fix(ci): improve workflows (#959)

🤖 Split up helm chart workflows

The following patch adapts the CI workflows. The worflows has been splitted into
dedicated parts. For example the `helm template` and `helm unittest` command is
now a seperate step to notice that a change affects the template mechanism but
not the unittest. This was priviously not possible, because both commands were
part of one step.

🤖 Changelog Issue

Additionally has the changelog workflow be improved. The shell commands has
been migrated to a dedicated file named `.gitea/scripts/changelog.sh`. This has
the advantage, that the shellcheck plugin of IDE's support developers by
developing such shell scripts. Furthermore, the used container image has been
replaced by the ubuntu:latest image of the act_runner. This make it more
comfortable in using `curl` or `jq`, because the complete set of features/flags
are
avialable instead of the previously used container image
`docker.io/thegeeklab/git-sv:2.0.5`. Final note to the shell script
`changelog.sh`, this can now be executed locally as well as on ARM-based
act_runners and helps to test the helm chart in own Gitea environments
beforehand.

🤖 Markdown linter

In addition, a new workflow for markdown files has now been introduced. This
checks the `README.md` file for links, ensures that it is properly formatted,
and verifies that the parameters match those in `values.yaml`. Here, too, the
commands have been outsourced to separate jobs so that more precise interaction
is possible in the event of an error.

⚠️ Warning

This patch also requires an adjustment in branch protection. There, the
workflows that must be successful before a merge must be redefined.

Reviewed-on: https://gitea.com/gitea/helm-gitea/pulls/959
Reviewed-by: Lunny Xiao <xiaolunwen@gmail.com>
Co-authored-by: Markus Pesch <markus.pesch@cryptic.systems>
Co-committed-by: Markus Pesch <markus.pesch@cryptic.systems>

.gitea/scripts/add-annotations.sh

@@ -0,0 +1,114 @@
+#!/bin/bash
+
+set -e
+
+CHART_FILE="Chart.yaml"
+if [ ! -f "${CHART_FILE}" ]; then
+  echo "ERROR: ${CHART_FILE} not found!" 1>&2
+  exit 1
+fi
+
+DEFAULT_NEW_TAG="$(git tag --sort=-version:refname | head -n 1)"
+DEFAULT_OLD_TAG="$(git tag --sort=-version:refname | head -n 2 | tail -n 1)"
+
+if [ -z "${1}" ]; then
+  read -p "Enter start tag [${DEFAULT_OLD_TAG}]: " OLD_TAG
+  if [ -z "${OLD_TAG}" ]; then
+    OLD_TAG="${DEFAULT_OLD_TAG}"
+  fi
+
+  while [ -z "$(git tag --list "${OLD_TAG}")" ]; do
+    echo "ERROR: Tag '${OLD_TAG}' not found!" 1>&2
+    read -p "Enter start tag [${DEFAULT_OLD_TAG}]: " OLD_TAG
+    if [ -z "${OLD_TAG}" ]; then
+      OLD_TAG="${DEFAULT_OLD_TAG}"
+    fi
+  done
+else
+  OLD_TAG=${1}
+  if [ -z "$(git tag --list "${OLD_TAG}")" ]; then
+    echo "ERROR: Tag '${OLD_TAG}' not found!" 1>&2
+    exit 1
+  fi
+fi
+
+if [ -z "${2}" ]; then
+  read -p "Enter end tag [${DEFAULT_NEW_TAG}]: " NEW_TAG
+  if [ -z "${NEW_TAG}" ]; then
+    NEW_TAG="${DEFAULT_NEW_TAG}"
+  fi
+
+  while [ -z "$(git tag --list "${NEW_TAG}")" ]; do
+    echo "ERROR: Tag '${NEW_TAG}' not found!" 1>&2
+    read -p "Enter end tag [${DEFAULT_NEW_TAG}]: " NEW_TAG
+    if [ -z "${NEW_TAG}" ]; then
+      NEW_TAG="${DEFAULT_NEW_TAG}"
+    fi
+  done
+else
+  NEW_TAG=${2}
+
+  if [ -z "$(git tag --list "${NEW_TAG}")" ]; then
+    echo "ERROR: Tag '${NEW_TAG}' not found!" 1>&2
+    exit 1
+  fi
+fi
+
+CHANGE_LOG_YAML=$(mktemp)
+echo "[]" > "${CHANGE_LOG_YAML}"
+
+function map_type_to_kind() {
+  case "${1}" in
+    feat)
+      echo "added"
+    ;;
+    fix)
+      echo "fixed"
+    ;;
+    chore|style|test|ci|docs|refac)
+      echo "changed"
+    ;;
+    revert)
+      echo "removed"
+    ;;
+    sec)
+      echo "security"
+    ;;
+    *)
+      echo "skip"
+    ;;
+  esac
+}
+
+COMMIT_TITLES="$(git log --pretty=format:"%s" "${OLD_TAG}..${NEW_TAG}")"
+
+echo "INFO: Generate change log entries from ${OLD_TAG} until ${NEW_TAG}"
+
+while IFS= read -r line; do
+  if [[ "${line}" =~ ^([a-zA-Z]+)(\([^\)]+\))?\:\ (.+)$ ]]; then
+    TYPE="${BASH_REMATCH[1]}"
+    KIND=$(map_type_to_kind "${TYPE}")
+
+    if [ "${KIND}" == "skip" ]; then
+      continue
+    fi
+
+    DESC="${BASH_REMATCH[3]}"
+
+    echo "- ${KIND}: ${DESC}"
+
+    jq --arg kind "${KIND}" --arg description "${DESC}" '. += [ $ARGS.named ]' < "${CHANGE_LOG_YAML}" > "${CHANGE_LOG_YAML}.new"
+    mv "${CHANGE_LOG_YAML}.new" "${CHANGE_LOG_YAML}"
+
+  fi
+done <<< "${COMMIT_TITLES}"
+
+if [ -s "${CHANGE_LOG_YAML}" ]; then
+  yq --inplace --input-format json --output-format yml "${CHANGE_LOG_YAML}"
+  yq --no-colors --inplace ".annotations.\"artifacthub.io/changes\" |= loadstr(\"${CHANGE_LOG_YAML}\") | sort_keys(.)" "${CHART_FILE}"
+else
+  echo "ERROR: Changelog file is empty: ${CHANGE_LOG_YAML}" 1>&2
+  exit 1
+fi
+
+rm "${CHANGE_LOG_YAML}"

.gitea/scripts/update-changelog.sh

@@ -0,0 +1,86 @@
+#!/bin/bash
+
+DEFAULT_GITEA_SERVER_URL="${GITHUB_SERVER_URL:-"https://gitea.com"}"
+DEFAULT_GITEA_REPOSITORY="${GITHUB_REPOSITORY:-"gitea/helm-gitea"}"
+DEFAULT_GITEA_TOKEN="${ISSUE_RW_TOKEN:-""}"
+
+if [ -z "${1}" ]; then
+  read -p "Enter hostname of the Gitea instance [${DEFAULT_GITEA_SERVER_URL}]: " CURRENT_GITEA_SERVER_URL
+  if [ -z "${CURRENT_GITEA_SERVER_URL}" ]; then
+    CURRENT_GITEA_SERVER_URL="${DEFAULT_GITEA_SERVER_URL}"
+  fi
+else
+  CURRENT_GITEA_SERVER_URL=$1
+fi
+
+if [ -z "${2}" ]; then
+  read -p "Enter name of the git repository [${DEFAULT_GITEA_REPOSITORY}]: " CURRENT_GITEA_REPOSITORY
+  if [ -z "${CURRENT_GITEA_REPOSITORY}" ]; then
+    CURRENT_GITEA_REPOSITORY="${DEFAULT_GITEA_REPOSITORY}"
+  fi
+else
+  CURRENT_GITEA_REPOSITORY=$2
+fi
+
+if [ -z "${3}" ]; then
+  read -p "Enter token to access the Gitea instance [${DEFAULT_GITEA_TOKEN}]: " CURRENT_GITEA_TOKEN
+  if [ -z "${CURRENT_GITEA_TOKEN}" ]; then
+    CURRENT_GITEA_TOKEN="${DEFAULT_GITEA_TOKEN}"
+  fi
+else
+  CURRENT_GITEA_TOKEN=$3
+fi
+
+if ! git sv rn -o /tmp/changelog.md; then
+  echo "ERROR: Failed to generate /tmp/changelog.md" 1>&2
+  exit 1
+fi
+
+CURL_ARGS=(
+  "--data-urlencode" "q=Changelog for upcoming version"
+  # "--data-urlencode=\"q=Changelog for upcoming version\""
+  "--data-urlencode" "state=open"
+  "--fail"
+  "--header" "Accept: application/json"
+  "--header" "Authorization: token ${CURRENT_GITEA_TOKEN}"
+  "--request" "GET"
+  "--silent"
+)
+
+if ! ISSUE_NUMBER="$(curl "${CURL_ARGS[@]}" "${CURRENT_GITEA_SERVER_URL}/api/v1/repos/${CURRENT_GITEA_REPOSITORY}/issues" | jq '.[].number')"; then
+  echo "ERROR: Failed query issue number" 1>&2
+  exit 1
+fi
+export ISSUE_NUMBER
+
+if ! echo "" | jq --raw-input --slurp --arg title "Changelog for upcoming version" --arg body "$(cat /tmp/changelog.md)" '{title: $title, body: $body}' 1> /tmp/payload.json; then
+  echo "ERROR: Failed to create JSON payload file" 1>&2
+  exit 1
+fi
+
+CURL_ARGS=(
+  "--data" "@/tmp/payload.json"
+  "--fail"
+  "--header" "Authorization: token ${CURRENT_GITEA_TOKEN}"
+  "--header" "Content-Type: application/json"
+  "--location"
+  "--silent"
+  "--output" "/dev/null"
+)
+
+if [ -z "${ISSUE_NUMBER}" ]; then
+  if ! curl "${CURL_ARGS[@]}" --request POST "${CURRENT_GITEA_SERVER_URL}/api/v1/repos/${CURRENT_GITEA_REPOSITORY}/issues"; then
+    echo "ERROR: Failed to create new issue!" 1>&2
+    exit 1
+  else
+    echo "INFO: Successfully created new issue!"
+  fi
+else
+  if ! curl "${CURL_ARGS[@]}" --request PATCH "${CURRENT_GITEA_SERVER_URL}/api/v1/repos/${CURRENT_GITEA_REPOSITORY}/issues/${ISSUE_NUMBER}"; then
+    echo "ERROR: Failed to update issue with ID ${ISSUE_NUMBER}!" 1>&2
+    exit 1
+  else
+    echo "INFO: Successfully updated existing issue with ID ${ISSUE_NUMBER}!"
+    echo "INFO: ${CURRENT_GITEA_SERVER_URL}/${CURRENT_GITEA_REPOSITORY}/issues/${ISSUE_NUMBER}"
+  fi
+fi

.gitea/workflows/changelog.yml

@@ -1,32 +0,0 @@
-name: changelog
-
-on:
-  push:
-    branches:
-      - main
-
-jobs:
-  changelog:
-    runs-on: ubuntu-latest
-    container: docker.io/thegeeklab/git-sv:2.0.1
-    steps:
-      - name: install tools
-        run: |
-          apk add -q --update --no-cache nodejs curl jq sed
-      - uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
-      - name: Generate upcoming changelog
-        run: |
-          git sv rn -o changelog.md
-          export RELEASE_NOTES=$(cat changelog.md)
-          export ISSUE_NUMBER=$(curl -s "https://gitea.com/api/v1/repos/gitea/helm-gitea/issues?state=open&q=Changelog%20for%20upcoming%20version" | jq '.[].number')
-
-          echo $RELEASE_NOTES
-          JSON_DATA=$(echo "" | jq -Rs --arg title 'Changelog for upcoming version' --arg body "$(cat changelog.md)" '{title: $title, body: $body}')
-
-          if [ -z "$ISSUE_NUMBER" ]; then
-            curl -s -X POST "https://gitea.com/api/v1/repos/gitea/helm-gitea/issues" -H "Authorization: token ${{ secrets.ISSUE_RW_TOKEN }}" -H "Content-Type: application/json" -d "$JSON_DATA"
-          else
-            curl -s -X PATCH "https://gitea.com/api/v1/repos/gitea/helm-gitea/issues/$ISSUE_NUMBER" -H "Authorization: token ${{ secrets.ISSUE_RW_TOKEN }}" -H "Content-Type: application/json" -d "$JSON_DATA"
-          fi

.gitea/workflows/commitlint.yml

@@ -1,19 +1,17 @@
-name: commitlint
+name: Rum commitlint
 
 on:
   pull_request:
-    branches:
-      - "*"
-    types:
-      - opened
-      - edited
+    branches: [ '**' ]
+    types: [ "opened", "edited" ]
 
 jobs:
   check-and-test:
+    container: docker.io/commitlint/commitlint:19.9.1
+    name: Execute commitlint
     runs-on: ubuntu-latest
-    container: commitlint/commitlint:19.8.1
     steps:
-      - uses: actions/checkout@v4
-      - name: check PR title
+      - uses: actions/checkout@v5.0.0
+      - name: Check PR title
         run: |
           echo "${{ gitea.event.pull_request.title }}" | commitlint --config .commitlintrc.json

.gitea/workflows/helm.yml

@@ -0,0 +1,75 @@
+name: Run Helm tests
+
+on:
+  pull_request:
+    branches: [ '**' ]
+  push:
+    branches: [ '**' ]
+    tags-ignore: [ '**' ]
+  workflow_call: {}
+
+env:
+  # renovate: datasource=github-releases depName=helm-unittest/helm-unittest
+  HELM_UNITTEST_VERSION: "v1.0.1"
+
+jobs:
+  helm-lint:
+    container: docker.io/alpine/helm:3.18.6
+    name: Execute helm lint
+    runs-on: ubuntu-latest
+    steps:
+      - name: Install additional tools
+        run: |
+          apk update
+          apk add --update bash make nodejs
+      - uses: actions/checkout@v5.0.0
+      - name: Install helm chart dependencies
+        run: helm dependency build
+      - name: Execute helm lint
+        run: helm lint
+
+  helm-template:
+    container: docker.io/alpine/helm:3.18.6
+    name: Execute helm template
+    runs-on: ubuntu-latest
+    steps:
+      - name: Install additional tools
+        run: |
+          apk update
+          apk add --update bash make nodejs
+      - uses: actions/checkout@v5.0.0
+      - name: Install helm chart dependencies
+        run: helm dependency build
+      - name: Execute helm template
+        run: helm template --debug gitea-helm .
+
+  helm-unittest:
+    container: docker.io/alpine/helm:3.18.6
+    name: Execute helm unittest
+    runs-on: ubuntu-latest
+    steps:
+      - name: Install additional tools
+        run: |
+          apk update
+          apk add --update bash make nodejs npm yamllint ncurses
+      - uses: actions/checkout@v5.0.0
+      - name: Install helm chart dependencies
+        run: helm dependency build
+      - name: Install helm plugin 'unittest'
+        run: |
+          helm plugin install --version ${{ env.HELM_UNITTEST_VERSION }} https://github.com/helm-unittest/helm-unittest
+          git submodule update --init --recursive
+      - name: Execute helm unittest
+        env:
+          TERM: xterm
+        run: make unittests
+
+
+
+
+      # - name: verify readme
+      #   run: |
+      #     make readme
+      #     git diff --exit-code --name-only README.md
+      # - name: yaml lint
+      #   uses: https://github.com/ibiqlik/action-yamllint@v3

.gitea/workflows/markdown-linters.yml

@@ -0,0 +1,52 @@
+name: Markdown linter
+
+on:
+  pull_request:
+    types: [ "opened", "reopened", "synchronize" ]
+  push:
+    branches: [ '**' ]
+    tags-ignore: [ '**' ]
+  workflow_dispatch: {}
+
+jobs:
+  readme-link:
+    container:
+      image: docker.io/library/node:24.9.0-alpine
+    name: Execute npm run readme:link
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v5.0.0
+    - name: Execute npm run readme:link
+      run: |
+        npm install
+        npm run readme:link
+
+  readme-lint:
+    container:
+      image: docker.io/library/node:24.9.0-alpine
+    name: Execute npm run readme:lint
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v5.0.0
+    - name: Execute npm run readme:lint
+      run: |
+        npm install
+        npm run readme:lint
+
+  readme-parameters:
+    container:
+      image: docker.io/library/node:24.9.0-alpine
+    name: Execute npm run readme:parameters
+    runs-on: ubuntu-latest
+    steps:
+    - name: Install tooling
+      run: |
+        apk update
+        apk add git
+    - uses: actions/checkout@v5.0.0
+    - name: Execute npm run readme:parameters
+      run: |
+        npm install
+        npm run readme:parameters
+    - name: Compare diff
+      run: git diff --exit-code --name-only README.md

.gitea/workflows/release-version.yml

@@ -2,82 +2,108 @@ name: generate-chart
 
 on:
   push:
-    tags:
-      - "*"
-
-env:
-  # renovate: datasource=docker depName=alpine/helm
-  HELM_VERSION: "3.17.3"
+    tags: [ '**' ]
 
 jobs:
-  # generate-chart-publish:
-  #   runs-on: ubuntu-latest
-  #   steps:
-  #     - uses: actions/checkout@v4
-  #     - name: install tools
-  #       run: |
-  #         apt update -y
-  #         apt install -y curl ca-certificates curl gnupg
-  #         # helm
-  #         curl -O https://get.helm.sh/helm-v${{ env.HELM_VERSION }}-linux-amd64.tar.gz
-  #         tar -xzf helm-v${{ env.HELM_VERSION }}-linux-amd64.tar.gz
-  #         mv linux-amd64/helm /usr/local/bin/
-  #         rm -rf linux-amd64 helm-v${{ env.HELM_VERSION }}-linux-amd64.tar.gz
-  #         helm version
-  #         # docker
-  #         install -m 0755 -d /etc/apt/keyrings
-  #         curl -fsSL https://download.docker.com/linux/ubuntu/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg
-  #         chmod a+r /etc/apt/keyrings/docker.gpg
-  #         echo "deb [arch="$(dpkg --print-architecture)" signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu "$(. /etc/os-release && echo "$VERSION_CODENAME")" stable" | tee /etc/apt/sources.list.d/docker.list > /dev/null
-  #         apt update -y
-  #         apt install -y python3 python3-pip apt-transport-https docker-ce-cli
-  #         pip install awscli --break-system-packages
+  generate-chart-publish:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v5.0.0
+        with:
+          fetch-depth: 0
 
-  #     - name: Import GPG key
-  #       id: import_gpg
-  #       uses: https://github.com/crazy-max/ghaction-import-gpg@v6
-  #       with:
-  #         gpg_private_key: ${{ secrets.GPGSIGN_KEY }}
-  #         passphrase: ${{ secrets.GPGSIGN_PASSPHRASE }}
-  #         fingerprint: CC64B1DB67ABBEECAB24B6455FC346329753F4B0
+      - name: Install packages via apt
+        run: |
+          apt update --yes
+          apt install --yes curl ca-certificates curl gnupg jq
 
-  #     # Using helm gpg plugin as 'helm package --sign' has issues with gpg2: https://github.com/helm/helm/issues/2843
-  #     - name: package chart
-  #       run: |
-  #         echo ${{ secrets.DOCKER_CHARTS_PASSWORD }} | docker login -u ${{ secrets.DOCKER_CHARTS_USERNAME }} --password-stdin
-  #         # FIXME: use upstream after https://github.com/technosophos/helm-gpg/issues/1 is solved
-  #         helm plugin install https://github.com/pat-s/helm-gpg
-  #         helm dependency build
-  #         helm package --version "${GITHUB_REF#refs/tags/v}" ./
-  #         mkdir gitea
-  #         mv gitea*.tgz gitea/
-  #         curl -s -L -o gitea/index.yaml https://dl.gitea.com/charts/index.yaml
-  #         helm repo index gitea/ --url https://dl.gitea.com/charts --merge gitea/index.yaml
-  #         # push to dockerhub
-  #         echo ${{ secrets.DOCKER_CHARTS_PASSWORD }} | helm registry login -u ${{ secrets.DOCKER_CHARTS_USERNAME }} registry-1.docker.io --password-stdin
-  #         helm push gitea/gitea-${GITHUB_REF#refs/tags/v}.tgz oci://registry-1.docker.io/giteacharts
-  #         helm registry logout registry-1.docker.io
+      - name: Install helm
+        env:
+          # renovate: datasource=docker depName=alpine/helm
+          HELM_VERSION: "3.18.6"
+        run: |
+          curl --fail --location --output /dev/stdout --silent --show-error https://get.helm.sh/helm-v${HELM_VERSION}-linux-$(dpkg --print-architecture).tar.gz | tar --extract --gzip --file /dev/stdin
+          mv linux-$(dpkg --print-architecture)/helm /usr/local/bin/
+          rm --force --recursive linux-$(dpkg --print-architecture) helm-v${HELM_VERSION}-linux-$(dpkg --print-architecture).tar.gz
+          helm version
 
-  #     - name: aws credential configure
-  #       uses: https://github.com/aws-actions/configure-aws-credentials@v4
-  #       with:
-  #         aws-access-key-id: ${{ secrets.AWS_KEY_ID }}
-  #         aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-  #         aws-region: ${{ secrets.AWS_REGION }}
+      - name: Install yq
+        env:
+          YQ_VERSION: v4.45.4 # renovate: datasource=github-releases depName=mikefarah/yq
+        run: |
+          curl --fail --location --output /dev/stdout --silent --show-error https://github.com/mikefarah/yq/releases/download/${YQ_VERSION}/yq_linux_$(dpkg --print-architecture).tar.gz | tar --extract --gzip --file /dev/stdin
+          mv yq_linux_$(dpkg --print-architecture) /usr/local/bin
+          rm --force --recursive yq_linux_$(dpkg --print-architecture) yq_linux_$(dpkg --print-architecture).tar.gz
+          yq --version
 
-  #     - name: Copy files to S3 and clear cache
-  #       run: |
-  #         aws s3 sync gitea/ s3://${{ secrets.AWS_S3_BUCKET}}/charts/
+      - name: Install docker-ce via apt
+        run: |
+          install -m 0755 -d /etc/apt/keyrings
+          curl --fail --location --silent --show-error https://download.docker.com/linux/ubuntu/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg
+          chmod a+r /etc/apt/keyrings/docker.gpg
+          echo "deb [arch="$(dpkg --print-architecture)" signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu "$(. /etc/os-release && echo "$VERSION_CODENAME")" stable" | tee /etc/apt/sources.list.d/docker.list > /dev/null
+          apt update --yes
+          apt install --yes python3 python3-pip apt-transport-https docker-ce-cli
+
+      - name: Install awscli
+        run: |
+          pip install awscli --break-system-packages
+          aws --version
+
+      - name: Import GPG key
+        id: import_gpg
+        uses: https://github.com/crazy-max/ghaction-import-gpg@v6
+        with:
+          gpg_private_key: ${{ secrets.GPGSIGN_KEY }}
+          passphrase: ${{ secrets.GPGSIGN_PASSPHRASE }}
+          fingerprint: CC64B1DB67ABBEECAB24B6455FC346329753F4B0
+
+      - name: Add Artifacthub.io annotations
+        run: |
+          NEW_TAG="$(git tag --sort=-version:refname | head --lines 1)"
+          OLD_TAG="$(git tag --sort=-version:refname | head --lines 2 | tail --lines 1)"
+          .gitea/scripts/add-annotations.sh "${OLD_TAG}" "${NEW_TAG}"
+
+      - name: Print Chart.yaml on stdout
+        run: cat Chart.yaml
+
+      # Using helm gpg plugin as 'helm package --sign' has issues with gpg2: https://github.com/helm/helm/issues/2843
+      - name: Package Helm chart
+        run: |
+          echo ${{ secrets.DOCKER_CHARTS_PASSWORD }} | docker login -u ${{ secrets.DOCKER_CHARTS_USERNAME }} --password-stdin
+          # FIXME: use upstream after https://github.com/technosophos/helm-gpg/issues/1 is solved
+          helm plugin install https://github.com/pat-s/helm-gpg
+          helm dependency build
+          helm package --version "${GITHUB_REF#refs/tags/v}" ./
+          mkdir gitea
+          mv gitea*.tgz gitea/
+          curl --fail --location --output gitea/index.yaml --silent --show-error https://dl.gitea.com/charts/index.yaml
+          helm repo index gitea/ --url https://dl.gitea.com/charts --merge gitea/index.yaml
+          # push to dockerhub
+          echo ${{ secrets.DOCKER_CHARTS_PASSWORD }} | helm registry login -u ${{ secrets.DOCKER_CHARTS_USERNAME }} registry-1.docker.io --password-stdin
+          helm push gitea/gitea-${GITHUB_REF#refs/tags/v}.tgz oci://registry-1.docker.io/giteacharts
+          helm registry logout registry-1.docker.io
+
+      - name: Configure AWS credentials
+        uses: https://github.com/aws-actions/configure-aws-credentials@v5
+        with:
+          aws-access-key-id: ${{ secrets.AWS_KEY_ID }}
+          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          aws-region: ${{ secrets.AWS_REGION }}
+
+      - name: Copy files to S3 and clear cache
+        run: |
+          aws s3 sync gitea/ s3://${{ secrets.AWS_S3_BUCKET}}/charts/
 
   release-gitea:
-    # needs: generate-chart-publish
+    container: docker.io/thegeeklab/git-sv:2.0.5
+    needs: generate-chart-publish
     runs-on: ubuntu-latest
-    container: docker.io/thegeeklab/git-sv:2.0.1
     steps:
-      - name: install tools
+      - name: Install packages via apt
         run: |
           apk add -q --update --no-cache nodejs
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5.0.0
         with:
           fetch-tags: true
           fetch-depth: 0

.gitea/workflows/test-pr.yml

@@ -1,45 +0,0 @@
-name: check-and-test
-
-on:
-  pull_request:
-    branches:
-      - "*"
-  push:
-    branches:
-      - main
-
-env:
-  # renovate: datasource=github-releases depName=helm-unittest/helm-unittest
-  HELM_UNITTEST_VERSION: "v0.8.2"
-
-jobs:
-  check-and-test:
-    runs-on: ubuntu-latest
-    container: alpine/helm:3.17.3
-    steps:
-      - name: install tools
-        run: |
-          apk update
-          apk add --update bash make nodejs npm yamllint ncurses
-      - uses: actions/checkout@v4
-      - name: install chart dependencies
-        run: helm dependency build
-      - name: lint
-        run: helm lint
-      - name: template
-        run: helm template --debug gitea-helm .
-      - name: prepare unit test environment
-        run: |
-          helm plugin install --version ${{ env.HELM_UNITTEST_VERSION }} https://github.com/helm-unittest/helm-unittest
-          git submodule update --init --recursive
-      - name: unit tests
-        env:
-          TERM: xterm
-        run: |
-          make unittests
-      - name: verify readme
-        run: |
-          make readme
-          git diff --exit-code --name-only README.md
-      - name: yaml lint
-        uses: https://github.com/ibiqlik/action-yamllint@v3

.gitea/workflows/update-changelog.yml

@@ -0,0 +1,29 @@
+name: Update changelog
+
+on:
+  push:
+    branches: [ "main" ]
+  workflow_dispatch: {}
+
+jobs:
+  changelog:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Install packages via apt-get
+        run: |
+          apt-get update &&
+          apt-get install --yes curl jq
+      - uses: actions/checkout@v5.0.0
+        with:
+          fetch-depth: 0
+      - name: Install git-sv
+        env:
+          GIT_SV_VERSION: v2.0.4 # renovate: datasource=github-releases depName=thegeeklab/git-sv
+        run: |
+          curl --fail --location --output /usr/local/bin/git-sv --silent --show-error https://github.com/thegeeklab/git-sv/releases/download/${GIT_SV_VERSION}/git-sv-linux-$(dpkg --print-architecture)
+          chmod +x /usr/local/bin/git-sv
+          git-sv --version
+      - name: Update changelog issue
+        env:
+          ISSUE_RW_TOKEN: ${{ secrets.ISSUE_RW_TOKEN }}
+        run: .gitea/scripts/update-changelog.sh

.markdownlink.json

@@ -0,0 +1,8 @@
+{
+  "projectBaseUrl":"${workspaceFolder}",
+  "ignorePatterns": [
+    {
+      "pattern": "^http://localhost"
+    }
+  ]
+}

.vscode/settings.json

@@ -1,6 +1,6 @@
 {
     "yaml.schemas": {
-        "https://raw.githubusercontent.com/helm-unittest/helm-unittest/v0.8.2/schema/helm-testsuite.json": [
+        "https://raw.githubusercontent.com/helm-unittest/helm-unittest/v1.0.1/schema/helm-testsuite.json": [
             "/unittests/**/*.yaml"
         ]
     },

CODEOWNERS

@@ -1 +1 @@
-charts/* @justusbunsi @pat-s
+* @rossigee @volker.raschek @ChristopherHX

CONTRIBUTING.md

@@ -44,8 +44,7 @@ be used:
    `helm install --dependency-update gitea . -f values.yaml`.
 1. Gitea is now deployed in `minikube`.
    To access it, it's port needs to be forwarded first from `minikube` to localhost first via `kubectl --namespace
-default port-forward svc/gitea-http 3000:3000`.
-   Now Gitea is accessible at [http://localhost:3000](http://localhost:3000).
+default port-forward svc/gitea-http 3000:3000`. Now Gitea is accessible at [http://localhost:3000](http://localhost:3000).
 
 ### Unit tests
 

Chart.lock

@@ -1,15 +1,15 @@
 dependencies:
 - name: postgresql
   repository: oci://registry-1.docker.io/bitnamicharts
-  version: 16.7.2
+  version: 16.7.27
 - name: postgresql-ha
   repository: oci://registry-1.docker.io/bitnamicharts
-  version: 16.0.3
+  version: 16.3.2
 - name: valkey-cluster
   repository: oci://registry-1.docker.io/bitnamicharts
-  version: 3.0.5
+  version: 3.0.24
 - name: valkey
   repository: oci://registry-1.docker.io/bitnamicharts
-  version: 3.0.4
-digest: sha256:9f184e842e4e04f7a1a3791ed92ab2ce085c4cf8f9dc9ce9a70b45b8af4c3c3c
-generated: "2025-05-10T03:23:40.55670864Z"
+  version: 3.0.31
+digest: sha256:ceb6a1890cfdc2627abb85d3e2a4baa64d30afd21dcfabce978a824a67f0a2bb
+generated: "2025-08-30T00:03:04.59764502Z"

Chart.yaml

@@ -4,7 +4,7 @@ description: Gitea Helm chart for Kubernetes
 type: application
 version: 0.0.0
 # renovate datasource=github-releases depName=go-gitea/gitea extractVersion=^v(?<version>.*)$
-appVersion: 1.23.8
+appVersion: 1.24.6
 icon: https://gitea.com/assets/img/logo.svg
 
 keywords:
@@ -19,37 +19,40 @@ sources:
   - https://github.com/go-gitea/gitea
   - https://docker.gitea.com/gitea
 maintainers:
-  - name: Charlie Drage
-    email: charlie@charliedrage.com
-  - name: Gitea Authors
-    email: maintainers@gitea.io
-  - name: Konrad Lother
-    email: konrad.lother@novum-rgi.de
-  - name: Lucas Hahn
-    email: lucas.hahn@novum-rgi.de
-  - name: Steven Kriegler
-    email: sk.bunsenbrenner@gmail.com
-  - name: Patrick Schratz
-    email: patrick.schratz@gmail.com
+  # https://gitea.com/rossigee
+  - name: Ross Golder
+    email: ross@golder.org
+
+  # https://gitea.com/volker.raschek
+  - name: Markus Pesch
+    email: markus.pesch+apps@cryptic.systems
+
+  # https://gitea.com/DaanSelen
+  - name: Daan Selen
+    email: dselen@nerthus.nl
+
+  # https://gitea.com/ChristopherHX
+  - name: Christopher Homberger
+    email: christopher.homberger@web.de
 
 dependencies:
   # https://github.com/bitnami/charts/blob/main/bitnami/postgresql
   - name: postgresql
     repository: oci://registry-1.docker.io/bitnamicharts
-    version: 16.7.2
+    version: 16.7.27
     condition: postgresql.enabled
   # https://github.com/bitnami/charts/blob/main/bitnami/postgresql-ha/Chart.yaml
   - name: postgresql-ha
     repository: oci://registry-1.docker.io/bitnamicharts
-    version: 16.0.3
+    version: 16.3.2
     condition: postgresql-ha.enabled
   # https://github.com/bitnami/charts/blob/main/bitnami/valkey-cluster/Chart.yaml
   - name: valkey-cluster
     repository: oci://registry-1.docker.io/bitnamicharts
-    version: 3.0.5
+    version: 3.0.24
     condition: valkey-cluster.enabled
   # https://github.com/bitnami/charts/blob/main/bitnami/valkey/Chart.yaml
   - name: valkey
     repository: oci://registry-1.docker.io/bitnamicharts
-    version: 3.0.4
+    version: 3.0.31
     condition: valkey.enabled

README.md

@@ -17,7 +17,7 @@
     - [Rootless Defaults](#rootless-defaults)
     - [Session, Cache and Queue](#session-cache-and-queue)
   - [Single-Pod Configurations](#single-pod-configurations)
-  - [Additional _app.ini_ settings](#additional-appini-settings)
+  - [Additional app.ini settings](#additional-appini-settings)
     - [User defined environment variables in app.ini](#user-defined-environment-variables-in-appini)
   - [External Database](#external-database)
   - [Ports and external url](#ports-and-external-url)
@@ -33,6 +33,7 @@
 - [Metrics and profiling](#metrics-and-profiling)
   - [Secure Metrics Endpoint](#secure-metrics-endpoint)
 - [Pod annotations](#pod-annotations)
+- [TLS certificate rotation](#tls-certificate-rotation)
 - [Themes](#themes)
 - [Renovate](#renovate)
 - [Parameters](#parameters)
@@ -71,7 +72,7 @@ Additionally, this chart allows to provide LDAP and admin user configuration wit
 ## Update and versioning policy
 
 The Gitea helm chart versioning does not follow Gitea's versioning.
-The latest chart version can be looked up in [https://dl.gitea.com/charts](https://dl.gitea.com/charts) or in the [repository releases](https://gitea.com/gitea/helm-gitea/releases).
+The latest chart version can be looked up in [https://dl.gitea.com/charts/](https://dl.gitea.com/charts/) or in the [repository releases](https://gitea.com/gitea/helm-gitea/releases).
 
 The chart aims to follow Gitea's releases closely.
 There might be times when the chart is behind the latest Gitea release.
@@ -101,8 +102,8 @@ These dependencies are enabled by default:
 
 Alternatively, the following non-HA replacements are available:
 
-- PostgreSQL ([Bitnami PostgreSQL](<Postgresql](https://github.com/bitnami/charts/blob/main/bitnami/postgresql/Chart.yaml)>))
-- Valkey ([Bitnami Valkey](<Valkey](https://github.com/bitnami/charts/blob/main/bitnami/valkey/Chart.yaml)>))
+- PostgreSQL ([Bitnami PostgreSQL](https://github.com/bitnami/charts/blob/main/bitnami/postgresql/Chart.yaml))
+- Valkey ([Bitnami Valkey](https://github.com/bitnami/charts/blob/main/bitnami/valkey/Chart.yaml))
 
 ### Dependency Versioning
 
@@ -166,7 +167,7 @@ available. As this is a Golang application, this can be implemented using `GOMAX
 of defining `GOMAXPROCS` automatically based on the defined CPU limit like `1000m`. Please keep in mind, that the CFS
 rate of `100ms` - default on each kubernetes node, is also very important to avoid CPU throttling.
 
-Further information about this topic can be found [here](https://kanishk.io/posts/cpu-throttling-in-containerized-go-apps/).
+Further information about this topic can be found [under this link](https://kanishk.io/posts/cpu-throttling-in-containerized-go-apps/).
 
 > [!NOTE]
 > The environment variable `GOMAXPROCS` is set automatically, when a CPU limit is defined. An explicit configuration is
@@ -265,7 +266,7 @@ If `.Values.image.rootless: true`, then the following will occur. In case you us
 
 - `$HOME` becomes `/data/gitea/git`
 
-  [see deployment.yaml](./templates/gitea/deployment.yaml) template inside (init-)container "env" declarations
+  [see deployment.yaml](./templates/deployment.yaml) template inside (init-)container "env" declarations
 
 - `START_SSH_SERVER: true` (Unless explicity overwritten by `gitea.config.server.START_SSH_SERVER`)
 
@@ -277,7 +278,7 @@ If `.Values.image.rootless: true`, then the following will occur. In case you us
 
 - `SSH_LOG_LEVEL` environment variable is not injected into the container
 
-  [see deployment.yaml](./templates/gitea/deployment.yaml) template inside container "env" declarations
+  [see deployment.yaml](./templates/deployment.yaml) template inside container "env" declarations
 
 #### Session, Cache and Queue
 
@@ -359,7 +360,7 @@ If HA is not needed/desired, the following configurations can be used to deploy
 
    </details>
 
-### Additional _app.ini_ settings
+### Additional app.ini settings
 
 > **The [generic](https://docs.gitea.com/administration/config-cheat-sheet#overall-default)
 > section cannot be defined that way.**
@@ -533,7 +534,7 @@ and the repository exists.
 ```
 
 To solve this problem add the capability `SYS_CHROOT` to the `securityContext`.
-More about this issue [here](https://gitea.com/gitea/helm-gitea/issues/161).
+More about this issue [under this link](https://gitea.com/gitea/helm-gitea/issues/161).
 
 ### Cache
 
@@ -693,7 +694,7 @@ Affected options:
 
 Like the admin user, OAuth2 settings can be updated and disabled but not deleted.
 Deleting OAuth2 settings has to be done in the ui.
-All OAuth2 values, which are documented [here](https://docs.gitea.com/administration/command-line#admin), are
+All OAuth2 values, which are documented [under this link](https://docs.gitea.com/administration/command-line#admin), are
 available.
 
 Multiple OAuth2 sources can be configured with additional OAuth list items.
@@ -816,6 +817,31 @@ gitea:
   podAnnotations: {}
 ```
 
+## TLS certificate rotation
+
+If Gitea uses TLS certificates that are mounted as a secret in the container file system, Gitea will not automatically apply them when the TLS certificates are rotated.
+Such a rotation can be for example triggered, when the cert-manager issues new TLS certificates before expiring. Further information is described as GitHub
+[issue](https://github.com/go-gitea/gitea/issues/27962).
+
+Until the issue is present, a workaround can be applied.
+For example stakater's [reloader](https://github.com/stakater/Reloader) controller can be used to trigger a rolling update.
+The following annotation must be added to instruct the reloader controller to trigger a rolling update, when the mounted `configMaps` and `secrets` have been changed.
+
+```yaml
+deployment:
+  annotations:
+    reloader.stakater.com/auto: "true"
+```
+
+Instead of triggering a rolling update for configMap and secret resources, this action can also be defined for individual items.
+For example, when the secret named `gitea-tls` is mounted and the reloader controller should only listen for changes of this secret:
+
+```yaml
+deployment:
+  annotations:
+    secret.reloader.stakater.com/reload: "gitea-tls"
+```
+
 ## Themes
 
 Custom themes can be added via k8s secrets and referencing them in `values.yaml`.
@@ -1044,6 +1070,8 @@ To comply with the Gitea helm chart definition of the digest parameter, a "custo
 | `persistence.subPath`                             | Subdirectory of the volume to mount at                                                                | `nil`                  |
 | `persistence.volumeName`                          | Name of persistent volume in PVC                                                                      | `""`                   |
 | `extraContainers`                                 | Additional sidecar containers to run in the pod                                                       | `[]`                   |
+| `preExtraInitContainers`                          | Additional init containers to run in the pod before Gitea runs it owns init containers.               | `[]`                   |
+| `postExtraInitContainers`                         | Additional init containers to run in the pod after Gitea runs it owns init containers.                | `[]`                   |
 | `extraVolumes`                                    | Additional volumes to mount to the Gitea deployment                                                   | `[]`                   |
 | `extraContainerVolumeMounts`                      | Mounts that are only mapped into the Gitea runtime/main container, to e.g. override custom templates. | `[]`                   |
 | `extraInitVolumeMounts`                           | Mounts that are only mapped into the init-containers. Can be used for additional preconfiguration.    | `[]`                   |
@@ -1130,6 +1158,17 @@ To comply with the Gitea helm chart definition of the digest parameter, a "custo
 | `gitea.startupProbe.successThreshold`    | Success threshold for startup probe             | `1`     |
 | `gitea.startupProbe.failureThreshold`    | Failure threshold for startup probe             | `10`    |
 
+### Network Policy
+
+| Name                        | Description                                                               | Value   |
+| --------------------------- | ------------------------------------------------------------------------- | ------- |
+| `networkPolicy.enabled`     | Enable network policies in general.                                       | `false` |
+| `networkPolicy.annotations` | Additional network policy annotations.                                    | `{}`    |
+| `networkPolicy.labels`      | Additional network policy labels.                                         | `{}`    |
+| `networkPolicy.policyTypes` | List of policy types. Supported is ingress, egress or ingress and egress. | `[]`    |
+| `networkPolicy.egress`      | Concrete egress network policy implementation.                            | `[]`    |
+| `networkPolicy.ingress`     | Concrete ingress network policy implementation.                           | `[]`    |
+
 ### valkey-cluster
 
 Valkey cluster and [Valkey](#valkey) cannot be enabled at the same time.
@@ -1167,6 +1206,7 @@ Valkey and [Valkey cluster](#valkey-cluster) cannot be enabled at the same time.
 | `postgresql-ha.postgresql.repmgrPassword`   | Repmgr Password                                                  | `changeme2` |
 | `postgresql-ha.postgresql.postgresPassword` | postgres Password                                                | `changeme1` |
 | `postgresql-ha.pgpool.adminPassword`        | pgpool adminPassword                                             | `changeme3` |
+| `postgresql-ha.pgpool.srCheckPassword`      | pgpool srCheckPassword                                           | `changeme4` |
 | `postgresql-ha.service.ports.postgresql`    | PostgreSQL service port (overrides `service.ports.postgresql`)   | `5432`      |
 | `postgresql-ha.persistence.size`            | PVC Storage Request for PostgreSQL HA volume                     | `10Gi`      |
 
@@ -1216,7 +1256,7 @@ If you miss this, blindly upgrading may delete your Postgres instance and you ma
   To deploy and use "Actions", please see the new dedicated chart at <https://gitea.com/gitea/helm-actions>.
   It is maintained by a seperate maintainer group and hasn't seen a release yet (at the time of the 12.0 release).
   Feel encouraged to contribute if "Actions" is important to you!
-  
+
   This change was made to avoid overloading the existing helm chart, which is already quite large in size and configuration options.
   In addition, the existing maintainers team was not actively using "Actions" which slowed down development and community contributions.
   While the new chart is still young (and waiting for contributions! and maintainers), we believe that it is the best way moving forward for both parts.

package.json

@@ -9,11 +9,13 @@
     "npm": ">=8.0.0"
   },
   "scripts": {
+    "readme:link": "markdown-link-check --config .markdownlink.json *.md",
     "readme:lint": "markdownlint *.md -f",
     "readme:parameters": "readme-generator -v values.yaml -r README.md"
   },
   "devDependencies": {
     "@bitnami/readme-generator-for-helm": "^2.5.0",
-    "markdownlint-cli": "^0.44.0"
+    "markdown-link-check": "^3.13.6",
+    "markdownlint-cli": "^0.45.0"
   }
 }

renovate.json5

@@ -49,6 +49,14 @@
       ],
     },
   ],
+  lockFileMaintenance: {
+    "enabled": true,
+    "commitMessageAction": "update",
+    "commitMessageTopic": "lockfiles",
+    schedule: [
+      'at any time',
+    ]
+  },
   packageRules: [
     {
       groupName: 'subcharts (minor & patch)',

templates/_helpers.tpl

@@ -87,6 +87,12 @@ storageClassName: {{ $storageClass | quote }}
 {{- end }}
 {{- end -}}
 
+{{/*
+Common annotations
+*/}}
+{{- define "gitea.annotations" -}}
+{{- end }}
+
 {{/*
 Common labels
 */}}
@@ -361,16 +367,18 @@ https
   {{- if not .Values.gitea.config.server.SSH_PORT -}}
     {{- $_ := set .Values.gitea.config.server "SSH_PORT" .Values.service.ssh.port -}}
   {{- end -}}
-  {{- if not (hasKey .Values.gitea.config.server "SSH_LISTEN_PORT") -}}
-    {{- if not .Values.image.rootless -}}
-      {{- $_ := set .Values.gitea.config.server "SSH_LISTEN_PORT" .Values.gitea.config.server.SSH_PORT -}}
-    {{- else -}}
-      {{- $_ := set .Values.gitea.config.server "SSH_LISTEN_PORT" "2222" -}}
-    {{- end -}}
-  {{- end -}}
   {{- if not (hasKey .Values.gitea.config.server "START_SSH_SERVER") -}}
     {{- if .Values.image.rootless -}}
       {{- $_ := set .Values.gitea.config.server "START_SSH_SERVER" "true" -}}
+      {{- if not (hasKey .Values.gitea.config.server "SSH_LISTEN_PORT") -}}
+        {{- if not .Values.gitea.config.server.SSH_LISTEN_PORT -}}
+          {{- $_ := set .Values.gitea.config.server "SSH_LISTEN_PORT" .Values.gitea.config.server.SSH_PORT -}}
+        {{- else -}}
+          {{- $_ := set .Values.gitea.config.server "SSH_LISTEN_PORT" .Values.gitea.config.server.SSH_LISTEN_PORT -}}
+        {{- end -}}
+      {{- end -}}
+    {{- else -}}
+      {{- $_ := set .Values.gitea.config.server "START_SSH_SERVER" "false" -}}
     {{- end -}}
   {{- end -}}
   {{- if not (hasKey .Values.gitea.config.server "APP_DATA_PATH") -}}

templates/_networkPolicy.tpl

@@ -0,0 +1,19 @@
+{{/* vim: set filetype=mustache: */}}
+
+{{/* annotations */}}
+
+{{- define "gitea.networkPolicy.annotations" -}}
+{{ include "gitea.annotations" . }}
+{{- if .Values.networkPolicy.annotations }}
+{{ toYaml .Values.networkPolicy.annotations }}
+{{- end }}
+{{- end }}
+
+{{/* labels */}}
+
+{{- define "gitea.networkPolicy.labels" -}}
+{{ include "gitea.labels" . }}
+{{- if .Values.networkPolicy.labels }}
+{{ toYaml .Values.networkPolicy.labels }}
+{{- end }}
+{{- end }}

templates/_pod.tpl

@@ -0,0 +1,17 @@
+---
+
+{{/* labels */}}
+
+{{- define "gitea.pod.labels" -}}
+{{- include "gitea.labels" . }}
+{{- if .Values.deployment.labels }}
+{{ toYaml .Values.deployment.labels }}
+{{- end }}
+{{- end }}
+
+{{- define "gitea.pod.selectorLabels" -}}
+{{- include "gitea.selectorLabels" . }}
+{{- if .Values.deployment.labels }}
+{{ toYaml .Values.deployment.labels }}
+{{- end }}
+{{- end }}

templates/config.yaml

@@ -27,7 +27,7 @@ stringData:
     {{- end }}
     
     {{- /* multiple replicas assertions */ -}}
-    {{- if gt .Values.replicaCount 1.0 -}}
+    {{- if gt (.Values.replicaCount | int) 1 -}}
       {{- if .Values.gitea.config.cron -}}
         {{- if .Values.gitea.config.cron.GIT_GC_REPOS -}}
           {{- if eq .Values.gitea.config.cron.GIT_GC_REPOS.ENABLED true -}}

templates/deployment.yaml

@@ -23,14 +23,11 @@ spec:
     {{- end }}
   selector:
     matchLabels:
-      {{- include "gitea.selectorLabels" . | nindent 6 }}
-      {{- if .Values.deployment.labels }}
-      {{- toYaml .Values.deployment.labels | nindent 6 }}
-      {{- end }}
+      {{- include "gitea.pod.selectorLabels" . | nindent 6 }}
   template:
     metadata:
       annotations:
-        checksum/config: {{ include (print $.Template.BasePath "/gitea/config.yaml") . | sha256sum }}
+        checksum/config: {{ include (print $.Template.BasePath "/config.yaml") . | sha256sum }}
         {{- range $idx, $value := .Values.gitea.ldap }}
         checksum/ldap_{{ $idx }}: {{ include "gitea.ldap_settings" (list $idx $value) | sha256sum }}
         {{- end }}
@@ -41,10 +38,7 @@ spec:
         {{- toYaml . | nindent 8 }}
         {{- end }}
       labels:
-        {{- include "gitea.labels" . | nindent 8 }}
-        {{- if .Values.deployment.labels }}
-        {{- toYaml .Values.deployment.labels | nindent 8 }}
-        {{- end }}
+        {{- include "gitea.pod.labels" . | nindent 8 }}
     spec:
       {{- if .Values.schedulerName }}
       schedulerName: "{{ .Values.schedulerName }}"
@@ -59,6 +53,9 @@ spec:
       securityContext:
         {{- toYaml .Values.podSecurityContext | nindent 8 }}
       initContainers:
+        {{- if .Values.preExtraInitContainers }}
+        {{- toYaml .Values.preExtraInitContainers | nindent 8 }}
+        {{- end }}
         - name: init-directories
           image: "{{ include "gitea.image" . }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
@@ -98,7 +95,7 @@ spec:
         - name: init-app-ini
           image: "{{ include "gitea.image" . }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
-          command: 
+          command:
           - "{{ .Values.initContainersScriptsVolumeMountPath }}/config_environment.sh"
           env:
             - name: GITEA_APP_INI
@@ -143,7 +140,7 @@ spec:
         {{- if .Values.signing.enabled }}
         - name: configure-gpg
           image: "{{ include "gitea.image" . }}"
-          command: 
+          command:
           - "{{ .Values.initContainersScriptsVolumeMountPath }}/configure_gpg_environment.sh"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
           securityContext:
@@ -272,6 +269,9 @@ spec:
             {{- include "gitea.init-additional-mounts" . | nindent 12 }}
           resources:
             {{- toYaml .Values.initContainers.resources | nindent 12 }}
+        {{- if .Values.postExtraInitContainers }}
+        {{- toYaml .Values.postExtraInitContainers | nindent 8 }}
+        {{- end }}
       terminationGracePeriodSeconds: {{ .Values.deployment.terminationGracePeriodSeconds }}
       containers:
         - name: {{ .Chart.Name }}

templates/networkPolicy.yaml

@@ -0,0 +1,32 @@
+{{- if .Values.networkPolicy.enabled }}
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  {{- with (include "gitea.networkPolicy.annotations" . | fromYaml) }}
+  annotations:
+    {{- tpl (toYaml .) $ | nindent 4 }}
+  {{- end }}
+  {{- with (include "gitea.networkPolicy.labels" . | fromYaml) }}
+  labels:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  name: {{ include "gitea.fullname" . }}
+  namespace: {{ .Release.Namespace }}
+spec:
+  podSelector:
+    matchLabels:
+      {{- include "gitea.pod.selectorLabels" $ | nindent 6 }}
+  {{- with .Values.networkPolicy.policyTypes }}
+  policyTypes:
+  {{- toYaml . | nindent 2 }}
+  {{- end }}
+  {{- with .Values.networkPolicy.egress }}
+  egress:
+  {{- toYaml . | nindent 2 }}
+  {{- end }}
+  {{- with .Values.networkPolicy.ingress }}
+  ingress:
+  {{- toYaml . | nindent 2 }}
+  {{- end }}
+{{- end }}

templates/pvc.yaml

@@ -10,7 +10,7 @@ metadata:
 {{ .Values.persistence.labels | toYaml | indent 4}}
 spec:
   accessModes:
-  {{- if gt .Values.replicaCount 1.0 }}
+  {{- if gt (.Values.replicaCount | int) 1 }}
       - ReadWriteMany
   {{- else }}
     {{- .Values.persistence.accessModes | toYaml | nindent 4 }}

unittests/helm/config/actions-config.yaml

@@ -3,17 +3,17 @@ release:
   name: gitea-unittests
   namespace: testing
 templates:
-  - templates/gitea/config.yaml
+  - templates/config.yaml
 tests:
   - it: "actions are enabled by default (based on vanilla Gitea behavior)"
-    template: templates/gitea/config.yaml
+    template: templates/config.yaml
     asserts:
       - documentIndex: 0
         notExists:
           path: stringData.actions
 
   - it: "actions can be disabled via inline config"
-    template: templates/gitea/config.yaml
+    template: templates/config.yaml
     set:
       gitea.config.actions.ENABLED: false
     asserts:

unittests/helm/config/cache-config.yaml

@@ -4,7 +4,7 @@ release:
   namespace: testing
 tests:
   - it: "cache is configured correctly for valkey-cluster"
-    template: templates/gitea/config.yaml
+    template: templates/config.yaml
     set:
       valkey-cluster:
         enabled: true
@@ -19,7 +19,7 @@ tests:
             HOST=redis+cluster://:@gitea-unittests-valkey-cluster-headless.testing.svc.cluster.local:6379/0?pool_size=100&idle_timeout=180s&
 
   - it: "cache is configured correctly for valkey"
-    template: templates/gitea/config.yaml
+    template: templates/config.yaml
     set:
       valkey-cluster:
         enabled: false
@@ -34,7 +34,7 @@ tests:
             HOST=redis://:changeme@gitea-unittests-valkey-headless.testing.svc.cluster.local:6379/0?pool_size=100&idle_timeout=180s&
 
   - it: "cache is configured correctly for 'memory' when valkey (or valkey-cluster) is disabled"
-    template: templates/gitea/config.yaml
+    template: templates/config.yaml
     set:
       valkey-cluster:
         enabled: false
@@ -49,7 +49,7 @@ tests:
             HOST=
 
   - it: "cache can be customized when valkey (or valkey-cluster) is disabled"
-    template: templates/gitea/config.yaml
+    template: templates/config.yaml
     set:
       valkey-cluster:
         enabled: false

unittests/helm/config/metrics-section_metrics-token.yaml

@@ -4,7 +4,7 @@ release:
   namespace: testing
 tests:
   - it: metrics token is set
-    template: templates/gitea/config.yaml
+    template: templates/config.yaml
     set:
       gitea:
         metrics:
@@ -18,7 +18,7 @@ tests:
             ENABLED=true
             TOKEN=somepassword
   - it: metrics token is empty
-    template: templates/gitea/config.yaml
+    template: templates/config.yaml
     set:
       gitea:
         metrics:
@@ -31,7 +31,7 @@ tests:
           value: |-
             ENABLED=true
   - it: metrics token is nil
-    template: templates/gitea/config.yaml
+    template: templates/config.yaml
     set:
       gitea:
         metrics:
@@ -44,7 +44,7 @@ tests:
           value: |-
             ENABLED=true
   - it: does not configures a token if metrics are disabled
-    template: templates/gitea/config.yaml
+    template: templates/config.yaml
     set:
       gitea:
         metrics:

unittests/helm/config/queue-config.yaml

@@ -4,7 +4,7 @@ release:
   namespace: testing
 tests:
   - it: "queue is configured correctly for valkey-cluster"
-    template: templates/gitea/config.yaml
+    template: templates/config.yaml
     set:
       valkey-cluster:
         enabled: true
@@ -19,7 +19,7 @@ tests:
             TYPE=redis
 
   - it: "queue is configured correctly for valkey"
-    template: templates/gitea/config.yaml
+    template: templates/config.yaml
     set:
       valkey-cluster:
         enabled: false
@@ -34,7 +34,7 @@ tests:
             TYPE=redis
 
   - it: "queue is configured correctly for 'levelDB' when valkey (and valkey-cluster) is disabled"
-    template: templates/gitea/config.yaml
+    template: templates/config.yaml
     set:
       valkey-cluster:
         enabled: false
@@ -49,7 +49,7 @@ tests:
             TYPE=level
 
   - it: "queue can be customized when valkey (and valkey-cluster) are disabled"
-    template: templates/gitea/config.yaml
+    template: templates/config.yaml
     set:
       valkey-cluster:
         enabled: false

unittests/helm/config/server-section_domain.yaml

@@ -4,7 +4,7 @@ release:
   namespace: testing
 tests:
   - it: "[default values] uses ingress host for DOMAIN|SSH_DOMAIN|ROOT_URL"
-    template: templates/gitea/config.yaml
+    template: templates/config.yaml
     asserts:
       - documentIndex: 0
         matchRegex:
@@ -22,7 +22,7 @@ tests:
   ################################################
 
   - it: "[no ingress hosts] uses gitea http service for DOMAIN|SSH_DOMAIN|ROOT_URL"
-    template: templates/gitea/config.yaml
+    template: templates/config.yaml
     set:
       ingress:
         hosts: []
@@ -43,7 +43,7 @@ tests:
   ################################################
 
   - it: "[provided via values] uses that for DOMAIN|SSH_DOMAIN|ROOT_URL"
-    template: templates/gitea/config.yaml
+    template: templates/config.yaml
     set:
       gitea.config.server.DOMAIN: provided.example.com
       ingress:

unittests/helm/config/session-config.yaml

@@ -4,7 +4,7 @@ release:
   namespace: testing
 tests:
   - it: "session is configured correctly for valkey-cluster"
-    template: templates/gitea/config.yaml
+    template: templates/config.yaml
     set:
       valkey-cluster:
         enabled: true
@@ -19,7 +19,7 @@ tests:
             PROVIDER_CONFIG=redis+cluster://:@gitea-unittests-valkey-cluster-headless.testing.svc.cluster.local:6379/0?pool_size=100&idle_timeout=180s&
 
   - it: "session is configured correctly for valkey"
-    template: templates/gitea/config.yaml
+    template: templates/config.yaml
     set:
       valkey-cluster:
         enabled: false
@@ -34,7 +34,7 @@ tests:
             PROVIDER_CONFIG=redis://:changeme@gitea-unittests-valkey-headless.testing.svc.cluster.local:6379/0?pool_size=100&idle_timeout=180s&
 
   - it: "session is configured correctly for 'memory' when valkey (and valkey-cluster) is disabled"
-    template: templates/gitea/config.yaml
+    template: templates/config.yaml
     set:
       valkey-cluster:
         enabled: false
@@ -49,7 +49,7 @@ tests:
             PROVIDER_CONFIG=
 
   - it: "session can be customized when valkey (and valkey-cluster) is disabled"
-    template: templates/gitea/config.yaml
+    template: templates/config.yaml
     set:
       valkey-cluster:
         enabled: false

unittests/helm/dependency-checks/customization-integrity-postgresql-ha.yaml

@@ -18,6 +18,7 @@ set:
       password: custom-password-overwritten-by-global-postgresql-password
     pgpool:
       adminPassword: custom-password-pgpool
+      srCheckPassword: custom-password-sr-check
     service:
       ports:
         postgresql: 1234
@@ -75,6 +76,13 @@ tests:
         equal:
           path: data["admin-password"]
           value: "Y3VzdG9tLXBhc3N3b3JkLXBncG9vbA=="
+  - it: "[postgresql-ha] pgpool.srCheckPassword is applied as expected"
+    template: charts/postgresql-ha/templates/pgpool/secrets.yaml
+    asserts:
+      - documentIndex: 0
+        equal:
+          path: data["sr-check-password"]
+          value: "Y3VzdG9tLXBhc3N3b3JkLXNyLWNoZWNr"
   - it: "[postgresql-ha] persistence.size is applied as expected"
     template: charts/postgresql-ha/templates/postgresql/statefulset.yaml
     asserts:
@@ -98,14 +106,14 @@ tests:
           name: gitea-unittests-postgresql-ha-pgpool
           namespace: testing
   - it: "[gitea] connects to pgpool service"
-    template: templates/gitea/config.yaml
+    template: templates/config.yaml
     asserts:
       - documentIndex: 0
         matchRegex:
           path: stringData.database
           pattern: HOST=gitea-unittests-postgresql-ha-pgpool.testing.svc.cluster.local:1234
   - it: "[gitea] connects to configured database"
-    template: templates/gitea/config.yaml
+    template: templates/config.yaml
     asserts:
       - documentIndex: 0
         matchRegex:

unittests/helm/dependency-checks/customization-integrity-postgresql.yaml

@@ -65,14 +65,14 @@ tests:
           name: gitea-unittests-postgresql
           namespace: testing
   - it: "[gitea] connects to postgresql service"
-    template: templates/gitea/config.yaml
+    template: templates/config.yaml
     asserts:
       - documentIndex: 0
         matchRegex:
           path: stringData.database
           pattern: HOST=gitea-unittests-postgresql.testing.svc.cluster.local:1234
   - it: "[gitea] connects to configured database"
-    template: templates/gitea/config.yaml
+    template: templates/config.yaml
     asserts:
       - documentIndex: 0
         matchRegex:

unittests/helm/dependency-checks/customization-integrity-valkey-cluster.yaml

@@ -82,7 +82,7 @@ tests:
             port: 6379
             targetPort: tcp-redis
   - it: "[gitea] waits for valkey-cluster to be up and running"
-    template: templates/gitea/init.yaml
+    template: templates/init.yaml
     asserts:
       - documentIndex: 0
         matchRegex:

unittests/helm/dependency-checks/customization-integrity-valkey.yaml

@@ -44,7 +44,7 @@ tests:
             port: 6379
             targetPort: redis
   - it: "[gitea] waits for valkey to be up and running"
-    template: templates/gitea/init.yaml
+    template: templates/init.yaml
     asserts:
       - documentIndex: 0
         matchRegex:

unittests/helm/deployment/HA.yaml

@@ -3,11 +3,11 @@ release:
   name: gitea-unittests
   namespace: testing
 templates:
-  - templates/gitea/deployment.yaml
-  - templates/gitea/config.yaml
+  - templates/deployment.yaml
+  - templates/config.yaml
 tests:
   - it: fails with multiple replicas and "GIT_GC_REPOS" enabled
-    template: templates/gitea/deployment.yaml
+    template: templates/deployment.yaml
     set:
       replicaCount: 2
       persistence:
@@ -22,14 +22,14 @@ tests:
       - failedTemplate:
           errorMessage: "Invoking the garbage collector via CRON is not yet supported when running with multiple replicas. Please set 'gitea.config.cron.GIT_GC_REPOS.enabled = false'."
   - it: fails with multiple replicas and RWX file system not set
-    template: templates/gitea/deployment.yaml
+    template: templates/deployment.yaml
     set:
       replicaCount: 2
     asserts:
       - failedTemplate:
           errorMessage: "When using multiple replicas, a RWX file system is required and persistence.accessModes[0] must be set to ReadWriteMany."
   - it: fails with multiple replicas and bleve issue indexer
-    template: templates/gitea/deployment.yaml
+    template: templates/deployment.yaml
     set:
       replicaCount: 2
       persistence:
@@ -43,7 +43,7 @@ tests:
       - failedTemplate:
           errorMessage: "When using multiple replicas, the issue indexer (gitea.config.indexer.ISSUE_INDEXER_TYPE) must be set to a HA-ready provider such as 'meilisearch', 'elasticsearch' or 'db' (if the DB is HA-ready)."
   - it: fails with multiple replicas and bleve repo indexer
-    template: templates/gitea/deployment.yaml
+    template: templates/deployment.yaml
     set:
       replicaCount: 2
       persistence:

unittests/helm/deployment/basic.yaml

@@ -3,11 +3,11 @@ release:
   name: gitea-unittests
   namespace: testing
 templates:
-  - templates/gitea/deployment.yaml
-  - templates/gitea/config.yaml
+  - templates/deployment.yaml
+  - templates/config.yaml
 tests:
   - it: renders a deployment
-    template: templates/gitea/deployment.yaml
+    template: templates/deployment.yaml
     asserts:
       - hasDocuments:
           count: 1
@@ -16,7 +16,7 @@ tests:
           apiVersion: apps/v1
           name: gitea-unittests
   - it: deployment labels are set
-    template: templates/gitea/deployment.yaml
+    template: templates/deployment.yaml
     set:
       deployment.labels:
         hello: world
@@ -30,7 +30,7 @@ tests:
           content:
             hello: world
   - it: "injects TMP_EXISTING_ENVS_FILE as environment variable to 'init-app-ini' init container"
-    template: templates/gitea/deployment.yaml
+    template: templates/deployment.yaml
     asserts:
       - contains:
           path: spec.template.spec.initContainers[1].env
@@ -38,7 +38,7 @@ tests:
             name: TMP_EXISTING_ENVS_FILE
             value: /tmp/existing-envs
   - it: "injects ENV_TO_INI_MOUNT_POINT as environment variable to 'init-app-ini' init container"
-    template: templates/gitea/deployment.yaml
+    template: templates/deployment.yaml
     asserts:
       - contains:
           path: spec.template.spec.initContainers[1].env
@@ -46,7 +46,7 @@ tests:
             name: ENV_TO_INI_MOUNT_POINT
             value: /env-to-ini-mounts
   - it: CPU resources are defined as well as GOMAXPROCS
-    template: templates/gitea/deployment.yaml
+    template: templates/deployment.yaml
     set:
       resources:
         limits:
@@ -74,7 +74,7 @@ tests:
               cpu: 100ms
               memory: 100Mi
   - it: Init containers have correct volumeMount path
-    template: templates/gitea/deployment.yaml
+    template: templates/deployment.yaml
     set:
       initContainersScriptsVolumeMountPath: "/custom/init/path"
     asserts:
@@ -85,7 +85,7 @@ tests:
           path: spec.template.spec.initContainers[*].volumeMounts[?(@.name=="config")].mountPath
           value: "/custom/init/path"
   - it: Init containers have correct volumeMount path if there is no override
-    template: templates/gitea/deployment.yaml
+    template: templates/deployment.yaml
     asserts:
       - equal:
           path: spec.template.spec.initContainers[*].volumeMounts[?(@.name=="init")].mountPath

unittests/helm/deployment/deployment-additional-config.yaml

@@ -3,11 +3,11 @@ release:
   name: gitea-unittests
   namespace: testing
 templates:
-  - templates/gitea/deployment.yaml
-  - templates/gitea/config.yaml
+  - templates/deployment.yaml
+  - templates/config.yaml
 tests:
   - it: Renders a deployment
-    template: templates/gitea/deployment.yaml
+    template: templates/deployment.yaml
     asserts:
       - hasDocuments:
           count: 1
@@ -16,7 +16,7 @@ tests:
           apiVersion: apps/v1
           name: gitea-unittests
   - it: Deployment with empty additionalConfigFromEnvs
-    template: templates/gitea/deployment.yaml
+    template: templates/deployment.yaml
     set:
       gitea.additionalConfigFromEnvs: []
     asserts:
@@ -44,7 +44,7 @@ tests:
               - name: ENV_TO_INI_MOUNT_POINT
                 value: /env-to-ini-mounts
   - it: Deployment with standard additionalConfigFromEnvs
-    template: templates/gitea/deployment.yaml
+    template: templates/deployment.yaml
     set:
       gitea.additionalConfigFromEnvs: [{name: GITEA_database_HOST, value: my-db:123}, {name: GITEA_database_USER, value: my-user}]
     asserts:
@@ -76,7 +76,7 @@ tests:
               - name: GITEA_database_USER
                 value: my-user
   - it: Deployment with templated additionalConfigFromEnvs
-    template: templates/gitea/deployment.yaml
+    template: templates/deployment.yaml
     set:
       gitea.misc.host: my-db-host:321
       gitea.misc.user: my-db-user
@@ -110,7 +110,7 @@ tests:
               - name: GITEA_database_USER
                 value: my-db-user
   - it: Deployment with additionalConfigFromEnvs templated secret name
-    template: templates/gitea/deployment.yaml
+    template: templates/deployment.yaml
     set:
       gitea.misc.existingSecret: my-db-secret
       gitea.additionalConfigFromEnvs[0]:

unittests/helm/deployment/extraInitContainers.yaml

@@ -0,0 +1,59 @@
+suite: deployment template
+release:
+  name: gitea-unittests
+  namespace: testing
+templates:
+  - templates/deployment.yaml
+  - templates/config.yaml
+tests:
+  - it: Render the deployment (default)
+    asserts:
+      - hasDocuments:
+          count: 1
+        template: templates/deployment.yaml
+      - lengthEqual:
+          path: spec.template.spec.initContainers
+          count: 3
+        template: templates/deployment.yaml
+
+  - it: Render the deployment (signing)
+    set:
+      signing.enabled: true
+    asserts:
+      - hasDocuments:
+          count: 1
+        template: templates/deployment.yaml
+      - lengthEqual:
+          path: spec.template.spec.initContainers
+          count: 4
+        template: templates/deployment.yaml
+
+  - it: Render the deployment (extraInitContainers)
+    set:
+      postExtraInitContainers:
+        - name: foo
+          image: docker.io/library/busybox:latest
+      preExtraInitContainers:
+        - name: bar
+          image: docker.io/library/busybox:latest
+      signing.enabled: true
+    asserts:
+      - hasDocuments:
+          count: 1
+        template: templates/deployment.yaml
+      - lengthEqual:
+          path: spec.template.spec.initContainers
+          count: 6
+        template: templates/deployment.yaml
+      - contains:
+          path: spec.template.spec.initContainers
+          content:
+            name: foo
+            image: docker.io/library/busybox:latest
+        template: templates/deployment.yaml
+      - contains:
+          path: spec.template.spec.initContainers
+          content:
+            name: bar
+            image: docker.io/library/busybox:latest
+        template: templates/deployment.yaml

unittests/helm/deployment/image-configuration.yaml

@@ -6,17 +6,17 @@ chart:
   # Override appVersion to be consistent with used digest :)
   appVersion: 1.19.3
 templates:
-  - templates/gitea/deployment.yaml
-  - templates/gitea/config.yaml
+  - templates/deployment.yaml
+  - templates/config.yaml
 tests:
   - it: default values
-    template: templates/gitea/deployment.yaml
+    template: templates/deployment.yaml
     asserts:
       - equal:
           path: spec.template.spec.containers[0].image
           value: "docker.gitea.com/gitea:1.19.3-rootless"
   - it: tag override
-    template: templates/gitea/deployment.yaml
+    template: templates/deployment.yaml
     set:
       image.tag: "1.19.4"
     asserts:
@@ -24,7 +24,7 @@ tests:
           path: spec.template.spec.containers[0].image
           value: "docker.gitea.com/gitea:1.19.4-rootless"
   - it: root-based image
-    template: templates/gitea/deployment.yaml
+    template: templates/deployment.yaml
     set:
       image.rootless: false
     asserts:
@@ -32,7 +32,7 @@ tests:
           path: spec.template.spec.containers[0].image
           value: "docker.gitea.com/gitea:1.19.3"
   - it: scoped registry
-    template: templates/gitea/deployment.yaml
+    template: templates/deployment.yaml
     set:
       image.registry: "example.com"
     asserts:
@@ -40,7 +40,7 @@ tests:
           path: spec.template.spec.containers[0].image
           value: "example.com/gitea:1.19.3-rootless"
   - it: global registry
-    template: templates/gitea/deployment.yaml
+    template: templates/deployment.yaml
     set:
       global.imageRegistry: "global.example.com"
     asserts:
@@ -48,7 +48,7 @@ tests:
           path: spec.template.spec.containers[0].image
           value: "global.example.com/gitea:1.19.3-rootless"
   - it: digest for rootless image
-    template: templates/gitea/deployment.yaml
+    template: templates/deployment.yaml
     set:
       image:
         rootless: true
@@ -58,7 +58,7 @@ tests:
           path: spec.template.spec.containers[0].image
           value: "docker.gitea.com/gitea:1.19.3-rootless@sha256:b28e8f3089b52ebe6693295df142f8c12eff354e9a4a5bfbb5c10f296c3a537a"
   - it: image fullOverride (does not append rootless)
-    template: templates/gitea/deployment.yaml
+    template: templates/deployment.yaml
     set:
       image:
         fullOverride: docker.gitea.com/gitea:1.19.3
@@ -73,7 +73,7 @@ tests:
           path: spec.template.spec.containers[0].image
           value: "docker.gitea.com/gitea:1.19.3"
   - it: digest for root-based image
-    template: templates/gitea/deployment.yaml
+    template: templates/deployment.yaml
     set:
       image:
         rootless: false
@@ -83,7 +83,7 @@ tests:
           path: spec.template.spec.containers[0].image
           value: "docker.gitea.com/gitea:1.19.3@sha256:b28e8f3089b52ebe6693295df142f8c12eff354e9a4a5bfbb5c10f296c3a537a"
   - it: digest and global registry
-    template: templates/gitea/deployment.yaml
+    template: templates/deployment.yaml
     set:
       global.imageRegistry: "global.example.com"
       image.digest: "sha256:b28e8f3089b52ebe6693295df142f8c12eff354e9a4a5bfbb5c10f296c3a537a"
@@ -92,7 +92,7 @@ tests:
           path: spec.template.spec.containers[0].image
           value: "global.example.com/gitea:1.19.3-rootless@sha256:b28e8f3089b52ebe6693295df142f8c12eff354e9a4a5bfbb5c10f296c3a537a"
   - it: correctly renders floating tag references
-    template: templates/gitea/deployment.yaml
+    template: templates/deployment.yaml
     set:
       image.tag: 1.21 # use non-quoted value on purpose. See: https://gitea.com/gitea/helm-gitea/issues/631
     asserts:

unittests/helm/deployment/ingress-configuration.yaml

@@ -1,6 +1,6 @@
 suite: Test ingress tpl use
 templates:
-  - templates/gitea/ingress.yaml
+  - templates/ingress.yaml
 tests:
   - it: Ingress Class using TPL
     set:

unittests/helm/deployment/inline-config.yaml

@@ -3,7 +3,7 @@ release:
   name: gitea-unittests
   namespace: testing
 templates:
-  - templates/gitea/config.yaml
+  - templates/config.yaml
 tests:
   - it: inline config stringData.server using TPL
     set:

unittests/helm/deployment/probes.yaml

@@ -3,11 +3,11 @@ release:
   name: gitea-unittests
   namespace: testing
 templates:
-  - templates/gitea/deployment.yaml
-  - templates/gitea/config.yaml
+  - templates/deployment.yaml
+  - templates/config.yaml
 tests:
   - it: renders default liveness probe
-    template: templates/gitea/deployment.yaml
+    template: templates/deployment.yaml
     asserts:
       - notExists:
           path: spec.template.spec.containers[0].livenessProbe.enabled
@@ -22,7 +22,7 @@ tests:
               port: http
             timeoutSeconds: 1
   - it: renders default readiness probe
-    template: templates/gitea/deployment.yaml
+    template: templates/deployment.yaml
     asserts:
       - notExists:
           path: spec.template.spec.containers[0].readinessProbe.enabled
@@ -37,12 +37,12 @@ tests:
               port: http
             timeoutSeconds: 1
   - it: does not render a default startup probe
-    template: templates/gitea/deployment.yaml
+    template: templates/deployment.yaml
     asserts:
       - notExists:
           path: spec.template.spec.containers[0].startupProbe
   - it: allows enabling a startup probe
-    template: templates/gitea/deployment.yaml
+    template: templates/deployment.yaml
     set:
       gitea.startupProbe.enabled: true
     asserts:
@@ -60,7 +60,7 @@ tests:
             timeoutSeconds: 1
 
   - it: allows overwriting the default port of the liveness probe
-    template: templates/gitea/deployment.yaml
+    template: templates/deployment.yaml
     set:
       gitea:
         livenessProbe:
@@ -74,7 +74,7 @@ tests:
               port: my-port
 
   - it: allows overwriting the default port of the readiness probe
-    template: templates/gitea/deployment.yaml
+    template: templates/deployment.yaml
     set:
       gitea:
         readinessProbe:
@@ -88,7 +88,7 @@ tests:
               port: my-port
 
   - it: allows overwriting the default port of the startup probe
-    template: templates/gitea/deployment.yaml
+    template: templates/deployment.yaml
     set:
       gitea:
         startupProbe:
@@ -103,7 +103,7 @@ tests:
               port: my-port
 
   - it: allows using a non-default method as liveness probe
-    template: templates/gitea/deployment.yaml
+    template: templates/deployment.yaml
     set:
       gitea:
         livenessProbe:
@@ -131,7 +131,7 @@ tests:
             timeoutSeconds: 13372
 
   - it: allows using a non-default method as readiness probe
-    template: templates/gitea/deployment.yaml
+    template: templates/deployment.yaml
     set:
       gitea:
         readinessProbe:
@@ -159,7 +159,7 @@ tests:
             timeoutSeconds: 13372
 
   - it: allows using a non-default method as startup probe
-    template: templates/gitea/deployment.yaml
+    template: templates/deployment.yaml
     set:
       gitea:
         startupProbe:

unittests/helm/deployment/sidecar-container.yaml

@@ -3,11 +3,11 @@ release:
   name: gitea-unittests
   namespace: testing
 templates:
-  - templates/gitea/deployment.yaml
-  - templates/gitea/config.yaml
+  - templates/deployment.yaml
+  - templates/config.yaml
 tests:
   - it: supports adding a sidecar container
-    template: templates/gitea/deployment.yaml
+    template: templates/deployment.yaml
     set:
       extraContainers:
         - name: sidecar-bob

unittests/helm/deployment/signing-disabled.yaml

@@ -3,11 +3,11 @@ release:
   name: gitea-unittests
   namespace: testing
 templates:
-  - templates/gitea/deployment.yaml
-  - templates/gitea/config.yaml
+  - templates/deployment.yaml
+  - templates/config.yaml
 tests:
   - it: skips gpg init container
-    template: templates/gitea/deployment.yaml
+    template: templates/deployment.yaml
     asserts:
       - notContains:
           path: spec.template.spec.initContainers
@@ -15,7 +15,7 @@ tests:
           content:
             name: configure-gpg
   - it: skips gpg env in `init-directories` init container
-    template: templates/gitea/deployment.yaml
+    template: templates/deployment.yaml
     set:
       signing.enabled: false
     asserts:
@@ -25,14 +25,14 @@ tests:
             name: GNUPGHOME
             value: /data/git/.gnupg
   - it: skips gpg env in runtime container
-    template: templates/gitea/deployment.yaml
+    template: templates/deployment.yaml
     asserts:
       - notContains:
           path: spec.template.spec.containers[0].env
           content:
             name: GNUPGHOME
   - it: skips gpg volume spec
-    template: templates/gitea/deployment.yaml
+    template: templates/deployment.yaml
     asserts:
       - notContains:
           path: spec.template.spec.volumes

unittests/helm/deployment/signing-enabled.yaml

@@ -3,11 +3,11 @@ release:
   name: gitea-unittests
   namespace: testing
 templates:
-  - templates/gitea/deployment.yaml
-  - templates/gitea/config.yaml
+  - templates/deployment.yaml
+  - templates/config.yaml
 tests:
   - it: adds gpg init container
-    template: templates/gitea/deployment.yaml
+    template: templates/deployment.yaml
     set:
       signing:
         enabled: true
@@ -41,7 +41,7 @@ tests:
               mountPath: /raw
               readOnly: true
   - it: adds gpg env in `init-directories` init container
-    template: templates/gitea/deployment.yaml
+    template: templates/deployment.yaml
     set:
       signing.enabled: true
       signing.existingSecret: "custom-gpg-secret"
@@ -52,7 +52,7 @@ tests:
             name: GNUPGHOME
             value: /data/git/.gnupg
   - it: adds gpg env in runtime container
-    template: templates/gitea/deployment.yaml
+    template: templates/deployment.yaml
     set:
       signing.enabled: true
       signing.existingSecret: "custom-gpg-secret"
@@ -63,7 +63,7 @@ tests:
             name: GNUPGHOME
             value: /data/git/.gnupg
   - it: adds gpg volume spec
-    template: templates/gitea/deployment.yaml
+    template: templates/deployment.yaml
     set:
       signing:
         enabled: true
@@ -80,7 +80,7 @@ tests:
                   path: private.asc
               defaultMode: 0100
   - it: supports gpg volume spec with external reference
-    template: templates/gitea/deployment.yaml
+    template: templates/deployment.yaml
     set:
       signing:
         enabled: true

unittests/helm/deployment/ssh-configuration.yaml

@@ -3,11 +3,11 @@ release:
   name: gitea-unittests
   namespace: testing
 templates:
-  - templates/gitea/deployment.yaml
-  - templates/gitea/config.yaml
+  - templates/deployment.yaml
+  - templates/config.yaml
 tests:
   - it: supports defining SSH log level for root based image
-    template: templates/gitea/deployment.yaml
+    template: templates/deployment.yaml
     set:
       image.rootless: false
     asserts:
@@ -17,7 +17,7 @@ tests:
             name: SSH_LOG_LEVEL
             value: "INFO"
   - it: supports overriding SSH log level
-    template: templates/gitea/deployment.yaml
+    template: templates/deployment.yaml
     set:
       image.rootless: false
       gitea.ssh.logLevel: "DEBUG"
@@ -28,7 +28,7 @@ tests:
             name: SSH_LOG_LEVEL
             value: "DEBUG"
   - it: supports overriding SSH log level (even when image.fullOverride set)
-    template: templates/gitea/deployment.yaml
+    template: templates/deployment.yaml
     set:
       image.fullOverride: docker.gitea.com/gitea:1.19.3
       image.rootless: false
@@ -40,7 +40,7 @@ tests:
             name: SSH_LOG_LEVEL
             value: "DEBUG"
   - it: skips SSH_LOG_LEVEL for rootless image
-    template: templates/gitea/deployment.yaml
+    template: templates/deployment.yaml
     set:
       image.rootless: true
       gitea.ssh.logLevel: "DEBUG" # explicitly defining a non-standard level here
@@ -51,7 +51,7 @@ tests:
           content:
             name: SSH_LOG_LEVEL
   - it: skips SSH_LOG_LEVEL for rootless image (even when image.fullOverride set)
-    template: templates/gitea/deployment.yaml
+    template: templates/deployment.yaml
     set:
       image.fullOverride: docker.gitea.com/gitea:1.19.3
       image.rootless: true

unittests/helm/deployment/storage-class-configuration.yaml

@@ -7,11 +7,11 @@ release:
   namespace: testing
 
 templates:
-  - templates/gitea/pvc.yaml
+  - templates/pvc.yaml
 
 tests:
   - it: should set storageClassName when persistence.storageClass is defined
-    template: templates/gitea/pvc.yaml
+    template: templates/pvc.yaml
     set:
       persistence.storageClass: "my-storage-class"
     asserts:
@@ -20,7 +20,7 @@ tests:
           value: "my-storage-class"
 
   - it: should set global.storageClass when persistence.storageClass is not defined
-    template: templates/gitea/pvc.yaml
+    template: templates/pvc.yaml
     set:
       global.storageClass: "default-storage-class"
     asserts:
@@ -29,7 +29,7 @@ tests:
           value: "default-storage-class"
 
   - it: should set storageClassName when persistence.storageClass is defined and global.storageClass is defined
-    template: templates/gitea/pvc.yaml
+    template: templates/pvc.yaml
     set:
       global.storageClass: "default-storage-class"
       persistence.storageClass: "my-storage-class"

unittests/helm/deployment/svc-configuration.yaml

@@ -3,11 +3,11 @@ release:
   name: gitea-unittests
   namespace: testing
 templates:
-  - templates/gitea/ssh-svc.yaml
-  - templates/gitea/http-svc.yaml
+  - templates/ssh-svc.yaml
+  - templates/http-svc.yaml
 tests:
   - it: supports adding custom labels to ssh-svc
-    template: templates/gitea/ssh-svc.yaml
+    template: templates/ssh-svc.yaml
     set:
       service:
         ssh:
@@ -19,7 +19,7 @@ tests:
           value: "testvalue"
 
   - it: keeps existing labels (ssh)
-    template: templates/gitea/ssh-svc.yaml
+    template: templates/ssh-svc.yaml
     set:
       service:
         ssh:
@@ -29,7 +29,7 @@ tests:
           path: metadata.labels["app"]
 
   - it: supports adding custom labels to http-svc
-    template: templates/gitea/http-svc.yaml
+    template: templates/http-svc.yaml
     set:
       service:
         http:
@@ -41,7 +41,7 @@ tests:
           value: "testvalue"
 
   - it: keeps existing labels (http)
-    template: templates/gitea/http-svc.yaml
+    template: templates/http-svc.yaml
     set:
       service:
         http:
@@ -51,7 +51,7 @@ tests:
           path: metadata.labels["app"]
 
   - it: render service.ssh.loadBalancerClass if set and type is LoadBalancer
-    template: templates/gitea/ssh-svc.yaml
+    template: templates/ssh-svc.yaml
     set:
       service:
         ssh:
@@ -73,7 +73,7 @@ tests:
           value: ["1.2.3.4/32", "5.6.7.8/32"]
 
   - it: does not render when loadbalancer properties are set but type is not loadBalancerClass
-    template: templates/gitea/http-svc.yaml
+    template: templates/http-svc.yaml
     set:
       service:
         http:
@@ -92,7 +92,7 @@ tests:
           path: spec.loadBalancerSourceRanges
 
   - it: does not render loadBalancerClass by default even when type is LoadBalancer
-    template: templates/gitea/http-svc.yaml
+    template: templates/http-svc.yaml
     set:
       service:
         http:
@@ -107,8 +107,8 @@ tests:
 
   - it: both ssh and http services exist
     templates:
-      - templates/gitea/ssh-svc.yaml
-      - templates/gitea/http-svc.yaml
+      - templates/ssh-svc.yaml
+      - templates/http-svc.yaml
     asserts:
       - matchRegex:
           path: metadata.name

unittests/helm/gpg-secret/signing-disabled.yaml

@@ -3,7 +3,7 @@ release:
   name: gitea-unittests
   namespace: testing
 templates:
-  - templates/gitea/gpg-secret.yaml
+  - templates/gpg-secret.yaml
 tests:
   - it: renders nothing
     set:

unittests/helm/gpg-secret/signing-enabled.yaml

@@ -3,7 +3,7 @@ release:
   name: gitea-unittests
   namespace: testing
 templates:
-  - templates/gitea/gpg-secret.yaml
+  - templates/gpg-secret.yaml
 tests:
   - it: fails rendering when nothing is configured
     set:

unittests/helm/ingress/basic.yaml

@@ -1,6 +1,6 @@
 suite: Test ingress.yaml
 templates:
-  - templates/gitea/ingress.yaml
+  - templates/ingress.yaml
 tests:
   - it: should enable ingress when ingress.enabled is true
     set:

unittests/helm/ingress/implicit-defaults.yaml

@@ -1,6 +1,6 @@
 suite: Test ingress with implicit path defaults
 templates:
-  - templates/gitea/ingress.yaml
+  - templates/ingress.yaml
 tests:
   - it: should use default path and pathType when no paths are specified
     set:

unittests/helm/ingress/ingress.tpl.yaml

@@ -1,6 +1,6 @@
 suite: Test ingress tpl use
 templates:
-  - templates/gitea/ingress.yaml
+  - templates/ingress.yaml
 tests:
   - it: Ingress Class using TPL
     set:

unittests/helm/ingress/structured-paths.yaml

@@ -1,6 +1,6 @@
 suite: Test ingress with structured paths
 templates:
-  - templates/gitea/ingress.yaml
+  - templates/ingress.yaml
 tests:
   - it: should work with structured path definitions
     set:

unittests/helm/init/basic.yaml

@@ -3,7 +3,7 @@ release:
   name: gitea-unittests
   namespace: testing
 templates:
-  - templates/gitea/init.yaml
+  - templates/init.yaml
 tests:
   - it: renders a secret
     asserts:

unittests/helm/init/init_directory_structure.sh-rootless.yaml

@@ -3,7 +3,7 @@ release:
   name: gitea-unittests
   namespace: testing
 templates:
-  - templates/gitea/init.yaml
+  - templates/init.yaml
 tests:
   - it: runs gpg in batch mode
     set:
@@ -63,7 +63,7 @@ tests:
               chown -v 1000:1000 "${GNUPGHOME}"
             fi
   - it: it does not chown /data even when image.fullOverride is set
-    template: templates/gitea/init.yaml
+    template: templates/init.yaml
     set:
       image.fullOverride: docker.gitea.com/gitea:1.20.5
     asserts:

unittests/helm/init/init_directory_structure.sh.yaml

@@ -3,7 +3,7 @@ release:
   name: gitea-unittests
   namespace: testing
 templates:
-  - templates/gitea/init.yaml
+  - templates/init.yaml
 tests:
   - it: runs gpg in batch mode
     set:

unittests/helm/metric-secret/metrics-secret-servicemonitor-disabled.yaml

@@ -3,7 +3,7 @@ release:
   name: gitea-unittests
   namespace: testing
 templates:
-  - templates/gitea/metrics-secret.yaml
+  - templates/metrics-secret.yaml
 tests:
   - it: renders nothing if monitoring disabled and gitea.metrics.token empty
     set:

unittests/helm/metric-secret/metrics-secret-servicemonitor-enabled.yaml

@@ -3,7 +3,7 @@ release:
   name: gitea-unittests
   namespace: testing
 templates:
-  - templates/gitea/metrics-secret.yaml
+  - templates/metrics-secret.yaml
 tests:
   - it: renders nothing if monitoring enabled and gitea.metrics.token empty
     set:

unittests/helm/networkPolicy/networkPolicy.yaml

@@ -0,0 +1,100 @@
+chart:
+  appVersion: 0.1.0
+  version: 0.1.0
+suite: NetworkPolicy template
+release:
+  name: gitea-unittest
+  namespace: testing
+templates:
+  - templates/networkPolicy.yaml
+tests:
+  - it: Skip rendering networkPolicy
+    set:
+      networkPolicy.enabled: false
+    asserts:
+      - hasDocuments:
+          count: 0
+
+  - it: Render default networkPolicy
+    set:
+      networkPolicy.enabled: true
+    asserts:
+      - hasDocuments:
+          count: 1
+      - containsDocument:
+          apiVersion: networking.k8s.io/v1
+          kind: NetworkPolicy
+          name: gitea-unittest
+          namespace: testing
+      - notExists:
+          path: metadata.annotations
+      - equal:
+          path: metadata.labels
+          value:
+            app: gitea
+            app.kubernetes.io/instance: gitea-unittest
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: gitea
+            app.kubernetes.io/version: 0.1.0
+            helm.sh/chart: gitea-0.1.0
+            version: 0.1.0
+      - equal:
+          path: spec.podSelector.matchLabels
+          value:
+            app.kubernetes.io/instance: gitea-unittest
+            app.kubernetes.io/name: gitea
+      - notExists:
+          path: spec.policyTypes
+      - notExists:
+          path: spec.egress
+      - notExists:
+          path: spec.ingress
+
+  - it: Template networkPolicy with policyTypes, egress and ingress configuration
+    set:
+      networkPolicy.enabled: true
+      networkPolicy.policyTypes:
+        - Egress
+        - Ingress
+      networkPolicy.ingress:
+        - from:
+            - namespaceSelector:
+                matchLabels:
+                  kubernetes.io/metadata.name: monitoring
+              podSelector:
+                matchLabels:
+                  app.kubernetes.io/name: prometheus
+      networkPolicy.egress:
+        - to:
+            - namespaceSelector:
+                matchLabels:
+                  kubernetes.io/metadata.name: ingress-nginx
+              podSelector:
+                matchLabels:
+                  app.kubernetes.io/name: ingress-nginx
+    asserts:
+      - equal:
+          path: spec.policyTypes
+          value:
+            - Egress
+            - Ingress
+      - equal:
+          path: spec.egress
+          value:
+            - to:
+                - namespaceSelector:
+                    matchLabels:
+                      kubernetes.io/metadata.name: ingress-nginx
+                  podSelector:
+                    matchLabels:
+                      app.kubernetes.io/name: ingress-nginx
+      - equal:
+          path: spec.ingress
+          value:
+            - from:
+                - namespaceSelector:
+                    matchLabels:
+                      kubernetes.io/metadata.name: monitoring
+                  podSelector:
+                    matchLabels:
+                      app.kubernetes.io/name: prometheus

unittests/helm/pvc/pvc-configuration.yaml

@@ -3,7 +3,7 @@ release:
   name: gitea-unittests
   namespace: testing
 templates:
-  - templates/gitea/pvc.yaml
+  - templates/pvc.yaml
 tests:
   - it: Storage Class using TPL
     set:

unittests/helm/serviceaccount/basic.yaml

@@ -3,7 +3,7 @@ release:
   name: gitea-unittests
   namespace: testing
 templates:
-  - templates/gitea/serviceaccount.yaml
+  - templates/serviceaccount.yaml
 tests:
   - it: skips rendering by default
     asserts:

unittests/helm/serviceaccount/reference.yaml

@@ -3,17 +3,17 @@ release:
   name: gitea-unittests
   namespace: testing
 templates:
-  - templates/gitea/serviceaccount.yaml
-  - templates/gitea/deployment.yaml
-  - templates/gitea/config.yaml
+  - templates/serviceaccount.yaml
+  - templates/deployment.yaml
+  - templates/config.yaml
 tests:
   - it: does not modify the deployment by default
-    template: templates/gitea/deployment.yaml
+    template: templates/deployment.yaml
     asserts:
       - notExists:
           path: spec.serviceAccountName
   - it: adds the reference to the deployment with serviceAccount.create=true
-    template: templates/gitea/deployment.yaml
+    template: templates/deployment.yaml
     set:
       serviceAccount.create: true
     asserts:
@@ -21,7 +21,7 @@ tests:
           path: spec.template.spec.serviceAccountName
           value: gitea-unittests
   - it: allows referencing an externally created ServiceAccount to the deployment
-    template: templates/gitea/deployment.yaml
+    template: templates/deployment.yaml
     set:
       serviceAccount:
         create: false # explicitly set to define rendering behavior

unittests/helm/servicemonitor/basic.yaml

@@ -3,7 +3,7 @@ release:
   name: gitea-unittests
   namespace: testing
 templates:
-  - templates/gitea/servicemonitor.yaml
+  - templates/servicemonitor.yaml
 tests:
   - it: skips rendering by default
     asserts:

unittests/helm/servicemonitor/servicemonitor-disabled.yaml

@@ -3,7 +3,7 @@ release:
   name: gitea-unittests
   namespace: testing
 templates:
-  - templates/gitea/servicemonitor.yaml
+  - templates/servicemonitor.yaml
 tests:
   - it: renders nothing if gitea.metrics.serviceMonitor disabled and gitea.metrics.token empty
     set:

unittests/helm/servicemonitor/servicemonitor-enabled.yaml

@@ -3,7 +3,7 @@ release:
   name: gitea-unittests
   namespace: testing
 templates:
-  - templates/gitea/servicemonitor.yaml
+  - templates/servicemonitor.yaml
 tests:
   - it: renders unsecure ServiceMonitor if gitea.metrics.token nil
     set:

values.yaml

@@ -20,7 +20,7 @@ global:
   #   hostnames:
   #   - example.com
 
-## @param namespace An explicit namespace to deploy gitea into. Defaults to the release namespace if not specified
+## @param namespace An explicit namespace to deploy Gitea into. Defaults to the release namespace if not specified
 namespace: ""
 
 ## @param replicaCount number of replicas for the deployment
@@ -279,7 +279,19 @@ persistence:
 extraContainers: []
 #  - name: sidecar-bob
 #    image: busybox
-#    command: [/bin/sh, -c, 'echo "Hello world"; sleep 86400']
+#    command: [/bin/sh, -c, 'echo "Hello world"']
+
+## @param preExtraInitContainers Additional init containers to run in the pod before Gitea runs it owns init containers.
+preExtraInitContainers: []
+# - name: pre-init-container
+#   image: docker.io/library/busybox
+#   command: [ /bin/sh, -c, 'echo "Hello world! I am a pre init container."' ]
+
+## @param postExtraInitContainers Additional init containers to run in the pod after Gitea runs it owns init containers.
+postExtraInitContainers: []
+# - name: post-init-container
+#   image: docker.io/library/busybox
+#   command: [ /bin/sh, -c, 'echo "Hello world! I am a post init container."' ]
 
 ## @param extraVolumes Additional volumes to mount to the Gitea deployment
 extraVolumes: []
@@ -501,6 +513,100 @@ gitea:
     successThreshold: 1
     failureThreshold: 10
 
+
+## @section Network Policy
+networkPolicy:
+  ## @param networkPolicy.enabled Enable network policies in general.
+  ## @param networkPolicy.annotations Additional network policy annotations.
+  ## @param networkPolicy.labels Additional network policy labels.
+  ## @param networkPolicy.policyTypes List of policy types. Supported is ingress, egress or ingress and egress.
+  ## @param networkPolicy.egress Concrete egress network policy implementation.
+  ## @skip networkPolicy.egress Skip individual egress configuration.
+  ## @param networkPolicy.ingress Concrete ingress network policy implementation.
+  ## @skip networkPolicy.ingress Skip individual ingress configuration.
+  enabled: false
+  annotations: {}
+  labels: {}
+  policyTypes: []
+  # - Egress
+  # - Ingress
+  egress: []
+  # Allow outgoing DNS traffic to the internal running DNS-Server. For example core-dns.
+  #
+  # - to:
+  #   - namespaceSelector:
+  #       matchLabels:
+  #         kubernetes.io/metadata.name: kube-system
+  #     podSelector:
+  #       matchLabels:
+  #        k8s-app: kube-dns
+  #   ports:
+  #   - port: 53
+  #     protocol: TCP
+  #   - port: 53
+  #     protocol: UDP
+
+  # Allow outgoing traffic via HTTPS. For example for oAuth2, Gravatar and other third party APIs.
+  #
+  # - to:
+  #   ports:
+  #   - port: 443
+  #     protocol: TCP
+
+  # Allow outgoing traffic to PostgreSQL.
+  #
+  # - to:
+  #   - podSelector:
+  #       matchLabels:
+  #         app.kubernetes.io/name: postgresql-ha
+  #   ports: []
+  #   # Avoid explicit list of ports, because Gitea tries to ping the PostgreSQL database during the initialization
+  #   # process. The ICMP protocol is currently not supported as list of protocols by kubernetes. For this reason would
+  #   # lead listing of the ports to an issue. Therefore, please handle the database ports with care.
+  #   #
+  #   # - port: 5432
+  #   #   protocol: TCP
+
+  # Allow outgoing traffic to Valkey.
+  #
+  # - to:
+  #   - podSelector:
+  #       matchLabels:
+  #         app.kubernetes.io/name: valkey-cluster
+  #   ports:
+  #   - port: 6379
+  #     protocol: TCP
+  #   - port: 16379
+  #     protocol: TCP
+
+  ingress: []
+  # Allow incoming HTTP traffic from prometheus.
+  #
+  # - from:
+  #   - namespaceSelector:
+  #       matchLabels:
+  #         kubernetes.io/metadata.name: monitoring
+  #     podSelector:
+  #       matchLabels:
+  #         app.kubernetes.io/name: prometheus
+  #   ports:
+  #   - port: http
+  #     protocol: TCP
+
+  # Allow incoming HTTP traffic from ingress-nginx.
+  #
+  # - from:
+  #   - namespaceSelector:
+  #       matchLabels:
+  #         kubernetes.io/metadata.name: ingress-nginx
+  #     podSelector:
+  #       matchLabels:
+  #         app.kubernetes.io/name: ingress-nginx
+  #   ports:
+  #   - port: http
+  #     protocol: TCP
+
+
 ## @section valkey-cluster
 ## @param valkey-cluster.enabled Enable valkey cluster
 # ⚠️ The valkey charts do not work well with special characters in the password (<https://gitea.com/gitea/helm-chart/issues/690>).
@@ -557,6 +663,7 @@ valkey:
 ## @param postgresql-ha.postgresql.repmgrPassword Repmgr Password
 ## @param postgresql-ha.postgresql.postgresPassword postgres Password
 ## @param postgresql-ha.pgpool.adminPassword pgpool adminPassword
+## @param postgresql-ha.pgpool.srCheckPassword pgpool srCheckPassword
 ## @param postgresql-ha.service.ports.postgresql PostgreSQL service port (overrides `service.ports.postgresql`)
 ## @param postgresql-ha.persistence.size PVC Storage Request for PostgreSQL HA volume
 postgresql-ha:
@@ -572,6 +679,7 @@ postgresql-ha:
     password: changeme4
   pgpool:
     adminPassword: changeme3
+    srCheckPassword: changeme4
   service:
     ports:
       postgresql: 5432