docs: set full path of values.yaml key in output to user (#832)

Currently, the reported path of the values to be changed is not always correct (especially `gitea.persistence` vs. `persistence`).

Co-authored-by: techknowlogick <techknowlogick@noreply.gitea.com>
Reviewed-on: https://gitea.com/gitea/helm-gitea/pulls/832
Reviewed-by: techknowlogick <techknowlogick@noreply.gitea.com>
Co-authored-by: bachorp <bachorp@noreply.gitea.com>
Co-committed-by: bachorp <bachorp@noreply.gitea.com>

.commitlintrc.json

@@ -0,0 +1,7 @@
+{
+  "extends": ["@commitlint/config-conventional"],
+  "rules": {
+    "type-enum": [2, "always", ["feat", "fix", "chore", "docs", "style", "refactor", "test", "perf", "ci", "WIP"]],
+    "type-case": [0, "always", "lower-case"]
+  }
+}

.gitea/PULL_REQUEST_TEMPLATE.md

@@ -23,7 +23,7 @@
 ### Applicable issues
 
 <!-- Enter any applicable Issues here (You can reference an issue using #). Please remove this section if there is no referenced issue. -->
-  - fixes #
+- Fixes #
 
 ### Additional information
 
@@ -39,4 +39,6 @@
 
 - [ ] Parameters are documented in the `values.yaml` and added to the `README.md` using [readme-generator-for-helm](https://github.com/bitnami-labs/readme-generator-for-helm)
 - [ ] Breaking changes are documented in the `README.md`
-- [ ] Templating unittests are added
+- [ ] Helm templating unittests are added (required when changing anything in `templates` folder)
+- [ ] Bash unittests are added (required when changing anything in `scripts` folder)
+- [ ] All added template resources MUST render a namespace in metadata

.gitea/workflows/changelog.yml

@@ -0,0 +1,32 @@
+name: changelog
+
+on:
+  push:
+    branches:
+      - main
+
+jobs:
+  changelog:
+    runs-on: ubuntu-latest
+    container: docker.io/thegeeklab/git-sv:1.0.12
+    steps:
+      - name: install tools
+        run: |
+          apk add -q --update --no-cache nodejs curl jq sed
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - name: Generate upcoming changelog
+        run: |
+          git sv rn -o changelog.md
+          export RELEASE_NOTES=$(cat changelog.md)
+          export ISSUE_NUMBER=$(curl -s "https://gitea.com/api/v1/repos/gitea/helm-gitea/issues?state=open&q=Changelog%20for%20upcoming%20version" | jq '.[].number')
+
+          echo $RELEASE_NOTES
+          JSON_DATA=$(echo "" | jq -Rs --arg title 'Changelog for upcoming version' --arg body "$(cat changelog.md)" '{title: $title, body: $body}')
+
+          if [ -z "$ISSUE_NUMBER" ]; then
+            curl -s -X POST "https://gitea.com/api/v1/repos/gitea/helm-gitea/issues" -H "Authorization: token ${{ secrets.ISSUE_RW_TOKEN }}" -H "Content-Type: application/json" -d "$JSON_DATA"
+          else
+            curl -s -X PATCH "https://gitea.com/api/v1/repos/gitea/helm-gitea/issues/$ISSUE_NUMBER" -H "Authorization: token ${{ secrets.ISSUE_RW_TOKEN }}" -H "Content-Type: application/json" -d "$JSON_DATA"
+          fi

.gitea/workflows/commitlint.yml

@@ -0,0 +1,19 @@
+name: commitlint
+
+on:
+  pull_request:
+    branches:
+      - "*"
+    types:
+      - opened
+      - edited
+
+jobs:
+  check-and-test:
+    runs-on: ubuntu-latest
+    container: commitlint/commitlint:19.7.1
+    steps:
+      - uses: actions/checkout@v4
+      - name: check PR title
+        run: |
+          echo "${{ gitea.event.pull_request.title }}" | commitlint --config .commitlintrc.json

.gitea/workflows/release-version.yml

@@ -7,7 +7,7 @@ on:
 
 env:
   # renovate: datasource=docker depName=alpine/helm
-  HELM_VERSION: "3.15.3"
+  HELM_VERSION: "3.17.1"
 
 jobs:
   generate-chart-publish:
@@ -31,7 +31,7 @@ jobs:
           echo "deb [arch="$(dpkg --print-architecture)" signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu "$(. /etc/os-release && echo "$VERSION_CODENAME")" stable" | tee /etc/apt/sources.list.d/docker.list > /dev/null
           apt update -y
           apt install -y python3 python3-pip apt-transport-https docker-ce-cli
-          pip install awscli
+          pip install awscli --break-system-packages
 
       - name: Import GPG key
         id: import_gpg

.gitea/workflows/test-pr.yml

@@ -7,21 +7,20 @@ on:
   push:
     branches:
       - main
-      - "renovate/**"
 
 env:
   # renovate: datasource=github-releases depName=helm-unittest/helm-unittest
-  HELM_UNITTEST_VERSION: "v0.5.2"
+  HELM_UNITTEST_VERSION: "v0.7.2"
 
 jobs:
   check-and-test:
     runs-on: ubuntu-latest
-    container: alpine/helm:3.15.3
+    container: alpine/helm:3.17.1
     steps:
       - name: install tools
         run: |
           apk update
-          apk add --update make nodejs npm yamllint
+          apk add --update bash make nodejs npm yamllint ncurses
       - uses: actions/checkout@v4
       - name: install chart dependencies
         run: helm dependency build
@@ -29,9 +28,14 @@ jobs:
         run: helm lint
       - name: template
         run: helm template --debug gitea-helm .
-      - name: unit tests
+      - name: prepare unit test environment
         run: |
           helm plugin install --version ${{ env.HELM_UNITTEST_VERSION }} https://github.com/helm-unittest/helm-unittest
+          git submodule update --init --recursive
+      - name: unit tests
+        env:
+          TERM: xterm
+        run: |
           make unittests
       - name: verify readme
         run: |

.gitmodules

@@ -0,0 +1,12 @@
+[submodule "unittests/bash/bats"]
+	path = unittests/bash/bats
+	url = https://github.com/bats-core/bats-core.git
+[submodule "unittests/bash/test_helper/bats-support"]
+	path = unittests/bash/test_helper/bats-support
+	url = https://github.com/bats-core/bats-support.git
+[submodule "unittests/bash/test_helper/bats-assert"]
+	path = unittests/bash/test_helper/bats-assert
+	url = https://github.com/bats-core/bats-assert.git
+[submodule "unittests/bash/test_helper/bats-mock"]
+	path = unittests/bash/test_helper/bats-mock
+	url = https://github.com/jasonkarns/bats-mock.git

.gitsv/config.yaml

@@ -0,0 +1,57 @@
+version: '1.1' # Configuration version.
+
+versioning:
+  update-major: [breaking] # Commit types used to bump major.
+  update-minor: [feat, perf] # Commit types used to bump minor.
+  update-patch: [build, ci, chore, fix, perf, refactor, test] # Commit types used to bump patch.
+  # When type is not present on update rules and is unknown (not mapped on commit message types);
+  # if ignore-unknown=false bump patch, if ignore-unknown=true do not bump version.
+  ignore-unknown: false
+
+tag:
+  pattern: 'v%d.%d.%d' # Pattern used to create git tag.
+  filter: '' # Enables you to filter for considerable tags using git pattern syntax.
+
+release-notes:
+  sections: # Array with each section of release note. Check template section for more information.
+    - name: Breaking Changes
+      section-type: breaking-changes
+    - name: Features # Name used on section.
+      section-type: commits # Type of the section, supported types: commits, breaking-changes.
+      commit-types: [feat, perf] # Commit types for commit section-type, one commit type cannot be in more than one section.
+    - name: Bug Fixes
+      section-type: commits
+      commit-types: [fix]
+    - name: Maintenance
+      section-type: commits
+      commit-types: [chore, refactor]
+    - name: Documentation
+      commit-types: [docs]
+      section-type: commits
+    - name: CI
+      commit-types: [ci]
+      section-type: commits
+
+branches: # Git branches config.
+  prefix: ([a-z]+\/)? # Prefix used on branch name, it should be a regex group.
+  suffix: (-.*)? # Suffix used on branch name, it should be a regex group.
+  disable-issue: false # Set true if there is no need to recover issue id from branch name.
+  skip: [] # List of branch names ignored on commit message validation.
+  skip-detached: false # Set true if a detached branch should be ignored on commit message validation.
+
+commit-message:
+  # Supported commit types.
+  types: [build, ci, chore, docs, feat, fix, perf, refactor, revert, style, test]
+  header-selector: '' # You can put in a regex here to select only a certain part of the commit message. Please define a regex group 'header'.
+  scope:
+    # Define supported scopes, if blank, scope will not be validated, if not, only scope listed will be valid.
+    # Don't forget to add "" on your list if you need to define scopes and keep it optional.
+    values: []
+  footer:
+    issue: # Use "issue: {}" if you wish to disable issue footer.
+      key: jira # Name used to define an issue on footer metadata.
+      key-synonyms: [Jira, JIRA] # Supported variations for footer metadata.
+      use-hash: false # If false, use :<space> separator. If true, use <space># separator.
+      add-value-prefix: '' # Add a prefix to issue value.
+  issue:
+    regex: '[A-Z]+-[0-9]+' # Regex for issue id.

.helmignore

@@ -5,6 +5,7 @@
 # Common VCS dirs
 .git/
 .gitignore
+.gitmodules
 .bzr/
 .bzrignore
 .hg/
@@ -31,3 +32,10 @@ Makefile
 .drone.yml
 CONTRIBUTING.md
 unittests/
+.editorconfig
+.prettierignore
+.yamllint
+CODEOWNERS
+renovate.json5
+.commitlintrc.json
+.gitsv/

.markdownlint.yaml

@@ -129,6 +129,7 @@ MD041:
 MD044:
   # List of proper names
   names:
+    - docker.gitea.com
     - Gitea
     - PostgreSQL
     - Memcached

.vscode/extensions.json

@@ -3,6 +3,7 @@
         "yzhang.markdown-all-in-one",
         "DavidAnson.vscode-markdownlint",
         "Tim-Koehler.helm-intellisense",
-        "esbenp.prettier-vscode"
+        "esbenp.prettier-vscode",
+        "jetmartin.bats"
     ]
   }

.vscode/settings.json

@@ -1,8 +1,15 @@
 {
     "yaml.schemas": {
-        "https://raw.githubusercontent.com/helm-unittest/helm-unittest/v0.5.2/schema/helm-testsuite.json": [
+        "https://raw.githubusercontent.com/helm-unittest/helm-unittest/v0.7.2/schema/helm-testsuite.json": [
             "/unittests/**/*.yaml"
         ]
     },
-    "yaml.schemaStore.enable": true
+    "yaml.schemaStore.enable": true,
+    "[bats]": {
+        "editor.tabSize": 2
+    },
+    "[shellscript]": {
+        "files.eol": "\n",
+        "editor.tabSize": 2
+    }
 }

.yamllint

@@ -5,7 +5,7 @@ ignore: |
   .yamllint
   node_modules
   templates
-
+  unittests/bash
 
 rules:
   truthy:

CONTRIBUTING.md

@@ -29,6 +29,7 @@ When submitting or updating a PR:
 - try to avoid rebases. They make code reviews for large PRs and comments much harder.
 - if applicable, use the PR template for a well-defined PR description.
 - clearly mark breaking changes.
+- format the PR title following the [conventional commits](https://www.conventionalcommits.org/en/v1.0.0/#specification) schema
 
 ## Local development & testing
 
@@ -37,7 +38,7 @@ be used:
 
 1. Install `minikube` and `helm`.
 1. Start a `minikube` cluster via `minikube start`.
-1. From the `gitea/helm-chart` directory execute the following command.
+1. From the `gitea/helm-gitea` directory execute the following command.
    This will install the dependencies listed in `Chart.yml` and deploy the current state of the helm chart found locally.
    If you want to test a branch, make sure to switch to the respective branch first.
    `helm install --dependency-update gitea . -f values.yaml`.
@@ -48,16 +49,30 @@ default port-forward svc/gitea-http 3000:3000`.
 
 ### Unit tests
 
+#### Helm templating tests
+
 ```bash
 # install the unittest plugin
 $ helm plugin install https://github.com/helm-unittest/helm-unittest
 
-# run the unittests
-make unittests
+# run the Helm unittests
+make unittests-helm
 ```
 
 See [plugin documentation](https://github.com/helm-unittest/helm-unittest/blob/main/DOCUMENT.md) for usage instructions.
 
+#### Bash script tests
+
+```bash
+# setup the environment
+git submodule update --init --recursive
+
+# run the bash tests
+make unittests-bash
+```
+
+See [bats documentation](https://bats-core.readthedocs.io/en/stable/) for usage instructions.
+
 ## Release process
 
 1. Create a tag following the tagging schema

Chart.lock

@@ -1,15 +1,15 @@
 dependencies:
 - name: postgresql
   repository: oci://registry-1.docker.io/bitnamicharts
-  version: 15.5.20
+  version: 16.4.14
 - name: postgresql-ha
   repository: oci://registry-1.docker.io/bitnamicharts
-  version: 14.2.16
+  version: 15.2.3
 - name: redis-cluster
   repository: oci://registry-1.docker.io/bitnamicharts
-  version: 10.3.0
+  version: 11.4.3
 - name: redis
   repository: oci://registry-1.docker.io/bitnamicharts
-  version: 19.6.4
-digest: sha256:a28c809273f313c482e3f803a0a002c3bb3a0d2090bf6b732d68ecc4710b4732
-generated: "2024-08-03T00:21:16.080925346Z"
+  version: 20.8.0
+digest: sha256:ce1a2a02c3e1adb764cae42ccce1efd2d41adb5024576e6d8a92b30b8dfe67db
+generated: "2025-02-23T00:12:41.541107288Z"

Chart.yaml

@@ -4,7 +4,7 @@ description: Gitea Helm chart for Kubernetes
 type: application
 version: 0.0.0
 # renovate datasource=github-releases depName=go-gitea/gitea extractVersion=^v(?<version>.*)$
-appVersion: 1.22.3
+appVersion: 1.23.6
 icon: https://gitea.com/assets/img/logo.svg
 
 keywords:
@@ -15,9 +15,9 @@ keywords:
   - gitea
   - gogs
 sources:
-  - https://gitea.com/gitea/helm-chart
+  - https://gitea.com/gitea/helm-gitea
   - https://github.com/go-gitea/gitea
-  - https://hub.docker.com/r/gitea/gitea/
+  - https://docker.gitea.com/gitea
 maintainers:
   - name: Charlie Drage
     email: charlie@charliedrage.com
@@ -36,20 +36,20 @@ dependencies:
   # https://github.com/bitnami/charts/blob/main/bitnami/postgresql
   - name: postgresql
     repository: oci://registry-1.docker.io/bitnamicharts
-    version: 15.5.20
+    version: 16.4.14
     condition: postgresql.enabled
   # https://github.com/bitnami/charts/blob/main/bitnami/postgresql-ha/Chart.yaml
   - name: postgresql-ha
     repository: oci://registry-1.docker.io/bitnamicharts
-    version: 14.2.16
+    version: 15.2.3
     condition: postgresql-ha.enabled
   # https://github.com/bitnami/charts/blob/main/bitnami/redis-cluster/Chart.yaml
   - name: redis-cluster
     repository: oci://registry-1.docker.io/bitnamicharts
-    version: 10.3.0
+    version: 11.4.3
     condition: redis-cluster.enabled
   # https://github.com/bitnami/charts/blob/main/bitnami/redis/Chart.yaml
   - name: redis
     repository: oci://registry-1.docker.io/bitnamicharts
-    version: 19.6.4
+    version: 20.8.0
     condition: redis.enabled

Makefile

@@ -1,3 +1,5 @@
+SHELL := /usr/bin/env bash -O globstar
+
 .PHONY: prepare-environment
 prepare-environment:
 	npm install
@@ -8,8 +10,15 @@ readme: prepare-environment
 	npm run readme:lint
 
 .PHONY: unittests
-unittests:
-	helm unittest --strict -f 'unittests/**/*.yaml' -f 'unittests/dependency-major-image-check.yaml' -f 'unittests/values-conflicting-checks.yaml' ./
+unittests: unittests-helm unittests-bash
+
+.PHONY: unittests-helm
+unittests-helm:
+	helm unittest --strict -f 'unittests/helm/**/*.yaml' -f 'unittests/helm/values-conflicting-checks.yaml' ./
+
+.PHONY: unittests-bash
+unittests-bash:
+	./unittests/bash/bats/bin/bats --pretty ./unittests/bash/tests/**/*.bats
 
 .PHONY: helm
 update-helm-dependencies:

README.md

@@ -8,6 +8,7 @@
   - [Dependency Versioning](#dependency-versioning)
 - [Installing](#installing)
 - [High Availability](#high-availability)
+- [Limit resources](#limit-resources)
 - [Configuration](#configuration)
   - [Default Configuration](#default-configuration)
     - [Database defaults](#database-defaults)
@@ -30,6 +31,7 @@
   - [OAuth2 Settings](#oauth2-settings)
 - [Configure commit signing](#configure-commit-signing)
 - [Metrics and profiling](#metrics-and-profiling)
+  - [Secure Metrics Endpoint](#secure-metrics-endpoint)
 - [Pod annotations](#pod-annotations)
 - [Themes](#themes)
 - [Renovate](#renovate)
@@ -70,7 +72,7 @@ Additionally, this chart allows to provide LDAP and admin user configuration wit
 ## Update and versioning policy
 
 The Gitea helm chart versioning does not follow Gitea's versioning.
-The latest chart version can be looked up in [https://dl.gitea.com/charts](https://dl.gitea.com/charts) or in the [repository releases](https://gitea.com/gitea/helm-chart/releases).
+The latest chart version can be looked up in [https://dl.gitea.com/charts](https://dl.gitea.com/charts) or in the [repository releases](https://gitea.com/gitea/helm-gitea/releases).
 
 The chart aims to follow Gitea's releases closely.
 There might be times when the chart is behind the latest Gitea release.
@@ -138,6 +140,12 @@ Alternatively, the chart can also be installed from Dockerhub (since v9.6.0)
 helm install gitea oci://registry-1.docker.io/giteacharts/gitea
 ```
 
+To avoid potential Dockerhub rate limits, the chart can also be installed via [docker.gitea.com](https://blog.gitea.com/docker-registry-update/) (since v9.6.0)
+
+```sh
+helm install gitea oci://docker.gitea.com/charts/gitea
+```
+
 When upgrading, please refer to the [Upgrading](#upgrading) section at the bottom of this document for major and breaking changes.
 
 ## High Availability
@@ -148,6 +156,44 @@ Care must be taken for production use as not all implementation details of Gitea
 Deploying a HA-ready Gitea instance requires some effort including using HA-ready dependencies.
 See the [HA Setup](docs/ha-setup.md) document for more details.
 
+## Limit resources
+
+If the application is deployed with a CPU resource limit, Prometheus may throw a CPU throttling warning for the
+application. This has more or less to do with the fact that the application finds the number of CPUs of the host, but
+cannot use the available CPU time to perform computing operations.
+
+The application must be informed that despite several CPUs only a part (limit) of the available computing time is
+available. As this is a Golang application, this can be implemented using `GOMAXPROCS`. The following example is one way
+of defining `GOMAXPROCS` automatically based on the defined CPU limit like `1000m`. Please keep in mind, that the CFS
+rate of `100ms` - default on each kubernetes node, is also very important to avoid CPU throttling.
+
+Further information about this topic can be found [here](https://kanishk.io/posts/cpu-throttling-in-containerized-go-apps/).
+
+> [!NOTE]
+> The environment variable `GOMAXPROCS` is set automatically, when a CPU limit is defined. An explicit configuration is
+> not anymore required.
+>
+> Please note that a CPU limit < `1000m` can also lead to CPU throttling. Please read the linked documentation carefully.
+
+```yaml
+deployment:
+  env:
+  # Will be automatically defined!
+  - name: GOMAXPROCS
+    valueFrom:
+      resourceFieldRef:
+        divisor: "1" # Is required for GitDevOps systems like ArgoCD/Flux. Otherwise throw the system a diff error. (k8s-default=1)
+        resource: limits.cpu
+
+resources:
+  limits:
+    cpu: 1000m
+    memory: 512Mi
+  requests:
+    cpu: 100m
+    memory: 512Mi
+```
+
 ## Configuration
 
 Gitea offers lots of configuration options.
@@ -488,7 +534,7 @@ and the repository exists.
 ```
 
 To solve this problem add the capability `SYS_CHROOT` to the `securityContext`.
-More about this issue [here](https://gitea.com/gitea/helm-chart/issues/161).
+More about this issue [here](https://gitea.com/gitea/helm-gitea/issues/161).
 
 ### Cache
 
@@ -502,7 +548,7 @@ redis-cluster:
   enabled: true
 ```
 
-⚠️ The redis charts [do not work well with special characters in the password](https://gitea.com/gitea/helm-chart/issues/690).
+⚠️ The redis charts [do not work well with special characters in the password](https://gitea.com/gitea/helm-gitea/issues/690).
 Consider omitting such or open an issue in the Bitnami repo and let us know once this got fixed.
 
 ### Persistence
@@ -538,7 +584,7 @@ You can interact with the postgres settings as displayed in the following exampl
 postgresql:
   persistence:
     enabled: true
-    claimName: MyAwesomeGiteaPostgresClaim
+    existingClaim: MyAwesomeGiteaPostgresClaim
 ```
 
 ### Admin User
@@ -693,7 +739,7 @@ gitea:
 
 When using the rootless image the gpg key folder is not persistent by default.
 If you consider using signed commits for internal Gitea activities (e.g. initial commit), you'd need to provide a signing key.
-Prior to [PR186](https://gitea.com/gitea/helm-chart/pulls/186), imported keys had to be re-imported once the container got replaced by another.
+Prior to [PR186](https://gitea.com/gitea/helm-gitea/pulls/186), imported keys had to be re-imported once the container got replaced by another.
 
 The mentioned PR introduced a new configuration object `signing` allowing you to configure prerequisites for commit signing.
 By default this section is disabled to maintain backwards compatibility.
@@ -747,6 +793,21 @@ gitea:
       ENABLE_PPROF: true
 ```
 
+### Secure Metrics Endpoint
+
+Metrics endpoint `/metrics` can be secured by using `Bearer` token authentication.
+
+**Note:** Providing non-empty `TOKEN` value will also require authentication for `ServiceMonitor`.
+
+```yaml
+gitea:
+  metrics:
+    token: "secure-token"
+    enabled: true
+    serviceMonitor:
+      enabled: true
+```
+
 ## Pod annotations
 
 Annotations can be added to the Gitea pod.
@@ -877,9 +938,9 @@ To comply with the Gitea helm chart definition of the digest parameter, a "custo
 ### Image
 
 | Name                 | Description                                                                                                                                                      | Value              |
-| -------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------- |
-| `image.registry`     | image registry, e.g. gcr.io,docker.io                                                                                                                            | `""`           |
-| `image.repository`   | Image to start for this pod                                                                                                                                      | `gitea/gitea`  |
+| -------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------ |
+| `image.registry`     | image registry, e.g. gcr.io,docker.io                                                                                                                            | `docker.gitea.com` |
+| `image.repository`   | Image to start for this pod                                                                                                                                      | `gitea`            |
 | `image.tag`          | Visit: [Image tag](https://hub.docker.com/r/gitea/gitea/tags?page=1&ordering=last_updated). Defaults to `appVersion` within Chart.yaml.                          | `""`               |
 | `image.digest`       | Image digest. Allows to pin the given image tag. Useful for having control over mutable tags like `latest`                                                       | `""`               |
 | `image.pullPolicy`   | Image pull policy                                                                                                                                                | `IfNotPresent`     |
@@ -1011,23 +1072,26 @@ To comply with the Gitea helm chart definition of the digest parameter, a "custo
 ### Gitea Actions
 
 | Name                                              | Description                                                                                                                                 | Value                          |
-| ---------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------ |
+| ------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------ |
 | `actions.enabled`                                 | Create an act runner StatefulSet.                                                                                                           | `false`                        |
 | `actions.init.image.repository`                   | The image used for the init containers                                                                                                      | `busybox`                      |
-| `actions.init.image.tag`                       | The image tag used for the init containers                                                                                                  | `1.36.1`                       |
+| `actions.init.image.tag`                          | The image tag used for the init containers                                                                                                  | `1.37.0`                       |
 | `actions.statefulset.annotations`                 | Act runner annotations                                                                                                                      | `{}`                           |
 | `actions.statefulset.labels`                      | Act runner labels                                                                                                                           | `{}`                           |
 | `actions.statefulset.resources`                   | Act runner resources                                                                                                                        | `{}`                           |
 | `actions.statefulset.nodeSelector`                | NodeSelector for the statefulset                                                                                                            | `{}`                           |
 | `actions.statefulset.tolerations`                 | Tolerations for the statefulset                                                                                                             | `[]`                           |
 | `actions.statefulset.affinity`                    | Affinity for the statefulset                                                                                                                | `{}`                           |
+| `actions.statefulset.extraVolumes`                | Extra volumes for the statefulset                                                                                                           | `[]`                           |
 | `actions.statefulset.actRunner.repository`        | The Gitea act runner image                                                                                                                  | `gitea/act_runner`             |
 | `actions.statefulset.actRunner.tag`               | The Gitea act runner tag                                                                                                                    | `0.2.11`                       |
 | `actions.statefulset.actRunner.pullPolicy`        | The Gitea act runner pullPolicy                                                                                                             | `IfNotPresent`                 |
+| `actions.statefulset.actRunner.extraVolumeMounts` | Allows mounting extra volumes in the act runner container                                                                                   | `[]`                           |
 | `actions.statefulset.actRunner.config`            | Act runner custom configuration. See [Act Runner documentation](https://docs.gitea.com/usage/actions/act-runner#configuration) for details. | `Too complex. See values.yaml` |
 | `actions.statefulset.dind.repository`             | The Docker-in-Docker image                                                                                                                  | `docker`                       |
 | `actions.statefulset.dind.tag`                    | The Docker-in-Docker image tag                                                                                                              | `25.0.2-dind`                  |
 | `actions.statefulset.dind.pullPolicy`             | The Docker-in-Docker pullPolicy                                                                                                             | `IfNotPresent`                 |
+| `actions.statefulset.dind.extraVolumeMounts`      | Allows mounting extra volumes in the Docker-in-Docker container                                                                             | `[]`                           |
 | `actions.statefulset.dind.extraEnvs`              | Allows adding custom environment variables, such as `DOCKER_IPTABLES_LEGACY`                                                                | `[]`                           |
 | `actions.provisioning.enabled`                    | Create a job that will create and save the token in a Kubernetes Secret                                                                     | `false`                        |
 | `actions.provisioning.annotations`                | Job's annotations                                                                                                                           | `{}`                           |
@@ -1053,6 +1117,7 @@ To comply with the Gitea helm chart definition of the digest parameter, a "custo
 | `gitea.admin.email`                          | Email for the Gitea admin user                                                                                                 | `gitea@local.domain` |
 | `gitea.admin.passwordMode`                   | Mode for how to set/update the admin user password. Options are: initialOnlyNoReset, initialOnlyRequireReset, and keepUpdated  | `keepUpdated`        |
 | `gitea.metrics.enabled`                      | Enable Gitea metrics                                                                                                           | `false`              |
+| `gitea.metrics.token`                        | used for `bearer` token authentication on metrics endpoint. If not specified or empty metrics endpoint is public.              | `nil`                |
 | `gitea.metrics.serviceMonitor.enabled`       | Enable Gitea metrics service monitor. Requires, that `gitea.metrics.enabled` is also set to true, to enable metrics generally. | `false`              |
 | `gitea.metrics.serviceMonitor.interval`      | Interval at which metrics should be scraped. If not specified Prometheus' global scrape interval is used.                      | `""`                 |
 | `gitea.metrics.serviceMonitor.relabelings`   | RelabelConfigs to apply to samples before scraping.                                                                            | `[]`                 |
@@ -1176,6 +1241,28 @@ If you miss this, blindly upgrading may delete your Postgres instance and you ma
 
 <details>
 
+<summary>To 11.0.0</summary>
+
+<!-- prettier-ignore-start -->
+<!-- markdownlint-disable-next-line -->
+**Breaking changes**
+<!-- prettier-ignore-end -->
+
+- Update Gitea to 1.23.x (review the [1.23 release blog post](https://blog.gitea.com/release-of-1.23.0/) for all application breaking changes)
+- Update PostgreSQL sub-chart dependencies to appVersion 17.x
+- Update Redis sub-chart to version 20.x (appVersion 7.4)
+  Although there are no breaking changes in the Redis Chart itself, it updates Redis from `7.2` to `7.4`. We recommend checking the release notes:
+  - [Redis Chart release notes (starting with v20.0.0)](https://github.com/bitnami/charts/blob/HEAD/bitnami/redis/CHANGELOG.md#2000-2024-08-09).
+  - [Redis 7.4 release notes](https://raw.githubusercontent.com/redis/redis/7.4/00-RELEASENOTES).
+- Update Redis Cluster sub-chart to version 11.x (appVersion 7.4)
+  Although there are no breaking changes in the Redis Chart itself, it updates Redis from `7.2` to `7.4`. We recommend checking the release notes:
+  - [Redis Chart release notes (starting with v11.0.0)](https://github.com/bitnami/charts/blob/HEAD/bitnami/redis-cluster/CHANGELOG.md#1100-2024-08-09).
+  - [Redis 7.4 release notes](https://raw.githubusercontent.com/redis/redis/7.4/00-RELEASENOTES).
+
+</details>
+
+<details>
+
 <summary>To 10.0.0</summary>
 
 <!-- prettier-ignore-start -->
@@ -1242,7 +1329,7 @@ The first item here (`<memcache service name>`) will be different compared to th
 The above changes are motivated by the idea to tidy dependencies but also have HA-ready ones at the same time.
 The previous `memcache` default was not HA-ready, hence we decided to switch to `redis-cluster` by default.
 
-If you are coming from an existing deployment and [#356](https://gitea.com/gitea/helm-chart/issues/356) is still open, you need to set the config sections for `cache`, `session` and `queue` explicitly:
+If you are coming from an existing deployment and [#356](https://gitea.com/gitea/helm-gitea/issues/356) is still open, you need to set the config sections for `cache`, `session` and `queue` explicitly:
 
 ```yaml
 gitea:
@@ -1267,7 +1354,7 @@ gitea:
 <!-- prettier-ignore-end -->
 
 If you are facing errors like `WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED` due to this automatic transition:
-Have a look at [this discussion](https://gitea.com/gitea/helm-chart/issues/487#issue-220660) and either set `image.rootless: false` or manually update your `~/.ssh/known_hosts` file(s).
+Have a look at [this discussion](https://gitea.com/gitea/helm-gitea/issues/487#issue-220660) and either set `image.rootless: false` or manually update your `~/.ssh/known_hosts` file(s).
 
 <!-- prettier-ignore-start -->
 <!-- markdownlint-disable-next-line -->
@@ -1323,7 +1410,7 @@ With respect to `values.yaml`, parameters `username`, `database` and `password`
 Please adjust your `values.yaml` accordingly.
 
 **Attention**: The Postgres upgrade is not automatically handled by the chart and must be done by yourself.
-See [this comment](https://gitea.com/gitea/helm-chart/issues/452#issuecomment-740885) for an extensive walkthrough.
+See [this comment](https://gitea.com/gitea/helm-gitea/issues/452#issuecomment-740885) for an extensive walkthrough.
 We again highly encourage users to use an external (managed) database for production instances.
 
 </details>

package.json

@@ -1,6 +1,6 @@
 {
-  "name": "gitea-helm-chart",
-  "homepage": "https://gitea.com/gitea/helm-chart.git",
+  "name": "gitea-helm",
+  "homepage": "https://gitea.com/gitea/helm-gitea.git",
   "license": "MIT",
   "private": true,
   "engineStrict": true,
@@ -14,6 +14,6 @@
   },
   "devDependencies": {
     "@bitnami/readme-generator-for-helm": "^2.5.0",
-    "markdownlint-cli": "^0.41.0"
+    "markdownlint-cli": "^0.44.0"
   }
 }

renovate.json5

@@ -9,7 +9,13 @@
   labels: [
     'kind/dependency',
   ],
+  "digest": {
+    "automerge": true
+  },
   automergeStrategy: 'squash',
+  'git-submodules': {
+    'enabled': true
+  },
   customManagers: [
     {
       description: 'Gitea-version of https://docs.renovatebot.com/presets-regexManagers/#regexmanagersgithubactionsversions',
@@ -63,6 +69,25 @@
         'patch',
         'digest',
       ],
+      matchFileNames: [
+        '!Chart.yaml',
+      ],
+    },
+    {
+      description: 'Update README.md on changes in values.yaml',
+      matchManagers: [
+        'helm-values',
+      ],
+      postUpgradeTasks: {
+        commands: [
+          'install-tool node',
+          'make readme',
+        ],
+        fileFilters: [
+          'README.md',
+        ],
+        executionMode: 'update',
+      },
     },
     {
       description: 'Override changelog url for Helm image, to have release notes in our PRs',
@@ -71,5 +96,12 @@
       ],
       changelogUrl: 'https://github.com/helm/helm',
     },
+    {
+      description: 'Bump Gitea as fast as possible - not only on weekends',
+      matchDepNames: [
+        'go-gitea/gitea',
+      ],
+      schedule: ['at any time'],
+    },
   ],
 }

scripts/init-containers/config/config_environment.sh

@@ -0,0 +1,154 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+function env2ini::log() {
+  printf "${1}\n"
+}
+
+function env2ini::read_config_to_env() {
+  local section="${1}"
+  local line="${2}"
+
+  if [[ -z "${line}" ]]; then
+    # skip empty line
+    return
+  fi
+
+  # 'xargs echo -n' trims all leading/trailing whitespaces and a trailing new line
+  local setting="$(awk -F '=' '{print $1}' <<< "${line}" | xargs echo -n)"
+
+  if [[ -z "${setting}" ]]; then
+    env2ini::log '  ! invalid setting'
+    exit 1
+  fi
+
+  local value=''
+  local regex="^${setting}(\s*)=(\s*)(.*)"
+  if [[ $line =~ $regex ]]; then
+    value="${BASH_REMATCH[3]}"
+  else
+    env2ini::log '  ! invalid setting'
+    exit 1
+  fi
+
+  env2ini::log "    + '${setting}'"
+
+  if [[ -z "${section}" ]]; then
+    export "GITEA____${setting^^}=${value}"                           # '^^' makes the variable content uppercase
+    return
+  fi
+
+  local masked_section="${section//./_0X2E_}"                            # '//' instructs to replace all matches
+  masked_section="${masked_section//-/_0X2D_}"
+
+  export "GITEA__${masked_section^^}__${setting^^}=${value}"        # '^^' makes the variable content uppercase
+}
+
+function env2ini::reload_preset_envs() {
+  env2ini::log "Reloading preset envs..."
+
+  while read -r line; do
+    if [[ -z "${line}" ]]; then
+      # skip empty line
+      return
+    fi
+
+    # 'xargs echo -n' trims all leading/trailing whitespaces and a trailing new line
+    local setting="$(awk -F '=' '{print $1}' <<< "${line}" | xargs echo -n)"
+
+    if [[ -z "${setting}" ]]; then
+      env2ini::log '  ! invalid setting'
+      exit 1
+    fi
+
+    local value=''
+    local regex="^${setting}(\s*)=(\s*)(.*)"
+    if [[ $line =~ $regex ]]; then
+      value="${BASH_REMATCH[3]}"
+    else
+      env2ini::log '  ! invalid setting'
+      exit 1
+    fi
+
+    env2ini::log "  + '${setting}'"
+
+    export "${setting^^}=${value}"                           # '^^' makes the variable content uppercase
+  done < "$TMP_EXISTING_ENVS_FILE"
+
+  rm $TMP_EXISTING_ENVS_FILE
+}
+
+
+function env2ini::process_config_file() {
+  local config_file="${1}"
+  local section="$(basename "${config_file}")"
+
+  if [[ $section == '_generals_' ]]; then
+    env2ini::log "  [ini root]"
+    section=''
+  else
+    env2ini::log "  ${section}"
+  fi
+
+  while read -r line; do
+    env2ini::read_config_to_env "${section}" "${line}"
+  done < <(awk 1 "${config_file}")                             # Helm .toYaml trims the trailing new line which breaks line processing; awk 1 ... adds it back while reading
+}
+
+function env2ini::load_config_sources() {
+  local path="${1}"
+
+  if [[ -d "${path}" ]]; then
+    env2ini::log "Processing $(basename "${path}")..."
+
+    while read -d '' configFile; do
+      env2ini::process_config_file "${configFile}"
+    done < <(find "${path}" -type l -not -name '..data' -print0)
+
+    env2ini::log "\n"
+  fi
+}
+
+function env2ini::generate_initial_secrets() {
+  # These environment variables will either be
+  #   - overwritten with user defined values,
+  #   - initially used to set up Gitea
+  # Anyway, they won't harm existing app.ini files
+
+  export GITEA__SECURITY__INTERNAL_TOKEN=$(gitea generate secret INTERNAL_TOKEN)
+  export GITEA__SECURITY__SECRET_KEY=$(gitea generate secret SECRET_KEY)
+  export GITEA__OAUTH2__JWT_SECRET=$(gitea generate secret JWT_SECRET)
+  export GITEA__SERVER__LFS_JWT_SECRET=$(gitea generate secret LFS_JWT_SECRET)
+
+  env2ini::log "...Initial secrets generated\n"
+}
+
+# save existing envs prior to script execution. Necessary to keep order of preexisting and custom envs
+env | (grep -e '^GITEA__' || [[ $? == 1 ]]) > $TMP_EXISTING_ENVS_FILE
+
+# MUST BE CALLED BEFORE OTHER CONFIGURATION
+env2ini::generate_initial_secrets
+
+env2ini::load_config_sources "$ENV_TO_INI_MOUNT_POINT/inlines/"
+env2ini::load_config_sources "$ENV_TO_INI_MOUNT_POINT/additionals/"
+
+# load existing envs to override auto generated envs
+env2ini::reload_preset_envs
+
+env2ini::log "=== All configuration sources loaded ===\n"
+
+# safety to prevent rewrite of secret keys if an app.ini already exists
+if [ -f ${GITEA_APP_INI} ]; then
+  env2ini::log 'An app.ini file already exists. To prevent overwriting secret keys, these settings are dropped and remain unchanged:'
+  env2ini::log '  - security.INTERNAL_TOKEN'
+  env2ini::log '  - security.SECRET_KEY'
+  env2ini::log '  - oauth2.JWT_SECRET'
+  env2ini::log '  - server.LFS_JWT_SECRET'
+
+  unset GITEA__SECURITY__INTERNAL_TOKEN
+  unset GITEA__SECURITY__SECRET_KEY
+  unset GITEA__OAUTH2__JWT_SECRET
+  unset GITEA__SERVER__LFS_JWT_SECRET
+fi
+
+environment-to-ini -o $GITEA_APP_INI

scripts/init-containers/init/configure_gpg_environment.sh

@@ -0,0 +1,4 @@
+#!/usr/bin/env bash
+set -eu
+
+gpg --batch --import "$TMP_RAW_GPG_KEY"

templates/_helpers.tpl

@@ -311,6 +311,9 @@ https
   {{- if not (hasKey .Values.gitea.config.metrics "ENABLED") -}}
     {{- $_ := set .Values.gitea.config.metrics "ENABLED" .Values.gitea.metrics.enabled -}}
   {{- end -}}
+  {{- if and (not (hasKey .Values.gitea.config.metrics "TOKEN")) (.Values.gitea.metrics.token) (.Values.gitea.metrics.enabled) -}}
+    {{- $_ := set .Values.gitea.config.metrics "TOKEN" .Values.gitea.metrics.token -}}
+  {{- end -}}
   {{- /* redis queue */ -}}
   {{- if or ((index .Values "redis-cluster").enabled) ((index .Values "redis").enabled) -}}
     {{- $_ := set .Values.gitea.config.queue "TYPE" "redis" -}}
@@ -465,3 +468,7 @@ https
   {{- end -}}
   {{- toYaml $probe -}}
 {{- end -}}
+
+{{- define "gitea.metrics-secret-name" -}}
+{{ default (printf "%s-metrics-secret" (include "gitea.fullname" .)) }}
+{{- end -}}

templates/gitea/act_runner/config-act-runner.yaml

@@ -4,6 +4,7 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   name: {{ include "gitea.fullname" . }}-act-runner-config
+  namespace: {{ .Values.namespace | default .Release.Namespace }}
   labels:
     {{- include "gitea.labels" . | nindent 4 }}
 data:

templates/gitea/act_runner/config-scripts.yaml

@@ -5,9 +5,10 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   name: {{ include "gitea.fullname" . }}-scripts
+  namespace: {{ .Values.namespace | default .Release.Namespace }}
   labels:
     {{- include "gitea.labels" . | nindent 4 }}
 data:
-{{ (.Files.Glob "scripts/*.sh").AsConfig | indent 2 }}
+{{ (.Files.Glob "scripts/act_runner/*.sh").AsConfig | indent 2 }}
 {{- end }}
 {{- end }}

templates/gitea/act_runner/job.yaml

@@ -7,6 +7,7 @@ apiVersion: batch/v1
 kind: Job
 metadata:
   name: {{ $name }}
+  namespace: {{ .Values.namespace | default .Release.Namespace }}
   labels:
     {{- include "gitea.labels" . | nindent 4 }}
     {{- with .Values.actions.provisioning.labels }}
@@ -85,9 +86,9 @@ spec:
               {{- if .Values.persistence.subPath }}
               subPath: {{ .Values.persistence.subPath }}
               {{- end }}
-      {{- with .Values.actions.provisioning.nodeSelector }}
+      {{- range $key, $value := .Values.actions.provisioning.nodeSelector }}
       nodeSelector:
-        {{- toYaml . | nindent 8 }}
+        {{ $key }}: {{ $value | quote }}
       {{- end }}
       {{- with .Values.actions.provisioning.affinity }}
       affinity:

templates/gitea/act_runner/role-job.yaml

@@ -7,6 +7,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   name: {{ $name }}
+  namespace: {{ .Values.namespace | default .Release.Namespace }}
   labels:
     {{- include "gitea.labels" . | nindent 4 }}
     app.kubernetes.io/component: token-job

templates/gitea/act_runner/rolebinding-job.yaml

@@ -7,6 +7,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   name: {{ $name }}
+  namespace: {{ .Values.namespace | default .Release.Namespace }}
   labels:
     {{- include "gitea.labels" . | nindent 4 }}
     app.kubernetes.io/component: token-job

templates/gitea/act_runner/secret-token.yaml

@@ -7,6 +7,7 @@ apiVersion: v1
 kind: Secret
 metadata:
   name: {{ $secretName }}
+  namespace: {{ .Values.namespace | default .Release.Namespace }}
   labels:
     {{- include "gitea.labels" . | nindent 4 }}
     app.kubernetes.io/component: token-job

templates/gitea/act_runner/serviceaccount-job.yaml

@@ -6,6 +6,7 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: {{ $name }}
+  namespace: {{ .Values.namespace | default .Release.Namespace }}
   labels:
     {{- include "gitea.labels" . | nindent 4 }}
     app.kubernetes.io/component: token-job

templates/gitea/act_runner/statefulset.yaml

@@ -14,12 +14,15 @@ metadata:
     {{- toYaml . | nindent 4 }}
     {{- end }}
   name: {{ include "gitea.fullname" . }}-act-runner
+  namespace: {{ .Values.namespace | default .Release.Namespace }}
 spec:
   selector:
     matchLabels:
       {{- include "gitea.selectorLabels.actRunner" . | nindent 6 }}
   template:
     metadata:
+      annotations:
+        checksum/config: {{ include (print $.Template.BasePath "/gitea/act_runner/config-act-runner.yaml") . | sha256sum }}
       labels:
         {{- include "gitea.labels.actRunner" . | nindent 8 }}
         {{- with .Values.actions.statefulset.labels }}
@@ -67,6 +70,9 @@ spec:
               name: docker-certs
             - mountPath: /data
               name: data-act-runner
+            {{- with .Values.actions.statefulset.actRunner.extraVolumeMounts }}
+            {{- toYaml . | nindent 12 }}
+            {{- end }}
         - name: dind
           image: "{{ .Values.actions.statefulset.dind.repository }}:{{ .Values.actions.statefulset.dind.tag }}"
           imagePullPolicy: {{ .Values.actions.statefulset.dind.pullPolicy }}
@@ -87,9 +93,12 @@ spec:
           volumeMounts:
             - mountPath: /certs/server
               name: docker-certs
-      {{- with .Values.actions.statefulset.nodeSelector }}
+            {{- with .Values.actions.statefulset.dind.extraVolumeMounts }}
+            {{- toYaml . | nindent 12 }}
+            {{- end }}
+      {{- range $key, $value := .Values.actions.statefulset.nodeSelector }}
       nodeSelector:
-        {{- toYaml . | nindent 8 }}
+        {{ $key }}: {{ $value | quote }}
       {{- end }}
       {{- with .Values.actions.statefulset.affinity }}
       affinity:
@@ -105,6 +114,9 @@ spec:
             name: {{ include "gitea.fullname" . }}-act-runner-config
         - name: docker-certs
           emptyDir: {}
+        {{- with .Values.actions.statefulset.extraVolumes }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
   volumeClaimTemplates:
     - metadata:
         name: data-act-runner

templates/gitea/config.yaml

@@ -18,6 +18,7 @@ metadata:
     {{- include "gitea.labels" . | nindent 4 }}
 type: Opaque
 stringData:
+{{ (.Files.Glob "scripts/init-containers/config/*.sh").AsConfig | indent 2 }}
   assertions: |
 
     {{- /*assert that only one PG dep is enabled */ -}}
@@ -30,13 +31,13 @@ stringData:
       {{- if .Values.gitea.config.cron -}}
         {{- if .Values.gitea.config.cron.GIT_GC_REPOS -}}
           {{- if eq .Values.gitea.config.cron.GIT_GC_REPOS.ENABLED true -}}
-            {{ fail "Invoking the garbage collector via CRON is not yet supported when running with multiple replicas. Please set 'cron.GIT_GC_REPOS.enabled = false'." }}
+            {{ fail "Invoking the garbage collector via CRON is not yet supported when running with multiple replicas. Please set 'gitea.config.cron.GIT_GC_REPOS.enabled = false'." }}
           {{- end }}
         {{- end }}
       {{- end }}
     
       {{- if eq (first .Values.persistence.accessModes) "ReadWriteOnce" -}}
-        {{- fail "When using multiple replicas, a RWX file system is required and gitea.persistence.accessModes[0] must be set to ReadWriteMany." -}}
+        {{- fail "When using multiple replicas, a RWX file system is required and persistence.accessModes[0] must be set to ReadWriteMany." -}}
       {{- end }}
       {{- if .Values.gitea.config.indexer -}}
         {{- if eq .Values.gitea.config.indexer.ISSUE_INDEXER_TYPE "bleve" -}}
@@ -54,158 +55,3 @@ stringData:
       {{- end }}
       
     {{- end }}
-  config_environment.sh: |-
-    #!/usr/bin/env bash
-    set -euo pipefail
-
-    function env2ini::log() {
-      printf "${1}\n"
-    }
-
-    function env2ini::read_config_to_env() {
-      local section="${1}"
-      local line="${2}"
-
-      if [[ -z "${line}" ]]; then
-        # skip empty line
-        return
-      fi
-      
-      # 'xargs echo -n' trims all leading/trailing whitespaces and a trailing new line
-      local setting="$(awk -F '=' '{print $1}' <<< "${line}" | xargs echo -n)"
-
-      if [[ -z "${setting}" ]]; then
-        env2ini::log '  ! invalid setting'
-        exit 1
-      fi
-
-      local value=''
-      local regex="^${setting}(\s*)=(\s*)(.*)"
-      if [[ $line =~ $regex ]]; then
-        value="${BASH_REMATCH[3]}"
-      else
-        env2ini::log '  ! invalid setting'
-        exit 1
-      fi
-
-      env2ini::log "    + '${setting}'"
-
-      if [[ -z "${section}" ]]; then
-        export "GITEA____${setting^^}=${value}"                           # '^^' makes the variable content uppercase
-        return
-      fi
-
-      local masked_section="${section//./_0X2E_}"                            # '//' instructs to replace all matches
-      masked_section="${masked_section//-/_0X2D_}"
-
-      export "GITEA__${masked_section^^}__${setting^^}=${value}"        # '^^' makes the variable content uppercase
-    }
-
-    function env2ini::reload_preset_envs() {
-      env2ini::log "Reloading preset envs..."
-
-      while read -r line; do
-        if [[ -z "${line}" ]]; then
-          # skip empty line
-          return
-        fi
-
-        # 'xargs echo -n' trims all leading/trailing whitespaces and a trailing new line
-        local setting="$(awk -F '=' '{print $1}' <<< "${line}" | xargs echo -n)"
-
-        if [[ -z "${setting}" ]]; then
-          env2ini::log '  ! invalid setting'
-          exit 1
-        fi
-
-        local value=''
-        local regex="^${setting}(\s*)=(\s*)(.*)"
-        if [[ $line =~ $regex ]]; then
-          value="${BASH_REMATCH[3]}"
-        else
-          env2ini::log '  ! invalid setting'
-          exit 1
-        fi
-
-        env2ini::log "  + '${setting}'"
-
-        export "${setting^^}=${value}"                           # '^^' makes the variable content uppercase
-      done < "/tmp/existing-envs"
-
-      rm /tmp/existing-envs
-    }
-
-
-    function env2ini::process_config_file() {
-      local config_file="${1}"
-      local section="$(basename "${config_file}")"
-
-      if [[ $section == '_generals_' ]]; then
-        env2ini::log "  [ini root]"
-        section=''
-      else
-        env2ini::log "  ${section}"
-      fi
-
-      while read -r line; do
-        env2ini::read_config_to_env "${section}" "${line}"
-      done < <(awk 1 "${config_file}")                             # Helm .toYaml trims the trailing new line which breaks line processing; awk 1 ... adds it back while reading
-    }
-
-    function env2ini::load_config_sources() {
-      local path="${1}"
-
-      if [[ -d "${path}" ]]; then
-        env2ini::log "Processing $(basename "${path}")..."
-
-        while read -d '' configFile; do
-          env2ini::process_config_file "${configFile}"
-        done < <(find "${path}" -type l -not -name '..data' -print0)
-
-        env2ini::log "\n"
-      fi
-    }
-
-    function env2ini::generate_initial_secrets() {
-      # These environment variables will either be
-      #   - overwritten with user defined values,
-      #   - initially used to set up Gitea
-      # Anyway, they won't harm existing app.ini files
-
-      export GITEA__SECURITY__INTERNAL_TOKEN=$(gitea generate secret INTERNAL_TOKEN)
-      export GITEA__SECURITY__SECRET_KEY=$(gitea generate secret SECRET_KEY)
-      export GITEA__OAUTH2__JWT_SECRET=$(gitea generate secret JWT_SECRET)
-      export GITEA__SERVER__LFS_JWT_SECRET=$(gitea generate secret LFS_JWT_SECRET)
-
-      env2ini::log "...Initial secrets generated\n"
-    }
-    
-    # save existing envs prior to script execution. Necessary to keep order of preexisting and custom envs
-    env | (grep -e '^GITEA__' || [[ $? == 1 ]]) > /tmp/existing-envs
-    
-    # MUST BE CALLED BEFORE OTHER CONFIGURATION
-    env2ini::generate_initial_secrets
-
-    env2ini::load_config_sources '/env-to-ini-mounts/inlines/'
-    env2ini::load_config_sources '/env-to-ini-mounts/additionals/'
-
-    # load existing envs to override auto generated envs
-    env2ini::reload_preset_envs
-
-    env2ini::log "=== All configuration sources loaded ===\n"
-
-    # safety to prevent rewrite of secret keys if an app.ini already exists
-    if [ -f ${GITEA_APP_INI} ]; then
-      env2ini::log 'An app.ini file already exists. To prevent overwriting secret keys, these settings are dropped and remain unchanged:'
-      env2ini::log '  - security.INTERNAL_TOKEN'
-      env2ini::log '  - security.SECRET_KEY'
-      env2ini::log '  - oauth2.JWT_SECRET'
-      env2ini::log '  - server.LFS_JWT_SECRET'
-
-      unset GITEA__SECURITY__INTERNAL_TOKEN
-      unset GITEA__SECURITY__SECRET_KEY
-      unset GITEA__OAUTH2__JWT_SECRET
-      unset GITEA__SERVER__LFS_JWT_SECRET
-    fi
-
-    environment-to-ini -o $GITEA_APP_INI

templates/gitea/deployment.yaml

@@ -107,6 +107,10 @@ spec:
               value: /data
             - name: GITEA_TEMP
               value: /tmp/gitea
+            - name: TMP_EXISTING_ENVS_FILE
+              value: /tmp/existing-envs
+            - name: ENV_TO_INI_MOUNT_POINT
+              value: /env-to-ini-mounts
             {{- if .Values.deployment.env }}
             {{- toYaml .Values.deployment.env | nindent 12 }}
             {{- end }}
@@ -149,6 +153,8 @@ spec:
           env:
             - name: GNUPGHOME
               value: {{ .Values.signing.gpgHome }}
+            - name: TMP_RAW_GPG_KEY
+              value: /raw/private.asc
           volumeMounts:
             - name: init
               mountPath: /usr/sbin
@@ -285,6 +291,13 @@ spec:
               value: /data
             - name: GITEA_TEMP
               value: /tmp/gitea
+            {{- if and (hasKey .Values.resources "limits") (hasKey .Values.resources.limits "cpu") }}
+            - name: GOMAXPROCS
+              valueFrom:
+                resourceFieldRef:
+                  divisor: "1"
+                  resource: limits.cpu
+            {{- end }}
             - name: TMPDIR
               value: /tmp/gitea
             {{- if .Values.image.rootless }}
@@ -347,9 +360,9 @@ spec:
       hostAliases:
         {{- toYaml . | nindent 8 }}
       {{- end }}
-      {{- with .Values.nodeSelector }}
+      {{- range $key, $value := .Values.nodeSelector }}
       nodeSelector:
-        {{- toYaml . | nindent 8 }}
+        {{ $key }}: {{ $value | quote }}
       {{- end }}
     {{- with .Values.affinity }}
       affinity:

templates/gitea/init.yaml

@@ -7,11 +7,7 @@ metadata:
     {{- include "gitea.labels" . | nindent 4 }}
 type: Opaque
 stringData:
-  configure_gpg_environment.sh: |-
-    #!/usr/bin/env bash
-    set -eu
-
-    gpg --batch --import /raw/private.asc
+{{ (.Files.Glob "scripts/init-containers/init/*.sh").AsConfig | indent 2 }}
   init_directory_structure.sh: |-
     #!/usr/bin/env bash
 
@@ -66,7 +62,7 @@ stringData:
       local RETRY=0
       local MAX=30
       
-      echo 'Wait for redis to become avialable...'
+      echo 'Wait for redis to become available...'
       until [ "${RETRY}" -ge "${MAX}" ]; do
         nc -vz -w2 {{ include "redis.servicename" . }} {{ include "redis.port" . }} && break
         RETRY=$[${RETRY}+1]
@@ -98,7 +94,7 @@ stringData:
 
         echo "ERROR: 'configure_admin_user' was not able to determine the current list of admin users."
         echo "       Please review the output of 'gitea admin user list --admin' shown below."
-        echo "       If you think it is an issue with the Helm Chart provisioning, file an issue at https://gitea.com/gitea/helm-chart/issues."
+        echo "       If you think it is an issue with the Helm Chart provisioning, file an issue at https://gitea.com/gitea/helm-gitea/issues."
         echo "DEBUG: Output of 'gitea admin user list --admin'"
         echo "--"
         echo "${full_admin_list}"
@@ -121,7 +117,7 @@ stringData:
       else
         if [[ "${GITEA_ADMIN_PASSWORD_MODE}" = keepUpdated ]]; then
           echo "Admin account '${GITEA_ADMIN_USERNAME}' already exist. Running update to sync password..."
-          # See https://gitea.com/gitea/helm-chart/issues/673
+          # See https://gitea.com/gitea/helm-gitea/issues/673
           # --must-change-password argument was added to change-password, defaulting to true, counter to the previous behavior
           #   which acted as if it were provided with =false. If the argument is present in this version of gitea, then we
           #   should add it to prevent requiring frequent admin password resets.
@@ -158,7 +154,7 @@ stringData:
 
         echo "ERROR: 'configure_ldap' was not able to determine the current list of authentication sources."
         echo "       Please review the output of 'gitea admin auth list --vertical-bars' shown below."
-        echo "       If you think it is an issue with the Helm Chart provisioning, file an issue at https://gitea.com/gitea/helm-chart/issues."
+        echo "       If you think it is an issue with the Helm Chart provisioning, file an issue at https://gitea.com/gitea/helm-gitea/issues."
         echo "DEBUG: Output of 'gitea admin auth list --vertical-bars'"
         echo "--"
         echo "${full_auth_list}"
@@ -202,7 +198,7 @@ stringData:
 
         echo "ERROR: 'configure_oauth' was not able to determine the current list of authentication sources."
         echo "       Please review the output of 'gitea admin auth list --vertical-bars' shown below."
-        echo "       If you think it is an issue with the Helm Chart provisioning, file an issue at https://gitea.com/gitea/helm-chart/issues."
+        echo "       If you think it is an issue with the Helm Chart provisioning, file an issue at https://gitea.com/gitea/helm-gitea/issues."
         echo "DEBUG: Output of 'gitea admin auth list --vertical-bars'"
         echo "--"
         echo "${full_auth_list}"

templates/gitea/metrics-secret.yaml

@@ -0,0 +1,12 @@
+{{- if and (.Values.gitea.metrics.enabled) (.Values.gitea.metrics.serviceMonitor.enabled) (.Values.gitea.metrics.token) -}}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "gitea.metrics-secret-name" . }}
+  namespace: {{ .Values.namespace | default .Release.Namespace }}
+  labels:
+    {{- include "gitea.labels" . | nindent 4 }}
+type: Opaque
+data:
+  token: {{ .Values.gitea.metrics.token  | b64enc }}
+{{- end }}

templates/gitea/servicemonitor.yaml

@@ -32,4 +32,12 @@ spec:
     tlsConfig:
       {{- . | toYaml | nindent 6 }}
     {{- end }}
+    {{- if .Values.gitea.metrics.token }}
+    authorization:
+      type: Bearer
+      credentials:
+        name: {{ include "gitea.metrics-secret-name" . }}
+        key: token
+        optional: false
+    {{- end }}
 {{- end -}}

unittests/bash/test_helper/common-setup.bash

@@ -0,0 +1,7 @@
+#!/usr/bin/env bash
+
+function common_setup() {
+  load "$TEST_ROOT/test_helper/bats-support/load"
+  load "$TEST_ROOT/test_helper/bats-assert/load"
+  load "$TEST_ROOT/test_helper/bats-mock/stub"
+}

unittests/bash/tests/init-containers/config/config_environment.bats

@@ -0,0 +1,204 @@
+#!/usr/bin/env bats
+
+function setup() {
+  PROJECT_ROOT="$(git rev-parse --show-toplevel)"
+  TEST_ROOT="$PROJECT_ROOT/unittests/bash"
+  load "$TEST_ROOT/test_helper/common-setup"
+  common_setup
+
+  export GITEA_APP_INI="$BATS_TEST_TMPDIR/app.ini"
+  export TMP_EXISTING_ENVS_FILE="$BATS_TEST_TMPDIR/existing-envs"
+  export ENV_TO_INI_MOUNT_POINT="$BATS_TEST_TMPDIR/env-to-ini-mounts"
+
+  stub gitea \
+      "generate secret INTERNAL_TOKEN : echo 'mocked-internal-token'" \
+      "generate secret SECRET_KEY : echo 'mocked-secret-key'" \
+      "generate secret JWT_SECRET : echo 'mocked-jwt-secret'" \
+      "generate secret LFS_JWT_SECRET : echo 'mocked-lfs-jwt-secret'"
+}
+
+function teardown() {
+  unstub gitea
+  # This condition exists due to https://github.com/jasonkarns/bats-mock/pull/37 being still open
+  if [ $ENV_TO_INI_EXPECTED -eq 1 ]; then
+    unstub environment-to-ini
+  fi
+}
+
+# This function exists due to https://github.com/jasonkarns/bats-mock/pull/37 being still open
+function expect_environment_to_ini_call() {
+  export ENV_TO_INI_EXPECTED=1
+  stub environment-to-ini \
+    "-o $GITEA_APP_INI : echo 'Stubbed environment-to-ini was called!'"
+}
+
+function execute_test_script() {
+  currentEnvsBefore=$(env | sort)
+  source $PROJECT_ROOT/scripts/init-containers/config/config_environment.sh
+  local exitCode=$?
+  currentEnvsAfter=$(env | sort)
+
+  # diff as unified +/- output without context before/after
+  diff --unified=0 <(echo "$currentEnvsBefore") <(echo "$currentEnvsAfter")
+
+  exit $exitCode
+}
+
+function write_mounted_file() {
+  # either "inlines" or "additionals"
+  scope="${1}"
+  file="${2}"
+  content="${3}"
+
+  mkdir -p "$ENV_TO_INI_MOUNT_POINT/$scope/..data/"
+  echo "${content}" > "$ENV_TO_INI_MOUNT_POINT/$scope/..data/$file"
+  ln -sf "$ENV_TO_INI_MOUNT_POINT/$scope/..data/$file" "$ENV_TO_INI_MOUNT_POINT/$scope/$file"
+}
+
+@test "works as expected when nothing is configured" {
+  expect_environment_to_ini_call
+  run $PROJECT_ROOT/scripts/init-containers/config/config_environment.sh
+
+  assert_success
+  assert_line '...Initial secrets generated'
+  assert_line 'Reloading preset envs...'
+  assert_line '=== All configuration sources loaded ==='
+  assert_line 'Stubbed environment-to-ini was called!'
+}
+
+@test "exports initial secrets" {
+  expect_environment_to_ini_call
+  run execute_test_script
+
+  assert_success
+  assert_line '+GITEA__OAUTH2__JWT_SECRET=mocked-jwt-secret'
+  assert_line '+GITEA__SECURITY__INTERNAL_TOKEN=mocked-internal-token'
+  assert_line '+GITEA__SECURITY__SECRET_KEY=mocked-secret-key'
+  assert_line '+GITEA__SERVER__LFS_JWT_SECRET=mocked-lfs-jwt-secret'
+}
+
+@test "does NOT export initial secrets when app.ini already exists" {
+  expect_environment_to_ini_call
+  touch $GITEA_APP_INI
+
+  run execute_test_script
+
+  assert_success
+  assert_line --partial 'An app.ini file already exists.'
+  refute_line '+GITEA__OAUTH2__JWT_SECRET=mocked-jwt-secret'
+  refute_line '+GITEA__SECURITY__INTERNAL_TOKEN=mocked-internal-token'
+  refute_line '+GITEA__SECURITY__SECRET_KEY=mocked-secret-key'
+  refute_line '+GITEA__SERVER__LFS_JWT_SECRET=mocked-lfs-jwt-secret'
+}
+
+@test "ensures that preset environment variables take precedence over auto-generated ones" {
+  expect_environment_to_ini_call
+  export GITEA__OAUTH2__JWT_SECRET="pre-defined-jwt-secret"
+
+  run execute_test_script
+
+  assert_success
+  refute_line '+GITEA__OAUTH2__JWT_SECRET=mocked-jwt-secret'
+}
+
+@test "ensures that preset environment variables take precedence over mounted ones" {
+  expect_environment_to_ini_call
+  export GITEA__OAUTH2__JWT_SECRET="pre-defined-jwt-secret"
+  write_mounted_file "inlines" "oauth2" "$(cat << EOF
+JWT_SECRET=inline-jwt-secret
+EOF
+)"
+
+  run execute_test_script
+
+  assert_success
+  refute_line '+GITEA__OAUTH2__JWT_SECRET=mocked-jwt-secret'
+  refute_line '+GITEA__OAUTH2__JWT_SECRET=inline-jwt-secret'
+}
+
+@test "ensures that additionals take precedence over inlines" {
+  expect_environment_to_ini_call
+  write_mounted_file "inlines" "oauth2" "$(cat << EOF
+JWT_SECRET=inline-jwt-secret
+EOF
+)"
+  write_mounted_file "additionals" "oauth2" "$(cat << EOF
+JWT_SECRET=additional-jwt-secret
+EOF
+)"
+
+  run execute_test_script
+
+  assert_success
+  refute_line '+GITEA__OAUTH2__JWT_SECRET=mocked-jwt-secret'
+  refute_line '+GITEA__OAUTH2__JWT_SECRET=inline-jwt-secret'
+  assert_line '+GITEA__OAUTH2__JWT_SECRET=additional-jwt-secret'
+}
+
+@test "ensures that dotted/dashed sections are properly masked" {
+  expect_environment_to_ini_call
+  write_mounted_file "inlines" "repository.pull-request" "$(cat << EOF
+WORK_IN_PROGRESS_PREFIXES=WIP:,[WIP]
+EOF
+)"
+
+  run execute_test_script
+
+  assert_success
+  assert_line '+GITEA__REPOSITORY_0X2E_PULL_0X2D_REQUEST__WORK_IN_PROGRESS_PREFIXES=WIP:,[WIP]'
+}
+
+###############################################################
+##### THIS IS A BUG, BUT I WANT IT TO BE COVERED BY TESTS #####
+###############################################################
+@test "ensures uppercase section and setting names (🐞)" {
+  expect_environment_to_ini_call
+  export GITEA__oauth2__JwT_Secret="pre-defined-jwt-secret"
+  write_mounted_file "inlines" "repository.pull-request" "$(cat << EOF
+WORK_IN_progress_PREFIXES=WIP:,[WIP]
+EOF
+)"
+
+  run execute_test_script
+
+  assert_success
+  assert_line '+GITEA__REPOSITORY_0X2E_PULL_0X2D_REQUEST__WORK_IN_PROGRESS_PREFIXES=WIP:,[WIP]'
+  assert_line '+GITEA__OAUTH2__JWT_SECRET=pre-defined-jwt-secret'
+}
+
+@test "treats top-level configuration as section-less" {
+  expect_environment_to_ini_call
+  write_mounted_file "inlines" "_generals_" "$(cat << EOF
+APP_NAME=Hello top-level configuration
+RUN_MODE=dev
+EOF
+)"
+
+  run execute_test_script
+
+  assert_success
+  assert_line '+GITEA____APP_NAME=Hello top-level configuration'
+  assert_line '+GITEA____RUN_MODE=dev'
+}
+
+@test "fails on invalid setting" {
+  write_mounted_file "inlines" "_generals_" "$(cat << EOF
+some random invalid string
+EOF
+)"
+
+  run execute_test_script
+
+  assert_failure
+}
+
+@test "treats empty setting name as invalid setting" {
+  write_mounted_file "inlines" "_generals_" "$(cat << EOF
+=value
+EOF
+)"
+
+  run execute_test_script
+
+  assert_failure
+}

unittests/config/database-section_postgresql-ha.yaml

@@ -1,30 +0,0 @@
-suite: config template | database section (postgresql-ha)
-release:
-  name: gitea-unittests
-  namespace: testing
-tests:
-  - it: connects to pgpool service
-    template: templates/gitea/config.yaml
-    set:
-      postgresql:
-        enabled: false
-      postgresql-ha:
-        enabled: true
-    asserts:
-      - documentIndex: 0
-        matchRegex:
-          path: stringData.database
-          pattern: HOST=gitea-unittests-postgresql-ha-pgpool.testing.svc.cluster.local:5432
-  - it: renders the referenced service
-    template: charts/postgresql-ha/templates/pgpool/service.yaml
-    set:
-      postgresql:
-        enabled: false
-      postgresql-ha:
-        enabled: true
-    asserts:
-      - containsDocument:
-          kind: Service
-          apiVersion: v1
-          name: gitea-unittests-postgresql-ha-pgpool
-          namespace: testing

unittests/config/database-section_postgresql.yaml

@@ -1,30 +0,0 @@
-suite: config template | database section (postgresql)
-release:
-  name: gitea-unittests
-  namespace: testing
-tests:
-  - it: "connects to postgresql service"
-    template: templates/gitea/config.yaml
-    set:
-      postgresql:
-        enabled: true
-      postgresql-ha:
-        enabled: false
-    asserts:
-      - documentIndex: 0
-        matchRegex:
-          path: stringData.database
-          pattern: HOST=gitea-unittests-postgresql.testing.svc.cluster.local:5432
-  - it: "renders the referenced service"
-    template: charts/postgresql/templates/primary/svc.yaml
-    set:
-      postgresql:
-        enabled: true
-      postgresql-ha:
-        enabled: false
-    asserts:
-      - containsDocument:
-          kind: Service
-          apiVersion: v1
-          name: gitea-unittests-postgresql
-          namespace: testing

unittests/deployment/basic.yaml

@@ -1,31 +0,0 @@
-suite: deployment template (basic)
-release:
-  name: gitea-unittests
-  namespace: testing
-templates:
-  - templates/gitea/deployment.yaml
-  - templates/gitea/config.yaml
-tests:
-  - it: renders a deployment
-    template: templates/gitea/deployment.yaml
-    asserts:
-      - hasDocuments:
-          count: 1
-      - containsDocument:
-          kind: Deployment
-          apiVersion: apps/v1
-          name: gitea-unittests
-  - it: deployment labels are set
-    template: templates/gitea/deployment.yaml
-    set:
-      deployment.labels:
-        hello: world
-    asserts:
-      - isSubset:
-          path: metadata.labels
-          content:
-            hello: world
-      - isSubset:
-          path: spec.template.metadata.labels
-          content:
-            hello: world

unittests/helm/act_runner/job.yaml

@@ -27,7 +27,7 @@ tests:
           name: gitea-unittests-actions-token-job
       - equal:
           path: spec.template.spec.containers[0].image
-          value: "gitea/gitea:1.19.3-rootless"
+          value: "docker.gitea.com/gitea:1.19.3-rootless"
   - it: tag override
     template: templates/gitea/act_runner/job.yaml
     set:
@@ -44,7 +44,7 @@ tests:
     asserts:
       - equal:
           path: spec.template.spec.containers[0].image
-          value: "gitea/gitea:1.19.4-rootless"
+          value: "docker.gitea.com/gitea:1.19.4-rootless"
       - equal:
           path: spec.template.spec.containers[1].image
           value: "bitnami/kubectl:1.29.0"

unittests/helm/act_runner/statefulset.yaml

@@ -4,6 +4,7 @@ release:
   namespace: testing
 templates:
   - templates/gitea/act_runner/statefulset.yaml
+  - templates/gitea/act_runner/config-act-runner.yaml
 tests:
   - it: doesn't renders a StatefulSet by default
     template: templates/gitea/act_runner/statefulset.yaml
@@ -54,6 +55,24 @@ tests:
               secretKeyRef:
                 name: "gitea-unittests-actions-token"
                 key: "token"
+  - it: renders a StatefulSet (that tracks changes of the runner configuration as annotation)
+    template: templates/gitea/act_runner/statefulset.yaml
+    set:
+      image.tag: "1.22.3" # lock image tag to prevent test failures on future Gitea upgrades
+      actions:
+        enabled: true
+        existingSecret: "my-secret"
+        existingSecretKey: "my-secret-key"
+    asserts:
+      - hasDocuments:
+          count: 1
+      - containsDocument:
+          kind: StatefulSet
+          apiVersion: apps/v1
+          name: gitea-unittests-act-runner
+      - equal:
+          path: spec.template.metadata.annotations["checksum/config"]
+          value: "2a2200e80fc29111d18b675789c265cd3d5f917754850f946f1ce3c55dcd65f8"
   - it: renders a StatefulSet (with correct GITEA_INSTANCE_URL env with default act-runner specific LOCAL_ROOT_URL)
     template: templates/gitea/act_runner/statefulset.yaml
     set:
@@ -109,3 +128,55 @@ tests:
           value:
             name: "CUSTOM_ENV_NAME"
             value: "custom env value"
+  - it: should mount an extra volume in the act runner container
+    template: templates/gitea/act_runner/statefulset.yaml
+    set:
+      actions:
+        enabled: true
+        statefulset:
+          extraVolumes:
+            - name: my-act-runner-volume
+              emptyDir: {}
+          actRunner:
+            extraVolumeMounts:
+              - mountPath: /mnt
+                name: my-act-runner-volume
+    asserts:
+      - hasDocuments:
+          count: 1
+      - containsDocument:
+          kind: StatefulSet
+          apiVersion: apps/v1
+          name: gitea-unittests-act-runner
+      - contains:
+          any: true
+          path: spec.template.spec.containers[0].volumeMounts
+          content:
+            mountPath: /mnt
+            name: my-act-runner-volume
+  - it: should mount an extra volume in the docker-in-docker container
+    template: templates/gitea/act_runner/statefulset.yaml
+    set:
+      actions:
+        enabled: true
+        statefulset:
+          extraVolumes:
+            - name: my-dind-volume
+              emptyDir: {}
+          dind:
+            extraVolumeMounts:
+              - mountPath: /mnt
+                name: my-dind-volume
+    asserts:
+      - hasDocuments:
+          count: 1
+      - containsDocument:
+          kind: StatefulSet
+          apiVersion: apps/v1
+          name: gitea-unittests-act-runner
+      - contains:
+          any: true
+          path: spec.template.spec.containers[1].volumeMounts
+          content:
+            mountPath: /mnt
+            name: my-dind-volume

unittests/helm/config/metrics-section_metrics-token.yaml

@@ -0,0 +1,58 @@
+suite: config template | metrics section (metrics token)
+release:
+  name: gitea-unittests
+  namespace: testing
+tests:
+  - it: metrics token is set
+    template: templates/gitea/config.yaml
+    set:
+      gitea:
+        metrics:
+          enabled: true
+          token: "somepassword"
+    asserts:
+      - documentIndex: 0
+        equal:
+          path: stringData.metrics
+          value: |-
+            ENABLED=true
+            TOKEN=somepassword
+  - it: metrics token is empty
+    template: templates/gitea/config.yaml
+    set:
+      gitea:
+        metrics:
+          enabled: true
+          token: ""
+    asserts:
+      - documentIndex: 0
+        equal:
+          path: stringData.metrics
+          value: |-
+            ENABLED=true
+  - it: metrics token is nil
+    template: templates/gitea/config.yaml
+    set:
+      gitea:
+        metrics:
+          enabled: true
+          token:
+    asserts:
+      - documentIndex: 0
+        equal:
+          path: stringData.metrics
+          value: |-
+            ENABLED=true
+  - it: does not configures a token if metrics are disabled
+    template: templates/gitea/config.yaml
+    set:
+      gitea:
+        metrics:
+          enabled: false
+          token: "somepassword"
+    asserts:
+      - documentIndex: 0
+        equal:
+          path: stringData.metrics
+          value: |-
+            ENABLED=false

unittests/helm/dependency-checks/customization-integrity-postgresql-ha.yaml

@@ -0,0 +1,121 @@
+suite: Dependency checks | Customization integrity | postgresql-ha
+release:
+  name: gitea-unittests
+  namespace: testing
+set:
+  postgresql:
+    enabled: false
+  postgresql-ha:
+    enabled: true
+    global:
+      postgresql:
+        database: gitea-database
+        password: gitea-password
+        username: gitea-username
+    postgresql:
+      repmgrPassword: custom-password-repmgr
+      postgresPassword: custom-password-postgres
+      password: custom-password-overwritten-by-global-postgresql-password
+    pgpool:
+      adminPassword: custom-password-pgpool
+    service:
+      ports:
+        postgresql: 1234
+    persistence:
+      size: 1337Mi
+tests:
+  - it: "[postgresql-ha] DB settings are applied as expected"
+    template: charts/postgresql-ha/templates/postgresql/statefulset.yaml
+    asserts:
+      - documentIndex: 0
+        contains:
+          path: spec.template.spec.containers[0].env
+          content:
+            name: POSTGRES_DB
+            value: "gitea-database"
+      - documentIndex: 0
+        contains:
+          path: spec.template.spec.containers[0].env
+          content:
+            name: POSTGRES_USER
+            value: "gitea-username"
+  - it: "[postgresql-ha] DB passwords are applied as expected"
+    template: charts/postgresql-ha/templates/postgresql/secrets.yaml
+    asserts:
+      - documentIndex: 0
+        equal:
+          path: data["repmgr-password"]
+          value: "Y3VzdG9tLXBhc3N3b3JkLXJlcG1ncg=="
+      - documentIndex: 0
+        equal:
+          path: data["postgres-password"]
+          value: "Y3VzdG9tLXBhc3N3b3JkLXBvc3RncmVz"
+      - documentIndex: 0
+        equal:
+          path: data["password"]
+          value: "Z2l0ZWEtcGFzc3dvcmQ=" # postgresql-ha.postgresql.password is overwritten by postgresql-ha.global.postgresql.password and should not be referenced here
+  - it: "[postgresql-ha] pgpool.adminPassword is applied as expected"
+    template: charts/postgresql-ha/templates/pgpool/secrets.yaml
+    asserts:
+      - documentIndex: 0
+        equal:
+          path: data["admin-password"]
+          value: "Y3VzdG9tLXBhc3N3b3JkLXBncG9vbA=="
+  - it: "[postgresql-ha] pgpool.adminPassword is applied as expected"
+    template: charts/postgresql-ha/templates/pgpool/secrets.yaml
+    asserts:
+      - documentIndex: 0
+        equal:
+          path: data["admin-password"]
+          value: "Y3VzdG9tLXBhc3N3b3JkLXBncG9vbA=="
+  - it: "[postgresql-ha] pgpool.adminPassword is applied as expected"
+    template: charts/postgresql-ha/templates/pgpool/secrets.yaml
+    asserts:
+      - documentIndex: 0
+        equal:
+          path: data["admin-password"]
+          value: "Y3VzdG9tLXBhc3N3b3JkLXBncG9vbA=="
+  - it: "[postgresql-ha] persistence.size is applied as expected"
+    template: charts/postgresql-ha/templates/postgresql/statefulset.yaml
+    asserts:
+      - documentIndex: 0
+        equal:
+          path: spec.volumeClaimTemplates[0].spec.resources.requests.storage
+          value: "1337Mi"
+  - it: "[postgresql-ha] service.ports.postgresql is applied as expected"
+    template: charts/postgresql-ha/templates/pgpool/service.yaml
+    asserts:
+      - documentIndex: 0
+        equal:
+          path: spec.ports[0].port
+          value: 1234
+  - it: "[postgresql-ha] renders the referenced service"
+    template: charts/postgresql-ha/templates/pgpool/service.yaml
+    asserts:
+      - containsDocument:
+          kind: Service
+          apiVersion: v1
+          name: gitea-unittests-postgresql-ha-pgpool
+          namespace: testing
+  - it: "[gitea] connects to pgpool service"
+    template: templates/gitea/config.yaml
+    asserts:
+      - documentIndex: 0
+        matchRegex:
+          path: stringData.database
+          pattern: HOST=gitea-unittests-postgresql-ha-pgpool.testing.svc.cluster.local:1234
+  - it: "[gitea] connects to configured database"
+    template: templates/gitea/config.yaml
+    asserts:
+      - documentIndex: 0
+        matchRegex:
+          path: stringData.database
+          pattern: NAME=gitea-database
+      - documentIndex: 0
+        matchRegex:
+          path: stringData.database
+          pattern: USER=gitea-username
+      - documentIndex: 0
+        matchRegex:
+          path: stringData.database
+          pattern: PASSWD=gitea-password

unittests/helm/dependency-checks/customization-integrity-postgresql.yaml

@@ -0,0 +1,88 @@
+suite: Dependency checks | Customization integrity | postgresql
+release:
+  name: gitea-unittests
+  namespace: testing
+set:
+  postgresql-ha:
+    enabled: false
+  postgresql:
+    enabled: true
+    global:
+      postgresql:
+        auth:
+          password: gitea-password
+          database: gitea-database
+          username: gitea-username
+        service:
+          ports:
+            postgresql: 1234
+    primary:
+      persistence:
+        size: 1337Mi
+tests:
+  - it: "[postgresql] DB settings are applied as expected"
+    template: charts/postgresql/templates/primary/statefulset.yaml
+    asserts:
+      - documentIndex: 0
+        contains:
+          path: spec.template.spec.containers[0].env
+          content:
+            name: POSTGRES_DATABASE
+            value: "gitea-database"
+      - documentIndex: 0
+        contains:
+          path: spec.template.spec.containers[0].env
+          content:
+            name: POSTGRES_USER
+            value: "gitea-username"
+  - it: "[postgresql] DB password is applied as expected"
+    template: charts/postgresql/templates/secrets.yaml
+    asserts:
+      - documentIndex: 0
+        equal:
+          path: data["password"]
+          value: "Z2l0ZWEtcGFzc3dvcmQ="
+  - it: "[postgresql] primary.persistence.size is applied as expected"
+    template: charts/postgresql/templates/primary/statefulset.yaml
+    asserts:
+      - documentIndex: 0
+        equal:
+          path: spec.volumeClaimTemplates[0].spec.resources.requests.storage
+          value: "1337Mi"
+  - it: "[postgresql] global.postgresql.service.ports.postgresql is applied as expected"
+    template: charts/postgresql/templates/primary/svc.yaml
+    asserts:
+      - documentIndex: 0
+        equal:
+          path: spec.ports[0].port
+          value: 1234
+  - it: "[postgresql] renders the referenced service"
+    template: charts/postgresql/templates/primary/svc.yaml
+    asserts:
+      - containsDocument:
+          kind: Service
+          apiVersion: v1
+          name: gitea-unittests-postgresql
+          namespace: testing
+  - it: "[gitea] connects to postgresql service"
+    template: templates/gitea/config.yaml
+    asserts:
+      - documentIndex: 0
+        matchRegex:
+          path: stringData.database
+          pattern: HOST=gitea-unittests-postgresql.testing.svc.cluster.local:1234
+  - it: "[gitea] connects to configured database"
+    template: templates/gitea/config.yaml
+    asserts:
+      - documentIndex: 0
+        matchRegex:
+          path: stringData.database
+          pattern: NAME=gitea-database
+      - documentIndex: 0
+        matchRegex:
+          path: stringData.database
+          pattern: USER=gitea-username
+      - documentIndex: 0
+        matchRegex:
+          path: stringData.database
+          pattern: PASSWD=gitea-password

unittests/helm/dependency-checks/customization-integrity-redis-cluster.yaml

@@ -0,0 +1,90 @@
+suite: Dependency checks | Customization integrity | redis-cluster
+release:
+  name: gitea-unittests
+  namespace: testing
+set:
+  redis:
+    enabled: false
+  redis-cluster:
+    enabled: true
+    usePassword: false
+    cluster:
+      nodes: 5
+      replicas: 2
+tests:
+  - it: "[redis-cluster] configures correct nodes/replicas"
+    template: charts/redis-cluster/templates/redis-statefulset.yaml
+    asserts:
+      - documentIndex: 0
+        equal:
+          path: spec.replicas
+          value: 5
+      - documentIndex: 0
+        matchRegex:
+          path: spec.template.spec.containers[0].args[0]
+          pattern: REDIS_CLUSTER_REPLICAS="2"
+  - it: "[redis-cluster] support auth-less connections"
+    asserts:
+      - template: charts/redis-cluster/templates/secret.yaml
+        hasDocuments:
+          count: 0
+      - template: charts/redis-cluster/templates/redis-statefulset.yaml
+        documentIndex: 0
+        contains:
+          path: spec.template.spec.containers[0].env
+          content:
+            name: ALLOW_EMPTY_PASSWORD
+            value: "yes"
+  - it: "[redis-cluster] support auth-full connections"
+    set:
+      redis-cluster:
+        usePassword: true
+    asserts:
+      - template: charts/redis-cluster/templates/secret.yaml
+        containsDocument:
+          kind: Secret
+          apiVersion: v1
+          name: gitea-unittests-redis-cluster
+          namespace: testing
+      - template: charts/redis-cluster/templates/redis-statefulset.yaml
+        documentIndex: 0
+        contains:
+          path: spec.template.spec.containers[0].env
+          content:
+            name: REDISCLI_AUTH
+            valueFrom:
+              secretKeyRef:
+                name: gitea-unittests-redis-cluster
+                key: redis-password
+      - template: charts/redis-cluster/templates/redis-statefulset.yaml
+        documentIndex: 0
+        contains:
+          path: spec.template.spec.containers[0].env
+          content:
+            name: REDIS_PASSWORD
+            valueFrom:
+              secretKeyRef:
+                name: gitea-unittests-redis-cluster
+                key: redis-password
+  - it: "[redis-cluster] renders the referenced service"
+    template: charts/redis-cluster/templates/headless-svc.yaml
+    asserts:
+      - containsDocument:
+          kind: Service
+          apiVersion: v1
+          name: gitea-unittests-redis-cluster-headless
+          namespace: testing
+      - documentIndex: 0
+        contains:
+          path: spec.ports
+          content:
+            name: tcp-redis
+            port: 6379
+            targetPort: tcp-redis
+  - it: "[gitea] waits for redis-cluster to be up and running"
+    template: templates/gitea/init.yaml
+    asserts:
+      - documentIndex: 0
+        matchRegex:
+          path: stringData["configure_gitea.sh"]
+          pattern: nc -vz -w2 gitea-unittests-redis-cluster-headless.testing.svc.cluster.local 6379

unittests/helm/dependency-checks/customization-integrity-redis.yaml

@@ -0,0 +1,52 @@
+suite: Dependency checks | Customization integrity | redis
+release:
+  name: gitea-unittests
+  namespace: testing
+set:
+  redis-cluster:
+    enabled: false
+  redis:
+    enabled: true
+    architecture: standalone
+    global:
+      redis:
+        password: gitea-password
+    master:
+      count: 2
+tests:
+  - it: "[redis] configures correct 'master' nodes"
+    template: charts/redis/templates/master/application.yaml
+    asserts:
+      - documentIndex: 0
+        equal:
+          path: spec.replicas
+          value: 2
+  - it: "[redis] redis.global.redis.password is applied as expected"
+    template: charts/redis/templates/secret.yaml
+    asserts:
+      - documentIndex: 0
+        equal:
+          path: data["redis-password"]
+          value: "Z2l0ZWEtcGFzc3dvcmQ="
+  - it: "[redis] renders the referenced service"
+    template: charts/redis/templates/headless-svc.yaml
+    asserts:
+      - containsDocument:
+          kind: Service
+          apiVersion: v1
+          name: gitea-unittests-redis-headless
+          namespace: testing
+      - documentIndex: 0
+        contains:
+          path: spec.ports
+          content:
+            name: tcp-redis
+            port: 6379
+            targetPort: redis
+  - it: "[gitea] waits for redis to be up and running"
+    template: templates/gitea/init.yaml
+    asserts:
+      - documentIndex: 0
+        matchRegex:
+          path: stringData["configure_gitea.sh"]
+          pattern: nc -vz -w2 gitea-unittests-redis-headless.testing.svc.cluster.local 6379

unittests/helm/dependency-checks/major-image-bump.yaml

@@ -1,4 +1,4 @@
-suite: Dependency update consistency
+suite: Dependency checks | Major image bumps
 release:
   name: gitea-unittests
   namespace: testing
@@ -15,7 +15,7 @@ tests:
         matchRegex:
           path: spec.template.spec.containers[0].image
           # IN CASE OF AN INTENTIONAL MAJOR BUMP, ADJUST THIS TEST
-          pattern: bitnami/postgresql-repmgr:16.+$
+          pattern: bitnami/postgresql-repmgr:17.+$
   - it: "[postgresql] ensures we detect major image version upgrades"
     template: charts/postgresql/templates/primary/statefulset.yaml
     set:
@@ -28,7 +28,7 @@ tests:
         matchRegex:
           path: spec.template.spec.containers[0].image
           # IN CASE OF AN INTENTIONAL MAJOR BUMP, ADJUST THIS TEST
-          pattern: bitnami/postgresql:16.+$
+          pattern: bitnami/postgresql:17.+$
   - it: "[redis-cluster] ensures we detect major image version upgrades"
     template: charts/redis-cluster/templates/redis-statefulset.yaml
     set:

unittests/helm/deployment/HA.yaml

@@ -20,14 +20,14 @@ tests:
               ENABLED: true
     asserts:
       - failedTemplate:
-          errorMessage: "Invoking the garbage collector via CRON is not yet supported when running with multiple replicas. Please set 'cron.GIT_GC_REPOS.enabled = false'."
+          errorMessage: "Invoking the garbage collector via CRON is not yet supported when running with multiple replicas. Please set 'gitea.config.cron.GIT_GC_REPOS.enabled = false'."
   - it: fails with multiple replicas and RWX file system not set
     template: templates/gitea/deployment.yaml
     set:
       replicaCount: 2
     asserts:
       - failedTemplate:
-          errorMessage: "When using multiple replicas, a RWX file system is required and gitea.persistence.accessModes[0] must be set to ReadWriteMany."
+          errorMessage: "When using multiple replicas, a RWX file system is required and persistence.accessModes[0] must be set to ReadWriteMany."
   - it: fails with multiple replicas and bleve issue indexer
     template: templates/gitea/deployment.yaml
     set:

unittests/helm/deployment/basic.yaml

@@ -0,0 +1,75 @@
+suite: deployment template (basic)
+release:
+  name: gitea-unittests
+  namespace: testing
+templates:
+  - templates/gitea/deployment.yaml
+  - templates/gitea/config.yaml
+tests:
+  - it: renders a deployment
+    template: templates/gitea/deployment.yaml
+    asserts:
+      - hasDocuments:
+          count: 1
+      - containsDocument:
+          kind: Deployment
+          apiVersion: apps/v1
+          name: gitea-unittests
+  - it: deployment labels are set
+    template: templates/gitea/deployment.yaml
+    set:
+      deployment.labels:
+        hello: world
+    asserts:
+      - isSubset:
+          path: metadata.labels
+          content:
+            hello: world
+      - isSubset:
+          path: spec.template.metadata.labels
+          content:
+            hello: world
+  - it: "injects TMP_EXISTING_ENVS_FILE as environment variable to 'init-app-ini' init container"
+    template: templates/gitea/deployment.yaml
+    asserts:
+      - contains:
+          path: spec.template.spec.initContainers[1].env
+          content:
+            name: TMP_EXISTING_ENVS_FILE
+            value: /tmp/existing-envs
+  - it: "injects ENV_TO_INI_MOUNT_POINT as environment variable to 'init-app-ini' init container"
+    template: templates/gitea/deployment.yaml
+    asserts:
+      - contains:
+          path: spec.template.spec.initContainers[1].env
+          content:
+            name: ENV_TO_INI_MOUNT_POINT
+            value: /env-to-ini-mounts
+  - it: CPU resources are defined as well as GOMAXPROCS
+    template: templates/gitea/deployment.yaml
+    set:
+      resources:
+        limits:
+          cpu: 200ms
+          memory: 200Mi
+        requests:
+          cpu: 100ms
+          memory: 100Mi
+    asserts:
+      - contains:
+          path: spec.template.spec.containers[0].env
+          content:
+            name: GOMAXPROCS
+            valueFrom:
+              resourceFieldRef:
+                divisor: "1"
+                resource: limits.cpu
+      - equal:
+          path: spec.template.spec.containers[0].resources
+          value:
+            limits:
+              cpu: 200ms
+              memory: 200Mi
+            requests:
+              cpu: 100ms
+              memory: 100Mi

unittests/helm/deployment/image-configuration.yaml

@@ -14,7 +14,7 @@ tests:
     asserts:
       - equal:
           path: spec.template.spec.containers[0].image
-          value: "gitea/gitea:1.19.3-rootless"
+          value: "docker.gitea.com/gitea:1.19.3-rootless"
   - it: tag override
     template: templates/gitea/deployment.yaml
     set:
@@ -22,7 +22,7 @@ tests:
     asserts:
       - equal:
           path: spec.template.spec.containers[0].image
-          value: "gitea/gitea:1.19.4-rootless"
+          value: "docker.gitea.com/gitea:1.19.4-rootless"
   - it: root-based image
     template: templates/gitea/deployment.yaml
     set:
@@ -30,7 +30,7 @@ tests:
     asserts:
       - equal:
           path: spec.template.spec.containers[0].image
-          value: "gitea/gitea:1.19.3"
+          value: "docker.gitea.com/gitea:1.19.3"
   - it: scoped registry
     template: templates/gitea/deployment.yaml
     set:
@@ -38,7 +38,7 @@ tests:
     asserts:
       - equal:
           path: spec.template.spec.containers[0].image
-          value: "example.com/gitea/gitea:1.19.3-rootless"
+          value: "example.com/gitea:1.19.3-rootless"
   - it: global registry
     template: templates/gitea/deployment.yaml
     set:
@@ -46,7 +46,7 @@ tests:
     asserts:
       - equal:
           path: spec.template.spec.containers[0].image
-          value: "global.example.com/gitea/gitea:1.19.3-rootless"
+          value: "global.example.com/gitea:1.19.3-rootless"
   - it: digest for rootless image
     template: templates/gitea/deployment.yaml
     set:
@@ -56,12 +56,12 @@ tests:
     asserts:
       - equal:
           path: spec.template.spec.containers[0].image
-          value: "gitea/gitea:1.19.3-rootless@sha256:b28e8f3089b52ebe6693295df142f8c12eff354e9a4a5bfbb5c10f296c3a537a"
+          value: "docker.gitea.com/gitea:1.19.3-rootless@sha256:b28e8f3089b52ebe6693295df142f8c12eff354e9a4a5bfbb5c10f296c3a537a"
   - it: image fullOverride (does not append rootless)
     template: templates/gitea/deployment.yaml
     set:
       image:
-        fullOverride: gitea/gitea:1.19.3
+        fullOverride: docker.gitea.com/gitea:1.19.3
         # setting rootless, registry, repository, tag, and digest to prove that override works
         rootless: true
         registry: example.com
@@ -71,7 +71,7 @@ tests:
     asserts:
       - equal:
           path: spec.template.spec.containers[0].image
-          value: "gitea/gitea:1.19.3"
+          value: "docker.gitea.com/gitea:1.19.3"
   - it: digest for root-based image
     template: templates/gitea/deployment.yaml
     set:
@@ -81,7 +81,7 @@ tests:
     asserts:
       - equal:
           path: spec.template.spec.containers[0].image
-          value: "gitea/gitea:1.19.3@sha256:b28e8f3089b52ebe6693295df142f8c12eff354e9a4a5bfbb5c10f296c3a537a"
+          value: "docker.gitea.com/gitea:1.19.3@sha256:b28e8f3089b52ebe6693295df142f8c12eff354e9a4a5bfbb5c10f296c3a537a"
   - it: digest and global registry
     template: templates/gitea/deployment.yaml
     set:
@@ -90,21 +90,21 @@ tests:
     asserts:
       - equal:
           path: spec.template.spec.containers[0].image
-          value: "global.example.com/gitea/gitea:1.19.3-rootless@sha256:b28e8f3089b52ebe6693295df142f8c12eff354e9a4a5bfbb5c10f296c3a537a"
+          value: "global.example.com/gitea:1.19.3-rootless@sha256:b28e8f3089b52ebe6693295df142f8c12eff354e9a4a5bfbb5c10f296c3a537a"
   - it: correctly renders floating tag references
     template: templates/gitea/deployment.yaml
     set:
-      image.tag: 1.21 # use non-quoted value on purpose. See: https://gitea.com/gitea/helm-chart/issues/631
+      image.tag: 1.21 # use non-quoted value on purpose. See: https://gitea.com/gitea/helm-gitea/issues/631
     asserts:
       - equal:
           path: spec.template.spec.initContainers[0].image
-          value: "gitea/gitea:1.21-rootless"
+          value: "docker.gitea.com/gitea:1.21-rootless"
       - equal:
           path: spec.template.spec.initContainers[1].image
-          value: "gitea/gitea:1.21-rootless"
+          value: "docker.gitea.com/gitea:1.21-rootless"
       - equal:
           path: spec.template.spec.initContainers[2].image
-          value: "gitea/gitea:1.21-rootless"
+          value: "docker.gitea.com/gitea:1.21-rootless"
       - equal:
           path: spec.template.spec.containers[0].image
-          value: "gitea/gitea:1.21-rootless"
+          value: "docker.gitea.com/gitea:1.21-rootless"

unittests/helm/deployment/signing-enabled.yaml

@@ -28,6 +28,8 @@ tests:
           value:
             - name: GNUPGHOME
               value: /data/git/.gnupg
+            - name: TMP_RAW_GPG_KEY
+              value: /raw/private.asc
       - equal:
           path: spec.template.spec.initContainers[2].volumeMounts
           value:

unittests/helm/deployment/ssh-configuration.yaml

@@ -30,7 +30,7 @@ tests:
   - it: supports overriding SSH log level (even when image.fullOverride set)
     template: templates/gitea/deployment.yaml
     set:
-      image.fullOverride: gitea/gitea:1.19.3
+      image.fullOverride: docker.gitea.com/gitea:1.19.3
       image.rootless: false
       gitea.ssh.logLevel: "DEBUG"
     asserts:
@@ -53,7 +53,7 @@ tests:
   - it: skips SSH_LOG_LEVEL for rootless image (even when image.fullOverride set)
     template: templates/gitea/deployment.yaml
     set:
-      image.fullOverride: gitea/gitea:1.19.3
+      image.fullOverride: docker.gitea.com/gitea:1.19.3
       image.rootless: true
       gitea.ssh.logLevel: "DEBUG" # explicitly defining a non-standard level here
     asserts:

unittests/helm/init/init_directory_structure.sh-rootless.yaml

@@ -15,11 +15,11 @@ tests:
     asserts:
       - equal:
           path: stringData["configure_gpg_environment.sh"]
-          value: |-
+          value: |
             #!/usr/bin/env bash
             set -eu
 
-            gpg --batch --import /raw/private.asc
+            gpg --batch --import "$TMP_RAW_GPG_KEY"
   - it: skips gpg script block for disabled signing
     asserts:
       - equal:
@@ -65,7 +65,7 @@ tests:
   - it: it does not chown /data even when image.fullOverride is set
     template: templates/gitea/init.yaml
     set:
-      image.fullOverride: gitea/gitea:1.20.5
+      image.fullOverride: docker.gitea.com/gitea:1.20.5
     asserts:
       - equal:
           path: stringData["init_directory_structure.sh"]

unittests/helm/init/init_directory_structure.sh.yaml

@@ -16,11 +16,11 @@ tests:
     asserts:
       - equal:
           path: stringData["configure_gpg_environment.sh"]
-          value: |-
+          value: |
             #!/usr/bin/env bash
             set -eu
 
-            gpg --batch --import /raw/private.asc
+            gpg --batch --import "$TMP_RAW_GPG_KEY"
   - it: skips gpg script block for disabled signing
     set:
       image.rootless: false

unittests/helm/metric-secret/metrics-secret-servicemonitor-disabled.yaml

@@ -0,0 +1,23 @@
+suite: Metrics secret template (monitoring disabled)
+release:
+  name: gitea-unittests
+  namespace: testing
+templates:
+  - templates/gitea/metrics-secret.yaml
+tests:
+  - it: renders nothing if monitoring disabled and gitea.metrics.token empty
+    set:
+      gitea.metrics.enabled: false
+      gitea.metrics.serviceMonitor.enabled: false
+      gitea.metrics.token: ""
+    asserts:
+      - hasDocuments:
+          count: 0
+  - it: renders nothing if monitoring disabled and gitea.metrics.token not empty
+    set:
+      gitea.metrics.enabled: false
+      gitea.metrics.serviceMonitor.enabled: false
+      gitea.metrics.token: "test-token"
+    asserts:
+      - hasDocuments:
+          count: 0

unittests/helm/metric-secret/metrics-secret-servicemonitor-enabled.yaml

@@ -0,0 +1,33 @@
+suite: Metrics secret template (monitoring enabled)
+release:
+  name: gitea-unittests
+  namespace: testing
+templates:
+  - templates/gitea/metrics-secret.yaml
+tests:
+  - it: renders nothing if monitoring enabled and gitea.metrics.token empty
+    set:
+      gitea.metrics.enabled: true
+      gitea.metrics.serviceMonitor.enabled: true
+      gitea.metrics.token: ""
+    asserts:
+      - hasDocuments:
+          count: 0
+  - it: renders Secret if monitoring enabled and gitea.metrics.token not empty
+    set:
+      gitea.metrics.enabled: true
+      gitea.metrics.serviceMonitor.enabled: true
+      gitea.metrics.token: "test-token"
+    asserts:
+      - hasDocuments:
+          count: 1
+      - documentIndex: 0
+        containsDocument:
+          kind: Secret
+          apiVersion: v1
+          name: gitea-unittests-metrics-secret
+      - isNotNullOrEmpty:
+          path: metadata.labels
+      - equal:
+          path: data.token
+          value: "dGVzdC10b2tlbg=="

unittests/helm/servicemonitor/servicemonitor-disabled.yaml

@@ -0,0 +1,23 @@
+suite: ServiceMonitor template (monitoring disabled)
+release:
+  name: gitea-unittests
+  namespace: testing
+templates:
+  - templates/gitea/servicemonitor.yaml
+tests:
+  - it: renders nothing if gitea.metrics.serviceMonitor disabled and gitea.metrics.token empty
+    set:
+      gitea.metrics.enabled: false
+      gitea.metrics.token: ""
+      gitea.metrics.serviceMonitor.enabled: false
+    asserts:
+      - hasDocuments:
+          count: 0
+  - it: renders nothing if gitea.metrics.serviceMonitor disabled and gitea.metrics.token not empty
+    set:
+      gitea.metrics.enabled: false
+      gitea.metrics.token: "test-token"
+      gitea.metrics.serviceMonitor.enabled: false
+    asserts:
+      - hasDocuments:
+          count: 0

unittests/helm/servicemonitor/servicemonitor-enabled.yaml

@@ -0,0 +1,70 @@
+suite: ServiceMonitor template (monitoring enabled)
+release:
+  name: gitea-unittests
+  namespace: testing
+templates:
+  - templates/gitea/servicemonitor.yaml
+tests:
+  - it: renders unsecure ServiceMonitor if gitea.metrics.token nil
+    set:
+      gitea.metrics.enabled: true
+      gitea.metrics.token:
+      gitea.metrics.serviceMonitor.enabled: true
+    asserts:
+      - hasDocuments:
+          count: 1
+      - documentIndex: 0
+        containsDocument:
+          kind: ServiceMonitor
+          apiVersion: monitoring.coreos.com/v1
+          name: gitea-unittests
+      - isNotNullOrEmpty:
+          path: metadata.labels
+      - equal:
+          path: spec.endpoints
+          value:
+            - port: http
+  - it: renders unsecure ServiceMonitor if gitea.metrics.token empty
+    set:
+      gitea.metrics.enabled: true
+      gitea.metrics.token: ""
+      gitea.metrics.serviceMonitor.enabled: true
+    asserts:
+      - hasDocuments:
+          count: 1
+      - documentIndex: 0
+        containsDocument:
+          kind: ServiceMonitor
+          apiVersion: monitoring.coreos.com/v1
+          name: gitea-unittests
+      - isNotNullOrEmpty:
+          path: metadata.labels
+      - equal:
+          path: spec.endpoints
+          value:
+            - port: http
+  - it: renders secure ServiceMonitor if gitea.metrics.token not empty
+    set:
+      gitea.metrics.enabled: true
+      gitea.metrics.token: "test-token"
+      gitea.metrics.serviceMonitor.enabled: true
+    asserts:
+      - hasDocuments:
+          count: 1
+      - documentIndex: 0
+        containsDocument:
+          kind: ServiceMonitor
+          apiVersion: monitoring.coreos.com/v1
+          name: gitea-unittests
+      - isNotNullOrEmpty:
+          path: metadata.labels
+      - equal:
+          path: spec.endpoints
+          value:
+            - port: http
+              authorization:
+                type: Bearer
+                credentials:
+                  name: gitea-unittests-metrics-secret
+                  key: token
+                  optional: false

values.yaml

@@ -48,8 +48,8 @@ clusterDomain: cluster.local
 ## @param image.rootless Wether or not to pull the rootless version of Gitea, only works on Gitea 1.14.x or higher
 ## @param image.fullOverride Completely overrides the image registry, path/image, tag and digest. **Adjust `image.rootless` accordingly and review [Rootless defaults](#rootless-defaults).**
 image:
-  registry: ""
-  repository: gitea/gitea
+  registry: "docker.gitea.com"
+  repository: gitea
   # Overrides the image tag whose default is the chart appVersion.
   tag: ""
   digest: ""
@@ -76,7 +76,7 @@ containerSecurityContext: {}
 #   # run pods on nodes that use the container runtime cri-o. Otherwise, you will
 #   # get an error message from the SSH server that it is not possible to read from
 #   # the repository.
-#   # https://gitea.com/gitea/helm-chart/issues/161
+#   # https://gitea.com/gitea/helm-gitea/issues/161
 #     add:
 #       - SYS_CHROOT
 #   privileged: false
@@ -361,13 +361,16 @@ signing:
 ## @param actions.statefulset.nodeSelector NodeSelector for the statefulset
 ## @param actions.statefulset.tolerations Tolerations for the statefulset
 ## @param actions.statefulset.affinity Affinity for the statefulset
+## @param actions.statefulset.extraVolumes Extra volumes for the statefulset
 ## @param actions.statefulset.actRunner.repository The Gitea act runner image
 ## @param actions.statefulset.actRunner.tag The Gitea act runner tag
 ## @param actions.statefulset.actRunner.pullPolicy The Gitea act runner pullPolicy
+## @param actions.statefulset.actRunner.extraVolumeMounts Allows mounting extra volumes in the act runner container
 ## @param actions.statefulset.actRunner.config [default: Too complex. See values.yaml] Act runner custom configuration. See [Act Runner documentation](https://docs.gitea.com/usage/actions/act-runner#configuration) for details.
 ## @param actions.statefulset.dind.repository The Docker-in-Docker image
 ## @param actions.statefulset.dind.tag The Docker-in-Docker image tag
 ## @param actions.statefulset.dind.pullPolicy The Docker-in-Docker pullPolicy
+## @param actions.statefulset.dind.extraVolumeMounts Allows mounting extra volumes in the Docker-in-Docker container
 ## @param actions.statefulset.dind.extraEnvs Allows adding custom environment variables, such as `DOCKER_IPTABLES_LEGACY`
 ## @param actions.provisioning.enabled Create a job that will create and save the token in a Kubernetes Secret
 ## @param actions.provisioning.annotations Job's annotations
@@ -391,25 +394,27 @@ actions:
     nodeSelector: {}
     tolerations: []
     affinity: {}
+    extraVolumes: []
 
     actRunner:
       repository: gitea/act_runner
       tag: 0.2.11
       pullPolicy: IfNotPresent
+      extraVolumeMounts: []
 
+      # See full example here: https://gitea.com/gitea/act_runner/src/branch/main/internal/pkg/config/config.example.yaml
       config: |
         log:
           level: debug
         cache:
           enabled: false
-        runner:
-          labels:
-            - "ubuntu-latest"
 
     dind:
       repository: docker
       tag: 25.0.2-dind
       pullPolicy: IfNotPresent
+      extraVolumeMounts: []
+
       # If the container keeps crashing in your environment, you might have to add the `DOCKER_IPTABLES_LEGACY` environment variable.
       # See https://github.com/docker-library/docker/issues/463#issuecomment-1881909456
       extraEnvs: []
@@ -420,7 +425,7 @@ actions:
     image:
       repository: busybox
       # Overrides the image tag whose default is the chart appVersion.
-      tag: "1.36.1"
+      tag: "1.37.0"
 
   provisioning:
     enabled: false
@@ -461,6 +466,7 @@ gitea:
     passwordMode: keepUpdated
 
   ## @param gitea.metrics.enabled Enable Gitea metrics
+  ## @param gitea.metrics.token used for `bearer` token authentication on metrics endpoint. If not specified or empty metrics endpoint is public.
   ## @param gitea.metrics.serviceMonitor.enabled Enable Gitea metrics service monitor. Requires, that `gitea.metrics.enabled` is also set to true, to enable metrics generally.
   ## @param gitea.metrics.serviceMonitor.interval Interval at which metrics should be scraped. If not specified Prometheus' global scrape interval is used.
   ## @param gitea.metrics.serviceMonitor.relabelings RelabelConfigs to apply to samples before scraping.
@@ -469,6 +475,7 @@ gitea:
   ## @param gitea.metrics.serviceMonitor.tlsConfig TLS configuration to use when scraping the metric endpoint by Prometheus.
   metrics:
     enabled: false
+    token:
     serviceMonitor:
       enabled: false
       #  additionalLabels:
@@ -603,7 +610,7 @@ gitea:
 
 ## @section redis-cluster
 ## @param redis-cluster.enabled Enable redis cluster
-# ⚠️ The redis charts do not work well with special characters in the password (<https://gitea.com/gitea/helm-chart/issues/690>).
+# ⚠️ The redis charts do not work well with special characters in the password (<https://gitea.com/gitea/helm-gitea/issues/690>).
 # Consider omitting such or open an issue in the Bitnami repo and let us know once this got fixed.
 ## @param redis-cluster.usePassword Whether to use password authentication
 ## @param redis-cluster.cluster.nodes Number of redis cluster master nodes
@@ -621,7 +628,7 @@ redis-cluster:
 ## @section redis
 ## @param redis.enabled Enable redis standalone or replicated
 ## @param redis.architecture Whether to use standalone or replication
-# ⚠️ The redis charts do not work well with special characters in the password (<https://gitea.com/gitea/helm-chart/issues/690>).
+# ⚠️ The redis charts do not work well with special characters in the password (<https://gitea.com/gitea/helm-gitea/issues/690>).
 # Consider omitting such or open an issue in the Bitnami repo and let us know once this got fixed.
 ## @param redis.global.redis.password Required password
 ## @param redis.master.count Number of Redis master instances to deploy