WIP

The following PR add the annotation 'artifacthub.io/changes'. For each semantic
commit will be the annotation extended. Further information can be found in the
documentation of
[Artifacthub.io](https://artifacthub.io/docs/topics/annotations/helm/#supported-annotations).

The CI has been adapted. The binary jq as well as yq in >= v4.0 is required.
Otherwise will not be concatenated the YAML file correctly via the yq expression,
because the `loadstr()` expression is not available in lower versions.

Additionally the relation between the semantic commit and the Artifacthub.io
change log type should be clarified. The current relationshiop can be adapted if
needed.

Furthermore, yq will be installed as part of the CI steps. It would be great if
yq is also available as deb package in >=v4.0. This would reduce the boiler
plate to install yq and maintain the version via renovate.

Regarding the renovate expression. In my environment works this expression, but
I don't know if it also works in this gitea/renovate instance.

.commitlintrc.json

@@ -0,0 +1,7 @@
+{
+  "extends": ["@commitlint/config-conventional"],
+  "rules": {
+    "type-enum": [2, "always", ["feat", "fix", "chore", "docs", "style", "refactor", "test", "perf", "ci", "WIP"]],
+    "type-case": [0, "always", "lower-case"]
+  }
+}

.gitea/PULL_REQUEST_TEMPLATE.md

@@ -23,7 +23,7 @@
 ### Applicable issues
 
 <!-- Enter any applicable Issues here (You can reference an issue using #). Please remove this section if there is no referenced issue. -->
-  - fixes #
+- Fixes #
 
 ### Additional information
 
@@ -39,4 +39,6 @@
 
 - [ ] Parameters are documented in the `values.yaml` and added to the `README.md` using [readme-generator-for-helm](https://github.com/bitnami-labs/readme-generator-for-helm)
 - [ ] Breaking changes are documented in the `README.md`
-- [ ] Templating unittests are added
+- [ ] Helm templating unittests are added (required when changing anything in `templates` folder)
+- [ ] Bash unittests are added (required when changing anything in `scripts` folder)
+- [ ] All added template resources MUST render a namespace in metadata

.gitea/scripts/add-annotations.sh

@@ -0,0 +1,114 @@
+#!/bin/bash
+
+set -e
+
+CHART_FILE="Chart.yaml"
+if [ ! -f "${CHART_FILE}" ]; then
+  echo "ERROR: ${CHART_FILE} not found!" 1>&2
+  exit 1
+fi
+
+DEFAULT_NEW_TAG="$(git tag --sort=-version:refname | head -n 1)"
+DEFAULT_OLD_TAG="$(git tag --sort=-version:refname | head -n 2 | tail -n 1)"
+
+if [ -z "${1}" ]; then
+  read -p "Enter start tag [${DEFAULT_OLD_TAG}]: " OLD_TAG
+  if [ -z "${OLD_TAG}" ]; then
+    OLD_TAG="${DEFAULT_OLD_TAG}"
+  fi
+
+  while [ -z "$(git tag --list "${OLD_TAG}")" ]; do
+    echo "ERROR: Tag '${OLD_TAG}' not found!" 1>&2
+    read -p "Enter start tag [${DEFAULT_OLD_TAG}]: " OLD_TAG
+    if [ -z "${OLD_TAG}" ]; then
+      OLD_TAG="${DEFAULT_OLD_TAG}"
+    fi
+  done
+else
+  OLD_TAG=${1}
+  if [ -z "$(git tag --list "${OLD_TAG}")" ]; then
+    echo "ERROR: Tag '${OLD_TAG}' not found!" 1>&2
+    exit 1
+  fi
+fi
+
+if [ -z "${2}" ]; then
+  read -p "Enter end tag [${DEFAULT_NEW_TAG}]: " NEW_TAG
+  if [ -z "${NEW_TAG}" ]; then
+    NEW_TAG="${DEFAULT_NEW_TAG}"
+  fi
+
+  while [ -z "$(git tag --list "${NEW_TAG}")" ]; do
+    echo "ERROR: Tag '${NEW_TAG}' not found!" 1>&2
+    read -p "Enter end tag [${DEFAULT_NEW_TAG}]: " NEW_TAG
+    if [ -z "${NEW_TAG}" ]; then
+      NEW_TAG="${DEFAULT_NEW_TAG}"
+    fi
+  done
+else
+  NEW_TAG=${2}
+
+  if [ -z "$(git tag --list "${NEW_TAG}")" ]; then
+    echo "ERROR: Tag '${NEW_TAG}' not found!" 1>&2
+    exit 1
+  fi
+fi
+
+CHANGE_LOG_YAML=$(mktemp)
+echo "[]" > "${CHANGE_LOG_YAML}"
+
+function map_type_to_kind() {
+  case "${1}" in
+    feat)
+      echo "added"
+    ;;
+    fix)
+      echo "fixed"
+    ;;
+    chore|style|test|ci|docs|refac)
+      echo "changed"
+    ;;
+    revert)
+      echo "removed"
+    ;;
+    sec)
+      echo "security"
+    ;;
+    *)
+      echo "skip"
+    ;;
+  esac
+}
+
+COMMIT_TITLES="$(git log --pretty=format:"%s" "${OLD_TAG}..${NEW_TAG}")"
+
+echo "INFO: Generate change log entries from ${OLD_TAG} until ${NEW_TAG}"
+
+while IFS= read -r line; do
+  if [[ "${line}" =~ ^([a-zA-Z]+)(\([^\)]+\))?\:\ (.+)$ ]]; then
+    TYPE="${BASH_REMATCH[1]}"
+    KIND=$(map_type_to_kind "${TYPE}")
+
+    if [ "${KIND}" == "skip" ]; then
+      continue
+    fi
+
+    DESC="${BASH_REMATCH[3]}"
+
+    echo "- ${KIND}: ${DESC}"
+
+    jq --arg kind changed --arg description "$DESC" '. += [ $ARGS.named ]' < ${CHANGE_LOG_YAML} > ${CHANGE_LOG_YAML}.new
+    mv ${CHANGE_LOG_YAML}.new ${CHANGE_LOG_YAML}
+
+  fi
+done <<< "${COMMIT_TITLES}"
+
+if [ -s "${CHANGE_LOG_YAML}" ]; then
+  yq --inplace --input-format json --output-format yml "${CHANGE_LOG_YAML}"
+  yq --no-colors --inplace ".annotations.\"artifacthub.io/changes\" |= loadstr(\"${CHANGE_LOG_YAML}\") | sort_keys(.)" "${CHART_FILE}"
+else
+  echo "ERROR: Changelog file is empty: ${CHANGE_LOG_YAML}" 1>&2
+  exit 1
+fi
+
+rm "${CHANGE_LOG_YAML}"

.gitea/workflows/release-version.yml

@@ -2,69 +2,145 @@ name: generate-chart
 
 on:
   push:
-    tags:
+    branches:
       - "*"
 
 env:
   # renovate: datasource=docker depName=alpine/helm
-  HELM_VERSION: "3.15.3"
+  HELM_VERSION: "3.17.3"
 
 jobs:
   generate-chart-publish:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
-      - name: install tools
+        with:
+          fetch-depth: 0
+
+      - name: Determine Architecture and Operating System to support x86_64 and ARM based CI nodes
         run: |
-          apt update -y
-          apt install -y curl ca-certificates curl gnupg
-          # helm
-          curl -O https://get.helm.sh/helm-v${{ env.HELM_VERSION }}-linux-amd64.tar.gz
-          tar -xzf helm-v${{ env.HELM_VERSION }}-linux-amd64.tar.gz
-          mv linux-amd64/helm /usr/local/bin/
-          rm -rf linux-amd64 helm-v${{ env.HELM_VERSION }}-linux-amd64.tar.gz
+          # determine operating system
+          OS=$(uname | tr '[:upper:]' '[:lower:]')
+          echo "OS=${OS}" >> $GITHUB_ENV
+          echo "INFO: Set environment variable OS=${OS}"
+
+          # determine architecture
+          ARCH="$(uname -m)"
+          case "${ARCH}" in
+            aarch64) ARCH=arm64;;
+            x86_64) ARCH=amd64;;
+          esac
+          echo "ARCH=${ARCH}" >> $GITHUB_ENV
+          echo "INFO: Set environment variable ARCH=${ARCH}"
+
+      - name: Install packages via apt
+        run: |
+          apt update --yes
+
+          echo "INFO: Install packages via apt"
+          apt install --yes curl ca-certificates curl gnupg jq
+
+      - name: Install helm
+        run: |
+          curl --fail --location --output /dev/stdout --silent --show-error https://get.helm.sh/helm-v${{ env.HELM_VERSION }}-${OS}-${ARCH}.tar.gz | tar --extract --gzip --file /dev/stdin
+          mv ${OS}-${ARCH}/helm /usr/local/bin/
+          rm --force --recursive ${OS}-${ARCH} helm-v${{ env.HELM_VERSION }}-${OS}-${ARCH}.tar.gz
           helm version
-          # docker
+
+      - name: Install yq
+        env:
+          YQ_VERSION: v4.45.4 # renovate: datasource=github-releases depName=mikefarah/yq
+        run: |
+          curl --fail --location --output /dev/stdout --silent --show-error https://github.com/mikefarah/yq/releases/download/${YQ_VERSION}/yq_${OS}_${ARCH}.tar.gz | tar --extract --gzip --file /dev/stdin
+          mv yq_${OS}_${ARCH} /usr/local/bin
+          rm --force --recursive yq_${OS}_${ARCH} yq_${OS}_${ARCH}.tar.gz
+          yq --version
+
+      - name: Install docker-ce via apt
+        run: |
+          echo "INFO: Install docker"
           install -m 0755 -d /etc/apt/keyrings
-          curl -fsSL https://download.docker.com/linux/ubuntu/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg
+          curl --fail --location --silent --show-error https://download.docker.com/linux/ubuntu/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg
           chmod a+r /etc/apt/keyrings/docker.gpg
           echo "deb [arch="$(dpkg --print-architecture)" signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu "$(. /etc/os-release && echo "$VERSION_CODENAME")" stable" | tee /etc/apt/sources.list.d/docker.list > /dev/null
-          apt update -y
-          apt install -y python3 python3-pip apt-transport-https docker-ce-cli
-          pip install awscli
+          apt update --yes
+          apt install --yes python3 python3-pip apt-transport-https docker-ce-cli
 
-      - name: Import GPG key
-        id: import_gpg
-        uses: https://github.com/crazy-max/ghaction-import-gpg@v6
-        with:
-          gpg_private_key: ${{ secrets.GPGSIGN_KEY }}
-          passphrase: ${{ secrets.GPGSIGN_PASSPHRASE }}
-          fingerprint: CC64B1DB67ABBEECAB24B6455FC346329753F4B0
-
-      # Using helm gpg plugin as 'helm package --sign' has issues with gpg2: https://github.com/helm/helm/issues/2843
-      - name: package chart
+      - name: Install awscli
         run: |
-          echo ${{ secrets.DOCKER_CHARTS_PASSWORD }} | docker login -u ${{ secrets.DOCKER_CHARTS_USERNAME }} --password-stdin
-          # FIXME: use upstream after https://github.com/technosophos/helm-gpg/issues/1 is solved
-          helm plugin install https://github.com/pat-s/helm-gpg
-          helm dependency build
-          helm package --version "${GITHUB_REF#refs/tags/v}" ./
-          mkdir gitea
-          mv gitea*.tgz gitea/
-          curl -s -L -o gitea/index.yaml https://dl.gitea.com/charts/index.yaml
-          helm repo index gitea/ --url https://dl.gitea.com/charts --merge gitea/index.yaml
-          # push to dockerhub
-          echo ${{ secrets.DOCKER_CHARTS_PASSWORD }} | helm registry login -u ${{ secrets.DOCKER_CHARTS_USERNAME }} registry-1.docker.io --password-stdin
-          helm push gitea/gitea-${GITHUB_REF#refs/tags/v}.tgz oci://registry-1.docker.io/giteacharts
-          helm registry logout registry-1.docker.io
+          echo "INFO: Install awscli via python pip"
+          pip install awscli --break-system-packages
+          aws --version
 
-      - name: aws credential configure
-        uses: https://github.com/aws-actions/configure-aws-credentials@v4
-        with:
-          aws-access-key-id: ${{ secrets.AWS_KEY_ID }}
-          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-          aws-region: ${{ secrets.AWS_REGION }}
+  #     - name: Import GPG key
+  #       id: import_gpg
+  #       uses: https://github.com/crazy-max/ghaction-import-gpg@v6
+  #       with:
+  #         gpg_private_key: ${{ secrets.GPGSIGN_KEY }}
+  #         passphrase: ${{ secrets.GPGSIGN_PASSPHRASE }}
+  #         fingerprint: CC64B1DB67ABBEECAB24B6455FC346329753F4B0
 
-      - name: Copy files to S3 and clear cache
+      - name: Add Artifacthub.io annotations
         run: |
-          aws s3 sync gitea/ s3://${{ secrets.AWS_S3_BUCKET}}/charts/
+          NEW_TAG=v12.0.0
+          OLD_TAG=v11.0.1
+          # NEW_TAG="$(git tag --sort=-version:refname | head --lines 1)"
+          # OLD_TAG="$(git tag --sort=-version:refname | head --lines 2 | tail --lines 1)"
+          .gitea/scripts/add-annotations.sh "${OLD_TAG}" "${NEW_TAG}"
+
+      - name: Print Chart.yaml
+        run: cat Chart.yaml
+
+  #     # Using helm gpg plugin as 'helm package --sign' has issues with gpg2: https://github.com/helm/helm/issues/2843
+  #     - name: package chart
+  #       run: |
+  #         echo ${{ secrets.DOCKER_CHARTS_PASSWORD }} | docker login -u ${{ secrets.DOCKER_CHARTS_USERNAME }} --password-stdin
+  #         # FIXME: use upstream after https://github.com/technosophos/helm-gpg/issues/1 is solved
+  #         helm plugin install https://github.com/pat-s/helm-gpg
+  #         helm dependency build
+  #         helm package --version "${GITHUB_REF#refs/tags/v}" ./
+  #         mkdir gitea
+  #         mv gitea*.tgz gitea/
+  #         curl --fail --location --output gitea/index.yaml --silent --show-error https://dl.gitea.com/charts/index.yaml
+  #         helm repo index gitea/ --url https://dl.gitea.com/charts --merge gitea/index.yaml
+  #         # push to dockerhub
+  #         echo ${{ secrets.DOCKER_CHARTS_PASSWORD }} | helm registry login -u ${{ secrets.DOCKER_CHARTS_USERNAME }} registry-1.docker.io --password-stdin
+  #         helm push gitea/gitea-${GITHUB_REF#refs/tags/v}.tgz oci://registry-1.docker.io/giteacharts
+  #         helm registry logout registry-1.docker.io
+
+  #     - name: aws credential configure
+  #       uses: https://github.com/aws-actions/configure-aws-credentials@v4
+  #       with:
+  #         aws-access-key-id: ${{ secrets.AWS_KEY_ID }}
+  #         aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+  #         aws-region: ${{ secrets.AWS_REGION }}
+
+  #     - name: Copy files to S3 and clear cache
+  #       run: |
+  #         aws s3 sync gitea/ s3://${{ secrets.AWS_S3_BUCKET}}/charts/
+
+  # release-gitea:
+  #   # needs: generate-chart-publish
+  #   runs-on: ubuntu-latest
+  #   container: docker.io/thegeeklab/git-sv:2.0.1
+  #   steps:
+  #     - name: install tools
+  #       run: |
+  #         apk add -q --update --no-cache nodejs
+  #     - uses: actions/checkout@v4
+  #       with:
+  #         fetch-tags: true
+  #         fetch-depth: 0
+
+  #     - name: Create changelog
+  #       run: |
+  #         git sv current-version
+  #         git sv release-notes -t ${GITHUB_REF#refs/tags/} -o CHANGELOG.md
+  #         sed -i '1,2d' CHANGELOG.md # remove version
+  #         cat CHANGELOG.md
+
+  #     - name: Release
+  #       uses: https://github.com/akkuman/gitea-release-action@v1
+  #       with:
+  #         body_path: CHANGELOG.md
+  #         token: "${{ secrets.RELEASE_TOKEN }}"

.gitea/workflows/test-pr.yml

@@ -1,41 +0,0 @@
-name: check-and-test
-
-on:
-  pull_request:
-    branches:
-      - "*"
-  push:
-    branches:
-      - main
-      - "renovate/**"
-
-env:
-  # renovate: datasource=github-releases depName=helm-unittest/helm-unittest
-  HELM_UNITTEST_VERSION: "v0.5.2"
-
-jobs:
-  check-and-test:
-    runs-on: ubuntu-latest
-    container: alpine/helm:3.15.3
-    steps:
-      - name: install tools
-        run: |
-          apk update
-          apk add --update make nodejs npm yamllint
-      - uses: actions/checkout@v4
-      - name: install chart dependencies
-        run: helm dependency build
-      - name: lint
-        run: helm lint
-      - name: template
-        run: helm template --debug gitea-helm .
-      - name: unit tests
-        run: |
-          helm plugin install --version ${{ env.HELM_UNITTEST_VERSION }} https://github.com/helm-unittest/helm-unittest
-          make unittests
-      - name: verify readme
-        run: |
-          make readme
-          git diff --exit-code --name-only README.md
-      - name: yaml lint
-        uses: https://github.com/ibiqlik/action-yamllint@v3

.gitmodules

@@ -0,0 +1,12 @@
+[submodule "unittests/bash/bats"]
+	path = unittests/bash/bats
+	url = https://github.com/bats-core/bats-core.git
+[submodule "unittests/bash/test_helper/bats-support"]
+	path = unittests/bash/test_helper/bats-support
+	url = https://github.com/bats-core/bats-support.git
+[submodule "unittests/bash/test_helper/bats-assert"]
+	path = unittests/bash/test_helper/bats-assert
+	url = https://github.com/bats-core/bats-assert.git
+[submodule "unittests/bash/test_helper/bats-mock"]
+	path = unittests/bash/test_helper/bats-mock
+	url = https://github.com/jasonkarns/bats-mock.git

.gitsv/config.yaml

@@ -0,0 +1,57 @@
+version: '1.1' # Configuration version.
+
+versioning:
+  update-major: [breaking] # Commit types used to bump major.
+  update-minor: [feat, perf] # Commit types used to bump minor.
+  update-patch: [build, ci, chore, fix, perf, refactor, test] # Commit types used to bump patch.
+  # When type is not present on update rules and is unknown (not mapped on commit message types);
+  # if ignore-unknown=false bump patch, if ignore-unknown=true do not bump version.
+  ignore-unknown: false
+
+tag:
+  pattern: 'v%d.%d.%d' # Pattern used to create git tag.
+  filter: '' # Enables you to filter for considerable tags using git pattern syntax.
+
+release-notes:
+  sections: # Array with each section of release note. Check template section for more information.
+    - name: Breaking Changes
+      section-type: breaking-changes
+    - name: Features # Name used on section.
+      section-type: commits # Type of the section, supported types: commits, breaking-changes.
+      commit-types: [feat, perf] # Commit types for commit section-type, one commit type cannot be in more than one section.
+    - name: Bug Fixes
+      section-type: commits
+      commit-types: [fix]
+    - name: Maintenance
+      section-type: commits
+      commit-types: [chore, refactor]
+    - name: Documentation
+      commit-types: [docs]
+      section-type: commits
+    - name: CI
+      commit-types: [ci]
+      section-type: commits
+
+branches: # Git branches config.
+  prefix: ([a-z]+\/)? # Prefix used on branch name, it should be a regex group.
+  suffix: (-.*)? # Suffix used on branch name, it should be a regex group.
+  disable-issue: false # Set true if there is no need to recover issue id from branch name.
+  skip: [] # List of branch names ignored on commit message validation.
+  skip-detached: false # Set true if a detached branch should be ignored on commit message validation.
+
+commit-message:
+  # Supported commit types.
+  types: [build, ci, chore, docs, feat, fix, perf, refactor, revert, style, test]
+  header-selector: '' # You can put in a regex here to select only a certain part of the commit message. Please define a regex group 'header'.
+  scope:
+    # Define supported scopes, if blank, scope will not be validated, if not, only scope listed will be valid.
+    # Don't forget to add "" on your list if you need to define scopes and keep it optional.
+    values: []
+  footer:
+    issue: # Use "issue: {}" if you wish to disable issue footer.
+      key: jira # Name used to define an issue on footer metadata.
+      key-synonyms: [Jira, JIRA] # Supported variations for footer metadata.
+      use-hash: false # If false, use :<space> separator. If true, use <space># separator.
+      add-value-prefix: '' # Add a prefix to issue value.
+  issue:
+    regex: '[A-Z]+-[0-9]+' # Regex for issue id.

.helmignore

@@ -5,6 +5,7 @@
 # Common VCS dirs
 .git/
 .gitignore
+.gitmodules
 .bzr/
 .bzrignore
 .hg/
@@ -31,3 +32,10 @@ Makefile
 .drone.yml
 CONTRIBUTING.md
 unittests/
+.editorconfig
+.prettierignore
+.yamllint
+CODEOWNERS
+renovate.json5
+.commitlintrc.json
+.gitsv/

.markdownlint.yaml

@@ -129,6 +129,7 @@ MD041:
 MD044:
   # List of proper names
   names:
+    - docker.gitea.com
     - Gitea
     - PostgreSQL
     - Memcached

.vscode/extensions.json

@@ -3,6 +3,7 @@
         "yzhang.markdown-all-in-one",
         "DavidAnson.vscode-markdownlint",
         "Tim-Koehler.helm-intellisense",
-        "esbenp.prettier-vscode"
+        "esbenp.prettier-vscode",
+        "jetmartin.bats"
     ]
   }

.vscode/settings.json

@@ -1,8 +1,15 @@
 {
     "yaml.schemas": {
-        "https://raw.githubusercontent.com/helm-unittest/helm-unittest/v0.5.2/schema/helm-testsuite.json": [
+        "https://raw.githubusercontent.com/helm-unittest/helm-unittest/v0.8.2/schema/helm-testsuite.json": [
             "/unittests/**/*.yaml"
         ]
     },
-    "yaml.schemaStore.enable": true
+    "yaml.schemaStore.enable": true,
+    "[bats]": {
+        "editor.tabSize": 2
+    },
+    "[shellscript]": {
+        "files.eol": "\n",
+        "editor.tabSize": 2
+    }
 }

.yamllint

@@ -5,7 +5,7 @@ ignore: |
   .yamllint
   node_modules
   templates
-
+  unittests/bash
 
 rules:
   truthy:
@@ -17,4 +17,4 @@ rules:
   comments:
     min-spaces-from-content: 1
   braces:
-    max-spaces-inside: 2
+    max-spaces-inside: 2

CODEOWNERS

@@ -1 +1 @@
-* @justusbunsi @pat-s
+charts/* @justusbunsi @pat-s

CONTRIBUTING.md

@@ -29,6 +29,7 @@ When submitting or updating a PR:
 - try to avoid rebases. They make code reviews for large PRs and comments much harder.
 - if applicable, use the PR template for a well-defined PR description.
 - clearly mark breaking changes.
+- format the PR title following the [conventional commits](https://www.conventionalcommits.org/en/v1.0.0/#specification) schema
 
 ## Local development & testing
 
@@ -37,7 +38,7 @@ be used:
 
 1. Install `minikube` and `helm`.
 1. Start a `minikube` cluster via `minikube start`.
-1. From the `gitea/helm-chart` directory execute the following command.
+1. From the `gitea/helm-gitea` directory execute the following command.
    This will install the dependencies listed in `Chart.yml` and deploy the current state of the helm chart found locally.
    If you want to test a branch, make sure to switch to the respective branch first.
    `helm install --dependency-update gitea . -f values.yaml`.
@@ -48,18 +49,32 @@ default port-forward svc/gitea-http 3000:3000`.
 
 ### Unit tests
 
+#### Helm templating tests
+
 ```bash
 # install the unittest plugin
 $ helm plugin install https://github.com/helm-unittest/helm-unittest
 
-# run the unittests
-make unittests
+# run the Helm unittests
+make unittests-helm
 ```
 
 See [plugin documentation](https://github.com/helm-unittest/helm-unittest/blob/main/DOCUMENT.md) for usage instructions.
 
+#### Bash script tests
+
+```bash
+# setup the environment
+git submodule update --init --recursive
+
+# run the bash tests
+make unittests-bash
+```
+
+See [bats documentation](https://bats-core.readthedocs.io/en/stable/) for usage instructions.
+
 ## Release process
 
-1. Create a tag following the tagging schema
-1. Push the tag
+1. Ensure you have [`git-sv`](https://github.com/thegeeklab/git-sv) installed
+1. Run `git sv tag` (this creates and pushes the tag following the respective next tag according to the semver commits issued since the last release)
 1. Let CI do it's work

Chart.lock

@@ -1,15 +1,15 @@
 dependencies:
 - name: postgresql
   repository: oci://registry-1.docker.io/bitnamicharts
-  version: 15.5.20
+  version: 16.7.4
 - name: postgresql-ha
   repository: oci://registry-1.docker.io/bitnamicharts
-  version: 14.2.16
-- name: redis-cluster
+  version: 16.0.6
+- name: valkey-cluster
   repository: oci://registry-1.docker.io/bitnamicharts
-  version: 10.3.0
-- name: redis
+  version: 3.0.10
+- name: valkey
   repository: oci://registry-1.docker.io/bitnamicharts
-  version: 19.6.4
-digest: sha256:a28c809273f313c482e3f803a0a002c3bb3a0d2090bf6b732d68ecc4710b4732
-generated: "2024-08-03T00:21:16.080925346Z"
+  version: 3.0.9
+digest: sha256:aeafc605b86db0ff3999cd808af1c9ca3a6a749aae0d42f2fdae89803b3bb60a
+generated: "2025-05-25T00:23:17.804516988Z"

Chart.yaml

@@ -4,7 +4,7 @@ description: Gitea Helm chart for Kubernetes
 type: application
 version: 0.0.0
 # renovate datasource=github-releases depName=go-gitea/gitea extractVersion=^v(?<version>.*)$
-appVersion: 1.22.3
+appVersion: 1.23.8
 icon: https://gitea.com/assets/img/logo.svg
 
 keywords:
@@ -15,9 +15,9 @@ keywords:
   - gitea
   - gogs
 sources:
-  - https://gitea.com/gitea/helm-chart
+  - https://gitea.com/gitea/helm-gitea
   - https://github.com/go-gitea/gitea
-  - https://hub.docker.com/r/gitea/gitea/
+  - https://docker.gitea.com/gitea
 maintainers:
   - name: Charlie Drage
     email: charlie@charliedrage.com
@@ -36,20 +36,20 @@ dependencies:
   # https://github.com/bitnami/charts/blob/main/bitnami/postgresql
   - name: postgresql
     repository: oci://registry-1.docker.io/bitnamicharts
-    version: 15.5.20
+    version: 16.7.4
     condition: postgresql.enabled
   # https://github.com/bitnami/charts/blob/main/bitnami/postgresql-ha/Chart.yaml
   - name: postgresql-ha
     repository: oci://registry-1.docker.io/bitnamicharts
-    version: 14.2.16
+    version: 16.0.6
     condition: postgresql-ha.enabled
-  # https://github.com/bitnami/charts/blob/main/bitnami/redis-cluster/Chart.yaml
-  - name: redis-cluster
+  # https://github.com/bitnami/charts/blob/main/bitnami/valkey-cluster/Chart.yaml
+  - name: valkey-cluster
     repository: oci://registry-1.docker.io/bitnamicharts
-    version: 10.3.0
-    condition: redis-cluster.enabled
-  # https://github.com/bitnami/charts/blob/main/bitnami/redis/Chart.yaml
-  - name: redis
+    version: 3.0.10
+    condition: valkey-cluster.enabled
+  # https://github.com/bitnami/charts/blob/main/bitnami/valkey/Chart.yaml
+  - name: valkey
     repository: oci://registry-1.docker.io/bitnamicharts
-    version: 19.6.4
-    condition: redis.enabled
+    version: 3.0.9
+    condition: valkey.enabled

Makefile

@@ -1,3 +1,5 @@
+SHELL := /usr/bin/env bash -O globstar
+
 .PHONY: prepare-environment
 prepare-environment:
 	npm install
@@ -8,8 +10,15 @@ readme: prepare-environment
 	npm run readme:lint
 
 .PHONY: unittests
-unittests:
-	helm unittest --strict -f 'unittests/**/*.yaml' -f 'unittests/dependency-major-image-check.yaml' -f 'unittests/values-conflicting-checks.yaml' ./
+unittests: unittests-helm unittests-bash
+
+.PHONY: unittests-helm
+unittests-helm:
+	helm unittest --strict -f 'unittests/helm/**/*.yaml' -f 'unittests/helm/values-conflicting-checks.yaml' ./
+
+.PHONY: unittests-bash
+unittests-bash:
+	./unittests/bash/bats/bin/bats --pretty ./unittests/bash/tests/**/*.bats
 
 .PHONY: helm
 update-helm-dependencies:

README.md

@@ -8,6 +8,7 @@
   - [Dependency Versioning](#dependency-versioning)
 - [Installing](#installing)
 - [High Availability](#high-availability)
+- [Limit resources](#limit-resources)
 - [Configuration](#configuration)
   - [Default Configuration](#default-configuration)
     - [Database defaults](#database-defaults)
@@ -30,6 +31,7 @@
   - [OAuth2 Settings](#oauth2-settings)
 - [Configure commit signing](#configure-commit-signing)
 - [Metrics and profiling](#metrics-and-profiling)
+  - [Secure Metrics Endpoint](#secure-metrics-endpoint)
 - [Pod annotations](#pod-annotations)
 - [Themes](#themes)
 - [Renovate](#renovate)
@@ -49,8 +51,8 @@
   - [LivenessProbe](#livenessprobe)
   - [ReadinessProbe](#readinessprobe)
   - [StartupProbe](#startupprobe)
-  - [redis-cluster](#redis-cluster)
-  - [redis](#redis)
+  - [valkey-cluster](#valkey-cluster)
+  - [valkey](#valkey)
   - [PostgreSQL HA](#postgresql-ha)
   - [PostgreSQL](#postgresql)
   - [Advanced](#advanced)
@@ -69,7 +71,7 @@ Additionally, this chart allows to provide LDAP and admin user configuration wit
 ## Update and versioning policy
 
 The Gitea helm chart versioning does not follow Gitea's versioning.
-The latest chart version can be looked up in [https://dl.gitea.com/charts](https://dl.gitea.com/charts) or in the [repository releases](https://gitea.com/gitea/helm-chart/releases).
+The latest chart version can be looked up in [https://dl.gitea.com/charts](https://dl.gitea.com/charts) or in the [repository releases](https://gitea.com/gitea/helm-gitea/releases).
 
 The chart aims to follow Gitea's releases closely.
 There might be times when the chart is behind the latest Gitea release.
@@ -93,14 +95,14 @@ Users can also configure their own external providers via the configuration.
 These dependencies are enabled by default:
 
 - PostgreSQL HA ([Bitnami PostgreSQL-HA](https://github.com/bitnami/charts/blob/main/bitnami/postgresql-ha/Chart.yaml))
-- Redis-Cluster ([Bitnami Redis-Cluster](https://github.com/bitnami/charts/blob/main/bitnami/redis-cluster/Chart.yaml))
+- Valkey-Cluster ([Bitnami Valkey-Cluster](https://github.com/bitnami/charts/blob/main/bitnami/valkey-cluster/Chart.yaml))
 
 ### Non-HA Dependencies
 
 Alternatively, the following non-HA replacements are available:
 
 - PostgreSQL ([Bitnami PostgreSQL](<Postgresql](https://github.com/bitnami/charts/blob/main/bitnami/postgresql/Chart.yaml)>))
-- Redis ([Bitnami Redis](<Redis](https://github.com/bitnami/charts/blob/main/bitnami/redis/Chart.yaml)>))
+- Valkey ([Bitnami Valkey](<Valkey](https://github.com/bitnami/charts/blob/main/bitnami/valkey/Chart.yaml)>))
 
 ### Dependency Versioning
 
@@ -118,8 +120,8 @@ Please double-check the image repository and available tags in the sub-chart:
 
 - [PostgreSQL-HA](https://hub.docker.com/r/bitnami/postgresql-repmgr/tags)
 - [PostgreSQL](https://hub.docker.com/r/bitnami/postgresql/tags)
-- [Redis Cluster](https://hub.docker.com/r/bitnami/redis-cluster/tags)
-- [Redis](https://hub.docker.com/r/bitnami/redis/tags)
+- [Valkey Cluster](https://hub.docker.com/r/bitnami/valkey-cluster/tags)
+- [Valkey](https://hub.docker.com/r/bitnami/valkey/tags)
 
 and look up the image tag which fits your needs on Dockerhub.
 
@@ -137,6 +139,12 @@ Alternatively, the chart can also be installed from Dockerhub (since v9.6.0)
 helm install gitea oci://registry-1.docker.io/giteacharts/gitea
 ```
 
+To avoid potential Dockerhub rate limits, the chart can also be installed via [docker.gitea.com](https://blog.gitea.com/docker-registry-update/) (since v9.6.0)
+
+```sh
+helm install gitea oci://docker.gitea.com/charts/gitea
+```
+
 When upgrading, please refer to the [Upgrading](#upgrading) section at the bottom of this document for major and breaking changes.
 
 ## High Availability
@@ -147,6 +155,44 @@ Care must be taken for production use as not all implementation details of Gitea
 Deploying a HA-ready Gitea instance requires some effort including using HA-ready dependencies.
 See the [HA Setup](docs/ha-setup.md) document for more details.
 
+## Limit resources
+
+If the application is deployed with a CPU resource limit, Prometheus may throw a CPU throttling warning for the
+application. This has more or less to do with the fact that the application finds the number of CPUs of the host, but
+cannot use the available CPU time to perform computing operations.
+
+The application must be informed that despite several CPUs only a part (limit) of the available computing time is
+available. As this is a Golang application, this can be implemented using `GOMAXPROCS`. The following example is one way
+of defining `GOMAXPROCS` automatically based on the defined CPU limit like `1000m`. Please keep in mind, that the CFS
+rate of `100ms` - default on each kubernetes node, is also very important to avoid CPU throttling.
+
+Further information about this topic can be found [here](https://kanishk.io/posts/cpu-throttling-in-containerized-go-apps/).
+
+> [!NOTE]
+> The environment variable `GOMAXPROCS` is set automatically, when a CPU limit is defined. An explicit configuration is
+> not anymore required.
+>
+> Please note that a CPU limit < `1000m` can also lead to CPU throttling. Please read the linked documentation carefully.
+
+```yaml
+deployment:
+  env:
+    # Will be automatically defined!
+    - name: GOMAXPROCS
+      valueFrom:
+        resourceFieldRef:
+          divisor: "1" # Is required for GitDevOps systems like ArgoCD/Flux. Otherwise throw the system a diff error. (k8s-default=1)
+          resource: limits.cpu
+
+resources:
+  limits:
+    cpu: 1000m
+    memory: 512Mi
+  requests:
+    cpu: 100m
+    memory: 512Mi
+```
+
 ## Configuration
 
 Gitea offers lots of configuration options.
@@ -235,28 +281,28 @@ If `.Values.image.rootless: true`, then the following will occur. In case you us
 
 #### Session, Cache and Queue
 
-The session, cache and queue settings are set to use the built-in Redis Cluster sub-chart dependency.
-If Redis Cluster is disabled, the chart will fall back to the Gitea defaults which use "memory" for `session` and `cache` and "level" for `queue`.
+The session, cache and queue settings are set to use the built-in Valkey Cluster sub-chart dependency.
+If Valkey Cluster is disabled, the chart will fall back to the Gitea defaults which use "memory" for `session` and `cache` and "level" for `queue`.
 
 While these will work and even not cause immediate issues after startup, **they are not recommended for production use**.
 Reasons being that a single pod will take on all the work for `session` and `cache` tasks in its available memory.
 It is likely that the pod will run out of memory or will face substantial memory spikes, depending on the workload.
-External tools such as `redis-cluster` or `memcached` handle these workloads much better.
+External tools such as `valkey-cluster` or `memcached` handle these workloads much better.
 
 ### Single-Pod Configurations
 
 If HA is not needed/desired, the following configurations can be used to deploy a single-pod Gitea instance.
 
-1. For a production-ready single-pod Gitea instance without external dependencies (using the chart dependency `postgresql` and `redis`):
+1. For a production-ready single-pod Gitea instance without external dependencies (using the chart dependency `postgresql` and `valkey`):
 
    <details>
 
    <summary>values.yml</summary>
 
    ```yaml
-   redis-cluster:
+   valkey-cluster:
      enabled: false
-   redis:
+   valkey:
      enabled: true
    postgresql:
      enabled: true
@@ -287,9 +333,9 @@ If HA is not needed/desired, the following configurations can be used to deploy
    <summary>values.yml</summary>
 
    ```yaml
-   redis-cluster:
+   valkey-cluster:
      enabled: false
-   redis:
+   valkey:
      enabled: false
    postgresql:
      enabled: false
@@ -487,21 +533,21 @@ and the repository exists.
 ```
 
 To solve this problem add the capability `SYS_CHROOT` to the `securityContext`.
-More about this issue [here](https://gitea.com/gitea/helm-chart/issues/161).
+More about this issue [here](https://gitea.com/gitea/helm-gitea/issues/161).
 
 ### Cache
 
-The cache handling is done via `redis-cluster` (via the `bitnami` chart) by default.
+The cache handling is done via `valkey-cluster` (via the `bitnami` chart) by default.
 This deployment is HA-ready but can also be used for single-pod deployments.
-By default, 6 replicas are deployed for a working `redis-cluster` deployment.
-Many cloud providers offer a managed redis service, which can be used instead of the built-in `redis-cluster`.
+By default, 6 replicas are deployed for a working `valkey-cluster` deployment.
+Many cloud providers offer a managed valkey service, which can be used instead of the built-in `valkey-cluster`.
 
 ```yaml
-redis-cluster:
+valkey-cluster:
   enabled: true
 ```
 
-⚠️ The redis charts [do not work well with special characters in the password](https://gitea.com/gitea/helm-chart/issues/690).
+⚠️ The valkey charts [do not work well with special characters in the password](https://gitea.com/gitea/helm-chart/issues/690).
 Consider omitting such or open an issue in the Bitnami repo and let us know once this got fixed.
 
 ### Persistence
@@ -537,7 +583,7 @@ You can interact with the postgres settings as displayed in the following exampl
 postgresql:
   persistence:
     enabled: true
-    claimName: MyAwesomeGiteaPostgresClaim
+    existingClaim: MyAwesomeGiteaPostgresClaim
 ```
 
 ### Admin User
@@ -692,7 +738,7 @@ gitea:
 
 When using the rootless image the gpg key folder is not persistent by default.
 If you consider using signed commits for internal Gitea activities (e.g. initial commit), you'd need to provide a signing key.
-Prior to [PR186](https://gitea.com/gitea/helm-chart/pulls/186), imported keys had to be re-imported once the container got replaced by another.
+Prior to [PR186](https://gitea.com/gitea/helm-gitea/pulls/186), imported keys had to be re-imported once the container got replaced by another.
 
 The mentioned PR introduced a new configuration object `signing` allowing you to configure prerequisites for commit signing.
 By default this section is disabled to maintain backwards compatibility.
@@ -746,6 +792,21 @@ gitea:
       ENABLE_PPROF: true
 ```
 
+### Secure Metrics Endpoint
+
+Metrics endpoint `/metrics` can be secured by using `Bearer` token authentication.
+
+**Note:** Providing non-empty `TOKEN` value will also require authentication for `ServiceMonitor`.
+
+```yaml
+gitea:
+  metrics:
+    token: "secure-token"
+    enabled: true
+    serviceMonitor:
+      enabled: true
+```
+
 ## Pod annotations
 
 Annotations can be added to the Gitea pod.
@@ -875,16 +936,16 @@ To comply with the Gitea helm chart definition of the digest parameter, a "custo
 
 ### Image
 
-| Name                 | Description                                                                                                                                                      | Value          |
-| -------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------- |
-| `image.registry`     | image registry, e.g. gcr.io,docker.io                                                                                                                            | `""`           |
-| `image.repository`   | Image to start for this pod                                                                                                                                      | `gitea/gitea`  |
-| `image.tag`          | Visit: [Image tag](https://hub.docker.com/r/gitea/gitea/tags?page=1&ordering=last_updated). Defaults to `appVersion` within Chart.yaml.                          | `""`           |
-| `image.digest`       | Image digest. Allows to pin the given image tag. Useful for having control over mutable tags like `latest`                                                       | `""`           |
-| `image.pullPolicy`   | Image pull policy                                                                                                                                                | `IfNotPresent` |
-| `image.rootless`     | Wether or not to pull the rootless version of Gitea, only works on Gitea 1.14.x or higher                                                                        | `true`         |
-| `image.fullOverride` | Completely overrides the image registry, path/image, tag and digest. **Adjust `image.rootless` accordingly and review [Rootless defaults](#rootless-defaults).** | `""`           |
-| `imagePullSecrets`   | Secret to use for pulling the image                                                                                                                              | `[]`           |
+| Name                 | Description                                                                                                                                                      | Value              |
+| -------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------ |
+| `image.registry`     | image registry, e.g. gcr.io,docker.io                                                                                                                            | `docker.gitea.com` |
+| `image.repository`   | Image to start for this pod                                                                                                                                      | `gitea`            |
+| `image.tag`          | Visit: [Image tag](https://hub.docker.com/r/gitea/gitea/tags?page=1&ordering=last_updated). Defaults to `appVersion` within Chart.yaml.                          | `""`               |
+| `image.digest`       | Image digest. Allows to pin the given image tag. Useful for having control over mutable tags like `latest`                                                       | `""`               |
+| `image.pullPolicy`   | Image pull policy                                                                                                                                                | `IfNotPresent`     |
+| `image.rootless`     | Wether or not to pull the rootless version of Gitea, only works on Gitea 1.14.x or higher                                                                        | `true`             |
+| `image.fullOverride` | Completely overrides the image registry, path/image, tag and digest. **Adjust `image.rootless` accordingly and review [Rootless defaults](#rootless-defaults).** | `""`               |
+| `imagePullSecrets`   | Secret to use for pulling the image                                                                                                                              | `[]`               |
 
 ### Security
 
@@ -929,16 +990,15 @@ To comply with the Gitea helm chart definition of the digest parameter, a "custo
 
 ### Ingress
 
-| Name                                 | Description                                                                 | Value             |
-| ------------------------------------ | --------------------------------------------------------------------------- | ----------------- |
-| `ingress.enabled`                    | Enable ingress                                                              | `false`           |
-| `ingress.className`                  | Ingress class name                                                          | `nil`             |
-| `ingress.annotations`                | Ingress annotations                                                         | `{}`              |
-| `ingress.hosts[0].host`              | Default Ingress host                                                        | `git.example.com` |
-| `ingress.hosts[0].paths[0].path`     | Default Ingress path                                                        | `/`               |
-| `ingress.hosts[0].paths[0].pathType` | Ingress path type                                                           | `Prefix`          |
-| `ingress.tls`                        | Ingress tls settings                                                        | `[]`              |
-| `ingress.apiVersion`                 | Specify APIVersion of ingress object. Mostly would only be used for argocd. |                   |
+| Name                             | Description                     | Value             |
+| -------------------------------- | ------------------------------- | ----------------- |
+| `ingress.enabled`                | Enable ingress                  | `false`           |
+| `ingress.className`              | DEPRECATED: Ingress class name. | `""`              |
+| `ingress.pathType`               | Ingress Path Type               | `Prefix`          |
+| `ingress.annotations`            | Ingress annotations             | `{}`              |
+| `ingress.hosts[0].host`          | Default Ingress host            | `git.example.com` |
+| `ingress.hosts[0].paths[0].path` | Default Ingress path            | `/`               |
+| `ingress.tls`                    | Ingress tls settings            | `[]`              |
 
 ### deployment
 
@@ -991,12 +1051,13 @@ To comply with the Gitea helm chart definition of the digest parameter, a "custo
 
 ### Init
 
-| Name                                       | Description                                                                          | Value   |
-| ------------------------------------------ | ------------------------------------------------------------------------------------ | ------- |
-| `initPreScript`                            | Bash shell script copied verbatim to the start of the init-container.                | `""`    |
-| `initContainers.resources.limits`          | initContainers.limits Kubernetes resource limits for init containers                 | `{}`    |
-| `initContainers.resources.requests.cpu`    | initContainers.requests.cpu Kubernetes cpu resource limits for init containers       | `100m`  |
-| `initContainers.resources.requests.memory` | initContainers.requests.memory Kubernetes memory resource limits for init containers | `128Mi` |
+| Name                                       | Description                                                                          | Value        |
+| ------------------------------------------ | ------------------------------------------------------------------------------------ | ------------ |
+| `initPreScript`                            | Bash shell script copied verbatim to the start of the init-container.                | `""`         |
+| `initContainersScriptsVolumeMountPath`     | Path to mount the scripts consumed from the Secrets                                  | `/usr/sbinx` |
+| `initContainers.resources.limits`          | initContainers.limits Kubernetes resource limits for init containers                 | `{}`         |
+| `initContainers.resources.requests.cpu`    | initContainers.requests.cpu Kubernetes cpu resource limits for init containers       | `100m`       |
+| `initContainers.resources.requests.memory` | initContainers.requests.memory Kubernetes memory resource limits for init containers | `128Mi`      |
 
 ### Signing
 
@@ -1017,6 +1078,7 @@ To comply with the Gitea helm chart definition of the digest parameter, a "custo
 | `gitea.admin.email`                          | Email for the Gitea admin user                                                                                                 | `gitea@local.domain` |
 | `gitea.admin.passwordMode`                   | Mode for how to set/update the admin user password. Options are: initialOnlyNoReset, initialOnlyRequireReset, and keepUpdated  | `keepUpdated`        |
 | `gitea.metrics.enabled`                      | Enable Gitea metrics                                                                                                           | `false`              |
+| `gitea.metrics.token`                        | used for `bearer` token authentication on metrics endpoint. If not specified or empty metrics endpoint is public.              | `nil`                |
 | `gitea.metrics.serviceMonitor.enabled`       | Enable Gitea metrics service monitor. Requires, that `gitea.metrics.enabled` is also set to true, to enable metrics generally. | `false`              |
 | `gitea.metrics.serviceMonitor.interval`      | Interval at which metrics should be scraped. If not specified Prometheus' global scrape interval is used.                      | `""`                 |
 | `gitea.metrics.serviceMonitor.relabelings`   | RelabelConfigs to apply to samples before scraping.                                                                            | `[]`                 |
@@ -1068,27 +1130,30 @@ To comply with the Gitea helm chart definition of the digest parameter, a "custo
 | `gitea.startupProbe.successThreshold`    | Success threshold for startup probe             | `1`     |
 | `gitea.startupProbe.failureThreshold`    | Failure threshold for startup probe             | `10`    |
 
-### redis-cluster
+### valkey-cluster
 
-Redis cluster and [Redis](#redis) cannot be enabled at the same time.
+Valkey cluster and [Valkey](#valkey) cannot be enabled at the same time.
 
-| Name                             | Description                                  | Value   |
-| -------------------------------- | -------------------------------------------- | ------- |
-| `redis-cluster.enabled`          | Enable redis cluster                         | `true`  |
-| `redis-cluster.usePassword`      | Whether to use password authentication       | `false` |
-| `redis-cluster.cluster.nodes`    | Number of redis cluster master nodes         | `3`     |
-| `redis-cluster.cluster.replicas` | Number of redis cluster master node replicas | `0`     |
+| Name                                  | Description                                                          | Value   |
+| ------------------------------------- | -------------------------------------------------------------------- | ------- |
+| `valkey-cluster.enabled`              | Enable valkey cluster                                                | `true`  |
+| `valkey-cluster.usePassword`          | Whether to use password authentication                               | `false` |
+| `valkey-cluster.usePasswordFiles`     | Whether to mount passwords as files instead of environment variables | `false` |
+| `valkey-cluster.cluster.nodes`        | Number of valkey cluster master nodes                                | `3`     |
+| `valkey-cluster.cluster.replicas`     | Number of valkey cluster master node replicas                        | `0`     |
+| `valkey-cluster.service.ports.valkey` | Port of Valkey service                                               | `6379`  |
 
-### redis
+### valkey
 
-Redis and [Redis cluster](#redis-cluster) cannot be enabled at the same time.
+Valkey and [Valkey cluster](#valkey-cluster) cannot be enabled at the same time.
 
-| Name                          | Description                                | Value        |
-| ----------------------------- | ------------------------------------------ | ------------ |
-| `redis.enabled`               | Enable redis standalone or replicated      | `false`      |
-| `redis.architecture`          | Whether to use standalone or replication   | `standalone` |
-| `redis.global.redis.password` | Required password                          | `changeme`   |
-| `redis.master.count`          | Number of Redis master instances to deploy | `1`          |
+| Name                                 | Description                                 | Value        |
+| ------------------------------------ | ------------------------------------------- | ------------ |
+| `valkey.enabled`                     | Enable valkey standalone or replicated      | `false`      |
+| `valkey.architecture`                | Whether to use standalone or replication    | `standalone` |
+| `valkey.global.valkey.password`      | Required password                           | `changeme`   |
+| `valkey.master.count`                | Number of Valkey master instances to deploy | `1`          |
+| `valkey.master.service.ports.valkey` | Port of Valkey service                      | `6379`       |
 
 ### PostgreSQL HA
 
@@ -1140,6 +1205,52 @@ If you miss this, blindly upgrading may delete your Postgres instance and you ma
 
 <details>
 
+<summary>To 12.0.0</summary>
+
+<!-- prettier-ignore-start -->
+<!-- markdownlint-disable-next-line -->
+**Breaking changes**
+<!-- prettier-ignore-end -->
+
+- Outsourced "Actions" related configuration.
+  To deploy and use "Actions", please see the new dedicated chart at <https://gitea.com/gitea/helm-actions>.
+  It is maintained by a seperate maintainer group and hasn't seen a release yet (at the time of the 12.0 release).
+  Feel encouraged to contribute if "Actions" is important to you!
+  
+  This change was made to avoid overloading the existing helm chart, which is already quite large in size and configuration options.
+  In addition, the existing maintainers team was not actively using "Actions" which slowed down development and community contributions.
+  While the new chart is still young (and waiting for contributions! and maintainers), we believe that it is the best way moving forward for both parts.
+- Migrated from Redis/Redis-cluster to Valkey/Valkey-cluster charts (#775).
+  While marked as breaking, there is no need to migrate data.
+  The cache will start to refill automatically.
+- Migrated ingress from `networking.k8s.io/v1beta` to `networking.k8s.io/v1`.
+  We didn't make any changes to the syntax, so the upgrade should be seamless.
+
+</details>
+
+<details>
+
+<summary>To 11.0.0</summary>
+
+<!-- prettier-ignore-start -->
+<!-- markdownlint-disable-next-line -->
+**Breaking changes**
+<!-- prettier-ignore-end -->
+
+- Update Gitea to 1.23.x (review the [1.23 release blog post](https://blog.gitea.com/release-of-1.23.0/) for all application breaking changes)
+- Update PostgreSQL sub-chart dependencies to appVersion 17.x
+- Update Redis sub-chart to version 20.x (appVersion 7.4)
+  Although there are no breaking changes in the Redis Chart itself, it updates Redis from `7.2` to `7.4`. We recommend checking the release notes:
+  - [Redis Chart release notes (starting with v20.0.0)](https://github.com/bitnami/charts/blob/HEAD/bitnami/redis/CHANGELOG.md#2000-2024-08-09).
+  - [Redis 7.4 release notes](https://raw.githubusercontent.com/redis/redis/7.4/00-RELEASENOTES).
+- Update Redis Cluster sub-chart to version 11.x (appVersion 7.4)
+  Although there are no breaking changes in the Redis Chart itself, it updates Redis from `7.2` to `7.4`. We recommend checking the release notes:
+  - [Redis Chart release notes (starting with v11.0.0)](https://github.com/bitnami/charts/blob/HEAD/bitnami/redis-cluster/CHANGELOG.md#1100-2024-08-09).
+  - [Redis 7.4 release notes](https://raw.githubusercontent.com/redis/redis/7.4/00-RELEASENOTES).
+  </details>
+
+<details>
+
 <summary>To 10.0.0</summary>
 
 <!-- prettier-ignore-start -->
@@ -1206,23 +1317,23 @@ The first item here (`<memcache service name>`) will be different compared to th
 The above changes are motivated by the idea to tidy dependencies but also have HA-ready ones at the same time.
 The previous `memcache` default was not HA-ready, hence we decided to switch to `redis-cluster` by default.
 
-If you are coming from an existing deployment and [#356](https://gitea.com/gitea/helm-chart/issues/356) is still open, you need to set the config sections for `cache`, `session` and `queue` explicitly:
+If you are coming from an existing deployment and [#356](https://gitea.com/gitea/helm-gitea/issues/356) is still open, you need to set the config sections for `cache`, `session` and `queue` explicitly:
 
 ```yaml
 gitea:
   config:
     session:
       PROVIDER: redis-cluster
-      PROVIDER_CONFIG: redis+cluster://:gitea@gitea-redis-cluster-headless.<namespace>.svc.cluster.local:6379/0?pool_size=100&idle_timeout=180s&
+      PROVIDER_CONFIG: redis+cluster://:gitea@gitea-valkey-cluster-headless.<namespace>.svc.cluster.local:6379/0?pool_size=100&idle_timeout=180s&
 
     cache:
       ENABLED: true
       ADAPTER: redis-cluster
-      HOST: redis+cluster://:gitea@gitea-redis-cluster-headless.<namespace>.svc.cluster.local:6379/0?pool_size=100&idle_timeout=180s&
+      HOST: redis+cluster://:gitea@gitea-valkey-cluster-headless.<namespace>.svc.cluster.local:6379/0?pool_size=100&idle_timeout=180s&
 
     queue:
       TYPE: redis
-      CONN_STR: redis+cluster://:gitea@gitea-redis-cluster-headless.<namespace>.svc.cluster.local:6379/0?pool_size=100&idle_timeout=180s&
+      CONN_STR: redis+cluster://:gitea@gitea-valkey-cluster-headless.<namespace>.svc.cluster.local:6379/0?pool_size=100&idle_timeout=180s&
 ```
 
 <!-- prettier-ignore-start -->
@@ -1231,7 +1342,7 @@ gitea:
 <!-- prettier-ignore-end -->
 
 If you are facing errors like `WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED` due to this automatic transition:
-Have a look at [this discussion](https://gitea.com/gitea/helm-chart/issues/487#issue-220660) and either set `image.rootless: false` or manually update your `~/.ssh/known_hosts` file(s).
+Have a look at [this discussion](https://gitea.com/gitea/helm-gitea/issues/487#issue-220660) and either set `image.rootless: false` or manually update your `~/.ssh/known_hosts` file(s).
 
 <!-- prettier-ignore-start -->
 <!-- markdownlint-disable-next-line -->
@@ -1287,7 +1398,7 @@ With respect to `values.yaml`, parameters `username`, `database` and `password`
 Please adjust your `values.yaml` accordingly.
 
 **Attention**: The Postgres upgrade is not automatically handled by the chart and must be done by yourself.
-See [this comment](https://gitea.com/gitea/helm-chart/issues/452#issuecomment-740885) for an extensive walkthrough.
+See [this comment](https://gitea.com/gitea/helm-gitea/issues/452#issuecomment-740885) for an extensive walkthrough.
 We again highly encourage users to use an external (managed) database for production instances.
 
 </details>

docs/ha-setup.md

@@ -25,7 +25,7 @@ In addition, the following components are required for full HA-readiness:
 
 - A HA-ready issue (and optionally code) indexer: `elasticsearch` or `meilisearch`
 - A HA-ready external object/asset storage (`minio`) (optional, assets can also be stored on the RWX file-system)
-- A HA-ready cache (`redis-cluster`)
+- A HA-ready cache (`valkey-cluster`)
 - A HA-ready DB
 
 `postgres.enabled`, which default to `true`, must be set to `false` for a HA setup.
@@ -72,33 +72,33 @@ persistence:
 
 ## Cache, session and queue
 
-A `redis` instance is required for the in-memory cache.
+A `valkey` instance is required for the in-memory cache.
 Two options exist:
 
-- `redis`
-- `redis-cluster`
+- `valkey`
+- `valkey-cluster`
 
-The chart provides `redis-cluster` as a dependency as this one can be used for both HA and non-HA setups.
-You're also welcome to go with `redis` if you prefer or already have a running instance.
+The chart provides `valkey-cluster` as a dependency as this one can be used for both HA and non-HA setups.
+You're also welcome to go with `valkey` if you prefer or already have a running instance.
 
-It should be noted that `redis-cluster` support is only available starting with Gitea 1.19.2.
-You can also configure an external (managed) `redis` instance to be used.
+It should be noted that `valkey-cluster` support is only available starting with Gitea 1.19.2.
+You can also configure an external (managed) `valkey` instance to be used.
 To do so, you need to set the following configuration values yourself:
 
-- `gitea.config.queue.TYPE`: redis`
-- `gitea.config.queue.CONN_STR`: `<your redis connection string>`
+- `gitea.config.queue.TYPE`: valkey`
+- `gitea.config.queue.CONN_STR`: `<your valkey connection string>`
 
-- `gitea.config.session.PROVIDER`: `redis`
-- `gitea.config.session.PROVIDER_CONFIG`: `<your redis connection string>`
+- `gitea.config.session.PROVIDER`: `valkey`
+- `gitea.config.session.PROVIDER_CONFIG`: `<your valkey connection string>`
 
 - `gitea.config.cache.ENABLED`: `true`
-- `gitea.config.cache.ADAPTER`: `redis`
-- `gitea.config.cache.HOST`: `<your redis connection string>`
+- `gitea.config.cache.ADAPTER`: `valkey`
+- `gitea.config.cache.HOST`: `<your valkey connection string>`
 
-By default, the `redis-cluster` chart provisions three standalone master nodes of which each has a single replica.
+By default, the `valkey-cluster` chart provisions three standalone master nodes of which each has a single replica.
 To reduce the number of pods for a default Gitea deployment, we opted to omit the replicas (`replicas: 0`) by default.
-Only the minimum required number of master pods for a functional `redis-cluster` deployment are provisioned.
-For a "proper" `redis-cluster` setup however, we recommend to set `replicas: 1` and `nodes: 6`.
+Only the minimum required number of master pods for a functional `valkey-cluster` deployment are provisioned.
+For a "proper" `valkey-cluster` setup however, we recommend to set `replicas: 1` and `nodes: 6`.
 
 ## Object and asset storage
 

package.json

@@ -1,6 +1,6 @@
 {
-  "name": "gitea-helm-chart",
-  "homepage": "https://gitea.com/gitea/helm-chart.git",
+  "name": "gitea-helm",
+  "homepage": "https://gitea.com/gitea/helm-gitea.git",
   "license": "MIT",
   "private": true,
   "engineStrict": true,
@@ -14,6 +14,6 @@
   },
   "devDependencies": {
     "@bitnami/readme-generator-for-helm": "^2.5.0",
-    "markdownlint-cli": "^0.41.0"
+    "markdownlint-cli": "^0.44.0"
   }
-}
+}

renovate.json5

@@ -9,13 +9,19 @@
   labels: [
     'kind/dependency',
   ],
+  digest: {
+    automerge: true,
+  },
   automergeStrategy: 'squash',
+  'git-submodules': {
+    enabled: true,
+  },
   customManagers: [
     {
       description: 'Gitea-version of https://docs.renovatebot.com/presets-regexManagers/#regexmanagersgithubactionsversions',
       customType: 'regex',
-      fileMatch: [
-        '.gitea/workflows/.+\\.ya?ml$',
+      managerFilePatterns: [
+        '/.gitea/workflows/.+\\.ya?ml$/',
       ],
       matchStrings: [
         '# renovate: datasource=(?<datasource>[a-z-.]+?) depName=(?<depName>[^\\s]+?)(?: (?:lookupName|packageName)=(?<packageName>[^\\s]+?))?(?: versioning=(?<versioning>[a-z-0-9]+?))?\\s+[A-Za-z0-9_]+?_VERSION\\s*:\\s*["\']?(?<currentValue>.+?)["\']?\\s',
@@ -24,17 +30,21 @@
     {
       description: 'Detect helm-unittest yaml schema file',
       customType: 'regex',
-      fileMatch: ['.vscode/settings\\.json$'],
+      managerFilePatterns: [
+        '/.vscode/settings\\.json$/',
+      ],
       matchStrings: [
         'https:\\/\\/raw\\.githubusercontent\\.com\\/(?<depName>[^\\s]+?)\\/(?<currentValue>v[0-9.]+?)\\/schema\\/helm-testsuite\\.json',
       ],
       datasourceTemplate: 'github-releases',
     },
     {
-      'description': 'Automatically detect new Gitea releases',
-      'customType': 'regex',
-      'fileMatch': ['(^|/)Chart\\.yaml$'],
-      'matchStrings': [
+      description: 'Automatically detect new Gitea releases',
+      customType: 'regex',
+      managerFilePatterns: [
+        '/(^|/)Chart\\.yaml$/',
+      ],
+      matchStrings: [
         '# renovate datasource=(?<datasource>\\S+) depName=(?<depName>\\S+) extractVersion=(?<extractVersion>\\S+)\\nappVersion:\\s?(?<currentValue>\\S+)\\n',
       ],
     },
@@ -51,6 +61,17 @@
         'digest',
       ],
     },
+    {
+      groupName: 'bats testing framework',
+      matchManagers: [
+        'git-submodules',
+      ],
+      matchUpdateTypes: [
+        'minor',
+        'patch',
+        'digest',
+      ],
+    },
     {
       groupName: 'workflow dependencies (minor & patch)',
       matchManagers: [
@@ -63,6 +84,25 @@
         'patch',
         'digest',
       ],
+      matchFileNames: [
+        '!Chart.yaml',
+      ],
+    },
+    {
+      description: 'Update README.md on changes in values.yaml',
+      matchManagers: [
+        'helm-values',
+      ],
+      postUpgradeTasks: {
+        commands: [
+          'install-tool node',
+          'make readme',
+        ],
+        fileFilters: [
+          'README.md',
+        ],
+        executionMode: 'update',
+      },
     },
     {
       description: 'Override changelog url for Helm image, to have release notes in our PRs',
@@ -71,5 +111,14 @@
       ],
       changelogUrl: 'https://github.com/helm/helm',
     },
+    {
+      description: 'Bump Gitea as fast as possible - not only on weekends',
+      matchDepNames: [
+        'go-gitea/gitea',
+      ],
+      schedule: [
+        'at any time',
+      ],
+    },
   ],
 }

scripts/act_runner/token.sh

@@ -0,0 +1,43 @@
+#!/bin/sh
+
+set -eu
+
+timeout_delay=15
+
+check_token() {
+  set +e
+
+  echo "Checking for existing token..."
+  token="$(kubectl get secret "$SECRET_NAME" -o jsonpath="{.data['token']}" 2> /dev/null)"
+  [ $? -ne 0 ] && return 1
+  [ -z "$token" ] && return 2
+  return 0
+}
+
+create_token() {
+  echo "Waiting for new token to be generated..."
+  begin=$(date +%s)
+  end=$((begin + timeout_delay))
+  while true; do
+    [ -f /data/actions/token ] && return 0
+    [ "$(date +%s)" -gt $end ] && return 1
+    sleep 5
+  done
+}
+
+store_token() {
+  echo "Storing the token in Kubernetes secret..."
+  kubectl patch secret "$SECRET_NAME" -p "{\"data\":{\"token\":\"$(base64 /data/actions/token | tr -d '\n')\"}}"
+}
+
+if check_token; then
+  echo "Key already in place, exiting."
+  exit
+fi
+
+if ! create_token; then
+  echo "Checking for an existing act runner token in secret $SECRET_NAME timed out after $timeout_delay"
+  exit 1
+fi
+
+store_token

scripts/init-containers/config/config_environment.sh

@@ -0,0 +1,154 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+function env2ini::log() {
+  printf "${1}\n"
+}
+
+function env2ini::read_config_to_env() {
+  local section="${1}"
+  local line="${2}"
+
+  if [[ -z "${line}" ]]; then
+    # skip empty line
+    return
+  fi
+
+  # 'xargs echo -n' trims all leading/trailing whitespaces and a trailing new line
+  local setting="$(awk -F '=' '{print $1}' <<< "${line}" | xargs echo -n)"
+
+  if [[ -z "${setting}" ]]; then
+    env2ini::log '  ! invalid setting'
+    exit 1
+  fi
+
+  local value=''
+  local regex="^${setting}(\s*)=(\s*)(.*)"
+  if [[ $line =~ $regex ]]; then
+    value="${BASH_REMATCH[3]}"
+  else
+    env2ini::log '  ! invalid setting'
+    exit 1
+  fi
+
+  env2ini::log "    + '${setting}'"
+
+  if [[ -z "${section}" ]]; then
+    export "GITEA____${setting^^}=${value}"                           # '^^' makes the variable content uppercase
+    return
+  fi
+
+  local masked_section="${section//./_0X2E_}"                            # '//' instructs to replace all matches
+  masked_section="${masked_section//-/_0X2D_}"
+
+  export "GITEA__${masked_section^^}__${setting^^}=${value}"        # '^^' makes the variable content uppercase
+}
+
+function env2ini::reload_preset_envs() {
+  env2ini::log "Reloading preset envs..."
+
+  while read -r line; do
+    if [[ -z "${line}" ]]; then
+      # skip empty line
+      return
+    fi
+
+    # 'xargs echo -n' trims all leading/trailing whitespaces and a trailing new line
+    local setting="$(awk -F '=' '{print $1}' <<< "${line}" | xargs echo -n)"
+
+    if [[ -z "${setting}" ]]; then
+      env2ini::log '  ! invalid setting'
+      exit 1
+    fi
+
+    local value=''
+    local regex="^${setting}(\s*)=(\s*)(.*)"
+    if [[ $line =~ $regex ]]; then
+      value="${BASH_REMATCH[3]}"
+    else
+      env2ini::log '  ! invalid setting'
+      exit 1
+    fi
+
+    env2ini::log "  + '${setting}'"
+
+    export "${setting^^}=${value}"                           # '^^' makes the variable content uppercase
+  done < "$TMP_EXISTING_ENVS_FILE"
+
+  rm $TMP_EXISTING_ENVS_FILE
+}
+
+
+function env2ini::process_config_file() {
+  local config_file="${1}"
+  local section="$(basename "${config_file}")"
+
+  if [[ $section == '_generals_' ]]; then
+    env2ini::log "  [ini root]"
+    section=''
+  else
+    env2ini::log "  ${section}"
+  fi
+
+  while read -r line; do
+    env2ini::read_config_to_env "${section}" "${line}"
+  done < <(awk 1 "${config_file}")                             # Helm .toYaml trims the trailing new line which breaks line processing; awk 1 ... adds it back while reading
+}
+
+function env2ini::load_config_sources() {
+  local path="${1}"
+
+  if [[ -d "${path}" ]]; then
+    env2ini::log "Processing $(basename "${path}")..."
+
+    while read -d '' configFile; do
+      env2ini::process_config_file "${configFile}"
+    done < <(find "${path}" -type l -not -name '..data' -print0)
+
+    env2ini::log "\n"
+  fi
+}
+
+function env2ini::generate_initial_secrets() {
+  # These environment variables will either be
+  #   - overwritten with user defined values,
+  #   - initially used to set up Gitea
+  # Anyway, they won't harm existing app.ini files
+
+  export GITEA__SECURITY__INTERNAL_TOKEN=$(gitea generate secret INTERNAL_TOKEN)
+  export GITEA__SECURITY__SECRET_KEY=$(gitea generate secret SECRET_KEY)
+  export GITEA__OAUTH2__JWT_SECRET=$(gitea generate secret JWT_SECRET)
+  export GITEA__SERVER__LFS_JWT_SECRET=$(gitea generate secret LFS_JWT_SECRET)
+
+  env2ini::log "...Initial secrets generated\n"
+}
+
+# save existing envs prior to script execution. Necessary to keep order of preexisting and custom envs
+env | (grep -e '^GITEA__' || [[ $? == 1 ]]) > $TMP_EXISTING_ENVS_FILE
+
+# MUST BE CALLED BEFORE OTHER CONFIGURATION
+env2ini::generate_initial_secrets
+
+env2ini::load_config_sources "$ENV_TO_INI_MOUNT_POINT/inlines/"
+env2ini::load_config_sources "$ENV_TO_INI_MOUNT_POINT/additionals/"
+
+# load existing envs to override auto generated envs
+env2ini::reload_preset_envs
+
+env2ini::log "=== All configuration sources loaded ===\n"
+
+# safety to prevent rewrite of secret keys if an app.ini already exists
+if [ -f ${GITEA_APP_INI} ]; then
+  env2ini::log 'An app.ini file already exists. To prevent overwriting secret keys, these settings are dropped and remain unchanged:'
+  env2ini::log '  - security.INTERNAL_TOKEN'
+  env2ini::log '  - security.SECRET_KEY'
+  env2ini::log '  - oauth2.JWT_SECRET'
+  env2ini::log '  - server.LFS_JWT_SECRET'
+
+  unset GITEA__SECURITY__INTERNAL_TOKEN
+  unset GITEA__SECURITY__SECRET_KEY
+  unset GITEA__OAUTH2__JWT_SECRET
+  unset GITEA__SERVER__LFS_JWT_SECRET
+fi
+
+environment-to-ini -o $GITEA_APP_INI

scripts/init-containers/init/configure_gpg_environment.sh

@@ -0,0 +1,4 @@
+#!/usr/bin/env bash
+set -eu
+
+gpg --batch --import "$TMP_RAW_GPG_KEY"

templates/_helpers.tpl

@@ -25,6 +25,13 @@ If release name contains chart name it will be used as a full name.
 {{- end -}}
 {{- end -}}
 
+{{/*
+Create a default worker name.
+*/}}
+{{- define "gitea.workername" -}}
+{{- printf "%s-%s" .global.Release.Name .worker | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
 {{/*
 Create chart name and version as used by the chart label.
 */}}
@@ -92,6 +99,15 @@ version: {{ .Values.image.tag | default .Chart.AppVersion | quote }}
 app.kubernetes.io/managed-by: {{ .Release.Service }}
 {{- end -}}
 
+{{- define "gitea.labels.actRunner" -}}
+helm.sh/chart: {{ include "gitea.chart" . }}
+app: {{ include "gitea.name" . }}-act-runner
+{{ include "gitea.selectorLabels.actRunner" . }}
+app.kubernetes.io/version: {{ .Values.image.tag | default .Chart.AppVersion | quote }}
+version: {{ .Values.image.tag | default .Chart.AppVersion | quote }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end -}}
+
 {{/*
 Selector labels
 */}}
@@ -100,6 +116,11 @@ app.kubernetes.io/name: {{ include "gitea.name" . }}
 app.kubernetes.io/instance: {{ .Release.Name }}
 {{- end -}}
 
+{{- define "gitea.selectorLabels.actRunner" -}}
+app.kubernetes.io/name: {{ include "gitea.name" . }}-act-runner
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end -}}
+
 {{- define "postgresql-ha.dns" -}}
 {{- if (index .Values "postgresql-ha").enabled -}}
 {{- printf "%s-postgresql-ha-pgpool.%s.svc.%s:%g" .Release.Name .Release.Namespace .Values.clusterDomain (index .Values "postgresql-ha" "service" "ports" "postgresql") -}}
@@ -112,29 +133,29 @@ app.kubernetes.io/instance: {{ .Release.Name }}
 {{- end -}}
 {{- end -}}
 
-{{- define "redis.dns" -}}
-{{- if and ((index .Values "redis-cluster").enabled) ((index .Values "redis").enabled) -}}
-{{- fail "redis and redis-cluster cannot be enabled at the same time. Please only choose one." -}}
-{{- else if (index .Values "redis-cluster").enabled -}}
-{{- printf "redis+cluster://:%s@%s-redis-cluster-headless.%s.svc.%s:%g/0?pool_size=100&idle_timeout=180s&" (index .Values "redis-cluster").global.redis.password .Release.Name .Release.Namespace .Values.clusterDomain (index .Values "redis-cluster").service.ports.redis -}}
-{{- else if (index .Values "redis").enabled -}}
-{{- printf "redis://:%s@%s-redis-headless.%s.svc.%s:%g/0?pool_size=100&idle_timeout=180s&" (index .Values "redis").global.redis.password .Release.Name .Release.Namespace .Values.clusterDomain (index .Values "redis").master.service.ports.redis -}}
+{{- define "valkey.dns" -}}
+{{- if and ((index .Values "valkey-cluster").enabled) ((index .Values "valkey").enabled) -}}
+{{- fail "valkey and valkey-cluster cannot be enabled at the same time. Please only choose one." -}}
+{{- else if (index .Values "valkey-cluster").enabled -}}
+{{- printf "redis+cluster://:%s@%s-valkey-cluster-headless.%s.svc.%s:%g/0?pool_size=100&idle_timeout=180s&" (index .Values "valkey-cluster").global.valkey.password .Release.Name .Release.Namespace .Values.clusterDomain (index .Values "valkey-cluster").service.ports.valkey -}}
+{{- else if (index .Values "valkey").enabled -}}
+{{- printf "redis://:%s@%s-valkey-headless.%s.svc.%s:%g/0?pool_size=100&idle_timeout=180s&" (index .Values "valkey").global.valkey.password .Release.Name .Release.Namespace .Values.clusterDomain (index .Values "valkey").master.service.ports.valkey -}}
 {{- end -}}
 {{- end -}}
 
-{{- define "redis.port" -}}
-{{- if (index .Values "redis-cluster").enabled -}}
-{{ (index .Values "redis-cluster").service.ports.redis }}
-{{- else if (index .Values "redis").enabled -}}
-{{ (index .Values "redis").master.service.ports.redis }}
+{{- define "valkey.port" -}}
+{{- if (index .Values "valkey-cluster").enabled -}}
+{{ (index .Values "valkey-cluster").service.ports.valkey }}
+{{- else if (index .Values "valkey").enabled -}}
+{{ (index .Values "valkey").master.service.ports.valkey }}
 {{- end -}}
 {{- end -}}
 
-{{- define "redis.servicename" -}}
-{{- if (index .Values "redis-cluster").enabled -}}
-{{- printf "%s-redis-cluster-headless.%s.svc.%s" .Release.Name .Release.Namespace .Values.clusterDomain -}}
-{{- else if (index .Values "redis").enabled -}}
-{{- printf "%s-redis-headless.%s.svc.%s" .Release.Name .Release.Namespace .Values.clusterDomain -}}
+{{- define "valkey.servicename" -}}
+{{- if (index .Values "valkey-cluster").enabled -}}
+{{- printf "%s-valkey-cluster-headless.%s.svc.%s" .Release.Name .Release.Namespace .Values.clusterDomain -}}
+{{- else if (index .Values "valkey").enabled -}}
+{{- printf "%s-valkey-headless.%s.svc.%s" .Release.Name .Release.Namespace .Values.clusterDomain -}}
 {{- end -}}
 {{- end -}}
 
@@ -263,6 +284,9 @@ https
   {{- if not (hasKey .Values.gitea.config "indexer") -}}
     {{- $_ := set .Values.gitea.config "indexer" dict -}}
   {{- end -}}
+  {{- if not (hasKey .Values.gitea.config "actions") -}}
+    {{- $_ := set .Values.gitea.config "actions" dict -}}
+  {{- end -}}
 {{- end -}}
 
 {{- define "gitea.inline_configuration.defaults" -}}
@@ -278,14 +302,17 @@ https
   {{- if not (hasKey .Values.gitea.config.metrics "ENABLED") -}}
     {{- $_ := set .Values.gitea.config.metrics "ENABLED" .Values.gitea.metrics.enabled -}}
   {{- end -}}
-  {{- /* redis queue */ -}}
-  {{- if or ((index .Values "redis-cluster").enabled) ((index .Values "redis").enabled) -}}
+  {{- if and (not (hasKey .Values.gitea.config.metrics "TOKEN")) (.Values.gitea.metrics.token) (.Values.gitea.metrics.enabled) -}}
+    {{- $_ := set .Values.gitea.config.metrics "TOKEN" .Values.gitea.metrics.token -}}
+  {{- end -}}
+  {{- /* valkey queue */ -}}
+  {{- if or ((index .Values "valkey-cluster").enabled) ((index .Values "valkey").enabled) -}}
     {{- $_ := set .Values.gitea.config.queue "TYPE" "redis" -}}
-    {{- $_ := set .Values.gitea.config.queue "CONN_STR" (include "redis.dns" .) -}}
+    {{- $_ := set .Values.gitea.config.queue "CONN_STR" (include "valkey.dns" .) -}}
     {{- $_ := set .Values.gitea.config.session "PROVIDER" "redis" -}}
-    {{- $_ := set .Values.gitea.config.session "PROVIDER_CONFIG" (include "redis.dns" .) -}}
+    {{- $_ := set .Values.gitea.config.session "PROVIDER_CONFIG" (include "valkey.dns" .) -}}
     {{- $_ := set .Values.gitea.config.cache "ADAPTER" "redis" -}}
-    {{- $_ := set .Values.gitea.config.cache "HOST" (include "redis.dns" .) -}}
+    {{- $_ := set .Values.gitea.config.cache "HOST" (include "valkey.dns" .) -}}
   {{- else -}}
     {{- if not (get .Values.gitea.config.session "PROVIDER") -}}
       {{- $_ := set .Values.gitea.config.session "PROVIDER" "memory" -}}
@@ -401,6 +428,18 @@ https
 {{ .Values.serviceAccount.name | default (include "gitea.fullname" .) }}
 {{- end -}}
 
+{{- define "ingress.annotations" -}}
+  {{- if .Values.ingress.annotations }}
+  annotations:
+    {{- $tp := typeOf .Values.ingress.annotations }}
+    {{- if eq $tp "string" }}
+      {{- tpl .Values.ingress.annotations . | nindent 4 }}
+    {{- else }}
+      {{- toYaml .Values.ingress.annotations | nindent 4 }}
+    {{- end }}
+  {{- end }}
+{{- end -}}
+
 {{- define "gitea.admin.passwordMode" -}}
 {{- if has .Values.gitea.admin.passwordMode (tuple "keepUpdated" "initialOnlyNoReset" "initialOnlyRequireReset") -}}
 {{ .Values.gitea.admin.passwordMode }}
@@ -426,3 +465,7 @@ https
   {{- end -}}
   {{- toYaml $probe -}}
 {{- end -}}
+
+{{- define "gitea.metrics-secret-name" -}}
+{{ default (printf "%s-metrics-secret" (include "gitea.fullname" .)) }}
+{{- end -}}

templates/gitea/check-actions-not-present.yaml

@@ -0,0 +1,3 @@
+{{- if .Values.actions -}}
+    {{- fail "The actions sub-chart has been outsourced to a dedicated chart available at https://gitea.com/gitea/helm-actions. For assistance with the migration process, check https://gitea.com/gitea/helm-actions/issues/9." -}}
+{{- end -}}

templates/gitea/config.yaml

@@ -18,6 +18,7 @@ metadata:
     {{- include "gitea.labels" . | nindent 4 }}
 type: Opaque
 stringData:
+{{ (.Files.Glob "scripts/init-containers/config/*.sh").AsConfig | indent 2 }}
   assertions: |
 
     {{- /*assert that only one PG dep is enabled */ -}}
@@ -30,13 +31,13 @@ stringData:
       {{- if .Values.gitea.config.cron -}}
         {{- if .Values.gitea.config.cron.GIT_GC_REPOS -}}
           {{- if eq .Values.gitea.config.cron.GIT_GC_REPOS.ENABLED true -}}
-            {{ fail "Invoking the garbage collector via CRON is not yet supported when running with multiple replicas. Please set 'cron.GIT_GC_REPOS.enabled = false'." }}
+            {{ fail "Invoking the garbage collector via CRON is not yet supported when running with multiple replicas. Please set 'gitea.config.cron.GIT_GC_REPOS.enabled = false'." }}
           {{- end }}
         {{- end }}
       {{- end }}
     
       {{- if eq (first .Values.persistence.accessModes) "ReadWriteOnce" -}}
-        {{- fail "When using multiple replicas, a RWX file system is required and gitea.persistence.accessModes[0] must be set to ReadWriteMany." -}}
+        {{- fail "When using multiple replicas, a RWX file system is required and persistence.accessModes[0] must be set to ReadWriteMany." -}}
       {{- end }}
       {{- if .Values.gitea.config.indexer -}}
         {{- if eq .Values.gitea.config.indexer.ISSUE_INDEXER_TYPE "bleve" -}}
@@ -54,158 +55,3 @@ stringData:
       {{- end }}
       
     {{- end }}
-  config_environment.sh: |-
-    #!/usr/bin/env bash
-    set -euo pipefail
-
-    function env2ini::log() {
-      printf "${1}\n"
-    }
-
-    function env2ini::read_config_to_env() {
-      local section="${1}"
-      local line="${2}"
-
-      if [[ -z "${line}" ]]; then
-        # skip empty line
-        return
-      fi
-      
-      # 'xargs echo -n' trims all leading/trailing whitespaces and a trailing new line
-      local setting="$(awk -F '=' '{print $1}' <<< "${line}" | xargs echo -n)"
-
-      if [[ -z "${setting}" ]]; then
-        env2ini::log '  ! invalid setting'
-        exit 1
-      fi
-
-      local value=''
-      local regex="^${setting}(\s*)=(\s*)(.*)"
-      if [[ $line =~ $regex ]]; then
-        value="${BASH_REMATCH[3]}"
-      else
-        env2ini::log '  ! invalid setting'
-        exit 1
-      fi
-
-      env2ini::log "    + '${setting}'"
-
-      if [[ -z "${section}" ]]; then
-        export "GITEA____${setting^^}=${value}"                           # '^^' makes the variable content uppercase
-        return
-      fi
-
-      local masked_section="${section//./_0X2E_}"                            # '//' instructs to replace all matches
-      masked_section="${masked_section//-/_0X2D_}"
-
-      export "GITEA__${masked_section^^}__${setting^^}=${value}"        # '^^' makes the variable content uppercase
-    }
-
-    function env2ini::reload_preset_envs() {
-      env2ini::log "Reloading preset envs..."
-
-      while read -r line; do
-        if [[ -z "${line}" ]]; then
-          # skip empty line
-          return
-        fi
-
-        # 'xargs echo -n' trims all leading/trailing whitespaces and a trailing new line
-        local setting="$(awk -F '=' '{print $1}' <<< "${line}" | xargs echo -n)"
-
-        if [[ -z "${setting}" ]]; then
-          env2ini::log '  ! invalid setting'
-          exit 1
-        fi
-
-        local value=''
-        local regex="^${setting}(\s*)=(\s*)(.*)"
-        if [[ $line =~ $regex ]]; then
-          value="${BASH_REMATCH[3]}"
-        else
-          env2ini::log '  ! invalid setting'
-          exit 1
-        fi
-
-        env2ini::log "  + '${setting}'"
-
-        export "${setting^^}=${value}"                           # '^^' makes the variable content uppercase
-      done < "/tmp/existing-envs"
-
-      rm /tmp/existing-envs
-    }
-
-
-    function env2ini::process_config_file() {
-      local config_file="${1}"
-      local section="$(basename "${config_file}")"
-
-      if [[ $section == '_generals_' ]]; then
-        env2ini::log "  [ini root]"
-        section=''
-      else
-        env2ini::log "  ${section}"
-      fi
-
-      while read -r line; do
-        env2ini::read_config_to_env "${section}" "${line}"
-      done < <(awk 1 "${config_file}")                             # Helm .toYaml trims the trailing new line which breaks line processing; awk 1 ... adds it back while reading
-    }
-
-    function env2ini::load_config_sources() {
-      local path="${1}"
-
-      if [[ -d "${path}" ]]; then
-        env2ini::log "Processing $(basename "${path}")..."
-
-        while read -d '' configFile; do
-          env2ini::process_config_file "${configFile}"
-        done < <(find "${path}" -type l -not -name '..data' -print0)
-
-        env2ini::log "\n"
-      fi
-    }
-
-    function env2ini::generate_initial_secrets() {
-      # These environment variables will either be
-      #   - overwritten with user defined values,
-      #   - initially used to set up Gitea
-      # Anyway, they won't harm existing app.ini files
-
-      export GITEA__SECURITY__INTERNAL_TOKEN=$(gitea generate secret INTERNAL_TOKEN)
-      export GITEA__SECURITY__SECRET_KEY=$(gitea generate secret SECRET_KEY)
-      export GITEA__OAUTH2__JWT_SECRET=$(gitea generate secret JWT_SECRET)
-      export GITEA__SERVER__LFS_JWT_SECRET=$(gitea generate secret LFS_JWT_SECRET)
-
-      env2ini::log "...Initial secrets generated\n"
-    }
-    
-    # save existing envs prior to script execution. Necessary to keep order of preexisting and custom envs
-    env | (grep -e '^GITEA__' || [[ $? == 1 ]]) > /tmp/existing-envs
-    
-    # MUST BE CALLED BEFORE OTHER CONFIGURATION
-    env2ini::generate_initial_secrets
-
-    env2ini::load_config_sources '/env-to-ini-mounts/inlines/'
-    env2ini::load_config_sources '/env-to-ini-mounts/additionals/'
-
-    # load existing envs to override auto generated envs
-    env2ini::reload_preset_envs
-
-    env2ini::log "=== All configuration sources loaded ===\n"
-
-    # safety to prevent rewrite of secret keys if an app.ini already exists
-    if [ -f ${GITEA_APP_INI} ]; then
-      env2ini::log 'An app.ini file already exists. To prevent overwriting secret keys, these settings are dropped and remain unchanged:'
-      env2ini::log '  - security.INTERNAL_TOKEN'
-      env2ini::log '  - security.SECRET_KEY'
-      env2ini::log '  - oauth2.JWT_SECRET'
-      env2ini::log '  - server.LFS_JWT_SECRET'
-
-      unset GITEA__SECURITY__INTERNAL_TOKEN
-      unset GITEA__SECURITY__SECRET_KEY
-      unset GITEA__OAUTH2__JWT_SECRET
-      unset GITEA__SERVER__LFS_JWT_SECRET
-    fi
-
-    environment-to-ini -o $GITEA_APP_INI

templates/gitea/deployment.yaml

@@ -62,7 +62,8 @@ spec:
         - name: init-directories
           image: "{{ include "gitea.image" . }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
-          command: ["/usr/sbin/init_directory_structure.sh"]
+          command:
+            - "{{ .Values.initContainersScriptsVolumeMountPath }}/init_directory_structure.sh"
           env:
             - name: GITEA_APP_INI
               value: /data/gitea/conf/app.ini
@@ -81,7 +82,7 @@ spec:
             {{- end }}
           volumeMounts:
             - name: init
-              mountPath: /usr/sbin
+              mountPath: {{ .Values.initContainersScriptsVolumeMountPath }}
             - name: temp
               mountPath: /tmp
             - name: data
@@ -97,7 +98,8 @@ spec:
         - name: init-app-ini
           image: "{{ include "gitea.image" . }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
-          command: ["/usr/sbin/config_environment.sh"]
+          command: 
+          - "{{ .Values.initContainersScriptsVolumeMountPath }}/config_environment.sh"
           env:
             - name: GITEA_APP_INI
               value: /data/gitea/conf/app.ini
@@ -107,15 +109,19 @@ spec:
               value: /data
             - name: GITEA_TEMP
               value: /tmp/gitea
+            - name: TMP_EXISTING_ENVS_FILE
+              value: /tmp/existing-envs
+            - name: ENV_TO_INI_MOUNT_POINT
+              value: /env-to-ini-mounts
             {{- if .Values.deployment.env }}
             {{- toYaml .Values.deployment.env | nindent 12 }}
             {{- end }}
             {{- if .Values.gitea.additionalConfigFromEnvs }}
-            {{- toYaml .Values.gitea.additionalConfigFromEnvs | nindent 12 }}
+            {{- tpl (toYaml .Values.gitea.additionalConfigFromEnvs) $ | nindent 12 }}
             {{- end }}
           volumeMounts:
             - name: config
-              mountPath: /usr/sbin
+              mountPath: {{ .Values.initContainersScriptsVolumeMountPath }}
             - name: temp
               mountPath: /tmp
             - name: data
@@ -137,7 +143,8 @@ spec:
         {{- if .Values.signing.enabled }}
         - name: configure-gpg
           image: "{{ include "gitea.image" . }}"
-          command: ["/usr/sbin/configure_gpg_environment.sh"]
+          command: 
+          - "{{ .Values.initContainersScriptsVolumeMountPath }}/configure_gpg_environment.sh"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
           securityContext:
             {{- /* By default this container runs as user 1000 unless otherwise stated */ -}}
@@ -149,9 +156,11 @@ spec:
           env:
             - name: GNUPGHOME
               value: {{ .Values.signing.gpgHome }}
+            - name: TMP_RAW_GPG_KEY
+              value: /raw/private.asc
           volumeMounts:
             - name: init
-              mountPath: /usr/sbin
+              mountPath: {{ .Values.initContainersScriptsVolumeMountPath }}
             - name: data
               mountPath: /data
               {{- if .Values.persistence.subPath }}
@@ -168,7 +177,8 @@ spec:
         {{- end }}
         - name: configure-gitea
           image: "{{ include "gitea.image" . }}"
-          command: ["/usr/sbin/configure_gitea.sh"]
+          command:
+          - "{{ .Values.initContainersScriptsVolumeMountPath }}/configure_gitea.sh"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
           securityContext:
             {{- /* By default this container runs as user 1000 unless otherwise stated */ -}}
@@ -251,7 +261,7 @@ spec:
             {{- end }}
           volumeMounts:
             - name: init
-              mountPath: /usr/sbin
+              mountPath: {{ .Values.initContainersScriptsVolumeMountPath }}
             - name: temp
               mountPath: /tmp
             - name: data
@@ -285,6 +295,13 @@ spec:
               value: /data
             - name: GITEA_TEMP
               value: /tmp/gitea
+            {{- if and (hasKey .Values.resources "limits") (hasKey .Values.resources.limits "cpu") }}
+            - name: GOMAXPROCS
+              valueFrom:
+                resourceFieldRef:
+                  divisor: "1"
+                  resource: limits.cpu
+            {{- end }}
             - name: TMPDIR
               value: /tmp/gitea
             {{- if .Values.image.rootless }}
@@ -347,16 +364,16 @@ spec:
       hostAliases:
         {{- toYaml . | nindent 8 }}
       {{- end }}
-      {{- with .Values.nodeSelector }}
+      {{- range $key, $value := .Values.nodeSelector }}
       nodeSelector:
-        {{- toYaml . | nindent 8 }}
+        {{ $key }}: {{ $value | quote }}
       {{- end }}
     {{- with .Values.affinity }}
       affinity:
         {{- toYaml . | nindent 8 }}
     {{- end }}
     {{- with .Values.topologySpreadConstraints }}
-      topologySpreadConstraints: 
+      topologySpreadConstraints:
         {{- toYaml . | nindent 8 }}
     {{- end }}
     {{- with .Values.tolerations }}

templates/gitea/ingress.yaml

@@ -1,15 +1,7 @@
 {{- if .Values.ingress.enabled -}}
 {{- $fullName := include "gitea.fullname" . -}}
 {{- $httpPort := .Values.service.http.port -}}
-{{- $apiVersion := "extensions/v1beta1" -}}
-{{- if .Values.ingress.apiVersion -}}
-{{- $apiVersion = .Values.ingress.apiVersion -}}
-{{- else if .Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress" -}}
-{{- $apiVersion = "networking.k8s.io/v1" }}
-{{- else if .Capabilities.APIVersions.Has "networking.k8s.io/v1beta1/Ingress" -}}
-{{- $apiVersion = "networking.k8s.io/v1beta1" }}
-{{- end }}
-apiVersion: {{ $apiVersion }}
+apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
   name: {{ $fullName }}
@@ -21,9 +13,7 @@ metadata:
       {{ $key }}: {{ $value | quote }}
     {{- end }}
 spec:
-{{- if .Values.ingress.className }}
   ingressClassName: {{ tpl .Values.ingress.className . }}
-{{- end }}
 {{- if .Values.ingress.tls }}
   tls:
   {{- range .Values.ingress.tls }}
@@ -39,21 +29,34 @@ spec:
     - host: {{ tpl .host $ | quote }}
       http:
         paths:
+          {{- if .paths }}
           {{- range .paths }}
-          - path: {{ .path }}
-            {{- if and .pathType (eq $apiVersion "networking.k8s.io/v1") }}
-            pathType: {{ .pathType }}
-            {{- end }}
+          {{- if kindIs "string" . }}
+          - path: {{ . }}
+            pathType: {{ default "Prefix" $.Values.ingress.pathType }}
+            backend:
+              service:
+                name: {{ $fullName }}-http
+                port:
+                  number: {{ $httpPort }}
+          {{- else }}
+          - path: {{ .path | default "/" }}
+            pathType: {{ .pathType | default "Prefix" }}
+            backend:
+              service:
+                name: {{ $fullName }}-http
+                port:
+                  number: {{ $httpPort }}
+          {{- end }}
+          {{- end }}
+          {{- else }}
+          - path: "/"
+            pathType: "Prefix"
             backend:
-            {{- if eq $apiVersion "networking.k8s.io/v1" }}
               service:
                 name: {{ $fullName }}-http
                 port:
                   number: {{ $httpPort }}
-            {{- else }}
-              serviceName: {{ $fullName }}-http
-              servicePort: {{ $httpPort }}
-            {{- end }}
           {{- end }}
     {{- end }}
 {{- end }}

templates/gitea/init.yaml

@@ -7,11 +7,7 @@ metadata:
     {{- include "gitea.labels" . | nindent 4 }}
 type: Opaque
 stringData:
-  configure_gpg_environment.sh: |-
-    #!/usr/bin/env bash
-    set -eu
-
-    gpg --batch --import /raw/private.asc
+{{ (.Files.Glob "scripts/init-containers/init/*.sh").AsConfig | indent 2 }}
   init_directory_structure.sh: |-
     #!/usr/bin/env bash
 
@@ -61,25 +57,25 @@ stringData:
       exit 1
     }
 
-    {{- if include "redis.servicename" . }}
-    function test_redis_connection() {
+    {{- if include "valkey.servicename" . }}
+    function test_valkey_connection() {
       local RETRY=0
       local MAX=30
       
-      echo 'Wait for redis to become avialable...'
+      echo 'Wait for valkey to become avialable...'
       until [ "${RETRY}" -ge "${MAX}" ]; do
-        nc -vz -w2 {{ include "redis.servicename" . }} {{ include "redis.port" . }} && break
+        nc -vz -w2 {{ include "valkey.servicename" . }} {{ include "valkey.port" . }} && break
         RETRY=$[${RETRY}+1]
         echo "...not ready yet (${RETRY}/${MAX})"
       done
 
       if [ "${RETRY}" -ge "${MAX}" ]; then
-        echo "Redis not reachable after '${MAX}' attempts!"
+        echo "Valkey not reachable after '${MAX}' attempts!"
         exit 1
       fi
     }
 
-    test_redis_connection
+    test_valkey_connection
     {{- end }}
     
 
@@ -98,7 +94,7 @@ stringData:
 
         echo "ERROR: 'configure_admin_user' was not able to determine the current list of admin users."
         echo "       Please review the output of 'gitea admin user list --admin' shown below."
-        echo "       If you think it is an issue with the Helm Chart provisioning, file an issue at https://gitea.com/gitea/helm-chart/issues."
+        echo "       If you think it is an issue with the Helm Chart provisioning, file an issue at https://gitea.com/gitea/helm-gitea/issues."
         echo "DEBUG: Output of 'gitea admin user list --admin'"
         echo "--"
         echo "${full_admin_list}"
@@ -121,7 +117,7 @@ stringData:
       else
         if [[ "${GITEA_ADMIN_PASSWORD_MODE}" = keepUpdated ]]; then
           echo "Admin account '${GITEA_ADMIN_USERNAME}' already exist. Running update to sync password..."
-          # See https://gitea.com/gitea/helm-chart/issues/673
+          # See https://gitea.com/gitea/helm-gitea/issues/673
           # --must-change-password argument was added to change-password, defaulting to true, counter to the previous behavior
           #   which acted as if it were provided with =false. If the argument is present in this version of gitea, then we
           #   should add it to prevent requiring frequent admin password resets.
@@ -158,7 +154,7 @@ stringData:
 
         echo "ERROR: 'configure_ldap' was not able to determine the current list of authentication sources."
         echo "       Please review the output of 'gitea admin auth list --vertical-bars' shown below."
-        echo "       If you think it is an issue with the Helm Chart provisioning, file an issue at https://gitea.com/gitea/helm-chart/issues."
+        echo "       If you think it is an issue with the Helm Chart provisioning, file an issue at https://gitea.com/gitea/helm-gitea/issues."
         echo "DEBUG: Output of 'gitea admin auth list --vertical-bars'"
         echo "--"
         echo "${full_auth_list}"
@@ -202,7 +198,7 @@ stringData:
 
         echo "ERROR: 'configure_oauth' was not able to determine the current list of authentication sources."
         echo "       Please review the output of 'gitea admin auth list --vertical-bars' shown below."
-        echo "       If you think it is an issue with the Helm Chart provisioning, file an issue at https://gitea.com/gitea/helm-chart/issues."
+        echo "       If you think it is an issue with the Helm Chart provisioning, file an issue at https://gitea.com/gitea/helm-gitea/issues."
         echo "DEBUG: Output of 'gitea admin auth list --vertical-bars'"
         echo "--"
         echo "${full_auth_list}"
@@ -229,4 +225,4 @@ stringData:
 
     configure_oauth
 
-    echo '==== END GITEA CONFIGURATION ===='
+    echo '==== END GITEA CONFIGURATION ===='

templates/gitea/metrics-secret.yaml

@@ -0,0 +1,12 @@
+{{- if and (.Values.gitea.metrics.enabled) (.Values.gitea.metrics.serviceMonitor.enabled) (.Values.gitea.metrics.token) -}}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "gitea.metrics-secret-name" . }}
+  namespace: {{ .Values.namespace | default .Release.Namespace }}
+  labels:
+    {{- include "gitea.labels" . | nindent 4 }}
+type: Opaque
+data:
+  token: {{ .Values.gitea.metrics.token  | b64enc }}
+{{- end }}

templates/gitea/servicemonitor.yaml

@@ -32,4 +32,12 @@ spec:
     tlsConfig:
       {{- . | toYaml | nindent 6 }}
     {{- end }}
+    {{- if .Values.gitea.metrics.token }}
+    authorization:
+      type: Bearer
+      credentials:
+        name: {{ include "gitea.metrics-secret-name" . }}
+        key: token
+        optional: false
+    {{- end }}
 {{- end -}}

unittests/bash/bats

@@ -0,0 +1 @@
+Subproject commit 5ec2d815109358b3ad86f5aabf289d96e6535ac5

unittests/bash/test_helper/bats-assert

@@ -0,0 +1 @@
+Subproject commit b93143a1bfbde41d9b7343aab0d36f3ef6549e6b

unittests/bash/test_helper/bats-mock

@@ -0,0 +1 @@
+Subproject commit 93e0128b8787db05a2632c70501cd667dd35d253

unittests/bash/test_helper/bats-support

@@ -0,0 +1 @@
+Subproject commit d007fc1f451abbad55204fa9c9eb3e6ed5dc5f61

unittests/bash/test_helper/common-setup.bash

@@ -0,0 +1,7 @@
+#!/usr/bin/env bash
+
+function common_setup() {
+  load "$TEST_ROOT/test_helper/bats-support/load"
+  load "$TEST_ROOT/test_helper/bats-assert/load"
+  load "$TEST_ROOT/test_helper/bats-mock/stub"
+}

unittests/bash/tests/init-containers/config/config_environment.bats

@@ -0,0 +1,204 @@
+#!/usr/bin/env bats
+
+function setup() {
+  PROJECT_ROOT="$(git rev-parse --show-toplevel)"
+  TEST_ROOT="$PROJECT_ROOT/unittests/bash"
+  load "$TEST_ROOT/test_helper/common-setup"
+  common_setup
+
+  export GITEA_APP_INI="$BATS_TEST_TMPDIR/app.ini"
+  export TMP_EXISTING_ENVS_FILE="$BATS_TEST_TMPDIR/existing-envs"
+  export ENV_TO_INI_MOUNT_POINT="$BATS_TEST_TMPDIR/env-to-ini-mounts"
+
+  stub gitea \
+      "generate secret INTERNAL_TOKEN : echo 'mocked-internal-token'" \
+      "generate secret SECRET_KEY : echo 'mocked-secret-key'" \
+      "generate secret JWT_SECRET : echo 'mocked-jwt-secret'" \
+      "generate secret LFS_JWT_SECRET : echo 'mocked-lfs-jwt-secret'"
+}
+
+function teardown() {
+  unstub gitea
+  # This condition exists due to https://github.com/jasonkarns/bats-mock/pull/37 being still open
+  if [ $ENV_TO_INI_EXPECTED -eq 1 ]; then
+    unstub environment-to-ini
+  fi
+}
+
+# This function exists due to https://github.com/jasonkarns/bats-mock/pull/37 being still open
+function expect_environment_to_ini_call() {
+  export ENV_TO_INI_EXPECTED=1
+  stub environment-to-ini \
+    "-o $GITEA_APP_INI : echo 'Stubbed environment-to-ini was called!'"
+}
+
+function execute_test_script() {
+  currentEnvsBefore=$(env | sort)
+  source $PROJECT_ROOT/scripts/init-containers/config/config_environment.sh
+  local exitCode=$?
+  currentEnvsAfter=$(env | sort)
+
+  # diff as unified +/- output without context before/after
+  diff --unified=0 <(echo "$currentEnvsBefore") <(echo "$currentEnvsAfter")
+
+  exit $exitCode
+}
+
+function write_mounted_file() {
+  # either "inlines" or "additionals"
+  scope="${1}"
+  file="${2}"
+  content="${3}"
+
+  mkdir -p "$ENV_TO_INI_MOUNT_POINT/$scope/..data/"
+  echo "${content}" > "$ENV_TO_INI_MOUNT_POINT/$scope/..data/$file"
+  ln -sf "$ENV_TO_INI_MOUNT_POINT/$scope/..data/$file" "$ENV_TO_INI_MOUNT_POINT/$scope/$file"
+}
+
+@test "works as expected when nothing is configured" {
+  expect_environment_to_ini_call
+  run $PROJECT_ROOT/scripts/init-containers/config/config_environment.sh
+
+  assert_success
+  assert_line '...Initial secrets generated'
+  assert_line 'Reloading preset envs...'
+  assert_line '=== All configuration sources loaded ==='
+  assert_line 'Stubbed environment-to-ini was called!'
+}
+
+@test "exports initial secrets" {
+  expect_environment_to_ini_call
+  run execute_test_script
+
+  assert_success
+  assert_line '+GITEA__OAUTH2__JWT_SECRET=mocked-jwt-secret'
+  assert_line '+GITEA__SECURITY__INTERNAL_TOKEN=mocked-internal-token'
+  assert_line '+GITEA__SECURITY__SECRET_KEY=mocked-secret-key'
+  assert_line '+GITEA__SERVER__LFS_JWT_SECRET=mocked-lfs-jwt-secret'
+}
+
+@test "does NOT export initial secrets when app.ini already exists" {
+  expect_environment_to_ini_call
+  touch $GITEA_APP_INI
+
+  run execute_test_script
+
+  assert_success
+  assert_line --partial 'An app.ini file already exists.'
+  refute_line '+GITEA__OAUTH2__JWT_SECRET=mocked-jwt-secret'
+  refute_line '+GITEA__SECURITY__INTERNAL_TOKEN=mocked-internal-token'
+  refute_line '+GITEA__SECURITY__SECRET_KEY=mocked-secret-key'
+  refute_line '+GITEA__SERVER__LFS_JWT_SECRET=mocked-lfs-jwt-secret'
+}
+
+@test "ensures that preset environment variables take precedence over auto-generated ones" {
+  expect_environment_to_ini_call
+  export GITEA__OAUTH2__JWT_SECRET="pre-defined-jwt-secret"
+
+  run execute_test_script
+
+  assert_success
+  refute_line '+GITEA__OAUTH2__JWT_SECRET=mocked-jwt-secret'
+}
+
+@test "ensures that preset environment variables take precedence over mounted ones" {
+  expect_environment_to_ini_call
+  export GITEA__OAUTH2__JWT_SECRET="pre-defined-jwt-secret"
+  write_mounted_file "inlines" "oauth2" "$(cat << EOF
+JWT_SECRET=inline-jwt-secret
+EOF
+)"
+
+  run execute_test_script
+
+  assert_success
+  refute_line '+GITEA__OAUTH2__JWT_SECRET=mocked-jwt-secret'
+  refute_line '+GITEA__OAUTH2__JWT_SECRET=inline-jwt-secret'
+}
+
+@test "ensures that additionals take precedence over inlines" {
+  expect_environment_to_ini_call
+  write_mounted_file "inlines" "oauth2" "$(cat << EOF
+JWT_SECRET=inline-jwt-secret
+EOF
+)"
+  write_mounted_file "additionals" "oauth2" "$(cat << EOF
+JWT_SECRET=additional-jwt-secret
+EOF
+)"
+
+  run execute_test_script
+
+  assert_success
+  refute_line '+GITEA__OAUTH2__JWT_SECRET=mocked-jwt-secret'
+  refute_line '+GITEA__OAUTH2__JWT_SECRET=inline-jwt-secret'
+  assert_line '+GITEA__OAUTH2__JWT_SECRET=additional-jwt-secret'
+}
+
+@test "ensures that dotted/dashed sections are properly masked" {
+  expect_environment_to_ini_call
+  write_mounted_file "inlines" "repository.pull-request" "$(cat << EOF
+WORK_IN_PROGRESS_PREFIXES=WIP:,[WIP]
+EOF
+)"
+
+  run execute_test_script
+
+  assert_success
+  assert_line '+GITEA__REPOSITORY_0X2E_PULL_0X2D_REQUEST__WORK_IN_PROGRESS_PREFIXES=WIP:,[WIP]'
+}
+
+###############################################################
+##### THIS IS A BUG, BUT I WANT IT TO BE COVERED BY TESTS #####
+###############################################################
+@test "ensures uppercase section and setting names (🐞)" {
+  expect_environment_to_ini_call
+  export GITEA__oauth2__JwT_Secret="pre-defined-jwt-secret"
+  write_mounted_file "inlines" "repository.pull-request" "$(cat << EOF
+WORK_IN_progress_PREFIXES=WIP:,[WIP]
+EOF
+)"
+
+  run execute_test_script
+
+  assert_success
+  assert_line '+GITEA__REPOSITORY_0X2E_PULL_0X2D_REQUEST__WORK_IN_PROGRESS_PREFIXES=WIP:,[WIP]'
+  assert_line '+GITEA__OAUTH2__JWT_SECRET=pre-defined-jwt-secret'
+}
+
+@test "treats top-level configuration as section-less" {
+  expect_environment_to_ini_call
+  write_mounted_file "inlines" "_generals_" "$(cat << EOF
+APP_NAME=Hello top-level configuration
+RUN_MODE=dev
+EOF
+)"
+
+  run execute_test_script
+
+  assert_success
+  assert_line '+GITEA____APP_NAME=Hello top-level configuration'
+  assert_line '+GITEA____RUN_MODE=dev'
+}
+
+@test "fails on invalid setting" {
+  write_mounted_file "inlines" "_generals_" "$(cat << EOF
+some random invalid string
+EOF
+)"
+
+  run execute_test_script
+
+  assert_failure
+}
+
+@test "treats empty setting name as invalid setting" {
+  write_mounted_file "inlines" "_generals_" "$(cat << EOF
+=value
+EOF
+)"
+
+  run execute_test_script
+
+  assert_failure
+}

unittests/config/database-section_postgresql-ha.yaml

@@ -1,30 +0,0 @@
-suite: config template | database section (postgresql-ha)
-release:
-  name: gitea-unittests
-  namespace: testing
-tests:
-  - it: connects to pgpool service
-    template: templates/gitea/config.yaml
-    set:
-      postgresql:
-        enabled: false
-      postgresql-ha:
-        enabled: true
-    asserts:
-      - documentIndex: 0
-        matchRegex:
-          path: stringData.database
-          pattern: HOST=gitea-unittests-postgresql-ha-pgpool.testing.svc.cluster.local:5432
-  - it: renders the referenced service
-    template: charts/postgresql-ha/templates/pgpool/service.yaml
-    set:
-      postgresql:
-        enabled: false
-      postgresql-ha:
-        enabled: true
-    asserts:
-      - containsDocument:
-          kind: Service
-          apiVersion: v1
-          name: gitea-unittests-postgresql-ha-pgpool
-          namespace: testing

unittests/config/database-section_postgresql.yaml

@@ -1,30 +0,0 @@
-suite: config template | database section (postgresql)
-release:
-  name: gitea-unittests
-  namespace: testing
-tests:
-  - it: "connects to postgresql service"
-    template: templates/gitea/config.yaml
-    set:
-      postgresql:
-        enabled: true
-      postgresql-ha:
-        enabled: false
-    asserts:
-      - documentIndex: 0
-        matchRegex:
-          path: stringData.database
-          pattern: HOST=gitea-unittests-postgresql.testing.svc.cluster.local:5432
-  - it: "renders the referenced service"
-    template: charts/postgresql/templates/primary/svc.yaml
-    set:
-      postgresql:
-        enabled: true
-      postgresql-ha:
-        enabled: false
-    asserts:
-      - containsDocument:
-          kind: Service
-          apiVersion: v1
-          name: gitea-unittests-postgresql
-          namespace: testing

unittests/deployment/basic.yaml

@@ -1,31 +0,0 @@
-suite: deployment template (basic)
-release:
-  name: gitea-unittests
-  namespace: testing
-templates:
-  - templates/gitea/deployment.yaml
-  - templates/gitea/config.yaml
-tests:
-  - it: renders a deployment
-    template: templates/gitea/deployment.yaml
-    asserts:
-      - hasDocuments:
-          count: 1
-      - containsDocument:
-          kind: Deployment
-          apiVersion: apps/v1
-          name: gitea-unittests
-  - it: deployment labels are set
-    template: templates/gitea/deployment.yaml
-    set:
-      deployment.labels:
-        hello: world
-    asserts:
-      - isSubset:
-          path: metadata.labels
-          content:
-            hello: world
-      - isSubset:
-          path: spec.template.metadata.labels
-          content:
-            hello: world

unittests/helm/check-actions-not-present.yaml

@@ -0,0 +1,12 @@
+suite: Check if actions raises an error
+release:
+  name: gitea-unittests
+  namespace: testing
+tests:
+  - it: fails when trying to configure actions due to removal
+    set:
+      actions:
+        enabled: true
+    asserts:
+      - failedTemplate:
+          errorMessage: The actions sub-chart has been outsourced to a dedicated chart available at https://gitea.com/gitea/helm-actions. For assistance with the migration process, check https://gitea.com/gitea/helm-actions/issues/9.

unittests/helm/config/actions-config.yaml

@@ -0,0 +1,24 @@
+suite: config template | actions config
+release:
+  name: gitea-unittests
+  namespace: testing
+templates:
+  - templates/gitea/config.yaml
+tests:
+  - it: "actions are enabled by default (based on vanilla Gitea behavior)"
+    template: templates/gitea/config.yaml
+    asserts:
+      - documentIndex: 0
+        notExists:
+          path: stringData.actions
+
+  - it: "actions can be disabled via inline config"
+    template: templates/gitea/config.yaml
+    set:
+      gitea.config.actions.ENABLED: false
+    asserts:
+      - documentIndex: 0
+        equal:
+          path: stringData.actions
+          value: |-
+            ENABLED=false

unittests/helm/config/cache-config.yaml

@@ -3,12 +3,12 @@ release:
   name: gitea-unittests
   namespace: testing
 tests:
-  - it: "cache is configured correctly for redis-cluster"
+  - it: "cache is configured correctly for valkey-cluster"
     template: templates/gitea/config.yaml
     set:
-      redis-cluster:
+      valkey-cluster:
         enabled: true
-      redis:
+      valkey:
         enabled: false
     asserts:
       - documentIndex: 0
@@ -16,14 +16,14 @@ tests:
           path: stringData.cache
           value: |-
             ADAPTER=redis
-            HOST=redis+cluster://:@gitea-unittests-redis-cluster-headless.testing.svc.cluster.local:6379/0?pool_size=100&idle_timeout=180s&
+            HOST=redis+cluster://:@gitea-unittests-valkey-cluster-headless.testing.svc.cluster.local:6379/0?pool_size=100&idle_timeout=180s&
 
-  - it: "cache is configured correctly for redis"
+  - it: "cache is configured correctly for valkey"
     template: templates/gitea/config.yaml
     set:
-      redis-cluster:
+      valkey-cluster:
         enabled: false
-      redis:
+      valkey:
         enabled: true
     asserts:
       - documentIndex: 0
@@ -31,14 +31,14 @@ tests:
           path: stringData.cache
           value: |-
             ADAPTER=redis
-            HOST=redis://:changeme@gitea-unittests-redis-headless.testing.svc.cluster.local:6379/0?pool_size=100&idle_timeout=180s&
+            HOST=redis://:changeme@gitea-unittests-valkey-headless.testing.svc.cluster.local:6379/0?pool_size=100&idle_timeout=180s&
 
-  - it: "cache is configured correctly for 'memory' when redis (or redis-cluster) is disabled"
+  - it: "cache is configured correctly for 'memory' when valkey (or valkey-cluster) is disabled"
     template: templates/gitea/config.yaml
     set:
-      redis-cluster:
+      valkey-cluster:
         enabled: false
-      redis:
+      valkey:
         enabled: false
     asserts:
       - documentIndex: 0
@@ -48,12 +48,12 @@ tests:
             ADAPTER=memory
             HOST=
 
-  - it: "cache can be customized when redis (or redis-cluster) is disabled"
+  - it: "cache can be customized when valkey (or valkey-cluster) is disabled"
     template: templates/gitea/config.yaml
     set:
-      redis-cluster:
+      valkey-cluster:
         enabled: false
-      redis:
+      valkey:
         enabled: false
       gitea.config.cache.ADAPTER: custom-adapter
       gitea.config.cache.HOST: custom-host

unittests/helm/config/metrics-section_metrics-token.yaml

@@ -0,0 +1,58 @@
+suite: config template | metrics section (metrics token)
+release:
+  name: gitea-unittests
+  namespace: testing
+tests:
+  - it: metrics token is set
+    template: templates/gitea/config.yaml
+    set:
+      gitea:
+        metrics:
+          enabled: true
+          token: "somepassword"
+    asserts:
+      - documentIndex: 0
+        equal:
+          path: stringData.metrics
+          value: |-
+            ENABLED=true
+            TOKEN=somepassword
+  - it: metrics token is empty
+    template: templates/gitea/config.yaml
+    set:
+      gitea:
+        metrics:
+          enabled: true
+          token: ""
+    asserts:
+      - documentIndex: 0
+        equal:
+          path: stringData.metrics
+          value: |-
+            ENABLED=true
+  - it: metrics token is nil
+    template: templates/gitea/config.yaml
+    set:
+      gitea:
+        metrics:
+          enabled: true
+          token:
+    asserts:
+      - documentIndex: 0
+        equal:
+          path: stringData.metrics
+          value: |-
+            ENABLED=true
+  - it: does not configures a token if metrics are disabled
+    template: templates/gitea/config.yaml
+    set:
+      gitea:
+        metrics:
+          enabled: false
+          token: "somepassword"
+    asserts:
+      - documentIndex: 0
+        equal:
+          path: stringData.metrics
+          value: |-
+            ENABLED=false

unittests/helm/config/queue-config.yaml

@@ -3,42 +3,42 @@ release:
   name: gitea-unittests
   namespace: testing
 tests:
-  - it: "queue is configured correctly for redis-cluster"
+  - it: "queue is configured correctly for valkey-cluster"
     template: templates/gitea/config.yaml
     set:
-      redis-cluster:
+      valkey-cluster:
         enabled: true
-      redis:
+      valkey:
         enabled: false
     asserts:
       - documentIndex: 0
         equal:
           path: stringData.queue
           value: |-
-            CONN_STR=redis+cluster://:@gitea-unittests-redis-cluster-headless.testing.svc.cluster.local:6379/0?pool_size=100&idle_timeout=180s&
+            CONN_STR=redis+cluster://:@gitea-unittests-valkey-cluster-headless.testing.svc.cluster.local:6379/0?pool_size=100&idle_timeout=180s&
             TYPE=redis
 
-  - it: "queue is configured correctly for redis"
+  - it: "queue is configured correctly for valkey"
     template: templates/gitea/config.yaml
     set:
-      redis-cluster:
+      valkey-cluster:
         enabled: false
-      redis:
+      valkey:
         enabled: true
     asserts:
       - documentIndex: 0
         equal:
           path: stringData.queue
           value: |-
-            CONN_STR=redis://:changeme@gitea-unittests-redis-headless.testing.svc.cluster.local:6379/0?pool_size=100&idle_timeout=180s&
+            CONN_STR=redis://:changeme@gitea-unittests-valkey-headless.testing.svc.cluster.local:6379/0?pool_size=100&idle_timeout=180s&
             TYPE=redis
 
-  - it: "queue is configured correctly for 'levelDB' when redis (and redis-cluster) is disabled"
+  - it: "queue is configured correctly for 'levelDB' when valkey (and valkey-cluster) is disabled"
     template: templates/gitea/config.yaml
     set:
-      redis-cluster:
+      valkey-cluster:
         enabled: false
-      redis:
+      valkey:
         enabled: false
     asserts:
       - documentIndex: 0
@@ -48,12 +48,12 @@ tests:
             CONN_STR=
             TYPE=level
 
-  - it: "queue can be customized when redis (and redis-cluster) are disabled"
+  - it: "queue can be customized when valkey (and valkey-cluster) are disabled"
     template: templates/gitea/config.yaml
     set:
-      redis-cluster:
+      valkey-cluster:
         enabled: false
-      redis:
+      valkey:
         enabled: false
       gitea.config.queue.TYPE: custom-type
       gitea.config.queue.CONN_STR: custom-connection-string

unittests/helm/config/session-config.yaml

@@ -3,12 +3,12 @@ release:
   name: gitea-unittests
   namespace: testing
 tests:
-  - it: "session is configured correctly for redis-cluster"
+  - it: "session is configured correctly for valkey-cluster"
     template: templates/gitea/config.yaml
     set:
-      redis-cluster:
+      valkey-cluster:
         enabled: true
-      redis:
+      valkey:
         enabled: false
     asserts:
       - documentIndex: 0
@@ -16,14 +16,14 @@ tests:
           path: stringData.session
           value: |-
             PROVIDER=redis
-            PROVIDER_CONFIG=redis+cluster://:@gitea-unittests-redis-cluster-headless.testing.svc.cluster.local:6379/0?pool_size=100&idle_timeout=180s&
+            PROVIDER_CONFIG=redis+cluster://:@gitea-unittests-valkey-cluster-headless.testing.svc.cluster.local:6379/0?pool_size=100&idle_timeout=180s&
 
-  - it: "session is configured correctly for redis"
+  - it: "session is configured correctly for valkey"
     template: templates/gitea/config.yaml
     set:
-      redis-cluster:
+      valkey-cluster:
         enabled: false
-      redis:
+      valkey:
         enabled: true
     asserts:
       - documentIndex: 0
@@ -31,14 +31,14 @@ tests:
           path: stringData.session
           value: |-
             PROVIDER=redis
-            PROVIDER_CONFIG=redis://:changeme@gitea-unittests-redis-headless.testing.svc.cluster.local:6379/0?pool_size=100&idle_timeout=180s&
+            PROVIDER_CONFIG=redis://:changeme@gitea-unittests-valkey-headless.testing.svc.cluster.local:6379/0?pool_size=100&idle_timeout=180s&
 
-  - it: "session is configured correctly for 'memory' when redis (and redis-cluster) is disabled"
+  - it: "session is configured correctly for 'memory' when valkey (and valkey-cluster) is disabled"
     template: templates/gitea/config.yaml
     set:
-      redis-cluster:
+      valkey-cluster:
         enabled: false
-      redis:
+      valkey:
         enabled: false
     asserts:
       - documentIndex: 0
@@ -48,12 +48,12 @@ tests:
             PROVIDER=memory
             PROVIDER_CONFIG=
 
-  - it: "session can be customized when redis (and redis-cluster) is disabled"
+  - it: "session can be customized when valkey (and valkey-cluster) is disabled"
     template: templates/gitea/config.yaml
     set:
-      redis-cluster:
+      valkey-cluster:
         enabled: false
-      redis:
+      valkey:
         enabled: false
       gitea.config.session.PROVIDER: custom-provider
       gitea.config.session.PROVIDER_CONFIG: custom-provider-config

unittests/helm/dependency-checks/customization-integrity-postgresql-ha.yaml

@@ -0,0 +1,121 @@
+suite: Dependency checks | Customization integrity | postgresql-ha
+release:
+  name: gitea-unittests
+  namespace: testing
+set:
+  postgresql:
+    enabled: false
+  postgresql-ha:
+    enabled: true
+    global:
+      postgresql:
+        database: gitea-database
+        password: gitea-password
+        username: gitea-username
+    postgresql:
+      repmgrPassword: custom-password-repmgr
+      postgresPassword: custom-password-postgres
+      password: custom-password-overwritten-by-global-postgresql-password
+    pgpool:
+      adminPassword: custom-password-pgpool
+    service:
+      ports:
+        postgresql: 1234
+    persistence:
+      size: 1337Mi
+tests:
+  - it: "[postgresql-ha] DB settings are applied as expected"
+    template: charts/postgresql-ha/templates/postgresql/statefulset.yaml
+    asserts:
+      - documentIndex: 0
+        contains:
+          path: spec.template.spec.containers[0].env
+          content:
+            name: POSTGRES_DB
+            value: "gitea-database"
+      - documentIndex: 0
+        contains:
+          path: spec.template.spec.containers[0].env
+          content:
+            name: POSTGRES_USER
+            value: "gitea-username"
+  - it: "[postgresql-ha] DB passwords are applied as expected"
+    template: charts/postgresql-ha/templates/postgresql/secrets.yaml
+    asserts:
+      - documentIndex: 0
+        equal:
+          path: data["repmgr-password"]
+          value: "Y3VzdG9tLXBhc3N3b3JkLXJlcG1ncg=="
+      - documentIndex: 0
+        equal:
+          path: data["postgres-password"]
+          value: "Y3VzdG9tLXBhc3N3b3JkLXBvc3RncmVz"
+      - documentIndex: 0
+        equal:
+          path: data["password"]
+          value: "Z2l0ZWEtcGFzc3dvcmQ=" # postgresql-ha.postgresql.password is overwritten by postgresql-ha.global.postgresql.password and should not be referenced here
+  - it: "[postgresql-ha] pgpool.adminPassword is applied as expected"
+    template: charts/postgresql-ha/templates/pgpool/secrets.yaml
+    asserts:
+      - documentIndex: 0
+        equal:
+          path: data["admin-password"]
+          value: "Y3VzdG9tLXBhc3N3b3JkLXBncG9vbA=="
+  - it: "[postgresql-ha] pgpool.adminPassword is applied as expected"
+    template: charts/postgresql-ha/templates/pgpool/secrets.yaml
+    asserts:
+      - documentIndex: 0
+        equal:
+          path: data["admin-password"]
+          value: "Y3VzdG9tLXBhc3N3b3JkLXBncG9vbA=="
+  - it: "[postgresql-ha] pgpool.adminPassword is applied as expected"
+    template: charts/postgresql-ha/templates/pgpool/secrets.yaml
+    asserts:
+      - documentIndex: 0
+        equal:
+          path: data["admin-password"]
+          value: "Y3VzdG9tLXBhc3N3b3JkLXBncG9vbA=="
+  - it: "[postgresql-ha] persistence.size is applied as expected"
+    template: charts/postgresql-ha/templates/postgresql/statefulset.yaml
+    asserts:
+      - documentIndex: 0
+        equal:
+          path: spec.volumeClaimTemplates[0].spec.resources.requests.storage
+          value: "1337Mi"
+  - it: "[postgresql-ha] service.ports.postgresql is applied as expected"
+    template: charts/postgresql-ha/templates/pgpool/service.yaml
+    asserts:
+      - documentIndex: 0
+        equal:
+          path: spec.ports[0].port
+          value: 1234
+  - it: "[postgresql-ha] renders the referenced service"
+    template: charts/postgresql-ha/templates/pgpool/service.yaml
+    asserts:
+      - containsDocument:
+          kind: Service
+          apiVersion: v1
+          name: gitea-unittests-postgresql-ha-pgpool
+          namespace: testing
+  - it: "[gitea] connects to pgpool service"
+    template: templates/gitea/config.yaml
+    asserts:
+      - documentIndex: 0
+        matchRegex:
+          path: stringData.database
+          pattern: HOST=gitea-unittests-postgresql-ha-pgpool.testing.svc.cluster.local:1234
+  - it: "[gitea] connects to configured database"
+    template: templates/gitea/config.yaml
+    asserts:
+      - documentIndex: 0
+        matchRegex:
+          path: stringData.database
+          pattern: NAME=gitea-database
+      - documentIndex: 0
+        matchRegex:
+          path: stringData.database
+          pattern: USER=gitea-username
+      - documentIndex: 0
+        matchRegex:
+          path: stringData.database
+          pattern: PASSWD=gitea-password

unittests/helm/dependency-checks/customization-integrity-postgresql.yaml

@@ -0,0 +1,88 @@
+suite: Dependency checks | Customization integrity | postgresql
+release:
+  name: gitea-unittests
+  namespace: testing
+set:
+  postgresql-ha:
+    enabled: false
+  postgresql:
+    enabled: true
+    global:
+      postgresql:
+        auth:
+          password: gitea-password
+          database: gitea-database
+          username: gitea-username
+        service:
+          ports:
+            postgresql: 1234
+    primary:
+      persistence:
+        size: 1337Mi
+tests:
+  - it: "[postgresql] DB settings are applied as expected"
+    template: charts/postgresql/templates/primary/statefulset.yaml
+    asserts:
+      - documentIndex: 0
+        contains:
+          path: spec.template.spec.containers[0].env
+          content:
+            name: POSTGRES_DATABASE
+            value: "gitea-database"
+      - documentIndex: 0
+        contains:
+          path: spec.template.spec.containers[0].env
+          content:
+            name: POSTGRES_USER
+            value: "gitea-username"
+  - it: "[postgresql] DB password is applied as expected"
+    template: charts/postgresql/templates/secrets.yaml
+    asserts:
+      - documentIndex: 0
+        equal:
+          path: data["password"]
+          value: "Z2l0ZWEtcGFzc3dvcmQ="
+  - it: "[postgresql] primary.persistence.size is applied as expected"
+    template: charts/postgresql/templates/primary/statefulset.yaml
+    asserts:
+      - documentIndex: 0
+        equal:
+          path: spec.volumeClaimTemplates[0].spec.resources.requests.storage
+          value: "1337Mi"
+  - it: "[postgresql] global.postgresql.service.ports.postgresql is applied as expected"
+    template: charts/postgresql/templates/primary/svc.yaml
+    asserts:
+      - documentIndex: 0
+        equal:
+          path: spec.ports[0].port
+          value: 1234
+  - it: "[postgresql] renders the referenced service"
+    template: charts/postgresql/templates/primary/svc.yaml
+    asserts:
+      - containsDocument:
+          kind: Service
+          apiVersion: v1
+          name: gitea-unittests-postgresql
+          namespace: testing
+  - it: "[gitea] connects to postgresql service"
+    template: templates/gitea/config.yaml
+    asserts:
+      - documentIndex: 0
+        matchRegex:
+          path: stringData.database
+          pattern: HOST=gitea-unittests-postgresql.testing.svc.cluster.local:1234
+  - it: "[gitea] connects to configured database"
+    template: templates/gitea/config.yaml
+    asserts:
+      - documentIndex: 0
+        matchRegex:
+          path: stringData.database
+          pattern: NAME=gitea-database
+      - documentIndex: 0
+        matchRegex:
+          path: stringData.database
+          pattern: USER=gitea-username
+      - documentIndex: 0
+        matchRegex:
+          path: stringData.database
+          pattern: PASSWD=gitea-password

unittests/helm/dependency-checks/customization-integrity-valkey-cluster.yaml

@@ -0,0 +1,90 @@
+suite: Dependency checks | Customization integrity | valkey-cluster
+release:
+  name: gitea-unittests
+  namespace: testing
+set:
+  valkey:
+    enabled: false
+  valkey-cluster:
+    enabled: true
+    usePassword: false
+    cluster:
+      nodes: 5
+      replicas: 2
+tests:
+  - it: "[valkey-cluster] configures correct nodes/replicas"
+    template: charts/valkey-cluster/templates/valkey-statefulset.yaml
+    asserts:
+      - documentIndex: 0
+        equal:
+          path: spec.replicas
+          value: 5
+      - documentIndex: 0
+        matchRegex:
+          path: spec.template.spec.containers[0].args[0]
+          pattern: VALKEY_CLUSTER_REPLICAS="2"
+  - it: "[valkey-cluster] support auth-less connections"
+    asserts:
+      - template: charts/valkey-cluster/templates/secret.yaml
+        hasDocuments:
+          count: 0
+      - template: charts/valkey-cluster/templates/valkey-statefulset.yaml
+        documentIndex: 0
+        contains:
+          path: spec.template.spec.containers[0].env
+          content:
+            name: ALLOW_EMPTY_PASSWORD
+            value: "yes"
+  - it: "[valkey-cluster] support auth-full connections"
+    set:
+      valkey-cluster:
+        usePassword: true
+    asserts:
+      - template: charts/valkey-cluster/templates/secret.yaml
+        containsDocument:
+          kind: Secret
+          apiVersion: v1
+          name: gitea-unittests-valkey-cluster
+          namespace: testing
+      - template: charts/valkey-cluster/templates/valkey-statefulset.yaml
+        documentIndex: 0
+        contains:
+          path: spec.template.spec.containers[0].env
+          content:
+            name: REDISCLI_AUTH
+            valueFrom:
+              secretKeyRef:
+                name: gitea-unittests-valkey-cluster
+                key: valkey-password
+      - template: charts/valkey-cluster/templates/valkey-statefulset.yaml
+        documentIndex: 0
+        contains:
+          path: spec.template.spec.containers[0].env
+          content:
+            name: REDISCLI_AUTH
+            valueFrom:
+              secretKeyRef:
+                name: gitea-unittests-valkey-cluster
+                key: valkey-password
+  - it: "[valkey-cluster] renders the referenced service"
+    template: charts/valkey-cluster/templates/headless-svc.yaml
+    asserts:
+      - containsDocument:
+          kind: Service
+          apiVersion: v1
+          name: gitea-unittests-valkey-cluster-headless
+          namespace: testing
+      - documentIndex: 0
+        contains:
+          path: spec.ports
+          content:
+            name: tcp-redis
+            port: 6379
+            targetPort: tcp-redis
+  - it: "[gitea] waits for valkey-cluster to be up and running"
+    template: templates/gitea/init.yaml
+    asserts:
+      - documentIndex: 0
+        matchRegex:
+          path: stringData["configure_gitea.sh"]
+          pattern: nc -vz -w2 gitea-unittests-valkey-cluster-headless.testing.svc.cluster.local 6379

unittests/helm/dependency-checks/customization-integrity-valkey.yaml

@@ -0,0 +1,52 @@
+suite: Dependency checks | Customization integrity | valkey
+release:
+  name: gitea-unittests
+  namespace: testing
+set:
+  valkey-cluster:
+    enabled: false
+  valkey:
+    enabled: true
+    architecture: standalone
+    global:
+      valkey:
+        password: gitea-password
+    master:
+      count: 2
+tests:
+  - it: "[valkey] configures correct 'master' nodes"
+    template: charts/valkey/templates/primary/application.yaml
+    asserts:
+      - documentIndex: 0
+        equal:
+          path: spec.replicas
+          value: 1
+  - it: "[valkey] valkey.global.valkey.password is applied as expected"
+    template: charts/valkey/templates/secret.yaml
+    asserts:
+      - documentIndex: 0
+        equal:
+          path: data["valkey-password"]
+          value: "Z2l0ZWEtcGFzc3dvcmQ="
+  - it: "[valkey] renders the referenced service"
+    template: charts/valkey/templates/headless-svc.yaml
+    asserts:
+      - containsDocument:
+          kind: Service
+          apiVersion: v1
+          name: gitea-unittests-valkey-headless
+          namespace: testing
+      - documentIndex: 0
+        contains:
+          path: spec.ports
+          content:
+            name: tcp-redis
+            port: 6379
+            targetPort: redis
+  - it: "[gitea] waits for valkey to be up and running"
+    template: templates/gitea/init.yaml
+    asserts:
+      - documentIndex: 0
+        matchRegex:
+          path: stringData["configure_gitea.sh"]
+          pattern: nc -vz -w2 gitea-unittests-valkey-headless.testing.svc.cluster.local 6379

unittests/helm/dependency-checks/major-image-bump.yaml

@@ -1,4 +1,4 @@
-suite: Dependency update consistency
+suite: Dependency checks | Major image bumps
 release:
   name: gitea-unittests
   namespace: testing
@@ -15,7 +15,7 @@ tests:
         matchRegex:
           path: spec.template.spec.containers[0].image
           # IN CASE OF AN INTENTIONAL MAJOR BUMP, ADJUST THIS TEST
-          pattern: bitnami/postgresql-repmgr:16.+$
+          pattern: bitnami/postgresql-repmgr:17.+$
   - it: "[postgresql] ensures we detect major image version upgrades"
     template: charts/postgresql/templates/primary/statefulset.yaml
     set:
@@ -28,30 +28,30 @@ tests:
         matchRegex:
           path: spec.template.spec.containers[0].image
           # IN CASE OF AN INTENTIONAL MAJOR BUMP, ADJUST THIS TEST
-          pattern: bitnami/postgresql:16.+$
-  - it: "[redis-cluster] ensures we detect major image version upgrades"
-    template: charts/redis-cluster/templates/redis-statefulset.yaml
+          pattern: bitnami/postgresql:17.+$
+  - it: "[valkey-cluster] ensures we detect major image version upgrades"
+    template: charts/valkey-cluster/templates/valkey-statefulset.yaml
     set:
-      redis-cluster:
+      valkey-cluster:
         enabled: true
-      redis:
+      valkey:
         enabled: false
     asserts:
       - documentIndex: 0
         matchRegex:
           path: spec.template.spec.containers[0].image
           # IN CASE OF AN INTENTIONAL MAJOR BUMP, ADJUST THIS TEST
-          pattern: bitnami/redis-cluster:7.+$
-  - it: "[redis] ensures we detect major image version upgrades"
-    template: charts/redis/templates/master/application.yaml
+          pattern: bitnami/valkey-cluster:8.+$
+  - it: "[valkey] ensures we detect major image version upgrades"
+    template: charts/valkey/templates/primary/application.yaml
     set:
-      redis-cluster:
+      valkey-cluster:
         enabled: false
-      redis:
+      valkey:
         enabled: true
     asserts:
       - documentIndex: 0
         matchRegex:
           path: spec.template.spec.containers[0].image
           # IN CASE OF AN INTENTIONAL MAJOR BUMP, ADJUST THIS TEST
-          pattern: bitnami/redis:7.+$
+          pattern: bitnami/valkey:8.+$

unittests/helm/deployment/HA.yaml

@@ -20,14 +20,14 @@ tests:
               ENABLED: true
     asserts:
       - failedTemplate:
-          errorMessage: "Invoking the garbage collector via CRON is not yet supported when running with multiple replicas. Please set 'cron.GIT_GC_REPOS.enabled = false'."
+          errorMessage: "Invoking the garbage collector via CRON is not yet supported when running with multiple replicas. Please set 'gitea.config.cron.GIT_GC_REPOS.enabled = false'."
   - it: fails with multiple replicas and RWX file system not set
     template: templates/gitea/deployment.yaml
     set:
       replicaCount: 2
     asserts:
       - failedTemplate:
-          errorMessage: "When using multiple replicas, a RWX file system is required and gitea.persistence.accessModes[0] must be set to ReadWriteMany."
+          errorMessage: "When using multiple replicas, a RWX file system is required and persistence.accessModes[0] must be set to ReadWriteMany."
   - it: fails with multiple replicas and bleve issue indexer
     template: templates/gitea/deployment.yaml
     set:

unittests/helm/deployment/basic.yaml

@@ -0,0 +1,95 @@
+suite: deployment template (basic)
+release:
+  name: gitea-unittests
+  namespace: testing
+templates:
+  - templates/gitea/deployment.yaml
+  - templates/gitea/config.yaml
+tests:
+  - it: renders a deployment
+    template: templates/gitea/deployment.yaml
+    asserts:
+      - hasDocuments:
+          count: 1
+      - containsDocument:
+          kind: Deployment
+          apiVersion: apps/v1
+          name: gitea-unittests
+  - it: deployment labels are set
+    template: templates/gitea/deployment.yaml
+    set:
+      deployment.labels:
+        hello: world
+    asserts:
+      - isSubset:
+          path: metadata.labels
+          content:
+            hello: world
+      - isSubset:
+          path: spec.template.metadata.labels
+          content:
+            hello: world
+  - it: "injects TMP_EXISTING_ENVS_FILE as environment variable to 'init-app-ini' init container"
+    template: templates/gitea/deployment.yaml
+    asserts:
+      - contains:
+          path: spec.template.spec.initContainers[1].env
+          content:
+            name: TMP_EXISTING_ENVS_FILE
+            value: /tmp/existing-envs
+  - it: "injects ENV_TO_INI_MOUNT_POINT as environment variable to 'init-app-ini' init container"
+    template: templates/gitea/deployment.yaml
+    asserts:
+      - contains:
+          path: spec.template.spec.initContainers[1].env
+          content:
+            name: ENV_TO_INI_MOUNT_POINT
+            value: /env-to-ini-mounts
+  - it: CPU resources are defined as well as GOMAXPROCS
+    template: templates/gitea/deployment.yaml
+    set:
+      resources:
+        limits:
+          cpu: 200ms
+          memory: 200Mi
+        requests:
+          cpu: 100ms
+          memory: 100Mi
+    asserts:
+      - contains:
+          path: spec.template.spec.containers[0].env
+          content:
+            name: GOMAXPROCS
+            valueFrom:
+              resourceFieldRef:
+                divisor: "1"
+                resource: limits.cpu
+      - equal:
+          path: spec.template.spec.containers[0].resources
+          value:
+            limits:
+              cpu: 200ms
+              memory: 200Mi
+            requests:
+              cpu: 100ms
+              memory: 100Mi
+  - it: Init containers have correct volumeMount path
+    template: templates/gitea/deployment.yaml
+    set:
+      initContainersScriptsVolumeMountPath: "/custom/init/path"
+    asserts:
+      - equal:
+          path: spec.template.spec.initContainers[*].volumeMounts[?(@.name=="init")].mountPath
+          value: "/custom/init/path"
+      - equal:
+          path: spec.template.spec.initContainers[*].volumeMounts[?(@.name=="config")].mountPath
+          value: "/custom/init/path"
+  - it: Init containers have correct volumeMount path if there is no override
+    template: templates/gitea/deployment.yaml
+    asserts:
+      - equal:
+          path: spec.template.spec.initContainers[*].volumeMounts[?(@.name=="init")].mountPath
+          value: "/usr/sbinx"
+      - equal:
+          path: spec.template.spec.initContainers[*].volumeMounts[?(@.name=="config")].mountPath
+          value: "/usr/sbinx"

unittests/helm/deployment/deployment-additional-config.yaml

@@ -0,0 +1,150 @@
+suite: deployment template
+release:
+  name: gitea-unittests
+  namespace: testing
+templates:
+  - templates/gitea/deployment.yaml
+  - templates/gitea/config.yaml
+tests:
+  - it: Renders a deployment
+    template: templates/gitea/deployment.yaml
+    asserts:
+      - hasDocuments:
+          count: 1
+      - containsDocument:
+          kind: Deployment
+          apiVersion: apps/v1
+          name: gitea-unittests
+  - it: Deployment with empty additionalConfigFromEnvs
+    template: templates/gitea/deployment.yaml
+    set:
+      gitea.additionalConfigFromEnvs: []
+    asserts:
+      - hasDocuments:
+          count: 1
+      - exists:
+          path: spec.template.spec.initContainers[1].env
+      - lengthEqual:
+          path: spec.template.spec.initContainers[1].env
+          count: 6
+      - isSubset:
+          path: spec.template.spec.initContainers[1]
+          content:
+            env:
+              - name: GITEA_APP_INI
+                value: /data/gitea/conf/app.ini
+              - name: GITEA_CUSTOM
+                value: /data/gitea
+              - name: GITEA_WORK_DIR
+                value: /data
+              - name: GITEA_TEMP
+                value: /tmp/gitea
+              - name: TMP_EXISTING_ENVS_FILE
+                value: /tmp/existing-envs
+              - name: ENV_TO_INI_MOUNT_POINT
+                value: /env-to-ini-mounts
+  - it: Deployment with standard additionalConfigFromEnvs
+    template: templates/gitea/deployment.yaml
+    set:
+      gitea.additionalConfigFromEnvs: [{name: GITEA_database_HOST, value: my-db:123}, {name: GITEA_database_USER, value: my-user}]
+    asserts:
+      - hasDocuments:
+          count: 1
+      - exists:
+          path: spec.template.spec.initContainers[1].env
+      - lengthEqual:
+          path: spec.template.spec.initContainers[1].env
+          count: 8
+      - isSubset:
+          path: spec.template.spec.initContainers[1]
+          content:
+            env:
+              - name: GITEA_APP_INI
+                value: /data/gitea/conf/app.ini
+              - name: GITEA_CUSTOM
+                value: /data/gitea
+              - name: GITEA_WORK_DIR
+                value: /data
+              - name: GITEA_TEMP
+                value: /tmp/gitea
+              - name: TMP_EXISTING_ENVS_FILE
+                value: /tmp/existing-envs
+              - name: ENV_TO_INI_MOUNT_POINT
+                value: /env-to-ini-mounts
+              - name: GITEA_database_HOST
+                value: my-db:123
+              - name: GITEA_database_USER
+                value: my-user
+  - it: Deployment with templated additionalConfigFromEnvs
+    template: templates/gitea/deployment.yaml
+    set:
+      gitea.misc.host: my-db-host:321
+      gitea.misc.user: my-db-user
+      gitea.additionalConfigFromEnvs: [{name: GITEA_database_HOST, value: "{{ .Values.gitea.misc.host }}"}, {name: GITEA_database_USER, value: "{{ .Values.gitea.misc.user }}"}]
+    asserts:
+      - hasDocuments:
+          count: 1
+      - exists:
+          path: spec.template.spec.initContainers[1].env
+      - lengthEqual:
+          path: spec.template.spec.initContainers[1].env
+          count: 8
+      - isSubset:
+          path: spec.template.spec.initContainers[1]
+          content:
+            env:
+              - name: GITEA_APP_INI
+                value: /data/gitea/conf/app.ini
+              - name: GITEA_CUSTOM
+                value: /data/gitea
+              - name: GITEA_WORK_DIR
+                value: /data
+              - name: GITEA_TEMP
+                value: /tmp/gitea
+              - name: TMP_EXISTING_ENVS_FILE
+                value: /tmp/existing-envs
+              - name: ENV_TO_INI_MOUNT_POINT
+                value: /env-to-ini-mounts
+              - name: GITEA_database_HOST
+                value: my-db-host:321
+              - name: GITEA_database_USER
+                value: my-db-user
+  - it: Deployment with additionalConfigFromEnvs templated secret name
+    template: templates/gitea/deployment.yaml
+    set:
+      gitea.misc.existingSecret: my-db-secret
+      gitea.additionalConfigFromEnvs[0]:
+        name: GITEA_database_HOST
+        valueFrom:
+          secretKeyRef:
+            name: "{{ .Values.gitea.misc.existingSecret }}"
+            key: password
+    asserts:
+      - hasDocuments:
+          count: 1
+      - exists:
+          path: spec.template.spec.initContainers[1].env
+      - lengthEqual:
+          path: spec.template.spec.initContainers[1].env
+          count: 7
+      - isSubset:
+          path: spec.template.spec.initContainers[1]
+          content:
+            env:
+              - name: GITEA_APP_INI
+                value: /data/gitea/conf/app.ini
+              - name: GITEA_CUSTOM
+                value: /data/gitea
+              - name: GITEA_WORK_DIR
+                value: /data
+              - name: GITEA_TEMP
+                value: /tmp/gitea
+              - name: TMP_EXISTING_ENVS_FILE
+                value: /tmp/existing-envs
+              - name: ENV_TO_INI_MOUNT_POINT
+                value: /env-to-ini-mounts
+              - name: GITEA_database_HOST
+                valueFrom:
+                  secretKeyRef:
+                    name: "my-db-secret"
+                    key: password

unittests/helm/deployment/image-configuration.yaml

@@ -14,7 +14,7 @@ tests:
     asserts:
       - equal:
           path: spec.template.spec.containers[0].image
-          value: "gitea/gitea:1.19.3-rootless"
+          value: "docker.gitea.com/gitea:1.19.3-rootless"
   - it: tag override
     template: templates/gitea/deployment.yaml
     set:
@@ -22,7 +22,7 @@ tests:
     asserts:
       - equal:
           path: spec.template.spec.containers[0].image
-          value: "gitea/gitea:1.19.4-rootless"
+          value: "docker.gitea.com/gitea:1.19.4-rootless"
   - it: root-based image
     template: templates/gitea/deployment.yaml
     set:
@@ -30,7 +30,7 @@ tests:
     asserts:
       - equal:
           path: spec.template.spec.containers[0].image
-          value: "gitea/gitea:1.19.3"
+          value: "docker.gitea.com/gitea:1.19.3"
   - it: scoped registry
     template: templates/gitea/deployment.yaml
     set:
@@ -38,7 +38,7 @@ tests:
     asserts:
       - equal:
           path: spec.template.spec.containers[0].image
-          value: "example.com/gitea/gitea:1.19.3-rootless"
+          value: "example.com/gitea:1.19.3-rootless"
   - it: global registry
     template: templates/gitea/deployment.yaml
     set:
@@ -46,7 +46,7 @@ tests:
     asserts:
       - equal:
           path: spec.template.spec.containers[0].image
-          value: "global.example.com/gitea/gitea:1.19.3-rootless"
+          value: "global.example.com/gitea:1.19.3-rootless"
   - it: digest for rootless image
     template: templates/gitea/deployment.yaml
     set:
@@ -56,12 +56,12 @@ tests:
     asserts:
       - equal:
           path: spec.template.spec.containers[0].image
-          value: "gitea/gitea:1.19.3-rootless@sha256:b28e8f3089b52ebe6693295df142f8c12eff354e9a4a5bfbb5c10f296c3a537a"
+          value: "docker.gitea.com/gitea:1.19.3-rootless@sha256:b28e8f3089b52ebe6693295df142f8c12eff354e9a4a5bfbb5c10f296c3a537a"
   - it: image fullOverride (does not append rootless)
     template: templates/gitea/deployment.yaml
     set:
       image:
-        fullOverride: gitea/gitea:1.19.3
+        fullOverride: docker.gitea.com/gitea:1.19.3
         # setting rootless, registry, repository, tag, and digest to prove that override works
         rootless: true
         registry: example.com
@@ -71,7 +71,7 @@ tests:
     asserts:
       - equal:
           path: spec.template.spec.containers[0].image
-          value: "gitea/gitea:1.19.3"
+          value: "docker.gitea.com/gitea:1.19.3"
   - it: digest for root-based image
     template: templates/gitea/deployment.yaml
     set:
@@ -81,7 +81,7 @@ tests:
     asserts:
       - equal:
           path: spec.template.spec.containers[0].image
-          value: "gitea/gitea:1.19.3@sha256:b28e8f3089b52ebe6693295df142f8c12eff354e9a4a5bfbb5c10f296c3a537a"
+          value: "docker.gitea.com/gitea:1.19.3@sha256:b28e8f3089b52ebe6693295df142f8c12eff354e9a4a5bfbb5c10f296c3a537a"
   - it: digest and global registry
     template: templates/gitea/deployment.yaml
     set:
@@ -90,21 +90,21 @@ tests:
     asserts:
       - equal:
           path: spec.template.spec.containers[0].image
-          value: "global.example.com/gitea/gitea:1.19.3-rootless@sha256:b28e8f3089b52ebe6693295df142f8c12eff354e9a4a5bfbb5c10f296c3a537a"
+          value: "global.example.com/gitea:1.19.3-rootless@sha256:b28e8f3089b52ebe6693295df142f8c12eff354e9a4a5bfbb5c10f296c3a537a"
   - it: correctly renders floating tag references
     template: templates/gitea/deployment.yaml
     set:
-      image.tag: 1.21 # use non-quoted value on purpose. See: https://gitea.com/gitea/helm-chart/issues/631
+      image.tag: 1.21 # use non-quoted value on purpose. See: https://gitea.com/gitea/helm-gitea/issues/631
     asserts:
       - equal:
           path: spec.template.spec.initContainers[0].image
-          value: "gitea/gitea:1.21-rootless"
+          value: "docker.gitea.com/gitea:1.21-rootless"
       - equal:
           path: spec.template.spec.initContainers[1].image
-          value: "gitea/gitea:1.21-rootless"
+          value: "docker.gitea.com/gitea:1.21-rootless"
       - equal:
           path: spec.template.spec.initContainers[2].image
-          value: "gitea/gitea:1.21-rootless"
+          value: "docker.gitea.com/gitea:1.21-rootless"
       - equal:
           path: spec.template.spec.containers[0].image
-          value: "gitea/gitea:1.21-rootless"
+          value: "docker.gitea.com/gitea:1.21-rootless"

unittests/helm/deployment/ingress-configuration.yaml

@@ -1,28 +1,7 @@
-suite: ingress template
-release:
-  name: gitea-unittests
-  namespace: testing
+suite: Test ingress tpl use
 templates:
   - templates/gitea/ingress.yaml
 tests:
-  - it: hostname using TPL
-    set:
-      global.giteaHostName: "gitea.example.com"
-      ingress.enabled: true
-      ingress.hosts[0].host: "{{ .Values.global.giteaHostName }}"
-      ingress.tls:
-        - secretName: gitea-tls
-          hosts:
-            - "{{ .Values.global.giteaHostName }}"
-    asserts:
-      - isKind:
-          of: Ingress
-      - equal:
-          path: spec.tls[0].hosts[0]
-          value: "gitea.example.com"
-      - equal:
-          path: spec.rules[0].host
-          value: "gitea.example.com"
   - it: Ingress Class using TPL
     set:
       global.ingress.className: "ingress-class"
@@ -45,3 +24,22 @@ tests:
       - equal:
           path: spec.ingressClassName
           value: "ingress-class"
+
+  - it: hostname using TPL
+    set:
+      global.giteaHostName: "gitea.example.com"
+      ingress.enabled: true
+      ingress.hosts[0].host: "{{ .Values.global.giteaHostName }}"
+      ingress.tls:
+        - secretName: gitea-tls
+          hosts:
+            - "{{ .Values.global.giteaHostName }}"
+    asserts:
+      - isKind:
+          of: Ingress
+      - equal:
+          path: spec.tls[0].hosts[0]
+          value: "gitea.example.com"
+      - equal:
+          path: spec.rules[0].host
+          value: "gitea.example.com"

unittests/helm/deployment/signing-enabled.yaml

@@ -18,7 +18,7 @@ tests:
           value: configure-gpg
       - equal:
           path: spec.template.spec.initContainers[2].command
-          value: ["/usr/sbin/configure_gpg_environment.sh"]
+          value: ["/usr/sbinx/configure_gpg_environment.sh"]
       - equal:
           path: spec.template.spec.initContainers[2].securityContext
           value:
@@ -28,11 +28,13 @@ tests:
           value:
             - name: GNUPGHOME
               value: /data/git/.gnupg
+            - name: TMP_RAW_GPG_KEY
+              value: /raw/private.asc
       - equal:
           path: spec.template.spec.initContainers[2].volumeMounts
           value:
             - name: init
-              mountPath: /usr/sbin
+              mountPath: /usr/sbinx
             - name: data
               mountPath: /data
             - name: gpg-private-key

unittests/helm/deployment/ssh-configuration.yaml

@@ -30,7 +30,7 @@ tests:
   - it: supports overriding SSH log level (even when image.fullOverride set)
     template: templates/gitea/deployment.yaml
     set:
-      image.fullOverride: gitea/gitea:1.19.3
+      image.fullOverride: docker.gitea.com/gitea:1.19.3
       image.rootless: false
       gitea.ssh.logLevel: "DEBUG"
     asserts:
@@ -53,7 +53,7 @@ tests:
   - it: skips SSH_LOG_LEVEL for rootless image (even when image.fullOverride set)
     template: templates/gitea/deployment.yaml
     set:
-      image.fullOverride: gitea/gitea:1.19.3
+      image.fullOverride: docker.gitea.com/gitea:1.19.3
       image.rootless: true
       gitea.ssh.logLevel: "DEBUG" # explicitly defining a non-standard level here
     asserts:

unittests/helm/ingress/basic.yaml

@@ -0,0 +1,93 @@
+suite: Test ingress.yaml
+templates:
+  - templates/gitea/ingress.yaml
+tests:
+  - it: should enable ingress when ingress.enabled is true
+    set:
+      ingress.enabled: true
+      ingress.apiVersion: networking.k8s.io/v1
+      ingress.annotations:
+        kubernetes.io/ingress.class: nginx
+      ingress.className: nginx
+      ingress.tls:
+        - hosts:
+            - example.com
+          secretName: tls-secret
+      ingress.hosts:
+        - host: example.com
+          paths: ["/"]
+    asserts:
+      - hasDocuments:
+          count: 1
+      - isKind:
+          of: Ingress
+      - equal:
+          path: metadata.name
+          value: RELEASE-NAME-gitea
+      - matchRegex:
+          path: apiVersion
+          pattern: networking.k8s.io/v1
+      - equal:
+          path: spec.ingressClassName
+          value: nginx
+      - equal:
+          path: spec.rules[0].host
+          value: "example.com"
+      - equal:
+          path: spec.tls[0].hosts[0]
+          value: "example.com"
+      - equal:
+          path: spec.tls[0].secretName
+          value: tls-secret
+      - equal:
+          path: metadata.annotations["kubernetes.io/ingress.class"]
+          value: nginx
+
+  - it: should not create ingress when ingress.enabled is false
+    set:
+      ingress.enabled: false
+    asserts:
+      - hasDocuments:
+          count: 0
+
+  - it: Ingress Class using TPL
+    set:
+      global.ingress.className: "ingress-class"
+      ingress.className: "{{ .Values.global.ingress.className }}"
+      ingress.enabled: true
+      ingress.hosts[0].host: "some-host"
+      ingress.tls:
+        - secretName: gitea-tls
+          hosts:
+            - "some-host"
+    asserts:
+      - isKind:
+          of: Ingress
+      - equal:
+          path: spec.tls[0].hosts[0]
+          value: "some-host"
+      - equal:
+          path: spec.rules[0].host
+          value: "some-host"
+      - equal:
+          path: spec.ingressClassName
+          value: "ingress-class"
+
+  - it: hostname using TPL
+    set:
+      global.giteaHostName: "gitea.example.com"
+      ingress.enabled: true
+      ingress.hosts[0].host: "{{ .Values.global.giteaHostName }}"
+      ingress.tls:
+        - secretName: gitea-tls
+          hosts:
+            - "{{ .Values.global.giteaHostName }}"
+    asserts:
+      - isKind:
+          of: Ingress
+      - equal:
+          path: spec.tls[0].hosts[0]
+          value: "gitea.example.com"
+      - equal:
+          path: spec.rules[0].host
+          value: "gitea.example.com"

unittests/helm/ingress/implicit-defaults.yaml

@@ -0,0 +1,23 @@
+suite: Test ingress with implicit path defaults
+templates:
+  - templates/gitea/ingress.yaml
+tests:
+  - it: should use default path and pathType when no paths are specified
+    set:
+      ingress.enabled: true
+      ingress.hosts:
+        - host: git.example.com
+    asserts:
+      - hasDocuments:
+          count: 1
+      - isKind:
+          of: Ingress
+      - equal:
+          path: spec.rules[0].host
+          value: "git.example.com"
+      - equal:
+          path: spec.rules[0].http.paths[0].path
+          value: "/"
+      - equal:
+          path: spec.rules[0].http.paths[0].pathType
+          value: "Prefix"

unittests/helm/ingress/ingress.tpl.yaml

@@ -0,0 +1,45 @@
+suite: Test ingress tpl use
+templates:
+  - templates/gitea/ingress.yaml
+tests:
+  - it: Ingress Class using TPL
+    set:
+      global.ingress.className: "ingress-class"
+      ingress.className: "{{ .Values.global.ingress.className }}"
+      ingress.enabled: true
+      ingress.hosts[0].host: "some-host"
+      ingress.tls:
+        - secretName: gitea-tls
+          hosts:
+            - "some-host"
+    asserts:
+      - isKind:
+          of: Ingress
+      - equal:
+          path: spec.tls[0].hosts[0]
+          value: "some-host"
+      - equal:
+          path: spec.rules[0].host
+          value: "some-host"
+      - equal:
+          path: spec.ingressClassName
+          value: "ingress-class"
+
+  - it: hostname using TPL
+    set:
+      global.giteaHostName: "gitea.example.com"
+      ingress.enabled: true
+      ingress.hosts[0].host: "{{ .Values.global.giteaHostName }}"
+      ingress.tls:
+        - secretName: gitea-tls
+          hosts:
+            - "{{ .Values.global.giteaHostName }}"
+    asserts:
+      - isKind:
+          of: Ingress
+      - equal:
+          path: spec.tls[0].hosts[0]
+          value: "gitea.example.com"
+      - equal:
+          path: spec.rules[0].host
+          value: "gitea.example.com"

unittests/helm/ingress/structured-paths.yaml

@@ -0,0 +1,26 @@
+suite: Test ingress with structured paths
+templates:
+  - templates/gitea/ingress.yaml
+tests:
+  - it: should work with structured path definitions
+    set:
+      ingress.enabled: true
+      ingress.hosts:
+        - host: git.devxy.io
+          paths:
+            - path: /
+              pathType: Prefix
+    asserts:
+      - hasDocuments:
+          count: 1
+      - isKind:
+          of: Ingress
+      - equal:
+          path: spec.rules[0].host
+          value: "git.devxy.io"
+      - equal:
+          path: spec.rules[0].http.paths[0].path
+          value: "/"
+      - equal:
+          path: spec.rules[0].http.paths[0].pathType
+          value: "Prefix"

unittests/helm/init/init_directory_structure.sh-rootless.yaml

@@ -15,11 +15,11 @@ tests:
     asserts:
       - equal:
           path: stringData["configure_gpg_environment.sh"]
-          value: |-
+          value: |
             #!/usr/bin/env bash
             set -eu
 
-            gpg --batch --import /raw/private.asc
+            gpg --batch --import "$TMP_RAW_GPG_KEY"
   - it: skips gpg script block for disabled signing
     asserts:
       - equal:
@@ -65,7 +65,7 @@ tests:
   - it: it does not chown /data even when image.fullOverride is set
     template: templates/gitea/init.yaml
     set:
-      image.fullOverride: gitea/gitea:1.20.5
+      image.fullOverride: docker.gitea.com/gitea:1.20.5
     asserts:
       - equal:
           path: stringData["init_directory_structure.sh"]

unittests/helm/init/init_directory_structure.sh.yaml

@@ -16,11 +16,11 @@ tests:
     asserts:
       - equal:
           path: stringData["configure_gpg_environment.sh"]
-          value: |-
+          value: |
             #!/usr/bin/env bash
             set -eu
 
-            gpg --batch --import /raw/private.asc
+            gpg --batch --import "$TMP_RAW_GPG_KEY"
   - it: skips gpg script block for disabled signing
     set:
       image.rootless: false

unittests/helm/metric-secret/metrics-secret-servicemonitor-disabled.yaml

@@ -0,0 +1,23 @@
+suite: Metrics secret template (monitoring disabled)
+release:
+  name: gitea-unittests
+  namespace: testing
+templates:
+  - templates/gitea/metrics-secret.yaml
+tests:
+  - it: renders nothing if monitoring disabled and gitea.metrics.token empty
+    set:
+      gitea.metrics.enabled: false
+      gitea.metrics.serviceMonitor.enabled: false
+      gitea.metrics.token: ""
+    asserts:
+      - hasDocuments:
+          count: 0
+  - it: renders nothing if monitoring disabled and gitea.metrics.token not empty
+    set:
+      gitea.metrics.enabled: false
+      gitea.metrics.serviceMonitor.enabled: false
+      gitea.metrics.token: "test-token"
+    asserts:
+      - hasDocuments:
+          count: 0

unittests/helm/metric-secret/metrics-secret-servicemonitor-enabled.yaml

@@ -0,0 +1,33 @@
+suite: Metrics secret template (monitoring enabled)
+release:
+  name: gitea-unittests
+  namespace: testing
+templates:
+  - templates/gitea/metrics-secret.yaml
+tests:
+  - it: renders nothing if monitoring enabled and gitea.metrics.token empty
+    set:
+      gitea.metrics.enabled: true
+      gitea.metrics.serviceMonitor.enabled: true
+      gitea.metrics.token: ""
+    asserts:
+      - hasDocuments:
+          count: 0
+  - it: renders Secret if monitoring enabled and gitea.metrics.token not empty
+    set:
+      gitea.metrics.enabled: true
+      gitea.metrics.serviceMonitor.enabled: true
+      gitea.metrics.token: "test-token"
+    asserts:
+      - hasDocuments:
+          count: 1
+      - documentIndex: 0
+        containsDocument:
+          kind: Secret
+          apiVersion: v1
+          name: gitea-unittests-metrics-secret
+      - isNotNullOrEmpty:
+          path: metadata.labels
+      - equal:
+          path: data.token
+          value: "dGVzdC10b2tlbg=="

unittests/helm/servicemonitor/servicemonitor-disabled.yaml

@@ -0,0 +1,23 @@
+suite: ServiceMonitor template (monitoring disabled)
+release:
+  name: gitea-unittests
+  namespace: testing
+templates:
+  - templates/gitea/servicemonitor.yaml
+tests:
+  - it: renders nothing if gitea.metrics.serviceMonitor disabled and gitea.metrics.token empty
+    set:
+      gitea.metrics.enabled: false
+      gitea.metrics.token: ""
+      gitea.metrics.serviceMonitor.enabled: false
+    asserts:
+      - hasDocuments:
+          count: 0
+  - it: renders nothing if gitea.metrics.serviceMonitor disabled and gitea.metrics.token not empty
+    set:
+      gitea.metrics.enabled: false
+      gitea.metrics.token: "test-token"
+      gitea.metrics.serviceMonitor.enabled: false
+    asserts:
+      - hasDocuments:
+          count: 0

unittests/helm/servicemonitor/servicemonitor-enabled.yaml

@@ -0,0 +1,70 @@
+suite: ServiceMonitor template (monitoring enabled)
+release:
+  name: gitea-unittests
+  namespace: testing
+templates:
+  - templates/gitea/servicemonitor.yaml
+tests:
+  - it: renders unsecure ServiceMonitor if gitea.metrics.token nil
+    set:
+      gitea.metrics.enabled: true
+      gitea.metrics.token:
+      gitea.metrics.serviceMonitor.enabled: true
+    asserts:
+      - hasDocuments:
+          count: 1
+      - documentIndex: 0
+        containsDocument:
+          kind: ServiceMonitor
+          apiVersion: monitoring.coreos.com/v1
+          name: gitea-unittests
+      - isNotNullOrEmpty:
+          path: metadata.labels
+      - equal:
+          path: spec.endpoints
+          value:
+            - port: http
+  - it: renders unsecure ServiceMonitor if gitea.metrics.token empty
+    set:
+      gitea.metrics.enabled: true
+      gitea.metrics.token: ""
+      gitea.metrics.serviceMonitor.enabled: true
+    asserts:
+      - hasDocuments:
+          count: 1
+      - documentIndex: 0
+        containsDocument:
+          kind: ServiceMonitor
+          apiVersion: monitoring.coreos.com/v1
+          name: gitea-unittests
+      - isNotNullOrEmpty:
+          path: metadata.labels
+      - equal:
+          path: spec.endpoints
+          value:
+            - port: http
+  - it: renders secure ServiceMonitor if gitea.metrics.token not empty
+    set:
+      gitea.metrics.enabled: true
+      gitea.metrics.token: "test-token"
+      gitea.metrics.serviceMonitor.enabled: true
+    asserts:
+      - hasDocuments:
+          count: 1
+      - documentIndex: 0
+        containsDocument:
+          kind: ServiceMonitor
+          apiVersion: monitoring.coreos.com/v1
+          name: gitea-unittests
+      - isNotNullOrEmpty:
+          path: metadata.labels
+      - equal:
+          path: spec.endpoints
+          value:
+            - port: http
+              authorization:
+                type: Bearer
+                credentials:
+                  name: gitea-unittests-metrics-secret
+                  key: token
+                  optional: false

unittests/helm/values-conflicting-checks.yaml

@@ -0,0 +1,14 @@
+suite: Values conflicting checks
+release:
+  name: gitea-unittests
+  namespace: testing
+tests:
+  - it: fails when trying to configure valkey and valkey-cluster the same time
+    set:
+      valkey-cluster:
+        enabled: true
+      valkey:
+        enabled: true
+    asserts:
+      - failedTemplate:
+          errorMessage: valkey and valkey-cluster cannot be enabled at the same time. Please only choose one.

unittests/values-conflicting-checks.yaml

@@ -1,14 +0,0 @@
-suite: Values conflicting checks
-release:
-  name: gitea-unittests
-  namespace: testing
-tests:
-  - it: fails when trying to configure redis and redis-cluster the same time
-    set:
-      redis-cluster:
-        enabled: true
-      redis:
-        enabled: true
-    asserts:
-      - failedTemplate:
-          errorMessage: redis and redis-cluster cannot be enabled at the same time. Please only choose one.

values.yaml

@@ -48,8 +48,8 @@ clusterDomain: cluster.local
 ## @param image.rootless Wether or not to pull the rootless version of Gitea, only works on Gitea 1.14.x or higher
 ## @param image.fullOverride Completely overrides the image registry, path/image, tag and digest. **Adjust `image.rootless` accordingly and review [Rootless defaults](#rootless-defaults).**
 image:
-  registry: ""
-  repository: gitea/gitea
+  registry: "docker.gitea.com"
+  repository: gitea
   # Overrides the image tag whose default is the chart appVersion.
   tag: ""
   digest: ""
@@ -76,7 +76,7 @@ containerSecurityContext: {}
 #   # run pods on nodes that use the container runtime cri-o. Otherwise, you will
 #   # get an error message from the SSH server that it is not possible to read from
 #   # the repository.
-#   # https://gitea.com/gitea/helm-chart/issues/161
+#   # https://gitea.com/gitea/helm-gitea/issues/161
 #     add:
 #       - SYS_CHROOT
 #   privileged: false
@@ -157,33 +157,25 @@ service:
 
 ## @section Ingress
 ## @param ingress.enabled Enable ingress
-## @param ingress.className Ingress class name
+## @param ingress.className DEPRECATED: Ingress class name.
+## @param ingress.pathType Ingress Path Type
 ## @param ingress.annotations Ingress annotations
 ## @param ingress.hosts[0].host Default Ingress host
 ## @param ingress.hosts[0].paths[0].path Default Ingress path
-## @param ingress.hosts[0].paths[0].pathType Ingress path type
 ## @param ingress.tls Ingress tls settings
-## @extra ingress.apiVersion Specify APIVersion of ingress object. Mostly would only be used for argocd.
 ingress:
   enabled: false
-  # className: nginx
-  className:
-  annotations:
-    {}
-    # kubernetes.io/ingress.class: nginx
-    # kubernetes.io/tls-acme: "true"
+  className: ""
+  pathType: Prefix
+  annotations: {}
   hosts:
     - host: git.example.com
       paths:
         - path: /
-          pathType: Prefix
   tls: []
   #  - secretName: chart-example-tls
   #    hosts:
   #      - git.example.com
-  # Mostly for argocd or any other CI that uses `helm template | kubectl apply` or similar
-  # If helm doesn't correctly detect your ingress API version you can set it here.
-  # apiVersion: networking.k8s.io/v1
 
 ## @section deployment
 #
@@ -314,6 +306,8 @@ extraVolumeMounts: []
 ## @section Init
 ## @param initPreScript Bash shell script copied verbatim to the start of the init-container.
 initPreScript: ""
+## @param initContainersScriptsVolumeMountPath Path to mount the scripts consumed from the Secrets
+initContainersScriptsVolumeMountPath: "/usr/sbinx"
 #
 # initPreScript: |
 #   mkdir -p /data/git/.postgresql
@@ -365,6 +359,7 @@ gitea:
     passwordMode: keepUpdated
 
   ## @param gitea.metrics.enabled Enable Gitea metrics
+  ## @param gitea.metrics.token used for `bearer` token authentication on metrics endpoint. If not specified or empty metrics endpoint is public.
   ## @param gitea.metrics.serviceMonitor.enabled Enable Gitea metrics service monitor. Requires, that `gitea.metrics.enabled` is also set to true, to enable metrics generally.
   ## @param gitea.metrics.serviceMonitor.interval Interval at which metrics should be scraped. If not specified Prometheus' global scrape interval is used.
   ## @param gitea.metrics.serviceMonitor.relabelings RelabelConfigs to apply to samples before scraping.
@@ -373,6 +368,7 @@ gitea:
   ## @param gitea.metrics.serviceMonitor.tlsConfig TLS configuration to use when scraping the metric endpoint by Prometheus.
   metrics:
     enabled: false
+    token:
     serviceMonitor:
       enabled: false
       #  additionalLabels:
@@ -505,41 +501,51 @@ gitea:
     successThreshold: 1
     failureThreshold: 10
 
-## @section redis-cluster
-## @param redis-cluster.enabled Enable redis cluster
-# ⚠️ The redis charts do not work well with special characters in the password (<https://gitea.com/gitea/helm-chart/issues/690>).
+## @section valkey-cluster
+## @param valkey-cluster.enabled Enable valkey cluster
+# ⚠️ The valkey charts do not work well with special characters in the password (<https://gitea.com/gitea/helm-chart/issues/690>).
 # Consider omitting such or open an issue in the Bitnami repo and let us know once this got fixed.
-## @param redis-cluster.usePassword Whether to use password authentication
-## @param redis-cluster.cluster.nodes Number of redis cluster master nodes
-## @param redis-cluster.cluster.replicas Number of redis cluster master node replicas
+## @param valkey-cluster.usePassword Whether to use password authentication
+## @param valkey-cluster.usePasswordFiles Whether to mount passwords as files instead of environment variables
+## @param valkey-cluster.cluster.nodes Number of valkey cluster master nodes
+## @param valkey-cluster.cluster.replicas Number of valkey cluster master node replicas
+## @param valkey-cluster.service.ports.valkey Port of Valkey service
 ## @descriptionStart
-## Redis cluster and [Redis](#redis) cannot be enabled at the same time.
+## Valkey cluster and [Valkey](#valkey) cannot be enabled at the same time.
 ## @descriptionEnd
-redis-cluster:
+valkey-cluster:
   enabled: true
   usePassword: false
+  usePasswordFiles: false
   cluster:
     nodes: 3 # default: 6
     replicas: 0 # default: 1
+  service:
+    ports:
+      valkey: 6379
 
-## @section redis
-## @param redis.enabled Enable redis standalone or replicated
-## @param redis.architecture Whether to use standalone or replication
-# ⚠️ The redis charts do not work well with special characters in the password (<https://gitea.com/gitea/helm-chart/issues/690>).
+## @section valkey
+## @param valkey.enabled Enable valkey standalone or replicated
+## @param valkey.architecture Whether to use standalone or replication
+# ⚠️ The valkey charts do not work well with special characters in the password (<https://gitea.com/gitea/helm-chart/issues/690>).
 # Consider omitting such or open an issue in the Bitnami repo and let us know once this got fixed.
-## @param redis.global.redis.password Required password
-## @param redis.master.count Number of Redis master instances to deploy
+## @param valkey.global.valkey.password Required password
+## @param valkey.master.count Number of Valkey master instances to deploy
+## @param valkey.master.service.ports.valkey Port of Valkey service
 ## @descriptionStart
-## Redis and [Redis cluster](#redis-cluster) cannot be enabled at the same time.
+## Valkey and [Valkey cluster](#valkey-cluster) cannot be enabled at the same time.
 ## @descriptionEnd
-redis:
+valkey:
   enabled: false
   architecture: standalone
   global:
-    redis:
+    valkey:
       password: changeme
   master:
     count: 1
+    service:
+      ports:
+        valkey: 6379
 
 ## @section PostgreSQL HA
 #