Bump Gitea to 1.19.0 (#418)

As title.

Reviewed-on: https://gitea.com/gitea/helm-chart/pulls/418
Reviewed-by: John Olheiser <john+gitea@jolheiser.com>
Reviewed-by: yardenshoham <yardenshoham@noreply.gitea.io>

.drone.yml

@@ -10,22 +10,31 @@ platform:
 steps:
 - name: helm lint
   pull: always
-  image: alpine:3.16
+  image: alpine:3.17
   commands:
   - apk add --no-cache -X http://dl-cdn.alpinelinux.org/alpine/edge/testing helm
   - helm lint
 
 - name: helm template
   pull: always
-  image: alpine:3.16
+  image: alpine:3.17
   commands:
   - apk add --no-cache -X http://dl-cdn.alpinelinux.org/alpine/edge/testing helm
   - helm dependency update
   - helm template --debug gitea-helm .
 
+- name: helm unittests
+  pull: always
+  image: alpine:3.17
+  commands:
+  - apk add --no-cache -X http://dl-cdn.alpinelinux.org/alpine/edge/testing make helm git bash
+  - helm plugin install https://github.com/helm-unittest/helm-unittest
+  - helm dependency update
+  - make unittests
+
 - name: verify readme
   pull: always
-  image: alpine:3.16
+  image: alpine:3.17
   commands:
   - apk add --no-cache -X http://dl-cdn.alpinelinux.org/alpine/edge/testing make npm git
   - make readme
@@ -61,7 +70,7 @@ trigger:
 steps:
 - name: generate-chart
   pull: always
-  image: alpine:3.16
+  image: alpine:3.17
   commands:
     - apk add --no-cache -X http://dl-cdn.alpinelinux.org/alpine/edge/testing helm
     - apk add --no-cache curl
@@ -76,8 +85,16 @@ steps:
   pull: always
   image: plugins/s3:latest
   settings:
-    bucket: gitea-artifacts
+    acl:
-    endpoint: https://ams3.digitaloceanspaces.com
+      from_secret: aws_s3_acl
+    region:
+      from_secret: aws_s3_region
+    bucket:
+      from_secret: aws_s3_bucket
+    endpoint:
+      from_secret: aws_s3_endpoint
+    path_style:
+      from_secret: aws_s3_path_style
     access_key:
       from_secret: aws_access_key_id
     secret_key:

.editorconfig

@@ -0,0 +1,12 @@
+# EditorConfig is awesome: https://EditorConfig.org
+
+# top-most EditorConfig file
+root = true
+
+[*]
+indent_style = space
+indent_size = 2
+end_of_line = lf
+charset = utf-8
+trim_trailing_whitespace = false
+insert_final_newline = false

.gitignore

@@ -1,3 +1,4 @@
 charts/
 node_modules/
 .DS_Store
+unittests/*/__snapshot__/

.helmignore

@@ -25,3 +25,9 @@ node_modules/
 package.json
 package-lock.json
 .gitea/
+Makefile
+.markdownlintignore
+.markdownlint.yaml
+.drone.yml
+CONTRIBUTING.md
+unittests/

.markdownlint.yaml

@@ -131,8 +131,6 @@ MD044:
   names:
   - Gitea
   - PostgreSQL
-  - MariaDB
-  - MySQL
   - Memcached
   - Prometheus
   - Git

CONTRIBUTING.md

@@ -14,6 +14,7 @@ When using Visual Studio Code as IDE, following plugins might be useful:
 - [Markdown All in One](https://marketplace.visualstudio.com/items?itemName=yzhang.markdown-all-in-one)
 - [markdownlint](https://marketplace.visualstudio.com/items?itemName=DavidAnson.vscode-markdownlint)
 - [Helm Intellisense](https://marketplace.visualstudio.com/items?itemName=Tim-Koehler.helm-intellisense)
+- [Prettier - Code formatter](https://marketplace.visualstudio.com/items?itemName=esbenp.prettier-vscode)
 
 ## Documentation Requirements
 
@@ -50,3 +51,13 @@ be used:
    forwarded first from `minikube` to localhost first via `kubectl --namespace
    default port-forward svc/gitea-http 3000:3000`. Now Gitea is accessible at
    [http://localhost:3000](http://localhost:3000).
+
+### Unit tests
+
+```bash
+# install the unittest plugin
+$ helm plugin install https://github.com/helm-unittest/helm-unittest
+
+# run the unittests
+make unittests
+```

Chart.lock

@@ -1,15 +1,9 @@
 dependencies:
 - name: memcached
-  repository: https://raw.githubusercontent.com/bitnami/charts/pre-2022/bitnami
+  repository: oci://registry-1.docker.io/bitnamicharts
-  version: 5.9.0
+  version: 6.3.7
-- name: mysql
-  repository: https://raw.githubusercontent.com/bitnami/charts/pre-2022/bitnami
-  version: 6.14.10
 - name: postgresql
-  repository: https://raw.githubusercontent.com/bitnami/charts/pre-2022/bitnami
+  repository: oci://registry-1.docker.io/bitnamicharts
-  version: 10.3.17
+  version: 12.2.6
-- name: mariadb
+digest: sha256:c2026881f71eca24c72e9da3e798a1ad2a5af8e86a39a5341015584eaacf8b64
-  repository: https://raw.githubusercontent.com/bitnami/charts/pre-2022/bitnami
+generated: "2023-03-27T19:20:21.125036+02:00"
-  version: 9.3.6
-digest: sha256:08f967276fa0c083e9756a974a9791a487a71be0a226dc14351b3e5a2641e8fd
-generated: "2022-06-11T12:18:36.672047+02:00"

Chart.yaml

@@ -3,7 +3,7 @@ name: gitea
 description: Gitea Helm chart for Kubernetes
 type: application
 version: 0.0.0
-appVersion: 1.17.4
+appVersion: 1.19.0
 icon: https://docs.gitea.io/images/gitea.png
 
 keywords:
@@ -31,19 +31,13 @@ maintainers:
 
 # Bitnami charts are served from GitHub CDN - See https://github.com/bitnami/charts/issues/10539 for details
 dependencies:
+# OCI registry: https://blog.bitnami.com/2023/01/bitnami-helm-charts-available-as-oci.html (2023-01)
+# Chart release date: 2023-02
 - name: memcached
-  repository: https://raw.githubusercontent.com/bitnami/charts/pre-2022/bitnami
+  repository: oci://registry-1.docker.io/bitnamicharts
-  version: 5.9.0
+  version: 6.3.7
   condition: memcached.enabled
-- name: mysql
-  repository: https://raw.githubusercontent.com/bitnami/charts/pre-2022/bitnami
-  version: 6.14.10
-  condition: mysql.enabled
 - name: postgresql
-  repository: https://raw.githubusercontent.com/bitnami/charts/pre-2022/bitnami
+  repository: oci://registry-1.docker.io/bitnamicharts
-  version: 10.3.17
+  version: 12.2.6
   condition: postgresql.enabled
-- name: mariadb
-  repository: https://raw.githubusercontent.com/bitnami/charts/pre-2022/bitnami
-  version: 9.3.6
-  condition: mariadb.enabled

Makefile

@@ -6,3 +6,7 @@ prepare-environment:
 readme: prepare-environment
 	npm run readme:parameters
 	npm run readme:lint
+
+.PHONY: unittests
+unittests:
+	helm unittest --strict -f 'unittests/**/*.yaml' ./

README.md

@@ -11,6 +11,22 @@ different approach in providing a database and cache with dependencies.
 Additionally, this chart provides LDAP and admin user configuration with values,
 as well as being deployed as a statefulset to retain stored repositories.
 
+## Update and versioning policy
+
+The Gitea helm chart versioning does not follow Gitea's versioning.
+The latest chart version can be looked up in [https://dl.gitea.com/charts](https://dl.gitea.com/charts) or in the [repository releases](https://gitea.com/gitea/helm-chart/releases).
+
+The chart aims to follow Gitea's releases closely.
+There might be times when the chart is behind the latest Gitea release.
+This might be caused by different reasons, most often due to time constraints of the maintainers (remember, all work here is done voluntarily in the spare time of people).
+If you're eager to use the latest Gitea version earlier than this chart catches up, then change the tag in `values.yaml` to the latest Gitea version.
+Note that besides the exact Gitea version one can also use the `:1` tag to automatically follow the latest Gitea version.
+This should be combined with `image.pullPolicy: "Always"`.
+Important: Using the `:1` will also automatically jump to new minor release (e.g. from 1.13 to 1.14) which may eventually cause incompatibilities if major/breaking changes happened between these versions.
+This is due to Gitea not strictly following [semantic versioning](https://semver.org/#summary) as breaking changes do not increase the major version.
+I.e., "minor" version bumps are considered "major".
+Yet most often no issues will be encountered and the chart maintainers aim to communicate early/upfront if this would be the case.
+
 ## Dependencies
 
 Gitea can be run with an external database and cache. This chart provides those
@@ -21,8 +37,6 @@ Dependencies:
 
 - PostgreSQL ([configuration](#postgresql))
 - Memcached ([configuration](#memcached))
-- MySQL ([configuration](#mysql))
-- MariaDB ([configuration](#mariadb))
 
 ## Installing
 
@@ -41,24 +55,6 @@ of this document for major and breaking changes.
 - Helm 3.0+
 - PV provisioner for persistent data support
 
-## Configure Commit Signing
-
-When using the rootless image the gpg key folder was is not persistent by
-default. If you consider using signed commits for internal Gitea activities
-(e.g. initial commit), you'd need to provide a signing key. Prior to
-[PR186](https://gitea.com/gitea/helm-chart/pulls/186), imported keys had to be
-re-imported once the container got replaced by another.
-
-The mentioned PR introduced a new configuration object `signing` allowing you to
-configure prerequisites for commit signing. By default this section is disabled
-to maintain backwards compatibility.
-
-```yaml
-signing:
-  enabled: false
-  gpgHome: /data/git/.gnupg
-```
-
 ## Examples
 
 ### Gitea Configuration
@@ -143,7 +139,7 @@ ENABLED = false
 ### Additional _app.ini_ settings
 
 > **The [generic](https://docs.gitea.io/en-us/config-cheat-sheet/#overall-default)
-section cannot be defined that way.**
+> section cannot be defined that way.**
 
 Some settings inside _app.ini_ (like passwords or whole authentication configurations)
 must be considered sensitive and therefore should not be passed via plain text
@@ -237,14 +233,17 @@ Priority (highest to lowest) for defining app.ini variables:
 
 ### External Database
 
-An external Database can be used instead of builtIn PostgreSQL or MySQL.
+Any external Database listed in [https://docs.gitea.io/en-us/database-prep/](https://docs.gitea.io/en-us/database-prep/) can be used instead of the built-in PostgreSQL.
+In fact, it is **highly recommended** to use an external database to ensure a stable Gitea installation longterm.
+
+If an external database is used, no matter which type, make sure to set `postgresql.enabled` to `false` to disable the use of the built-in PostgreSQL.
 
 ```yaml
 gitea:
   config:
     database:
       DB_TYPE: mysql
-      HOST: 127.0.0.1:3306
+      HOST: <mysql HOST>
       NAME: gitea
       USER: root
       PASSWD: gitea
@@ -365,31 +364,21 @@ by default.
 If you want to manage your own PVC you can simply pass the PVC name to the chart.
 
 ```yaml
-  persistence:
+persistence:
-    enabled: true
+  enabled: true
-    existingClaim: MyAwesomeGiteaClaim
+  existingClaim: MyAwesomeGiteaClaim
 ```
 
-In case that peristence has been disabled it will simply use an empty dir volume.
+In case that persistence has been disabled it will simply use an empty dir volume.
 
 PostgreSQL handles the persistence in the exact same way.
 You can interact with the postgres settings as displayed in the following example:
 
 ```yaml
-  postgresql:
+postgresql:
-    persistence:
+  persistence:
-      enabled: true
+    enabled: true
-      existingClaim: MyAwesomeGiteaPostgresClaim
+    existingClaim: MyAwesomeGiteaPostgresClaim
-```
-
-MySQL also handles persistence the same, even though it is not deployed as a statefulset.
-You can interact with the postgres settings as displayed in the following example:
-
-```yaml
-  mysql:
-    persistence:
-      enabled: true
-      existingClaim: MyAwesomeGiteaMysqlClaim
 ```
 
 ### Admin User
@@ -400,11 +389,11 @@ not possible to delete an admin user after it has been created. This has to be
 done in the ui. You cannot use `admin` as username.
 
 ```yaml
-  gitea:
+gitea:
-    admin:
+  admin:
-      username: "MyAwesomeGiteaAdmin"
+    username: "MyAwesomeGiteaAdmin"
-      password: "AReallyAwesomeGiteaPassword"
+    password: "AReallyAwesomeGiteaPassword"
-      email: "gi@tea.com"
+    email: "gi@tea.com"
 ```
 
 You can also use an existing Secret to configure the admin user:
@@ -422,8 +411,8 @@ stringData:
 
 ```yaml
 gitea:
-    admin:
+  admin:
-      existingSecret: gitea-admin-secret
+    existingSecret: gitea-admin-secret
 ```
 
 ### LDAP Settings
@@ -434,20 +423,20 @@ All LDAP values from <https://docs.gitea.io/en-us/command-line/#admin> are avail
 Multiple LDAP sources can be configured with additional LDAP list items.
 
 ```yaml
-  gitea:
+gitea:
-    ldap:
+  ldap:
-      - name: MyAwesomeGiteaLdap
+    - name: MyAwesomeGiteaLdap
-        securityProtocol: unencrypted
+      securityProtocol: unencrypted
-        host: "127.0.0.1"
+      host: "127.0.0.1"
-        port: "389"
+      port: "389"
-        userSearchBase: ou=Users,dc=example,dc=com
+      userSearchBase: ou=Users,dc=example,dc=com
-        userFilter: sAMAccountName=%s
+      userFilter: sAMAccountName=%s
-        adminFilter: CN=Admin,CN=Group,DC=example,DC=com
+      adminFilter: CN=Admin,CN=Group,DC=example,DC=com
-        emailAttribute: mail
+      emailAttribute: mail
-        bindDn: CN=ldap read,OU=Spezial,DC=example,DC=com
+      bindDn: CN=ldap read,OU=Spezial,DC=example,DC=com
-        bindPassword: JustAnotherBindPw
+      bindPassword: JustAnotherBindPw
-        usernameAttribute: CN
+      usernameAttribute: CN
-        publicSSHKeyAttribute: publicSSHKey
+      publicSSHKeyAttribute: publicSSHKey
 ```
 
 You can also use an existing secret to set the bindDn and bindPassword:
@@ -492,11 +481,11 @@ Multiple OAuth2 sources can be configured with additional OAuth list items.
 ```yaml
 gitea:
   oauth:
-    - name: 'MyAwesomeGiteaOAuth'
+    - name: "MyAwesomeGiteaOAuth"
-      provider: 'openidConnect'
+      provider: "openidConnect"
-      key: 'hello'
+      key: "hello"
-      secret: 'world'
+      secret: "world"
-      autoDiscoverUrl: 'https://gitea.example.com/.well-known/openid-configuration'
+      autoDiscoverUrl: "https://gitea.example.com/.well-known/openid-configuration"
       #useCustomUrls:
       #customAuthUrl:
       #customTokenUrl:
@@ -520,11 +509,54 @@ stringData:
 ```yaml
 gitea:
   oauth:
-    - name: 'MyAwesomeGiteaOAuth'
+    - name: "MyAwesomeGiteaOAuth"
       existingSecret: gitea-oauth-secret
         ...
 ```
 
+## Configure commit signing
+
+When using the rootless image the gpg key folder is not persistent by
+default. If you consider using signed commits for internal Gitea activities
+(e.g. initial commit), you'd need to provide a signing key. Prior to
+[PR186](https://gitea.com/gitea/helm-chart/pulls/186), imported keys had to be
+re-imported once the container got replaced by another.
+
+The mentioned PR introduced a new configuration object `signing` allowing you to
+configure prerequisites for commit signing. By default this section is disabled
+to maintain backwards compatibility.
+
+```yaml
+signing:
+  enabled: false
+  gpgHome: /data/git/.gnupg
+```
+
+Regardless of the used container image the `signing` object allows to specify a
+private gpg key. Either using the `signing.privateKey` to define the key inline,
+or refer to an existing secret containing the key data by using `signing.existingSecret`.
+
+```yaml
+apiVersion: v1
+kind: Secret
+metadata:
+  name: custom-gitea-gpg-key
+type: Opaque
+stringData:
+  privateKey: |-
+    -----BEGIN PGP PRIVATE KEY BLOCK-----
+    ...
+    -----END PGP PRIVATE KEY BLOCK-----
+```
+
+```yaml
+signing:
+  existingSecret: custom-gitea-gpg-key
+```
+
+To use the gpg key, Gitea needs to be configured accordingly. A detailed description
+can be found in the [official Gitea documentation](https://docs.gitea.io/en-us/signing/#general-configuration).
+
 ### Metrics and profiling
 
 A Prometheus `/metrics` endpoint on the `HTTP_PORT` and `pprof` profiling
@@ -566,6 +598,7 @@ gitea:
 | `global.imageRegistry`    | global image registry override                                            | `""`            |
 | `global.imagePullSecrets` | global image pull secrets override; can be extended by `imagePullSecrets` | `[]`            |
 | `global.storageClass`     | global storage class override                                             | `""`            |
+| `global.hostAliases`      | global hostAliases which will be added to the pod's hosts files           | `[]`            |
 | `replicaCount`            | number of replicas for the statefulset                                    | `1`             |
 | `clusterDomain`           | cluster domain                                                            | `cluster.local` |
 
@@ -669,10 +702,12 @@ gitea:
 
 ### Signing
 
-| Name              | Description                  | Value              |
+| Name                     | Description                                                       | Value              |
-| ----------------- | ---------------------------- | ------------------ |
+| ------------------------ | ----------------------------------------------------------------- | ------------------ |
-| `signing.enabled` | Enable commit/action signing | `false`            |
+| `signing.enabled`        | Enable commit/action signing                                      | `false`            |
-| `signing.gpgHome` | GPG home directory           | `/data/git/.gnupg` |
+| `signing.gpgHome`        | GPG home directory                                                | `/data/git/.gnupg` |
+| `signing.privateKey`     | Inline private gpg key for signed Gitea actions                   | `""`               |
+| `signing.existingSecret` | Use an existing secret to store the value of `signing.privateKey` | `""`               |
 
 ### Gitea
 
@@ -690,6 +725,7 @@ gitea:
 | `gitea.additionalConfigSources`        | Additional configuration from secret or configmap                                                             | `[]`                 |
 | `gitea.additionalConfigFromEnvs`       | Additional configuration sources from environment variables                                                   | `[]`                 |
 | `gitea.podAnnotations`                 | Annotations for the Gitea pod                                                                                 | `{}`                 |
+| `gitea.ssh.logLevel`                   | Configure OpenSSH's log level. Only available for root-based Gitea image.                                     | `INFO`               |
 
 ### LivenessProbe
 
@@ -736,44 +772,23 @@ gitea:
 
 ### PostgreSQL
 
-| Name                                              | Description                                              | Value   |
+| Name                                                    | Description                                                      | Value   |
-| ------------------------------------------------- | -------------------------------------------------------- | ------- |
+| ------------------------------------------------------- | ---------------------------------------------------------------- | ------- |
-| `postgresql.enabled`                              | Enable PostgreSQL                                        | `true`  |
+| `postgresql.enabled`                                    | Enable PostgreSQL                                                | `true`  |
-| `postgresql.global.postgresql.postgresqlDatabase` | PostgreSQL database (overrides postgresqlDatabase)       | `gitea` |
+| `postgresql.global.postgresql.auth.password`            | Password for the "Gitea" user (overrides `auth.password`)        | `gitea` |
-| `postgresql.global.postgresql.postgresqlUsername` | PostgreSQL username (overrides postgresqlUsername)       | `gitea` |
+| `postgresql.global.postgresql.auth.database`            | Name for a custom database to create (overrides `auth.database`) | `gitea` |
-| `postgresql.global.postgresql.postgresqlPassword` | PostgreSQL admin password (overrides postgresqlPassword) | `gitea` |
+| `postgresql.global.postgresql.auth.username`            | Name for a custom user to create (overrides `auth.username`)     | `gitea` |
-| `postgresql.global.postgresql.servicePort`        | PostgreSQL port (overrides service.port)                 | `5432`  |
+| `postgresql.global.postgresql.service.ports.postgresql` | PostgreSQL service port (overrides `service.ports.postgresql`)   | `5432`  |
-| `postgresql.persistence.size`                     | PVC Storage Request for PostgreSQL volume                | `10Gi`  |
+| `postgresql.primary.persistence.size`                   | PVC Storage Request for PostgreSQL volume                        | `10Gi`  |
-
-### MySQL
-
-| Name                     | Description                                                        | Value   |
-| ------------------------ | ------------------------------------------------------------------ | ------- |
-| `mysql.enabled`          | Enable MySQL                                                       | `false` |
-| `mysql.root.password`    | Password for the root user. Ignored if existing secret is provided | `gitea` |
-| `mysql.db.user`          | Username of new user to create.                                    | `gitea` |
-| `mysql.db.password`      | Password for the new user.Ignored if existing secret is provided   | `gitea` |
-| `mysql.db.name`          | Name for new database to create.                                   | `gitea` |
-| `mysql.service.port`     | Port to connect to MySQL service                                   | `3306`  |
-| `mysql.persistence.size` | PVC Storage Request for MySQL volume                               | `10Gi`  |
-
-### MariaDB
-
-| Name                               | Description                                                       | Value   |
-| ---------------------------------- | ----------------------------------------------------------------- | ------- |
-| `mariadb.enabled`                  | Enable MariaDB                                                    | `false` |
-| `mariadb.auth.database`            | Name of the database to create.                                   | `gitea` |
-| `mariadb.auth.username`            | Username of the new user to create.                               | `gitea` |
-| `mariadb.auth.password`            | Password for the new user. Ignored if existing secret is provided | `gitea` |
-| `mariadb.auth.rootPassword`        | Password for the root user.                                       | `gitea` |
-| `mariadb.primary.service.port`     | Port to connect to MariaDB service                                | `3306`  |
-| `mariadb.primary.persistence.size` | Persistence size for MariaDB                                      | `10Gi`  |
 
 ### Advanced
 
-| Name               | Description                                          | Value  |
+| Name               | Description                                                        | Value     |
-| ------------------ | ---------------------------------------------------- | ------ |
+| ------------------ | ------------------------------------------------------------------ | --------- |
-| `checkDeprecation` | Set it to false to skip this basic validation check. | `true` |
+| `checkDeprecation` | Set it to false to skip this basic validation check.               | `true`    |
+| `test.enabled`     | Set it to false to disable test-connection Pod.                    | `true`    |
+| `test.image.name`  | Image name for the wget container used in the test-connection Pod. | `busybox` |
+| `test.image.tag`   | Image tag for the wget container used in the test-connection Pod.  | `latest`  |
 
 ## Contributing
 
@@ -786,6 +801,28 @@ See [CONTRIBUTORS GUIDE](CONTRIBUTING.md) for details.
 This section lists major and breaking changes of each Helm Chart version.
 Please read them carefully to upgrade successfully.
 
+### To 8.0.0
+
+#### Removal of MariaDB and MySQL DB chart dependencies
+
+In this version support for DB chart dependencies of MySQL and MariaDB have been removed to simplify the maintenance of the helm chart.
+External MySQL and MariaDB databases are still supported and will be in the future.
+
+#### Postgres Update from v11 to v15
+
+This Chart version updates the Postgres chart dependency and subsequently Postgres from v11 to v15.
+Please read the [Postgres Release Notes](https://www.postgresql.org/docs/release/) for version-specific changes.
+With respect to `values.yaml`, parameters `username`, `database` and `password` have been regrouped under `auth` and slightly renamed.
+`persistence` has also been regrouped under the `primary` key.
+Please adjust your `values.yaml` accordingly.
+
+### To 7.0.0
+
+#### Private GPG key configuration for Gitea signing actions
+
+Having `signing.enabled=true` now requires to use either `signing.privateKey` or `signing.existingSecret` so that the Chart can automatically prepare the GPG key for Gitea internal signing actions.
+See [Configure commit signing](#configure-commit-signing) for details.
+
 ### To 6.0.0
 
 #### Different volume mounts for init-containers and runtime container
@@ -818,7 +855,7 @@ after the upgrade.
 #### Enable Dependencies
 
 The values to enable the dependencies,
-such as PostgreSQL, Memcached, MySQL and MariaDB
+such as PostgreSQL, Memcached, MySQL and MariaDB.
 have been moved from `gitea.database.builtIn.` to the dependency values.
 
 You can now enable the dependencies as followed:
@@ -854,9 +891,9 @@ automatically in certain situations:
   configuration nor via auto generation. We explicitly prevent to set new secrets.
 
 > 💡 It would be possible to set new secret keys manually by entering
-the running container and rewriting the app.ini by hand. However, this it is
+> the running container and rewriting the app.ini by hand. However, this it is
-not advisable to do so for existing installations. Certain settings like
+> not advisable to do so for existing installations. Certain settings like
-_LDAP_ would not be readable anymore.
+> _LDAP_ would not be readable anymore.
 
 #### Probes
 

templates/_helpers.tpl

@@ -92,15 +92,7 @@ app.kubernetes.io/instance: {{ .Release.Name }}
 {{- end -}}
 
 {{- define "postgresql.dns" -}}
-{{- printf "%s-postgresql.%s.svc.%s:%g" .Release.Name .Release.Namespace .Values.clusterDomain .Values.postgresql.global.postgresql.servicePort -}}
+{{- printf "%s-postgresql.%s.svc.%s:%g" .Release.Name .Release.Namespace .Values.clusterDomain .Values.postgresql.global.postgresql.service.ports.postgresql -}}
-{{- end -}}
-
-{{- define "mysql.dns" -}}
-{{- printf "%s-mysql.%s.svc.%s:%g" .Release.Name .Release.Namespace .Values.clusterDomain .Values.mysql.service.port | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-
-{{- define "mariadb.dns" -}}
-{{- printf "%s-mariadb.%s.svc.%s:%g" .Release.Name .Release.Namespace .Values.clusterDomain .Values.mariadb.primary.service.port | trunc 63 | trimSuffix "-" -}}
 {{- end -}}
 
 {{- define "memcached.dns" -}}
@@ -292,9 +284,9 @@ https
     {{- if not (.Values.gitea.config.database.HOST) -}}
       {{- $_ := set .Values.gitea.config.database "HOST"      (include "postgresql.dns" .) -}}
     {{- end -}}
-    {{- $_ := set .Values.gitea.config.database "NAME"      .Values.postgresql.global.postgresql.postgresqlDatabase -}}
+    {{- $_ := set .Values.gitea.config.database "NAME"      .Values.postgresql.global.postgresql.auth.database -}}
-    {{- $_ := set .Values.gitea.config.database "USER"      .Values.postgresql.global.postgresql.postgresqlUsername -}}
+    {{- $_ := set .Values.gitea.config.database "USER"      .Values.postgresql.global.postgresql.auth.username -}}
-    {{- $_ := set .Values.gitea.config.database "PASSWD"    .Values.postgresql.global.postgresql.postgresqlPassword -}}
+    {{- $_ := set .Values.gitea.config.database "PASSWD"    .Values.postgresql.global.postgresql.auth.password -}}
   {{- else if .Values.mysql.enabled -}}
     {{- $_ := set .Values.gitea.config.database "DB_TYPE"   "mysql" -}}
     {{- if not (.Values.gitea.config.database.HOST) -}}
@@ -331,3 +323,7 @@ https
     {{- toYaml .Values.extraVolumeMounts -}}
   {{- end -}}
 {{- end -}}
+
+{{- define "gitea.gpg-key-secret-name" -}}
+{{ default (printf "%s-gpg-key" (include "gitea.fullname" .)) .Values.signing.existingSecret }}
+{{- end -}}

templates/gitea/gpg-secret.yaml

@@ -0,0 +1,16 @@
+{{- if .Values.signing.enabled -}}
+{{- if and (empty .Values.signing.privateKey) (empty .Values.signing.existingSecret) -}}
+  {{- fail "Either specify `signing.privateKey` or `signing.existingSecret`" -}}
+{{- end }}
+{{- if and (not (empty .Values.signing.privateKey)) (empty .Values.signing.existingSecret) -}}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "gitea.gpg-key-secret-name" . }}
+  labels:
+    {{- include "gitea.labels" . | nindent 4 }}
+type: Opaque
+data:
+  privateKey: {{ .Values.signing.privateKey | b64enc }}
+{{- end }}
+{{- end }}

templates/gitea/init.yaml

@@ -6,6 +6,11 @@ metadata:
     {{- include "gitea.labels" . | nindent 4 }}
 type: Opaque
 stringData:
+  configure_gpg_environment.sh: |-
+    #!/usr/bin/env bash
+    set -eu
+
+    gpg --batch --import /raw/private.asc
   init_directory_structure.sh: |-
     #!/usr/bin/env bash
 
@@ -35,6 +40,14 @@ stringData:
     {{- end }}
     chmod ug+rwx "${GITEA_TEMP}"
 
+    {{ if .Values.signing.enabled -}}
+    if [ ! -d "${GNUPGHOME}" ]; then
+      mkdir -p "${GNUPGHOME}"
+      chmod 700 "${GNUPGHOME}"
+      chown 1000:1000 "${GNUPGHOME}"
+    fi
+    {{- end }}
+
   configure_gitea.sh: |-
     #!/usr/bin/env bash
 

templates/gitea/statefulset.yaml

@@ -59,6 +59,10 @@ spec:
             {{- if .Values.statefulset.env }}
             {{- toYaml .Values.statefulset.env | nindent 12 }}
             {{- end }}
+            {{- if .Values.signing.enabled }}
+            - name: GNUPGHOME
+              value: {{ .Values.signing.gpgHome }}
+            {{- end }}
           volumeMounts:
             - name: init
               mountPath: /usr/sbin
@@ -110,6 +114,36 @@ spec:
             {{- include "gitea.init-additional-mounts" . | nindent 12 }}
           securityContext:
             {{- toYaml .Values.containerSecurityContext | nindent 12 }}
+        {{- if .Values.signing.enabled }}
+        - name: configure-gpg
+          image: "{{ include "gitea.image" . }}"
+          command: ["/usr/sbin/configure_gpg_environment.sh"]
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          securityContext:
+            {{- /* By default this container runs as user 1000 unless otherwise stated */ -}}
+            {{- $csc := deepCopy .Values.containerSecurityContext -}}
+            {{- if not (hasKey $csc "runAsUser") -}}
+            {{- $_ := set $csc "runAsUser" 1000 -}}
+            {{- end -}}
+            {{- toYaml $csc | nindent 12 }}
+          env:
+            - name: GNUPGHOME
+              value: {{ .Values.signing.gpgHome }}
+          volumeMounts:
+            - name: init
+              mountPath: /usr/sbin
+            - name: data
+              mountPath: /data
+              {{- if .Values.persistence.subPath }}
+              subPath: {{ .Values.persistence.subPath }}
+              {{- end }}
+            - name: gpg-private-key
+              mountPath: /raw
+              readOnly: true
+            {{- if .Values.extraVolumeMounts }}
+            {{- toYaml .Values.extraVolumeMounts | nindent 12 }}
+            {{- end }}
+        {{- end }}
         - name: configure-gitea
           image: "{{ include "gitea.image" . }}"
           command: ["/usr/sbin/configure_gitea.sh"]
@@ -209,6 +243,10 @@ spec:
               value: {{ .Values.gitea.config.server.SSH_LISTEN_PORT | quote }}
             - name: SSH_PORT
               value: {{ .Values.gitea.config.server.SSH_PORT | quote }}
+            {{- if not .Values.image.rootless }}
+            - name: SSH_LOG_LEVEL
+              value: {{ .Values.gitea.ssh.logLevel | quote }}
+            {{- end }}
             - name: GITEA_APP_INI
               value: /data/gitea/conf/app.ini
             - name: GITEA_CUSTOM
@@ -268,6 +306,10 @@ spec:
               subPath: {{ .Values.persistence.subPath }}
               {{- end }}
             {{- include "gitea.container-additional-mounts" . | nindent 12 }}
+      {{- with .Values.global.hostAliases }}
+      hostAliases:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
       {{- with .Values.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}
@@ -305,6 +347,15 @@ spec:
         {{- end }}
         - name: temp
           emptyDir: {}
+        {{- if .Values.signing.enabled }}
+        - name: gpg-private-key
+          secret:
+            secretName: {{ include "gitea.gpg-key-secret-name" . }}
+            items:
+              - key: privateKey
+                path: private.asc
+            defaultMode: 0100
+        {{- end }}
   {{- if and .Values.persistence.enabled .Values.persistence.existingClaim }}
         - name: data
           persistentVolumeClaim:

templates/tests/test-http-connection.yaml

@@ -1,3 +1,4 @@
+{{- if .Values.test.enabled }}
 apiVersion: v1
 kind: Pod
 metadata:
@@ -9,7 +10,8 @@ metadata:
 spec:
   containers:
     - name: wget
-      image: busybox
+      image: "{{ .Values.test.image.name }}:{{ .Values.test.image.tag }}"
       command: ['wget']
       args:  ['{{ include "gitea.fullname" . }}-http:{{ .Values.service.http.port }}']
   restartPolicy: Never
+{{- end }}

unittests/gpg-secret/signing-disabled.yaml

@@ -0,0 +1,13 @@
+suite: GPG secret template (signing disabled)
+release:
+  name: gitea-unittests
+  namespace: testing
+templates:
+  - templates/gitea/gpg-secret.yaml
+tests:
+  - it: renders nothing
+    set:
+      signing.enabled: false
+    asserts:
+      - hasDocuments:
+          count: 0

unittests/gpg-secret/signing-enabled.yaml

@@ -0,0 +1,40 @@
+suite: GPG secret template (signing enabled)
+release:
+  name: gitea-unittests
+  namespace: testing
+templates:
+  - templates/gitea/gpg-secret.yaml
+tests:
+  - it: fails rendering when nothing is configured
+    set:
+      signing:
+        enabled: true
+    asserts:
+      - failedTemplate:
+          errorMessage: Either specify `signing.privateKey` or `signing.existingSecret`
+  - it: skips rendering using external secret reference
+    set:
+      signing:
+        enabled: true
+        existingSecret: "external-secret-reference"
+    asserts:
+      - hasDocuments:
+          count: 0
+  - it: renders secret specification using inline gpg key
+    set:
+      signing:
+        enabled: true
+        privateKey: "gpg-key-placeholder"
+    asserts:
+      - hasDocuments:
+          count: 1
+      - documentIndex: 0
+        containsDocument:
+          kind: Secret
+          apiVersion: v1
+          name: gitea-unittests-gpg-key
+      - isNotEmpty:
+          path: metadata.labels
+      - equal:
+          path: data.privateKey
+          value: "Z3BnLWtleS1wbGFjZWhvbGRlcg=="

unittests/init/basic.yaml

@@ -0,0 +1,15 @@
+suite: Init template (basic)
+release:
+  name: gitea-unittests
+  namespace: testing
+templates:
+  - templates/gitea/init.yaml
+tests:
+  - it: renders a secret
+    asserts:
+      - hasDocuments:
+          count: 1
+      - containsDocument:
+          kind: Secret  
+          apiVersion: v1
+          name: gitea-unittests-init

unittests/init/init_directory_structure.sh.yaml

@@ -0,0 +1,64 @@
+suite: Init template
+release:
+  name: gitea-unittests
+  namespace: testing
+templates:
+  - templates/gitea/init.yaml
+tests:
+  - it: runs gpg in batch mode
+    set:
+      signing.enabled: true
+    asserts:
+      - equal:
+          path: stringData["configure_gpg_environment.sh"]
+          value: |-
+            #!/usr/bin/env bash
+            set -eu
+
+            gpg --batch --import /raw/private.asc
+  - it: skips gpg script block for disabled signing
+    asserts:
+      - equal:
+          path: stringData["init_directory_structure.sh"]
+          value: |-
+            #!/usr/bin/env bash
+
+            set -euo pipefail
+
+            set -x
+            chown 1000:1000 /data
+            mkdir -p /data/git/.ssh
+            chmod -R 700 /data/git/.ssh
+            [ ! -d /data/gitea/conf ] && mkdir -p /data/gitea/conf
+
+            # prepare temp directory structure
+            mkdir -p "${GITEA_TEMP}"
+            chown 1000:1000 "${GITEA_TEMP}"
+            chmod ug+rwx "${GITEA_TEMP}"
+  - it: adds gpg script block for enabled signing
+    set:
+      signing.enabled: true
+    asserts:
+      - equal:
+          path: stringData["init_directory_structure.sh"]
+          value: |-
+            #!/usr/bin/env bash
+
+            set -euo pipefail
+
+            set -x
+            chown 1000:1000 /data
+            mkdir -p /data/git/.ssh
+            chmod -R 700 /data/git/.ssh
+            [ ! -d /data/gitea/conf ] && mkdir -p /data/gitea/conf
+
+            # prepare temp directory structure
+            mkdir -p "${GITEA_TEMP}"
+            chown 1000:1000 "${GITEA_TEMP}"
+            chmod ug+rwx "${GITEA_TEMP}"
+
+            if [ ! -d "${GNUPGHOME}" ]; then
+              mkdir -p "${GNUPGHOME}"
+              chmod 700 "${GNUPGHOME}"
+              chown 1000:1000 "${GNUPGHOME}"
+            fi

unittests/statefulset/basic.yaml

@@ -0,0 +1,17 @@
+suite: Statefulset template (basic)
+release:
+  name: gitea-unittests
+  namespace: testing
+templates:
+  - templates/gitea/statefulset.yaml
+  - templates/gitea/config.yaml
+tests:
+  - it: renders a statefulset
+    template: templates/gitea/statefulset.yaml
+    asserts:
+      - hasDocuments:
+          count: 1
+      - containsDocument:
+          kind: StatefulSet  
+          apiVersion: apps/v1
+          name: gitea-unittests

unittests/statefulset/signing-disabled.yaml

@@ -0,0 +1,40 @@
+suite: Statefulset template (signing disabled)
+release:
+  name: gitea-unittests
+  namespace: testing
+templates:
+  - templates/gitea/statefulset.yaml
+  - templates/gitea/config.yaml
+tests:
+  - it: skips gpg init container
+    template: templates/gitea/statefulset.yaml
+    asserts:
+      - notContains:
+          path: spec.template.spec.initContainers
+          any: true
+          content:
+            name: configure-gpg
+  - it: skips gpg env in `init-directories` init container
+    template: templates/gitea/statefulset.yaml
+    set:
+      signing.enabled: true
+    asserts:
+      - contains:
+          path: spec.template.spec.initContainers[0].env
+          content:
+            name: GNUPGHOME
+            value: /data/git/.gnupg
+  - it: skips gpg env in runtime container
+    template: templates/gitea/statefulset.yaml
+    asserts:
+      - notContains:
+          path: spec.template.spec.containers[0].env
+          content:
+            name: GNUPGHOME
+  - it: skips gpg volume spec
+    template: templates/gitea/statefulset.yaml
+    asserts:
+      - notContains:
+          path: spec.template.spec.volumes
+          content:
+            name: gpg-private-key

unittests/statefulset/signing-enabled.yaml

@@ -0,0 +1,93 @@
+suite: Statefulset template (signing enabled)
+release:
+  name: gitea-unittests
+  namespace: testing
+templates:
+  - templates/gitea/statefulset.yaml
+  - templates/gitea/config.yaml
+tests:
+  - it: adds gpg init container
+    template: templates/gitea/statefulset.yaml
+    set:
+      signing:
+        enabled: true
+        existingSecret: "custom-gpg-secret"
+    asserts:
+      - equal:
+          path: spec.template.spec.initContainers[2].name
+          value: configure-gpg
+      - equal:
+          path: spec.template.spec.initContainers[2].command
+          value: ["/usr/sbin/configure_gpg_environment.sh"]
+      - equal:
+          path: spec.template.spec.initContainers[2].securityContext
+          value:
+            runAsUser: 1000
+      - equal:
+          path: spec.template.spec.initContainers[2].env
+          value:
+            - name: GNUPGHOME
+              value: /data/git/.gnupg
+      - equal:
+          path: spec.template.spec.initContainers[2].volumeMounts
+          value:
+            - name: init
+              mountPath: /usr/sbin
+            - name: data
+              mountPath: /data
+            - name: gpg-private-key
+              mountPath: /raw
+              readOnly: true
+  - it: adds gpg env in `init-directories` init container
+    template: templates/gitea/statefulset.yaml
+    set:
+      signing.enabled: true
+    asserts:
+      - contains:
+          path: spec.template.spec.initContainers[0].env
+          content:
+            name: GNUPGHOME
+            value: /data/git/.gnupg
+  - it: adds gpg env in runtime container
+    template: templates/gitea/statefulset.yaml
+    set:
+      signing.enabled: true
+    asserts:
+      - contains:
+          path: spec.template.spec.containers[0].env
+          content:
+            name: GNUPGHOME
+            value: /data/git/.gnupg
+  - it: adds gpg volume spec
+    template: templates/gitea/statefulset.yaml
+    set:
+      signing:
+        enabled: true
+    asserts:
+      - contains:
+          path: spec.template.spec.volumes
+          content:
+            name: gpg-private-key
+            secret:
+              secretName: gitea-unittests-gpg-key
+              items:
+                - key: privateKey
+                  path: private.asc
+              defaultMode: 0100
+  - it: supports gpg volume spec with external reference
+    template: templates/gitea/statefulset.yaml
+    set:
+      signing:
+        enabled: true
+        existingSecret: custom-gpg-secret
+    asserts:
+      - contains:
+          path: spec.template.spec.volumes
+          content:
+            name: gpg-private-key
+            secret:
+              secretName: custom-gpg-secret
+              items:
+                - key: privateKey
+                  path: private.asc
+              defaultMode: 0100

unittests/statefulset/ssh-configuration.yaml

@@ -0,0 +1,40 @@
+suite: Statefulset template (SSH configuration)
+release:
+  name: gitea-unittests
+  namespace: testing
+templates:
+  - templates/gitea/statefulset.yaml
+  - templates/gitea/config.yaml
+tests:
+  - it: supports defining SSH log level for root based image
+    template: templates/gitea/statefulset.yaml
+    set:
+      image.rootless: false
+    asserts:
+      - contains:
+          path: spec.template.spec.containers[0].env
+          content:
+            name: SSH_LOG_LEVEL
+            value: "INFO"
+  - it: supports overriding SSH log level
+    template: templates/gitea/statefulset.yaml
+    set:
+      image.rootless: false
+      gitea.ssh.logLevel: "DEBUG"
+    asserts:
+      - contains:
+          path: spec.template.spec.containers[0].env
+          content:
+            name: SSH_LOG_LEVEL
+            value: "DEBUG"
+  - it: skips SSH_LOG_LEVEL for rootless image
+    template: templates/gitea/statefulset.yaml
+    set:
+      image.rootless: true
+      gitea.ssh.logLevel: "DEBUG" # explicitly defining a non-standard level here
+    asserts:
+      - notContains:
+          path: spec.template.spec.containers[0].env
+          any: true
+          content:
+            name: SSH_LOG_LEVEL

values.yaml

@@ -6,6 +6,7 @@
 ## @param global.imageRegistry global image registry override
 ## @param global.imagePullSecrets global image pull secrets override; can be extended by `imagePullSecrets`
 ## @param global.storageClass global storage class override
+## @param global.hostAliases global hostAliases which will be added to the pod's hosts files
 global:
   imageRegistry: ""
   ## E.g.
@@ -14,6 +15,10 @@ global:
   ##
   imagePullSecrets: []
   storageClass: ""
+  hostAliases: []
+  # - ip: 192.168.137.2
+  #   hostnames:
+  #   - example.com
 
 ## @param replicaCount number of replicas for the statefulset
 replicaCount: 1
@@ -63,7 +68,7 @@ containerSecurityContext: {}
 #   runAsNonRoot: true
 #   runAsUser: 1000
 
-## @depracated The securityContext variable has been split two:
+## @deprecated The securityContext variable has been split two:
 ## - containerSecurityContext
 ## - podSecurityContext.
 ## @param securityContext Run init and Gitea containers as a specific securityContext
@@ -120,7 +125,6 @@ service:
     loadBalancerSourceRanges: []
     annotations: {}
 
-
 ## @section Ingress
 ## @param ingress.enabled Enable ingress
 ## @param ingress.className Ingress class name
@@ -228,7 +232,7 @@ extraContainerVolumeMounts: []
 ## @param extraInitVolumeMounts Mounts that are only mapped into the init-containers. Can be used for additional preconfiguration.
 extraInitVolumeMounts: []
 
-## @depracated The extraVolumeMounts variable has been split two:
+## @deprecated The extraVolumeMounts variable has been split two:
 ## - extraContainerVolumeMounts
 ## - extraInitVolumeMounts
 ## As an example, can be used to mount a client cert when connecting to an external Postgres server.
@@ -253,9 +257,17 @@ initPreScript: ""
 #
 ## @param signing.enabled Enable commit/action signing
 ## @param signing.gpgHome GPG home directory
+## @param signing.privateKey Inline private gpg key for signed Gitea actions
+## @param signing.existingSecret Use an existing secret to store the value of `signing.privateKey`
 signing:
   enabled: false
   gpgHome: /data/git/.gnupg
+  privateKey: ""
+  # privateKey: |-
+  #   -----BEGIN PGP PRIVATE KEY BLOCK-----
+  #   ...
+  #   -----END PGP PRIVATE KEY BLOCK-----
+  existingSecret: ""
 
 ## @section Gitea
 #
@@ -335,6 +347,10 @@ gitea:
   ## @param gitea.podAnnotations Annotations for the Gitea pod
   podAnnotations: {}
 
+  ## @param gitea.ssh.logLevel Configure OpenSSH's log level. Only available for root-based Gitea image.
+  ssh:
+    logLevel: "INFO"
+
   ## @section LivenessProbe
   #
   ## @param gitea.livenessProbe.enabled Enable liveness probe
@@ -407,63 +423,23 @@ memcached:
 ## @section PostgreSQL
 #
 ## @param postgresql.enabled Enable PostgreSQL
-## @param postgresql.global.postgresql.postgresqlDatabase PostgreSQL database (overrides postgresqlDatabase)
+## @param postgresql.global.postgresql.auth.password Password for the "gitea" user (overrides `auth.password`)
-## @param postgresql.global.postgresql.postgresqlUsername PostgreSQL username (overrides postgresqlUsername)
+## @param postgresql.global.postgresql.auth.database Name for a custom database to create (overrides `auth.database`)
-## @param postgresql.global.postgresql.postgresqlPassword PostgreSQL admin password (overrides postgresqlPassword)
+## @param postgresql.global.postgresql.auth.username Name for a custom user to create (overrides `auth.username`)
-## @param postgresql.global.postgresql.servicePort PostgreSQL port (overrides service.port)
+## @param postgresql.global.postgresql.service.ports.postgresql PostgreSQL service port (overrides `service.ports.postgresql`)
-## @param postgresql.persistence.size PVC Storage Request for PostgreSQL volume
+## @param postgresql.primary.persistence.size PVC Storage Request for PostgreSQL volume
 postgresql:
   enabled: true
   global:
     postgresql:
-      postgresqlDatabase: gitea
+      auth:
-      postgresqlUsername: gitea
+        password: gitea
-      postgresqlPassword: gitea
+        database: gitea
-      servicePort: 5432
+        username: gitea
-  persistence:
+      service:
-    size: 10Gi
+        ports:
-
+          postgresql: 5432
-## @section MySQL
-#
-## @param mysql.enabled Enable MySQL
-## @param mysql.root.password Password for the root user. Ignored if existing secret is provided
-## @param mysql.db.user Username of new user to create.
-## @param mysql.db.password Password for the new user.Ignored if existing secret is provided
-## @param mysql.db.name Name for new database to create.
-## @param mysql.service.port Port to connect to MySQL service
-## @param mysql.persistence.size PVC Storage Request for MySQL volume
-mysql:
-  enabled: false
-  root:
-    password: gitea
-  db:
-    user: gitea
-    password: gitea
-    name: gitea
-  service:
-    port: 3306
-  persistence:
-    size: 10Gi
-
-## @section MariaDB
-#
-## @param mariadb.enabled Enable MariaDB
-## @param mariadb.auth.database Name of the database to create.
-## @param mariadb.auth.username Username of the new user to create.
-## @param mariadb.auth.password Password for the new user. Ignored if existing secret is provided
-## @param mariadb.auth.rootPassword Password for the root user.
-## @param mariadb.primary.service.port Port to connect to MariaDB service
-## @param mariadb.primary.persistence.size Persistence size for MariaDB
-mariadb:
-  enabled: false
-  auth:
-    database: gitea
-    username: gitea
-    password: gitea
-    rootPassword: gitea
   primary:
-    service:
-      port: 3306
     persistence:
       size: 10Gi
 
@@ -471,4 +447,12 @@ mariadb:
 # Set it to false to skip this basic validation check.
 ## @section Advanced
 ## @param checkDeprecation Set it to false to skip this basic validation check.
+## @param test.enabled Set it to false to disable test-connection Pod.
+## @param test.image.name Image name for the wget container used in the test-connection Pod.
+## @param test.image.tag Image tag for the wget container used in the test-connection Pod.
 checkDeprecation: true
+test:
+  enabled: true
+  image:
+    name: busybox
+    tag: latest