chore(deps): update dependency markdownlint-cli to ^0.46.0 (#988)

Co-authored-by: Renovate Bot <renovate-bot@gitea.com>
Co-committed-by: Renovate Bot <renovate-bot@gitea.com>

.editorconfig

@@ -9,4 +9,7 @@ indent_size = 2
 end_of_line = lf
 charset = utf-8
 trim_trailing_whitespace = false
-insert_final_newline = false
+insert_final_newline = false
+
+[Makefile]
+indent_style = tab

.gitea/scripts/add-annotations.sh

@@ -0,0 +1,114 @@
+#!/bin/bash
+
+set -e
+
+CHART_FILE="Chart.yaml"
+if [ ! -f "${CHART_FILE}" ]; then
+  echo "ERROR: ${CHART_FILE} not found!" 1>&2
+  exit 1
+fi
+
+DEFAULT_NEW_TAG="$(git tag --sort=-version:refname | head -n 1)"
+DEFAULT_OLD_TAG="$(git tag --sort=-version:refname | head -n 2 | tail -n 1)"
+
+if [ -z "${1}" ]; then
+  read -p "Enter start tag [${DEFAULT_OLD_TAG}]: " OLD_TAG
+  if [ -z "${OLD_TAG}" ]; then
+    OLD_TAG="${DEFAULT_OLD_TAG}"
+  fi
+
+  while [ -z "$(git tag --list "${OLD_TAG}")" ]; do
+    echo "ERROR: Tag '${OLD_TAG}' not found!" 1>&2
+    read -p "Enter start tag [${DEFAULT_OLD_TAG}]: " OLD_TAG
+    if [ -z "${OLD_TAG}" ]; then
+      OLD_TAG="${DEFAULT_OLD_TAG}"
+    fi
+  done
+else
+  OLD_TAG=${1}
+  if [ -z "$(git tag --list "${OLD_TAG}")" ]; then
+    echo "ERROR: Tag '${OLD_TAG}' not found!" 1>&2
+    exit 1
+  fi
+fi
+
+if [ -z "${2}" ]; then
+  read -p "Enter end tag [${DEFAULT_NEW_TAG}]: " NEW_TAG
+  if [ -z "${NEW_TAG}" ]; then
+    NEW_TAG="${DEFAULT_NEW_TAG}"
+  fi
+
+  while [ -z "$(git tag --list "${NEW_TAG}")" ]; do
+    echo "ERROR: Tag '${NEW_TAG}' not found!" 1>&2
+    read -p "Enter end tag [${DEFAULT_NEW_TAG}]: " NEW_TAG
+    if [ -z "${NEW_TAG}" ]; then
+      NEW_TAG="${DEFAULT_NEW_TAG}"
+    fi
+  done
+else
+  NEW_TAG=${2}
+
+  if [ -z "$(git tag --list "${NEW_TAG}")" ]; then
+    echo "ERROR: Tag '${NEW_TAG}' not found!" 1>&2
+    exit 1
+  fi
+fi
+
+CHANGE_LOG_YAML=$(mktemp)
+echo "[]" > "${CHANGE_LOG_YAML}"
+
+function map_type_to_kind() {
+  case "${1}" in
+    feat)
+      echo "added"
+    ;;
+    fix)
+      echo "fixed"
+    ;;
+    chore|style|test|ci|docs|refac)
+      echo "changed"
+    ;;
+    revert)
+      echo "removed"
+    ;;
+    sec)
+      echo "security"
+    ;;
+    *)
+      echo "skip"
+    ;;
+  esac
+}
+
+COMMIT_TITLES="$(git log --pretty=format:"%s" "${OLD_TAG}..${NEW_TAG}")"
+
+echo "INFO: Generate change log entries from ${OLD_TAG} until ${NEW_TAG}"
+
+while IFS= read -r line; do
+  if [[ "${line}" =~ ^([a-zA-Z]+)(\([^\)]+\))?\:\ (.+)$ ]]; then
+    TYPE="${BASH_REMATCH[1]}"
+    KIND=$(map_type_to_kind "${TYPE}")
+
+    if [ "${KIND}" == "skip" ]; then
+      continue
+    fi
+
+    DESC="${BASH_REMATCH[3]}"
+
+    echo "- ${KIND}: ${DESC}"
+
+    jq --arg kind "${KIND}" --arg description "${DESC}" '. += [ $ARGS.named ]' < "${CHANGE_LOG_YAML}" > "${CHANGE_LOG_YAML}.new"
+    mv "${CHANGE_LOG_YAML}.new" "${CHANGE_LOG_YAML}"
+
+  fi
+done <<< "${COMMIT_TITLES}"
+
+if [ -s "${CHANGE_LOG_YAML}" ]; then
+  yq --inplace --input-format json --output-format yml "${CHANGE_LOG_YAML}"
+  yq --no-colors --inplace ".annotations.\"artifacthub.io/changes\" |= loadstr(\"${CHANGE_LOG_YAML}\") | sort_keys(.)" "${CHART_FILE}"
+else
+  echo "ERROR: Changelog file is empty: ${CHANGE_LOG_YAML}" 1>&2
+  exit 1
+fi
+
+rm "${CHANGE_LOG_YAML}"

.gitea/workflows/changelog.yml

@@ -8,12 +8,12 @@ on:
 jobs:
   changelog:
     runs-on: ubuntu-latest
-    container: docker.io/thegeeklab/git-sv:2.0.1
+    container: docker.io/thegeeklab/git-sv:2.0.7
     steps:
       - name: install tools
         run: |
           apk add -q --update --no-cache nodejs curl jq sed
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
         with:
           fetch-depth: 0
       - name: Generate upcoming changelog

.gitea/workflows/commitlint.yml

@@ -11,9 +11,9 @@ on:
 jobs:
   check-and-test:
     runs-on: ubuntu-latest
-    container: commitlint/commitlint:19.8.1
+    container: commitlint/commitlint:20.1.0
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - name: check PR title
         run: |
           echo "${{ gitea.event.pull_request.title }}" | commitlint --config .commitlintrc.json

.gitea/workflows/release-version.yml

@@ -5,79 +5,106 @@ on:
     tags:
       - "*"
 
-env:
-  # renovate: datasource=docker depName=alpine/helm
-  HELM_VERSION: "3.17.3"
-
 jobs:
-  # generate-chart-publish:
-  #   runs-on: ubuntu-latest
-  #   steps:
-  #     - uses: actions/checkout@v4
-  #     - name: install tools
-  #       run: |
-  #         apt update -y
-  #         apt install -y curl ca-certificates curl gnupg
-  #         # helm
-  #         curl -O https://get.helm.sh/helm-v${{ env.HELM_VERSION }}-linux-amd64.tar.gz
-  #         tar -xzf helm-v${{ env.HELM_VERSION }}-linux-amd64.tar.gz
-  #         mv linux-amd64/helm /usr/local/bin/
-  #         rm -rf linux-amd64 helm-v${{ env.HELM_VERSION }}-linux-amd64.tar.gz
-  #         helm version
-  #         # docker
-  #         install -m 0755 -d /etc/apt/keyrings
-  #         curl -fsSL https://download.docker.com/linux/ubuntu/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg
-  #         chmod a+r /etc/apt/keyrings/docker.gpg
-  #         echo "deb [arch="$(dpkg --print-architecture)" signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu "$(. /etc/os-release && echo "$VERSION_CODENAME")" stable" | tee /etc/apt/sources.list.d/docker.list > /dev/null
-  #         apt update -y
-  #         apt install -y python3 python3-pip apt-transport-https docker-ce-cli
-  #         pip install awscli --break-system-packages
+  generate-chart-publish:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v5
+        with:
+          fetch-depth: 0
 
-  #     - name: Import GPG key
-  #       id: import_gpg
-  #       uses: https://github.com/crazy-max/ghaction-import-gpg@v6
-  #       with:
-  #         gpg_private_key: ${{ secrets.GPGSIGN_KEY }}
-  #         passphrase: ${{ secrets.GPGSIGN_PASSPHRASE }}
-  #         fingerprint: CC64B1DB67ABBEECAB24B6455FC346329753F4B0
+      - name: Install packages via apt
+        run: |
+          apt update --yes
+          apt install --yes curl ca-certificates curl gnupg jq
 
-  #     # Using helm gpg plugin as 'helm package --sign' has issues with gpg2: https://github.com/helm/helm/issues/2843
-  #     - name: package chart
-  #       run: |
-  #         echo ${{ secrets.DOCKER_CHARTS_PASSWORD }} | docker login -u ${{ secrets.DOCKER_CHARTS_USERNAME }} --password-stdin
-  #         # FIXME: use upstream after https://github.com/technosophos/helm-gpg/issues/1 is solved
-  #         helm plugin install https://github.com/pat-s/helm-gpg
-  #         helm dependency build
-  #         helm package --version "${GITHUB_REF#refs/tags/v}" ./
-  #         mkdir gitea
-  #         mv gitea*.tgz gitea/
-  #         curl -s -L -o gitea/index.yaml https://dl.gitea.com/charts/index.yaml
-  #         helm repo index gitea/ --url https://dl.gitea.com/charts --merge gitea/index.yaml
-  #         # push to dockerhub
-  #         echo ${{ secrets.DOCKER_CHARTS_PASSWORD }} | helm registry login -u ${{ secrets.DOCKER_CHARTS_USERNAME }} registry-1.docker.io --password-stdin
-  #         helm push gitea/gitea-${GITHUB_REF#refs/tags/v}.tgz oci://registry-1.docker.io/giteacharts
-  #         helm registry logout registry-1.docker.io
+      - name: Install helm
+        env:
+          # renovate: datasource=docker depName=alpine/helm
+          HELM_VERSION: "3.19.0"
+        run: |
+          curl --fail --location --output /dev/stdout --silent --show-error https://get.helm.sh/helm-v${HELM_VERSION}-linux-$(dpkg --print-architecture).tar.gz | tar --extract --gzip --file /dev/stdin
+          mv linux-$(dpkg --print-architecture)/helm /usr/local/bin/
+          rm --force --recursive linux-$(dpkg --print-architecture) helm-v${HELM_VERSION}-linux-$(dpkg --print-architecture).tar.gz
+          helm version
 
-  #     - name: aws credential configure
-  #       uses: https://github.com/aws-actions/configure-aws-credentials@v4
-  #       with:
-  #         aws-access-key-id: ${{ secrets.AWS_KEY_ID }}
-  #         aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-  #         aws-region: ${{ secrets.AWS_REGION }}
+      - name: Install yq
+        env:
+          YQ_VERSION: v4.45.4 # renovate: datasource=github-releases depName=mikefarah/yq
+        run: |
+          curl --fail --location --output /dev/stdout --silent --show-error https://github.com/mikefarah/yq/releases/download/${YQ_VERSION}/yq_linux_$(dpkg --print-architecture).tar.gz | tar --extract --gzip --file /dev/stdin
+          mv yq_linux_$(dpkg --print-architecture) /usr/local/bin
+          rm --force --recursive yq_linux_$(dpkg --print-architecture) yq_linux_$(dpkg --print-architecture).tar.gz
+          yq --version
 
-  #     - name: Copy files to S3 and clear cache
-  #       run: |
-  #         aws s3 sync gitea/ s3://${{ secrets.AWS_S3_BUCKET}}/charts/
+      - name: Install docker-ce via apt
+        run: |
+          install -m 0755 -d /etc/apt/keyrings
+          curl --fail --location --silent --show-error https://download.docker.com/linux/ubuntu/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg
+          chmod a+r /etc/apt/keyrings/docker.gpg
+          echo "deb [arch="$(dpkg --print-architecture)" signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu "$(. /etc/os-release && echo "$VERSION_CODENAME")" stable" | tee /etc/apt/sources.list.d/docker.list > /dev/null
+          apt update --yes
+          apt install --yes python3 python3-pip apt-transport-https docker-ce-cli
+
+      - name: Install awscli
+        run: |
+          pip install awscli --break-system-packages
+          aws --version
+
+      - name: Import GPG key
+        id: import_gpg
+        uses: https://github.com/crazy-max/ghaction-import-gpg@v6
+        with:
+          gpg_private_key: ${{ secrets.GPGSIGN_KEY }}
+          passphrase: ${{ secrets.GPGSIGN_PASSPHRASE }}
+          fingerprint: CC64B1DB67ABBEECAB24B6455FC346329753F4B0
+
+      - name: Add Artifacthub.io annotations
+        run: |
+          NEW_TAG="$(git tag --sort=-version:refname | head --lines 1)"
+          OLD_TAG="$(git tag --sort=-version:refname | head --lines 2 | tail --lines 1)"
+          .gitea/scripts/add-annotations.sh "${OLD_TAG}" "${NEW_TAG}"
+
+      - name: Print Chart.yaml
+        run: cat Chart.yaml
+
+      # Using helm gpg plugin as 'helm package --sign' has issues with gpg2: https://github.com/helm/helm/issues/2843
+      - name: package chart
+        run: |
+          echo ${{ secrets.DOCKER_CHARTS_PASSWORD }} | docker login -u ${{ secrets.DOCKER_CHARTS_USERNAME }} --password-stdin
+          # FIXME: use upstream after https://github.com/technosophos/helm-gpg/issues/1 is solved
+          helm plugin install https://github.com/pat-s/helm-gpg
+          helm dependency build
+          helm package --version "${GITHUB_REF#refs/tags/v}" ./
+          mkdir gitea
+          mv gitea*.tgz gitea/
+          curl --fail --location --output gitea/index.yaml --silent --show-error https://dl.gitea.com/charts/index.yaml
+          helm repo index gitea/ --url https://dl.gitea.com/charts --merge gitea/index.yaml
+          # push to dockerhub
+          echo ${{ secrets.DOCKER_CHARTS_PASSWORD }} | helm registry login -u ${{ secrets.DOCKER_CHARTS_USERNAME }} registry-1.docker.io --password-stdin
+          helm push gitea/gitea-${GITHUB_REF#refs/tags/v}.tgz oci://registry-1.docker.io/giteacharts
+          helm registry logout registry-1.docker.io
+
+      - name: aws credential configure
+        uses: https://github.com/aws-actions/configure-aws-credentials@v5
+        with:
+          aws-access-key-id: ${{ secrets.AWS_KEY_ID }}
+          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          aws-region: ${{ secrets.AWS_REGION }}
+
+      - name: Copy files to S3 and clear cache
+        run: |
+          aws s3 sync gitea/ s3://${{ secrets.AWS_S3_BUCKET}}/charts/
 
   release-gitea:
-    # needs: generate-chart-publish
+    needs: generate-chart-publish
     runs-on: ubuntu-latest
-    container: docker.io/thegeeklab/git-sv:2.0.1
+    container: docker.io/thegeeklab/git-sv:2.0.7
     steps:
       - name: install tools
         run: |
           apk add -q --update --no-cache nodejs
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
         with:
           fetch-tags: true
           fetch-depth: 0

.gitea/workflows/test-pr.yml

@@ -10,18 +10,18 @@ on:
 
 env:
   # renovate: datasource=github-releases depName=helm-unittest/helm-unittest
-  HELM_UNITTEST_VERSION: "v0.8.2"
+  HELM_UNITTEST_VERSION: "v1.0.3"
 
 jobs:
   check-and-test:
     runs-on: ubuntu-latest
-    container: alpine/helm:3.17.3
+    container: alpine/helm:3.19.0
     steps:
       - name: install tools
         run: |
           apk update
           apk add --update bash make nodejs npm yamllint ncurses
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - name: install chart dependencies
         run: helm dependency build
       - name: lint

.vscode/settings.json

@@ -1,6 +1,6 @@
 {
     "yaml.schemas": {
-        "https://raw.githubusercontent.com/helm-unittest/helm-unittest/v0.8.2/schema/helm-testsuite.json": [
+        "https://raw.githubusercontent.com/helm-unittest/helm-unittest/v1.0.3/schema/helm-testsuite.json": [
             "/unittests/**/*.yaml"
         ]
     },

CODEOWNERS

@@ -1 +1 @@
-charts/* @justusbunsi @pat-s
+* @rossigee @volker.raschek @ChristopherHX

Chart.lock

@@ -1,15 +1,15 @@
 dependencies:
 - name: postgresql
   repository: oci://registry-1.docker.io/bitnamicharts
-  version: 16.7.2
+  version: 16.7.27
 - name: postgresql-ha
   repository: oci://registry-1.docker.io/bitnamicharts
-  version: 16.0.3
+  version: 16.3.2
 - name: valkey-cluster
   repository: oci://registry-1.docker.io/bitnamicharts
-  version: 3.0.5
+  version: 3.0.24
 - name: valkey
   repository: oci://registry-1.docker.io/bitnamicharts
-  version: 3.0.4
-digest: sha256:9f184e842e4e04f7a1a3791ed92ab2ce085c4cf8f9dc9ce9a70b45b8af4c3c3c
-generated: "2025-05-10T03:23:40.55670864Z"
+  version: 3.0.31
+digest: sha256:ceb6a1890cfdc2627abb85d3e2a4baa64d30afd21dcfabce978a824a67f0a2bb
+generated: "2025-08-30T00:03:04.59764502Z"

Chart.yaml

@@ -4,9 +4,14 @@ description: Gitea Helm chart for Kubernetes
 type: application
 version: 0.0.0
 # renovate datasource=github-releases depName=go-gitea/gitea extractVersion=^v(?<version>.*)$
-appVersion: 1.23.8
+appVersion: 1.25.1
 icon: https://gitea.com/assets/img/logo.svg
 
+annotations:
+  artifacthub.io/links: |
+    - name: support
+      url: https://gitea.com/gitea/helm-gitea/issues
+
 keywords:
   - git
   - issue tracker
@@ -14,42 +19,44 @@ keywords:
   - wiki
   - gitea
   - gogs
+
 sources:
   - https://gitea.com/gitea/helm-gitea
   - https://github.com/go-gitea/gitea
   - https://docker.gitea.com/gitea
+
 maintainers:
-  - name: Charlie Drage
-    email: charlie@charliedrage.com
-  - name: Gitea Authors
-    email: maintainers@gitea.io
-  - name: Konrad Lother
-    email: konrad.lother@novum-rgi.de
-  - name: Lucas Hahn
-    email: lucas.hahn@novum-rgi.de
-  - name: Steven Kriegler
-    email: sk.bunsenbrenner@gmail.com
-  - name: Patrick Schratz
-    email: patrick.schratz@gmail.com
+  # https://gitea.com/rossigee
+  - name: Ross Golder
+    email: ross@golder.org
+  # https://gitea.com/volker.raschek
+  - name: Markus Pesch
+    email: markus.pesch+apps@cryptic.systems
+  # https://gitea.com/DaanSelen
+  - name: Daan Selen
+    email: dselen@nerthus.nl
+  # https://gitea.com/ChristopherHX
+  - name: Christopher Homberger
+    email: christopher.homberger@web.de
 
 dependencies:
   # https://github.com/bitnami/charts/blob/main/bitnami/postgresql
   - name: postgresql
     repository: oci://registry-1.docker.io/bitnamicharts
-    version: 16.7.2
+    version: 16.7.27
     condition: postgresql.enabled
   # https://github.com/bitnami/charts/blob/main/bitnami/postgresql-ha/Chart.yaml
   - name: postgresql-ha
     repository: oci://registry-1.docker.io/bitnamicharts
-    version: 16.0.3
+    version: 16.3.2
     condition: postgresql-ha.enabled
   # https://github.com/bitnami/charts/blob/main/bitnami/valkey-cluster/Chart.yaml
   - name: valkey-cluster
     repository: oci://registry-1.docker.io/bitnamicharts
-    version: 3.0.5
+    version: 3.0.24
     condition: valkey-cluster.enabled
   # https://github.com/bitnami/charts/blob/main/bitnami/valkey/Chart.yaml
   - name: valkey
     repository: oci://registry-1.docker.io/bitnamicharts
-    version: 3.0.4
+    version: 3.0.31
     condition: valkey.enabled

Makefile

@@ -20,7 +20,10 @@ unittests-helm:
 unittests-bash:
 	./unittests/bash/bats/bin/bats --pretty ./unittests/bash/tests/**/*.bats
 
-.PHONY: helm
+.PHONY: update-helm-dependencies
 update-helm-dependencies:
 	helm dependency update
-  
+
+.PHONY: yamllint
+yamllint:
+	yamllint -c .yamllint .

README.md

@@ -33,6 +33,7 @@
 - [Metrics and profiling](#metrics-and-profiling)
   - [Secure Metrics Endpoint](#secure-metrics-endpoint)
 - [Pod annotations](#pod-annotations)
+- [TLS certificate rotation](#tls-certificate-rotation)
 - [Themes](#themes)
 - [Renovate](#renovate)
 - [Parameters](#parameters)
@@ -101,8 +102,8 @@ These dependencies are enabled by default:
 
 Alternatively, the following non-HA replacements are available:
 
-- PostgreSQL ([Bitnami PostgreSQL](<Postgresql](https://github.com/bitnami/charts/blob/main/bitnami/postgresql/Chart.yaml)>))
-- Valkey ([Bitnami Valkey](<Valkey](https://github.com/bitnami/charts/blob/main/bitnami/valkey/Chart.yaml)>))
+- PostgreSQL ([Bitnami PostgreSQL](https://github.com/bitnami/charts/blob/main/bitnami/postgresql/Chart.yaml))
+- Valkey ([Bitnami Valkey](https://github.com/bitnami/charts/blob/main/bitnami/valkey/Chart.yaml))
 
 ### Dependency Versioning
 
@@ -166,7 +167,7 @@ available. As this is a Golang application, this can be implemented using `GOMAX
 of defining `GOMAXPROCS` automatically based on the defined CPU limit like `1000m`. Please keep in mind, that the CFS
 rate of `100ms` - default on each kubernetes node, is also very important to avoid CPU throttling.
 
-Further information about this topic can be found [here](https://kanishk.io/posts/cpu-throttling-in-containerized-go-apps/).
+Further information about this topic can be found [under this link](https://kanishk.io/posts/cpu-throttling-in-containerized-go-apps/).
 
 > [!NOTE]
 > The environment variable `GOMAXPROCS` is set automatically, when a CPU limit is defined. An explicit configuration is
@@ -533,7 +534,7 @@ and the repository exists.
 ```
 
 To solve this problem add the capability `SYS_CHROOT` to the `securityContext`.
-More about this issue [here](https://gitea.com/gitea/helm-gitea/issues/161).
+More about this issue [under this link](https://gitea.com/gitea/helm-gitea/issues/161).
 
 ### Cache
 
@@ -693,7 +694,7 @@ Affected options:
 
 Like the admin user, OAuth2 settings can be updated and disabled but not deleted.
 Deleting OAuth2 settings has to be done in the ui.
-All OAuth2 values, which are documented [here](https://docs.gitea.com/administration/command-line#admin), are
+All OAuth2 values, which are documented [under this link](https://docs.gitea.com/administration/command-line#admin), are
 available.
 
 Multiple OAuth2 sources can be configured with additional OAuth list items.
@@ -816,6 +817,31 @@ gitea:
   podAnnotations: {}
 ```
 
+## TLS certificate rotation
+
+If Gitea uses TLS certificates that are mounted as a secret in the container file system, Gitea will not automatically apply them when the TLS certificates are rotated.
+Such a rotation can be for example triggered, when the cert-manager issues new TLS certificates before expiring. Further information is described as GitHub
+[issue](https://github.com/go-gitea/gitea/issues/27962).
+
+Until the issue is present, a workaround can be applied.
+For example stakater's [reloader](https://github.com/stakater/Reloader) controller can be used to trigger a rolling update.
+The following annotation must be added to instruct the reloader controller to trigger a rolling update, when the mounted `configMaps` and `secrets` have been changed.
+
+```yaml
+deployment:
+  annotations:
+    reloader.stakater.com/auto: "true"
+```
+
+Instead of triggering a rolling update for configMap and secret resources, this action can also be defined for individual items.
+For example, when the secret named `gitea-tls` is mounted and the reloader controller should only listen for changes of this secret:
+
+```yaml
+deployment:
+  annotations:
+    secret.reloader.stakater.com/reload: "gitea-tls"
+```
+
 ## Themes
 
 Custom themes can be added via k8s secrets and referencing them in `values.yaml`.
@@ -1044,6 +1070,8 @@ To comply with the Gitea helm chart definition of the digest parameter, a "custo
 | `persistence.subPath`                             | Subdirectory of the volume to mount at                                                                | `nil`                  |
 | `persistence.volumeName`                          | Name of persistent volume in PVC                                                                      | `""`                   |
 | `extraContainers`                                 | Additional sidecar containers to run in the pod                                                       | `[]`                   |
+| `preExtraInitContainers`                          | Additional init containers to run in the pod before Gitea runs it owns init containers.               | `[]`                   |
+| `postExtraInitContainers`                         | Additional init containers to run in the pod after Gitea runs it owns init containers.                | `[]`                   |
 | `extraVolumes`                                    | Additional volumes to mount to the Gitea deployment                                                   | `[]`                   |
 | `extraContainerVolumeMounts`                      | Mounts that are only mapped into the Gitea runtime/main container, to e.g. override custom templates. | `[]`                   |
 | `extraInitVolumeMounts`                           | Mounts that are only mapped into the init-containers. Can be used for additional preconfiguration.    | `[]`                   |
@@ -1134,52 +1162,69 @@ To comply with the Gitea helm chart definition of the digest parameter, a "custo
 
 Valkey cluster and [Valkey](#valkey) cannot be enabled at the same time.
 
-| Name                                  | Description                                                          | Value   |
-| ------------------------------------- | -------------------------------------------------------------------- | ------- |
-| `valkey-cluster.enabled`              | Enable valkey cluster                                                | `true`  |
-| `valkey-cluster.usePassword`          | Whether to use password authentication                               | `false` |
-| `valkey-cluster.usePasswordFiles`     | Whether to mount passwords as files instead of environment variables | `false` |
-| `valkey-cluster.cluster.nodes`        | Number of valkey cluster master nodes                                | `3`     |
-| `valkey-cluster.cluster.replicas`     | Number of valkey cluster master node replicas                        | `0`     |
-| `valkey-cluster.service.ports.valkey` | Port of Valkey service                                               | `6379`  |
+| Name                                                | Description                                                           | Value                          |
+| --------------------------------------------------- | --------------------------------------------------------------------- | ------------------------------ |
+| `valkey-cluster.enabled`                            | Enable valkey cluster                                                 | `true`                         |
+| `valkey-cluster.usePassword`                        | Whether to use password authentication.                               | `false`                        |
+| `valkey-cluster.usePasswordFiles`                   | Whether to mount passwords as files instead of environment variables. | `false`                        |
+| `valkey-cluster.image.repository`                   | Image repository, eg. `bitnamilegacy/valkey-cluster`.                 | `bitnamilegacy/valkey-cluster` |
+| `valkey-cluster.cluster.nodes`                      | Number of valkey cluster master nodes                                 | `3`                            |
+| `valkey-cluster.cluster.replicas`                   | Number of valkey cluster master node replicas                         | `0`                            |
+| `valkey-cluster.metrics.image.repository`           | Image repository, eg. `bitnamilegacy/redis-exporter`.                 | `bitnamilegacy/redis-exporter` |
+| `valkey-cluster.service.ports.valkey`               | Port of Valkey service                                                | `6379`                         |
+| `valkey-cluster.sysctlImage.repository`             | Image repository, eg. `bitnamilegacy/os-shell`.                       | `bitnamilegacy/os-shell`       |
+| `valkey-cluster.volumePermissions.image.repository` | Image repository, eg. `bitnamilegacy/os-shell`.                       | `bitnamilegacy/os-shell`       |
 
 ### valkey
 
 Valkey and [Valkey cluster](#valkey-cluster) cannot be enabled at the same time.
 
-| Name                                 | Description                                 | Value        |
-| ------------------------------------ | ------------------------------------------- | ------------ |
-| `valkey.enabled`                     | Enable valkey standalone or replicated      | `false`      |
-| `valkey.architecture`                | Whether to use standalone or replication    | `standalone` |
-| `valkey.global.valkey.password`      | Required password                           | `changeme`   |
-| `valkey.master.count`                | Number of Valkey master instances to deploy | `1`          |
-| `valkey.master.service.ports.valkey` | Port of Valkey service                      | `6379`       |
+| Name                                        | Description                                           | Value                           |
+| ------------------------------------------- | ----------------------------------------------------- | ------------------------------- |
+| `valkey.enabled`                            | Enable valkey standalone or replicated                | `false`                         |
+| `valkey.architecture`                       | Whether to use standalone or replication              | `standalone`                    |
+| `valkey.kubectl.image.repository`           | Image repository, eg. `bitnamilegacy/kubectl`.        | `bitnamilegacy/kubectl`         |
+| `valkey.image.repository`                   | Image repository, eg. `bitnamilegacy/valkey`.         | `bitnamilegacy/valkey`          |
+| `valkey.global.valkey.password`             | Required password                                     | `changeme`                      |
+| `valkey.master.count`                       | Number of Valkey master instances to deploy           | `1`                             |
+| `valkey.master.service.ports.valkey`        | Port of Valkey service                                | `6379`                          |
+| `valkey.metrics.image.repository`           | Image repository, eg. `bitnamilegacy/redis-exporter`. | `bitnamilegacy/redis-exporter`  |
+| `valkey.sentinel.image.repository`          | Image repository, eg. `bitnamilegacy/sentinel`.       | `bitnamilegacy/valkey-sentinel` |
+| `valkey.volumePermissions.image.repository` | Image repository, eg. `bitnamilegacy/os-shell`.       | `bitnamilegacy/os-shell`        |
 
 ### PostgreSQL HA
 
-| Name                                        | Description                                                      | Value       |
-| ------------------------------------------- | ---------------------------------------------------------------- | ----------- |
-| `postgresql-ha.enabled`                     | Enable PostgreSQL HA                                             | `true`      |
-| `postgresql-ha.postgresql.password`         | Password for the `gitea` user (overrides `auth.password`)        | `changeme4` |
-| `postgresql-ha.global.postgresql.database`  | Name for a custom database to create (overrides `auth.database`) | `gitea`     |
-| `postgresql-ha.global.postgresql.username`  | Name for a custom user to create (overrides `auth.username`)     | `gitea`     |
-| `postgresql-ha.global.postgresql.password`  | Name for a custom password to create (overrides `auth.password`) | `gitea`     |
-| `postgresql-ha.postgresql.repmgrPassword`   | Repmgr Password                                                  | `changeme2` |
-| `postgresql-ha.postgresql.postgresPassword` | postgres Password                                                | `changeme1` |
-| `postgresql-ha.pgpool.adminPassword`        | pgpool adminPassword                                             | `changeme3` |
-| `postgresql-ha.service.ports.postgresql`    | PostgreSQL service port (overrides `service.ports.postgresql`)   | `5432`      |
-| `postgresql-ha.persistence.size`            | PVC Storage Request for PostgreSQL HA volume                     | `10Gi`      |
+| Name                                               | Description                                                      | Value                             |
+| -------------------------------------------------- | ---------------------------------------------------------------- | --------------------------------- |
+| `postgresql-ha.enabled`                            | Enable PostgreSQL HA                                             | `true`                            |
+| `postgresql-ha.global.postgresql.database`         | Name for a custom database to create (overrides `auth.database`) | `gitea`                           |
+| `postgresql-ha.global.postgresql.username`         | Name for a custom user to create (overrides `auth.username`)     | `gitea`                           |
+| `postgresql-ha.global.postgresql.password`         | Name for a custom password to create (overrides `auth.password`) | `gitea`                           |
+| `postgresql-ha.metrics.image.repository`           | Image repository, eg. `bitnamilegacy/postgres-exporter`.         | `bitnamilegacy/postgres-exporter` |
+| `postgresql-ha.postgresql.image.repository`        | Image repository, eg. `bitnamilegacy/postgresql-repmgr`.         | `bitnamilegacy/postgresql-repmgr` |
+| `postgresql-ha.postgresql.repmgrPassword`          | Repmgr Password                                                  | `changeme2`                       |
+| `postgresql-ha.postgresql.postgresPassword`        | postgres Password                                                | `changeme1`                       |
+| `postgresql-ha.postgresql.password`                | Password for the `gitea` user (overrides `auth.password`)        | `changeme4`                       |
+| `postgresql-ha.pgpool.adminPassword`               | pgpool adminPassword                                             | `changeme3`                       |
+| `postgresql-ha.pgpool.image.repository`            | Image repository, eg. `bitnamilegacy/pgpool`.                    | `bitnamilegacy/pgpool`            |
+| `postgresql-ha.pgpool.srCheckPassword`             | pgpool srCheckPassword                                           | `changeme4`                       |
+| `postgresql-ha.service.ports.postgresql`           | PostgreSQL service port (overrides `service.ports.postgresql`)   | `5432`                            |
+| `postgresql-ha.persistence.size`                   | PVC Storage Request for PostgreSQL HA volume                     | `10Gi`                            |
+| `postgresql-ha.volumePermissions.image.repository` | Image repository, eg. `bitnamilegacy/os-shell`.                  | `bitnamilegacy/os-shell`          |
 
 ### PostgreSQL
 
-| Name                                                    | Description                                                      | Value   |
-| ------------------------------------------------------- | ---------------------------------------------------------------- | ------- |
-| `postgresql.enabled`                                    | Enable PostgreSQL                                                | `false` |
-| `postgresql.global.postgresql.auth.password`            | Password for the `gitea` user (overrides `auth.password`)        | `gitea` |
-| `postgresql.global.postgresql.auth.database`            | Name for a custom database to create (overrides `auth.database`) | `gitea` |
-| `postgresql.global.postgresql.auth.username`            | Name for a custom user to create (overrides `auth.username`)     | `gitea` |
-| `postgresql.global.postgresql.service.ports.postgresql` | PostgreSQL service port (overrides `service.ports.postgresql`)   | `5432`  |
-| `postgresql.primary.persistence.size`                   | PVC Storage Request for PostgreSQL volume                        | `10Gi`  |
+| Name                                                    | Description                                                      | Value                             |
+| ------------------------------------------------------- | ---------------------------------------------------------------- | --------------------------------- |
+| `postgresql.enabled`                                    | Enable PostgreSQL                                                | `false`                           |
+| `postgresql.global.postgresql.auth.password`            | Password for the `gitea` user (overrides `auth.password`)        | `gitea`                           |
+| `postgresql.global.postgresql.auth.database`            | Name for a custom database to create (overrides `auth.database`) | `gitea`                           |
+| `postgresql.global.postgresql.auth.username`            | Name for a custom user to create (overrides `auth.username`)     | `gitea`                           |
+| `postgresql.global.postgresql.service.ports.postgresql` | PostgreSQL service port (overrides `service.ports.postgresql`)   | `5432`                            |
+| `postgresql.image.repository`                           | Image repository, eg. `bitnamilegacy/postgresql`.                | `bitnamilegacy/postgresql`        |
+| `postgresql.primary.persistence.size`                   | PVC Storage Request for PostgreSQL volume                        | `10Gi`                            |
+| `postgresql.metrics.image.repository`                   | Image repository, eg. `bitnamilegacy/postgres-exporter`.         | `bitnamilegacy/postgres-exporter` |
+| `postgresql.volumePermissions.image.repository`         | Image repository, eg. `bitnamilegacy/os-shell`.                  | `bitnamilegacy/os-shell`          |
 
 ### Advanced
 
@@ -1216,7 +1261,7 @@ If you miss this, blindly upgrading may delete your Postgres instance and you ma
   To deploy and use "Actions", please see the new dedicated chart at <https://gitea.com/gitea/helm-actions>.
   It is maintained by a seperate maintainer group and hasn't seen a release yet (at the time of the 12.0 release).
   Feel encouraged to contribute if "Actions" is important to you!
-  
+
   This change was made to avoid overloading the existing helm chart, which is already quite large in size and configuration options.
   In addition, the existing maintainers team was not actively using "Actions" which slowed down development and community contributions.
   While the new chart is still young (and waiting for contributions! and maintainers), we believe that it is the best way moving forward for both parts.

package.json

@@ -14,6 +14,6 @@
   },
   "devDependencies": {
     "@bitnami/readme-generator-for-helm": "^2.5.0",
-    "markdownlint-cli": "^0.44.0"
+    "markdownlint-cli": "^0.46.0"
   }
 }

renovate.json5

@@ -49,6 +49,14 @@
       ],
     },
   ],
+  lockFileMaintenance: {
+    "enabled": true,
+    "commitMessageAction": "update",
+    "commitMessageTopic": "lockfiles",
+    schedule: [
+      'at any time',
+    ]
+  },
   packageRules: [
     {
       groupName: 'subcharts (minor & patch)',

templates/_helpers.tpl

@@ -361,16 +361,18 @@ https
   {{- if not .Values.gitea.config.server.SSH_PORT -}}
     {{- $_ := set .Values.gitea.config.server "SSH_PORT" .Values.service.ssh.port -}}
   {{- end -}}
-  {{- if not (hasKey .Values.gitea.config.server "SSH_LISTEN_PORT") -}}
-    {{- if not .Values.image.rootless -}}
-      {{- $_ := set .Values.gitea.config.server "SSH_LISTEN_PORT" .Values.gitea.config.server.SSH_PORT -}}
-    {{- else -}}
-      {{- $_ := set .Values.gitea.config.server "SSH_LISTEN_PORT" "2222" -}}
-    {{- end -}}
-  {{- end -}}
   {{- if not (hasKey .Values.gitea.config.server "START_SSH_SERVER") -}}
     {{- if .Values.image.rootless -}}
       {{- $_ := set .Values.gitea.config.server "START_SSH_SERVER" "true" -}}
+      {{- if not (hasKey .Values.gitea.config.server "SSH_LISTEN_PORT") -}}
+        {{- if not .Values.gitea.config.server.SSH_LISTEN_PORT -}}
+          {{- $_ := set .Values.gitea.config.server "SSH_LISTEN_PORT" .Values.gitea.config.server.SSH_PORT -}}
+        {{- else -}}
+          {{- $_ := set .Values.gitea.config.server "SSH_LISTEN_PORT" .Values.gitea.config.server.SSH_LISTEN_PORT -}}
+        {{- end -}}
+      {{- end -}}
+    {{- else -}}
+      {{- $_ := set .Values.gitea.config.server "START_SSH_SERVER" "false" -}}
     {{- end -}}
   {{- end -}}
   {{- if not (hasKey .Values.gitea.config.server "APP_DATA_PATH") -}}

templates/gitea/config.yaml

@@ -27,7 +27,7 @@ stringData:
     {{- end }}
     
     {{- /* multiple replicas assertions */ -}}
-    {{- if gt .Values.replicaCount 1.0 -}}
+    {{- if gt (.Values.replicaCount | int) 1 -}}
       {{- if .Values.gitea.config.cron -}}
         {{- if .Values.gitea.config.cron.GIT_GC_REPOS -}}
           {{- if eq .Values.gitea.config.cron.GIT_GC_REPOS.ENABLED true -}}

templates/gitea/deployment.yaml

@@ -59,6 +59,9 @@ spec:
       securityContext:
         {{- toYaml .Values.podSecurityContext | nindent 8 }}
       initContainers:
+        {{- if .Values.preExtraInitContainers }}
+        {{- toYaml .Values.preExtraInitContainers | nindent 8 }}
+        {{- end }}
         - name: init-directories
           image: "{{ include "gitea.image" . }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
@@ -98,7 +101,7 @@ spec:
         - name: init-app-ini
           image: "{{ include "gitea.image" . }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
-          command: 
+          command:
           - "{{ .Values.initContainersScriptsVolumeMountPath }}/config_environment.sh"
           env:
             - name: GITEA_APP_INI
@@ -143,7 +146,7 @@ spec:
         {{- if .Values.signing.enabled }}
         - name: configure-gpg
           image: "{{ include "gitea.image" . }}"
-          command: 
+          command:
           - "{{ .Values.initContainersScriptsVolumeMountPath }}/configure_gpg_environment.sh"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
           securityContext:
@@ -272,6 +275,9 @@ spec:
             {{- include "gitea.init-additional-mounts" . | nindent 12 }}
           resources:
             {{- toYaml .Values.initContainers.resources | nindent 12 }}
+        {{- if .Values.postExtraInitContainers }}
+        {{- toYaml .Values.postExtraInitContainers | nindent 8 }}
+        {{- end }}
       terminationGracePeriodSeconds: {{ .Values.deployment.terminationGracePeriodSeconds }}
       containers:
         - name: {{ .Chart.Name }}
@@ -364,9 +370,9 @@ spec:
       hostAliases:
         {{- toYaml . | nindent 8 }}
       {{- end }}
-      {{- range $key, $value := .Values.nodeSelector }}
+      {{- with .Values.nodeSelector }}
       nodeSelector:
-        {{ $key }}: {{ $value | quote }}
+        {{- toYaml . | nindent 8 }}
       {{- end }}
     {{- with .Values.affinity }}
       affinity:

templates/gitea/extra-list.yaml

@@ -1,8 +1,8 @@
 {{- range .Values.extraDeploy }}
 ---
 {{- if typeIs "string" . }}
-    {{- tpl . $ }}
+    {{ tpl . $ }}
 {{- else }}
-    {{- tpl (. | toYaml) $ }}
+    {{ tpl (. | toYaml) $ }}
 {{- end }}
 {{- end }}

templates/gitea/pvc.yaml

@@ -10,7 +10,7 @@ metadata:
 {{ .Values.persistence.labels | toYaml | indent 4}}
 spec:
   accessModes:
-  {{- if gt .Values.replicaCount 1.0 }}
+  {{- if gt (.Values.replicaCount | int) 1 }}
       - ReadWriteMany
   {{- else }}
     {{- .Values.persistence.accessModes | toYaml | nindent 4 }}

unittests/helm/dependency-checks/customization-integrity-postgresql-ha.yaml

@@ -18,6 +18,7 @@ set:
       password: custom-password-overwritten-by-global-postgresql-password
     pgpool:
       adminPassword: custom-password-pgpool
+      srCheckPassword: custom-password-sr-check
     service:
       ports:
         postgresql: 1234
@@ -75,6 +76,13 @@ tests:
         equal:
           path: data["admin-password"]
           value: "Y3VzdG9tLXBhc3N3b3JkLXBncG9vbA=="
+  - it: "[postgresql-ha] pgpool.srCheckPassword is applied as expected"
+    template: charts/postgresql-ha/templates/pgpool/secrets.yaml
+    asserts:
+      - documentIndex: 0
+        equal:
+          path: data["sr-check-password"]
+          value: "Y3VzdG9tLXBhc3N3b3JkLXNyLWNoZWNr"
   - it: "[postgresql-ha] persistence.size is applied as expected"
     template: charts/postgresql-ha/templates/postgresql/statefulset.yaml
     asserts:

unittests/helm/dependency-checks/major-image-bump.yaml

@@ -15,7 +15,7 @@ tests:
         matchRegex:
           path: spec.template.spec.containers[0].image
           # IN CASE OF AN INTENTIONAL MAJOR BUMP, ADJUST THIS TEST
-          pattern: bitnami/postgresql-repmgr:17.+$
+          pattern: bitnamilegacy/postgresql-repmgr:17.+$
   - it: "[postgresql] ensures we detect major image version upgrades"
     template: charts/postgresql/templates/primary/statefulset.yaml
     set:
@@ -28,7 +28,7 @@ tests:
         matchRegex:
           path: spec.template.spec.containers[0].image
           # IN CASE OF AN INTENTIONAL MAJOR BUMP, ADJUST THIS TEST
-          pattern: bitnami/postgresql:17.+$
+          pattern: bitnamilegacy/postgresql:17.+$
   - it: "[valkey-cluster] ensures we detect major image version upgrades"
     template: charts/valkey-cluster/templates/valkey-statefulset.yaml
     set:
@@ -41,7 +41,7 @@ tests:
         matchRegex:
           path: spec.template.spec.containers[0].image
           # IN CASE OF AN INTENTIONAL MAJOR BUMP, ADJUST THIS TEST
-          pattern: bitnami/valkey-cluster:8.+$
+          pattern: bitnamilegacy/valkey-cluster:8.+$
   - it: "[valkey] ensures we detect major image version upgrades"
     template: charts/valkey/templates/primary/application.yaml
     set:
@@ -54,4 +54,4 @@ tests:
         matchRegex:
           path: spec.template.spec.containers[0].image
           # IN CASE OF AN INTENTIONAL MAJOR BUMP, ADJUST THIS TEST
-          pattern: bitnami/valkey:8.+$
+          pattern: bitnamilegacy/valkey:8.+$

unittests/helm/deployment/basic.yaml

@@ -29,6 +29,24 @@ tests:
           path: spec.template.metadata.labels
           content:
             hello: world
+  - it: nodeSelector is undefined
+    asserts:
+      - notExists:
+          path: spec.template.spec.nodeSelector
+        template: templates/gitea/deployment.yaml
+  - it: nodeSelector is defined
+    set:
+      nodeSelector:
+        foo: bar
+        bar: foo
+    asserts:
+      - isSubset:
+          path: spec.template.spec.nodeSelector
+          content:
+            foo: bar
+            bar: foo
+        template: templates/gitea/deployment.yaml
+
   - it: "injects TMP_EXISTING_ENVS_FILE as environment variable to 'init-app-ini' init container"
     template: templates/gitea/deployment.yaml
     asserts:

unittests/helm/deployment/extraInitContainers.yaml

@@ -0,0 +1,59 @@
+suite: deployment template
+release:
+  name: gitea-unittests
+  namespace: testing
+templates:
+  - templates/gitea/deployment.yaml
+  - templates/gitea/config.yaml
+tests:
+  - it: Render the deployment (default)
+    asserts:
+      - hasDocuments:
+          count: 1
+        template: templates/gitea/deployment.yaml
+      - lengthEqual:
+          path: spec.template.spec.initContainers
+          count: 3
+        template: templates/gitea/deployment.yaml
+
+  - it: Render the deployment (signing)
+    set:
+      signing.enabled: true
+    asserts:
+      - hasDocuments:
+          count: 1
+        template: templates/gitea/deployment.yaml
+      - lengthEqual:
+          path: spec.template.spec.initContainers
+          count: 4
+        template: templates/gitea/deployment.yaml
+
+  - it: Render the deployment (extraInitContainers)
+    set:
+      postExtraInitContainers:
+        - name: foo
+          image: docker.io/library/busybox:latest
+      preExtraInitContainers:
+        - name: bar
+          image: docker.io/library/busybox:latest
+      signing.enabled: true
+    asserts:
+      - hasDocuments:
+          count: 1
+        template: templates/gitea/deployment.yaml
+      - lengthEqual:
+          path: spec.template.spec.initContainers
+          count: 6
+        template: templates/gitea/deployment.yaml
+      - contains:
+          path: spec.template.spec.initContainers
+          content:
+            name: foo
+            image: docker.io/library/busybox:latest
+        template: templates/gitea/deployment.yaml
+      - contains:
+          path: spec.template.spec.initContainers
+          content:
+            name: bar
+            image: docker.io/library/busybox:latest
+        template: templates/gitea/deployment.yaml

values.yaml

@@ -279,7 +279,19 @@ persistence:
 extraContainers: []
 #  - name: sidecar-bob
 #    image: busybox
-#    command: [/bin/sh, -c, 'echo "Hello world"; sleep 86400']
+#    command: [/bin/sh, -c, 'echo "Hello world"']
+
+## @param preExtraInitContainers Additional init containers to run in the pod before gitea runs it owns init containers.
+preExtraInitContainers: []
+# - name: pre-init-container
+#   image: docker.io/library/busybox
+#   command: [ /bin/sh, -c, 'echo "Hello world! I am a pre init container."' ]
+
+## @param postExtraInitContainers Additional init containers to run in the pod after gitea runs it owns init containers.
+postExtraInitContainers: []
+# - name: post-init-container
+#   image: docker.io/library/busybox
+#   command: [ /bin/sh, -c, 'echo "Hello world! I am a post init container."' ]
 
 ## @param extraVolumes Additional volumes to mount to the Gitea deployment
 extraVolumes: []
@@ -502,92 +514,161 @@ gitea:
     failureThreshold: 10
 
 ## @section valkey-cluster
-## @param valkey-cluster.enabled Enable valkey cluster
-# ⚠️ The valkey charts do not work well with special characters in the password (<https://gitea.com/gitea/helm-chart/issues/690>).
-# Consider omitting such or open an issue in the Bitnami repo and let us know once this got fixed.
-## @param valkey-cluster.usePassword Whether to use password authentication
-## @param valkey-cluster.usePasswordFiles Whether to mount passwords as files instead of environment variables
-## @param valkey-cluster.cluster.nodes Number of valkey cluster master nodes
-## @param valkey-cluster.cluster.replicas Number of valkey cluster master node replicas
-## @param valkey-cluster.service.ports.valkey Port of Valkey service
 ## @descriptionStart
 ## Valkey cluster and [Valkey](#valkey) cannot be enabled at the same time.
 ## @descriptionEnd
 valkey-cluster:
+  ## @param valkey-cluster.enabled Enable valkey cluster
+  # ⚠️ The valkey charts do not work well with special characters in the password (<https://gitea.com/gitea/helm-chart/issues/690>).
+  # Consider omitting such or open an issue in the Bitnami repo and let us know once this got fixed.
+  ## @param valkey-cluster.usePassword Whether to use password authentication.
+  ## @param valkey-cluster.usePasswordFiles Whether to mount passwords as files instead of environment variables.
   enabled: true
   usePassword: false
   usePasswordFiles: false
+
+  ## @param valkey-cluster.image.repository Image repository, eg. `bitnamilegacy/valkey-cluster`.
+  image:
+    repository: bitnamilegacy/valkey-cluster
+
+  ## @param valkey-cluster.cluster.nodes Number of valkey cluster master nodes
+  ## @param valkey-cluster.cluster.replicas Number of valkey cluster master node replicas
   cluster:
     nodes: 3 # default: 6
     replicas: 0 # default: 1
+
+  ## @param valkey-cluster.metrics.image.repository Image repository, eg. `bitnamilegacy/redis-exporter`.
+  metrics:
+    image:
+      repository: bitnamilegacy/redis-exporter
+
+  ## @param valkey-cluster.service.ports.valkey Port of Valkey service
   service:
     ports:
       valkey: 6379
 
+  ## @param valkey-cluster.sysctlImage.repository Image repository, eg. `bitnamilegacy/os-shell`.
+  sysctlImage:
+    repository: bitnamilegacy/os-shell
+
+  ## @param valkey-cluster.volumePermissions.image.repository Image repository, eg. `bitnamilegacy/os-shell`.
+  volumePermissions:
+    image:
+      repository: bitnamilegacy/os-shell
+
+
 ## @section valkey
-## @param valkey.enabled Enable valkey standalone or replicated
-## @param valkey.architecture Whether to use standalone or replication
-# ⚠️ The valkey charts do not work well with special characters in the password (<https://gitea.com/gitea/helm-chart/issues/690>).
-# Consider omitting such or open an issue in the Bitnami repo and let us know once this got fixed.
-## @param valkey.global.valkey.password Required password
-## @param valkey.master.count Number of Valkey master instances to deploy
-## @param valkey.master.service.ports.valkey Port of Valkey service
+
 ## @descriptionStart
 ## Valkey and [Valkey cluster](#valkey-cluster) cannot be enabled at the same time.
 ## @descriptionEnd
 valkey:
+  ## @param valkey.enabled Enable valkey standalone or replicated
+  ## @param valkey.architecture Whether to use standalone or replication
   enabled: false
   architecture: standalone
+
+  ## @param valkey.kubectl.image.repository Image repository, eg. `bitnamilegacy/kubectl`.
+  kubectl:
+    image:
+      repository: bitnamilegacy/kubectl
+
+  ## @param valkey.image.repository Image repository, eg. `bitnamilegacy/valkey`.
+  image:
+    repository: bitnamilegacy/valkey
+
+  # ⚠️ The valkey charts do not work well with special characters in the password (<https://gitea.com/gitea/helm-chart/issues/690>).
+  # Consider omitting such or open an issue in the Bitnami repo and let us know once this got fixed.
+  ## @param valkey.global.valkey.password Required password
   global:
     valkey:
       password: changeme
+
+  ## @param valkey.master.count Number of Valkey master instances to deploy
+  ## @param valkey.master.service.ports.valkey Port of Valkey service
   master:
     count: 1
     service:
       ports:
         valkey: 6379
 
+  ## @param valkey.metrics.image.repository Image repository, eg. `bitnamilegacy/redis-exporter`.
+  metrics:
+    image:
+      repository: bitnamilegacy/redis-exporter
+
+  ## @param valkey.sentinel.image.repository Image repository, eg. `bitnamilegacy/sentinel`.
+  sentinel:
+    image:
+      repository: bitnamilegacy/valkey-sentinel
+
+  ## @param valkey.volumePermissions.image.repository Image repository, eg. `bitnamilegacy/os-shell`.
+  volumePermissions:
+    image:
+      repository: bitnamilegacy/os-shell
+
 ## @section PostgreSQL HA
-#
-## @param postgresql-ha.enabled Enable PostgreSQL HA
-## @param postgresql-ha.postgresql.password Password for the `gitea` user (overrides `auth.password`)
-## @param postgresql-ha.global.postgresql.database Name for a custom database to create (overrides `auth.database`)
-## @param postgresql-ha.global.postgresql.username Name for a custom user to create (overrides `auth.username`)
-## @param postgresql-ha.global.postgresql.password Name for a custom password to create (overrides `auth.password`)
-## @param postgresql-ha.postgresql.repmgrPassword Repmgr Password
-## @param postgresql-ha.postgresql.postgresPassword postgres Password
-## @param postgresql-ha.pgpool.adminPassword pgpool adminPassword
-## @param postgresql-ha.service.ports.postgresql PostgreSQL service port (overrides `service.ports.postgresql`)
-## @param postgresql-ha.persistence.size PVC Storage Request for PostgreSQL HA volume
 postgresql-ha:
+  ## @param postgresql-ha.enabled Enable PostgreSQL HA
+  enabled: true
+
+  ## @param postgresql-ha.global.postgresql.database Name for a custom database to create (overrides `auth.database`)
+  ## @param postgresql-ha.global.postgresql.username Name for a custom user to create (overrides `auth.username`)
+  ## @param postgresql-ha.global.postgresql.password Name for a custom password to create (overrides `auth.password`)
   global:
     postgresql:
       database: gitea
       password: gitea
       username: gitea
-  enabled: true
+
+  ## @param postgresql-ha.metrics.image.repository Image repository, eg. `bitnamilegacy/postgres-exporter`.
+  metrics:
+    image:
+      repository: bitnamilegacy/postgres-exporter
+
+  ## @param postgresql-ha.postgresql.image.repository Image repository, eg. `bitnamilegacy/postgresql-repmgr`.
+  ## @param postgresql-ha.postgresql.repmgrPassword Repmgr Password
+  ## @param postgresql-ha.postgresql.postgresPassword postgres Password
+  ## @param postgresql-ha.postgresql.password Password for the `gitea` user (overrides `auth.password`)
   postgresql:
+    image:
+      repository: bitnamilegacy/postgresql-repmgr
     repmgrPassword: changeme2
     postgresPassword: changeme1
     password: changeme4
+
+  ## @param postgresql-ha.pgpool.adminPassword pgpool adminPassword
+  ## @param postgresql-ha.pgpool.image.repository Image repository, eg. `bitnamilegacy/pgpool`.
+  ## @param postgresql-ha.pgpool.srCheckPassword pgpool srCheckPassword
   pgpool:
     adminPassword: changeme3
+    image:
+      repository: bitnamilegacy/pgpool
+    srCheckPassword: changeme4
+
+  ## @param postgresql-ha.service.ports.postgresql PostgreSQL service port (overrides `service.ports.postgresql`)
   service:
     ports:
       postgresql: 5432
+
+  ## @param postgresql-ha.persistence.size PVC Storage Request for PostgreSQL HA volume
   persistence:
     size: 10Gi
 
+  ## @param postgresql-ha.volumePermissions.image.repository Image repository, eg. `bitnamilegacy/os-shell`.
+  volumePermissions:
+    image:
+      repository: bitnamilegacy/os-shell
+
 ## @section PostgreSQL
-#
-## @param postgresql.enabled Enable PostgreSQL
-## @param postgresql.global.postgresql.auth.password Password for the `gitea` user (overrides `auth.password`)
-## @param postgresql.global.postgresql.auth.database Name for a custom database to create (overrides `auth.database`)
-## @param postgresql.global.postgresql.auth.username Name for a custom user to create (overrides `auth.username`)
-## @param postgresql.global.postgresql.service.ports.postgresql PostgreSQL service port (overrides `service.ports.postgresql`)
-## @param postgresql.primary.persistence.size PVC Storage Request for PostgreSQL volume
 postgresql:
+  ## @param postgresql.enabled Enable PostgreSQL
   enabled: false
+
+  ## @param postgresql.global.postgresql.auth.password Password for the `gitea` user (overrides `auth.password`)
+  ## @param postgresql.global.postgresql.auth.database Name for a custom database to create (overrides `auth.database`)
+  ## @param postgresql.global.postgresql.auth.username Name for a custom user to create (overrides `auth.username`)
+  ## @param postgresql.global.postgresql.service.ports.postgresql PostgreSQL service port (overrides `service.ports.postgresql`)
   global:
     postgresql:
       auth:
@@ -597,10 +678,26 @@ postgresql:
       service:
         ports:
           postgresql: 5432
+
+  ## @param postgresql.image.repository Image repository, eg. `bitnamilegacy/postgresql`.
+  image:
+    repository: bitnamilegacy/postgresql
+
+  ## @param postgresql.primary.persistence.size PVC Storage Request for PostgreSQL volume
   primary:
     persistence:
       size: 10Gi
 
+  ## @param postgresql.metrics.image.repository Image repository, eg. `bitnamilegacy/postgres-exporter`.
+  metrics:
+    image:
+      repository: bitnamilegacy/postgres-exporter
+
+  ## @param postgresql.volumePermissions.image.repository Image repository, eg. `bitnamilegacy/os-shell`.
+  volumePermissions:
+    image:
+      repository: bitnamilegacy/os-shell
+
 # By default, removed or moved settings that still remain in a user defined values.yaml will cause Helm to fail running the install/update.
 # Set it to false to skip this basic validation check.
 ## @section Advanced