fix(ci): improve workflows (#959)

🤖 Split up helm chart workflows

The following patch adapts the CI workflows. The worflows has been splitted into
dedicated parts. For example the `helm template` and `helm unittest` command is
now a seperate step to notice that a change affects the template mechanism but
not the unittest. This was priviously not possible, because both commands were
part of one step.

🤖 Changelog Issue

Additionally has the changelog workflow be improved. The shell commands has
been migrated to a dedicated file named `.gitea/scripts/changelog.sh`. This has
the advantage, that the shellcheck plugin of IDE's support developers by
developing such shell scripts. Furthermore, the used container image has been
replaced by the ubuntu:latest image of the act_runner. This make it more
comfortable in using `curl` or `jq`, because the complete set of features/flags
are
avialable instead of the previously used container image
`docker.io/thegeeklab/git-sv:2.0.5`. Final note to the shell script
`changelog.sh`, this can now be executed locally as well as on ARM-based
act_runners and helps to test the helm chart in own Gitea environments
beforehand.

🤖 Markdown linter

In addition, a new workflow for markdown files has now been introduced. This
checks the `README.md` file for links, ensures that it is properly formatted,
and verifies that the parameters match those in `values.yaml`. Here, too, the
commands have been outsourced to separate jobs so that more precise interaction
is possible in the event of an error.

⚠️ Warning

This patch also requires an adjustment in branch protection. There, the
workflows that must be successful before a merge must be redefined.

Reviewed-on: https://gitea.com/gitea/helm-gitea/pulls/959
Reviewed-by: Lunny Xiao <xiaolunwen@gmail.com>
Co-authored-by: Markus Pesch <markus.pesch@cryptic.systems>
Co-committed-by: Markus Pesch <markus.pesch@cryptic.systems>

.gitea/scripts/add-annotations.sh

@@ -0,0 +1,114 @@
+#!/bin/bash
+
+set -e
+
+CHART_FILE="Chart.yaml"
+if [ ! -f "${CHART_FILE}" ]; then
+  echo "ERROR: ${CHART_FILE} not found!" 1>&2
+  exit 1
+fi
+
+DEFAULT_NEW_TAG="$(git tag --sort=-version:refname | head -n 1)"
+DEFAULT_OLD_TAG="$(git tag --sort=-version:refname | head -n 2 | tail -n 1)"
+
+if [ -z "${1}" ]; then
+  read -p "Enter start tag [${DEFAULT_OLD_TAG}]: " OLD_TAG
+  if [ -z "${OLD_TAG}" ]; then
+    OLD_TAG="${DEFAULT_OLD_TAG}"
+  fi
+
+  while [ -z "$(git tag --list "${OLD_TAG}")" ]; do
+    echo "ERROR: Tag '${OLD_TAG}' not found!" 1>&2
+    read -p "Enter start tag [${DEFAULT_OLD_TAG}]: " OLD_TAG
+    if [ -z "${OLD_TAG}" ]; then
+      OLD_TAG="${DEFAULT_OLD_TAG}"
+    fi
+  done
+else
+  OLD_TAG=${1}
+  if [ -z "$(git tag --list "${OLD_TAG}")" ]; then
+    echo "ERROR: Tag '${OLD_TAG}' not found!" 1>&2
+    exit 1
+  fi
+fi
+
+if [ -z "${2}" ]; then
+  read -p "Enter end tag [${DEFAULT_NEW_TAG}]: " NEW_TAG
+  if [ -z "${NEW_TAG}" ]; then
+    NEW_TAG="${DEFAULT_NEW_TAG}"
+  fi
+
+  while [ -z "$(git tag --list "${NEW_TAG}")" ]; do
+    echo "ERROR: Tag '${NEW_TAG}' not found!" 1>&2
+    read -p "Enter end tag [${DEFAULT_NEW_TAG}]: " NEW_TAG
+    if [ -z "${NEW_TAG}" ]; then
+      NEW_TAG="${DEFAULT_NEW_TAG}"
+    fi
+  done
+else
+  NEW_TAG=${2}
+
+  if [ -z "$(git tag --list "${NEW_TAG}")" ]; then
+    echo "ERROR: Tag '${NEW_TAG}' not found!" 1>&2
+    exit 1
+  fi
+fi
+
+CHANGE_LOG_YAML=$(mktemp)
+echo "[]" > "${CHANGE_LOG_YAML}"
+
+function map_type_to_kind() {
+  case "${1}" in
+    feat)
+      echo "added"
+    ;;
+    fix)
+      echo "fixed"
+    ;;
+    chore|style|test|ci|docs|refac)
+      echo "changed"
+    ;;
+    revert)
+      echo "removed"
+    ;;
+    sec)
+      echo "security"
+    ;;
+    *)
+      echo "skip"
+    ;;
+  esac
+}
+
+COMMIT_TITLES="$(git log --pretty=format:"%s" "${OLD_TAG}..${NEW_TAG}")"
+
+echo "INFO: Generate change log entries from ${OLD_TAG} until ${NEW_TAG}"
+
+while IFS= read -r line; do
+  if [[ "${line}" =~ ^([a-zA-Z]+)(\([^\)]+\))?\:\ (.+)$ ]]; then
+    TYPE="${BASH_REMATCH[1]}"
+    KIND=$(map_type_to_kind "${TYPE}")
+
+    if [ "${KIND}" == "skip" ]; then
+      continue
+    fi
+
+    DESC="${BASH_REMATCH[3]}"
+
+    echo "- ${KIND}: ${DESC}"
+
+    jq --arg kind "${KIND}" --arg description "${DESC}" '. += [ $ARGS.named ]' < "${CHANGE_LOG_YAML}" > "${CHANGE_LOG_YAML}.new"
+    mv "${CHANGE_LOG_YAML}.new" "${CHANGE_LOG_YAML}"
+
+  fi
+done <<< "${COMMIT_TITLES}"
+
+if [ -s "${CHANGE_LOG_YAML}" ]; then
+  yq --inplace --input-format json --output-format yml "${CHANGE_LOG_YAML}"
+  yq --no-colors --inplace ".annotations.\"artifacthub.io/changes\" |= loadstr(\"${CHANGE_LOG_YAML}\") | sort_keys(.)" "${CHART_FILE}"
+else
+  echo "ERROR: Changelog file is empty: ${CHANGE_LOG_YAML}" 1>&2
+  exit 1
+fi
+
+rm "${CHANGE_LOG_YAML}"

.gitea/scripts/update-changelog.sh

@@ -0,0 +1,86 @@
+#!/bin/bash
+
+DEFAULT_GITEA_SERVER_URL="${GITHUB_SERVER_URL:-"https://gitea.com"}"
+DEFAULT_GITEA_REPOSITORY="${GITHUB_REPOSITORY:-"gitea/helm-gitea"}"
+DEFAULT_GITEA_TOKEN="${ISSUE_RW_TOKEN:-""}"
+
+if [ -z "${1}" ]; then
+  read -p "Enter hostname of the Gitea instance [${DEFAULT_GITEA_SERVER_URL}]: " CURRENT_GITEA_SERVER_URL
+  if [ -z "${CURRENT_GITEA_SERVER_URL}" ]; then
+    CURRENT_GITEA_SERVER_URL="${DEFAULT_GITEA_SERVER_URL}"
+  fi
+else
+  CURRENT_GITEA_SERVER_URL=$1
+fi
+
+if [ -z "${2}" ]; then
+  read -p "Enter name of the git repository [${DEFAULT_GITEA_REPOSITORY}]: " CURRENT_GITEA_REPOSITORY
+  if [ -z "${CURRENT_GITEA_REPOSITORY}" ]; then
+    CURRENT_GITEA_REPOSITORY="${DEFAULT_GITEA_REPOSITORY}"
+  fi
+else
+  CURRENT_GITEA_REPOSITORY=$2
+fi
+
+if [ -z "${3}" ]; then
+  read -p "Enter token to access the Gitea instance [${DEFAULT_GITEA_TOKEN}]: " CURRENT_GITEA_TOKEN
+  if [ -z "${CURRENT_GITEA_TOKEN}" ]; then
+    CURRENT_GITEA_TOKEN="${DEFAULT_GITEA_TOKEN}"
+  fi
+else
+  CURRENT_GITEA_TOKEN=$3
+fi
+
+if ! git sv rn -o /tmp/changelog.md; then
+  echo "ERROR: Failed to generate /tmp/changelog.md" 1>&2
+  exit 1
+fi
+
+CURL_ARGS=(
+  "--data-urlencode" "q=Changelog for upcoming version"
+  # "--data-urlencode=\"q=Changelog for upcoming version\""
+  "--data-urlencode" "state=open"
+  "--fail"
+  "--header" "Accept: application/json"
+  "--header" "Authorization: token ${CURRENT_GITEA_TOKEN}"
+  "--request" "GET"
+  "--silent"
+)
+
+if ! ISSUE_NUMBER="$(curl "${CURL_ARGS[@]}" "${CURRENT_GITEA_SERVER_URL}/api/v1/repos/${CURRENT_GITEA_REPOSITORY}/issues" | jq '.[].number')"; then
+  echo "ERROR: Failed query issue number" 1>&2
+  exit 1
+fi
+export ISSUE_NUMBER
+
+if ! echo "" | jq --raw-input --slurp --arg title "Changelog for upcoming version" --arg body "$(cat /tmp/changelog.md)" '{title: $title, body: $body}' 1> /tmp/payload.json; then
+  echo "ERROR: Failed to create JSON payload file" 1>&2
+  exit 1
+fi
+
+CURL_ARGS=(
+  "--data" "@/tmp/payload.json"
+  "--fail"
+  "--header" "Authorization: token ${CURRENT_GITEA_TOKEN}"
+  "--header" "Content-Type: application/json"
+  "--location"
+  "--silent"
+  "--output" "/dev/null"
+)
+
+if [ -z "${ISSUE_NUMBER}" ]; then
+  if ! curl "${CURL_ARGS[@]}" --request POST "${CURRENT_GITEA_SERVER_URL}/api/v1/repos/${CURRENT_GITEA_REPOSITORY}/issues"; then
+    echo "ERROR: Failed to create new issue!" 1>&2
+    exit 1
+  else
+    echo "INFO: Successfully created new issue!"
+  fi
+else
+  if ! curl "${CURL_ARGS[@]}" --request PATCH "${CURRENT_GITEA_SERVER_URL}/api/v1/repos/${CURRENT_GITEA_REPOSITORY}/issues/${ISSUE_NUMBER}"; then
+    echo "ERROR: Failed to update issue with ID ${ISSUE_NUMBER}!" 1>&2
+    exit 1
+  else
+    echo "INFO: Successfully updated existing issue with ID ${ISSUE_NUMBER}!"
+    echo "INFO: ${CURRENT_GITEA_SERVER_URL}/${CURRENT_GITEA_REPOSITORY}/issues/${ISSUE_NUMBER}"
+  fi
+fi

.gitea/workflows/changelog.yml

@@ -1,32 +0,0 @@
-name: changelog
-
-on:
-  push:
-    branches:
-      - main
-
-jobs:
-  changelog:
-    runs-on: ubuntu-latest
-    container: docker.io/thegeeklab/git-sv:2.0.1
-    steps:
-      - name: install tools
-        run: |
-          apk add -q --update --no-cache nodejs curl jq sed
-      - uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
-      - name: Generate upcoming changelog
-        run: |
-          git sv rn -o changelog.md
-          export RELEASE_NOTES=$(cat changelog.md)
-          export ISSUE_NUMBER=$(curl -s "https://gitea.com/api/v1/repos/gitea/helm-gitea/issues?state=open&q=Changelog%20for%20upcoming%20version" | jq '.[].number')
-
-          echo $RELEASE_NOTES
-          JSON_DATA=$(echo "" | jq -Rs --arg title 'Changelog for upcoming version' --arg body "$(cat changelog.md)" '{title: $title, body: $body}')
-
-          if [ -z "$ISSUE_NUMBER" ]; then
-            curl -s -X POST "https://gitea.com/api/v1/repos/gitea/helm-gitea/issues" -H "Authorization: token ${{ secrets.ISSUE_RW_TOKEN }}" -H "Content-Type: application/json" -d "$JSON_DATA"
-          else
-            curl -s -X PATCH "https://gitea.com/api/v1/repos/gitea/helm-gitea/issues/$ISSUE_NUMBER" -H "Authorization: token ${{ secrets.ISSUE_RW_TOKEN }}" -H "Content-Type: application/json" -d "$JSON_DATA"
-          fi

.gitea/workflows/commitlint.yml

@@ -1,19 +1,17 @@
-name: commitlint
+name: Rum commitlint
 
 on:
   pull_request:
-    branches:
+    branches: [ '**' ]
-      - "*"
+    types: [ "opened", "edited" ]
-    types:
-      - opened
-      - edited
 
 jobs:
   check-and-test:
+    container: docker.io/commitlint/commitlint:19.9.1
+    name: Execute commitlint
     runs-on: ubuntu-latest
-    container: commitlint/commitlint:19.8.1
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5.0.0
-      - name: check PR title
+      - name: Check PR title
         run: |
           echo "${{ gitea.event.pull_request.title }}" | commitlint --config .commitlintrc.json

.gitea/workflows/helm.yml

@@ -0,0 +1,75 @@
+name: Run Helm tests
+
+on:
+  pull_request:
+    branches: [ '**' ]
+  push:
+    branches: [ '**' ]
+    tags-ignore: [ '**' ]
+  workflow_call: {}
+
+env:
+  # renovate: datasource=github-releases depName=helm-unittest/helm-unittest
+  HELM_UNITTEST_VERSION: "v1.0.1"
+
+jobs:
+  helm-lint:
+    container: docker.io/alpine/helm:3.18.6
+    name: Execute helm lint
+    runs-on: ubuntu-latest
+    steps:
+      - name: Install additional tools
+        run: |
+          apk update
+          apk add --update bash make nodejs
+      - uses: actions/checkout@v5.0.0
+      - name: Install helm chart dependencies
+        run: helm dependency build
+      - name: Execute helm lint
+        run: helm lint
+
+  helm-template:
+    container: docker.io/alpine/helm:3.18.6
+    name: Execute helm template
+    runs-on: ubuntu-latest
+    steps:
+      - name: Install additional tools
+        run: |
+          apk update
+          apk add --update bash make nodejs
+      - uses: actions/checkout@v5.0.0
+      - name: Install helm chart dependencies
+        run: helm dependency build
+      - name: Execute helm template
+        run: helm template --debug gitea-helm .
+
+  helm-unittest:
+    container: docker.io/alpine/helm:3.18.6
+    name: Execute helm unittest
+    runs-on: ubuntu-latest
+    steps:
+      - name: Install additional tools
+        run: |
+          apk update
+          apk add --update bash make nodejs npm yamllint ncurses
+      - uses: actions/checkout@v5.0.0
+      - name: Install helm chart dependencies
+        run: helm dependency build
+      - name: Install helm plugin 'unittest'
+        run: |
+          helm plugin install --version ${{ env.HELM_UNITTEST_VERSION }} https://github.com/helm-unittest/helm-unittest
+          git submodule update --init --recursive
+      - name: Execute helm unittest
+        env:
+          TERM: xterm
+        run: make unittests
+
+
+
+
+      # - name: verify readme
+      #   run: |
+      #     make readme
+      #     git diff --exit-code --name-only README.md
+      # - name: yaml lint
+      #   uses: https://github.com/ibiqlik/action-yamllint@v3

.gitea/workflows/markdown-linters.yml

@@ -0,0 +1,52 @@
+name: Markdown linter
+
+on:
+  pull_request:
+    types: [ "opened", "reopened", "synchronize" ]
+  push:
+    branches: [ '**' ]
+    tags-ignore: [ '**' ]
+  workflow_dispatch: {}
+
+jobs:
+  readme-link:
+    container:
+      image: docker.io/library/node:24.9.0-alpine
+    name: Execute npm run readme:link
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v5.0.0
+    - name: Execute npm run readme:link
+      run: |
+        npm install
+        npm run readme:link
+
+  readme-lint:
+    container:
+      image: docker.io/library/node:24.9.0-alpine
+    name: Execute npm run readme:lint
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v5.0.0
+    - name: Execute npm run readme:lint
+      run: |
+        npm install
+        npm run readme:lint
+
+  readme-parameters:
+    container:
+      image: docker.io/library/node:24.9.0-alpine
+    name: Execute npm run readme:parameters
+    runs-on: ubuntu-latest
+    steps:
+    - name: Install tooling
+      run: |
+        apk update
+        apk add git
+    - uses: actions/checkout@v5.0.0
+    - name: Execute npm run readme:parameters
+      run: |
+        npm install
+        npm run readme:parameters
+    - name: Compare diff
+      run: git diff --exit-code --name-only README.md

.gitea/workflows/release-version.yml

@@ -2,82 +2,108 @@ name: generate-chart
 
 on:
   push:
-    tags:
+    tags: [ '**' ]
-      - "*"
-
-env:
-  # renovate: datasource=docker depName=alpine/helm
-  HELM_VERSION: "3.17.3"
 
 jobs:
-  # generate-chart-publish:
+  generate-chart-publish:
-  #   runs-on: ubuntu-latest
+    runs-on: ubuntu-latest
-  #   steps:
+    steps:
-  #     - uses: actions/checkout@v4
+      - uses: actions/checkout@v5.0.0
-  #     - name: install tools
+        with:
-  #       run: |
+          fetch-depth: 0
-  #         apt update -y
-  #         apt install -y curl ca-certificates curl gnupg
-  #         # helm
-  #         curl -O https://get.helm.sh/helm-v${{ env.HELM_VERSION }}-linux-amd64.tar.gz
-  #         tar -xzf helm-v${{ env.HELM_VERSION }}-linux-amd64.tar.gz
-  #         mv linux-amd64/helm /usr/local/bin/
-  #         rm -rf linux-amd64 helm-v${{ env.HELM_VERSION }}-linux-amd64.tar.gz
-  #         helm version
-  #         # docker
-  #         install -m 0755 -d /etc/apt/keyrings
-  #         curl -fsSL https://download.docker.com/linux/ubuntu/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg
-  #         chmod a+r /etc/apt/keyrings/docker.gpg
-  #         echo "deb [arch="$(dpkg --print-architecture)" signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu "$(. /etc/os-release && echo "$VERSION_CODENAME")" stable" | tee /etc/apt/sources.list.d/docker.list > /dev/null
-  #         apt update -y
-  #         apt install -y python3 python3-pip apt-transport-https docker-ce-cli
-  #         pip install awscli --break-system-packages
 
-  #     - name: Import GPG key
+      - name: Install packages via apt
-  #       id: import_gpg
+        run: |
-  #       uses: https://github.com/crazy-max/ghaction-import-gpg@v6
+          apt update --yes
-  #       with:
+          apt install --yes curl ca-certificates curl gnupg jq
-  #         gpg_private_key: ${{ secrets.GPGSIGN_KEY }}
-  #         passphrase: ${{ secrets.GPGSIGN_PASSPHRASE }}
-  #         fingerprint: CC64B1DB67ABBEECAB24B6455FC346329753F4B0
 
-  #     # Using helm gpg plugin as 'helm package --sign' has issues with gpg2: https://github.com/helm/helm/issues/2843
+      - name: Install helm
-  #     - name: package chart
+        env:
-  #       run: |
+          # renovate: datasource=docker depName=alpine/helm
-  #         echo ${{ secrets.DOCKER_CHARTS_PASSWORD }} | docker login -u ${{ secrets.DOCKER_CHARTS_USERNAME }} --password-stdin
+          HELM_VERSION: "3.18.6"
-  #         # FIXME: use upstream after https://github.com/technosophos/helm-gpg/issues/1 is solved
+        run: |
-  #         helm plugin install https://github.com/pat-s/helm-gpg
+          curl --fail --location --output /dev/stdout --silent --show-error https://get.helm.sh/helm-v${HELM_VERSION}-linux-$(dpkg --print-architecture).tar.gz | tar --extract --gzip --file /dev/stdin
-  #         helm dependency build
+          mv linux-$(dpkg --print-architecture)/helm /usr/local/bin/
-  #         helm package --version "${GITHUB_REF#refs/tags/v}" ./
+          rm --force --recursive linux-$(dpkg --print-architecture) helm-v${HELM_VERSION}-linux-$(dpkg --print-architecture).tar.gz
-  #         mkdir gitea
+          helm version
-  #         mv gitea*.tgz gitea/
-  #         curl -s -L -o gitea/index.yaml https://dl.gitea.com/charts/index.yaml
-  #         helm repo index gitea/ --url https://dl.gitea.com/charts --merge gitea/index.yaml
-  #         # push to dockerhub
-  #         echo ${{ secrets.DOCKER_CHARTS_PASSWORD }} | helm registry login -u ${{ secrets.DOCKER_CHARTS_USERNAME }} registry-1.docker.io --password-stdin
-  #         helm push gitea/gitea-${GITHUB_REF#refs/tags/v}.tgz oci://registry-1.docker.io/giteacharts
-  #         helm registry logout registry-1.docker.io
 
-  #     - name: aws credential configure
+      - name: Install yq
-  #       uses: https://github.com/aws-actions/configure-aws-credentials@v4
+        env:
-  #       with:
+          YQ_VERSION: v4.45.4 # renovate: datasource=github-releases depName=mikefarah/yq
-  #         aws-access-key-id: ${{ secrets.AWS_KEY_ID }}
+        run: |
-  #         aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          curl --fail --location --output /dev/stdout --silent --show-error https://github.com/mikefarah/yq/releases/download/${YQ_VERSION}/yq_linux_$(dpkg --print-architecture).tar.gz | tar --extract --gzip --file /dev/stdin
-  #         aws-region: ${{ secrets.AWS_REGION }}
+          mv yq_linux_$(dpkg --print-architecture) /usr/local/bin
+          rm --force --recursive yq_linux_$(dpkg --print-architecture) yq_linux_$(dpkg --print-architecture).tar.gz
+          yq --version
 
-  #     - name: Copy files to S3 and clear cache
+      - name: Install docker-ce via apt
-  #       run: |
+        run: |
-  #         aws s3 sync gitea/ s3://${{ secrets.AWS_S3_BUCKET}}/charts/
+          install -m 0755 -d /etc/apt/keyrings
+          curl --fail --location --silent --show-error https://download.docker.com/linux/ubuntu/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg
+          chmod a+r /etc/apt/keyrings/docker.gpg
+          echo "deb [arch="$(dpkg --print-architecture)" signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu "$(. /etc/os-release && echo "$VERSION_CODENAME")" stable" | tee /etc/apt/sources.list.d/docker.list > /dev/null
+          apt update --yes
+          apt install --yes python3 python3-pip apt-transport-https docker-ce-cli
+
+      - name: Install awscli
+        run: |
+          pip install awscli --break-system-packages
+          aws --version
+
+      - name: Import GPG key
+        id: import_gpg
+        uses: https://github.com/crazy-max/ghaction-import-gpg@v6
+        with:
+          gpg_private_key: ${{ secrets.GPGSIGN_KEY }}
+          passphrase: ${{ secrets.GPGSIGN_PASSPHRASE }}
+          fingerprint: CC64B1DB67ABBEECAB24B6455FC346329753F4B0
+
+      - name: Add Artifacthub.io annotations
+        run: |
+          NEW_TAG="$(git tag --sort=-version:refname | head --lines 1)"
+          OLD_TAG="$(git tag --sort=-version:refname | head --lines 2 | tail --lines 1)"
+          .gitea/scripts/add-annotations.sh "${OLD_TAG}" "${NEW_TAG}"
+
+      - name: Print Chart.yaml on stdout
+        run: cat Chart.yaml
+
+      # Using helm gpg plugin as 'helm package --sign' has issues with gpg2: https://github.com/helm/helm/issues/2843
+      - name: Package Helm chart
+        run: |
+          echo ${{ secrets.DOCKER_CHARTS_PASSWORD }} | docker login -u ${{ secrets.DOCKER_CHARTS_USERNAME }} --password-stdin
+          # FIXME: use upstream after https://github.com/technosophos/helm-gpg/issues/1 is solved
+          helm plugin install https://github.com/pat-s/helm-gpg
+          helm dependency build
+          helm package --version "${GITHUB_REF#refs/tags/v}" ./
+          mkdir gitea
+          mv gitea*.tgz gitea/
+          curl --fail --location --output gitea/index.yaml --silent --show-error https://dl.gitea.com/charts/index.yaml
+          helm repo index gitea/ --url https://dl.gitea.com/charts --merge gitea/index.yaml
+          # push to dockerhub
+          echo ${{ secrets.DOCKER_CHARTS_PASSWORD }} | helm registry login -u ${{ secrets.DOCKER_CHARTS_USERNAME }} registry-1.docker.io --password-stdin
+          helm push gitea/gitea-${GITHUB_REF#refs/tags/v}.tgz oci://registry-1.docker.io/giteacharts
+          helm registry logout registry-1.docker.io
+
+      - name: Configure AWS credentials
+        uses: https://github.com/aws-actions/configure-aws-credentials@v5
+        with:
+          aws-access-key-id: ${{ secrets.AWS_KEY_ID }}
+          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          aws-region: ${{ secrets.AWS_REGION }}
+
+      - name: Copy files to S3 and clear cache
+        run: |
+          aws s3 sync gitea/ s3://${{ secrets.AWS_S3_BUCKET}}/charts/
 
   release-gitea:
-    # needs: generate-chart-publish
+    container: docker.io/thegeeklab/git-sv:2.0.5
+    needs: generate-chart-publish
     runs-on: ubuntu-latest
-    container: docker.io/thegeeklab/git-sv:2.0.1
     steps:
-      - name: install tools
+      - name: Install packages via apt
         run: |
           apk add -q --update --no-cache nodejs
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5.0.0
         with:
           fetch-tags: true
           fetch-depth: 0

.gitea/workflows/test-pr.yml

@@ -1,45 +0,0 @@
-name: check-and-test
-
-on:
-  pull_request:
-    branches:
-      - "*"
-  push:
-    branches:
-      - main
-
-env:
-  # renovate: datasource=github-releases depName=helm-unittest/helm-unittest
-  HELM_UNITTEST_VERSION: "v0.8.2"
-
-jobs:
-  check-and-test:
-    runs-on: ubuntu-latest
-    container: alpine/helm:3.17.3
-    steps:
-      - name: install tools
-        run: |
-          apk update
-          apk add --update bash make nodejs npm yamllint ncurses
-      - uses: actions/checkout@v4
-      - name: install chart dependencies
-        run: helm dependency build
-      - name: lint
-        run: helm lint
-      - name: template
-        run: helm template --debug gitea-helm .
-      - name: prepare unit test environment
-        run: |
-          helm plugin install --version ${{ env.HELM_UNITTEST_VERSION }} https://github.com/helm-unittest/helm-unittest
-          git submodule update --init --recursive
-      - name: unit tests
-        env:
-          TERM: xterm
-        run: |
-          make unittests
-      - name: verify readme
-        run: |
-          make readme
-          git diff --exit-code --name-only README.md
-      - name: yaml lint
-        uses: https://github.com/ibiqlik/action-yamllint@v3

.gitea/workflows/update-changelog.yml

@@ -0,0 +1,29 @@
+name: Update changelog
+
+on:
+  push:
+    branches: [ "main" ]
+  workflow_dispatch: {}
+
+jobs:
+  changelog:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Install packages via apt-get
+        run: |
+          apt-get update &&
+          apt-get install --yes curl jq
+      - uses: actions/checkout@v5.0.0
+        with:
+          fetch-depth: 0
+      - name: Install git-sv
+        env:
+          GIT_SV_VERSION: v2.0.4 # renovate: datasource=github-releases depName=thegeeklab/git-sv
+        run: |
+          curl --fail --location --output /usr/local/bin/git-sv --silent --show-error https://github.com/thegeeklab/git-sv/releases/download/${GIT_SV_VERSION}/git-sv-linux-$(dpkg --print-architecture)
+          chmod +x /usr/local/bin/git-sv
+          git-sv --version
+      - name: Update changelog issue
+        env:
+          ISSUE_RW_TOKEN: ${{ secrets.ISSUE_RW_TOKEN }}
+        run: .gitea/scripts/update-changelog.sh

.markdownlink.json

@@ -0,0 +1,8 @@
+{
+  "projectBaseUrl":"${workspaceFolder}",
+  "ignorePatterns": [
+    {
+      "pattern": "^http://localhost"
+    }
+  ]
+}

.vscode/settings.json

@@ -1,6 +1,6 @@
 {
     "yaml.schemas": {
-        "https://raw.githubusercontent.com/helm-unittest/helm-unittest/v0.8.2/schema/helm-testsuite.json": [
+        "https://raw.githubusercontent.com/helm-unittest/helm-unittest/v1.0.1/schema/helm-testsuite.json": [
             "/unittests/**/*.yaml"
         ]
     },

CODEOWNERS

@@ -1 +1 @@
-charts/* @justusbunsi @pat-s
+* @rossigee @volker.raschek @ChristopherHX

CONTRIBUTING.md

@@ -44,8 +44,7 @@ be used:
    `helm install --dependency-update gitea . -f values.yaml`.
 1. Gitea is now deployed in `minikube`.
    To access it, it's port needs to be forwarded first from `minikube` to localhost first via `kubectl --namespace
-default port-forward svc/gitea-http 3000:3000`.
+default port-forward svc/gitea-http 3000:3000`. Now Gitea is accessible at [http://localhost:3000](http://localhost:3000).
-   Now Gitea is accessible at [http://localhost:3000](http://localhost:3000).
 
 ### Unit tests
 

Chart.lock

@@ -1,15 +1,15 @@
 dependencies:
 - name: postgresql
   repository: oci://registry-1.docker.io/bitnamicharts
-  version: 16.7.2
+  version: 16.7.27
 - name: postgresql-ha
   repository: oci://registry-1.docker.io/bitnamicharts
-  version: 16.0.3
+  version: 16.3.2
 - name: valkey-cluster
   repository: oci://registry-1.docker.io/bitnamicharts
-  version: 3.0.5
+  version: 3.0.24
 - name: valkey
   repository: oci://registry-1.docker.io/bitnamicharts
-  version: 3.0.4
+  version: 3.0.31
-digest: sha256:9f184e842e4e04f7a1a3791ed92ab2ce085c4cf8f9dc9ce9a70b45b8af4c3c3c
+digest: sha256:ceb6a1890cfdc2627abb85d3e2a4baa64d30afd21dcfabce978a824a67f0a2bb
-generated: "2025-05-10T03:23:40.55670864Z"
+generated: "2025-08-30T00:03:04.59764502Z"

Chart.yaml

@@ -4,7 +4,7 @@ description: Gitea Helm chart for Kubernetes
 type: application
 version: 0.0.0
 # renovate datasource=github-releases depName=go-gitea/gitea extractVersion=^v(?<version>.*)$
-appVersion: 1.23.8
+appVersion: 1.24.6
 icon: https://gitea.com/assets/img/logo.svg
 
 keywords:
@@ -19,37 +19,40 @@ sources:
   - https://github.com/go-gitea/gitea
   - https://docker.gitea.com/gitea
 maintainers:
-  - name: Charlie Drage
+  # https://gitea.com/rossigee
-    email: charlie@charliedrage.com
+  - name: Ross Golder
-  - name: Gitea Authors
+    email: ross@golder.org
-    email: maintainers@gitea.io
+
-  - name: Konrad Lother
+  # https://gitea.com/volker.raschek
-    email: konrad.lother@novum-rgi.de
+  - name: Markus Pesch
-  - name: Lucas Hahn
+    email: markus.pesch+apps@cryptic.systems
-    email: lucas.hahn@novum-rgi.de
+
-  - name: Steven Kriegler
+  # https://gitea.com/DaanSelen
-    email: sk.bunsenbrenner@gmail.com
+  - name: Daan Selen
-  - name: Patrick Schratz
+    email: dselen@nerthus.nl
-    email: patrick.schratz@gmail.com
+
+  # https://gitea.com/ChristopherHX
+  - name: Christopher Homberger
+    email: christopher.homberger@web.de
 
 dependencies:
   # https://github.com/bitnami/charts/blob/main/bitnami/postgresql
   - name: postgresql
     repository: oci://registry-1.docker.io/bitnamicharts
-    version: 16.7.2
+    version: 16.7.27
     condition: postgresql.enabled
   # https://github.com/bitnami/charts/blob/main/bitnami/postgresql-ha/Chart.yaml
   - name: postgresql-ha
     repository: oci://registry-1.docker.io/bitnamicharts
-    version: 16.0.3
+    version: 16.3.2
     condition: postgresql-ha.enabled
   # https://github.com/bitnami/charts/blob/main/bitnami/valkey-cluster/Chart.yaml
   - name: valkey-cluster
     repository: oci://registry-1.docker.io/bitnamicharts
-    version: 3.0.5
+    version: 3.0.24
     condition: valkey-cluster.enabled
   # https://github.com/bitnami/charts/blob/main/bitnami/valkey/Chart.yaml
   - name: valkey
     repository: oci://registry-1.docker.io/bitnamicharts
-    version: 3.0.4
+    version: 3.0.31
     condition: valkey.enabled

README.md

@@ -17,7 +17,7 @@
     - [Rootless Defaults](#rootless-defaults)
     - [Session, Cache and Queue](#session-cache-and-queue)
   - [Single-Pod Configurations](#single-pod-configurations)
-  - [Additional _app.ini_ settings](#additional-appini-settings)
+  - [Additional app.ini settings](#additional-appini-settings)
     - [User defined environment variables in app.ini](#user-defined-environment-variables-in-appini)
   - [External Database](#external-database)
   - [Ports and external url](#ports-and-external-url)
@@ -33,6 +33,7 @@
 - [Metrics and profiling](#metrics-and-profiling)
   - [Secure Metrics Endpoint](#secure-metrics-endpoint)
 - [Pod annotations](#pod-annotations)
+- [TLS certificate rotation](#tls-certificate-rotation)
 - [Themes](#themes)
 - [Renovate](#renovate)
 - [Parameters](#parameters)
@@ -71,7 +72,7 @@ Additionally, this chart allows to provide LDAP and admin user configuration wit
 ## Update and versioning policy
 
 The Gitea helm chart versioning does not follow Gitea's versioning.
-The latest chart version can be looked up in [https://dl.gitea.com/charts](https://dl.gitea.com/charts) or in the [repository releases](https://gitea.com/gitea/helm-gitea/releases).
+The latest chart version can be looked up in [https://dl.gitea.com/charts/](https://dl.gitea.com/charts/) or in the [repository releases](https://gitea.com/gitea/helm-gitea/releases).
 
 The chart aims to follow Gitea's releases closely.
 There might be times when the chart is behind the latest Gitea release.
@@ -101,8 +102,8 @@ These dependencies are enabled by default:
 
 Alternatively, the following non-HA replacements are available:
 
-- PostgreSQL ([Bitnami PostgreSQL](<Postgresql](https://github.com/bitnami/charts/blob/main/bitnami/postgresql/Chart.yaml)>))
+- PostgreSQL ([Bitnami PostgreSQL](https://github.com/bitnami/charts/blob/main/bitnami/postgresql/Chart.yaml))
-- Valkey ([Bitnami Valkey](<Valkey](https://github.com/bitnami/charts/blob/main/bitnami/valkey/Chart.yaml)>))
+- Valkey ([Bitnami Valkey](https://github.com/bitnami/charts/blob/main/bitnami/valkey/Chart.yaml))
 
 ### Dependency Versioning
 
@@ -166,7 +167,7 @@ available. As this is a Golang application, this can be implemented using `GOMAX
 of defining `GOMAXPROCS` automatically based on the defined CPU limit like `1000m`. Please keep in mind, that the CFS
 rate of `100ms` - default on each kubernetes node, is also very important to avoid CPU throttling.
 
-Further information about this topic can be found [here](https://kanishk.io/posts/cpu-throttling-in-containerized-go-apps/).
+Further information about this topic can be found [under this link](https://kanishk.io/posts/cpu-throttling-in-containerized-go-apps/).
 
 > [!NOTE]
 > The environment variable `GOMAXPROCS` is set automatically, when a CPU limit is defined. An explicit configuration is
@@ -265,7 +266,7 @@ If `.Values.image.rootless: true`, then the following will occur. In case you us
 
 - `$HOME` becomes `/data/gitea/git`
 
-  [see deployment.yaml](./templates/gitea/deployment.yaml) template inside (init-)container "env" declarations
+  [see deployment.yaml](./templates/deployment.yaml) template inside (init-)container "env" declarations
 
 - `START_SSH_SERVER: true` (Unless explicity overwritten by `gitea.config.server.START_SSH_SERVER`)
 
@@ -277,7 +278,7 @@ If `.Values.image.rootless: true`, then the following will occur. In case you us
 
 - `SSH_LOG_LEVEL` environment variable is not injected into the container
 
-  [see deployment.yaml](./templates/gitea/deployment.yaml) template inside container "env" declarations
+  [see deployment.yaml](./templates/deployment.yaml) template inside container "env" declarations
 
 #### Session, Cache and Queue
 
@@ -359,7 +360,7 @@ If HA is not needed/desired, the following configurations can be used to deploy
 
    </details>
 
-### Additional _app.ini_ settings
+### Additional app.ini settings
 
 > **The [generic](https://docs.gitea.com/administration/config-cheat-sheet#overall-default)
 > section cannot be defined that way.**
@@ -533,7 +534,7 @@ and the repository exists.
 ```
 
 To solve this problem add the capability `SYS_CHROOT` to the `securityContext`.
-More about this issue [here](https://gitea.com/gitea/helm-gitea/issues/161).
+More about this issue [under this link](https://gitea.com/gitea/helm-gitea/issues/161).
 
 ### Cache
 
@@ -693,7 +694,7 @@ Affected options:
 
 Like the admin user, OAuth2 settings can be updated and disabled but not deleted.
 Deleting OAuth2 settings has to be done in the ui.
-All OAuth2 values, which are documented [here](https://docs.gitea.com/administration/command-line#admin), are
+All OAuth2 values, which are documented [under this link](https://docs.gitea.com/administration/command-line#admin), are
 available.
 
 Multiple OAuth2 sources can be configured with additional OAuth list items.
@@ -816,6 +817,31 @@ gitea:
   podAnnotations: {}
 ```
 
+## TLS certificate rotation
+
+If Gitea uses TLS certificates that are mounted as a secret in the container file system, Gitea will not automatically apply them when the TLS certificates are rotated.
+Such a rotation can be for example triggered, when the cert-manager issues new TLS certificates before expiring. Further information is described as GitHub
+[issue](https://github.com/go-gitea/gitea/issues/27962).
+
+Until the issue is present, a workaround can be applied.
+For example stakater's [reloader](https://github.com/stakater/Reloader) controller can be used to trigger a rolling update.
+The following annotation must be added to instruct the reloader controller to trigger a rolling update, when the mounted `configMaps` and `secrets` have been changed.
+
+```yaml
+deployment:
+  annotations:
+    reloader.stakater.com/auto: "true"
+```
+
+Instead of triggering a rolling update for configMap and secret resources, this action can also be defined for individual items.
+For example, when the secret named `gitea-tls` is mounted and the reloader controller should only listen for changes of this secret:
+
+```yaml
+deployment:
+  annotations:
+    secret.reloader.stakater.com/reload: "gitea-tls"
+```
+
 ## Themes
 
 Custom themes can be added via k8s secrets and referencing them in `values.yaml`.
@@ -1044,6 +1070,8 @@ To comply with the Gitea helm chart definition of the digest parameter, a "custo
 | `persistence.subPath`                             | Subdirectory of the volume to mount at                                                                | `nil`                  |
 | `persistence.volumeName`                          | Name of persistent volume in PVC                                                                      | `""`                   |
 | `extraContainers`                                 | Additional sidecar containers to run in the pod                                                       | `[]`                   |
+| `preExtraInitContainers`                          | Additional init containers to run in the pod before Gitea runs it owns init containers.               | `[]`                   |
+| `postExtraInitContainers`                         | Additional init containers to run in the pod after Gitea runs it owns init containers.                | `[]`                   |
 | `extraVolumes`                                    | Additional volumes to mount to the Gitea deployment                                                   | `[]`                   |
 | `extraContainerVolumeMounts`                      | Mounts that are only mapped into the Gitea runtime/main container, to e.g. override custom templates. | `[]`                   |
 | `extraInitVolumeMounts`                           | Mounts that are only mapped into the init-containers. Can be used for additional preconfiguration.    | `[]`                   |
@@ -1130,6 +1158,17 @@ To comply with the Gitea helm chart definition of the digest parameter, a "custo
 | `gitea.startupProbe.successThreshold`    | Success threshold for startup probe             | `1`     |
 | `gitea.startupProbe.failureThreshold`    | Failure threshold for startup probe             | `10`    |
 
+### Network Policy
+
+| Name                        | Description                                                               | Value   |
+| --------------------------- | ------------------------------------------------------------------------- | ------- |
+| `networkPolicy.enabled`     | Enable network policies in general.                                       | `false` |
+| `networkPolicy.annotations` | Additional network policy annotations.                                    | `{}`    |
+| `networkPolicy.labels`      | Additional network policy labels.                                         | `{}`    |
+| `networkPolicy.policyTypes` | List of policy types. Supported is ingress, egress or ingress and egress. | `[]`    |
+| `networkPolicy.egress`      | Concrete egress network policy implementation.                            | `[]`    |
+| `networkPolicy.ingress`     | Concrete ingress network policy implementation.                           | `[]`    |
+
 ### valkey-cluster
 
 Valkey cluster and [Valkey](#valkey) cannot be enabled at the same time.
@@ -1167,6 +1206,7 @@ Valkey and [Valkey cluster](#valkey-cluster) cannot be enabled at the same time.
 | `postgresql-ha.postgresql.repmgrPassword`   | Repmgr Password                                                  | `changeme2` |
 | `postgresql-ha.postgresql.postgresPassword` | postgres Password                                                | `changeme1` |
 | `postgresql-ha.pgpool.adminPassword`        | pgpool adminPassword                                             | `changeme3` |
+| `postgresql-ha.pgpool.srCheckPassword`      | pgpool srCheckPassword                                           | `changeme4` |
 | `postgresql-ha.service.ports.postgresql`    | PostgreSQL service port (overrides `service.ports.postgresql`)   | `5432`      |
 | `postgresql-ha.persistence.size`            | PVC Storage Request for PostgreSQL HA volume                     | `10Gi`      |
 

package.json

@@ -9,11 +9,13 @@
     "npm": ">=8.0.0"
   },
   "scripts": {
+    "readme:link": "markdown-link-check --config .markdownlink.json *.md",
     "readme:lint": "markdownlint *.md -f",
     "readme:parameters": "readme-generator -v values.yaml -r README.md"
   },
   "devDependencies": {
     "@bitnami/readme-generator-for-helm": "^2.5.0",
-    "markdownlint-cli": "^0.44.0"
+    "markdown-link-check": "^3.13.6",
+    "markdownlint-cli": "^0.45.0"
   }
 }

renovate.json5

@@ -49,6 +49,14 @@
       ],
     },
   ],
+  lockFileMaintenance: {
+    "enabled": true,
+    "commitMessageAction": "update",
+    "commitMessageTopic": "lockfiles",
+    schedule: [
+      'at any time',
+    ]
+  },
   packageRules: [
     {
       groupName: 'subcharts (minor & patch)',

templates/_helpers.tpl

@@ -87,6 +87,12 @@ storageClassName: {{ $storageClass | quote }}
 {{- end }}
 {{- end -}}
 
+{{/*
+Common annotations
+*/}}
+{{- define "gitea.annotations" -}}
+{{- end }}
+
 {{/*
 Common labels
 */}}
@@ -361,16 +367,18 @@ https
   {{- if not .Values.gitea.config.server.SSH_PORT -}}
     {{- $_ := set .Values.gitea.config.server "SSH_PORT" .Values.service.ssh.port -}}
   {{- end -}}
-  {{- if not (hasKey .Values.gitea.config.server "SSH_LISTEN_PORT") -}}
-    {{- if not .Values.image.rootless -}}
-      {{- $_ := set .Values.gitea.config.server "SSH_LISTEN_PORT" .Values.gitea.config.server.SSH_PORT -}}
-    {{- else -}}
-      {{- $_ := set .Values.gitea.config.server "SSH_LISTEN_PORT" "2222" -}}
-    {{- end -}}
-  {{- end -}}
   {{- if not (hasKey .Values.gitea.config.server "START_SSH_SERVER") -}}
     {{- if .Values.image.rootless -}}
       {{- $_ := set .Values.gitea.config.server "START_SSH_SERVER" "true" -}}
+      {{- if not (hasKey .Values.gitea.config.server "SSH_LISTEN_PORT") -}}
+        {{- if not .Values.gitea.config.server.SSH_LISTEN_PORT -}}
+          {{- $_ := set .Values.gitea.config.server "SSH_LISTEN_PORT" .Values.gitea.config.server.SSH_PORT -}}
+        {{- else -}}
+          {{- $_ := set .Values.gitea.config.server "SSH_LISTEN_PORT" .Values.gitea.config.server.SSH_LISTEN_PORT -}}
+        {{- end -}}
+      {{- end -}}
+    {{- else -}}
+      {{- $_ := set .Values.gitea.config.server "START_SSH_SERVER" "false" -}}
     {{- end -}}
   {{- end -}}
   {{- if not (hasKey .Values.gitea.config.server "APP_DATA_PATH") -}}

templates/_networkPolicy.tpl

@@ -0,0 +1,19 @@
+{{/* vim: set filetype=mustache: */}}
+
+{{/* annotations */}}
+
+{{- define "gitea.networkPolicy.annotations" -}}
+{{ include "gitea.annotations" . }}
+{{- if .Values.networkPolicy.annotations }}
+{{ toYaml .Values.networkPolicy.annotations }}
+{{- end }}
+{{- end }}
+
+{{/* labels */}}
+
+{{- define "gitea.networkPolicy.labels" -}}
+{{ include "gitea.labels" . }}
+{{- if .Values.networkPolicy.labels }}
+{{ toYaml .Values.networkPolicy.labels }}
+{{- end }}
+{{- end }}

templates/_pod.tpl

@@ -0,0 +1,17 @@
+---
+
+{{/* labels */}}
+
+{{- define "gitea.pod.labels" -}}
+{{- include "gitea.labels" . }}
+{{- if .Values.deployment.labels }}
+{{ toYaml .Values.deployment.labels }}
+{{- end }}
+{{- end }}
+
+{{- define "gitea.pod.selectorLabels" -}}
+{{- include "gitea.selectorLabels" . }}
+{{- if .Values.deployment.labels }}
+{{ toYaml .Values.deployment.labels }}
+{{- end }}
+{{- end }}

templates/config.yaml

@@ -27,7 +27,7 @@ stringData:
     {{- end }}
     
     {{- /* multiple replicas assertions */ -}}
-    {{- if gt .Values.replicaCount 1.0 -}}
+    {{- if gt (.Values.replicaCount | int) 1 -}}
       {{- if .Values.gitea.config.cron -}}
         {{- if .Values.gitea.config.cron.GIT_GC_REPOS -}}
           {{- if eq .Values.gitea.config.cron.GIT_GC_REPOS.ENABLED true -}}

templates/deployment.yaml

@@ -23,14 +23,11 @@ spec:
     {{- end }}
   selector:
     matchLabels:
-      {{- include "gitea.selectorLabels" . | nindent 6 }}
+      {{- include "gitea.pod.selectorLabels" . | nindent 6 }}
-      {{- if .Values.deployment.labels }}
-      {{- toYaml .Values.deployment.labels | nindent 6 }}
-      {{- end }}
   template:
     metadata:
       annotations:
-        checksum/config: {{ include (print $.Template.BasePath "/gitea/config.yaml") . | sha256sum }}
+        checksum/config: {{ include (print $.Template.BasePath "/config.yaml") . | sha256sum }}
         {{- range $idx, $value := .Values.gitea.ldap }}
         checksum/ldap_{{ $idx }}: {{ include "gitea.ldap_settings" (list $idx $value) | sha256sum }}
         {{- end }}
@@ -41,10 +38,7 @@ spec:
         {{- toYaml . | nindent 8 }}
         {{- end }}
       labels:
-        {{- include "gitea.labels" . | nindent 8 }}
+        {{- include "gitea.pod.labels" . | nindent 8 }}
-        {{- if .Values.deployment.labels }}
-        {{- toYaml .Values.deployment.labels | nindent 8 }}
-        {{- end }}
     spec:
       {{- if .Values.schedulerName }}
       schedulerName: "{{ .Values.schedulerName }}"
@@ -59,6 +53,9 @@ spec:
       securityContext:
         {{- toYaml .Values.podSecurityContext | nindent 8 }}
       initContainers:
+        {{- if .Values.preExtraInitContainers }}
+        {{- toYaml .Values.preExtraInitContainers | nindent 8 }}
+        {{- end }}
         - name: init-directories
           image: "{{ include "gitea.image" . }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
@@ -272,6 +269,9 @@ spec:
             {{- include "gitea.init-additional-mounts" . | nindent 12 }}
           resources:
             {{- toYaml .Values.initContainers.resources | nindent 12 }}
+        {{- if .Values.postExtraInitContainers }}
+        {{- toYaml .Values.postExtraInitContainers | nindent 8 }}
+        {{- end }}
       terminationGracePeriodSeconds: {{ .Values.deployment.terminationGracePeriodSeconds }}
       containers:
         - name: {{ .Chart.Name }}

templates/networkPolicy.yaml

@@ -0,0 +1,32 @@
+{{- if .Values.networkPolicy.enabled }}
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  {{- with (include "gitea.networkPolicy.annotations" . | fromYaml) }}
+  annotations:
+    {{- tpl (toYaml .) $ | nindent 4 }}
+  {{- end }}
+  {{- with (include "gitea.networkPolicy.labels" . | fromYaml) }}
+  labels:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  name: {{ include "gitea.fullname" . }}
+  namespace: {{ .Release.Namespace }}
+spec:
+  podSelector:
+    matchLabels:
+      {{- include "gitea.pod.selectorLabels" $ | nindent 6 }}
+  {{- with .Values.networkPolicy.policyTypes }}
+  policyTypes:
+  {{- toYaml . | nindent 2 }}
+  {{- end }}
+  {{- with .Values.networkPolicy.egress }}
+  egress:
+  {{- toYaml . | nindent 2 }}
+  {{- end }}
+  {{- with .Values.networkPolicy.ingress }}
+  ingress:
+  {{- toYaml . | nindent 2 }}
+  {{- end }}
+{{- end }}

templates/pvc.yaml

@@ -10,7 +10,7 @@ metadata:
 {{ .Values.persistence.labels | toYaml | indent 4}}
 spec:
   accessModes:
-  {{- if gt .Values.replicaCount 1.0 }}
+  {{- if gt (.Values.replicaCount | int) 1 }}
       - ReadWriteMany
   {{- else }}
     {{- .Values.persistence.accessModes | toYaml | nindent 4 }}

unittests/helm/config/actions-config.yaml

@@ -3,17 +3,17 @@ release:
   name: gitea-unittests
   namespace: testing
 templates:
-  - templates/gitea/config.yaml
+  - templates/config.yaml
 tests:
   - it: "actions are enabled by default (based on vanilla Gitea behavior)"
-    template: templates/gitea/config.yaml
+    template: templates/config.yaml
     asserts:
       - documentIndex: 0
         notExists:
           path: stringData.actions
 
   - it: "actions can be disabled via inline config"
-    template: templates/gitea/config.yaml
+    template: templates/config.yaml
     set:
       gitea.config.actions.ENABLED: false
     asserts:

unittests/helm/config/cache-config.yaml

@@ -4,7 +4,7 @@ release:
   namespace: testing
 tests:
   - it: "cache is configured correctly for valkey-cluster"
-    template: templates/gitea/config.yaml
+    template: templates/config.yaml
     set:
       valkey-cluster:
         enabled: true
@@ -19,7 +19,7 @@ tests:
             HOST=redis+cluster://:@gitea-unittests-valkey-cluster-headless.testing.svc.cluster.local:6379/0?pool_size=100&idle_timeout=180s&
 
   - it: "cache is configured correctly for valkey"
-    template: templates/gitea/config.yaml
+    template: templates/config.yaml
     set:
       valkey-cluster:
         enabled: false
@@ -34,7 +34,7 @@ tests:
             HOST=redis://:changeme@gitea-unittests-valkey-headless.testing.svc.cluster.local:6379/0?pool_size=100&idle_timeout=180s&
 
   - it: "cache is configured correctly for 'memory' when valkey (or valkey-cluster) is disabled"
-    template: templates/gitea/config.yaml
+    template: templates/config.yaml
     set:
       valkey-cluster:
         enabled: false
@@ -49,7 +49,7 @@ tests:
             HOST=
 
   - it: "cache can be customized when valkey (or valkey-cluster) is disabled"
-    template: templates/gitea/config.yaml
+    template: templates/config.yaml
     set:
       valkey-cluster:
         enabled: false

unittests/helm/config/metrics-section_metrics-token.yaml

@@ -4,7 +4,7 @@ release:
   namespace: testing
 tests:
   - it: metrics token is set
-    template: templates/gitea/config.yaml
+    template: templates/config.yaml
     set:
       gitea:
         metrics:
@@ -18,7 +18,7 @@ tests:
             ENABLED=true
             TOKEN=somepassword
   - it: metrics token is empty
-    template: templates/gitea/config.yaml
+    template: templates/config.yaml
     set:
       gitea:
         metrics:
@@ -31,7 +31,7 @@ tests:
           value: |-
             ENABLED=true
   - it: metrics token is nil
-    template: templates/gitea/config.yaml
+    template: templates/config.yaml
     set:
       gitea:
         metrics:
@@ -44,7 +44,7 @@ tests:
           value: |-
             ENABLED=true
   - it: does not configures a token if metrics are disabled
-    template: templates/gitea/config.yaml
+    template: templates/config.yaml
     set:
       gitea:
         metrics:

unittests/helm/config/queue-config.yaml

@@ -4,7 +4,7 @@ release:
   namespace: testing
 tests:
   - it: "queue is configured correctly for valkey-cluster"
-    template: templates/gitea/config.yaml
+    template: templates/config.yaml
     set:
       valkey-cluster:
         enabled: true
@@ -19,7 +19,7 @@ tests:
             TYPE=redis
 
   - it: "queue is configured correctly for valkey"
-    template: templates/gitea/config.yaml
+    template: templates/config.yaml
     set:
       valkey-cluster:
         enabled: false
@@ -34,7 +34,7 @@ tests:
             TYPE=redis
 
   - it: "queue is configured correctly for 'levelDB' when valkey (and valkey-cluster) is disabled"
-    template: templates/gitea/config.yaml
+    template: templates/config.yaml
     set:
       valkey-cluster:
         enabled: false
@@ -49,7 +49,7 @@ tests:
             TYPE=level
 
   - it: "queue can be customized when valkey (and valkey-cluster) are disabled"
-    template: templates/gitea/config.yaml
+    template: templates/config.yaml
     set:
       valkey-cluster:
         enabled: false

unittests/helm/config/server-section_domain.yaml

@@ -4,7 +4,7 @@ release:
   namespace: testing
 tests:
   - it: "[default values] uses ingress host for DOMAIN|SSH_DOMAIN|ROOT_URL"
-    template: templates/gitea/config.yaml
+    template: templates/config.yaml
     asserts:
       - documentIndex: 0
         matchRegex:
@@ -22,7 +22,7 @@ tests:
   ################################################
 
   - it: "[no ingress hosts] uses gitea http service for DOMAIN|SSH_DOMAIN|ROOT_URL"
-    template: templates/gitea/config.yaml
+    template: templates/config.yaml
     set:
       ingress:
         hosts: []
@@ -43,7 +43,7 @@ tests:
   ################################################
 
   - it: "[provided via values] uses that for DOMAIN|SSH_DOMAIN|ROOT_URL"
-    template: templates/gitea/config.yaml
+    template: templates/config.yaml
     set:
       gitea.config.server.DOMAIN: provided.example.com
       ingress:

unittests/helm/config/session-config.yaml

@@ -4,7 +4,7 @@ release:
   namespace: testing
 tests:
   - it: "session is configured correctly for valkey-cluster"
-    template: templates/gitea/config.yaml
+    template: templates/config.yaml
     set:
       valkey-cluster:
         enabled: true
@@ -19,7 +19,7 @@ tests:
             PROVIDER_CONFIG=redis+cluster://:@gitea-unittests-valkey-cluster-headless.testing.svc.cluster.local:6379/0?pool_size=100&idle_timeout=180s&
 
   - it: "session is configured correctly for valkey"
-    template: templates/gitea/config.yaml
+    template: templates/config.yaml
     set:
       valkey-cluster:
         enabled: false
@@ -34,7 +34,7 @@ tests:
             PROVIDER_CONFIG=redis://:changeme@gitea-unittests-valkey-headless.testing.svc.cluster.local:6379/0?pool_size=100&idle_timeout=180s&
 
   - it: "session is configured correctly for 'memory' when valkey (and valkey-cluster) is disabled"
-    template: templates/gitea/config.yaml
+    template: templates/config.yaml
     set:
       valkey-cluster:
         enabled: false
@@ -49,7 +49,7 @@ tests:
             PROVIDER_CONFIG=
 
   - it: "session can be customized when valkey (and valkey-cluster) is disabled"
-    template: templates/gitea/config.yaml
+    template: templates/config.yaml
     set:
       valkey-cluster:
         enabled: false

unittests/helm/dependency-checks/customization-integrity-postgresql-ha.yaml

@@ -18,6 +18,7 @@ set:
       password: custom-password-overwritten-by-global-postgresql-password
     pgpool:
       adminPassword: custom-password-pgpool
+      srCheckPassword: custom-password-sr-check
     service:
       ports:
         postgresql: 1234
@@ -75,6 +76,13 @@ tests:
         equal:
           path: data["admin-password"]
           value: "Y3VzdG9tLXBhc3N3b3JkLXBncG9vbA=="
+  - it: "[postgresql-ha] pgpool.srCheckPassword is applied as expected"
+    template: charts/postgresql-ha/templates/pgpool/secrets.yaml
+    asserts:
+      - documentIndex: 0
+        equal:
+          path: data["sr-check-password"]
+          value: "Y3VzdG9tLXBhc3N3b3JkLXNyLWNoZWNr"
   - it: "[postgresql-ha] persistence.size is applied as expected"
     template: charts/postgresql-ha/templates/postgresql/statefulset.yaml
     asserts:
@@ -98,14 +106,14 @@ tests:
           name: gitea-unittests-postgresql-ha-pgpool
           namespace: testing
   - it: "[gitea] connects to pgpool service"
-    template: templates/gitea/config.yaml
+    template: templates/config.yaml
     asserts:
       - documentIndex: 0
         matchRegex:
           path: stringData.database
           pattern: HOST=gitea-unittests-postgresql-ha-pgpool.testing.svc.cluster.local:1234
   - it: "[gitea] connects to configured database"
-    template: templates/gitea/config.yaml
+    template: templates/config.yaml
     asserts:
       - documentIndex: 0
         matchRegex:

unittests/helm/dependency-checks/customization-integrity-postgresql.yaml

@@ -65,14 +65,14 @@ tests:
           name: gitea-unittests-postgresql
           namespace: testing
   - it: "[gitea] connects to postgresql service"
-    template: templates/gitea/config.yaml
+    template: templates/config.yaml
     asserts:
       - documentIndex: 0
         matchRegex:
           path: stringData.database
           pattern: HOST=gitea-unittests-postgresql.testing.svc.cluster.local:1234
   - it: "[gitea] connects to configured database"
-    template: templates/gitea/config.yaml
+    template: templates/config.yaml
     asserts:
       - documentIndex: 0
         matchRegex:

unittests/helm/dependency-checks/customization-integrity-valkey-cluster.yaml

@@ -82,7 +82,7 @@ tests:
             port: 6379
             targetPort: tcp-redis
   - it: "[gitea] waits for valkey-cluster to be up and running"
-    template: templates/gitea/init.yaml
+    template: templates/init.yaml
     asserts:
       - documentIndex: 0
         matchRegex:

unittests/helm/dependency-checks/customization-integrity-valkey.yaml

@@ -44,7 +44,7 @@ tests:
             port: 6379
             targetPort: redis
   - it: "[gitea] waits for valkey to be up and running"
-    template: templates/gitea/init.yaml
+    template: templates/init.yaml
     asserts:
       - documentIndex: 0
         matchRegex:

unittests/helm/deployment/HA.yaml

@@ -3,11 +3,11 @@ release:
   name: gitea-unittests
   namespace: testing
 templates:
-  - templates/gitea/deployment.yaml
+  - templates/deployment.yaml
-  - templates/gitea/config.yaml
+  - templates/config.yaml
 tests:
   - it: fails with multiple replicas and "GIT_GC_REPOS" enabled
-    template: templates/gitea/deployment.yaml
+    template: templates/deployment.yaml
     set:
       replicaCount: 2
       persistence:
@@ -22,14 +22,14 @@ tests:
       - failedTemplate:
           errorMessage: "Invoking the garbage collector via CRON is not yet supported when running with multiple replicas. Please set 'gitea.config.cron.GIT_GC_REPOS.enabled = false'."
   - it: fails with multiple replicas and RWX file system not set
-    template: templates/gitea/deployment.yaml
+    template: templates/deployment.yaml
     set:
       replicaCount: 2
     asserts:
       - failedTemplate:
           errorMessage: "When using multiple replicas, a RWX file system is required and persistence.accessModes[0] must be set to ReadWriteMany."
   - it: fails with multiple replicas and bleve issue indexer
-    template: templates/gitea/deployment.yaml
+    template: templates/deployment.yaml
     set:
       replicaCount: 2
       persistence:
@@ -43,7 +43,7 @@ tests:
       - failedTemplate:
           errorMessage: "When using multiple replicas, the issue indexer (gitea.config.indexer.ISSUE_INDEXER_TYPE) must be set to a HA-ready provider such as 'meilisearch', 'elasticsearch' or 'db' (if the DB is HA-ready)."
   - it: fails with multiple replicas and bleve repo indexer
-    template: templates/gitea/deployment.yaml
+    template: templates/deployment.yaml
     set:
       replicaCount: 2
       persistence:

unittests/helm/deployment/basic.yaml

@@ -3,11 +3,11 @@ release:
   name: gitea-unittests
   namespace: testing
 templates:
-  - templates/gitea/deployment.yaml
+  - templates/deployment.yaml
-  - templates/gitea/config.yaml
+  - templates/config.yaml
 tests:
   - it: renders a deployment
-    template: templates/gitea/deployment.yaml
+    template: templates/deployment.yaml
     asserts:
       - hasDocuments:
           count: 1
@@ -16,7 +16,7 @@ tests:
           apiVersion: apps/v1
           name: gitea-unittests
   - it: deployment labels are set
-    template: templates/gitea/deployment.yaml
+    template: templates/deployment.yaml
     set:
       deployment.labels:
         hello: world
@@ -30,7 +30,7 @@ tests:
           content:
             hello: world
   - it: "injects TMP_EXISTING_ENVS_FILE as environment variable to 'init-app-ini' init container"
-    template: templates/gitea/deployment.yaml
+    template: templates/deployment.yaml
     asserts:
       - contains:
           path: spec.template.spec.initContainers[1].env
@@ -38,7 +38,7 @@ tests:
             name: TMP_EXISTING_ENVS_FILE
             value: /tmp/existing-envs
   - it: "injects ENV_TO_INI_MOUNT_POINT as environment variable to 'init-app-ini' init container"
-    template: templates/gitea/deployment.yaml
+    template: templates/deployment.yaml
     asserts:
       - contains:
           path: spec.template.spec.initContainers[1].env
@@ -46,7 +46,7 @@ tests:
             name: ENV_TO_INI_MOUNT_POINT
             value: /env-to-ini-mounts
   - it: CPU resources are defined as well as GOMAXPROCS
-    template: templates/gitea/deployment.yaml
+    template: templates/deployment.yaml
     set:
       resources:
         limits:
@@ -74,7 +74,7 @@ tests:
               cpu: 100ms
               memory: 100Mi
   - it: Init containers have correct volumeMount path
-    template: templates/gitea/deployment.yaml
+    template: templates/deployment.yaml
     set:
       initContainersScriptsVolumeMountPath: "/custom/init/path"
     asserts:
@@ -85,7 +85,7 @@ tests:
           path: spec.template.spec.initContainers[*].volumeMounts[?(@.name=="config")].mountPath
           value: "/custom/init/path"
   - it: Init containers have correct volumeMount path if there is no override
-    template: templates/gitea/deployment.yaml
+    template: templates/deployment.yaml
     asserts:
       - equal:
           path: spec.template.spec.initContainers[*].volumeMounts[?(@.name=="init")].mountPath

unittests/helm/deployment/deployment-additional-config.yaml

@@ -3,11 +3,11 @@ release:
   name: gitea-unittests
   namespace: testing
 templates:
-  - templates/gitea/deployment.yaml
+  - templates/deployment.yaml
-  - templates/gitea/config.yaml
+  - templates/config.yaml
 tests:
   - it: Renders a deployment
-    template: templates/gitea/deployment.yaml
+    template: templates/deployment.yaml
     asserts:
       - hasDocuments:
           count: 1
@@ -16,7 +16,7 @@ tests:
           apiVersion: apps/v1
           name: gitea-unittests
   - it: Deployment with empty additionalConfigFromEnvs
-    template: templates/gitea/deployment.yaml
+    template: templates/deployment.yaml
     set:
       gitea.additionalConfigFromEnvs: []
     asserts:
@@ -44,7 +44,7 @@ tests:
               - name: ENV_TO_INI_MOUNT_POINT
                 value: /env-to-ini-mounts
   - it: Deployment with standard additionalConfigFromEnvs
-    template: templates/gitea/deployment.yaml
+    template: templates/deployment.yaml
     set:
       gitea.additionalConfigFromEnvs: [{name: GITEA_database_HOST, value: my-db:123}, {name: GITEA_database_USER, value: my-user}]
     asserts:
@@ -76,7 +76,7 @@ tests:
               - name: GITEA_database_USER
                 value: my-user
   - it: Deployment with templated additionalConfigFromEnvs
-    template: templates/gitea/deployment.yaml
+    template: templates/deployment.yaml
     set:
       gitea.misc.host: my-db-host:321
       gitea.misc.user: my-db-user
@@ -110,7 +110,7 @@ tests:
               - name: GITEA_database_USER
                 value: my-db-user
   - it: Deployment with additionalConfigFromEnvs templated secret name
-    template: templates/gitea/deployment.yaml
+    template: templates/deployment.yaml
     set:
       gitea.misc.existingSecret: my-db-secret
       gitea.additionalConfigFromEnvs[0]:

unittests/helm/deployment/extraInitContainers.yaml

@@ -0,0 +1,59 @@
+suite: deployment template
+release:
+  name: gitea-unittests
+  namespace: testing
+templates:
+  - templates/deployment.yaml
+  - templates/config.yaml
+tests:
+  - it: Render the deployment (default)
+    asserts:
+      - hasDocuments:
+          count: 1
+        template: templates/deployment.yaml
+      - lengthEqual:
+          path: spec.template.spec.initContainers
+          count: 3
+        template: templates/deployment.yaml
+
+  - it: Render the deployment (signing)
+    set:
+      signing.enabled: true
+    asserts:
+      - hasDocuments:
+          count: 1
+        template: templates/deployment.yaml
+      - lengthEqual:
+          path: spec.template.spec.initContainers
+          count: 4
+        template: templates/deployment.yaml
+
+  - it: Render the deployment (extraInitContainers)
+    set:
+      postExtraInitContainers:
+        - name: foo
+          image: docker.io/library/busybox:latest
+      preExtraInitContainers:
+        - name: bar
+          image: docker.io/library/busybox:latest
+      signing.enabled: true
+    asserts:
+      - hasDocuments:
+          count: 1
+        template: templates/deployment.yaml
+      - lengthEqual:
+          path: spec.template.spec.initContainers
+          count: 6
+        template: templates/deployment.yaml
+      - contains:
+          path: spec.template.spec.initContainers
+          content:
+            name: foo
+            image: docker.io/library/busybox:latest
+        template: templates/deployment.yaml
+      - contains:
+          path: spec.template.spec.initContainers
+          content:
+            name: bar
+            image: docker.io/library/busybox:latest
+        template: templates/deployment.yaml

unittests/helm/deployment/image-configuration.yaml

@@ -6,17 +6,17 @@ chart:
   # Override appVersion to be consistent with used digest :)
   appVersion: 1.19.3
 templates:
-  - templates/gitea/deployment.yaml
+  - templates/deployment.yaml
-  - templates/gitea/config.yaml
+  - templates/config.yaml
 tests:
   - it: default values
-    template: templates/gitea/deployment.yaml
+    template: templates/deployment.yaml
     asserts:
       - equal:
           path: spec.template.spec.containers[0].image
           value: "docker.gitea.com/gitea:1.19.3-rootless"
   - it: tag override
-    template: templates/gitea/deployment.yaml
+    template: templates/deployment.yaml
     set:
       image.tag: "1.19.4"
     asserts:
@@ -24,7 +24,7 @@ tests:
           path: spec.template.spec.containers[0].image
           value: "docker.gitea.com/gitea:1.19.4-rootless"
   - it: root-based image
-    template: templates/gitea/deployment.yaml
+    template: templates/deployment.yaml
     set:
       image.rootless: false
     asserts:
@@ -32,7 +32,7 @@ tests:
           path: spec.template.spec.containers[0].image
           value: "docker.gitea.com/gitea:1.19.3"
   - it: scoped registry
-    template: templates/gitea/deployment.yaml
+    template: templates/deployment.yaml
     set:
       image.registry: "example.com"
     asserts:
@@ -40,7 +40,7 @@ tests:
           path: spec.template.spec.containers[0].image
           value: "example.com/gitea:1.19.3-rootless"
   - it: global registry
-    template: templates/gitea/deployment.yaml
+    template: templates/deployment.yaml
     set:
       global.imageRegistry: "global.example.com"
     asserts:
@@ -48,7 +48,7 @@ tests:
           path: spec.template.spec.containers[0].image
           value: "global.example.com/gitea:1.19.3-rootless"
   - it: digest for rootless image
-    template: templates/gitea/deployment.yaml
+    template: templates/deployment.yaml
     set:
       image:
         rootless: true
@@ -58,7 +58,7 @@ tests:
           path: spec.template.spec.containers[0].image
           value: "docker.gitea.com/gitea:1.19.3-rootless@sha256:b28e8f3089b52ebe6693295df142f8c12eff354e9a4a5bfbb5c10f296c3a537a"
   - it: image fullOverride (does not append rootless)
-    template: templates/gitea/deployment.yaml
+    template: templates/deployment.yaml
     set:
       image:
         fullOverride: docker.gitea.com/gitea:1.19.3
@@ -73,7 +73,7 @@ tests:
           path: spec.template.spec.containers[0].image
           value: "docker.gitea.com/gitea:1.19.3"
   - it: digest for root-based image
-    template: templates/gitea/deployment.yaml
+    template: templates/deployment.yaml
     set:
       image:
         rootless: false
@@ -83,7 +83,7 @@ tests:
           path: spec.template.spec.containers[0].image
           value: "docker.gitea.com/gitea:1.19.3@sha256:b28e8f3089b52ebe6693295df142f8c12eff354e9a4a5bfbb5c10f296c3a537a"
   - it: digest and global registry
-    template: templates/gitea/deployment.yaml
+    template: templates/deployment.yaml
     set:
       global.imageRegistry: "global.example.com"
       image.digest: "sha256:b28e8f3089b52ebe6693295df142f8c12eff354e9a4a5bfbb5c10f296c3a537a"
@@ -92,7 +92,7 @@ tests:
           path: spec.template.spec.containers[0].image
           value: "global.example.com/gitea:1.19.3-rootless@sha256:b28e8f3089b52ebe6693295df142f8c12eff354e9a4a5bfbb5c10f296c3a537a"
   - it: correctly renders floating tag references
-    template: templates/gitea/deployment.yaml
+    template: templates/deployment.yaml
     set:
       image.tag: 1.21 # use non-quoted value on purpose. See: https://gitea.com/gitea/helm-gitea/issues/631
     asserts:

unittests/helm/deployment/ingress-configuration.yaml

@@ -1,6 +1,6 @@
 suite: Test ingress tpl use
 templates:
-  - templates/gitea/ingress.yaml
+  - templates/ingress.yaml
 tests:
   - it: Ingress Class using TPL
     set:

unittests/helm/deployment/inline-config.yaml

@@ -3,7 +3,7 @@ release:
   name: gitea-unittests
   namespace: testing
 templates:
-  - templates/gitea/config.yaml
+  - templates/config.yaml
 tests:
   - it: inline config stringData.server using TPL
     set:

unittests/helm/deployment/probes.yaml

@@ -3,11 +3,11 @@ release:
   name: gitea-unittests
   namespace: testing
 templates:
-  - templates/gitea/deployment.yaml
+  - templates/deployment.yaml
-  - templates/gitea/config.yaml
+  - templates/config.yaml
 tests:
   - it: renders default liveness probe
-    template: templates/gitea/deployment.yaml
+    template: templates/deployment.yaml
     asserts:
       - notExists:
           path: spec.template.spec.containers[0].livenessProbe.enabled
@@ -22,7 +22,7 @@ tests:
               port: http
             timeoutSeconds: 1
   - it: renders default readiness probe
-    template: templates/gitea/deployment.yaml
+    template: templates/deployment.yaml
     asserts:
       - notExists:
           path: spec.template.spec.containers[0].readinessProbe.enabled
@@ -37,12 +37,12 @@ tests:
               port: http
             timeoutSeconds: 1
   - it: does not render a default startup probe
-    template: templates/gitea/deployment.yaml
+    template: templates/deployment.yaml
     asserts:
       - notExists:
           path: spec.template.spec.containers[0].startupProbe
   - it: allows enabling a startup probe
-    template: templates/gitea/deployment.yaml
+    template: templates/deployment.yaml
     set:
       gitea.startupProbe.enabled: true
     asserts:
@@ -60,7 +60,7 @@ tests:
             timeoutSeconds: 1
 
   - it: allows overwriting the default port of the liveness probe
-    template: templates/gitea/deployment.yaml
+    template: templates/deployment.yaml
     set:
       gitea:
         livenessProbe:
@@ -74,7 +74,7 @@ tests:
               port: my-port
 
   - it: allows overwriting the default port of the readiness probe
-    template: templates/gitea/deployment.yaml
+    template: templates/deployment.yaml
     set:
       gitea:
         readinessProbe:
@@ -88,7 +88,7 @@ tests:
               port: my-port
 
   - it: allows overwriting the default port of the startup probe
-    template: templates/gitea/deployment.yaml
+    template: templates/deployment.yaml
     set:
       gitea:
         startupProbe:
@@ -103,7 +103,7 @@ tests:
               port: my-port
 
   - it: allows using a non-default method as liveness probe
-    template: templates/gitea/deployment.yaml
+    template: templates/deployment.yaml
     set:
       gitea:
         livenessProbe:
@@ -131,7 +131,7 @@ tests:
             timeoutSeconds: 13372
 
   - it: allows using a non-default method as readiness probe
-    template: templates/gitea/deployment.yaml
+    template: templates/deployment.yaml
     set:
       gitea:
         readinessProbe:
@@ -159,7 +159,7 @@ tests:
             timeoutSeconds: 13372
 
   - it: allows using a non-default method as startup probe
-    template: templates/gitea/deployment.yaml
+    template: templates/deployment.yaml
     set:
       gitea:
         startupProbe:

unittests/helm/deployment/sidecar-container.yaml

@@ -3,11 +3,11 @@ release:
   name: gitea-unittests
   namespace: testing
 templates:
-  - templates/gitea/deployment.yaml
+  - templates/deployment.yaml
-  - templates/gitea/config.yaml
+  - templates/config.yaml
 tests:
   - it: supports adding a sidecar container
-    template: templates/gitea/deployment.yaml
+    template: templates/deployment.yaml
     set:
       extraContainers:
         - name: sidecar-bob

unittests/helm/deployment/signing-disabled.yaml

@@ -3,11 +3,11 @@ release:
   name: gitea-unittests
   namespace: testing
 templates:
-  - templates/gitea/deployment.yaml
+  - templates/deployment.yaml
-  - templates/gitea/config.yaml
+  - templates/config.yaml
 tests:
   - it: skips gpg init container
-    template: templates/gitea/deployment.yaml
+    template: templates/deployment.yaml
     asserts:
       - notContains:
           path: spec.template.spec.initContainers
@@ -15,7 +15,7 @@ tests:
           content:
             name: configure-gpg
   - it: skips gpg env in `init-directories` init container
-    template: templates/gitea/deployment.yaml
+    template: templates/deployment.yaml
     set:
       signing.enabled: false
     asserts:
@@ -25,14 +25,14 @@ tests:
             name: GNUPGHOME
             value: /data/git/.gnupg
   - it: skips gpg env in runtime container
-    template: templates/gitea/deployment.yaml
+    template: templates/deployment.yaml
     asserts:
       - notContains:
           path: spec.template.spec.containers[0].env
           content:
             name: GNUPGHOME
   - it: skips gpg volume spec
-    template: templates/gitea/deployment.yaml
+    template: templates/deployment.yaml
     asserts:
       - notContains:
           path: spec.template.spec.volumes

unittests/helm/deployment/signing-enabled.yaml

@@ -3,11 +3,11 @@ release:
   name: gitea-unittests
   namespace: testing
 templates:
-  - templates/gitea/deployment.yaml
+  - templates/deployment.yaml
-  - templates/gitea/config.yaml
+  - templates/config.yaml
 tests:
   - it: adds gpg init container
-    template: templates/gitea/deployment.yaml
+    template: templates/deployment.yaml
     set:
       signing:
         enabled: true
@@ -41,7 +41,7 @@ tests:
               mountPath: /raw
               readOnly: true
   - it: adds gpg env in `init-directories` init container
-    template: templates/gitea/deployment.yaml
+    template: templates/deployment.yaml
     set:
       signing.enabled: true
       signing.existingSecret: "custom-gpg-secret"
@@ -52,7 +52,7 @@ tests:
             name: GNUPGHOME
             value: /data/git/.gnupg
   - it: adds gpg env in runtime container
-    template: templates/gitea/deployment.yaml
+    template: templates/deployment.yaml
     set:
       signing.enabled: true
       signing.existingSecret: "custom-gpg-secret"
@@ -63,7 +63,7 @@ tests:
             name: GNUPGHOME
             value: /data/git/.gnupg
   - it: adds gpg volume spec
-    template: templates/gitea/deployment.yaml
+    template: templates/deployment.yaml
     set:
       signing:
         enabled: true
@@ -80,7 +80,7 @@ tests:
                   path: private.asc
               defaultMode: 0100
   - it: supports gpg volume spec with external reference
-    template: templates/gitea/deployment.yaml
+    template: templates/deployment.yaml
     set:
       signing:
         enabled: true

unittests/helm/deployment/ssh-configuration.yaml

@@ -3,11 +3,11 @@ release:
   name: gitea-unittests
   namespace: testing
 templates:
-  - templates/gitea/deployment.yaml
+  - templates/deployment.yaml
-  - templates/gitea/config.yaml
+  - templates/config.yaml
 tests:
   - it: supports defining SSH log level for root based image
-    template: templates/gitea/deployment.yaml
+    template: templates/deployment.yaml
     set:
       image.rootless: false
     asserts:
@@ -17,7 +17,7 @@ tests:
             name: SSH_LOG_LEVEL
             value: "INFO"
   - it: supports overriding SSH log level
-    template: templates/gitea/deployment.yaml
+    template: templates/deployment.yaml
     set:
       image.rootless: false
       gitea.ssh.logLevel: "DEBUG"
@@ -28,7 +28,7 @@ tests:
             name: SSH_LOG_LEVEL
             value: "DEBUG"
   - it: supports overriding SSH log level (even when image.fullOverride set)
-    template: templates/gitea/deployment.yaml
+    template: templates/deployment.yaml
     set:
       image.fullOverride: docker.gitea.com/gitea:1.19.3
       image.rootless: false
@@ -40,7 +40,7 @@ tests:
             name: SSH_LOG_LEVEL
             value: "DEBUG"
   - it: skips SSH_LOG_LEVEL for rootless image
-    template: templates/gitea/deployment.yaml
+    template: templates/deployment.yaml
     set:
       image.rootless: true
       gitea.ssh.logLevel: "DEBUG" # explicitly defining a non-standard level here
@@ -51,7 +51,7 @@ tests:
           content:
             name: SSH_LOG_LEVEL
   - it: skips SSH_LOG_LEVEL for rootless image (even when image.fullOverride set)
-    template: templates/gitea/deployment.yaml
+    template: templates/deployment.yaml
     set:
       image.fullOverride: docker.gitea.com/gitea:1.19.3
       image.rootless: true

unittests/helm/deployment/storage-class-configuration.yaml

@@ -7,11 +7,11 @@ release:
   namespace: testing
 
 templates:
-  - templates/gitea/pvc.yaml
+  - templates/pvc.yaml
 
 tests:
   - it: should set storageClassName when persistence.storageClass is defined
-    template: templates/gitea/pvc.yaml
+    template: templates/pvc.yaml
     set:
       persistence.storageClass: "my-storage-class"
     asserts:
@@ -20,7 +20,7 @@ tests:
           value: "my-storage-class"
 
   - it: should set global.storageClass when persistence.storageClass is not defined
-    template: templates/gitea/pvc.yaml
+    template: templates/pvc.yaml
     set:
       global.storageClass: "default-storage-class"
     asserts:
@@ -29,7 +29,7 @@ tests:
           value: "default-storage-class"
 
   - it: should set storageClassName when persistence.storageClass is defined and global.storageClass is defined
-    template: templates/gitea/pvc.yaml
+    template: templates/pvc.yaml
     set:
       global.storageClass: "default-storage-class"
       persistence.storageClass: "my-storage-class"

unittests/helm/deployment/svc-configuration.yaml

@@ -3,11 +3,11 @@ release:
   name: gitea-unittests
   namespace: testing
 templates:
-  - templates/gitea/ssh-svc.yaml
+  - templates/ssh-svc.yaml
-  - templates/gitea/http-svc.yaml
+  - templates/http-svc.yaml
 tests:
   - it: supports adding custom labels to ssh-svc
-    template: templates/gitea/ssh-svc.yaml
+    template: templates/ssh-svc.yaml
     set:
       service:
         ssh:
@@ -19,7 +19,7 @@ tests:
           value: "testvalue"
 
   - it: keeps existing labels (ssh)
-    template: templates/gitea/ssh-svc.yaml
+    template: templates/ssh-svc.yaml
     set:
       service:
         ssh:
@@ -29,7 +29,7 @@ tests:
           path: metadata.labels["app"]
 
   - it: supports adding custom labels to http-svc
-    template: templates/gitea/http-svc.yaml
+    template: templates/http-svc.yaml
     set:
       service:
         http:
@@ -41,7 +41,7 @@ tests:
           value: "testvalue"
 
   - it: keeps existing labels (http)
-    template: templates/gitea/http-svc.yaml
+    template: templates/http-svc.yaml
     set:
       service:
         http:
@@ -51,7 +51,7 @@ tests:
           path: metadata.labels["app"]
 
   - it: render service.ssh.loadBalancerClass if set and type is LoadBalancer
-    template: templates/gitea/ssh-svc.yaml
+    template: templates/ssh-svc.yaml
     set:
       service:
         ssh:
@@ -73,7 +73,7 @@ tests:
           value: ["1.2.3.4/32", "5.6.7.8/32"]
 
   - it: does not render when loadbalancer properties are set but type is not loadBalancerClass
-    template: templates/gitea/http-svc.yaml
+    template: templates/http-svc.yaml
     set:
       service:
         http:
@@ -92,7 +92,7 @@ tests:
           path: spec.loadBalancerSourceRanges
 
   - it: does not render loadBalancerClass by default even when type is LoadBalancer
-    template: templates/gitea/http-svc.yaml
+    template: templates/http-svc.yaml
     set:
       service:
         http:
@@ -107,8 +107,8 @@ tests:
 
   - it: both ssh and http services exist
     templates:
-      - templates/gitea/ssh-svc.yaml
+      - templates/ssh-svc.yaml
-      - templates/gitea/http-svc.yaml
+      - templates/http-svc.yaml
     asserts:
       - matchRegex:
           path: metadata.name

unittests/helm/gpg-secret/signing-disabled.yaml

@@ -3,7 +3,7 @@ release:
   name: gitea-unittests
   namespace: testing
 templates:
-  - templates/gitea/gpg-secret.yaml
+  - templates/gpg-secret.yaml
 tests:
   - it: renders nothing
     set:

unittests/helm/gpg-secret/signing-enabled.yaml

@@ -3,7 +3,7 @@ release:
   name: gitea-unittests
   namespace: testing
 templates:
-  - templates/gitea/gpg-secret.yaml
+  - templates/gpg-secret.yaml
 tests:
   - it: fails rendering when nothing is configured
     set:

unittests/helm/ingress/basic.yaml

@@ -1,6 +1,6 @@
 suite: Test ingress.yaml
 templates:
-  - templates/gitea/ingress.yaml
+  - templates/ingress.yaml
 tests:
   - it: should enable ingress when ingress.enabled is true
     set:

unittests/helm/ingress/implicit-defaults.yaml

@@ -1,6 +1,6 @@
 suite: Test ingress with implicit path defaults
 templates:
-  - templates/gitea/ingress.yaml
+  - templates/ingress.yaml
 tests:
   - it: should use default path and pathType when no paths are specified
     set:

unittests/helm/ingress/ingress.tpl.yaml

@@ -1,6 +1,6 @@
 suite: Test ingress tpl use
 templates:
-  - templates/gitea/ingress.yaml
+  - templates/ingress.yaml
 tests:
   - it: Ingress Class using TPL
     set:

unittests/helm/ingress/structured-paths.yaml

@@ -1,6 +1,6 @@
 suite: Test ingress with structured paths
 templates:
-  - templates/gitea/ingress.yaml
+  - templates/ingress.yaml
 tests:
   - it: should work with structured path definitions
     set:

unittests/helm/init/basic.yaml

@@ -3,7 +3,7 @@ release:
   name: gitea-unittests
   namespace: testing
 templates:
-  - templates/gitea/init.yaml
+  - templates/init.yaml
 tests:
   - it: renders a secret
     asserts:

unittests/helm/init/init_directory_structure.sh-rootless.yaml

@@ -3,7 +3,7 @@ release:
   name: gitea-unittests
   namespace: testing
 templates:
-  - templates/gitea/init.yaml
+  - templates/init.yaml
 tests:
   - it: runs gpg in batch mode
     set:
@@ -63,7 +63,7 @@ tests:
               chown -v 1000:1000 "${GNUPGHOME}"
             fi
   - it: it does not chown /data even when image.fullOverride is set
-    template: templates/gitea/init.yaml
+    template: templates/init.yaml
     set:
       image.fullOverride: docker.gitea.com/gitea:1.20.5
     asserts:

unittests/helm/init/init_directory_structure.sh.yaml

@@ -3,7 +3,7 @@ release:
   name: gitea-unittests
   namespace: testing
 templates:
-  - templates/gitea/init.yaml
+  - templates/init.yaml
 tests:
   - it: runs gpg in batch mode
     set:

unittests/helm/metric-secret/metrics-secret-servicemonitor-disabled.yaml

@@ -3,7 +3,7 @@ release:
   name: gitea-unittests
   namespace: testing
 templates:
-  - templates/gitea/metrics-secret.yaml
+  - templates/metrics-secret.yaml
 tests:
   - it: renders nothing if monitoring disabled and gitea.metrics.token empty
     set:

unittests/helm/metric-secret/metrics-secret-servicemonitor-enabled.yaml

@@ -3,7 +3,7 @@ release:
   name: gitea-unittests
   namespace: testing
 templates:
-  - templates/gitea/metrics-secret.yaml
+  - templates/metrics-secret.yaml
 tests:
   - it: renders nothing if monitoring enabled and gitea.metrics.token empty
     set:

unittests/helm/networkPolicy/networkPolicy.yaml

@@ -0,0 +1,100 @@
+chart:
+  appVersion: 0.1.0
+  version: 0.1.0
+suite: NetworkPolicy template
+release:
+  name: gitea-unittest
+  namespace: testing
+templates:
+  - templates/networkPolicy.yaml
+tests:
+  - it: Skip rendering networkPolicy
+    set:
+      networkPolicy.enabled: false
+    asserts:
+      - hasDocuments:
+          count: 0
+
+  - it: Render default networkPolicy
+    set:
+      networkPolicy.enabled: true
+    asserts:
+      - hasDocuments:
+          count: 1
+      - containsDocument:
+          apiVersion: networking.k8s.io/v1
+          kind: NetworkPolicy
+          name: gitea-unittest
+          namespace: testing
+      - notExists:
+          path: metadata.annotations
+      - equal:
+          path: metadata.labels
+          value:
+            app: gitea
+            app.kubernetes.io/instance: gitea-unittest
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: gitea
+            app.kubernetes.io/version: 0.1.0
+            helm.sh/chart: gitea-0.1.0
+            version: 0.1.0
+      - equal:
+          path: spec.podSelector.matchLabels
+          value:
+            app.kubernetes.io/instance: gitea-unittest
+            app.kubernetes.io/name: gitea
+      - notExists:
+          path: spec.policyTypes
+      - notExists:
+          path: spec.egress
+      - notExists:
+          path: spec.ingress
+
+  - it: Template networkPolicy with policyTypes, egress and ingress configuration
+    set:
+      networkPolicy.enabled: true
+      networkPolicy.policyTypes:
+        - Egress
+        - Ingress
+      networkPolicy.ingress:
+        - from:
+            - namespaceSelector:
+                matchLabels:
+                  kubernetes.io/metadata.name: monitoring
+              podSelector:
+                matchLabels:
+                  app.kubernetes.io/name: prometheus
+      networkPolicy.egress:
+        - to:
+            - namespaceSelector:
+                matchLabels:
+                  kubernetes.io/metadata.name: ingress-nginx
+              podSelector:
+                matchLabels:
+                  app.kubernetes.io/name: ingress-nginx
+    asserts:
+      - equal:
+          path: spec.policyTypes
+          value:
+            - Egress
+            - Ingress
+      - equal:
+          path: spec.egress
+          value:
+            - to:
+                - namespaceSelector:
+                    matchLabels:
+                      kubernetes.io/metadata.name: ingress-nginx
+                  podSelector:
+                    matchLabels:
+                      app.kubernetes.io/name: ingress-nginx
+      - equal:
+          path: spec.ingress
+          value:
+            - from:
+                - namespaceSelector:
+                    matchLabels:
+                      kubernetes.io/metadata.name: monitoring
+                  podSelector:
+                    matchLabels:
+                      app.kubernetes.io/name: prometheus

unittests/helm/pvc/pvc-configuration.yaml

@@ -3,7 +3,7 @@ release:
   name: gitea-unittests
   namespace: testing
 templates:
-  - templates/gitea/pvc.yaml
+  - templates/pvc.yaml
 tests:
   - it: Storage Class using TPL
     set:

unittests/helm/serviceaccount/basic.yaml

@@ -3,7 +3,7 @@ release:
   name: gitea-unittests
   namespace: testing
 templates:
-  - templates/gitea/serviceaccount.yaml
+  - templates/serviceaccount.yaml
 tests:
   - it: skips rendering by default
     asserts:

unittests/helm/serviceaccount/reference.yaml

@@ -3,17 +3,17 @@ release:
   name: gitea-unittests
   namespace: testing
 templates:
-  - templates/gitea/serviceaccount.yaml
+  - templates/serviceaccount.yaml
-  - templates/gitea/deployment.yaml
+  - templates/deployment.yaml
-  - templates/gitea/config.yaml
+  - templates/config.yaml
 tests:
   - it: does not modify the deployment by default
-    template: templates/gitea/deployment.yaml
+    template: templates/deployment.yaml
     asserts:
       - notExists:
           path: spec.serviceAccountName
   - it: adds the reference to the deployment with serviceAccount.create=true
-    template: templates/gitea/deployment.yaml
+    template: templates/deployment.yaml
     set:
       serviceAccount.create: true
     asserts:
@@ -21,7 +21,7 @@ tests:
           path: spec.template.spec.serviceAccountName
           value: gitea-unittests
   - it: allows referencing an externally created ServiceAccount to the deployment
-    template: templates/gitea/deployment.yaml
+    template: templates/deployment.yaml
     set:
       serviceAccount:
         create: false # explicitly set to define rendering behavior

unittests/helm/servicemonitor/basic.yaml

@@ -3,7 +3,7 @@ release:
   name: gitea-unittests
   namespace: testing
 templates:
-  - templates/gitea/servicemonitor.yaml
+  - templates/servicemonitor.yaml
 tests:
   - it: skips rendering by default
     asserts:

unittests/helm/servicemonitor/servicemonitor-disabled.yaml

@@ -3,7 +3,7 @@ release:
   name: gitea-unittests
   namespace: testing
 templates:
-  - templates/gitea/servicemonitor.yaml
+  - templates/servicemonitor.yaml
 tests:
   - it: renders nothing if gitea.metrics.serviceMonitor disabled and gitea.metrics.token empty
     set:

unittests/helm/servicemonitor/servicemonitor-enabled.yaml

@@ -3,7 +3,7 @@ release:
   name: gitea-unittests
   namespace: testing
 templates:
-  - templates/gitea/servicemonitor.yaml
+  - templates/servicemonitor.yaml
 tests:
   - it: renders unsecure ServiceMonitor if gitea.metrics.token nil
     set:

values.yaml

@@ -20,7 +20,7 @@ global:
   #   hostnames:
   #   - example.com
 
-## @param namespace An explicit namespace to deploy gitea into. Defaults to the release namespace if not specified
+## @param namespace An explicit namespace to deploy Gitea into. Defaults to the release namespace if not specified
 namespace: ""
 
 ## @param replicaCount number of replicas for the deployment
@@ -279,7 +279,19 @@ persistence:
 extraContainers: []
 #  - name: sidecar-bob
 #    image: busybox
-#    command: [/bin/sh, -c, 'echo "Hello world"; sleep 86400']
+#    command: [/bin/sh, -c, 'echo "Hello world"']
+
+## @param preExtraInitContainers Additional init containers to run in the pod before Gitea runs it owns init containers.
+preExtraInitContainers: []
+# - name: pre-init-container
+#   image: docker.io/library/busybox
+#   command: [ /bin/sh, -c, 'echo "Hello world! I am a pre init container."' ]
+
+## @param postExtraInitContainers Additional init containers to run in the pod after Gitea runs it owns init containers.
+postExtraInitContainers: []
+# - name: post-init-container
+#   image: docker.io/library/busybox
+#   command: [ /bin/sh, -c, 'echo "Hello world! I am a post init container."' ]
 
 ## @param extraVolumes Additional volumes to mount to the Gitea deployment
 extraVolumes: []
@@ -501,6 +513,100 @@ gitea:
     successThreshold: 1
     failureThreshold: 10
 
+
+## @section Network Policy
+networkPolicy:
+  ## @param networkPolicy.enabled Enable network policies in general.
+  ## @param networkPolicy.annotations Additional network policy annotations.
+  ## @param networkPolicy.labels Additional network policy labels.
+  ## @param networkPolicy.policyTypes List of policy types. Supported is ingress, egress or ingress and egress.
+  ## @param networkPolicy.egress Concrete egress network policy implementation.
+  ## @skip networkPolicy.egress Skip individual egress configuration.
+  ## @param networkPolicy.ingress Concrete ingress network policy implementation.
+  ## @skip networkPolicy.ingress Skip individual ingress configuration.
+  enabled: false
+  annotations: {}
+  labels: {}
+  policyTypes: []
+  # - Egress
+  # - Ingress
+  egress: []
+  # Allow outgoing DNS traffic to the internal running DNS-Server. For example core-dns.
+  #
+  # - to:
+  #   - namespaceSelector:
+  #       matchLabels:
+  #         kubernetes.io/metadata.name: kube-system
+  #     podSelector:
+  #       matchLabels:
+  #        k8s-app: kube-dns
+  #   ports:
+  #   - port: 53
+  #     protocol: TCP
+  #   - port: 53
+  #     protocol: UDP
+
+  # Allow outgoing traffic via HTTPS. For example for oAuth2, Gravatar and other third party APIs.
+  #
+  # - to:
+  #   ports:
+  #   - port: 443
+  #     protocol: TCP
+
+  # Allow outgoing traffic to PostgreSQL.
+  #
+  # - to:
+  #   - podSelector:
+  #       matchLabels:
+  #         app.kubernetes.io/name: postgresql-ha
+  #   ports: []
+  #   # Avoid explicit list of ports, because Gitea tries to ping the PostgreSQL database during the initialization
+  #   # process. The ICMP protocol is currently not supported as list of protocols by kubernetes. For this reason would
+  #   # lead listing of the ports to an issue. Therefore, please handle the database ports with care.
+  #   #
+  #   # - port: 5432
+  #   #   protocol: TCP
+
+  # Allow outgoing traffic to Valkey.
+  #
+  # - to:
+  #   - podSelector:
+  #       matchLabels:
+  #         app.kubernetes.io/name: valkey-cluster
+  #   ports:
+  #   - port: 6379
+  #     protocol: TCP
+  #   - port: 16379
+  #     protocol: TCP
+
+  ingress: []
+  # Allow incoming HTTP traffic from prometheus.
+  #
+  # - from:
+  #   - namespaceSelector:
+  #       matchLabels:
+  #         kubernetes.io/metadata.name: monitoring
+  #     podSelector:
+  #       matchLabels:
+  #         app.kubernetes.io/name: prometheus
+  #   ports:
+  #   - port: http
+  #     protocol: TCP
+
+  # Allow incoming HTTP traffic from ingress-nginx.
+  #
+  # - from:
+  #   - namespaceSelector:
+  #       matchLabels:
+  #         kubernetes.io/metadata.name: ingress-nginx
+  #     podSelector:
+  #       matchLabels:
+  #         app.kubernetes.io/name: ingress-nginx
+  #   ports:
+  #   - port: http
+  #     protocol: TCP
+
+
 ## @section valkey-cluster
 ## @param valkey-cluster.enabled Enable valkey cluster
 # ⚠️ The valkey charts do not work well with special characters in the password (<https://gitea.com/gitea/helm-chart/issues/690>).
@@ -557,6 +663,7 @@ valkey:
 ## @param postgresql-ha.postgresql.repmgrPassword Repmgr Password
 ## @param postgresql-ha.postgresql.postgresPassword postgres Password
 ## @param postgresql-ha.pgpool.adminPassword pgpool adminPassword
+## @param postgresql-ha.pgpool.srCheckPassword pgpool srCheckPassword
 ## @param postgresql-ha.service.ports.postgresql PostgreSQL service port (overrides `service.ports.postgresql`)
 ## @param postgresql-ha.persistence.size PVC Storage Request for PostgreSQL HA volume
 postgresql-ha:
@@ -572,6 +679,7 @@ postgresql-ha:
     password: changeme4
   pgpool:
     adminPassword: changeme3
+    srCheckPassword: changeme4
   service:
     ports:
       postgresql: 5432