update helm deps and add makefile rule

# Changes

A big shoutout to @luhahn for all his work in #205 which served as the base for this PR.

## Documentation

- [x] After thinking for some time about it, I still prefer the distinct option (as started in #350), i.e. having a standalone "HA" doc under `docs/ha-setup.md` to not have a very long README (which is already quite long).
      Most of the information below should go into it with more details and explanations behind all of the individual components.

## Chart deps

~~- Adds `meilisearch` as a chart dependency for a HA-ready issue indexer. Only works with >= Gitea 1.20~~
~~- Adds `redis` as a chart dependency for a HA-ready session and queue store.~~
- Adds `redis-cluster` as a chart dependency for a HA-ready session and queue store (alternative to `redis`). Only works with >= Gitea 1.19.2.
- Removes `memcached` instead of `redis-cluster`
- Add `postgresql-ha` as default DB dep in favor of `postgres`

## Adds smart HA chart logic

The goal is to set smart config values that result in a HA-ready Gitea deployment if `replicaCount` > 1.

- If `replicaCount` > 1,
  - `gitea.config.session.PROVIDER` is automatically set to `redis-cluster`
  - `gitea.config.indexer.REPO_INDEXER_ENABLED` is automatically set to `false` unless the value is `elasticsearch` or `meilisearch`
  - `redis-cluster` is used for `[queue]` and `[cache]` and `[session]`mode or not

Configuration of external instances of `meilisearch` and `minio` are documented in a new markdown doc.

## Deployment vs Statefulset

Given all the discussions about this lately (#428), I think we could use both.
In the end, we do not have the requirement for a sequential pod scale up/scale down as it would happen in statefulsets.
On the other side, we do not have actual stateless pods as we are attaching a RWX to the deployment.
Yet I think because we do not have a leader-election requirement, spawning the pods as a deployment makes "Rolling Updates" easier and also signals users that there is no "leader election" logic and each pod can just be "destroyed" at anytime without causing interruption.

Hence I think we should be able to switch from a statefulset to a deployment, even in the single-replica case.

This change also brought up a templating/linting issue: the definition of `.Values.gitea.config.server.SSH_LISTEN_PORT` in `ssh-svc.yaml` just "luckily" worked so far due to naming-related lint processing. Due to the change from "statefulset" to "deployment", the processing queue changed and caused a failure complaining about `config.server.SSH_LISTEN_PORT` not being defined yet.
The only way I could see to fix this was to "properly" define the value in `values.yaml` instead of conditionally definining it in `helpers.tpl`. Maybe there's a better way?

## Chart PVC Creation

I've adapted the automated PVC creation from another chart to be able to provide the `storageClassName` as I couldn't get dynamic provisioning for EFS going with the current implementation.
In addition the naming and approach within the Gitea chart for PV creation is a bit unusual and aligning it might be beneficial.

A semi-unrelated change which will result in a breaking change for existing users but this PR includes a lot of breaking changes already, so including another one might not make it much worse...

- New `persistence.mount`: whether to mount an existing PVC (via `persistence.existingClaim`
- New `persistence.create`: whether to create a new PVC

## Testing

As this PR does a lot of things, we need proper testing.
The helm chart can be installed from the Git branch via `helm-git` as follows:

```
helm repo add gitea-charts git+https://gitea.com/gitea/helm-chart@/?ref=deployment
helm install gitea --version 0.0.0
```
It is **highly recommended** to test the chart in a dedicated namespace.

I've tested this myself with both `redis` and `redis-cluster` and it seemed to work fine.
I just did some basic operations though and we should do more niche testing before merging.

Examplary `values.yml` for testing (only needs a valid RWX storage class):

<details>

<summary>values.yaml</summary>

```yml
image:
  tag: "dev"
  PullPolicy: "Always"
  rootless: true

replicaCount: 2

persistence:
  enabled: true
  accessModes:
    - ReadWriteMany
  storageClass: FIXME

redis-cluster:
  enabled: false
  global:
    redis:
      password: gitea

gitea:
  config:
    indexer:
      ISSUE_INDEXER_ENABLED: true
      REPO_INDEXER_ENABLED: false
```
</details>

## Preferred setup

The preferred HA setup with respect to performance and stability might currently be as follows:

- Repos: RWX (e.g. EFS or Azurefiles NFS)
- Issue indexer: Meilisearch (HA)
- Session and cache: Redis Cluster (HA)
- Attachments/Avatars: Minio (HA)

This will result in a ~ 10-pod HA setup overall.
All pods have very low resource requests.

fix #98

Co-authored-by: pat-s <pat-s@noreply.gitea.io>
Reviewed-on: https://gitea.com/gitea/helm-chart/pulls/437
Co-authored-by: pat-s <patrick.schratz@gmail.com>
Co-committed-by: pat-s <patrick.schratz@gmail.com>

.drone.yml

@@ -1,96 +0,0 @@
----
-kind: pipeline
-type: docker
-name: lint
-
-platform:
-  os: linux
-  arch: arm64
-
-steps:
-- name: helm lint
-  pull: always
-  image: alpine:3.16
-  commands:
-  - apk add --no-cache -X http://dl-cdn.alpinelinux.org/alpine/edge/testing helm
-  - helm lint
-
-- name: helm template
-  pull: always
-  image: alpine:3.16
-  commands:
-  - apk add --no-cache -X http://dl-cdn.alpinelinux.org/alpine/edge/testing helm
-  - helm dependency update
-  - helm template --debug gitea-helm .
-
-- name: helm unittests
-  pull: always
-  image: alpine:3.16
-  commands:
-  - apk add --no-cache -X http://dl-cdn.alpinelinux.org/alpine/edge/testing make helm git bash
-  - helm plugin install https://github.com/heyhabito/helm-unittest
-  - helm dependency update
-  - make unittests
-
-- name: verify readme
-  pull: always
-  image: alpine:3.16
-  commands:
-  - apk add --no-cache -X http://dl-cdn.alpinelinux.org/alpine/edge/testing make npm git
-  - make readme
-  - git diff --exit-code --name-only README.md
-
-- name: discord
-  pull: always
-  image: appleboy/drone-discord:1.2.4
-  environment:
-    DISCORD_WEBHOOK_ID:
-      from_secret: discord_webhook_id
-    DISCORD_WEBHOOK_TOKEN:
-      from_secret: discord_webhook_token
-  when:
-    status:
-    - changed
-    - failure
-
-
----
-kind: pipeline
-type: docker
-name: release-version
-
-platform:
-  os: linux
-  arch: arm64
-
-trigger:
-  event:
-  - tag
-
-steps:
-- name: generate-chart
-  pull: always
-  image: alpine:3.16
-  commands:
-    - apk add --no-cache -X http://dl-cdn.alpinelinux.org/alpine/edge/testing helm
-    - apk add --no-cache curl
-    - helm dependency update
-    - helm package --version "${DRONE_TAG##v}" ./
-    - mkdir gitea
-    - mv gitea*.tgz gitea/
-    - curl -L -o gitea/index.yaml https://dl.gitea.io/charts/index.yaml
-    - helm repo index gitea/ --url https://dl.gitea.io/charts --merge gitea/index.yaml
-
-- name: upload-chart
-  pull: always
-  image: plugins/s3:latest
-  settings:
-    bucket: gitea-artifacts
-    endpoint: https://ams3.digitaloceanspaces.com
-    access_key:
-      from_secret: aws_access_key_id
-    secret_key:
-      from_secret: aws_secret_access_key
-    source: gitea/*
-    target: /charts
-    strip_prefix: gitea/

.editorconfig

@@ -0,0 +1,12 @@
+# EditorConfig is awesome: https://EditorConfig.org
+
+# top-most EditorConfig file
+root = true
+
+[*]
+indent_style = space
+indent_size = 2
+end_of_line = lf
+charset = utf-8
+trim_trailing_whitespace = false
+insert_final_newline = false

.gitea/PULL_REQUEST_TEMPLATE.md

@@ -39,3 +39,4 @@
 
 - [ ] Parameters are documented in the `values.yaml` and added to the `README.md` using [readme-generator-for-helm](https://github.com/bitnami-labs/readme-generator-for-helm)
 - [ ] Breaking changes are documented in the `README.md`
+- [ ] Templating unittests are added

.gitea/workflows/release-version.yml

@@ -0,0 +1,53 @@
+name: generate-chart
+
+on:
+  push:
+    tags:
+      - "*"
+
+jobs:
+  generate-chart-publish:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - name: install tools
+        run: |
+          apt update -y
+          apt install -y curl
+          curl https://baltocdn.com/helm/signing.asc | gpg --dearmor | tee /usr/share/keyrings/helm.gpg > /dev/null
+          echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/helm.gpg] https://baltocdn.com/helm/stable/debian/ all main" | tee /etc/apt/sources.list.d/helm-stable-debian.list
+          apt update -y
+          apt install -y python helm python3-pip apt-transport-https
+          pip install awscli
+
+      - name: Import GPG key
+        id: import_gpg
+        uses: https://github.com/crazy-max/ghaction-import-gpg@v5
+        with:
+          gpg_private_key: ${{ secrets.GPGSIGN_KEY }}
+          passphrase: ${{ secrets.GPGSIGN_PASSPHRASE }}
+          fingerprint: CC64B1DB67ABBEECAB24B6455FC346329753F4B0
+
+      # Using helm gpg plugin as 'helm package --sign' has issues with gpg2: https://github.com/helm/helm/issues/2843
+      - name: package chart
+        run: |
+          # FIXME: use upstream after https://github.com/technosophos/helm-gpg/issues/1 is solved
+          helm plugin install https://github.com/pat-s/helm-gpg
+          helm dependency update
+          helm package --version "${GITHUB_REF#refs/tags/v}" ./
+          helm gpg sign "gitea-${GITHUB_REF#refs/tags/v}.tgz"
+          mkdir gitea
+          mv gitea*.tgz gitea/
+          curl -L -o gitea/index.yaml https://dl.gitea.com/charts/index.yaml
+          helm repo index gitea/ --url https://dl.gitea.io/charts --merge gitea/index.yaml
+
+      - name: aws credential configure
+        uses: https://github.com/aws-actions/configure-aws-credentials@v2
+        with:
+          aws-access-key-id: ${{ secrets.AWS_KEY_ID }}
+          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          aws-region: ${{ secrets.AWS_REGION }}
+
+      - name: Copy files to S3 and clear cache
+        run: |
+          aws s3 sync gitea/ s3://${{ secrets.AWS_S3_BUCKET}}/charts/

.gitea/workflows/test-pr.yml

@@ -0,0 +1,36 @@
+name: check-and-test
+
+on:
+  - pull_request
+
+jobs:
+  check-and-test:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - name: install tools
+        run: |
+          apt update -y
+          apt install -y curl make
+          curl https://baltocdn.com/helm/signing.asc | gpg --dearmor | tee /usr/share/keyrings/helm.gpg > /dev/null
+          echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/helm.gpg] https://baltocdn.com/helm/stable/debian/ all main" | tee /etc/apt/sources.list.d/helm-stable-debian.list
+          apt update -y
+          apt install -y helm python3-pip
+          pip install yamllint
+      - name: dependency update
+        run: helm dependency update
+      - name: lint
+        run: helm lint
+      - name: template
+        run: |
+          helm template --debug gitea-helm .
+      - name: unit tests
+        run: |
+          helm plugin install --version 0.3.3 https://github.com/helm-unittest/helm-unittest
+          make unittests
+      - name: verify readme
+        run: |
+          make readme
+          git diff --exit-code --name-only README.md
+      - name: yaml lint
+        uses: https://github.com/ibiqlik/action-yamllint@v3

.helmignore

@@ -25,4 +25,9 @@ node_modules/
 package.json
 package-lock.json
 .gitea/
+Makefile
+.markdownlintignore
+.markdownlint.yaml
+.drone.yml
+CONTRIBUTING.md
 unittests/

.markdownlint.yaml

@@ -47,7 +47,7 @@ MD013:
   # Number of characters
   line_length: 200
   # Number of characters for headings
-  heading_line_length: 80
+  heading_line_length: 100
   # Number of characters for code blocks
   code_block_line_length: 80
   # Include code blocks
@@ -106,7 +106,7 @@ MD030:
 # MD033/no-inline-html - Inline HTML
 MD033:
   # Allowed elements
-  allowed_elements: []
+  allowed_elements: [details, summary]
 
 # MD035/hr-style - Horizontal rule style
 MD035:
@@ -129,14 +129,12 @@ MD041:
 MD044:
   # List of proper names
   names:
-  - Gitea
-  - PostgreSQL
-  - MariaDB
-  - MySQL
-  - Memcached
-  - Prometheus
-  - Git
-  - GitOps
+    - Gitea
+    - PostgreSQL
+    - Memcached
+    - Prometheus
+    - Git
+    - GitOps
   # Include code blocks
   code_blocks: false
 

.markdownlintignore

@@ -1,3 +1,4 @@
 .gitea/
 node_modules/
 charts/
+Chart.lock

.prettierignore

@@ -0,0 +1 @@
+Chart.lock

.yamllint

@@ -0,0 +1,20 @@
+---
+extends: default
+
+ignore: |
+  .yamllint
+  node_modules
+  templates
+
+
+rules:
+  truthy:
+    allowed-values: ['true', 'false']
+    check-keys: False
+    level: error
+  line-length: disable
+  document-start: disable
+  comments:
+    min-spaces-from-content: 1
+  braces:
+    max-spaces-inside: 2

CONTRIBUTING.md

@@ -14,15 +14,16 @@ When using Visual Studio Code as IDE, following plugins might be useful:
 - [Markdown All in One](https://marketplace.visualstudio.com/items?itemName=yzhang.markdown-all-in-one)
 - [markdownlint](https://marketplace.visualstudio.com/items?itemName=DavidAnson.vscode-markdownlint)
 - [Helm Intellisense](https://marketplace.visualstudio.com/items?itemName=Tim-Koehler.helm-intellisense)
+- [Prettier - Code formatter](https://marketplace.visualstudio.com/items?itemName=esbenp.prettier-vscode)
 
 ## Documentation Requirements
 
-The `README.md` must include all configuration options. The parameters section
-is generated by extracting the parameter annotations from the `values.yaml` file,
-by using [this tool](https://github.com/bitnami-labs/readme-generator-for-helm).
+The `README.md` must include all configuration options.
+The parameters section is generated by extracting the parameter annotations from the `values.yaml` file, by using [this tool](https://github.com/bitnami-labs/readme-generator-for-helm).
 
-If changes were made on configuration options, run `make readme` to update the
-README file.
+If changes were made on configuration options, run `make readme` to update the README file.
+
+The ToC is created via the VSCode [Markdown All in One](https://marketplace.visualstudio.com/items?itemName=yzhang.markdown-all-in-one) extension which can/must also be used used to update it.
 
 ## Pull Request Requirements
 
@@ -40,23 +41,30 @@ For local development and testing of pull requests, the following workflow can
 be used:
 
 1. Install `minikube` and `helm`.
-2. Start a `minikube` cluster via `minikube start`.
-3. From the `gitea/helm-chart` directory execute the following command. This
-   will install the dependencies listed in `Chart.yml` and deploy the current
-   state of the helm chart found locally. If you want to test a branch, make
-   sure to switch to the respective branch first.
-  `helm install --dependency-update gitea . -f values.yaml`.
-4. Gitea is now deployed in `minikube`. To access it, it's port needs to be
-   forwarded first from `minikube` to localhost first via `kubectl --namespace
-   default port-forward svc/gitea-http 3000:3000`. Now Gitea is accessible at
-   [http://localhost:3000](http://localhost:3000).
+1. Start a `minikube` cluster via `minikube start`.
+1. From the `gitea/helm-chart` directory execute the following command.
+   This will install the dependencies listed in `Chart.yml` and deploy the current state of the helm chart found locally.
+   If you want to test a branch, make sure to switch to the respective branch first.
+   `helm install --dependency-update gitea . -f values.yaml`.
+1. Gitea is now deployed in `minikube`.
+   To access it, it's port needs to be forwarded first from `minikube` to localhost first via `kubectl --namespace
+default port-forward svc/gitea-http 3000:3000`.
+   Now Gitea is accessible at [http://localhost:3000](http://localhost:3000).
 
 ### Unit tests
 
 ```bash
 # install the unittest plugin
-$ helm plugin install https://github.com/heyhabito/helm-unittest
+$ helm plugin install https://github.com/helm-unittest/helm-unittest
 
 # run the unittests
 make unittests
 ```
+
+See [plugin documentation](https://github.com/helm-unittest/helm-unittest/blob/v0.3.3/DOCUMENT.md) for usage instructions.
+
+## Release process
+
+1. Create a tag following the tagging schema
+1. Push the tag
+1. Let CI do it's work

Chart.lock

@@ -1,15 +1,12 @@
 dependencies:
-- name: memcached
-  repository: https://raw.githubusercontent.com/bitnami/charts/pre-2022/bitnami
-  version: 5.9.0
-- name: mysql
-  repository: https://raw.githubusercontent.com/bitnami/charts/pre-2022/bitnami
-  version: 6.14.10
 - name: postgresql
-  repository: https://raw.githubusercontent.com/bitnami/charts/pre-2022/bitnami
-  version: 10.3.17
-- name: mariadb
-  repository: https://raw.githubusercontent.com/bitnami/charts/pre-2022/bitnami
-  version: 9.3.6
-digest: sha256:08f967276fa0c083e9756a974a9791a487a71be0a226dc14351b3e5a2641e8fd
-generated: "2022-06-11T12:18:36.672047+02:00"
+  repository: oci://registry-1.docker.io/bitnamicharts
+  version: 12.6.6
+- name: postgresql-ha
+  repository: oci://registry-1.docker.io/bitnamicharts
+  version: 11.7.9
+- name: redis-cluster
+  repository: oci://registry-1.docker.io/bitnamicharts
+  version: 8.6.9
+digest: sha256:52296a48610712a8eb69a32b1b5818b014bfb8dac79d883e11ebdaf97d41e85d
+generated: "2023-07-17T21:24:06.888357+02:00"

Chart.yaml

@@ -3,7 +3,7 @@ name: gitea
 description: Gitea Helm chart for Kubernetes
 type: application
 version: 0.0.0
-appVersion: 1.17.3
+appVersion: 1.20.0
 icon: https://docs.gitea.io/images/gitea.png
 
 keywords:
@@ -28,22 +28,23 @@ maintainers:
     email: lucas.hahn@novum-rgi.de
   - name: Steven Kriegler
     email: sk.bunsenbrenner@gmail.com
+  - name: Patrick Schratz
+    email: patrick.schratz@gmail.com
 
 # Bitnami charts are served from GitHub CDN - See https://github.com/bitnami/charts/issues/10539 for details
 dependencies:
-- name: memcached
-  repository: https://raw.githubusercontent.com/bitnami/charts/pre-2022/bitnami
-  version: 5.9.0
-  condition: memcached.enabled
-- name: mysql
-  repository: https://raw.githubusercontent.com/bitnami/charts/pre-2022/bitnami
-  version: 6.14.10
-  condition: mysql.enabled
-- name: postgresql
-  repository: https://raw.githubusercontent.com/bitnami/charts/pre-2022/bitnami
-  version: 10.3.17
-  condition: postgresql.enabled
-- name: mariadb
-  repository: https://raw.githubusercontent.com/bitnami/charts/pre-2022/bitnami
-  version: 9.3.6
-  condition: mariadb.enabled
+  # Chart release date: 2023-07 (https://github.com/bitnami/charts/blob/main/bitnami/postgresql/Chart.yaml)
+  - name: postgresql
+    repository: oci://registry-1.docker.io/bitnamicharts
+    version: 12.6.6
+    condition: postgresql.enabled
+  # Chart release date: 2023-07 (https://github.com/bitnami/charts/blob/main/bitnami/postgresql-ha/Chart.yaml)
+  - name: postgresql-ha
+    repository: oci://registry-1.docker.io/bitnamicharts
+    version: 11.7.9
+    condition: postgresql-ha.enabled
+  # Chart release date: 2023-07 (https://github.com/bitnami/charts/blob/main/bitnami/redis-cluster/Chart.yaml)
+  - name: redis-cluster
+    repository: oci://registry-1.docker.io/bitnamicharts
+    version: 8.6.9
+    condition: redis-cluster.enabled

Makefile

@@ -9,4 +9,9 @@ readme: prepare-environment
 
 .PHONY: unittests
 unittests:
-	helm unittest --helm3 --strict -f 'unittests/**/*.yaml' ./
+	helm unittest --strict -f 'unittests/**/*.yaml' ./
+
+.PHONY: helm
+update-helm-dependencies:
+	helm dependency update
+  

docs/ha-setup.md

@@ -0,0 +1,175 @@
+# High Availability
+
+⚠️ **EXPERIMENTAL** ⚠️
+
+All components (in-memory DB, volume/asset storage, code indexer) used by Gitea must be deployed in a HA-ready fashion to achieve a full HA-ready Gitea deployment.
+The following document explains how to achieve this for all individual components.
+
+The resulting Gitea deployment will consist of ~ 10 pods (depending on the chosen components and their replicas).
+One should evaluate upfront whether a HA-deployment is required as switching between HA/non-HA comes with some effort.
+For production instances, HA is always recommended to increase uptime and have a frictionless update process.
+
+A general comment about chart dependencies and external services:
+Instead of relying on chart dependencies, it is often better to rely on an external, (managed) instances (in-memory database, asset storage provider, database, etc.).
+Many cloud providers offer such services, at least for databases or in-memory databases.
+They might cost a bit more than using a self-hosted k8s variant but are usually easier to maintain and scale, if needed.
+Also they can be centrally managed and are not linked to the Gitea helm chart or namespace.
+Please consider using external services before you start with your Gitea HA setup, it will make your life (and the life of the Gitea maintainers) easier.
+
+This helm chart tries to help as much as possible to simplify and assert the provisioning of a HA-ready Gitea instance by implementing smart conditionals if `replicaCount` is set to a value > 1.
+Nevertheless, we cannot guarantee for every possible combination of Gitea settings to work together perfectly in a HA setup.
+As a general advice, we recommend to have a test environment aside on which to test possible changes/upgrades before applying these to a production installation.
+
+## Requirements for HA
+
+Storage-wise, the HA-Gitea setup requires a RWX file-system which can be shared among the deployment-based replica pods.
+In addition, the following components are required for full HA-readiness:
+
+- A HA-ready issue (and optionally code) indexer: `elasticsearch` or `meilisearch`
+- A HA-ready external object/asset storage (`minio`) (optional, assets can also be stored on the RWX file-system)
+- A HA-ready cache (`redis-cluster`)
+- A HA-ready DB
+
+`postgres.enabled`, which default to `true`, must be set to `false` for a HA setup.
+The default `postgres` chart dependency is not HA-ready (there's a dedicated `postgres-ha` chart).
+
+The following sections discuss each of the components in more detail.
+Note that for each component discussed, the shown configurations only provides a (working) starting point, not necessarily the most optimal setup.
+We try to optimize this document over time as we have gained more experience with HA setups from users.
+
+## Indexers (Issues and code/repo)
+
+The default code indexer `bleve` is not able to allow multiple connections and hence cannot be used in a HA setup.
+Alternatives are `elasticsearch` and `meilisearch` (as of >= 1.19.2).
+Unless you have an existing `elasticsearch` cluster, we recommend using `meilisearch` as it is faster and requires way less resources.
+
+Unfortunately, `meilisearch` does only support the `ISSUE_INDEXER` and not the `REPO_INDEXER` yet ([tracking issue](https://github.com/go-gitea/gitea/pull/24149)).
+This means that the `REPO_INDEXER` must still be disabled for a HA setup right now.
+An alternative to the two options above for the `ISSUE_INDEXER` is `"db"`, however we recommend to just go with `meilisearch` in this case and to not bother the DB with indexing.
+
+To configure `meilisearch` within Gitea, do the following:
+
+```yml
+gitea:
+  config:
+    indexer:
+      ISSUE_INDEXER_CONN_STR: <http://meilisearch.<namespace>.svc.cluster.local:7700>
+      ISSUE_INDEXER_ENABLED: true
+      ISSUE_INDEXER_TYPE: meilisearch
+      REPO_INDEXER_ENABLED: false
+      # REPO_INDEXER_TYPE: meilisearch # not yet working
+```
+
+Unfortunately `meilisearch` cannot be deployed in HA as of now.
+Nevertheless it allows for multiple Gitea requests at the same time and is therefore required in a HA setup.
+
+Exemplary configuration for the [meilisearch-kubernetes](https://github.com/meilisearch/meilisearch-kubernetes/tree/main/charts/meilisearch) chart:
+
+```yaml
+persistence:
+  enabled: true
+  accessMode: ReadWriteOnce
+  size: 5Gi
+```
+
+## Cache, session and queue
+
+A `redis` instance is required for the in-memory cache.
+Two options exist:
+
+- `redis`
+- `redis-cluster`
+
+The chart provides `redis-cluster` as a dependency as this one can be used for both HA and non-HA setups.
+You're also welcome to go with `redis` if you prefer or already have a running instance.
+
+It should be noted that `redis-cluster` support is only available starting with Gitea 1.19.2.
+You can also configure an external (managed) `redis` instance to be used.
+To do so, you need to set the following configuration values yourself:
+
+- `gitea.config.queue.TYPE`: redis`
+- `gitea.config.queue.CONN_STR`: `<your redis connection string>`
+
+- `gitea.config.session.PROVIDER`: `redis`
+- `gitea.config.session.PROVIDER_CONFIG`: `<your redis connection string>`
+
+- `gitea.config.cache.ENABLED`: `true`
+- `gitea.config.cache.ADAPTER`: `redis`
+- `gitea.config.cache.HOST`: `<your redis connection string>`
+
+## Object and asset storage
+
+Object/asset storage refers to the storage of attachments, avatars, LFS files, etc.
+While most of these can be stored on the RWX file-system, it is recommended to use an external S3-compatible object storage for such, mainly for performance reasons.
+
+By default the chart provisions a single RWO volume to store everything (repos, avatars, packages, etc.).
+This volume cannot be mounted by multiple pods.
+Hence, a RWX volume is required and (optionally) an external HA-ready object storage.
+
+> **Note:** Double-check that the file permissions are set correctly on the RWX volume! That is everything should be owned by the `git` user which usually has `uid=1000` and `gid=1000`.
+
+To use `minio` you need to deploy and configure an external `minio` instance yourself and explicitly define the `STORAGE_TYPE` values as shown below.
+
+Note that `MINIO_BUCKET` here is just a name and does not refer to a S3 bucket.
+It's the root access point for all objects belonging to the respective application, i.e., to Gitea in this case.
+
+```yaml
+gitea:
+  config:
+    attachment:
+      STORAGE_TYPE: minio
+    lfs:
+      STORAGE_TYPE: minio
+    picture:
+      AVATAR_STORAGE_TYPE: minio
+    "storage.packages":
+      STORAGE_TYPE: minio
+
+    storage:
+      MINIO_ENDPOINT: <minio-headless.<namespace>.svc.cluster.local:9000>
+      MINIO_LOCATION: <location>
+      MINIO_ACCESS_KEY_ID: <access key>
+      MINIO_SECRET_ACCESS_KEY: <secret key>
+      MINIO_BUCKET: <bucket name>
+      MINIO_USE_SSL: false
+```
+
+Exemplary configuration for the [bitnami minio](https://github.com/bitnami/charts/blob/main/bitnami/minio) chart:
+
+```yaml
+auth:
+  rootUser: minio
+mode: distributed
+replicaCount: 4
+persistence:
+  enabled: true
+  size: 20Gi
+  accessModes:
+    - ReadWriteOnce
+```
+
+## Database
+
+If you do not have an HA-ready DB, using a managed database service in the cloud might be the easiest and most robust solution.
+Remember: disable the built-in `postgres` dependency and configure the database connection manually via `gitea.config.database`:
+
+```yml
+gitea:
+  database:
+    builtIn:
+      postgresql:
+        enabled: false
+  config:
+    database:
+      DB_TYPE: postgres
+      HOST: <host>
+      NAME: <name>
+      USER: <user>
+```
+
+## Known issues
+
+- Currently Cron jobs are run on all replicas as no leader election is implemented.
+  See [https://github.com/go-gitea/gitea/issues/13791](https://github.com/go-gitea/gitea/issues/13791) for a discussion and possible solution.
+
+- Running with multiple replicas slows down Gitea a bit, i.e. page loading time increases. 

package.json

@@ -13,7 +13,7 @@
     "readme:parameters": "readme-generator -v values.yaml -r README.md"
   },
   "devDependencies": {
-    "markdownlint-cli": "^0.31.1",
-    "readme-generator-for-helm": "https://github.com/bitnami-labs/readme-generator-for-helm/tarball/498ea5d19478a36556f1636e1e041a7510d09289"
+    "@bitnami/readme-generator-for-helm": "^2.5.0",
+    "markdownlint-cli": "^0.34.0"
   }
 }

templates/_helpers.tpl

@@ -2,6 +2,27 @@
 {{/*
 Expand the name of the chart.
 */}}
+
+{{- /* multiple replicas assertions */ -}}
+{{- if gt .Values.replicaCount 1.0 -}}
+  {{- fail "When using multiple replicas, a RWX file system is required" -}}
+  {{- if eq (get (.Values.persistence.accessModes 0) "ReadWriteOnce") -}}
+    {{- fail "When using multiple replicas, a RWX file system is required" -}}
+  {{- end }}
+  
+  {{- if eq (get .Values.gitea.config.indexer "ISSUE_INDEXER_TYPE") "bleve" -}}
+    {{- fail "When using multiple replicas, the repo indexer must be set to 'meilisearch' or 'elasticsearch'" -}}
+  {{- end }}
+  
+  {{- if and (eq .Values.gitea.config.indexer.REPO_INDEXER_TYPE "bleve") (eq .Values.gitea.config.indexer.REPO_INDEXER_ENABLED "true") -}}
+    {{- fail "When using multiple replicas, the repo indexer must be set to 'meilisearch' or 'elasticsearch'" -}}
+  {{- end }}
+  
+  {{- if eq .Values.gitea.config.indexer.ISSUE_INDEXER_TYPE "bleve" -}}
+    {{- (printf "DEBUG: When using multiple replicas, the repo indexer must be set to 'meilisearch' or 'elasticsearch'") | fail -}}
+  {{- end }}
+{{- end }}
+
 {{- define "gitea.name" -}}
 {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
 {{- end -}}
@@ -92,19 +113,25 @@ app.kubernetes.io/instance: {{ .Release.Name }}
 {{- end -}}
 
 {{- define "postgresql.dns" -}}
-{{- printf "%s-postgresql.%s.svc.%s:%g" .Release.Name .Release.Namespace .Values.clusterDomain .Values.postgresql.global.postgresql.servicePort -}}
+{{- printf "%s-postgresql.%s.svc.%s:%g" .Release.Name .Release.Namespace .Values.clusterDomain .Values.postgresql.global.postgresql.service.ports.postgresql -}}
 {{- end -}}
 
-{{- define "mysql.dns" -}}
-{{- printf "%s-mysql.%s.svc.%s:%g" .Release.Name .Release.Namespace .Values.clusterDomain .Values.mysql.service.port | trunc 63 | trimSuffix "-" -}}
+{{- define "redis.dns" -}}
+{{- if (index .Values "redis-cluster").enabled -}}
+{{- printf "redis+cluster://:%s@%s-redis-cluster-headless.%s.svc.%s:%g/0?pool_size=100&idle_timeout=180s&" (index .Values "redis-cluster").global.redis.password .Release.Name .Release.Namespace .Values.clusterDomain (index .Values "redis-cluster").service.ports.redis -}}
+{{- end -}}
 {{- end -}}
 
-{{- define "mariadb.dns" -}}
-{{- printf "%s-mariadb.%s.svc.%s:%g" .Release.Name .Release.Namespace .Values.clusterDomain .Values.mariadb.primary.service.port | trunc 63 | trimSuffix "-" -}}
+{{- define "redis.port" -}}
+{{- if (index .Values "redis-cluster").enabled -}}
+{{ (index .Values "redis-cluster").service.ports.redis }}
+{{- end -}}
 {{- end -}}
 
-{{- define "memcached.dns" -}}
-{{- printf "%s-memcached.%s.svc.%s:%g" .Release.Name .Release.Namespace .Values.clusterDomain .Values.memcached.service.port | trunc 63 | trimSuffix "-" -}}
+{{- define "redis.servicename" -}}
+{{- if (index .Values "redis-cluster").enabled -}}
+{{- printf "%s-redis-cluster-headless.%s.svc.%s" .Release.Name .Release.Namespace .Values.clusterDomain -}}
+{{- end -}}
 {{- end -}}
 
 {{- define "gitea.default_domain" -}}
@@ -190,6 +217,7 @@ https
       {{- else -}}
         {{- (printf "Key %s cannot be on top level of configuration" $key) | fail -}}
       {{- end -}}
+
     {{- end }}
   {{- end }}
 
@@ -219,6 +247,18 @@ https
   {{- if not (hasKey .Values.gitea.config "oauth2") -}}
     {{- $_ := set .Values.gitea.config "oauth2" dict -}}
   {{- end -}}
+  {{- if not (hasKey .Values.gitea.config "session") -}}
+    {{- $_ := set .Values.gitea.config "session" dict -}}
+  {{- end -}}
+  {{- if not (hasKey .Values.gitea.config "queue") -}}
+    {{- $_ := set .Values.gitea.config "queue" dict -}}
+  {{- end -}}
+  {{- if not (hasKey .Values.gitea.config "queue.issue_indexer") -}}
+    {{- $_ := set .Values.gitea.config "queue.issue_indexer" dict -}}
+  {{- end -}}
+  {{- if not (hasKey .Values.gitea.config "indexer") -}}
+    {{- $_ := set .Values.gitea.config "indexer" dict -}}
+  {{- end -}}
 {{- end -}}
 
 {{- define "gitea.inline_configuration.defaults" -}}
@@ -234,13 +274,30 @@ https
   {{- if not (hasKey .Values.gitea.config.metrics "ENABLED") -}}
     {{- $_ := set .Values.gitea.config.metrics "ENABLED" .Values.gitea.metrics.enabled -}}
   {{- end -}}
-  {{- if .Values.memcached.enabled -}}
+ {{- if (index .Values "redis-cluster").enabled -}}
     {{- $_ := set .Values.gitea.config.cache "ENABLED" "true" -}}
-    {{- $_ := set .Values.gitea.config.cache "ADAPTER" "memcache" -}}
+    {{- $_ := set .Values.gitea.config.cache "ADAPTER" "redis" -}}
     {{- if not (.Values.gitea.config.cache.HOST) -}}
-      {{- $_ := set .Values.gitea.config.cache "HOST" (include "memcached.dns" .) -}}
+      {{- $_ := set .Values.gitea.config.cache "HOST" (include "redis.dns" .) -}}
     {{- end -}}
   {{- end -}}
+  {{- /* redis queue */ -}}
+  {{- if (index .Values "redis-cluster").enabled -}}
+    {{- $_ := set .Values.gitea.config.queue "TYPE" "redis" -}}
+    {{- $_ := set .Values.gitea.config.queue "CONN_STR" (include "redis.dns" .) -}}
+  {{- end -}}
+  {{- /* multiple replicas */ -}}
+  {{- if gt .Values.replicaCount 1.0 -}}
+    {{- if not (get .Values.gitea.config.session "PROVIDER") -}}
+    {{- $_ := set .Values.gitea.config.session "PROVIDER" "redis" -}}
+    {{- end -}}
+    {{- if not (get .Values.gitea.config.session "PROVIDER_CONFIG") -}}
+    {{- $_ := set .Values.gitea.config.session "PROVIDER_CONFIG" (include "redis.dns" .) -}}
+    {{- end -}}
+  {{- if not .Values.gitea.config.indexer.ISSUE_INDEXER_TYPE -}}
+     {{- $_ := set .Values.gitea.config.indexer "ISSUE_INDEXER_TYPE" "db" -}}
+  {{- end -}}
+  {{- end -}}
 {{- end -}}
 
 {{- define "gitea.inline_configuration.defaults.server" -}}
@@ -292,25 +349,9 @@ https
     {{- if not (.Values.gitea.config.database.HOST) -}}
       {{- $_ := set .Values.gitea.config.database "HOST"      (include "postgresql.dns" .) -}}
     {{- end -}}
-    {{- $_ := set .Values.gitea.config.database "NAME"      .Values.postgresql.global.postgresql.postgresqlDatabase -}}
-    {{- $_ := set .Values.gitea.config.database "USER"      .Values.postgresql.global.postgresql.postgresqlUsername -}}
-    {{- $_ := set .Values.gitea.config.database "PASSWD"    .Values.postgresql.global.postgresql.postgresqlPassword -}}
-  {{- else if .Values.mysql.enabled -}}
-    {{- $_ := set .Values.gitea.config.database "DB_TYPE"   "mysql" -}}
-    {{- if not (.Values.gitea.config.database.HOST) -}}
-      {{- $_ := set .Values.gitea.config.database "HOST"      (include "mysql.dns" .) -}}
-    {{- end -}}
-    {{- $_ := set .Values.gitea.config.database "NAME"      .Values.mysql.db.name -}}
-    {{- $_ := set .Values.gitea.config.database "USER"      .Values.mysql.db.user -}}
-    {{- $_ := set .Values.gitea.config.database "PASSWD"    .Values.mysql.db.password -}}
-  {{- else if .Values.mariadb.enabled -}}
-    {{- $_ := set .Values.gitea.config.database "DB_TYPE"   "mysql" -}}
-    {{- if not (.Values.gitea.config.database.HOST) -}}
-      {{- $_ := set .Values.gitea.config.database "HOST"      (include "mariadb.dns" .) -}}
-    {{- end -}}
-    {{- $_ := set .Values.gitea.config.database "NAME"      .Values.mariadb.auth.database -}}
-    {{- $_ := set .Values.gitea.config.database "USER"      .Values.mariadb.auth.username -}}
-    {{- $_ := set .Values.gitea.config.database "PASSWD"    .Values.mariadb.auth.password -}}
+    {{- $_ := set .Values.gitea.config.database "NAME"      .Values.postgresql.global.postgresql.auth.database -}}
+    {{- $_ := set .Values.gitea.config.database "USER"      .Values.postgresql.global.postgresql.auth.username -}}
+    {{- $_ := set .Values.gitea.config.database "PASSWD"    .Values.postgresql.global.postgresql.auth.password -}}
   {{- end -}}
 {{- end -}}
 
@@ -335,3 +376,7 @@ https
 {{- define "gitea.gpg-key-secret-name" -}}
 {{ default (printf "%s-gpg-key" (include "gitea.fullname" .)) .Values.signing.existingSecret }}
 {{- end -}}
+
+{{- define "gitea.serviceAccountName" -}}
+{{ .Values.serviceAccount.name | default (include "gitea.fullname" .) }}
+{{- end -}}

templates/gitea/config.yaml

@@ -16,6 +16,32 @@ metadata:
     {{- include "gitea.labels" . | nindent 4 }}
 type: Opaque
 stringData:
+  assertions: |
+{{- /* multiple replicas assertions */ -}}
+{{- if gt .Values.replicaCount 1.0 -}}
+  {{- if .Values.gitea.config.cron.GIT_GC_REPOS -}}
+    {{- if .Values.gitea.config.cron.GIT_GC_REPOS.enabled -}}
+      {{- fail "Invoking the garbage collector via CRON is not yet supported when running with multiple replicas. Please set 'GIT_GC_REPOS.enabled = false'." -}}
+    {{- end }}
+  {{- end }}
+  {{- if eq (first .Values.persistence.accessModes) "ReadWriteOnce" -}}
+    {{- fail "When using multiple replicas, a RWX file system is required and gitea.persistence.accessModes[0] must be set to ReadWriteMany." -}}
+  {{- end }}
+  
+  {{- if eq (get .Values.gitea.config.indexer "ISSUE_INDEXER_TYPE") "bleve" -}}
+    {{- fail "When using multiple replicas, the issue indexer (gitea.config.indexer.ISSUE_INDEXER_TYPE) must be set to a HA-ready provider such as 'meilisearch', 'elasticsearch' or 'db' (if the DB is HA-ready)." -}}
+  {{- end }}
+  {{- if .Values.gitea.config.indexer.REPO_INDEXER_TYPE -}}
+    {{- if eq (get .Values.gitea.config.indexer "REPO_INDEXER_TYPE") "bleve" -}}
+      {{- if .Values.gitea.config.indexer.REPO_INDEXER_ENABLED -}}
+        {{- if eq (get .Values.gitea.config.indexer "REPO_INDEXER_ENABLED") "true" -}}
+          {{- fail "When using multiple replicas, the repo indexer (gitea.config.indexer.REPO_INDEXER_TYPE) must be set to 'meilisearch' or 'elasticsearch' or disabled." -}}
+        {{- end }}
+      {{- end }}
+    {{- end }}
+  {{- end }}
+  
+{{- end }}
   config_environment.sh: |-
     #!/usr/bin/env bash
     set -euo pipefail
@@ -53,14 +79,14 @@ stringData:
       env2ini::log "    + '${setting}'"
 
       if [[ -z "${section}" ]]; then
-        export "ENV_TO_INI____${setting^^}=${value}"                           # '^^' makes the variable content uppercase
+        export "GITEA____${setting^^}=${value}"                           # '^^' makes the variable content uppercase
         return
       fi
 
       local masked_section="${section//./_0X2E_}"                            # '//' instructs to replace all matches
       masked_section="${masked_section//-/_0X2D_}"
 
-      export "ENV_TO_INI__${masked_section^^}__${setting^^}=${value}"        # '^^' makes the variable content uppercase
+      export "GITEA__${masked_section^^}__${setting^^}=${value}"        # '^^' makes the variable content uppercase
     }
 
     function env2ini::reload_preset_envs() {
@@ -134,15 +160,16 @@ stringData:
       #   - initially used to set up Gitea
       # Anyway, they won't harm existing app.ini files
 
-      export ENV_TO_INI__SECURITY__INTERNAL_TOKEN=$(gitea generate secret INTERNAL_TOKEN)
-      export ENV_TO_INI__SECURITY__SECRET_KEY=$(gitea generate secret SECRET_KEY)
-      export ENV_TO_INI__OAUTH2__JWT_SECRET=$(gitea generate secret JWT_SECRET)
-      export ENV_TO_INI__SERVER__LFS_JWT_SECRET=$(gitea generate secret LFS_JWT_SECRET)
+      export GITEA__SECURITY__INTERNAL_TOKEN=$(gitea generate secret INTERNAL_TOKEN)
+      export GITEA__SECURITY__SECRET_KEY=$(gitea generate secret SECRET_KEY)
+      export GITEA__OAUTH2__JWT_SECRET=$(gitea generate secret JWT_SECRET)
+      export GITEA__SERVER__LFS_JWT_SECRET=$(gitea generate secret LFS_JWT_SECRET)
 
       env2ini::log "...Initial secrets generated\n"
     }
-
-    env | (grep ENV_TO_INI || [[ $? == 1 ]]) > /tmp/existing-envs
+    
+    # save existing envs prior to script execution. Necessary to keep order of preexisting and custom envs
+    env | (grep GITEA || [[ $? == 1 ]]) > /tmp/existing-envs
     
     # MUST BE CALLED BEFORE OTHER CONFIGURATION
     env2ini::generate_initial_secrets
@@ -163,10 +190,10 @@ stringData:
       env2ini::log '  - oauth2.JWT_SECRET'
       env2ini::log '  - server.LFS_JWT_SECRET'
 
-      unset ENV_TO_INI__SECURITY__INTERNAL_TOKEN
-      unset ENV_TO_INI__SECURITY__SECRET_KEY
-      unset ENV_TO_INI__OAUTH2__JWT_SECRET
-      unset ENV_TO_INI__SERVER__LFS_JWT_SECRET
+      unset GITEA__SECURITY__INTERNAL_TOKEN
+      unset GITEA__SECURITY__SECRET_KEY
+      unset GITEA__OAUTH2__JWT_SECRET
+      unset GITEA__SERVER__LFS_JWT_SECRET
     fi
 
-    environment-to-ini -o $GITEA_APP_INI -p ENV_TO_INI
+    environment-to-ini -o $GITEA_APP_INI

templates/gitea/deployment.yaml

@@ -1,20 +1,27 @@
 apiVersion: apps/v1
-kind: StatefulSet
+kind: Deployment
 metadata:
   name: {{ include "gitea.fullname" . }}
   annotations:
-    {{- if .Values.statefulset.annotations }}
-    {{- toYaml .Values.statefulset.annotations | nindent 4 }}
+    {{- if .Values.deployment.annotations }}
+    {{- toYaml .Values.deployment.annotations | nindent 4 }}
     {{- end }}
   labels:
     {{- include "gitea.labels" . | nindent 4 }}
 spec:
   replicas: {{ .Values.replicaCount }}
+  strategy:
+    type: {{ .Values.strategy.type }}
+    {{- if eq .Values.strategy.type "RollingUpdate" }}
+    rollingUpdate:
+      maxUnavailable: {{ .Values.strategy.rollingUpdate.maxUnavailable }}
+      maxSurge: {{ .Values.strategy.rollingUpdate.maxSurge }}
+    {{- end }}
   selector:
     matchLabels:
       {{- include "gitea.selectorLabels" . | nindent 6 }}
-      {{- if .Values.statefulset.labels }}
-      {{- toYaml .Values.statefulset.labels | nindent 6 }}
+      {{- if .Values.deployment.labels }}
+      {{- toYaml .Values.deployment.labels | nindent 6 }}
       {{- end }}
   serviceName: {{ include "gitea.fullname" . }}
   template:
@@ -32,13 +39,19 @@ spec:
         {{- end }}
       labels:
         {{- include "gitea.labels" . | nindent 8 }}
-        {{- if .Values.statefulset.labels }}
-        {{- toYaml .Values.statefulset.labels | nindent 8 }}
+        {{- if .Values.deployment.labels }}
+        {{- toYaml .Values.deployment.labels | nindent 8 }}
         {{- end }}
     spec:
       {{- if .Values.schedulerName }}
       schedulerName: "{{ .Values.schedulerName }}"
       {{- end }}
+      {{- if (or .Values.serviceAccount.create .Values.serviceAccount.name) }}
+      serviceAccountName: {{ include "gitea.serviceAccountName" . }}
+      {{- end }}
+      {{- if .Values.priorityClassName }}
+      priorityClassName: "{{ .Values.priorityClassName }}"
+      {{- end }}
       {{- include "gitea.images.pullSecrets" . | nindent 6 }}
       securityContext:
         {{- toYaml .Values.podSecurityContext | nindent 8 }}
@@ -56,8 +69,8 @@ spec:
               value: /data
             - name: GITEA_TEMP
               value: /tmp/gitea
-            {{- if .Values.statefulset.env }}
-            {{- toYaml .Values.statefulset.env | nindent 12 }}
+            {{- if .Values.deployment.env }}
+            {{- toYaml .Values.deployment.env | nindent 12 }}
             {{- end }}
             {{- if .Values.signing.enabled }}
             - name: GNUPGHOME
@@ -76,6 +89,8 @@ spec:
             {{- include "gitea.init-additional-mounts" . | nindent 12 }}
           securityContext:
             {{- toYaml .Values.containerSecurityContext | nindent 12 }}
+          resources:
+            {{- toYaml .Values.initContainers.resources | nindent 12 }}
         - name: init-app-ini
           image: "{{ include "gitea.image" . }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
@@ -89,8 +104,8 @@ spec:
               value: /data
             - name: GITEA_TEMP
               value: /tmp/gitea
-            {{- if .Values.statefulset.env }}
-            {{- toYaml .Values.statefulset.env | nindent 12 }}
+            {{- if .Values.deployment.env }}
+            {{- toYaml .Values.deployment.env | nindent 12 }}
             {{- end }}
             {{- if .Values.gitea.additionalConfigFromEnvs }}
             {{- toYaml .Values.gitea.additionalConfigFromEnvs | nindent 12 }}
@@ -114,6 +129,8 @@ spec:
             {{- include "gitea.init-additional-mounts" . | nindent 12 }}
           securityContext:
             {{- toYaml .Values.containerSecurityContext | nindent 12 }}
+          resources:
+            {{- toYaml .Values.initContainers.resources | nindent 12 }}
         {{- if .Values.signing.enabled }}
         - name: configure-gpg
           image: "{{ include "gitea.image" . }}"
@@ -143,6 +160,8 @@ spec:
             {{- if .Values.extraVolumeMounts }}
             {{- toYaml .Values.extraVolumeMounts | nindent 12 }}
             {{- end }}
+          resources:
+            {{- toYaml .Values.initContainers.resources | nindent 12 }}
         {{- end }}
         - name: configure-gitea
           image: "{{ include "gitea.image" . }}"
@@ -164,6 +183,10 @@ spec:
               value: /data
             - name: GITEA_TEMP
               value: /tmp/gitea
+            {{- if .Values.image.rootless }}
+            - name: HOME
+              value: /data/gitea/git
+            {{- end }}
             {{- if .Values.gitea.ldap }}
             {{- range $idx, $value := .Values.gitea.ldap }}
             {{- if $value.existingSecret }}
@@ -218,8 +241,8 @@ spec:
             - name: GITEA_ADMIN_PASSWORD
               value: {{ .Values.gitea.admin.password | quote }}
             {{- end }}
-            {{- if .Values.statefulset.env }}
-            {{- toYaml .Values.statefulset.env | nindent 12 }}
+            {{- if .Values.deployment.env }}
+            {{- toYaml .Values.deployment.env | nindent 12 }}
             {{- end }}
           volumeMounts:
             - name: init
@@ -232,7 +255,9 @@ spec:
               subPath: {{ .Values.persistence.subPath }}
               {{- end }}
             {{- include "gitea.init-additional-mounts" . | nindent 12 }}
-      terminationGracePeriodSeconds: {{ .Values.statefulset.terminationGracePeriodSeconds }}
+          resources:
+            {{- toYaml .Values.initContainers.resources | nindent 12 }}
+      terminationGracePeriodSeconds: {{ .Values.deployment.terminationGracePeriodSeconds }}
       containers:
         - name: {{ .Chart.Name }}
           image: "{{ include "gitea.image" . }}"
@@ -243,6 +268,10 @@ spec:
               value: {{ .Values.gitea.config.server.SSH_LISTEN_PORT | quote }}
             - name: SSH_PORT
               value: {{ .Values.gitea.config.server.SSH_PORT | quote }}
+            {{- if not .Values.image.rootless }}
+            - name: SSH_LOG_LEVEL
+              value: {{ .Values.gitea.ssh.logLevel | quote }}
+            {{- end }}
             - name: GITEA_APP_INI
               value: /data/gitea/conf/app.ini
             - name: GITEA_CUSTOM
@@ -253,12 +282,16 @@ spec:
               value: /tmp/gitea
             - name: TMPDIR
               value: /tmp/gitea
+            {{- if .Values.image.rootless }}
+            - name: HOME
+              value: /data/gitea/git
+            {{- end }}
             {{- if .Values.signing.enabled }}
             - name: GNUPGHOME
               value: {{ .Values.signing.gpgHome }}
             {{- end }}
-            {{- if .Values.statefulset.env }}
-            {{- toYaml .Values.statefulset.env | nindent 12 }}
+            {{- if .Values.deployment.env }}
+            {{- toYaml .Values.deployment.env | nindent 12 }}
             {{- end }}
           ports:
             - name: ssh
@@ -302,6 +335,10 @@ spec:
               subPath: {{ .Values.persistence.subPath }}
               {{- end }}
             {{- include "gitea.container-additional-mounts" . | nindent 12 }}
+      {{- with .Values.global.hostAliases }}
+      hostAliases:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
       {{- with .Values.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}
@@ -310,6 +347,10 @@ spec:
       affinity:
         {{- toYaml . | nindent 8 }}
     {{- end }}
+    {{- with .Values.topologySpreadConstraints }}
+      topologySpreadConstraints: 
+        {{- toYaml . | nindent 8 }}
+    {{- end }}
     {{- with .Values.tolerations }}
       tolerations:
         {{- toYaml . | nindent 8 }}
@@ -348,38 +389,13 @@ spec:
                 path: private.asc
             defaultMode: 0100
         {{- end }}
-  {{- if and .Values.persistence.enabled .Values.persistence.existingClaim }}
+  {{- if .Values.persistence.enabled }}
+    {{- if .Values.persistence.mount }}
         - name: data
           persistentVolumeClaim:
-  {{- with .Values.persistence.existingClaim }}
-            claimName: {{ tpl . $ }}
-  {{- end }}
+            claimName: {{ .Values.persistence.claimName }}
+    {{- end }}
   {{- else if not .Values.persistence.enabled }}
         - name: data
           emptyDir: {}
-  {{- else if and .Values.persistence.enabled (not .Values.persistence.existingClaim) }}
-  volumeClaimTemplates:
-    - metadata:
-        name: data
-      {{- with .Values.persistence.annotations }}
-        annotations:
-        {{- range $key, $value := . }}
-          {{ $key }}: {{ $value }}
-        {{- end }}
-      {{- end }}
-      {{- with .Values.persistence.labels }}
-        labels:
-        {{- range $key, $value := . }}
-          {{ $key }}: {{ $value }}
-        {{- end }}
-      {{- end }}
-      spec:
-        accessModes:
-          {{- range .Values.persistence.accessModes }}
-            - {{ . | quote }}
-          {{- end }}
-        {{- include "gitea.persistence.storageClass" . | indent 8 }}
-        resources:
-          requests:
-            storage: {{ .Values.persistence.size | quote }}
   {{- end }}

templates/gitea/extra-list.yaml

@@ -0,0 +1,8 @@
+{{- range .Values.extraDeploy }}
+---
+{{- if typeIs "string" . }}
+    {{- tpl . $ }}
+{{- else }}
+    {{- tpl (. | toYaml) $ }}
+{{- end }}
+{{- end }}

templates/gitea/gpg-secret.yaml

@@ -1,6 +1,6 @@
 {{- if .Values.signing.enabled -}}
 {{- if and (empty .Values.signing.privateKey) (empty .Values.signing.existingSecret) -}}
-  {{- fail "Either specify `signing.privateKey` or `signing.existingKey`" -}}
+  {{- fail "Either specify `signing.privateKey` or `signing.existingSecret`" -}}
 {{- end }}
 {{- if and (not (empty .Values.signing.privateKey)) (empty .Values.signing.existingSecret) -}}
 apiVersion: v1

templates/gitea/init.yaml

@@ -10,7 +10,7 @@ stringData:
     #!/usr/bin/env bash
     set -eu
 
-    gpg --import /raw/private.asc
+    gpg --batch --import /raw/private.asc
   init_directory_structure.sh: |-
     #!/usr/bin/env bash
 
@@ -61,6 +61,27 @@ stringData:
       echo "Gitea migrate might fail due to database connection...This init-container will try again in a few seconds"
       exit 1
     }
+
+    {{- if include "redis.servicename" . }}
+    function test_redis_connection() {
+      local RETRY=0
+      local MAX=30
+      
+      echo 'Wait for redis to become avialable...'
+      until [ "${RETRY}" -ge "${MAX}" ]; do
+        nc -vz -w2 {{ include "redis.servicename" . }} {{ include "redis.port" . }} && break
+        RETRY=$[${RETRY}+1]
+        echo "...not ready yet (${RETRY}/${MAX})"
+      done
+
+      if [ "${RETRY}" -ge "${MAX}" ]; then
+        echo "Redis not reachable after '${MAX}' attempts!"
+        exit 1
+      fi
+    }
+
+    test_redis_connection
+    {{- end }}
     
 
     {{- if or .Values.gitea.admin.existingSecret (and .Values.gitea.admin.username .Values.gitea.admin.password) }}

templates/gitea/poddisruptionbudget.yaml

@@ -0,0 +1,17 @@
+{{- if .Values.podDisruptionBudget -}}
+{{- if .Capabilities.APIVersions.Has "policy/v1" }}
+apiVersion: policy/v1
+{{- else }}
+apiVersion: policy/v1beta1
+{{- end }}
+kind: PodDisruptionBudget
+metadata:
+  name: {{ include "gitea.fullname" . }}
+  labels:
+    {{- include "gitea.labels" . | nindent 4 }}
+spec:
+  selector:
+    matchLabels:
+      {{- include "gitea.selectorLabels" . | nindent 6 }}
+  {{- toYaml .Values.podDisruptionBudget | nindent 2 }}
+{{- end -}}

templates/gitea/pvc.yaml

@@ -0,0 +1,24 @@
+{{- if and .Values.persistence.enabled .Values.persistence.create }}
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+  name: {{ .Values.persistence.claimName }}
+  namespace: {{ $.Release.Namespace }}
+  annotations:
+{{ .Values.persistence.annotations | toYaml | indent 4}}
+spec:
+  accessModes:
+  {{- if gt .Values.replicaCount 1.0 }}
+      - ReadWriteMany
+  {{- else }}
+    {{- .Values.persistence.accessModes | toYaml | nindent 4 }}
+  {{- end }}
+  volumeMode: Filesystem
+  {{- if .Values.persistence.storageClass }}
+  storageClassName: {{ .Values.persistence.storageClass }}
+  {{- end }}
+  volumeName: ""
+  resources:
+    requests:
+      storage: {{ .Values.persistence.size }}
+{{- end }}

templates/gitea/serviceaccount.yaml

@@ -0,0 +1,21 @@
+{{- if .Values.serviceAccount.create }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "gitea.serviceAccountName" . }}
+  namespace: {{ .Release.Namespace | quote }}
+  labels:
+    {{- include "gitea.labels" . | nindent 4 }}
+    {{- with .Values.serviceAccount.labels }}
+    {{- . | toYaml | nindent 4 }}
+  {{- end }}
+  {{- with .Values.serviceAccount.annotations }}
+  annotations:
+    {{- . | toYaml | nindent 4 }}
+  {{- end }}
+automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }}
+{{- with .Values.serviceAccount.imagePullSecrets }}
+imagePullSecrets:
+  {{- . | toYaml | nindent 2 }}
+{{- end }}
+{{- end }}

templates/gitea/ssh-svc.yaml

@@ -39,7 +39,9 @@ spec:
   ports:
   - name: ssh
     port: {{ .Values.service.ssh.port }}
+    {{- if .Values.gitea.config.server.SSH_LISTEN_PORT }}
     targetPort: {{ .Values.gitea.config.server.SSH_LISTEN_PORT }}
+    {{- end }}
     protocol: TCP
     {{- if .Values.service.ssh.nodePort }}
     nodePort: {{ .Values.service.ssh.nodePort }}

templates/tests/test-http-connection.yaml

@@ -1,3 +1,4 @@
+{{- if .Values.test.enabled }}
 apiVersion: v1
 kind: Pod
 metadata:
@@ -9,7 +10,8 @@ metadata:
 spec:
   containers:
     - name: wget
-      image: busybox
+      image: "{{ .Values.test.image.name }}:{{ .Values.test.image.tag }}"
       command: ['wget']
       args:  ['{{ include "gitea.fullname" . }}-http:{{ .Values.service.http.port }}']
   restartPolicy: Never
+{{- end }}

unittests/deployment/basic.yaml

@@ -1,17 +1,17 @@
-suite: Statefulset template (basic)
+suite: deployment template (basic)
 release:
   name: gitea-unittests
   namespace: testing
 templates:
-  - templates/gitea/statefulset.yaml
+  - templates/gitea/deployment.yaml
   - templates/gitea/config.yaml
 tests:
-  - it: renders a statefulset
-    template: templates/gitea/statefulset.yaml
+  - it: renders a deployment
+    template: templates/gitea/deployment.yaml
     asserts:
       - hasDocuments:
           count: 1
       - containsDocument:
-          kind: StatefulSet  
+          kind: Deployment
           apiVersion: apps/v1
           name: gitea-unittests

unittests/deployment/signing-disabled.yaml

@@ -1,13 +1,13 @@
-suite: Statefulset template (signing disabled)
+suite: deployment template (signing disabled)
 release:
   name: gitea-unittests
   namespace: testing
 templates:
-  - templates/gitea/statefulset.yaml
+  - templates/gitea/deployment.yaml
   - templates/gitea/config.yaml
 tests:
   - it: skips gpg init container
-    template: templates/gitea/statefulset.yaml
+    template: templates/gitea/deployment.yaml
     asserts:
       - notContains:
           path: spec.template.spec.initContainers
@@ -15,24 +15,24 @@ tests:
           content:
             name: configure-gpg
   - it: skips gpg env in `init-directories` init container
-    template: templates/gitea/statefulset.yaml
+    template: templates/gitea/deployment.yaml
     set:
-      signing.enabled: true
+      signing.enabled: false
     asserts:
-      - contains:
+      - notContains:
           path: spec.template.spec.initContainers[0].env
           content:
             name: GNUPGHOME
             value: /data/git/.gnupg
   - it: skips gpg env in runtime container
-    template: templates/gitea/statefulset.yaml
+    template: templates/gitea/deployment.yaml
     asserts:
       - notContains:
           path: spec.template.spec.containers[0].env
           content:
             name: GNUPGHOME
   - it: skips gpg volume spec
-    template: templates/gitea/statefulset.yaml
+    template: templates/gitea/deployment.yaml
     asserts:
       - notContains:
           path: spec.template.spec.volumes

unittests/deployment/signing-enabled.yaml

@@ -1,13 +1,13 @@
-suite: Statefulset template (signing enabled)
+suite: deployment template (signing enabled)
 release:
   name: gitea-unittests
   namespace: testing
 templates:
-  - templates/gitea/statefulset.yaml
+  - templates/gitea/deployment.yaml
   - templates/gitea/config.yaml
 tests:
   - it: adds gpg init container
-    template: templates/gitea/statefulset.yaml
+    template: templates/gitea/deployment.yaml
     set:
       signing:
         enabled: true
@@ -39,9 +39,10 @@ tests:
               mountPath: /raw
               readOnly: true
   - it: adds gpg env in `init-directories` init container
-    template: templates/gitea/statefulset.yaml
+    template: templates/gitea/deployment.yaml
     set:
       signing.enabled: true
+      signing.existingSecret: "custom-gpg-secret"
     asserts:
       - contains:
           path: spec.template.spec.initContainers[0].env
@@ -49,9 +50,10 @@ tests:
             name: GNUPGHOME
             value: /data/git/.gnupg
   - it: adds gpg env in runtime container
-    template: templates/gitea/statefulset.yaml
+    template: templates/gitea/deployment.yaml
     set:
       signing.enabled: true
+      signing.existingSecret: "custom-gpg-secret"
     asserts:
       - contains:
           path: spec.template.spec.containers[0].env
@@ -59,10 +61,11 @@ tests:
             name: GNUPGHOME
             value: /data/git/.gnupg
   - it: adds gpg volume spec
-    template: templates/gitea/statefulset.yaml
+    template: templates/gitea/deployment.yaml
     set:
       signing:
         enabled: true
+        existingSecret: "gitea-unittests-gpg-key"
     asserts:
       - contains:
           path: spec.template.spec.volumes
@@ -75,7 +78,7 @@ tests:
                   path: private.asc
               defaultMode: 0100
   - it: supports gpg volume spec with external reference
-    template: templates/gitea/statefulset.yaml
+    template: templates/gitea/deployment.yaml
     set:
       signing:
         enabled: true

unittests/deployment/ssh-configuration.yaml

@@ -0,0 +1,40 @@
+suite: deployment template (SSH configuration)
+release:
+  name: gitea-unittests
+  namespace: testing
+templates:
+  - templates/gitea/deployment.yaml
+  - templates/gitea/config.yaml
+tests:
+  - it: supports defining SSH log level for root based image
+    template: templates/gitea/deployment.yaml
+    set:
+      image.rootless: false
+    asserts:
+      - contains:
+          path: spec.template.spec.containers[0].env
+          content:
+            name: SSH_LOG_LEVEL
+            value: "INFO"
+  - it: supports overriding SSH log level
+    template: templates/gitea/deployment.yaml
+    set:
+      image.rootless: false
+      gitea.ssh.logLevel: "DEBUG"
+    asserts:
+      - contains:
+          path: spec.template.spec.containers[0].env
+          content:
+            name: SSH_LOG_LEVEL
+            value: "DEBUG"
+  - it: skips SSH_LOG_LEVEL for rootless image
+    template: templates/gitea/deployment.yaml
+    set:
+      image.rootless: true
+      gitea.ssh.logLevel: "DEBUG" # explicitly defining a non-standard level here
+    asserts:
+      - notContains:
+          path: spec.template.spec.containers[0].env
+          any: true
+          content:
+            name: SSH_LOG_LEVEL

unittests/gpg-secret/signing-enabled.yaml

@@ -11,7 +11,7 @@ tests:
         enabled: true
     asserts:
       - failedTemplate:
-          errorMessage: Either specify `signing.privateKey` or `signing.existingKey`
+          errorMessage: Either specify `signing.privateKey` or `signing.existingSecret`
   - it: skips rendering using external secret reference
     set:
       signing:

unittests/init/basic.yaml

@@ -10,6 +10,6 @@ tests:
       - hasDocuments:
           count: 1
       - containsDocument:
-          kind: Secret  
+          kind: Secret
           apiVersion: v1
           name: gitea-unittests-init

unittests/init/init_directory_structure.sh-rootless.yaml

@@ -0,0 +1,68 @@
+suite: Init template
+release:
+  name: gitea-unittests
+  namespace: testing
+templates:
+  - templates/gitea/init.yaml
+tests:
+  - it: runs gpg in batch mode
+    set:
+      signing.enabled: true
+      signing.privateKey: |-
+        -----BEGIN PGP PRIVATE KEY BLOCK-----
+        {placeholder}
+        -----END PGP PRIVATE KEY BLOCK-----
+    asserts:
+      - equal:
+          path: stringData["configure_gpg_environment.sh"]
+          value: |-
+            #!/usr/bin/env bash
+            set -eu
+
+            gpg --batch --import /raw/private.asc
+  - it: skips gpg script block for disabled signing
+    asserts:
+      - equal:
+          path: stringData["init_directory_structure.sh"]
+          value: |-
+            #!/usr/bin/env bash
+
+            set -euo pipefail
+
+            set -x
+            mkdir -p /data/git/.ssh
+            chmod -R 700 /data/git/.ssh
+            [ ! -d /data/gitea/conf ] && mkdir -p /data/gitea/conf
+
+            # prepare temp directory structure
+            mkdir -p "${GITEA_TEMP}"
+            chmod ug+rwx "${GITEA_TEMP}"
+  - it: adds gpg script block for enabled signing
+    set:
+      signing.enabled: true
+      signing.privateKey: |-
+        -----BEGIN PGP PRIVATE KEY BLOCK-----
+        {placeholder}
+        -----END PGP PRIVATE KEY BLOCK-----
+    asserts:
+      - equal:
+          path: stringData["init_directory_structure.sh"]
+          value: |-
+            #!/usr/bin/env bash
+
+            set -euo pipefail
+
+            set -x
+            mkdir -p /data/git/.ssh
+            chmod -R 700 /data/git/.ssh
+            [ ! -d /data/gitea/conf ] && mkdir -p /data/gitea/conf
+
+            # prepare temp directory structure
+            mkdir -p "${GITEA_TEMP}"
+            chmod ug+rwx "${GITEA_TEMP}"
+
+            if [ ! -d "${GNUPGHOME}" ]; then
+              mkdir -p "${GNUPGHOME}"
+              chmod 700 "${GNUPGHOME}"
+              chown 1000:1000 "${GNUPGHOME}"
+            fi

unittests/init/init_directory_structure.sh.yaml

@@ -5,10 +5,28 @@ release:
 templates:
   - templates/gitea/init.yaml
 tests:
-  - it: skips gpg script block for disabled signing
+  - it: runs gpg in batch mode
+    set:
+      image.rootless: false
+      signing.enabled: true
+      signing.privateKey: |-
+        -----BEGIN PGP PRIVATE KEY BLOCK-----
+        {placeholder}
+        -----END PGP PRIVATE KEY BLOCK-----
     asserts:
       - equal:
-          path: stringData.[init_directory_structure.sh]
+          path: stringData["configure_gpg_environment.sh"]
+          value: |-
+            #!/usr/bin/env bash
+            set -eu
+
+            gpg --batch --import /raw/private.asc
+  - it: skips gpg script block for disabled signing
+    set:
+      image.rootless: false
+    asserts:
+      - equal:
+          path: stringData["init_directory_structure.sh"]
           value: |-
             #!/usr/bin/env bash
 
@@ -26,10 +44,15 @@ tests:
             chmod ug+rwx "${GITEA_TEMP}"
   - it: adds gpg script block for enabled signing
     set:
+      image.rootless: false
       signing.enabled: true
+      signing.privateKey: |-
+        -----BEGIN PGP PRIVATE KEY BLOCK-----
+        {placeholder}
+        -----END PGP PRIVATE KEY BLOCK-----
     asserts:
       - equal:
-          path: stringData.[init_directory_structure.sh]
+          path: stringData["init_directory_structure.sh"]
           value: |-
             #!/usr/bin/env bash
 

unittests/serviceaccount/basic.yaml

@@ -0,0 +1,82 @@
+suite: ServiceAccount template (basic)
+release:
+  name: gitea-unittests
+  namespace: testing
+templates:
+  - templates/gitea/serviceaccount.yaml
+tests:
+  - it: skips rendering by default
+    asserts:
+      - hasDocuments:
+          count: 0
+  - it: renders default ServiceAccount object with serviceAccount.create=true
+    set:
+      serviceAccount.create: true
+    asserts:
+      - hasDocuments:
+          count: 1
+      - containsDocument:
+          kind: ServiceAccount
+          apiVersion: v1
+          name: gitea-unittests
+      - equal:
+          path: automountServiceAccountToken
+          value: false
+      - notExists:
+          path: imagePullSecrets
+      - notExists:
+          path: metadata.annotations
+  - it: allows for adding custom labels
+    set:
+      serviceAccount:
+        create: true
+        labels:
+          custom: label
+    asserts:
+      - equal:
+          path: metadata.labels.custom
+          value: label
+  - it: allows for adding custom annotations
+    set:
+      serviceAccount:
+        create: true
+        annotations:
+          myCustom: annotation
+    asserts:
+      - equal:
+          path: metadata.annotations.myCustom
+          value: annotation
+  - it: allows to override the generated name
+    set:
+      serviceAccount:
+        create: true
+        name: provided-serviceaccount-name
+    asserts:
+      - equal:
+          path: metadata.name
+          value: provided-serviceaccount-name
+  - it: allows to mount the token
+    set:
+      serviceAccount:
+        create: true
+        automountServiceAccountToken: true
+    asserts:
+      - equal:
+          path: automountServiceAccountToken
+          value: true
+  - it: allows to reference image pull secrets
+    set:
+      serviceAccount:
+        create: true
+        imagePullSecrets:
+          - name: testing-image-pull-secret
+          - name: another-pull-secret
+    asserts:
+      - contains:
+          path: imagePullSecrets
+          content:
+            name: testing-image-pull-secret
+      - contains:
+          path: imagePullSecrets
+          content:
+            name: another-pull-secret

unittests/serviceaccount/reference.yaml

@@ -0,0 +1,32 @@
+suite: ServiceAccount template (reference)
+release:
+  name: gitea-unittests
+  namespace: testing
+templates:
+  - templates/gitea/serviceaccount.yaml
+  - templates/gitea/deployment.yaml
+  - templates/gitea/config.yaml
+tests:
+  - it: does not modify the deployment by default
+    template: templates/gitea/deployment.yaml
+    asserts:
+      - notExists:
+          path: spec.serviceAccountName
+  - it: adds the reference to the deployment with serviceAccount.create=true
+    template: templates/gitea/deployment.yaml
+    set:
+      serviceAccount.create: true
+    asserts:
+      - equal:
+          path: spec.template.spec.serviceAccountName
+          value: gitea-unittests
+  - it: allows referencing an externally created ServiceAccount to the deployment
+    template: templates/gitea/deployment.yaml
+    set:
+      serviceAccount:
+        create: false # explicitly set to define rendering behavior
+        name: "externally-existing-serviceaccount"
+    asserts:
+      - equal:
+          path: spec.template.spec.serviceAccountName
+          value: externally-existing-serviceaccount

values.yaml

@@ -6,6 +6,7 @@
 ## @param global.imageRegistry global image registry override
 ## @param global.imagePullSecrets global image pull secrets override; can be extended by `imagePullSecrets`
 ## @param global.storageClass global storage class override
+## @param global.hostAliases global hostAliases which will be added to the pod's hosts files
 global:
   imageRegistry: ""
   ## E.g.
@@ -14,10 +15,24 @@ global:
   ##
   imagePullSecrets: []
   storageClass: ""
+  hostAliases: []
+  # - ip: 192.168.137.2
+  #   hostnames:
+  #   - example.com
 
-## @param replicaCount number of replicas for the statefulset
+## @param replicaCount number of replicas for the deployment
 replicaCount: 1
 
+## @section strategy
+## @param strategy.type strategy type
+## @param strategy.rollingUpdate.maxSurge maxSurge
+## @param strategy.rollingUpdate.maxUnavailable maxUnavailable
+strategy:
+  type: "RollingUpdate"
+  rollingUpdate:
+    maxSurge: "100%"
+    maxUnavailable: 0
+
 ## @param clusterDomain cluster domain
 clusterDomain: cluster.local
 
@@ -33,7 +48,7 @@ image:
   # Overrides the image tag whose default is the chart appVersion.
   tag: ""
   pullPolicy: Always
-  rootless: false # only possible when running 1.14 or later
+  rootless: true
 
 ## @param imagePullSecrets Secret to use for pulling the image
 imagePullSecrets: []
@@ -63,17 +78,22 @@ containerSecurityContext: {}
 #   runAsNonRoot: true
 #   runAsUser: 1000
 
-## @depracated The securityContext variable has been split two:
+## @deprecated The securityContext variable has been split two:
 ## - containerSecurityContext
 ## - podSecurityContext.
 ## @param securityContext Run init and Gitea containers as a specific securityContext
 securityContext: {}
 
+## @param podDisruptionBudget Pod disruption budget
+podDisruptionBudget: {}
+#  maxUnavailable: 1
+#  minAvailable: 1
+
 ## @section Service
 service:
   ## @param service.http.type Kubernetes service type for web traffic
   ## @param service.http.port Port number for web traffic
-  ## @param service.http.clusterIP ClusterIP setting for http autosetup for statefulset is None
+  ## @param service.http.clusterIP ClusterIP setting for http autosetup for deployment is None
   ## @param service.http.loadBalancerIP LoadBalancer IP setting
   ## @param service.http.nodePort NodePort for http service
   ## @param service.http.externalTrafficPolicy If `service.http.type` is `NodePort` or `LoadBalancer`, set this to `Local` to enable source IP preservation
@@ -96,7 +116,7 @@ service:
     annotations: {}
   ## @param service.ssh.type Kubernetes service type for ssh traffic
   ## @param service.ssh.port Port number for ssh traffic
-  ## @param service.ssh.clusterIP ClusterIP setting for ssh autosetup for statefulset is None
+  ## @param service.ssh.clusterIP ClusterIP setting for ssh autosetup for deployment is None
   ## @param service.ssh.loadBalancerIP LoadBalancer IP setting
   ## @param service.ssh.nodePort NodePort for ssh service
   ## @param service.ssh.externalTrafficPolicy If `service.ssh.type` is `NodePort` or `LoadBalancer`, set this to `Local` to enable source IP preservation
@@ -120,7 +140,6 @@ service:
     loadBalancerSourceRanges: []
     annotations: {}
 
-
 ## @section Ingress
 ## @param ingress.enabled Enable ingress
 ## @param ingress.className Ingress class name
@@ -134,7 +153,8 @@ ingress:
   enabled: false
   # className: nginx
   className:
-  annotations: {}
+  annotations:
+    {}
     # kubernetes.io/ingress.class: nginx
     # kubernetes.io/tls-acme: "true"
   hosts:
@@ -150,10 +170,11 @@ ingress:
   # If helm doesn't correctly detect your ingress API version you can set it here.
   # apiVersion: networking.k8s.io/v1
 
-## @section StatefulSet
+## @section deployment
 #
 ## @param resources Kubernetes resources
-resources: {}
+resources:
+  {}
   # We usually recommend not to specify default resources and to leave this as a conscious
   # choice for the user. This also increases chances charts run on environments with little
   # resources, such as Minikube. If you do want to specify resources, uncomment the following
@@ -171,34 +192,60 @@ resources: {}
 ## @param schedulerName Use an alternate scheduler, e.g. "stork"
 schedulerName: ""
 
-## @param nodeSelector NodeSelector for the statefulset
+## @param nodeSelector NodeSelector for the deployment
 nodeSelector: {}
 
-## @param tolerations Tolerations for the statefulset
+## @param tolerations Tolerations for the deployment
 tolerations: []
 
-## @param affinity Affinity for the statefulset
+## @param affinity Affinity for the deployment
 affinity: {}
 
-## @param dnsConfig dnsConfig for the statefulset
+## @param topologySpreadConstraints TopologySpreadConstraints for the deployment
+topologySpreadConstraints: []
+
+## @param dnsConfig dnsConfig for the deployment
 dnsConfig: {}
 
-## @param statefulset.env  Additional environment variables to pass to containers
-## @param statefulset.terminationGracePeriodSeconds How long to wait until forcefully kill the pod
-## @param statefulset.labels Labels for the statefulset
-## @param statefulset.annotations Annotations for the Gitea StatefulSet to be created
-statefulset:
-  env: []
+## @param priorityClassName priorityClassName for the deployment
+priorityClassName: ""
+
+## @param deployment.env  Additional environment variables to pass to containers
+## @param deployment.terminationGracePeriodSeconds How long to wait until forcefully kill the pod
+## @param deployment.labels Labels for the deployment
+## @param deployment.annotations Annotations for the Gitea deployment to be created
+deployment:
+  env:
+    []
     # - name: VARIABLE
     #   value: my-value
   terminationGracePeriodSeconds: 60
   labels: {}
   annotations: {}
 
+## @section ServiceAccount
+
+## @param serviceAccount.create Enable the creation of a ServiceAccount
+## @param serviceAccount.name Name of the created ServiceAccount, defaults to release name. Can also link to an externally provided ServiceAccount that should be used.
+## @param serviceAccount.automountServiceAccountToken Enable/disable auto mounting of the service account token
+## @param serviceAccount.imagePullSecrets Image pull secrets, available to the ServiceAccount
+## @param serviceAccount.annotations Custom annotations for the ServiceAccount
+## @param serviceAccount.labels Custom labels for the ServiceAccount
+serviceAccount:
+  create: false
+  name: ""
+  automountServiceAccountToken: false
+  imagePullSecrets: []
+  # - name: private-registry-access
+  annotations: {}
+  labels: {}
+
 ## @section Persistence
 #
 ## @param persistence.enabled Enable persistent storage
-## @param persistence.existingClaim Use an existing claim to store repository information
+## @param persistence.create Whether to create the persistentVolumeClaim for shared storage
+## @param persistence.mount Whether the persistentVolumeClaim should be mounted (even if not created)
+## @param persistence.claimName Use an existing claim to store repository information
 ## @param persistence.size Size for persistence to store repo information
 ## @param persistence.accessModes AccessMode for persistence
 ## @param persistence.labels Labels for the persistence volume claim to be created
@@ -207,7 +254,9 @@ statefulset:
 ## @param persistence.subPath Subdirectory of the volume to mount at
 persistence:
   enabled: true
-  existingClaim:
+  create: true
+  mount: true
+  claimName: gitea-shared-storage
   size: 10Gi
   accessModes:
     - ReadWriteOnce
@@ -216,7 +265,7 @@ persistence:
   storageClass:
   subPath:
 
-## @param extraVolumes Additional volumes to mount to the Gitea statefulset
+## @param extraVolumes Additional volumes to mount to the Gitea deployment
 extraVolumes: []
 # - name: postgres-ssl-vol
 #   secret:
@@ -228,7 +277,7 @@ extraContainerVolumeMounts: []
 ## @param extraInitVolumeMounts Mounts that are only mapped into the init-containers. Can be used for additional preconfiguration.
 extraInitVolumeMounts: []
 
-## @depracated The extraVolumeMounts variable has been split two:
+## @deprecated The extraVolumeMounts variable has been split two:
 ## - extraContainerVolumeMounts
 ## - extraInitVolumeMounts
 ## As an example, can be used to mount a client cert when connecting to an external Postgres server.
@@ -248,6 +297,16 @@ initPreScript: ""
 #   chown -R git:git /data/git/.postgresql/
 #   chmod 400 /data/git/.postgresql/postgresql.key
 
+## @param initContainers.resources.limits initContainers.limits Kubernetes resource limits for init containers
+## @param initContainers.resources.requests.cpu initContainers.requests.cpu Kubernetes cpu resource limits for init containers
+## @param initContainers.resources.requests.memory initContainers.requests.memory Kubernetes memory resource limits for init containers
+initContainers:
+  resources:
+    limits: {}
+    requests:
+      cpu: 100m
+      memory: 128Mi
+
 # Configure commit/action signing prerequisites
 ## @section Signing
 #
@@ -273,7 +332,7 @@ gitea:
   ## @param gitea.admin.password Password for the Gitea admin user
   ## @param gitea.admin.email Email for the Gitea admin user
   admin:
-    #existingSecret: gitea-admin-secret
+    # existingSecret: gitea-admin-secret
     existingSecret:
     username: gitea_admin
     password: r8sA8CPHD9!bt6d
@@ -289,7 +348,8 @@ gitea:
       #    prometheus-release: prom1
 
   ## @param gitea.ldap LDAP configuration
-  ldap: []
+  ldap:
+    []
     # - name: "LDAP 1"
     #  existingSecret:
     #  securityProtocol:
@@ -306,7 +366,8 @@ gitea:
 
   # Either specify inline `key` and `secret` or refer to them via `existingSecret`
   ## @param gitea.oauth OAuth configuration
-  oauth: []
+  oauth:
+    []
     # - name: 'OAuth 1'
     #   provider:
     #   key:
@@ -319,13 +380,14 @@ gitea:
     #   customProfileUrl:
     #   customEmailUrl:
 
-  ## @param gitea.config  Configuration for the Gitea server,ref: [config-cheat-sheet](https://docs.gitea.io/en-us/config-cheat-sheet/)
-  config: {}
-  #  APP_NAME: "Gitea: Git with a cup of tea"
-  #  RUN_MODE: dev
-  #
-  #  server:
-  #    SSH_PORT: 22
+  ## @param gitea.config.server.SSH_PORT SSH port for rootlful Gitea image
+  ## @param gitea.config.server.SSH_LISTEN_PORT SSH port for rootless Gitea image
+  config:
+    #  APP_NAME: "Gitea: Git with a cup of tea"
+    #  RUN_MODE: dev
+    server:
+      SSH_PORT: 22 # rootful image
+      SSH_LISTEN_PORT: 2222 # rootless image
   #
   #  security:
   #    PASSWORD_COMPLEXITY: spec
@@ -343,6 +405,10 @@ gitea:
   ## @param gitea.podAnnotations Annotations for the Gitea pod
   podAnnotations: {}
 
+  ## @param gitea.ssh.logLevel Configure OpenSSH's log level. Only available for root-based Gitea image.
+  ssh:
+    logLevel: "INFO"
+
   ## @section LivenessProbe
   #
   ## @param gitea.livenessProbe.enabled Enable liveness probe
@@ -403,75 +469,58 @@ gitea:
     successThreshold: 1
     failureThreshold: 10
 
-## @section Memcached
-#
-## @param memcached.enabled Memcached is loaded as a dependency from [Bitnami](https://github.com/bitnami/charts/tree/master/bitnami/memcached) if enabled in the values. Complete Configuration can be taken from their website.
-## @param memcached.service.port Port for Memcached
-memcached:
+## @section redis-cluster
+## @param redis-cluster.enabled Enable redis
+## @param redis-cluster.global.redis.password Password for the "gitea" user (overrides `password`)
+redis-cluster:
   enabled: true
-  service:
-    port: 11211
+  global:
+    redis:
+      password: gitea
+
+## @section postgresql-ha
+#
+## @param postgresql-ha.enabled Enable postgresql-ha
+## @param postgresql-ha.global.postgresql-ha.auth.password Password for the `gitea` user (overrides `auth.password`)
+## @param postgresql-ha.global.postgresql-ha.auth.database Name for a custom database to create (overrides `auth.database`)
+## @param postgresql-ha.global.postgresql-ha.auth.username Name for a custom user to create (overrides `auth.username`)
+## @param postgresql-ha.global.postgresql-ha.service.ports.postgresql-ha postgresql-ha service port (overrides `service.ports.postgresql-ha`)
+## @param postgresql-ha.primary.persistence.size PVC Storage Request for postgresql-ha volume
+postgresql-ha:
+  enabled: true
+  global:
+    postgresql-ha:
+      auth:
+        password: gitea
+        database: gitea
+        username: gitea
+      service:
+        ports:
+          postgresql-ha: 5432
+  primary:
+    persistence:
+      size: 10Gi
 
 ## @section PostgreSQL
 #
 ## @param postgresql.enabled Enable PostgreSQL
-## @param postgresql.global.postgresql.postgresqlDatabase PostgreSQL database (overrides postgresqlDatabase)
-## @param postgresql.global.postgresql.postgresqlUsername PostgreSQL username (overrides postgresqlUsername)
-## @param postgresql.global.postgresql.postgresqlPassword PostgreSQL admin password (overrides postgresqlPassword)
-## @param postgresql.global.postgresql.servicePort PostgreSQL port (overrides service.port)
-## @param postgresql.persistence.size PVC Storage Request for PostgreSQL volume
+## @param postgresql.global.postgresql.auth.password Password for the `gitea` user (overrides `auth.password`)
+## @param postgresql.global.postgresql.auth.database Name for a custom database to create (overrides `auth.database`)
+## @param postgresql.global.postgresql.auth.username Name for a custom user to create (overrides `auth.username`)
+## @param postgresql.global.postgresql.service.ports.postgresql PostgreSQL service port (overrides `service.ports.postgresql`)
+## @param postgresql.primary.persistence.size PVC Storage Request for PostgreSQL volume
 postgresql:
-  enabled: true
+  enabled: false
   global:
     postgresql:
-      postgresqlDatabase: gitea
-      postgresqlUsername: gitea
-      postgresqlPassword: gitea
-      servicePort: 5432
-  persistence:
-    size: 10Gi
-
-## @section MySQL
-#
-## @param mysql.enabled Enable MySQL
-## @param mysql.root.password Password for the root user. Ignored if existing secret is provided
-## @param mysql.db.user Username of new user to create.
-## @param mysql.db.password Password for the new user.Ignored if existing secret is provided
-## @param mysql.db.name Name for new database to create.
-## @param mysql.service.port Port to connect to MySQL service
-## @param mysql.persistence.size PVC Storage Request for MySQL volume
-mysql:
-  enabled: false
-  root:
-    password: gitea
-  db:
-    user: gitea
-    password: gitea
-    name: gitea
-  service:
-    port: 3306
-  persistence:
-    size: 10Gi
-
-## @section MariaDB
-#
-## @param mariadb.enabled Enable MariaDB
-## @param mariadb.auth.database Name of the database to create.
-## @param mariadb.auth.username Username of the new user to create.
-## @param mariadb.auth.password Password for the new user. Ignored if existing secret is provided
-## @param mariadb.auth.rootPassword Password for the root user.
-## @param mariadb.primary.service.port Port to connect to MariaDB service
-## @param mariadb.primary.persistence.size Persistence size for MariaDB
-mariadb:
-  enabled: false
-  auth:
-    database: gitea
-    username: gitea
-    password: gitea
-    rootPassword: gitea
+      auth:
+        password: gitea
+        database: gitea
+        username: gitea
+      service:
+        ports:
+          postgresql: 5432
   primary:
-    service:
-      port: 3306
     persistence:
       size: 10Gi
 
@@ -479,4 +528,16 @@ mariadb:
 # Set it to false to skip this basic validation check.
 ## @section Advanced
 ## @param checkDeprecation Set it to false to skip this basic validation check.
+## @param test.enabled Set it to false to disable test-connection Pod.
+## @param test.image.name Image name for the wget container used in the test-connection Pod.
+## @param test.image.tag Image tag for the wget container used in the test-connection Pod.
 checkDeprecation: true
+test:
+  enabled: true
+  image:
+    name: busybox
+    tag: latest
+
+## @param extraDeploy Array of extra objects to deploy with the release
+##
+extraDeploy: []