-
-    function env2ini::generate_initial_secrets() {
-      # These environment variables will either be
-      #   - overwritten with user defined values,
-      #   - initially used to set up Gitea
-      # Anyway, they won't harm existing app.ini files
-
-      export GITEA__SECURITY__INTERNAL_TOKEN=$(gitea generate secret INTERNAL_TOKEN)
-      export GITEA__SECURITY__SECRET_KEY=$(gitea generate secret SECRET_KEY)
-      export GITEA__OAUTH2__JWT_SECRET=$(gitea generate secret JWT_SECRET)
-      export GITEA__SERVER__LFS_JWT_SECRET=$(gitea generate secret LFS_JWT_SECRET)
-
-      env2ini::log "...Initial secrets generated\n"
-    }
-    
-    # save existing envs prior to script execution. Necessary to keep order of preexisting and custom envs
-    env | (grep -e '^GITEA__' || [[ $? == 1 ]]) > /tmp/existing-envs
-    
-    # MUST BE CALLED BEFORE OTHER CONFIGURATION
-    env2ini::generate_initial_secrets
-
-    env2ini::load_config_sources '/env-to-ini-mounts/inlines/'
-    env2ini::load_config_sources '/env-to-ini-mounts/additionals/'
-
-    # load existing envs to override auto generated envs
-    env2ini::reload_preset_envs
-
-    env2ini::log "=== All configuration sources loaded ===\n"
-
-    # safety to prevent rewrite of secret keys if an app.ini already exists
-    if [ -f ${GITEA_APP_INI} ]; then
-      env2ini::log 'An app.ini file already exists. To prevent overwriting secret keys, these settings are dropped and remain unchanged:'
-      env2ini::log '  - security.INTERNAL_TOKEN'
-      env2ini::log '  - security.SECRET_KEY'
-      env2ini::log '  - oauth2.JWT_SECRET'
-      env2ini::log '  - server.LFS_JWT_SECRET'
-
-      unset GITEA__SECURITY__INTERNAL_TOKEN
-      unset GITEA__SECURITY__SECRET_KEY
-      unset GITEA__OAUTH2__JWT_SECRET
-      unset GITEA__SERVER__LFS_JWT_SECRET
-    fi
-
-    environment-to-ini -o $GITEA_APP_INI

templates/gitea/deployment.yaml

@@ -2,6 +2,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: {{ include "gitea.fullname" . }}
+  namespace: {{ .Values.namespace | default .Release.Namespace }}
   annotations:
     {{- if .Values.deployment.annotations }}
     {{- toYaml .Values.deployment.annotations | nindent 4 }}
@@ -106,6 +107,10 @@ spec:
               value: /data
             - name: GITEA_TEMP
               value: /tmp/gitea
+            - name: TMP_EXISTING_ENVS_FILE
+              value: /tmp/existing-envs
+            - name: ENV_TO_INI_MOUNT_POINT
+              value: /env-to-ini-mounts
             {{- if .Values.deployment.env }}
             {{- toYaml .Values.deployment.env | nindent 12 }}
             {{- end }}
@@ -148,6 +153,8 @@ spec:
           env:
             - name: GNUPGHOME
               value: {{ .Values.signing.gpgHome }}
+            - name: TMP_RAW_GPG_KEY
+              value: /raw/private.asc
           volumeMounts:
             - name: init
               mountPath: /usr/sbin
@@ -284,6 +291,13 @@ spec:
               value: /data
             - name: GITEA_TEMP
               value: /tmp/gitea
+            {{- if and (hasKey .Values.resources "limits") (hasKey .Values.resources.limits "cpu") }}
+            - name: GOMAXPROCS
+              valueFrom:
+                resourceFieldRef:
+                  divisor: "1"
+                  resource: limits.cpu
+            {{- end }}
             - name: TMPDIR
               value: /tmp/gitea
             {{- if .Values.image.rootless }}
@@ -311,15 +325,15 @@ spec:
             {{- end }}
           {{- if .Values.gitea.livenessProbe.enabled }}
           livenessProbe:
-            {{- toYaml (omit .Values.gitea.livenessProbe "enabled") | nindent 12 }}
+            {{- include "gitea.deployment.probe" .Values.gitea.livenessProbe | nindent 12 }}
           {{- end }}
           {{- if .Values.gitea.readinessProbe.enabled }}
           readinessProbe:
-            {{- toYaml (omit .Values.gitea.readinessProbe "enabled") | nindent 12 }}
+            {{- include "gitea.deployment.probe" .Values.gitea.readinessProbe | nindent 12 }}
           {{- end }}
           {{- if .Values.gitea.startupProbe.enabled }}
           startupProbe:
-            {{- toYaml (omit .Values.gitea.startupProbe "enabled") | nindent 12 }}
+            {{- include "gitea.deployment.probe" .Values.gitea.startupProbe | nindent 12 }}
           {{- end }}
           resources:
             {{- toYaml .Values.resources | nindent 12 }}
@@ -339,13 +353,16 @@ spec:
               subPath: {{ .Values.persistence.subPath }}
               {{- end }}
             {{- include "gitea.container-additional-mounts" . | nindent 12 }}
+        {{- if .Values.extraContainers }}
+        {{- toYaml .Values.extraContainers | nindent 8 }}
+        {{- end }}
       {{- with .Values.global.hostAliases }}
       hostAliases:
         {{- toYaml . | nindent 8 }}
       {{- end }}
-      {{- with .Values.nodeSelector }}
+      {{- range $key, $value := .Values.nodeSelector }}
       nodeSelector:
-        {{- toYaml . | nindent 8 }}
+        {{ $key }}: {{ $value | quote }}
       {{- end }}
     {{- with .Values.affinity }}
       affinity:

templates/gitea/gpg-secret.yaml

@@ -7,6 +7,7 @@ apiVersion: v1
 kind: Secret
 metadata:
   name: {{ include "gitea.gpg-key-secret-name" . }}
+  namespace: {{ .Values.namespace | default .Release.Namespace }}
   labels:
     {{- include "gitea.labels" . | nindent 4 }}
 type: Opaque

templates/gitea/http-svc.yaml

@@ -2,6 +2,7 @@ apiVersion: v1
 kind: Service
 metadata:
   name: {{ include "gitea.fullname" . }}-http
+  namespace: {{ .Values.namespace | default .Release.Namespace }}
   labels:
     {{- include "gitea.labels" . | nindent 4 }}
     {{- if .Values.service.http.labels }}
@@ -11,7 +12,11 @@ metadata:
     {{- toYaml .Values.service.http.annotations | nindent 4 }}
 spec:
   type: {{ .Values.service.http.type }}
-  {{- if and .Values.service.http.loadBalancerIP (eq .Values.service.http.type "LoadBalancer") }}
+  {{- if eq .Values.service.http.type "LoadBalancer" }}
+  {{- if .Values.service.http.loadBalancerClass }}
+  loadBalancerClass: {{ .Values.service.http.loadBalancerClass }}
+  {{- end }}
+  {{- if and .Values.service.http.loadBalancerIP }}
   loadBalancerIP: {{ .Values.service.http.loadBalancerIP  }}
   {{- end }}
   {{- if .Values.service.http.loadBalancerSourceRanges }}
@@ -20,6 +25,7 @@ spec:
     - {{ . }}
   {{- end }}
   {{- end }}
+  {{- end }}
   {{- if .Values.service.http.externalIPs }}
   externalIPs:
     {{- toYaml .Values.service.http.externalIPs | nindent 4 }}

templates/gitea/ingress.yaml

@@ -13,6 +13,7 @@ apiVersion: {{ $apiVersion }}
 kind: Ingress
 metadata:
   name: {{ $fullName }}
+  namespace: {{ .Values.namespace | default .Release.Namespace }}
   labels:
     {{- include "gitea.labels" . | nindent 4 }}
   annotations:

templates/gitea/init.yaml

@@ -2,15 +2,12 @@ apiVersion: v1
 kind: Secret
 metadata:
   name: {{ include "gitea.fullname" . }}-init
+  namespace: {{ .Values.namespace | default .Release.Namespace }}
   labels:
     {{- include "gitea.labels" . | nindent 4 }}
 type: Opaque
 stringData:
-  configure_gpg_environment.sh: |-
-    #!/usr/bin/env bash
-    set -eu
-
-    gpg --batch --import /raw/private.asc
+{{ (.Files.Glob "scripts/init-containers/init/*.sh").AsConfig | indent 2 }}
   init_directory_structure.sh: |-
     #!/usr/bin/env bash
 
@@ -24,27 +21,25 @@ stringData:
     # END: initPreScript
     {{- end }}
 
-    set -x
-
     {{- if not .Values.image.rootless }}
-    chown 1000:1000 /data
+    chown -v 1000:1000 /data
     {{- end }}
-    mkdir -p /data/git/.ssh
-    chmod -R 700 /data/git/.ssh
-    [ ! -d /data/gitea/conf ] && mkdir -p /data/gitea/conf
+    mkdir -pv /data/git/.ssh
+    chmod -Rv 700 /data/git/.ssh
+    [ ! -d /data/gitea/conf ] && mkdir -pv /data/gitea/conf
 
     # prepare temp directory structure
-    mkdir -p "${GITEA_TEMP}"
+    mkdir -pv "${GITEA_TEMP}"
     {{- if not .Values.image.rootless }}
-    chown 1000:1000 "${GITEA_TEMP}"
+    chown -v 1000:1000 "${GITEA_TEMP}"
     {{- end }}
-    chmod ug+rwx "${GITEA_TEMP}"
+    chmod -v ug+rwx "${GITEA_TEMP}"
 
     {{ if .Values.signing.enabled -}}
     if [ ! -d "${GNUPGHOME}" ]; then
-      mkdir -p "${GNUPGHOME}"
-      chmod 700 "${GNUPGHOME}"
-      chown 1000:1000 "${GNUPGHOME}"
+      mkdir -pv "${GNUPGHOME}"
+      chmod -v 700 "${GNUPGHOME}"
+      chown -v 1000:1000 "${GNUPGHOME}"
     fi
     {{- end }}
 

templates/gitea/metrics-secret.yaml

@@ -0,0 +1,12 @@
+{{- if and (.Values.gitea.metrics.enabled) (.Values.gitea.metrics.serviceMonitor.enabled) (.Values.gitea.metrics.token) -}}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "gitea.metrics-secret-name" . }}
+  namespace: {{ .Values.namespace | default .Release.Namespace }}
+  labels:
+    {{- include "gitea.labels" . | nindent 4 }}
+type: Opaque
+data:
+  token: {{ .Values.gitea.metrics.token  | b64enc }}
+{{- end }}

templates/gitea/poddisruptionbudget.yaml

@@ -7,6 +7,7 @@ apiVersion: policy/v1beta1
 kind: PodDisruptionBudget
 metadata:
   name: {{ include "gitea.fullname" . }}
+  namespace: {{ .Values.namespace | default .Release.Namespace }}
   labels:
     {{- include "gitea.labels" . | nindent 4 }}
 spec:

templates/gitea/pvc.yaml

@@ -3,7 +3,7 @@ kind: PersistentVolumeClaim
 apiVersion: v1
 metadata:
   name: {{ .Values.persistence.claimName }}
-  namespace: {{ $.Release.Namespace }}
+  namespace: {{ .Values.namespace | default .Release.Namespace }}
   annotations:
 {{ .Values.persistence.annotations | toYaml | indent 4}}
   labels:

templates/gitea/serviceaccount.yaml

@@ -3,7 +3,7 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: {{ include "gitea.serviceAccountName" . }}
-  namespace: {{ .Release.Namespace | quote }}
+  namespace: {{ .Values.namespace | default .Release.Namespace }}
   labels:
     {{- include "gitea.labels" . | nindent 4 }}
     {{- with .Values.serviceAccount.labels }}

templates/gitea/servicemonitor.yaml

@@ -1,8 +1,9 @@
-{{- if .Values.gitea.metrics.serviceMonitor.enabled -}}
+{{- if and .Values.gitea.metrics.enabled .Values.gitea.metrics.serviceMonitor.enabled -}}
 apiVersion: monitoring.coreos.com/v1
 kind: ServiceMonitor
 metadata:
   name: {{ include "gitea.fullname" . }}
+  namespace: {{ .Values.namespace | default .Release.Namespace }}
   labels:
     {{- include "gitea.labels" . | nindent 4 }}
     {{- if .Values.gitea.metrics.serviceMonitor.additionalLabels }}
@@ -14,4 +15,29 @@ spec:
       {{- include "gitea.selectorLabels" . | nindent 6 }}
   endpoints:
   - port: http
+    {{- if .Values.gitea.metrics.serviceMonitor.interval }}
+    interval: {{ .Values.gitea.metrics.serviceMonitor.interval }}
+    {{- end }}
+    {{- with .Values.gitea.metrics.serviceMonitor.relabelings }}
+    relabelings:
+      {{- . | toYaml | nindent 6 }}
+    {{- end }}
+    {{- if .Values.gitea.metrics.serviceMonitor.scheme }}
+    scheme: {{ .Values.gitea.metrics.serviceMonitor.scheme }}
+    {{- end }}
+    {{- if .Values.gitea.metrics.serviceMonitor.scrapeTimeout }}
+    scrapeTimeout: {{ .Values.gitea.metrics.serviceMonitor.scrapeTimeout }}
+    {{- end }}
+    {{- with .Values.gitea.metrics.serviceMonitor.tlsConfig }}
+    tlsConfig:
+      {{- . | toYaml | nindent 6 }}
+    {{- end }}
+    {{- if .Values.gitea.metrics.token }}
+    authorization:
+      type: Bearer
+      credentials:
+        name: {{ include "gitea.metrics-secret-name" . }}
+        key: token
+        optional: false
+    {{- end }}
 {{- end -}}

templates/gitea/ssh-svc.yaml

@@ -2,6 +2,7 @@ apiVersion: v1
 kind: Service
 metadata:
   name: {{ include "gitea.fullname" . }}-ssh
+  namespace: {{ .Values.namespace | default .Release.Namespace }}
   labels:
     {{- include "gitea.labels" . | nindent 4 }}
     {{- if .Values.service.ssh.labels }}
@@ -12,6 +13,9 @@ metadata:
 spec:
   type: {{ .Values.service.ssh.type }}
   {{- if eq .Values.service.ssh.type "LoadBalancer" }}
+  {{- if .Values.service.ssh.loadBalancerClass }}
+  loadBalancerClass: {{ .Values.service.ssh.loadBalancerClass }}
+  {{- end }}
   {{- if .Values.service.ssh.loadBalancerIP }}
   loadBalancerIP: {{ .Values.service.ssh.loadBalancerIP }}
   {{- end -}}

templates/tests/test-http-connection.yaml

@@ -3,6 +3,7 @@ apiVersion: v1
 kind: Pod
 metadata:
   name: "{{ include "gitea.fullname" . }}-test-connection"
+  namespace: {{ .Values.namespace | default .Release.Namespace }}
   labels:
 {{ include "gitea.labels" . | nindent 4 }}
   annotations:

unittests/bash/test_helper/common-setup.bash

@@ -0,0 +1,7 @@
+#!/usr/bin/env bash
+
+function common_setup() {
+  load "$TEST_ROOT/test_helper/bats-support/load"
+  load "$TEST_ROOT/test_helper/bats-assert/load"
+  load "$TEST_ROOT/test_helper/bats-mock/stub"
+}

unittests/bash/tests/init-containers/config/config_environment.bats

@@ -0,0 +1,204 @@
+#!/usr/bin/env bats
+
+function setup() {
+  PROJECT_ROOT="$(git rev-parse --show-toplevel)"
+  TEST_ROOT="$PROJECT_ROOT/unittests/bash"
+  load "$TEST_ROOT/test_helper/common-setup"
+  common_setup
+
+  export GITEA_APP_INI="$BATS_TEST_TMPDIR/app.ini"
+  export TMP_EXISTING_ENVS_FILE="$BATS_TEST_TMPDIR/existing-envs"
+  export ENV_TO_INI_MOUNT_POINT="$BATS_TEST_TMPDIR/env-to-ini-mounts"
+
+  stub gitea \
+      "generate secret INTERNAL_TOKEN : echo 'mocked-internal-token'" \
+      "generate secret SECRET_KEY : echo 'mocked-secret-key'" \
+      "generate secret JWT_SECRET : echo 'mocked-jwt-secret'" \
+      "generate secret LFS_JWT_SECRET : echo 'mocked-lfs-jwt-secret'"
+}
+
+function teardown() {
+  unstub gitea
+  # This condition exists due to https://github.com/jasonkarns/bats-mock/pull/37 being still open
+  if [ $ENV_TO_INI_EXPECTED -eq 1 ]; then
+    unstub environment-to-ini
+  fi
+}
+
+# This function exists due to https://github.com/jasonkarns/bats-mock/pull/37 being still open
+function expect_environment_to_ini_call() {
+  export ENV_TO_INI_EXPECTED=1
+  stub environment-to-ini \
+    "-o $GITEA_APP_INI : echo 'Stubbed environment-to-ini was called!'"
+}
+
+function execute_test_script() {
+  currentEnvsBefore=$(env | sort)
+  source $PROJECT_ROOT/scripts/init-containers/config/config_environment.sh
+  local exitCode=$?
+  currentEnvsAfter=$(env | sort)
+
+  # diff as unified +/- output without context before/after
+  diff --unified=0 <(echo "$currentEnvsBefore") <(echo "$currentEnvsAfter")
+
+  exit $exitCode
+}
+
+function write_mounted_file() {
+  # either "inlines" or "additionals"
+  scope="${1}"
+  file="${2}"
+  content="${3}"
+
+  mkdir -p "$ENV_TO_INI_MOUNT_POINT/$scope/..data/"
+  echo "${content}" > "$ENV_TO_INI_MOUNT_POINT/$scope/..data/$file"
+  ln -sf "$ENV_TO_INI_MOUNT_POINT/$scope/..data/$file" "$ENV_TO_INI_MOUNT_POINT/$scope/$file"
+}
+
+@test "works as expected when nothing is configured" {
+  expect_environment_to_ini_call
+  run $PROJECT_ROOT/scripts/init-containers/config/config_environment.sh
+
+  assert_success
+  assert_line '...Initial secrets generated'
+  assert_line 'Reloading preset envs...'
+  assert_line '=== All configuration sources loaded ==='
+  assert_line 'Stubbed environment-to-ini was called!'
+}
+
+@test "exports initial secrets" {
+  expect_environment_to_ini_call
+  run execute_test_script
+
+  assert_success
+  assert_line '+GITEA__OAUTH2__JWT_SECRET=mocked-jwt-secret'
+  assert_line '+GITEA__SECURITY__INTERNAL_TOKEN=mocked-internal-token'
+  assert_line '+GITEA__SECURITY__SECRET_KEY=mocked-secret-key'
+  assert_line '+GITEA__SERVER__LFS_JWT_SECRET=mocked-lfs-jwt-secret'
+}
+
+@test "does NOT export initial secrets when app.ini already exists" {
+  expect_environment_to_ini_call
+  touch $GITEA_APP_INI
+
+  run execute_test_script
+
+  assert_success
+  assert_line --partial 'An app.ini file already exists.'
+  refute_line '+GITEA__OAUTH2__JWT_SECRET=mocked-jwt-secret'
+  refute_line '+GITEA__SECURITY__INTERNAL_TOKEN=mocked-internal-token'
+  refute_line '+GITEA__SECURITY__SECRET_KEY=mocked-secret-key'
+  refute_line '+GITEA__SERVER__LFS_JWT_SECRET=mocked-lfs-jwt-secret'
+}
+
+@test "ensures that preset environment variables take precedence over auto-generated ones" {
+  expect_environment_to_ini_call
+  export GITEA__OAUTH2__JWT_SECRET="pre-defined-jwt-secret"
+
+  run execute_test_script
+
+  assert_success
+  refute_line '+GITEA__OAUTH2__JWT_SECRET=mocked-jwt-secret'
+}
+
+@test "ensures that preset environment variables take precedence over mounted ones" {
+  expect_environment_to_ini_call
+  export GITEA__OAUTH2__JWT_SECRET="pre-defined-jwt-secret"
+  write_mounted_file "inlines" "oauth2" "$(cat << EOF
+JWT_SECRET=inline-jwt-secret
+EOF
+)"
+
+  run execute_test_script
+
+  assert_success
+  refute_line '+GITEA__OAUTH2__JWT_SECRET=mocked-jwt-secret'
+  refute_line '+GITEA__OAUTH2__JWT_SECRET=inline-jwt-secret'
+}
+
+@test "ensures that additionals take precedence over inlines" {
+  expect_environment_to_ini_call
+  write_mounted_file "inlines" "oauth2" "$(cat << EOF
+JWT_SECRET=inline-jwt-secret
+EOF
+)"
+  write_mounted_file "additionals" "oauth2" "$(cat << EOF
+JWT_SECRET=additional-jwt-secret
+EOF
+)"
+
+  run execute_test_script
+
+  assert_success
+  refute_line '+GITEA__OAUTH2__JWT_SECRET=mocked-jwt-secret'
+  refute_line '+GITEA__OAUTH2__JWT_SECRET=inline-jwt-secret'
+  assert_line '+GITEA__OAUTH2__JWT_SECRET=additional-jwt-secret'
+}
+
+@test "ensures that dotted/dashed sections are properly masked" {
+  expect_environment_to_ini_call
+  write_mounted_file "inlines" "repository.pull-request" "$(cat << EOF
+WORK_IN_PROGRESS_PREFIXES=WIP:,[WIP]
+EOF
+)"
+
+  run execute_test_script
+
+  assert_success
+  assert_line '+GITEA__REPOSITORY_0X2E_PULL_0X2D_REQUEST__WORK_IN_PROGRESS_PREFIXES=WIP:,[WIP]'
+}
+
+###############################################################
+##### THIS IS A BUG, BUT I WANT IT TO BE COVERED BY TESTS #####
+###############################################################
+@test "ensures uppercase section and setting names (🐞)" {
+  expect_environment_to_ini_call
+  export GITEA__oauth2__JwT_Secret="pre-defined-jwt-secret"
+  write_mounted_file "inlines" "repository.pull-request" "$(cat << EOF
+WORK_IN_progress_PREFIXES=WIP:,[WIP]
+EOF
+)"
+
+  run execute_test_script
+
+  assert_success
+  assert_line '+GITEA__REPOSITORY_0X2E_PULL_0X2D_REQUEST__WORK_IN_PROGRESS_PREFIXES=WIP:,[WIP]'
+  assert_line '+GITEA__OAUTH2__JWT_SECRET=pre-defined-jwt-secret'
+}
+
+@test "treats top-level configuration as section-less" {
+  expect_environment_to_ini_call
+  write_mounted_file "inlines" "_generals_" "$(cat << EOF
+APP_NAME=Hello top-level configuration
+RUN_MODE=dev
+EOF
+)"
+
+  run execute_test_script
+
+  assert_success
+  assert_line '+GITEA____APP_NAME=Hello top-level configuration'
+  assert_line '+GITEA____RUN_MODE=dev'
+}
+
+@test "fails on invalid setting" {
+  write_mounted_file "inlines" "_generals_" "$(cat << EOF
+some random invalid string
+EOF
+)"
+
+  run execute_test_script
+
+  assert_failure
+}
+
+@test "treats empty setting name as invalid setting" {
+  write_mounted_file "inlines" "_generals_" "$(cat << EOF
+=value
+EOF
+)"
+
+  run execute_test_script
+
+  assert_failure
+}

unittests/config/database-section_postgresql-ha.yaml

@@ -1,30 +0,0 @@
-suite: config template | database section (postgresql-ha)
-release:
-  name: gitea-unittests
-  namespace: testing
-tests:
-  - it: connects to pgpool service
-    template: templates/gitea/config.yaml
-    set:
-      postgresql:
-        enabled: false
-      postgresql-ha:
-        enabled: true
-    asserts:
-      - documentIndex: 0
-        matchRegex:
-          path: stringData.database
-          pattern: HOST=gitea-unittests-postgresql-ha-pgpool.testing.svc.cluster.local:5432
-  - it: renders the referenced service
-    template: charts/postgresql-ha/templates/pgpool/service.yaml
-    set:
-      postgresql:
-        enabled: false
-      postgresql-ha:
-        enabled: true
-    asserts:
-      - containsDocument:
-          kind: Service
-          apiVersion: v1
-          name: gitea-unittests-postgresql-ha-pgpool
-          namespace: testing

unittests/config/database-section_postgresql.yaml

@@ -1,30 +0,0 @@
-suite: config template | database section (postgresql)
-release:
-  name: gitea-unittests
-  namespace: testing
-tests:
-  - it: "connects to postgresql service"
-    template: templates/gitea/config.yaml
-    set:
-      postgresql:
-        enabled: true
-      postgresql-ha:
-        enabled: false
-    asserts:
-      - documentIndex: 0
-        matchRegex:
-          path: stringData.database
-          pattern: HOST=gitea-unittests-postgresql.testing.svc.cluster.local:5432
-  - it: "renders the referenced service"
-    template: charts/postgresql/templates/primary/svc.yaml
-    set:
-      postgresql:
-        enabled: true
-      postgresql-ha:
-        enabled: false
-    asserts:
-      - containsDocument:
-          kind: Service
-          apiVersion: v1
-          name: gitea-unittests-postgresql
-          namespace: testing

unittests/deployment/basic.yaml

@@ -1,31 +0,0 @@
-suite: deployment template (basic)
-release:
-  name: gitea-unittests
-  namespace: testing
-templates:
-  - templates/gitea/deployment.yaml
-  - templates/gitea/config.yaml
-tests:
-  - it: renders a deployment
-    template: templates/gitea/deployment.yaml
-    asserts:
-      - hasDocuments:
-          count: 1
-      - containsDocument:
-          kind: Deployment
-          apiVersion: apps/v1
-          name: gitea-unittests
-  - it: deployment labels are set
-    template: templates/gitea/deployment.yaml
-    set:
-      deployment.labels:
-        hello: world
-    asserts:
-      - isSubset:
-          path: metadata.labels
-          content:
-            hello: world
-      - isSubset:
-          path: spec.template.metadata.labels
-          content:
-            hello: world

unittests/deployment/svc-configuration.yaml

@@ -1,51 +0,0 @@
-suite: ssh-svc / http-svc template (Services configuration)
-release:
-  name: gitea-unittests
-  namespace: testing
-templates:
-  - templates/gitea/ssh-svc.yaml
-  - templates/gitea/http-svc.yaml
-tests:
-  - it: supports adding custom labels to ssh-svc
-    template: templates/gitea/ssh-svc.yaml
-    set:
-      service:
-        ssh:
-          labels:
-            gitea/testkey: testvalue
-    asserts:
-      - equal:
-          path: metadata.labels["gitea/testkey"]
-          value: "testvalue"
-
-  - it: keeps existing labels (ssh)
-    template: templates/gitea/ssh-svc.yaml
-    set:
-      service:
-        ssh:
-          labels: {}
-    asserts:
-      - exists:
-          path: metadata.labels["app"]
-
-  - it: supports adding custom labels to http-svc
-    template: templates/gitea/http-svc.yaml
-    set:
-      service:
-        http:
-          labels:
-            gitea/testkey: testvalue
-    asserts:
-      - equal:
-          path: metadata.labels["gitea/testkey"]
-          value: "testvalue"
-
-  - it: keeps existing labels (http)
-    template: templates/gitea/http-svc.yaml
-    set:
-      service:
-        http:
-          labels: {}
-    asserts:
-      - exists:
-          path: metadata.labels["app"]

unittests/helm/act_runner/01-consistency-checks.yaml

@@ -0,0 +1,69 @@
+suite: actions template | consistency checks
+release:
+  name: gitea-unittests
+  namespace: testing
+templates:
+  - templates/gitea/act_runner/01-consistency-checks.yaml
+tests:
+  - it: fails when provisioning is enabled BUT persistence is completely disabled
+    set:
+      persistence:
+        enabled: false
+      actions:
+        enabled: true
+        provisioning:
+          enabled: true
+    asserts:
+      - failedTemplate:
+          errorMessage: "persistence.enabled and persistence.mount are required when provisioning is enabled"
+  - it: fails when provisioning is enabled BUT mount is disabled, although persistence is enabled
+    set:
+      persistence:
+        enabled: true
+        mount: false
+      actions:
+        enabled: true
+        provisioning:
+          enabled: true
+    asserts:
+      - failedTemplate:
+          errorMessage: "persistence.enabled and persistence.mount are required when provisioning is enabled"
+  - it: fails when provisioning is enabled AND existingSecret is given
+    set:
+      actions:
+        enabled: true
+        provisioning:
+          enabled: true
+        existingSecret: "secret-reference"
+    asserts:
+      - failedTemplate:
+          errorMessage: "Can't specify both actions.provisioning.enabled and actions.existingSecret"
+  - it: fails when provisioning is disabled BUT existingSecret and existingSecretKey are missing
+    set:
+      actions:
+        enabled: true
+        provisioning:
+          enabled: false
+    asserts:
+      - failedTemplate:
+          errorMessage: "actions.existingSecret and actions.existingSecretKey are required when provisioning is disabled"
+  - it: fails when provisioning is disabled BUT existingSecretKey is missing
+    set:
+      actions:
+        enabled: true
+        provisioning:
+          enabled: false
+        existingSecret: "my-secret"
+    asserts:
+      - failedTemplate:
+          errorMessage: "actions.existingSecret and actions.existingSecretKey are required when provisioning is disabled"
+  - it: fails when provisioning is disabled BUT existingSecret is missing
+    set:
+      actions:
+        enabled: true
+        provisioning:
+          enabled: false
+        existingSecretKey: "my-secret-key"
+    asserts:
+      - failedTemplate:
+          errorMessage: "actions.existingSecret and actions.existingSecretKey are required when provisioning is disabled"

unittests/helm/act_runner/config-act-runner.yaml

@@ -0,0 +1,45 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/helm-unittest/helm-unittest/main/schema/helm-testsuite.json
+suite: actions template | config-act-runner
+release:
+  name: gitea-unittests
+  namespace: testing
+templates:
+  - templates/gitea/act_runner/config-act-runner.yaml
+tests:
+  - it: doesn't renders a ConfigMap by default
+    template: templates/gitea/act_runner/config-act-runner.yaml
+    asserts:
+      - hasDocuments:
+          count: 0
+  - it: renders a ConfigMap
+    template: templates/gitea/act_runner/config-act-runner.yaml
+    set:
+      actions:
+        enabled: true
+        statefulset:
+          actRunner:
+            config: |
+              log:
+                level: info
+              cache:
+                enabled: false
+              runner:
+                labels:
+                  - "ubuntu-latest"
+    asserts:
+      - hasDocuments:
+          count: 1
+      - containsDocument:
+          kind: ConfigMap
+          apiVersion: v1
+          name: gitea-unittests-act-runner-config
+      - equal:
+          path: data["config.yaml"]
+          value: |
+            log:
+              level: info
+            cache:
+              enabled: false
+            runner:
+              labels:
+                - "ubuntu-latest"

unittests/helm/act_runner/config-scripts.yaml

@@ -0,0 +1,49 @@
+suite: actions template | config-scripts
+release:
+  name: gitea-unittests
+  namespace: testing
+templates:
+  - templates/gitea/act_runner/config-scripts.yaml
+tests:
+  - it: renders a ConfigMap when all criteria are met
+    template: templates/gitea/act_runner/config-scripts.yaml
+    set:
+      actions:
+        enabled: true
+        provisioning:
+          enabled: true
+      persistence:
+        enabled: true
+        mount: true
+    asserts:
+      - hasDocuments:
+          count: 1
+      - containsDocument:
+          kind: ConfigMap
+          apiVersion: v1
+          name: gitea-unittests-scripts
+      - isNotNullOrEmpty:
+          path: data["token.sh"]
+  - it: doesn't renders a ConfigMap by default
+    template: templates/gitea/act_runner/config-scripts.yaml
+    asserts:
+      - hasDocuments:
+          count: 0
+  - it: doesn't renders a ConfigMap with disabled actions but enabled provisioning
+    template: templates/gitea/act_runner/config-scripts.yaml
+    asserts:
+      - hasDocuments:
+          count: 0
+  - it: doesn't renders a ConfigMap with disabled actions but otherwise met criteria
+    template: templates/gitea/act_runner/config-scripts.yaml
+    set:
+      actions:
+        enabled: false
+        provisioning:
+          enabled: true
+      persistence:
+        enabled: true
+        mount: true
+    asserts:
+      - hasDocuments:
+          count: 0

unittests/helm/act_runner/job.yaml

@@ -0,0 +1,65 @@
+suite: actions template | job
+release:
+  name: gitea-unittests
+  namespace: testing
+chart:
+  # Override appVersion to have a pinned version for comparison
+  appVersion: 1.19.3
+templates:
+  - templates/gitea/act_runner/job.yaml
+tests:
+  - it: renders a Job
+    template: templates/gitea/act_runner/job.yaml
+    set:
+      actions:
+        enabled: true
+        provisioning:
+          enabled: true
+      persistence:
+        enabled: true
+        mount: true
+    asserts:
+      - hasDocuments:
+          count: 1
+      - containsDocument:
+          kind: Job
+          apiVersion: batch/v1
+          name: gitea-unittests-actions-token-job
+      - equal:
+          path: spec.template.spec.containers[0].image
+          value: "docker.gitea.com/gitea:1.19.3-rootless"
+  - it: tag override
+    template: templates/gitea/act_runner/job.yaml
+    set:
+      image.tag: "1.19.4"
+      actions:
+        enabled: true
+        provisioning:
+          enabled: true
+          publish:
+            tag: "1.29.0"
+      persistence:
+        enabled: true
+        mount: true
+    asserts:
+      - equal:
+          path: spec.template.spec.containers[0].image
+          value: "docker.gitea.com/gitea:1.19.4-rootless"
+      - equal:
+          path: spec.template.spec.containers[1].image
+          value: "bitnami/kubectl:1.29.0"
+  - it: doesn't renders a Job by default
+    template: templates/gitea/act_runner/job.yaml
+    asserts:
+      - hasDocuments:
+          count: 0
+  - it: doesn't renders a Job when provisioning is enabled BUT actions are not enabled
+    template: templates/gitea/act_runner/job.yaml
+    set:
+      actions:
+        enabled: false
+        provisioning:
+          enabled: true
+    asserts:
+      - hasDocuments:
+          count: 0

unittests/helm/act_runner/role-job.yaml

@@ -0,0 +1,42 @@
+suite: actions template | role-job
+release:
+  name: gitea-unittests
+  namespace: testing
+templates:
+  - templates/gitea/act_runner/role-job.yaml
+tests:
+  - it: doesn't renders a Role by default
+    template: templates/gitea/act_runner/role-job.yaml
+    asserts:
+      - hasDocuments:
+          count: 0
+  - it: renders a Role
+    template: templates/gitea/act_runner/role-job.yaml
+    set:
+      actions:
+        enabled: true
+        provisioning:
+          enabled: true
+      persistence:
+        enabled: true
+        mount: true
+    asserts:
+      - hasDocuments:
+          count: 1
+      - containsDocument:
+          kind: Role
+          apiVersion: rbac.authorization.k8s.io/v1
+          name: gitea-unittests-actions-token-job
+  - it: doesn't renders a Role when criteria met BUT actions are not enabled
+    template: templates/gitea/act_runner/role-job.yaml
+    set:
+      actions:
+        enabled: false
+        provisioning:
+          enabled: true
+      persistence:
+        enabled: true
+        mount: true
+    asserts:
+      - hasDocuments:
+          count: 0

unittests/helm/act_runner/rolebinding-job.yaml

@@ -0,0 +1,42 @@
+suite: actions template | rolebinding-job
+release:
+  name: gitea-unittests
+  namespace: testing
+templates:
+  - templates/gitea/act_runner/rolebinding-job.yaml
+tests:
+  - it: doesn't renders a RoleBinding by default
+    template: templates/gitea/act_runner/rolebinding-job.yaml
+    asserts:
+      - hasDocuments:
+          count: 0
+  - it: renders a RoleBinding
+    template: templates/gitea/act_runner/rolebinding-job.yaml
+    set:
+      actions:
+        enabled: true
+        provisioning:
+          enabled: true
+      persistence:
+        enabled: true
+        mount: true
+    asserts:
+      - hasDocuments:
+          count: 1
+      - containsDocument:
+          kind: RoleBinding
+          apiVersion: rbac.authorization.k8s.io/v1
+          name: gitea-unittests-actions-token-job
+  - it: doesn't renders a RoleBinding when criteria met BUT actions are not enabled
+    template: templates/gitea/act_runner/rolebinding-job.yaml
+    set:
+      actions:
+        enabled: false
+        provisioning:
+          enabled: true
+      persistence:
+        enabled: true
+        mount: true
+    asserts:
+      - hasDocuments:
+          count: 0

unittests/helm/act_runner/secret-token.yaml

@@ -0,0 +1,42 @@
+suite: actions template | secret-token
+release:
+  name: gitea-unittests
+  namespace: testing
+templates:
+  - templates/gitea/act_runner/secret-token.yaml
+tests:
+  - it: doesn't renders a Secret by default
+    template: templates/gitea/act_runner/secret-token.yaml
+    asserts:
+      - hasDocuments:
+          count: 0
+  - it: renders a Secret
+    template: templates/gitea/act_runner/secret-token.yaml
+    set:
+      actions:
+        enabled: true
+        provisioning:
+          enabled: true
+      persistence:
+        enabled: true
+        mount: true
+    asserts:
+      - hasDocuments:
+          count: 1
+      - containsDocument:
+          kind: Secret
+          apiVersion: v1
+          name: gitea-unittests-actions-token
+  - it: doesn't renders a Secret when criteria met BUT actions are not enabled
+    template: templates/gitea/act_runner/secret-token.yaml
+    set:
+      actions:
+        enabled: false
+        provisioning:
+          enabled: true
+      persistence:
+        enabled: true
+        mount: true
+    asserts:
+      - hasDocuments:
+          count: 0

unittests/helm/act_runner/serviceaccount-job.yaml

@@ -0,0 +1,42 @@
+suite: actions template | serviceaccount-job
+release:
+  name: gitea-unittests
+  namespace: testing
+templates:
+  - templates/gitea/act_runner/serviceaccount-job.yaml
+tests:
+  - it: doesn't renders a ServiceAccount by default
+    template: templates/gitea/act_runner/serviceaccount-job.yaml
+    asserts:
+      - hasDocuments:
+          count: 0
+  - it: renders a ServiceAccount
+    template: templates/gitea/act_runner/serviceaccount-job.yaml
+    set:
+      actions:
+        enabled: true
+        provisioning:
+          enabled: true
+      persistence:
+        enabled: true
+        mount: true
+    asserts:
+      - hasDocuments:
+          count: 1
+      - containsDocument:
+          kind: ServiceAccount
+          apiVersion: v1
+          name: gitea-unittests-actions-token-job
+  - it: doesn't renders a ServiceAccount when criteria met BUT actions are not enabled
+    template: templates/gitea/act_runner/serviceaccount-job.yaml
+    set:
+      actions:
+        enabled: false
+        provisioning:
+          enabled: true
+      persistence:
+        enabled: true
+        mount: true
+    asserts:
+      - hasDocuments:
+          count: 0

unittests/helm/act_runner/statefulset.yaml

@@ -0,0 +1,182 @@
+suite: actions template | statefulset
+release:
+  name: gitea-unittests
+  namespace: testing
+templates:
+  - templates/gitea/act_runner/statefulset.yaml
+  - templates/gitea/act_runner/config-act-runner.yaml
+tests:
+  - it: doesn't renders a StatefulSet by default
+    template: templates/gitea/act_runner/statefulset.yaml
+    asserts:
+      - hasDocuments:
+          count: 0
+  - it: renders a StatefulSet (with given existingSecret/existingSecretKey)
+    template: templates/gitea/act_runner/statefulset.yaml
+    set:
+      actions:
+        enabled: true
+        existingSecret: "my-secret"
+        existingSecretKey: "my-secret-key"
+    asserts:
+      - hasDocuments:
+          count: 1
+      - containsDocument:
+          kind: StatefulSet
+          apiVersion: apps/v1
+          name: gitea-unittests-act-runner
+      - equal:
+          path: spec.template.spec.containers[0].env[3]
+          value:
+            name: GITEA_RUNNER_REGISTRATION_TOKEN
+            valueFrom:
+              secretKeyRef:
+                name: "my-secret"
+                key: "my-secret-key"
+  - it: renders a StatefulSet (with secret reference defaults for enabled provisioning)
+    template: templates/gitea/act_runner/statefulset.yaml
+    set:
+      actions:
+        enabled: true
+        provisioning:
+          enabled: true
+    asserts:
+      - hasDocuments:
+          count: 1
+      - containsDocument:
+          kind: StatefulSet
+          apiVersion: apps/v1
+          name: gitea-unittests-act-runner
+      - equal:
+          path: spec.template.spec.containers[0].env[3]
+          value:
+            name: GITEA_RUNNER_REGISTRATION_TOKEN
+            valueFrom:
+              secretKeyRef:
+                name: "gitea-unittests-actions-token"
+                key: "token"
+  - it: renders a StatefulSet (that tracks changes of the runner configuration as annotation)
+    template: templates/gitea/act_runner/statefulset.yaml
+    set:
+      image.tag: "1.22.3" # lock image tag to prevent test failures on future Gitea upgrades
+      actions:
+        enabled: true
+        existingSecret: "my-secret"
+        existingSecretKey: "my-secret-key"
+    asserts:
+      - hasDocuments:
+          count: 1
+      - containsDocument:
+          kind: StatefulSet
+          apiVersion: apps/v1
+          name: gitea-unittests-act-runner
+      - equal:
+          path: spec.template.metadata.annotations["checksum/config"]
+          value: "2a2200e80fc29111d18b675789c265cd3d5f917754850f946f1ce3c55dcd65f8"
+  - it: renders a StatefulSet (with correct GITEA_INSTANCE_URL env with default act-runner specific LOCAL_ROOT_URL)
+    template: templates/gitea/act_runner/statefulset.yaml
+    set:
+      actions:
+        enabled: true
+        existingSecret: "my-secret"
+        existingSecretKey: "my-secret-key"
+    asserts:
+      - hasDocuments:
+          count: 1
+      - containsDocument:
+          kind: StatefulSet
+          apiVersion: apps/v1
+          name: gitea-unittests-act-runner
+      - equal:
+          path: spec.template.spec.containers[0].env[4]
+          value:
+            name: GITEA_INSTANCE_URL
+            value: "http://gitea-unittests-http:3000"
+  - it: renders a StatefulSet (with correct GITEA_INSTANCE_URL env from customized LOCAL_ROOT_URL)
+    template: templates/gitea/act_runner/statefulset.yaml
+    set:
+      gitea.config.server.LOCAL_ROOT_URL: "http://git.example.com"
+      actions:
+        enabled: true
+        existingSecret: "my-secret"
+        existingSecretKey: "my-secret-key"
+    asserts:
+      - hasDocuments:
+          count: 1
+      - containsDocument:
+          kind: StatefulSet
+          apiVersion: apps/v1
+          name: gitea-unittests-act-runner
+      - equal:
+          path: spec.template.spec.containers[0].env[4]
+          value:
+            name: GITEA_INSTANCE_URL
+            value: "http://git.example.com"
+  - it: allows adding custom environment variables to the docker-in-docker container
+    template: templates/gitea/act_runner/statefulset.yaml
+    set:
+      actions:
+        enabled: true
+        statefulset:
+          dind:
+            extraEnvs:
+              - name: "CUSTOM_ENV_NAME"
+                value: "custom env value"
+    asserts:
+      - equal:
+          path: spec.template.spec.containers[1].env[3]
+          value:
+            name: "CUSTOM_ENV_NAME"
+            value: "custom env value"
+  - it: should mount an extra volume in the act runner container
+    template: templates/gitea/act_runner/statefulset.yaml
+    set:
+      actions:
+        enabled: true
+        statefulset:
+          extraVolumes:
+            - name: my-act-runner-volume
+              emptyDir: {}
+          actRunner:
+            extraVolumeMounts:
+              - mountPath: /mnt
+                name: my-act-runner-volume
+    asserts:
+      - hasDocuments:
+          count: 1
+      - containsDocument:
+          kind: StatefulSet
+          apiVersion: apps/v1
+          name: gitea-unittests-act-runner
+      - contains:
+          any: true
+          path: spec.template.spec.containers[0].volumeMounts
+          content:
+            mountPath: /mnt
+            name: my-act-runner-volume
+  - it: should mount an extra volume in the docker-in-docker container
+    template: templates/gitea/act_runner/statefulset.yaml
+    set:
+      actions:
+        enabled: true
+        statefulset:
+          extraVolumes:
+            - name: my-dind-volume
+              emptyDir: {}
+          dind:
+            extraVolumeMounts:
+              - mountPath: /mnt
+                name: my-dind-volume
+    asserts:
+      - hasDocuments:
+          count: 1
+      - containsDocument:
+          kind: StatefulSet
+          apiVersion: apps/v1
+          name: gitea-unittests-act-runner
+      - contains:
+          any: true
+          path: spec.template.spec.containers[1].volumeMounts
+          content:
+            mountPath: /mnt
+            name: my-dind-volume

unittests/helm/config/actions-config.yaml

@@ -0,0 +1,61 @@
+suite: config template | actions config
+release:
+  name: gitea-unittests
+  namespace: testing
+templates:
+  - templates/gitea/config.yaml
+tests:
+  - it: "actions are not enabled by default"
+    template: templates/gitea/config.yaml
+    asserts:
+      - documentIndex: 0
+        equal:
+          path: stringData.actions
+          value: |-
+            ENABLED=false
+
+  - it: "actions can be enabled via inline config"
+    template: templates/gitea/config.yaml
+    set:
+      gitea.config.actions.ENABLED: true
+    asserts:
+      - documentIndex: 0
+        equal:
+          path: stringData.actions
+          value: |-
+            ENABLED=true
+
+  - it: "actions can be enabled via dedicated values object"
+    template: templates/gitea/config.yaml
+    set:
+      actions:
+        enabled: true
+    asserts:
+      - documentIndex: 0
+        equal:
+          path: stringData.actions
+          value: |-
+            ENABLED=true
+
+  - it: "defines LOCAL_ROOT_URL when actions are enabled"
+    template: templates/gitea/config.yaml
+    set:
+      actions:
+        enabled: true
+    asserts:
+      - documentIndex: 0
+        matchRegex:
+          path: stringData.server
+          pattern: \nLOCAL_ROOT_URL=http://gitea-unittests-http:3000
+
+  - it: "respects custom LOCAL_ROOT_URL, even when actions are enabled"
+    template: templates/gitea/config.yaml
+    set:
+      actions:
+        enabled: true
+      gitea.config.server.LOCAL_ROOT_URL: "http://git.example.com"
+    asserts:
+      - documentIndex: 0
+        matchRegex:
+          path: stringData.server
+          pattern: \nLOCAL_ROOT_URL=http://git.example.com

unittests/helm/config/metrics-section_metrics-token.yaml

@@ -0,0 +1,58 @@
+suite: config template | metrics section (metrics token)
+release:
+  name: gitea-unittests
+  namespace: testing
+tests:
+  - it: metrics token is set
+    template: templates/gitea/config.yaml
+    set:
+      gitea:
+        metrics:
+          enabled: true
+          token: "somepassword"
+    asserts:
+      - documentIndex: 0
+        equal:
+          path: stringData.metrics
+          value: |-
+            ENABLED=true
+            TOKEN=somepassword
+  - it: metrics token is empty
+    template: templates/gitea/config.yaml
+    set:
+      gitea:
+        metrics:
+          enabled: true
+          token: ""
+    asserts:
+      - documentIndex: 0
+        equal:
+          path: stringData.metrics
+          value: |-
+            ENABLED=true
+  - it: metrics token is nil
+    template: templates/gitea/config.yaml
+    set:
+      gitea:
+        metrics:
+          enabled: true
+          token:
+    asserts:
+      - documentIndex: 0
+        equal:
+          path: stringData.metrics
+          value: |-
+            ENABLED=true
+  - it: does not configures a token if metrics are disabled
+    template: templates/gitea/config.yaml
+    set:
+      gitea:
+        metrics:
+          enabled: false
+          token: "somepassword"
+    asserts:
+      - documentIndex: 0
+        equal:
+          path: stringData.metrics
+          value: |-
+            ENABLED=false

unittests/helm/dependency-checks/customization-integrity-postgresql-ha.yaml

@@ -0,0 +1,121 @@
+suite: Dependency checks | Customization integrity | postgresql-ha
+release:
+  name: gitea-unittests
+  namespace: testing
+set:
+  postgresql:
+    enabled: false
+  postgresql-ha:
+    enabled: true
+    global:
+      postgresql:
+        database: gitea-database
+        password: gitea-password
+        username: gitea-username
+    postgresql:
+      repmgrPassword: custom-password-repmgr
+      postgresPassword: custom-password-postgres
+      password: custom-password-overwritten-by-global-postgresql-password
+    pgpool:
+      adminPassword: custom-password-pgpool
+    service:
+      ports:
+        postgresql: 1234
+    persistence:
+      size: 1337Mi
+tests:
+  - it: "[postgresql-ha] DB settings are applied as expected"
+    template: charts/postgresql-ha/templates/postgresql/statefulset.yaml
+    asserts:
+      - documentIndex: 0
+        contains:
+          path: spec.template.spec.containers[0].env
+          content:
+            name: POSTGRES_DB
+            value: "gitea-database"
+      - documentIndex: 0
+        contains:
+          path: spec.template.spec.containers[0].env
+          content:
+            name: POSTGRES_USER
+            value: "gitea-username"
+  - it: "[postgresql-ha] DB passwords are applied as expected"
+    template: charts/postgresql-ha/templates/postgresql/secrets.yaml
+    asserts:
+      - documentIndex: 0
+        equal:
+          path: data["repmgr-password"]
+          value: "Y3VzdG9tLXBhc3N3b3JkLXJlcG1ncg=="
+      - documentIndex: 0
+        equal:
+          path: data["postgres-password"]
+          value: "Y3VzdG9tLXBhc3N3b3JkLXBvc3RncmVz"
+      - documentIndex: 0
+        equal:
+          path: data["password"]
+          value: "Z2l0ZWEtcGFzc3dvcmQ=" # postgresql-ha.postgresql.password is overwritten by postgresql-ha.global.postgresql.password and should not be referenced here
+  - it: "[postgresql-ha] pgpool.adminPassword is applied as expected"
+    template: charts/postgresql-ha/templates/pgpool/secrets.yaml
+    asserts:
+      - documentIndex: 0
+        equal:
+          path: data["admin-password"]
+          value: "Y3VzdG9tLXBhc3N3b3JkLXBncG9vbA=="
+  - it: "[postgresql-ha] pgpool.adminPassword is applied as expected"
+    template: charts/postgresql-ha/templates/pgpool/secrets.yaml
+    asserts:
+      - documentIndex: 0
+        equal:
+          path: data["admin-password"]
+          value: "Y3VzdG9tLXBhc3N3b3JkLXBncG9vbA=="
+  - it: "[postgresql-ha] pgpool.adminPassword is applied as expected"
+    template: charts/postgresql-ha/templates/pgpool/secrets.yaml
+    asserts:
+      - documentIndex: 0
+        equal:
+          path: data["admin-password"]
+          value: "Y3VzdG9tLXBhc3N3b3JkLXBncG9vbA=="
+  - it: "[postgresql-ha] persistence.size is applied as expected"
+    template: charts/postgresql-ha/templates/postgresql/statefulset.yaml
+    asserts:
+      - documentIndex: 0
+        equal:
+          path: spec.volumeClaimTemplates[0].spec.resources.requests.storage
+          value: "1337Mi"
+  - it: "[postgresql-ha] service.ports.postgresql is applied as expected"
+    template: charts/postgresql-ha/templates/pgpool/service.yaml
+    asserts:
+      - documentIndex: 0
+        equal:
+          path: spec.ports[0].port
+          value: 1234
+  - it: "[postgresql-ha] renders the referenced service"
+    template: charts/postgresql-ha/templates/pgpool/service.yaml
+    asserts:
+      - containsDocument:
+          kind: Service
+          apiVersion: v1
+          name: gitea-unittests-postgresql-ha-pgpool
+          namespace: testing
+  - it: "[gitea] connects to pgpool service"
+    template: templates/gitea/config.yaml
+    asserts:
+      - documentIndex: 0
+        matchRegex:
+          path: stringData.database
+          pattern: HOST=gitea-unittests-postgresql-ha-pgpool.testing.svc.cluster.local:1234
+  - it: "[gitea] connects to configured database"
+    template: templates/gitea/config.yaml
+    asserts:
+      - documentIndex: 0
+        matchRegex:
+          path: stringData.database
+          pattern: NAME=gitea-database
+      - documentIndex: 0
+        matchRegex:
+          path: stringData.database
+          pattern: USER=gitea-username
+      - documentIndex: 0
+        matchRegex:
+          path: stringData.database
+          pattern: PASSWD=gitea-password

unittests/helm/dependency-checks/customization-integrity-postgresql.yaml

@@ -0,0 +1,88 @@
+suite: Dependency checks | Customization integrity | postgresql
+release:
+  name: gitea-unittests
+  namespace: testing
+set:
+  postgresql-ha:
+    enabled: false
+  postgresql:
+    enabled: true
+    global:
+      postgresql:
+        auth:
+          password: gitea-password
+          database: gitea-database
+          username: gitea-username
+        service:
+          ports:
+            postgresql: 1234
+    primary:
+      persistence:
+        size: 1337Mi
+tests:
+  - it: "[postgresql] DB settings are applied as expected"
+    template: charts/postgresql/templates/primary/statefulset.yaml
+    asserts:
+      - documentIndex: 0
+        contains:
+          path: spec.template.spec.containers[0].env
+          content:
+            name: POSTGRES_DATABASE
+            value: "gitea-database"
+      - documentIndex: 0
+        contains:
+          path: spec.template.spec.containers[0].env
+          content:
+            name: POSTGRES_USER
+            value: "gitea-username"
+  - it: "[postgresql] DB password is applied as expected"
+    template: charts/postgresql/templates/secrets.yaml
+    asserts:
+      - documentIndex: 0
+        equal:
+          path: data["password"]
+          value: "Z2l0ZWEtcGFzc3dvcmQ="
+  - it: "[postgresql] primary.persistence.size is applied as expected"
+    template: charts/postgresql/templates/primary/statefulset.yaml
+    asserts:
+      - documentIndex: 0
+        equal:
+          path: spec.volumeClaimTemplates[0].spec.resources.requests.storage
+          value: "1337Mi"
+  - it: "[postgresql] global.postgresql.service.ports.postgresql is applied as expected"
+    template: charts/postgresql/templates/primary/svc.yaml
+    asserts:
+      - documentIndex: 0
+        equal:
+          path: spec.ports[0].port
+          value: 1234
+  - it: "[postgresql] renders the referenced service"
+    template: charts/postgresql/templates/primary/svc.yaml
+    asserts:
+      - containsDocument:
+          kind: Service
+          apiVersion: v1
+          name: gitea-unittests-postgresql
+          namespace: testing
+  - it: "[gitea] connects to postgresql service"
+    template: templates/gitea/config.yaml
+    asserts:
+      - documentIndex: 0
+        matchRegex:
+          path: stringData.database
+          pattern: HOST=gitea-unittests-postgresql.testing.svc.cluster.local:1234
+  - it: "[gitea] connects to configured database"
+    template: templates/gitea/config.yaml
+    asserts:
+      - documentIndex: 0
+        matchRegex:
+          path: stringData.database
+          pattern: NAME=gitea-database
+      - documentIndex: 0
+        matchRegex:
+          path: stringData.database
+          pattern: USER=gitea-username
+      - documentIndex: 0
+        matchRegex:
+          path: stringData.database
+          pattern: PASSWD=gitea-password

unittests/helm/dependency-checks/customization-integrity-redis-cluster.yaml

@@ -0,0 +1,90 @@
+suite: Dependency checks | Customization integrity | redis-cluster
+release:
+  name: gitea-unittests
+  namespace: testing
+set:
+  redis:
+    enabled: false
+  redis-cluster:
+    enabled: true
+    usePassword: false
+    cluster:
+      nodes: 5
+      replicas: 2
+tests:
+  - it: "[redis-cluster] configures correct nodes/replicas"
+    template: charts/redis-cluster/templates/redis-statefulset.yaml
+    asserts:
+      - documentIndex: 0
+        equal:
+          path: spec.replicas
+          value: 5
+      - documentIndex: 0
+        matchRegex:
+          path: spec.template.spec.containers[0].args[0]
+          pattern: REDIS_CLUSTER_REPLICAS="2"
+  - it: "[redis-cluster] support auth-less connections"
+    asserts:
+      - template: charts/redis-cluster/templates/secret.yaml
+        hasDocuments:
+          count: 0
+      - template: charts/redis-cluster/templates/redis-statefulset.yaml
+        documentIndex: 0
+        contains:
+          path: spec.template.spec.containers[0].env
+          content:
+            name: ALLOW_EMPTY_PASSWORD
+            value: "yes"
+  - it: "[redis-cluster] support auth-full connections"
+    set:
+      redis-cluster:
+        usePassword: true
+    asserts:
+      - template: charts/redis-cluster/templates/secret.yaml
+        containsDocument:
+          kind: Secret
+          apiVersion: v1
+          name: gitea-unittests-redis-cluster
+          namespace: testing
+      - template: charts/redis-cluster/templates/redis-statefulset.yaml
+        documentIndex: 0
+        contains:
+          path: spec.template.spec.containers[0].env
+          content:
+            name: REDISCLI_AUTH
+            valueFrom:
+              secretKeyRef:
+                name: gitea-unittests-redis-cluster
+                key: redis-password
+      - template: charts/redis-cluster/templates/redis-statefulset.yaml
+        documentIndex: 0
+        contains:
+          path: spec.template.spec.containers[0].env
+          content:
+            name: REDIS_PASSWORD
+            valueFrom:
+              secretKeyRef:
+                name: gitea-unittests-redis-cluster
+                key: redis-password
+  - it: "[redis-cluster] renders the referenced service"
+    template: charts/redis-cluster/templates/headless-svc.yaml
+    asserts:
+      - containsDocument:
+          kind: Service
+          apiVersion: v1
+          name: gitea-unittests-redis-cluster-headless
+          namespace: testing
+      - documentIndex: 0
+        contains:
+          path: spec.ports
+          content:
+            name: tcp-redis
+            port: 6379
+            targetPort: tcp-redis
+  - it: "[gitea] waits for redis-cluster to be up and running"
+    template: templates/gitea/init.yaml
+    asserts:
+      - documentIndex: 0
+        matchRegex:
+          path: stringData["configure_gitea.sh"]
+          pattern: nc -vz -w2 gitea-unittests-redis-cluster-headless.testing.svc.cluster.local 6379

unittests/helm/dependency-checks/customization-integrity-redis.yaml

@@ -0,0 +1,52 @@
+suite: Dependency checks | Customization integrity | redis
+release:
+  name: gitea-unittests
+  namespace: testing
+set:
+  redis-cluster:
+    enabled: false
+  redis:
+    enabled: true
+    architecture: standalone
+    global:
+      redis:
+        password: gitea-password
+    master:
+      count: 2
+tests:
+  - it: "[redis] configures correct 'master' nodes"
+    template: charts/redis/templates/master/application.yaml
+    asserts:
+      - documentIndex: 0
+        equal:
+          path: spec.replicas
+          value: 2
+  - it: "[redis] redis.global.redis.password is applied as expected"
+    template: charts/redis/templates/secret.yaml
+    asserts:
+      - documentIndex: 0
+        equal:
+          path: data["redis-password"]
+          value: "Z2l0ZWEtcGFzc3dvcmQ="
+  - it: "[redis] renders the referenced service"
+    template: charts/redis/templates/headless-svc.yaml
+    asserts:
+      - containsDocument:
+          kind: Service
+          apiVersion: v1
+          name: gitea-unittests-redis-headless
+          namespace: testing
+      - documentIndex: 0
+        contains:
+          path: spec.ports
+          content:
+            name: tcp-redis
+            port: 6379
+            targetPort: redis
+  - it: "[gitea] waits for redis to be up and running"
+    template: templates/gitea/init.yaml
+    asserts:
+      - documentIndex: 0
+        matchRegex:
+          path: stringData["configure_gitea.sh"]
+          pattern: nc -vz -w2 gitea-unittests-redis-headless.testing.svc.cluster.local 6379

unittests/helm/dependency-checks/major-image-bump.yaml

@@ -1,4 +1,4 @@
-suite: Dependency update consistency
+suite: Dependency checks | Major image bumps
 release:
   name: gitea-unittests
   namespace: testing
@@ -15,7 +15,7 @@ tests:
         matchRegex:
           path: spec.template.spec.containers[0].image
           # IN CASE OF AN INTENTIONAL MAJOR BUMP, ADJUST THIS TEST
-          pattern: bitnami/postgresql-repmgr:16.+$
+          pattern: bitnami/postgresql-repmgr:17.+$
   - it: "[postgresql] ensures we detect major image version upgrades"
     template: charts/postgresql/templates/primary/statefulset.yaml
     set:
@@ -28,7 +28,7 @@ tests:
         matchRegex:
           path: spec.template.spec.containers[0].image
           # IN CASE OF AN INTENTIONAL MAJOR BUMP, ADJUST THIS TEST
-          pattern: bitnami/postgresql:16.+$
+          pattern: bitnami/postgresql:17.+$
   - it: "[redis-cluster] ensures we detect major image version upgrades"
     template: charts/redis-cluster/templates/redis-statefulset.yaml
     set:

unittests/helm/deployment/basic.yaml

@@ -0,0 +1,75 @@
+suite: deployment template (basic)
+release:
+  name: gitea-unittests
+  namespace: testing
+templates:
+  - templates/gitea/deployment.yaml
+  - templates/gitea/config.yaml
+tests:
+  - it: renders a deployment
+    template: templates/gitea/deployment.yaml
+    asserts:
+      - hasDocuments:
+          count: 1
+      - containsDocument:
+          kind: Deployment
+          apiVersion: apps/v1
+          name: gitea-unittests
+  - it: deployment labels are set
+    template: templates/gitea/deployment.yaml
+    set:
+      deployment.labels:
+        hello: world
+    asserts:
+      - isSubset:
+          path: metadata.labels
+          content:
+            hello: world
+      - isSubset:
+          path: spec.template.metadata.labels
+          content:
+            hello: world
+  - it: "injects TMP_EXISTING_ENVS_FILE as environment variable to 'init-app-ini' init container"
+    template: templates/gitea/deployment.yaml
+    asserts:
+      - contains:
+          path: spec.template.spec.initContainers[1].env
+          content:
+            name: TMP_EXISTING_ENVS_FILE
+            value: /tmp/existing-envs
+  - it: "injects ENV_TO_INI_MOUNT_POINT as environment variable to 'init-app-ini' init container"
+    template: templates/gitea/deployment.yaml
+    asserts:
+      - contains:
+          path: spec.template.spec.initContainers[1].env
+          content:
+            name: ENV_TO_INI_MOUNT_POINT
+            value: /env-to-ini-mounts
+  - it: CPU resources are defined as well as GOMAXPROCS
+    template: templates/gitea/deployment.yaml
+    set:
+      resources:
+        limits:
+          cpu: 200ms
+          memory: 200Mi
+        requests:
+          cpu: 100ms
+          memory: 100Mi
+    asserts:
+      - contains:
+          path: spec.template.spec.containers[0].env
+          content:
+            name: GOMAXPROCS
+            valueFrom:
+              resourceFieldRef:
+                divisor: "1"
+                resource: limits.cpu
+      - equal:
+          path: spec.template.spec.containers[0].resources
+          value:
+            limits:
+              cpu: 200ms
+              memory: 200Mi
+            requests:
+              cpu: 100ms
+              memory: 100Mi

unittests/helm/deployment/image-configuration.yaml

@@ -14,7 +14,7 @@ tests:
     asserts:
       - equal:
           path: spec.template.spec.containers[0].image
-          value: "gitea/gitea:1.19.3-rootless"
+          value: "docker.gitea.com/gitea:1.19.3-rootless"
   - it: tag override
     template: templates/gitea/deployment.yaml
     set:
@@ -22,7 +22,7 @@ tests:
     asserts:
       - equal:
           path: spec.template.spec.containers[0].image
-          value: "gitea/gitea:1.19.4-rootless"
+          value: "docker.gitea.com/gitea:1.19.4-rootless"
   - it: root-based image
     template: templates/gitea/deployment.yaml
     set:
@@ -30,7 +30,7 @@ tests:
     asserts:
       - equal:
           path: spec.template.spec.containers[0].image
-          value: "gitea/gitea:1.19.3"
+          value: "docker.gitea.com/gitea:1.19.3"
   - it: scoped registry
     template: templates/gitea/deployment.yaml
     set:
@@ -38,7 +38,7 @@ tests:
     asserts:
       - equal:
           path: spec.template.spec.containers[0].image
-          value: "example.com/gitea/gitea:1.19.3-rootless"
+          value: "example.com/gitea:1.19.3-rootless"
   - it: global registry
     template: templates/gitea/deployment.yaml
     set:
@@ -46,7 +46,7 @@ tests:
     asserts:
       - equal:
           path: spec.template.spec.containers[0].image
-          value: "global.example.com/gitea/gitea:1.19.3-rootless"
+          value: "global.example.com/gitea:1.19.3-rootless"
   - it: digest for rootless image
     template: templates/gitea/deployment.yaml
     set:
@@ -56,12 +56,12 @@ tests:
     asserts:
       - equal:
           path: spec.template.spec.containers[0].image
-          value: "gitea/gitea:1.19.3-rootless@sha256:b28e8f3089b52ebe6693295df142f8c12eff354e9a4a5bfbb5c10f296c3a537a"
+          value: "docker.gitea.com/gitea:1.19.3-rootless@sha256:b28e8f3089b52ebe6693295df142f8c12eff354e9a4a5bfbb5c10f296c3a537a"
   - it: image fullOverride (does not append rootless)
     template: templates/gitea/deployment.yaml
     set:
       image:
-        fullOverride: gitea/gitea:1.19.3
+        fullOverride: docker.gitea.com/gitea:1.19.3
         # setting rootless, registry, repository, tag, and digest to prove that override works
         rootless: true
         registry: example.com
@@ -71,7 +71,7 @@ tests:
     asserts:
       - equal:
           path: spec.template.spec.containers[0].image
-          value: "gitea/gitea:1.19.3"
+          value: "docker.gitea.com/gitea:1.19.3"
   - it: digest for root-based image
     template: templates/gitea/deployment.yaml
     set:
@@ -81,7 +81,7 @@ tests:
     asserts:
       - equal:
           path: spec.template.spec.containers[0].image
-          value: "gitea/gitea:1.19.3@sha256:b28e8f3089b52ebe6693295df142f8c12eff354e9a4a5bfbb5c10f296c3a537a"
+          value: "docker.gitea.com/gitea:1.19.3@sha256:b28e8f3089b52ebe6693295df142f8c12eff354e9a4a5bfbb5c10f296c3a537a"
   - it: digest and global registry
     template: templates/gitea/deployment.yaml
     set:
@@ -90,7 +90,7 @@ tests:
     asserts:
       - equal:
           path: spec.template.spec.containers[0].image
-          value: "global.example.com/gitea/gitea:1.19.3-rootless@sha256:b28e8f3089b52ebe6693295df142f8c12eff354e9a4a5bfbb5c10f296c3a537a"
+          value: "global.example.com/gitea:1.19.3-rootless@sha256:b28e8f3089b52ebe6693295df142f8c12eff354e9a4a5bfbb5c10f296c3a537a"
   - it: correctly renders floating tag references
     template: templates/gitea/deployment.yaml
     set:
@@ -98,13 +98,13 @@ tests:
     asserts:
       - equal:
           path: spec.template.spec.initContainers[0].image
-          value: "gitea/gitea:1.21-rootless"
+          value: "docker.gitea.com/gitea:1.21-rootless"
       - equal:
           path: spec.template.spec.initContainers[1].image
-          value: "gitea/gitea:1.21-rootless"
+          value: "docker.gitea.com/gitea:1.21-rootless"
       - equal:
           path: spec.template.spec.initContainers[2].image
-          value: "gitea/gitea:1.21-rootless"
+          value: "docker.gitea.com/gitea:1.21-rootless"
       - equal:
           path: spec.template.spec.containers[0].image
-          value: "gitea/gitea:1.21-rootless"
+          value: "docker.gitea.com/gitea:1.21-rootless"

unittests/helm/deployment/probes.yaml

@@ -0,0 +1,188 @@
+suite: deployment template (probes)
+release:
+  name: gitea-unittests
+  namespace: testing
+templates:
+  - templates/gitea/deployment.yaml
+  - templates/gitea/config.yaml
+tests:
+  - it: renders default liveness probe
+    template: templates/gitea/deployment.yaml
+    asserts:
+      - notExists:
+          path: spec.template.spec.containers[0].livenessProbe.enabled
+      - isSubset:
+          path: spec.template.spec.containers[0].livenessProbe
+          content:
+            failureThreshold: 10
+            initialDelaySeconds: 200
+            periodSeconds: 10
+            successThreshold: 1
+            tcpSocket:
+              port: http
+            timeoutSeconds: 1
+  - it: renders default readiness probe
+    template: templates/gitea/deployment.yaml
+    asserts:
+      - notExists:
+          path: spec.template.spec.containers[0].readinessProbe.enabled
+      - isSubset:
+          path: spec.template.spec.containers[0].readinessProbe
+          content:
+            failureThreshold: 3
+            initialDelaySeconds: 5
+            periodSeconds: 10
+            successThreshold: 1
+            tcpSocket:
+              port: http
+            timeoutSeconds: 1
+  - it: does not render a default startup probe
+    template: templates/gitea/deployment.yaml
+    asserts:
+      - notExists:
+          path: spec.template.spec.containers[0].startupProbe
+  - it: allows enabling a startup probe
+    template: templates/gitea/deployment.yaml
+    set:
+      gitea.startupProbe.enabled: true
+    asserts:
+      - notExists:
+          path: spec.template.spec.containers[0].startupProbe.enabled
+      - isSubset:
+          path: spec.template.spec.containers[0].startupProbe
+          content:
+            failureThreshold: 10
+            initialDelaySeconds: 60
+            periodSeconds: 10
+            successThreshold: 1
+            tcpSocket:
+              port: http
+            timeoutSeconds: 1
+
+  - it: allows overwriting the default port of the liveness probe
+    template: templates/gitea/deployment.yaml
+    set:
+      gitea:
+        livenessProbe:
+          tcpSocket:
+            port: my-port
+    asserts:
+      - isSubset:
+          path: spec.template.spec.containers[0].livenessProbe
+          content:
+            tcpSocket:
+              port: my-port
+
+  - it: allows overwriting the default port of the readiness probe
+    template: templates/gitea/deployment.yaml
+    set:
+      gitea:
+        readinessProbe:
+          tcpSocket:
+            port: my-port
+    asserts:
+      - isSubset:
+          path: spec.template.spec.containers[0].readinessProbe
+          content:
+            tcpSocket:
+              port: my-port
+
+  - it: allows overwriting the default port of the startup probe
+    template: templates/gitea/deployment.yaml
+    set:
+      gitea:
+        startupProbe:
+          enabled: true
+          tcpSocket:
+            port: my-port
+    asserts:
+      - isSubset:
+          path: spec.template.spec.containers[0].startupProbe
+          content:
+            tcpSocket:
+              port: my-port
+
+  - it: allows using a non-default method as liveness probe
+    template: templates/gitea/deployment.yaml
+    set:
+      gitea:
+        livenessProbe:
+          httpGet:
+            path: /api/healthz
+            port: http
+          initialDelaySeconds: 13371
+          timeoutSeconds: 13372
+          periodSeconds: 13373
+          successThreshold: 13374
+          failureThreshold: 13375
+    asserts:
+      - notExists:
+          path: spec.template.spec.containers[0].livenessProbe.tcpSocket
+      - isSubset:
+          path: spec.template.spec.containers[0].livenessProbe
+          content:
+            failureThreshold: 13375
+            initialDelaySeconds: 13371
+            periodSeconds: 13373
+            successThreshold: 13374
+            httpGet:
+              path: /api/healthz
+              port: http
+            timeoutSeconds: 13372
+
+  - it: allows using a non-default method as readiness probe
+    template: templates/gitea/deployment.yaml
+    set:
+      gitea:
+        readinessProbe:
+          httpGet:
+            path: /api/healthz
+            port: http
+          initialDelaySeconds: 13371
+          timeoutSeconds: 13372
+          periodSeconds: 13373
+          successThreshold: 13374
+          failureThreshold: 13375
+    asserts:
+      - notExists:
+          path: spec.template.spec.containers[0].readinessProbe.tcpSocket
+      - isSubset:
+          path: spec.template.spec.containers[0].readinessProbe
+          content:
+            failureThreshold: 13375
+            initialDelaySeconds: 13371
+            periodSeconds: 13373
+            successThreshold: 13374
+            httpGet:
+              path: /api/healthz
+              port: http
+            timeoutSeconds: 13372
+
+  - it: allows using a non-default method as startup probe
+    template: templates/gitea/deployment.yaml
+    set:
+      gitea:
+        startupProbe:
+          enabled: true
+          httpGet:
+            path: /api/healthz
+            port: http
+          initialDelaySeconds: 13371
+          timeoutSeconds: 13372
+          periodSeconds: 13373
+          successThreshold: 13374
+          failureThreshold: 13375
+    asserts:
+      - notExists:
+          path: spec.template.spec.containers[0].startupProbe.tcpSocket
+      - isSubset:
+          path: spec.template.spec.containers[0].startupProbe
+          content:
+            failureThreshold: 13375
+            initialDelaySeconds: 13371
+            periodSeconds: 13373
+            successThreshold: 13374
+            httpGet:
+              path: /api/healthz
+              port: http
+            timeoutSeconds: 13372

unittests/helm/deployment/sidecar-container.yaml

@@ -0,0 +1,21 @@
+suite: sidecar container
+release:
+  name: gitea-unittests
+  namespace: testing
+templates:
+  - templates/gitea/deployment.yaml
+  - templates/gitea/config.yaml
+tests:
+  - it: supports adding a sidecar container
+    template: templates/gitea/deployment.yaml
+    set:
+      extraContainers:
+        - name: sidecar-bob
+          image: busybox
+    asserts:
+      - equal:
+          path: spec.template.spec.containers[1].name
+          value: "sidecar-bob"
+      - equal:
+          path: spec.template.spec.containers[1].image
+          value: "busybox"

unittests/helm/deployment/signing-enabled.yaml

@@ -28,6 +28,8 @@ tests:
           value:
             - name: GNUPGHOME
               value: /data/git/.gnupg
+            - name: TMP_RAW_GPG_KEY
+              value: /raw/private.asc
       - equal:
           path: spec.template.spec.initContainers[2].volumeMounts
           value:

unittests/helm/deployment/ssh-configuration.yaml

@@ -30,7 +30,7 @@ tests:
   - it: supports overriding SSH log level (even when image.fullOverride set)
     template: templates/gitea/deployment.yaml
     set:
-      image.fullOverride: gitea/gitea:1.19.3
+      image.fullOverride: docker.gitea.com/gitea:1.19.3
       image.rootless: false
       gitea.ssh.logLevel: "DEBUG"
     asserts:
@@ -53,7 +53,7 @@ tests:
   - it: skips SSH_LOG_LEVEL for rootless image (even when image.fullOverride set)
     template: templates/gitea/deployment.yaml
     set:
-      image.fullOverride: gitea/gitea:1.19.3
+      image.fullOverride: docker.gitea.com/gitea:1.19.3
       image.rootless: true
       gitea.ssh.logLevel: "DEBUG" # explicitly defining a non-standard level here
     asserts:

unittests/helm/deployment/svc-configuration.yaml

@@ -0,0 +1,118 @@
+suite: ssh-svc / http-svc template (Services configuration)
+release:
+  name: gitea-unittests
+  namespace: testing
+templates:
+  - templates/gitea/ssh-svc.yaml
+  - templates/gitea/http-svc.yaml
+tests:
+  - it: supports adding custom labels to ssh-svc
+    template: templates/gitea/ssh-svc.yaml
+    set:
+      service:
+        ssh:
+          labels:
+            gitea/testkey: testvalue
+    asserts:
+      - equal:
+          path: metadata.labels["gitea/testkey"]
+          value: "testvalue"
+
+  - it: keeps existing labels (ssh)
+    template: templates/gitea/ssh-svc.yaml
+    set:
+      service:
+        ssh:
+          labels: {}
+    asserts:
+      - exists:
+          path: metadata.labels["app"]
+
+  - it: supports adding custom labels to http-svc
+    template: templates/gitea/http-svc.yaml
+    set:
+      service:
+        http:
+          labels:
+            gitea/testkey: testvalue
+    asserts:
+      - equal:
+          path: metadata.labels["gitea/testkey"]
+          value: "testvalue"
+
+  - it: keeps existing labels (http)
+    template: templates/gitea/http-svc.yaml
+    set:
+      service:
+        http:
+          labels: {}
+    asserts:
+      - exists:
+          path: metadata.labels["app"]
+
+  - it: render service.ssh.loadBalancerClass if set and type is LoadBalancer
+    template: templates/gitea/ssh-svc.yaml
+    set:
+      service:
+        ssh:
+          loadBalancerClass: "example.com/class"
+          type: LoadBalancer
+          loadBalancerIP: "1.2.3.4"
+          loadBalancerSourceRanges:
+            - "1.2.3.4/32"
+            - "5.6.7.8/32"
+    asserts:
+      - equal:
+          path: spec.loadBalancerClass
+          value: "example.com/class"
+      - equal:
+          path: spec.loadBalancerIP
+          value: "1.2.3.4"
+      - equal:
+          path: spec.loadBalancerSourceRanges
+          value: ["1.2.3.4/32", "5.6.7.8/32"]
+
+  - it: does not render when loadbalancer properties are set but type is not loadBalancerClass
+    template: templates/gitea/http-svc.yaml
+    set:
+      service:
+        http:
+          type: ClusterIP
+          loadBalancerClass: "example.com/class"
+          loadBalancerIP: "1.2.3.4"
+          loadBalancerSourceRanges:
+            - "1.2.3.4/32"
+            - "5.6.7.8/32"
+    asserts:
+      - notExists:
+          path: spec.loadBalancerClass
+      - notExists:
+          path: spec.loadBalancerIP
+      - notExists:
+          path: spec.loadBalancerSourceRanges
+
+  - it: does not render loadBalancerClass by default even when type is LoadBalancer
+    template: templates/gitea/http-svc.yaml
+    set:
+      service:
+        http:
+          type: LoadBalancer
+          loadBalancerIP: "1.2.3.4"
+    asserts:
+      - notExists:
+          path: spec.loadBalancerClass
+      - equal:
+          path: spec.loadBalancerIP
+          value: "1.2.3.4"
+
+  - it: both ssh and http services exist
+    templates:
+      - templates/gitea/ssh-svc.yaml
+      - templates/gitea/http-svc.yaml
+    asserts:
+      - matchRegex:
+          path: metadata.name
+          pattern: "^gitea-unittests-(?:ssh|http)$"
+      - matchRegex:
+          path: spec.ports[0].name
+          pattern: "^(?:ssh|http)$"

unittests/helm/init/init_directory_structure.sh-rootless.yaml

@@ -15,11 +15,11 @@ tests:
     asserts:
       - equal:
           path: stringData["configure_gpg_environment.sh"]
-          value: |-
+          value: |
             #!/usr/bin/env bash
             set -eu
 
-            gpg --batch --import /raw/private.asc
+            gpg --batch --import "$TMP_RAW_GPG_KEY"
   - it: skips gpg script block for disabled signing
     asserts:
       - equal:
@@ -28,15 +28,13 @@ tests:
             #!/usr/bin/env bash
 
             set -euo pipefail
-
-            set -x
-            mkdir -p /data/git/.ssh
-            chmod -R 700 /data/git/.ssh
-            [ ! -d /data/gitea/conf ] && mkdir -p /data/gitea/conf
+            mkdir -pv /data/git/.ssh
+            chmod -Rv 700 /data/git/.ssh
+            [ ! -d /data/gitea/conf ] && mkdir -pv /data/gitea/conf
 
             # prepare temp directory structure
-            mkdir -p "${GITEA_TEMP}"
-            chmod ug+rwx "${GITEA_TEMP}"
+            mkdir -pv "${GITEA_TEMP}"
+            chmod -v ug+rwx "${GITEA_TEMP}"
   - it: adds gpg script block for enabled signing
     set:
       signing.enabled: true
@@ -51,25 +49,23 @@ tests:
             #!/usr/bin/env bash
 
             set -euo pipefail
-
-            set -x
-            mkdir -p /data/git/.ssh
-            chmod -R 700 /data/git/.ssh
-            [ ! -d /data/gitea/conf ] && mkdir -p /data/gitea/conf
+            mkdir -pv /data/git/.ssh
+            chmod -Rv 700 /data/git/.ssh
+            [ ! -d /data/gitea/conf ] && mkdir -pv /data/gitea/conf
 
             # prepare temp directory structure
-            mkdir -p "${GITEA_TEMP}"
-            chmod ug+rwx "${GITEA_TEMP}"
+            mkdir -pv "${GITEA_TEMP}"
+            chmod -v ug+rwx "${GITEA_TEMP}"
 
             if [ ! -d "${GNUPGHOME}" ]; then
-              mkdir -p "${GNUPGHOME}"
-              chmod 700 "${GNUPGHOME}"
-              chown 1000:1000 "${GNUPGHOME}"
+              mkdir -pv "${GNUPGHOME}"
+              chmod -v 700 "${GNUPGHOME}"
+              chown -v 1000:1000 "${GNUPGHOME}"
             fi
   - it: it does not chown /data even when image.fullOverride is set
     template: templates/gitea/init.yaml
     set:
-      image.fullOverride: gitea/gitea:1.20.5
+      image.fullOverride: docker.gitea.com/gitea:1.20.5
     asserts:
       - equal:
           path: stringData["init_directory_structure.sh"]
@@ -77,12 +73,10 @@ tests:
             #!/usr/bin/env bash
 
             set -euo pipefail
-
-            set -x
-            mkdir -p /data/git/.ssh
-            chmod -R 700 /data/git/.ssh
-            [ ! -d /data/gitea/conf ] && mkdir -p /data/gitea/conf
+            mkdir -pv /data/git/.ssh
+            chmod -Rv 700 /data/git/.ssh
+            [ ! -d /data/gitea/conf ] && mkdir -pv /data/gitea/conf
 
             # prepare temp directory structure
-            mkdir -p "${GITEA_TEMP}"
-            chmod ug+rwx "${GITEA_TEMP}"
+            mkdir -pv "${GITEA_TEMP}"
+            chmod -v ug+rwx "${GITEA_TEMP}"

unittests/helm/init/init_directory_structure.sh.yaml

@@ -16,11 +16,11 @@ tests:
     asserts:
       - equal:
           path: stringData["configure_gpg_environment.sh"]
-          value: |-
+          value: |
             #!/usr/bin/env bash
             set -eu
 
-            gpg --batch --import /raw/private.asc
+            gpg --batch --import "$TMP_RAW_GPG_KEY"
   - it: skips gpg script block for disabled signing
     set:
       image.rootless: false
@@ -31,17 +31,15 @@ tests:
             #!/usr/bin/env bash
 
             set -euo pipefail
-
-            set -x
-            chown 1000:1000 /data
-            mkdir -p /data/git/.ssh
-            chmod -R 700 /data/git/.ssh
-            [ ! -d /data/gitea/conf ] && mkdir -p /data/gitea/conf
+            chown -v 1000:1000 /data
+            mkdir -pv /data/git/.ssh
+            chmod -Rv 700 /data/git/.ssh
+            [ ! -d /data/gitea/conf ] && mkdir -pv /data/gitea/conf
 
             # prepare temp directory structure
-            mkdir -p "${GITEA_TEMP}"
-            chown 1000:1000 "${GITEA_TEMP}"
-            chmod ug+rwx "${GITEA_TEMP}"
+            mkdir -pv "${GITEA_TEMP}"
+            chown -v 1000:1000 "${GITEA_TEMP}"
+            chmod -v ug+rwx "${GITEA_TEMP}"
   - it: adds gpg script block for enabled signing
     set:
       image.rootless: false
@@ -57,20 +55,18 @@ tests:
             #!/usr/bin/env bash
 
             set -euo pipefail
-
-            set -x
-            chown 1000:1000 /data
-            mkdir -p /data/git/.ssh
-            chmod -R 700 /data/git/.ssh
-            [ ! -d /data/gitea/conf ] && mkdir -p /data/gitea/conf
+            chown -v 1000:1000 /data
+            mkdir -pv /data/git/.ssh
+            chmod -Rv 700 /data/git/.ssh
+            [ ! -d /data/gitea/conf ] && mkdir -pv /data/gitea/conf
 
             # prepare temp directory structure
-            mkdir -p "${GITEA_TEMP}"
-            chown 1000:1000 "${GITEA_TEMP}"
-            chmod ug+rwx "${GITEA_TEMP}"
+            mkdir -pv "${GITEA_TEMP}"
+            chown -v 1000:1000 "${GITEA_TEMP}"
+            chmod -v ug+rwx "${GITEA_TEMP}"
 
             if [ ! -d "${GNUPGHOME}" ]; then
-              mkdir -p "${GNUPGHOME}"
-              chmod 700 "${GNUPGHOME}"
-              chown 1000:1000 "${GNUPGHOME}"
+              mkdir -pv "${GNUPGHOME}"
+              chmod -v 700 "${GNUPGHOME}"
+              chown -v 1000:1000 "${GNUPGHOME}"
             fi

unittests/helm/metric-secret/metrics-secret-servicemonitor-disabled.yaml

@@ -0,0 +1,23 @@
+suite: Metrics secret template (monitoring disabled)
+release:
+  name: gitea-unittests
+  namespace: testing
+templates:
+  - templates/gitea/metrics-secret.yaml
+tests:
+  - it: renders nothing if monitoring disabled and gitea.metrics.token empty
+    set:
+      gitea.metrics.enabled: false
+      gitea.metrics.serviceMonitor.enabled: false
+      gitea.metrics.token: ""
+    asserts:
+      - hasDocuments:
+          count: 0
+  - it: renders nothing if monitoring disabled and gitea.metrics.token not empty
+    set:
+      gitea.metrics.enabled: false
+      gitea.metrics.serviceMonitor.enabled: false
+      gitea.metrics.token: "test-token"
+    asserts:
+      - hasDocuments:
+          count: 0

unittests/helm/metric-secret/metrics-secret-servicemonitor-enabled.yaml

@@ -0,0 +1,33 @@
+suite: Metrics secret template (monitoring enabled)
+release:
+  name: gitea-unittests
+  namespace: testing
+templates:
+  - templates/gitea/metrics-secret.yaml
+tests:
+  - it: renders nothing if monitoring enabled and gitea.metrics.token empty
+    set:
+      gitea.metrics.enabled: true
+      gitea.metrics.serviceMonitor.enabled: true
+      gitea.metrics.token: ""
+    asserts:
+      - hasDocuments:
+          count: 0
+  - it: renders Secret if monitoring enabled and gitea.metrics.token not empty
+    set:
+      gitea.metrics.enabled: true
+      gitea.metrics.serviceMonitor.enabled: true
+      gitea.metrics.token: "test-token"
+    asserts:
+      - hasDocuments:
+          count: 1
+      - documentIndex: 0
+        containsDocument:
+          kind: Secret
+          apiVersion: v1
+          name: gitea-unittests-metrics-secret
+      - isNotNullOrEmpty:
+          path: metadata.labels
+      - equal:
+          path: data.token
+          value: "dGVzdC10b2tlbg=="