fix release workflow

Switch imagePullPolicy to "IfNotPresent" (#568 )
### Benefits Less image pulls. ### Additional information committed via GUI - so no signature on first commit. Co-authored-by: pat-s <patrick.schratz@gmail.com> Reviewed-on: https://gitea.com/gitea/helm-chart/pulls/568 Reviewed-by: pat-s <pat-s@noreply.gitea.com> Co-authored-by: justusbunsi <sk.bunsenbrenner@gmail.com> Co-committed-by: justusbunsi <sk.bunsenbrenner@gmail.com>
2023-11-16 22:07:25 +01:00 · 2023-11-16 21:00:39 +00:00 · 2023-11-16 20:45:10 +00:00 · 2023-11-16 20:42:17 +00:00 · 2023-11-16 10:14:34 +00:00 · 2023-11-14 23:27:27 +00:00
40 changed files with 2395 additions and 782 deletions
--- a/.gitea/PULL_REQUEST_TEMPLATE.md
+++ b/.gitea/PULL_REQUEST_TEMPLATE.md
@ -39,3 +39,4 @@
 - [ ] Parameters are documented in the `values.yaml` and added to the `README.md` using [readme-generator-for-helm](https://github.com/bitnami-labs/readme-generator-for-helm)
 - [ ] Breaking changes are documented in the `README.md`
 - [ ] Templating unittests are added
--- a/.gitea/workflows/release-version.yml
+++ b/.gitea/workflows/release-version.yml
@ -5,38 +5,64 @@ on:
    tags:
      - "*"
 env:
  # renovate: datasource=docker depName=alpine/helm
  HELM_VERSION: "3.13.2"
 jobs:
  generate-chart-publish:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
      - name: install tools
        run: |
          apt update -y
-          apt install -y curl
+          apt install -y curl ca-certificates curl gnupg
          # helm
          curl https://baltocdn.com/helm/signing.asc | gpg --dearmor | tee /usr/share/keyrings/helm.gpg > /dev/null
          echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/helm.gpg] https://baltocdn.com/helm/stable/debian/ all main" | tee /etc/apt/sources.list.d/helm-stable-debian.list
          # docker
          install -m 0755 -d /etc/apt/keyrings
          curl -fsSL https://download.docker.com/linux/debian/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg
          chmod a+r /etc/apt/keyrings/docker.gpg
          echo "deb [arch="$(dpkg --print-architecture)" signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian "$(. /etc/os-release && echo "$VERSION_CODENAME")" stable" | tee /etc/apt/sources.list.d/docker.list > /dev/null
          apt update -y
-          apt install -y python helm python3-pip apt-transport-https
+          apt install -y python helm=${{ env.HELM_VERSION }}-1 python3-pip apt-transport-https docker-ce-cli
          pip install awscli
      - name: Import GPG key
        id: import_gpg
        uses: https://github.com/crazy-max/ghaction-import-gpg@v5
        with:
          gpg_private_key: ${{ secrets.GPGSIGN_KEY }}
          passphrase: ${{ secrets.GPGSIGN_PASSPHRASE }}
          fingerprint: CC64B1DB67ABBEECAB24B6455FC346329753F4B0
      # Using helm gpg plugin as 'helm package --sign' has issues with gpg2: https://github.com/helm/helm/issues/2843
      - name: package chart
        run: |
          echo ${{ secrets.DOCKER_CHARTS_PASSWORD }} | docker login -u ${{ secrets.DOCKER_CHARTS_USERNAME }} --password-stdin
          # FIXME: use upstream after https://github.com/technosophos/helm-gpg/issues/1 is solved
          helm plugin install https://github.com/pat-s/helm-gpg
          helm dependency update
          helm package --version "${GITHUB_REF#refs/tags/v}" ./
          helm gpg sign "gitea-${GITHUB_REF#refs/tags/v}.tgz"
          mkdir gitea
          mv gitea*.tgz gitea/
-          curl -L -o gitea/index.yaml https://dl.gitea.com/charts/index.yaml
+          curl -s -L -o gitea/index.yaml https://dl.gitea.com/charts/index.yaml
-          helm repo index gitea/ --url https://dl.gitea.io/charts --merge gitea/index.yaml
+          helm repo index gitea/ --url https://dl.gitea.com/charts --merge gitea/index.yaml
          # push to dockerhub
          echo ${{ secrets.DOCKER_CHARTS_PASSWORD }} | helm registry login -u ${{ secrets.DOCKER_CHARTS_USERNAME }} registry-1.docker.io --password-stdin
          helm push gitea/gitea-${GITHUB_REF#refs/tags/v}.tgz oci://registry-1.docker.io/giteacharts
          helm registry logout registry-1.docker.io
      - name: aws credential configure
        uses: https://github.com/aws-actions/configure-aws-credentials@v2
        with:
          aws-access-key-id: ${{ secrets.AWS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: ${{ secrets.AWS_REGION }}
-      - name: install aws cli
+
        run: |
          apt update -y &&
          pip install awscli
      - name: Copy files to S3 and clear cache
        run: |
          aws s3 sync gitea/ s3://${{ secrets.AWS_S3_BUCKET}}/charts/
--- a/.gitea/workflows/test-pr.yml
+++ b/.gitea/workflows/test-pr.yml
@ -1,32 +1,37 @@
 name: check-and-test
 on:
-  - pull_request
+  pull_request:
    branches:
      - "*"
  push:
    branches:
      - main
      - "renovate/**"
 env:
  # renovate: datasource=github-releases depName=helm-unittest/helm-unittest
  HELM_UNITTEST_VERSION: "v0.3.6"
 jobs:
  check-and-test:
    runs-on: ubuntu-latest
    container: alpine/helm:3.13.2
    steps:
      - uses: actions/checkout@v3
      - name: install tools
        run: |
-          apt update -y
+          apk update
-          apt install -y curl make
+          apk add --update make nodejs npm yamllint
-          curl https://baltocdn.com/helm/signing.asc | gpg --dearmor | tee /usr/share/keyrings/helm.gpg > /dev/null
+      - uses: actions/checkout@v4
-          echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/helm.gpg] https://baltocdn.com/helm/stable/debian/ all main" | tee /etc/apt/sources.list.d/helm-stable-debian.list
+      - name: install chart dependencies
-          apt update -y
+        run: helm dependency build
          apt install -y helm python3-pip
          pip install yamllint
      - name: dependency update
        run: helm dependency update
      - name: lint
        run: helm lint
      - name: template
-        run: |
+        run: helm template --debug gitea-helm .
          helm template --debug gitea-helm .
      - name: unit tests
        run: |
-          helm plugin install --version 0.3.1 https://github.com/helm-unittest/helm-unittest
+          helm plugin install --version ${{ env.HELM_UNITTEST_VERSION }} https://github.com/helm-unittest/helm-unittest
          make unittests
      - name: verify readme
        run: |
--- a/.markdownlint.yaml
+++ b/.markdownlint.yaml
@ -47,7 +47,7 @@ MD013:
  # Number of characters
  line_length: 200
  # Number of characters for headings
-  heading_line_length: 80
+  heading_line_length: 100
  # Number of characters for code blocks
  code_block_line_length: 80
  # Include code blocks
@ -106,7 +106,7 @@ MD030:
 # MD033/no-inline-html - Inline HTML
 MD033:
  # Allowed elements
-  allowed_elements: []
+  allowed_elements: [details, summary]
 # MD035/hr-style - Horizontal rule style
 MD035:
--- a/.vscode/extensions.json
+++ b/.vscode/extensions.json
@ -0,0 +1,8 @@
 {
    "recommendations": [
        "yzhang.markdown-all-in-one",
        "DavidAnson.vscode-markdownlint",
        "Tim-Koehler.helm-intellisense",
        "esbenp.prettier-vscode"
    ]
  }
--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@ -0,0 +1,8 @@
 {
    "yaml.schemas": {
        "https://raw.githubusercontent.com/helm-unittest/helm-unittest/main/schema/helm-testsuite.json": [
            "/unittests/**/*.yaml"
        ]
    },
    "yaml.schemaStore.enable": true
 }
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@ -9,21 +9,16 @@ refactorings for easier maintainability or documentation improvements.
 - [`helm`](https://helm.sh/docs/intro/install/)
 - `make` is optional; you may call the commands directly
-When using Visual Studio Code as IDE, following plugins might be useful:
+When using Visual Studio Code as IDE, a [ready-to-use profile](.vscode/) is available.
 - [Markdown All in One](https://marketplace.visualstudio.com/items?itemName=yzhang.markdown-all-in-one)
 - [markdownlint](https://marketplace.visualstudio.com/items?itemName=DavidAnson.vscode-markdownlint)
 - [Helm Intellisense](https://marketplace.visualstudio.com/items?itemName=Tim-Koehler.helm-intellisense)
 - [Prettier - Code formatter](https://marketplace.visualstudio.com/items?itemName=esbenp.prettier-vscode)
 ## Documentation Requirements
-The `README.md` must include all configuration options. The parameters section
+The `README.md` must include all configuration options.
-is generated by extracting the parameter annotations from the `values.yaml` file,
+The parameters section is generated by extracting the parameter annotations from the `values.yaml` file, by using [this tool](https://github.com/bitnami-labs/readme-generator-for-helm).
 by using [this tool](https://github.com/bitnami-labs/readme-generator-for-helm).
-If changes were made on configuration options, run `make readme` to update the
+If changes were made on configuration options, run `make readme` to update the README file.
-README file.
+
 The ToC is created via the VSCode [Markdown All in One](https://marketplace.visualstudio.com/items?itemName=yzhang.markdown-all-in-one) extension which can/must also be used used to update it.
 ## Pull Request Requirements
@ -41,16 +36,15 @@ For local development and testing of pull requests, the following workflow can
 be used:
 1. Install `minikube` and `helm`.
-2. Start a `minikube` cluster via `minikube start`.
+1. Start a `minikube` cluster via `minikube start`.
-3. From the `gitea/helm-chart` directory execute the following command. This
+1. From the `gitea/helm-chart` directory execute the following command.
-   will install the dependencies listed in `Chart.yml` and deploy the current
+   This will install the dependencies listed in `Chart.yml` and deploy the current state of the helm chart found locally.
-   state of the helm chart found locally. If you want to test a branch, make
+   If you want to test a branch, make sure to switch to the respective branch first.
   sure to switch to the respective branch first.
   `helm install --dependency-update gitea . -f values.yaml`.
-4. Gitea is now deployed in `minikube`. To access it, it's port needs to be
+1. Gitea is now deployed in `minikube`.
-   forwarded first from `minikube` to localhost first via `kubectl --namespace
+   To access it, it's port needs to be forwarded first from `minikube` to localhost first via `kubectl --namespace
-   default port-forward svc/gitea-http 3000:3000`. Now Gitea is accessible at
+default port-forward svc/gitea-http 3000:3000`.
-   [http://localhost:3000](http://localhost:3000).
+   Now Gitea is accessible at [http://localhost:3000](http://localhost:3000).
 ### Unit tests
@ -61,3 +55,11 @@ $ helm plugin install https://github.com/helm-unittest/helm-unittest
 # run the unittests
 make unittests
 ```
 See [plugin documentation](https://github.com/helm-unittest/helm-unittest/blob/main/DOCUMENT.md) for usage instructions.
 ## Release process
 1. Create a tag following the tagging schema
 1. Push the tag
 1. Let CI do it's work
--- a/Chart.lock
+++ b/Chart.lock
@ -1,9 +1,12 @@
 dependencies:
 - name: memcached
  repository: oci://registry-1.docker.io/bitnamicharts
  version: 6.3.14
 - name: postgresql
  repository: oci://registry-1.docker.io/bitnamicharts
-  version: 12.4.1
+  version: 12.12.10
-digest: sha256:02d4846bf416038a42658dbca8f8001d0e3ce967b00e990048f8d420065c33fd
+- name: postgresql-ha
-generated: "2023-04-28T09:32:05.295167+02:00"
+  repository: oci://registry-1.docker.io/bitnamicharts
  version: 11.9.4
 - name: redis-cluster
  repository: oci://registry-1.docker.io/bitnamicharts
  version: 9.1.3
 digest: sha256:6bda620320a05a5ea4efb4189a86d30092aeb0a6f3e0009538f4bea312af0863
 generated: "2023-11-14T00:08:15.790217865Z"
--- a/Chart.yaml
+++ b/Chart.yaml
@ -3,8 +3,8 @@ name: gitea
 description: Gitea Helm chart for Kubernetes
 type: application
 version: 0.0.0
-appVersion: 1.19.3
+appVersion: 1.21.0
-icon: https://docs.gitea.io/images/gitea.png
+icon: https://gitea.com/assets/img/logo.svg
 keywords:
  - git
@ -33,14 +33,18 @@ maintainers:
 # Bitnami charts are served from GitHub CDN - See https://github.com/bitnami/charts/issues/10539 for details
 dependencies:
-  # OCI registry: https://blog.bitnami.com/2023/01/bitnami-helm-charts-available-as-oci.html (2023-01)
+  # https://github.com/bitnami/charts/blob/main/bitnami/postgresql
  # Chart release date: 2023-04
  - name: memcached
    repository: oci://registry-1.docker.io/bitnamicharts
    version: 6.3.14
    condition: memcached.enabled
  # Chart release date: 2023-04
  - name: postgresql
    repository: oci://registry-1.docker.io/bitnamicharts
-    version: 12.4.1
+    version: 12.12.10
    condition: postgresql.enabled
  # https://github.com/bitnami/charts/blob/main/bitnami/postgresql-ha/Chart.yaml
  - name: postgresql-ha
    repository: oci://registry-1.docker.io/bitnamicharts
    version: 11.9.4
    condition: postgresql-ha.enabled
  # https://github.com/bitnami/charts/blob/main/bitnami/redis-cluster/Chart.yaml
  - name: redis-cluster
    repository: oci://registry-1.docker.io/bitnamicharts
    version: 9.1.3
    condition: redis-cluster.enabled
--- a/5
+++ b/5
@ -10,3 +10,8 @@ readme: prepare-environment
 .PHONY: unittests
 unittests:
 	helm unittest --strict -f 'unittests/**/*.yaml' ./
 .PHONY: helm
 update-helm-dependencies:
 	helm dependency update
--- a/README.md
+++ b/README.md
@ -1,13 +1,65 @@
-# Gitea Helm Chart
+# Gitea Helm Chart <!-- omit from toc -->
-[Gitea](https://gitea.io/en-us/) is a community managed lightweight code hosting solution written in Go.
+- [Introduction](#introduction)
 - [Update and versioning policy](#update-and-versioning-policy)
 - [Dependencies](#dependencies)
 - [Installing](#installing)
 - [High Availability](#high-availability)
 - [Configuration](#configuration)
  - [Default Configuration](#default-configuration)
    - [Database defaults](#database-defaults)
    - [Server defaults](#server-defaults)
    - [Metrics defaults](#metrics-defaults)
    - [Rootless Defaults](#rootless-defaults)
  - [Single-Pod Configurations](#single-pod-configurations)
  - [Additional _app.ini_ settings](#additional-appini-settings)
    - [User defined environment variables in app.ini](#user-defined-environment-variables-in-appini)
  - [External Database](#external-database)
  - [Ports and external url](#ports-and-external-url)
  - [ClusterIP](#clusterip)
  - [SSH and Ingress](#ssh-and-ingress)
  - [SSH on crio based kubernetes cluster](#ssh-on-crio-based-kubernetes-cluster)
  - [Cache](#cache)
  - [Persistence](#persistence)
  - [Admin User](#admin-user)
  - [LDAP Settings](#ldap-settings)
  - [OAuth2 Settings](#oauth2-settings)
 - [Configure commit signing](#configure-commit-signing)
 - [Metrics and profiling](#metrics-and-profiling)
 - [Pod annotations](#pod-annotations)
 - [Themes](#themes)
 - [Renovate](#renovate)
 - [Parameters](#parameters)
  - [Global](#global)
  - [strategy](#strategy)
  - [Image](#image)
  - [Security](#security)
  - [Service](#service)
  - [Ingress](#ingress)
  - [deployment](#deployment)
  - [ServiceAccount](#serviceaccount)
  - [Persistence](#persistence-1)
  - [Init](#init)
  - [Signing](#signing)
  - [Gitea](#gitea)
  - [LivenessProbe](#livenessprobe)
  - [ReadinessProbe](#readinessprobe)
  - [StartupProbe](#startupprobe)
  - [redis-cluster](#redis-cluster)
  - [PostgreSQL-ha](#postgresql-ha)
  - [PostgreSQL](#postgresql)
  - [Advanced](#advanced)
 - [Contributing](#contributing)
 - [Upgrading](#upgrading)
 [Gitea](https://gitea.com) is a community managed lightweight code hosting solution written in Go.
 It is published under the MIT license.
 ## Introduction
 This helm chart has taken some inspiration from [jfelten's helm chart](https://github.com/jfelten/gitea-helm-chart).
-But takes a completely different approach in providing a database and cache with dependencies.
+Yet it takes a completely different approach in providing a database and cache with dependencies.
-Additionally, this chart provides LDAP and admin user configuration with values, as well as being deployed as a statefulset to retain stored repositories.
+Additionally, this chart allows to provide LDAP and admin user configuration with values.
 ## Update and versioning policy
@ -32,31 +84,37 @@ This chart provides those dependencies, which can be enabled, or disabled via co
 Dependencies:
- PostgreSQL ([configuration](#postgresql))
+- PostgreSQL HA ([configuration](#postgresql))
- Memcached ([configuration](#memcached))
+- Redis Cluster ([configuration](#cache))
 ## Installing
 ```sh
-helm repo add gitea-charts https://dl.gitea.io/charts/
+helm repo add gitea-charts https://dl.gitea.com/charts/
 helm repo update
 helm install gitea gitea-charts/gitea
 ```
 Alternatively, the chart can also be installed from Dockerhub (since v9.6.0)
 ```sh
 helm install gitea oci://registry-1.docker.io/giteacharts/gitea
 ```
 When upgrading, please refer to the [Upgrading](#upgrading) section at the bottom of this document for major and breaking changes.
-## Prerequisites
+## High Availability
- Kubernetes 1.12+
+Since version 9.0.0 this chart supports running Gitea and it's dependencies in HA mode.
- Helm 3.0+
+Care must be taken for production use as not all implementation details of Gitea core are officially HA-ready yet.
 - PV provisioner for persistent data support
-## Examples
+Deploying a HA-ready Gitea instance requires some effort including using HA-ready dependencies.
 See the [HA Setup](docs/ha-setup.md) document for more details.
-### Gitea Configuration
+## Configuration
 Gitea offers lots of configuration options.
-This is fully described in the [Gitea Cheat Sheet](https://docs.gitea.io/en-us/config-cheat-sheet/).
+This is fully described in the [Gitea Cheat Sheet](https://docs.gitea.com/administration/config-cheat-sheet).
 ```yaml
 gitea:
@ -75,12 +133,12 @@ All defaults can be overwritten in `gitea.config`.
 INSTALL_LOCK is always set to true, since we want to configure Gitea with this helm chart and everything is taken care of.
-_All default settings are made directly in the generated app.ini, not in the Values._
+_All default settings are made directly in the generated `app.ini`, not in the Values._
 #### Database defaults
 If a builtIn database is enabled the database configuration is set automatically.
-For example, PostgreSQL builtIn will appear in the app.ini as:
+For example, PostgreSQL builtIn will appear in the `app.ini` as:
 ```ini
 [database]
@ -91,18 +149,6 @@ PASSWD = gitea
 USER = gitea
 ```
 #### Memcached defaults
 Memcached is handled the exact same way as database builtIn.
 Once Memcached builtIn is enabled, this chart will generate the following part in the `app.ini`:
 ```ini
 [cache]
 ADAPTER = memcache
 ENABLED = true
 HOST = RELEASE-NAME-memcached.default.svc.cluster.local:11211
 ```
 #### Server defaults
 The server defaults are a bit more complex.
@ -131,9 +177,101 @@ The Prometheus `/metrics` endpoint is disabled by default.
 ENABLED = false
 ```
 #### Rootless Defaults
 If `.Values.image.rootless: true`, then the following will occur. In case you use `.Values.image.fullOverride`, check that this works in your image:
 - `$HOME` becomes `/data/gitea/git`
  [see deployment.yaml](./templates/gitea/deployment.yaml) template inside (init-)container "env" declarations
 - `START_SSH_SERVER: true` (Unless explicity overwritten by `gitea.config.server.START_SSH_SERVER`)
  [see \_helpers.tpl](./templates/_helpers.tpl) in `gitea.inline_configuration.defaults.server` definition
 - `SSH_LISTEN_PORT: 2222` (Unless explicity overwritten by `gitea.config.server.SSH_LISTEN_PORT`)
  [see \_helpers.tpl](./templates/_helpers.tpl) in `gitea.inline_configuration.defaults.server` definition
 - `SSH_LOG_LEVEL` environment variable is not injected into the container
  [see deployment.yaml](./templates/gitea/deployment.yaml) template inside container "env" declarations
 ### Single-Pod Configurations
 If HA is not needed/desired, the following configurations can be used to deploy a single-pod Gitea instance.
 1. For a production-ready single-pod Gitea instance without external dependencies (using the chart dependency `postgresql`):
   <details>
   <summary>values.yml</summary>
   ```yaml
   redis-cluster:
     enabled: false
   postgresql:
     enabled: true
   postgresql-ha:
     enabled: false
   persistence:
     enabled: true
   gitea:
     config:
       database:
         DB_TYPE: postgres
       session:
         PROVIDER: db
       cache:
         ADAPTER: memory
       queue:
         TYPE: level
       indexer:
         ISSUE_INDEXER_TYPE: bleve
         REPO_INDEXER_ENABLED: true
   ```
   </details>
 2. For a minimal DEV installation (using the built-in sqlite DB instead of Postgres):
   This will result in a single-pod Gitea instance _without any dependencies and persistence_.
   **Do not use this configuration for production use**.
   <details>
   <summary>values.yml</summary>
   ```yaml
   redis-cluster:
     enabled: false
   postgresql:
     enabled: false
   postgresql-ha:
     enabled: false
   persistence:
     enabled: false
   gitea:
     config:
       database:
         DB_TYPE: sqlite3
       session:
         PROVIDER: memory
       cache:
         ADAPTER: memory
       queue:
         TYPE: level
   ```
   </details>
 ### Additional _app.ini_ settings
-> **The [generic](https://docs.gitea.io/en-us/config-cheat-sheet/#overall-default)
+> **The [generic](https://docs.gitea.com/administration/config-cheat-sheet#overall-default)
 > section cannot be defined that way.**
 Some settings inside _app.ini_ (like passwords or whole authentication configurations) must be considered sensitive and therefore should not be passed via plain text inside the _values.yaml_ file.
@ -151,8 +289,7 @@ gitea:
        name: gitea-app-ini-plaintext
 ```
-This would mount the two additional volumes (`oauth` and `some-additionals`)
+This would mount the two additional volumes (`oauth` and `some-additionals`) from different sources to the init container where the _app.ini_ gets updated.
 from different sources to the init containerwhere the _app.ini_ gets updated.
 All files mounted that way will be read and converted to environment variables and then added to the _app.ini_ using [environment-to-ini](https://github.com/go-gitea/gitea/tree/main/contrib/environment-to-ini).
 The key of such additional source represents the section inside the _app.ini_.
@ -196,16 +333,17 @@ We also support to directly interact with the generated _app.ini_.
 To inject self defined variables into the _app.ini_ a certain format needs to be honored.
 This is described in detail on the [env-to-ini](https://github.com/go-gitea/gitea/tree/main/contrib/environment-to-ini) page.
-Note that the Prefix on this helm chart is `ENV_TO_INI`.
+Prior to Gitea 1.20 and Chart 9.0.0 the helm chart had a custom prefix `ENV_TO_INI`.
 After the support for a custom prefix was removed in Gite core, the prefix was changed to `GITEA`.
 For example a database setting needs to have the following format:
 ```yaml
 gitea:
  additionalConfigFromEnvs:
-    - name: ENV_TO_INI__DATABASE__HOST
+    - name: GITEA__DATABASE__HOST
      value: my.own.host
-    - name: ENV_TO_INI__DATABASE__PASSWD
+    - name: GITEA__DATABASE__PASSWD
      valueFrom:
        secretKeyRef:
          name: postgres-secret
@ -214,13 +352,13 @@ gitea:
 Priority (highest to lowest) for defining app.ini variables:
-1. Environment variables prefixed with `ENV_TO_INI`
+1. Environment variables prefixed with `GITEA`
 1. Additional config sources
 1. Values defined in `gitea.config`
 ### External Database
-Any external Database listed in [https://docs.gitea.io/en-us/database-prep/](https://docs.gitea.io/en-us/database-prep/) can be used instead of the built-in PostgreSQL.
+Any external database listed in [https://docs.gitea.com/installation/database-prep](https://docs.gitea.com/installation/database-prep) can be used instead of the built-in PostgreSQL.
 In fact, it is **highly recommended** to use an external database to ensure a stable Gitea installation longterm.
 If an external database is used, no matter which type, make sure to set `postgresql.enabled` to `false` to disable the use of the built-in PostgreSQL.
@ -306,34 +444,23 @@ More about this issue [here](https://gitea.com/gitea/helm-chart/issues/161).
 ### Cache
-This helm chart can use a built in cache.
+The cache handling is done via `redis-cluster` (via the `bitnami` chart) by default.
-The default is Memcached from bitnami.
+This deployment is HA-ready but can also be used for single-pod deployments.
 By default, 6 replicas are deployed for a working `redis-cluster` deployment.
 Many cloud providers offer a managed redis service, which can be used instead of the built-in `redis-cluster`.
 ```yaml
-memcached:
+redis-cluster:
  enabled: true
 ```
 If the built in cache should not be used simply configure the cache in `gitea.config`.
 ```yaml
 gitea:
  config:
    cache:
      ENABLED: true
      ADAPTER: memory
      INTERVAL: 60
      HOST: 127.0.0.1:9090
 ```
 ### Persistence
-Gitea will be deployed as a statefulset.
+Gitea will be deployed as a deployment.
 By simply enabling the persistence and setting the storage class according to your cluster everything else will be taken care of.
-The following example will create a PVC as a part of the statefulset.
+The following example will create a PVC as a part of the deployment.
 This PVC will not be deleted even if you uninstall the chart.
-Please note, that an empty storageClass in the persistence will result in kubernetes using your default storage class.
+Please note, that an empty `storageClass` in the persistence will result in kubernetes using your default storage class.
 If you want to use your own storage class define it as follows:
@ -343,14 +470,12 @@ persistence:
  storageClass: myOwnStorageClass
 ```
 When using PostgreSQL as dependency, this will also be deployed as a statefulset by default.
 If you want to manage your own PVC you can simply pass the PVC name to the chart.
 ```yaml
 persistence:
  enabled: true
-  existingClaim: MyAwesomeGiteaClaim
+  claimName: MyAwesomeGiteaClaim
 ```
 In case that persistence has been disabled it will simply use an empty dir volume.
@ -362,13 +487,13 @@ You can interact with the postgres settings as displayed in the following exampl
 postgresql:
  persistence:
    enabled: true
-    existingClaim: MyAwesomeGiteaPostgresClaim
+    claimName: MyAwesomeGiteaPostgresClaim
 ```
 ### Admin User
 This chart enables you to create a default admin user.
-It is also possible to update the password for this user by upgrading or redeloying the chart.
+It is also possible to update the password for this user by upgrading or redeploying the chart.
 It is not possible to delete an admin user after it has been created.
 This has to be done in the ui.
 You cannot use `admin` as username.
@ -403,7 +528,7 @@ gitea:
 ### LDAP Settings
 Like the admin user the LDAP settings can be updated.
-All LDAP values from <https://docs.gitea.io/en-us/command-line/#admin> are available.
+All LDAP values from <https://docs.gitea.com/administration/command-line#admin> are available.
 Multiple LDAP sources can be configured with additional LDAP list items.
@ -458,7 +583,7 @@ Affected options:
 Like the admin user, OAuth2 settings can be updated and disabled but not deleted.
 Deleting OAuth2 settings has to be done in the ui.
-All OAuth2 values, which are documented [here](https://docs.gitea.io/en-us/command-line/#admin), are
+All OAuth2 values, which are documented [here](https://docs.gitea.com/administration/command-line#admin), are
 available.
 Multiple OAuth2 sources can be configured with additional OAuth list items.
@ -536,9 +661,9 @@ signing:
 ```
 To use the gpg key, Gitea needs to be configured accordingly.
-A detailed description can be found in the [official Gitea documentation](https://docs.gitea.io/en-us/signing/#general-configuration).
+A detailed description can be found in the [official Gitea documentation](https://docs.gitea.com/administration/signing#general-configuration).
-### Metrics and profiling
+## Metrics and profiling
 A Prometheus `/metrics` endpoint on the `HTTP_PORT` and `pprof` profiling endpoints on port 6060 can be enabled under `gitea`.
 Beware that the metrics endpoint is exposed via the ingress, manage access using ingress annotations for example.
@ -557,7 +682,7 @@ gitea:
      ENABLE_PPROF: true
 ```
-### Pod Annotations
+## Pod annotations
 Annotations can be added to the Gitea pod.
@ -566,28 +691,134 @@ gitea:
  podAnnotations: {}
 ```
 ## Themes
 Custom themes can be added via k8s secrets and referencing them in `values.yaml`.
 The [http provider](https://registry.terraform.io/providers/hashicorp/http/latest/docs/data-sources/http) is useful here.
 ```yaml
 extraVolumes:
  - name: gitea-themes
    secret:
      secretName: gitea-themes
 extraVolumeMounts:
  - name: gitea-themes
    readOnly: true
    mountPath: "/data/gitea/public/assets/css"
 ```
 The secret can be created via `terraform`:
 ```hcl
 resource "kubernetes_secret" "gitea-themes" {
  metadata {
    name      = "gitea-themes"
    namespace = "gitea"
  }
  data = {
    "my-theme.css"      = data.http.gitea-theme-light.body
    "my-theme-dark.css" = data.http.gitea-theme-dark.body
    "my-theme-auto.css" = data.http.gitea-theme-auto.body
  }
  type = "Opaque"
 }
 data "http" "gitea-theme-light" {
  url = "<raw theme url>"
  request_headers = {
    Accept = "application/json"
  }
 }
 data "http" "gitea-theme-dark" {
  url = "<raw theme url>"
  request_headers = {
    Accept = "application/json"
  }
 }
 data "http" "gitea-theme-auto" {
  url = "<raw theme url>"
  request_headers = {
    Accept = "application/json"
  }
 }
 ```
 or natively via `kubectl`:
 ```bash
 kubectl create secret generic gitea-themes --from-file={{FULL-PATH-TO-CSS}} --namespace gitea
 ```
 ## Renovate
 To be able to use a digest value which is automatically updated by `Renovate` a [customManager](https://docs.renovatebot.com/modules/manager/regex/) is required.
 Here's an examplary `values.yml` definition which makes use of a digest:
 ```yaml
 image:
  repository: gitea/gitea
  tag: 1.20.2
  digest: sha256:6e3b85a36653894d6741d0aefb41dfaac39044e028a42e0a520cc05ebd7bfc3f
 ```
 By default Renovate adds digest after the `tag`.
 To comply with the Gitea helm chart definition of the digest parameter, a "customManagers" definition is required:
 ```json
 "customManagers": [
  {
    "customType": "regex",
    "description": "Apply an explicit gitea digest field match",
    "fileMatch": ["values\\.ya?ml"],
    "matchStrings": ["(?<depName>gitea\\/gitea)\\n(?<indentation>\\s+)tag: (?<currentValue>[^@].*?)\\n\\s+digest: (?<currentDigest>sha256:[a-f0-9]+)"],
    "datasourceTemplate": "docker",
    "autoReplaceStringTemplate": "{{depName}}\n{{indentation}}tag: {{newValue}}\n{{indentation}}digest: {{#if newDigest}}{{{newDigest}}}{{else}}{{{currentDigest}}}{{/if}}"
  }
 ]
 ```
 ## Parameters
 ### Global
 | Name                      | Description                                                               | Value |
-| ------------------------- | ------------------------------------------------------------------------- | --------------- |
+| ------------------------- | ------------------------------------------------------------------------- | ----- |
 | `global.imageRegistry`    | global image registry override                                            | `""`  |
 | `global.imagePullSecrets` | global image pull secrets override; can be extended by `imagePullSecrets` | `[]`  |
 | `global.storageClass`     | global storage class override                                             | `""`  |
 | `global.hostAliases`      | global hostAliases which will be added to the pod's hosts files           | `[]`  |
-| `replicaCount`            | number of replicas for the statefulset                                    | `1`             |
+| `replicaCount`            | number of replicas for the deployment                                     | `1`   |
 ### strategy
 | Name                                    | Description    | Value           |
 | --------------------------------------- | -------------- | --------------- |
 | `strategy.type`                         | strategy type  | `RollingUpdate` |
 | `strategy.rollingUpdate.maxSurge`       | maxSurge       | `100%`          |
 | `strategy.rollingUpdate.maxUnavailable` | maxUnavailable | `0`             |
 | `clusterDomain`                         | cluster domain | `cluster.local` |
 ### Image
 | Name                 | Description                                                                                                                                                      | Value          |
-| ------------------ | --------------------------------------------------------------------------------------------------------------------------------------- | ------------- |
+| -------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------- |
 | `image.registry`     | image registry, e.g. gcr.io,docker.io                                                                                                                            | `""`           |
 | `image.repository`   | Image to start for this pod                                                                                                                                      | `gitea/gitea`  |
 | `image.tag`          | Visit: [Image tag](https://hub.docker.com/r/gitea/gitea/tags?page=1&ordering=last_updated). Defaults to `appVersion` within Chart.yaml.                          | `""`           |
-| `image.pullPolicy` | Image pull policy                                                                                                                       | `Always`      |
+| `image.digest`       | Image digest. Allows to pin the given image tag. Useful for having control over mutable tags like `latest`                                                       | `""`           |
-| `image.rootless`   | Wether or not to pull the rootless version of Gitea, only works on Gitea 1.14.x or higher                                               | `false`       |
+| `image.pullPolicy`   | Image pull policy                                                                                                                                                | `IfNotPresent` |
 | `image.rootless`     | Wether or not to pull the rootless version of Gitea, only works on Gitea 1.14.x or higher                                                                        | `true`         |
 | `image.fullOverride` | Completely overrides the image registry, path/image, tag and digest. **Adjust `image.rootless` accordingly and review [Rootless defaults](#rootless-defaults).** | `""`           |
 | `imagePullSecrets`   | Secret to use for pulling the image                                                                                                                              | `[]`           |
 ### Security
@ -597,6 +828,7 @@ gitea:
 | `podSecurityContext.fsGroup` | Set the shared file system group for all containers in the pod. | `1000` |
 | `containerSecurityContext`   | Security context                                                | `{}`   |
 | `securityContext`            | Run init and Gitea containers as a specific securityContext     | `{}`   |
 | `podDisruptionBudget`        | Pod disruption budget                                           | `{}`   |
 ### Service
@ -604,7 +836,7 @@ gitea:
 | --------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------- |
 | `service.http.type`                     | Kubernetes service type for web traffic                                                                                                                                                              | `ClusterIP` |
 | `service.http.port`                     | Port number for web traffic                                                                                                                                                                          | `3000`      |
-| `service.http.clusterIP`                | ClusterIP setting for http autosetup for statefulset is None                                                                                                                                         | `None`      |
+| `service.http.clusterIP`                | ClusterIP setting for http autosetup for deployment is None                                                                                                                                          | `None`      |
 | `service.http.loadBalancerIP`           | LoadBalancer IP setting                                                                                                                                                                              | `nil`       |
 | `service.http.nodePort`                 | NodePort for http service                                                                                                                                                                            | `nil`       |
 | `service.http.externalTrafficPolicy`    | If `service.http.type` is `NodePort` or `LoadBalancer`, set this to `Local` to enable source IP preservation                                                                                         | `nil`       |
@ -615,7 +847,7 @@ gitea:
 | `service.http.annotations`              | HTTP service annotations                                                                                                                                                                             | `{}`        |
 | `service.ssh.type`                      | Kubernetes service type for ssh traffic                                                                                                                                                              | `ClusterIP` |
 | `service.ssh.port`                      | Port number for ssh traffic                                                                                                                                                                          | `22`        |
-| `service.ssh.clusterIP`                 | ClusterIP setting for ssh autosetup for statefulset is None                                                                                                                                          | `None`      |
+| `service.ssh.clusterIP`                 | ClusterIP setting for ssh autosetup for deployment is None                                                                                                                                           | `None`      |
 | `service.ssh.loadBalancerIP`            | LoadBalancer IP setting                                                                                                                                                                              | `nil`       |
 | `service.ssh.nodePort`                  | NodePort for ssh service                                                                                                                                                                             | `nil`       |
 | `service.ssh.externalTrafficPolicy`     | If `service.ssh.type` is `NodePort` or `LoadBalancer`, set this to `Local` to enable source IP preservation                                                                                          | `nil`       |
@ -639,35 +871,50 @@ gitea:
 | `ingress.tls`                        | Ingress tls settings                                                        | `[]`              |
 | `ingress.apiVersion`                 | Specify APIVersion of ingress object. Mostly would only be used for argocd. |                   |
-### StatefulSet
+### deployment
 | Name                                       | Description                                            | Value |
-| ------------------------------------------- | ------------------------------------------------------ | ----- |
+| ------------------------------------------ | ------------------------------------------------------ | ----- |
 | `resources`                                | Kubernetes resources                                   | `{}`  |
 | `schedulerName`                            | Use an alternate scheduler, e.g. "stork"               | `""`  |
-| `nodeSelector`                              | NodeSelector for the statefulset                       | `{}`  |
+| `nodeSelector`                             | NodeSelector for the deployment                        | `{}`  |
-| `tolerations`                               | Tolerations for the statefulset                        | `[]`  |
+| `tolerations`                              | Tolerations for the deployment                         | `[]`  |
-| `affinity`                                  | Affinity for the statefulset                           | `{}`  |
+| `affinity`                                 | Affinity for the deployment                            | `{}`  |
-| `dnsConfig`                                 | dnsConfig for the statefulset                          | `{}`  |
+| `topologySpreadConstraints`                | TopologySpreadConstraints for the deployment           | `[]`  |
-| `priorityClassName`                         | priorityClassName for the statefulset                  | `""`  |
+| `dnsConfig`                                | dnsConfig for the deployment                           | `{}`  |
-| `statefulset.env`                           | Additional environment variables to pass to containers | `[]`  |
+| `priorityClassName`                        | priorityClassName for the deployment                   | `""`  |
-| `statefulset.terminationGracePeriodSeconds` | How long to wait until forcefully kill the pod         | `60`  |
+| `deployment.env`                           | Additional environment variables to pass to containers | `[]`  |
-| `statefulset.labels`                        | Labels for the statefulset                             | `{}`  |
+| `deployment.terminationGracePeriodSeconds` | How long to wait until forcefully kill the pod         | `60`  |
-| `statefulset.annotations`                   | Annotations for the Gitea StatefulSet to be created    | `{}`  |
+| `deployment.labels`                        | Labels for the deployment                              | `{}`  |
 | `deployment.annotations`                   | Annotations for the Gitea deployment to be created     | `{}`  |
 ### ServiceAccount
 | Name                                          | Description                                                                                                                               | Value   |
 | --------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------- | ------- |
 | `serviceAccount.create`                       | Enable the creation of a ServiceAccount                                                                                                   | `false` |
 | `serviceAccount.name`                         | Name of the created ServiceAccount, defaults to release name. Can also link to an externally provided ServiceAccount that should be used. | `""`    |
 | `serviceAccount.automountServiceAccountToken` | Enable/disable auto mounting of the service account token                                                                                 | `false` |
 | `serviceAccount.imagePullSecrets`             | Image pull secrets, available to the ServiceAccount                                                                                       | `[]`    |
 | `serviceAccount.annotations`                  | Custom annotations for the ServiceAccount                                                                                                 | `{}`    |
 | `serviceAccount.labels`                       | Custom labels for the ServiceAccount                                                                                                      | `{}`    |
 ### Persistence
 | Name                                              | Description                                                                                           | Value                  |
-| ---------------------------- | ----------------------------------------------------------------------------------------------------- | ------------------- |
+| ------------------------------------------------- | ----------------------------------------------------------------------------------------------------- | ---------------------- |
 | `persistence.enabled`                             | Enable persistent storage                                                                             | `true`                 |
-| `persistence.existingClaim`  | Use an existing claim to store repository information                                                 | `nil`               |
+| `persistence.create`                              | Whether to create the persistentVolumeClaim for shared storage                                        | `true`                 |
 | `persistence.mount`                               | Whether the persistentVolumeClaim should be mounted (even if not created)                             | `true`                 |
 | `persistence.claimName`                           | Use an existing claim to store repository information                                                 | `gitea-shared-storage` |
 | `persistence.size`                                | Size for persistence to store repo information                                                        | `10Gi`                 |
 | `persistence.accessModes`                         | AccessMode for persistence                                                                            | `["ReadWriteOnce"]`    |
 | `persistence.labels`                              | Labels for the persistence volume claim to be created                                                 | `{}`                   |
-| `persistence.annotations`    | Annotations for the persistence volume claim to be created                                            | `{}`                |
+| `persistence.annotations.helm.sh/resource-policy` | Resource policy for the persistence volume claim                                                      | `keep`                 |
 | `persistence.storageClass`                        | Name of the storage class to use                                                                      | `nil`                  |
 | `persistence.subPath`                             | Subdirectory of the volume to mount at                                                                | `nil`                  |
-| `extraVolumes`               | Additional volumes to mount to the Gitea statefulset                                                  | `[]`                |
+| `persistence.volumeName`                          | Name of persistent volume in PVC                                                                      | `""`                   |
 | `extraVolumes`                                    | Additional volumes to mount to the Gitea deployment                                                   | `[]`                   |
 | `extraContainerVolumeMounts`                      | Mounts that are only mapped into the Gitea runtime/main container, to e.g. override custom templates. | `[]`                   |
 | `extraInitVolumeMounts`                           | Mounts that are only mapped into the init-containers. Can be used for additional preconfiguration.    | `[]`                   |
 | `extraVolumeMounts`                               | **DEPRECATED** Additional volume mounts for init containers and the Gitea main container              | `[]`                   |
@ -693,7 +940,7 @@ gitea:
 ### Gitea
 | Name                                   | Description                                                               | Value                |
-| -------------------------------------- | ------------------------------------------------------------------------------------------------------------- | -------------------- |
+| -------------------------------------- | ------------------------------------------------------------------------- | -------------------- |
 | `gitea.admin.username`                 | Username for the Gitea admin user                                         | `gitea_admin`        |
 | `gitea.admin.existingSecret`           | Use an existing secret to store admin user credentials                    | `nil`                |
 | `gitea.admin.password`                 | Password for the Gitea admin user                                         | `r8sA8CPHD9!bt6d`    |
@ -702,7 +949,8 @@ gitea:
 | `gitea.metrics.serviceMonitor.enabled` | Enable Gitea metrics service monitor                                      | `false`              |
 | `gitea.ldap`                           | LDAP configuration                                                        | `[]`                 |
 | `gitea.oauth`                          | OAuth configuration                                                       | `[]`                 |
-| `gitea.config`                         | Configuration for the Gitea server,ref: [config-cheat-sheet](https://docs.gitea.io/en-us/config-cheat-sheet/) | `{}`                 |
+| `gitea.config.server.SSH_PORT`         | SSH port for rootlful Gitea image                                         | `22`                 |
 | `gitea.config.server.SSH_LISTEN_PORT`  | SSH port for rootless Gitea image                                         | `2222`               |
 | `gitea.additionalConfigSources`        | Additional configuration from secret or configmap                         | `[]`                 |
 | `gitea.additionalConfigFromEnvs`       | Additional configuration sources from environment variables               | `[]`                 |
 | `gitea.podAnnotations`                 | Annotations for the Gitea pod                                             | `{}`                 |
@ -744,18 +992,35 @@ gitea:
 | `gitea.startupProbe.successThreshold`    | Success threshold for startup probe             | `1`     |
 | `gitea.startupProbe.failureThreshold`    | Failure threshold for startup probe             | `10`    |
-### Memcached
+### redis-cluster
 | Name                             | Description                                  | Value   |
-| ----------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------- |
+| -------------------------------- | -------------------------------------------- | ------- |
-| `memcached.enabled`                 | Memcached is loaded as a dependency from [Bitnami](https://github.com/bitnami/charts/tree/master/bitnami/memcached) if enabled in the values. Complete Configuration can be taken from their website. | `true`  |
+| `redis-cluster.enabled`          | Enable redis                                 | `true`  |
-| `memcached.service.ports.memcached` | Port for Memcached                                                                                                                                                                                    | `11211` |
+| `redis-cluster.usePassword`      | Whether to use password authentication       | `false` |
 | `redis-cluster.cluster.nodes`    | Number of redis cluster master nodes         | `3`     |
 | `redis-cluster.cluster.replicas` | Number of redis cluster master node replicas | `0`     |
 ### PostgreSQL-ha
 | Name                                        | Description                                                      | Value       |
 | ------------------------------------------- | ---------------------------------------------------------------- | ----------- |
 | `postgresql-ha.enabled`                     | Enable PostgreSQL-ha                                             | `true`      |
 | `postgresql-ha.postgresql.password`         | Password for the `gitea` user (overrides `auth.password`)        | `changeme4` |
 | `postgresql-ha.global.postgresql.database`  | Name for a custom database to create (overrides `auth.database`) | `gitea`     |
 | `postgresql-ha.global.postgresql.username`  | Name for a custom user to create (overrides `auth.username`)     | `gitea`     |
 | `postgresql-ha.global.postgresql.password`  | Name for a custom password to create (overrides `auth.password`) | `gitea`     |
 | `postgresql-ha.postgresql.repmgrPassword`   | Repmgr Password                                                  | `changeme2` |
 | `postgresql-ha.postgresql.postgresPassword` | postgres Password                                                | `changeme1` |
 | `postgresql-ha.pgpool.adminPassword`        | pgpool adminPassword                                             | `changeme3` |
 | `postgresql-ha.service.ports.postgresql`    | PostgreSQL service port (overrides `service.ports.postgresql`)   | `5432`      |
 | `postgresql-ha.primary.persistence.size`    | PVC Storage Request for PostgreSQL-ha volume                     | `10Gi`      |
 ### PostgreSQL
 | Name                                                    | Description                                                      | Value   |
 | ------------------------------------------------------- | ---------------------------------------------------------------- | ------- |
-| `postgresql.enabled`                                    | Enable PostgreSQL                                                | `true`  |
+| `postgresql.enabled`                                    | Enable PostgreSQL                                                | `false` |
 | `postgresql.global.postgresql.auth.password`            | Password for the `gitea` user (overrides `auth.password`)        | `gitea` |
 | `postgresql.global.postgresql.auth.database`            | Name for a custom database to create (overrides `auth.database`) | `gitea` |
 | `postgresql.global.postgresql.auth.username`            | Name for a custom user to create (overrides `auth.username`)     | `gitea` |
@ -781,16 +1046,134 @@ See [CONTRIBUTORS GUIDE](CONTRIBUTING.md) for details.
 ## Upgrading
 This section lists major and breaking changes of each Helm Chart version.
-Please read them carefully to upgrade successfully.
+Please read them carefully to upgrade successfully, especially the change of the **default database backend**!
 If you miss this, blindly upgrading may delete your Postgres instance and you may lose your data!
-### To 8.0.0
+<details>
-#### Removal of MariaDB and MySQL DB chart dependencies
+<summary>To 9.6.0</summary>
 Chart 9.6.0 ships with Gitea 1.21.0.
 While there are no breaking changes in the chart, please check the changes of the [1.21 release blog post](https://blog.gitea.com/release-of-1.21.0/).
 </details>
 <details>
 <summary>To 9.0.0</summary>
 This chart release comes with many breaking changes while aiming for a HA-ready setup.
 Please go through all of them carefully to perform a successful upgrade.
 Here's a brief summary again, followed by more detailed migration instructions:
 - Switch from `Statefulset` to `Deployment`
 - Switch from `Memcached` to `redis-cluster` as the default session and queue provider
 - Switch from `postgres` to `postgres-ha` as the default database provider
 - A chart-internal PVC bootstrapping logic
  - New `persistence.mount`: whether to mount an existent PVC (even if not creating it)
  - New `persistence.create`: whether to create a new PVC
  - Renamed `persistence.existingClaim` to `persistence.claimName`
 While not required, we recommend to start with a RWX PV for new installations.
 A RWX volume is required for installation aiming for HA.
 If you want to stay with a pre-existing RWO PV, you need to set
 - `persistence.mount=true`
 - `persistence.create=false`
 - `persistence.claimName` to the name of your existing PVC.
 If you do not, Gitea will create a new PVC which will in turn create a new PV.
 If this happened to you by accident, you can still recover your data by setting using the settings from above in a subsequent run.
 If you want to stay with a `memcache` instead of `redis-cluster`, you need to deploy `memcache` manually (e.g. from [bitnami](https://github.com/bitnami/charts/tree/main/bitnami/memcached)) and set
 - `cache.HOST = "<memcache connection string>"`
 - `cache.ADAPTER = "memcache"`
 - `session.PROVIDER = "memcache"`
 - `session.PROVIDER_CONFIG = "<memcache connection string>"`
 - `queue.TYPE = "memcache"`
 - `queue.CONN_STR = "<memcache connection string>"`
 The `memcache` connection string has the scheme `memcache://<memcache service name>:<memcache service port>`, e.g. `gitea-memcached.gitea.svc.cluster.local:11211`.
 The first item here (`<memcache service name>`) will be different compared to the example if you deploy `memcache` yourself.
 The above changes are motivated by the idea to tidy dependencies but also have HA-ready ones at the same time.
 The previous `memcache` default was not HA-ready, hence we decided to switch to `redis-cluster` by default.
 If you are coming from an existing deployment and [#356](https://gitea.com/gitea/helm-chart/issues/356) is still open, you need to set the config sections for `cache`, `session` and `queue` explicitly:
 ```yaml
 gitea:
  config:
    session:
      PROVIDER: redis-cluster
      PROVIDER_CONFIG: redis+cluster://:gitea@gitea-redis-cluster-headless.<namespace>.svc.cluster.local:6379/0?pool_size=100&idle_timeout=180s&
    cache:
      ENABLED: true
      ADAPTER: redis-cluster
      HOST: redis+cluster://:gitea@gitea-redis-cluster-headless.<namespace>.svc.cluster.local:6379/0?pool_size=100&idle_timeout=180s&
    queue:
      TYPE: redis
      CONN_STR: redis+cluster://:gitea@gitea-redis-cluster-headless.<namespace>.svc.cluster.local:6379/0?pool_size=100&idle_timeout=180s&
 ```
 <!-- prettier-ignore-start -->
 <!-- markdownlint-disable-next-line -->
 **Switch to rootless image by default**
 <!-- prettier-ignore-end -->
 If you are facing errors like `WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED` due to this automatic transition:
 Have a look at [this discussion](https://gitea.com/gitea/helm-chart/issues/487#issue-220660) and either set `image.rootless: false` or manually update your `~/.ssh/known_hosts` file(s).
 <!-- prettier-ignore-start -->
 <!-- markdownlint-disable-next-line -->
 **Transitioning from a RWO to RWX Persistent Volume**
 <!-- prettier-ignore-end -->
 If you want to switch to a RWX volume and go for HA, you need to
 1. Backup the data stored under `/data`
 2. Let the chart create a new RWX PV (or do it statically yourself)
 3. Restore the backup to the same location in the new PV
 <!-- prettier-ignore-start -->
 <!-- markdownlint-disable-next-line -->
 **Transitioning from Postgres to Postgres HA**
 <!-- prettier-ignore-end -->
 If you are running with a non-HA PG DB from a previous chart release, you need to set
 - `postgresql-ha.enabled=false`
 - `postgresql.enabled=true`
 This is needed to stay with your existing single-instance DB (as the HA-variant is the new default).
 <!-- prettier-ignore-start -->
 <!-- markdownlint-disable-next-line -->
 **Change of env-to-ini prefix**
 <!-- prettier-ignore-end -->
 Before this release, the env-to-ini prefix was `ENV_TO_INI__`.
 This allowed a clear distinction between user-provided and chart-provided env-to-ini variables.
 Due to the removal custom prefix feature in the upstream implementation of env-to-ini, the prefix has been changed to the default `GITEA__`.
 If you previously had defined env vars that had the `ENV_TO_INI__` prefix, you need to change them to `GITEA__` in order for them to be picked up by the chart.
 </details>
 <details>
 <summary>To 8.0.0</summary>
 ### Removal of MariaDB and MySQL DB chart dependencies <!-- omit from toc -->
 In this version support for DB chart dependencies of MySQL and MariaDB have been removed to simplify the maintenance of the helm chart.
 External MySQL and MariaDB databases are still supported and will be in the future.
-#### Postgres Update from v11 to v15
+### Postgres Update from v11 to v15 <!-- omit from toc -->
 This Chart version updates the Postgres chart dependency and subsequently Postgres from v11 to v15.
 Please read the [Postgres Release Notes](https://www.postgresql.org/docs/release/) for version-specific changes.
@ -798,16 +1181,28 @@ With respect to `values.yaml`, parameters `username`, `database` and `password`
 `persistence` has also been regrouped under the `primary` key.
 Please adjust your `values.yaml` accordingly.
-### To 7.0.0
+**Attention**: The Postgres upgrade is not automatically handled by the chart and must be done by yourself.
 See [this comment](https://gitea.com/gitea/helm-chart/issues/452#issuecomment-740885) for an extensive walkthrough.
 We again highly encourage users to use an external (managed) database for production instances.
-#### Private GPG key configuration for Gitea signing actions
+</details>
 <details>
 <summary>To 7.0.0</summary>
 ### Private GPG key configuration for Gitea signing actions <!-- omit from toc -->
 Having `signing.enabled=true` now requires to use either `signing.privateKey` or `signing.existingSecret` so that the Chart can automatically prepare the GPG key for Gitea internal signing actions.
 See [Configure commit signing](#configure-commit-signing) for details.
-### To 6.0.0
+</details>
-#### Different volume mounts for init-containers and runtime container
+<details>
 <summary>To 6.0.0</summary>
 ### Different volume mounts for init-containers and runtime container <!-- omit from toc -->
 **The `extraVolumeMounts` is deprecated** in favor of `extraInitVolumeMounts` and `extraContainerVolumeMounts`.
 You can now have different mounts for the initialization phase and Gitea runtime.
@ -816,7 +1211,7 @@ If you want to switch to the new settings and want to mount specific volumes int
 **Combining values from the deprecated setting with values from the new settings is not possible.**
-#### New `enabled` flag for `startupProbe`
+### New `enabled` flag for `startupProbe` <!-- omit from toc -->
 Prior to this version the `startupProbe` was just a commented sample within the `values.yaml`.
 With the migration to an auto-generated [Parameters](#parameters) section, a new parameter `gitea.startupProbe.enabled` has been introduced set to
@ -825,11 +1220,15 @@ With the migration to an auto-generated [Parameters](#parameters) section, a new
 If you are using the `startupProbe` you need to add that new parameter and set it to `true`.
 Otherwise, your defined probe won't be considered after the upgrade.
-### To 5.0.0
+</details>
 <details>
 <summary>To 5.0.0</summary>
 > 💥 The Helm Chart now requires Gitea versions of at least 1.11.0.
-#### Enable Dependencies
+### Enable Dependencies <!-- omit from toc -->
 The values to enable the dependencies, such as PostgreSQL, Memcached, MySQL and MariaDB have been moved from `gitea.database.builtIn.` to the dependency values.
@ -849,12 +1248,12 @@ mariadb:
  enabled: false
 ```
-#### App.ini generation
+### App.ini generation <!-- omit from toc -->
 The app.ini generation has changed and now utilizes the environment-to-ini script provided by newer Gitea versions.
 This change ensures, that the app.ini is now persistent.
-##### Secret Key generation
+### Secret Key generation <!-- omit from toc -->
 Gitea secret keys (SECRET_KEY, INTERNAL_TOKEN, JWT_SECRET) are now generated automatically in certain situations:
@ -867,7 +1266,7 @@ Gitea secret keys (SECRET_KEY, INTERNAL_TOKEN, JWT_SECRET) are now generated aut
 > However, this it is not advisable to do so for existing installations.
 > Certain settings like _LDAP_ would not be readable anymore.
-#### Probes
+### Probes <!-- omit from toc -->
 `gitea.customLivenessProbe`, `gitea.customReadinessProbe` and `gitea.customStartupProbe` have been removed.
@ -884,16 +1283,20 @@ gitea:
  podAnnotations: {}
 ```
-#### Multiple OAuth and LDAP authentication sources
+### Multiple OAuth and LDAP authentication sources <!-- omit from toc -->
 With `5.0.0` of this Chart it is now possible to configure Gitea with multiple OAuth and LDAP sources.
 As a result, you need to update an existing OAuth/LDAP configuration in your customized `values.yaml` by replacing the object with settings to a list
 of settings objects.
 See [OAuth2 Settings](#oauth2-settings) and [LDAP Settings](#ldap-settings) section for details.
-### To 4.0.0
+</details>
-#### Ingress changes
+<details>
 <summary>To 4.0.0</summary>
 ### Ingress changes <!-- omit from toc -->
 To provide a more flexible Ingress configuration we now support not only host settings but also provide configuration for the path and pathType.
 So this change changes the hosts from a simple string list, to a list containing a more complex object for more configuration.
@ -925,12 +1328,12 @@ paths:
    pathType: Prefix
 ```
-#### Dropped kebab-case support
+### Dropped kebab-case support <!-- omit from toc -->
 In 3.x.x it was possible to provide an ldap configuration via kebab-case, this support has now been dropped and only camel case is supported.
 See [LDAP section](#ldap-settings) for more information.
-#### Dependency update
+### Dependency update <!-- omit from toc -->
 The chart comes with multiple databases and Memcached as dependency, the latest release updated the dependencies.
@ -940,7 +1343,7 @@ The chart comes with multiple databases and Memcached as dependency, the latest
 If you're using the builtin databases you will most likely redeploy the chart in order to update the database correctly.
-#### Execution of initPreScript
+### Execution of initPreScript <!-- omit from toc -->
 Generally spoken, this might not be a breaking change, but it is worth to be mentioned.
@ -950,11 +1353,11 @@ This also includes the execution of _initPreScript_.
 If you have such script, please be aware of this.
 Dynamically prepare the Gitea setup during execution by e.g. adding environment variables to the execution context won't work anymore.
-### Misc
+### Gitea Version 1.14.X repository ROOT <!-- omit from toc -->
 #### Gitea Version 1.14.X repository ROOT
 Previously the ROOT folder for the Gitea repositories was located at `/data/git/gitea-repositories`.
 In version `1.14` has the path been changed to `/data/gitea-repositories`.
 This chart will set the `gitea.config.repository.ROOT` value default to `/data/git/gitea-repositories`.
 </details>
--- a/docs/ha-setup.md
+++ b/docs/ha-setup.md
@ -0,0 +1,178 @@
 # High Availability
 All components (in-memory DB, volume/asset storage, code indexer) used by Gitea must be deployed in a HA-ready fashion to achieve a full HA-ready Gitea deployment.
 The following document explains how to achieve this for all individual components.
 The resulting Gitea deployment will consist of ~ 10 pods (depending on the chosen components and their replicas).
 One should evaluate upfront whether a HA-deployment is required as switching between HA/non-HA comes with some effort.
 For production instances, HA is always recommended to increase uptime and have a frictionless update process.
 A general comment about chart dependencies and external services:
 Instead of relying on chart dependencies, it is often better to rely on an external, (managed) instances (in-memory database, asset storage provider, database, etc.).
 Many cloud providers offer such services, at least for databases or in-memory databases.
 They might cost a bit more than using a self-hosted k8s variant but are usually easier to maintain and scale, if needed.
 Also they can be centrally managed and are not linked to the Gitea helm chart or namespace.
 Please consider using external services before you start with your Gitea HA setup, it will make your life (and the life of the Gitea maintainers) easier.
 This helm chart tries to help as much as possible to simplify and assert the provisioning of a HA-ready Gitea instance by implementing smart conditionals if `replicaCount` is set to a value > 1.
 Nevertheless, we cannot guarantee for every possible combination of Gitea settings to work together perfectly in a HA setup.
 As a general advice, we recommend to have a test environment aside on which to test possible changes/upgrades before applying these to a production installation.
 ## Requirements for HA
 Storage-wise, the HA-Gitea setup requires a RWX file-system which can be shared among the deployment-based replica pods.
 In addition, the following components are required for full HA-readiness:
 - A HA-ready issue (and optionally code) indexer: `elasticsearch` or `meilisearch`
 - A HA-ready external object/asset storage (`minio`) (optional, assets can also be stored on the RWX file-system)
 - A HA-ready cache (`redis-cluster`)
 - A HA-ready DB
 `postgres.enabled`, which default to `true`, must be set to `false` for a HA setup.
 The default `postgres` chart dependency is not HA-ready (there's a dedicated `postgres-ha` chart).
 The following sections discuss each of the components in more detail.
 Note that for each component discussed, the shown configurations only provides a (working) starting point, not necessarily the most optimal setup.
 We try to optimize this document over time as we have gained more experience with HA setups from users.
 ## Indexers (Issues and code/repo)
 The default code indexer `bleve` is not able to allow multiple connections and hence cannot be used in a HA setup.
 Alternatives are `elasticsearch` and `meilisearch` (as of >= 1.19.2).
 Unless you have an existing `elasticsearch` cluster, we recommend using `meilisearch` as it is faster and requires way less resources.
 Unfortunately, `meilisearch` does only support the `ISSUE_INDEXER` and not the `REPO_INDEXER` yet ([tracking issue](https://github.com/go-gitea/gitea/pull/24149)).
 This means that the `REPO_INDEXER` must still be disabled for a HA setup right now.
 An alternative to the two options above for the `ISSUE_INDEXER` is `"db"`, however we recommend to just go with `meilisearch` in this case and to not bother the DB with indexing.
 To configure `meilisearch` within Gitea, do the following:
 ```yml
 gitea:
  config:
    indexer:
      ISSUE_INDEXER_CONN_STR: <http://meilisearch.<namespace>.svc.cluster.local:7700>
      ISSUE_INDEXER_ENABLED: true
      ISSUE_INDEXER_TYPE: meilisearch
      REPO_INDEXER_ENABLED: false
      # REPO_INDEXER_TYPE: meilisearch # not yet working
 ```
 Unfortunately `meilisearch` cannot be deployed in HA as of now.
 Nevertheless it allows for multiple Gitea requests at the same time and is therefore required in a HA setup.
 Exemplary configuration for the [meilisearch-kubernetes](https://github.com/meilisearch/meilisearch-kubernetes/tree/main/charts/meilisearch) chart:
 ```yaml
 persistence:
  enabled: true
  accessMode: ReadWriteOnce
  size: 5Gi
 ```
 ## Cache, session and queue
 A `redis` instance is required for the in-memory cache.
 Two options exist:
 - `redis`
 - `redis-cluster`
 The chart provides `redis-cluster` as a dependency as this one can be used for both HA and non-HA setups.
 You're also welcome to go with `redis` if you prefer or already have a running instance.
 It should be noted that `redis-cluster` support is only available starting with Gitea 1.19.2.
 You can also configure an external (managed) `redis` instance to be used.
 To do so, you need to set the following configuration values yourself:
 - `gitea.config.queue.TYPE`: redis`
 - `gitea.config.queue.CONN_STR`: `<your redis connection string>`
 - `gitea.config.session.PROVIDER`: `redis`
 - `gitea.config.session.PROVIDER_CONFIG`: `<your redis connection string>`
 - `gitea.config.cache.ENABLED`: `true`
 - `gitea.config.cache.ADAPTER`: `redis`
 - `gitea.config.cache.HOST`: `<your redis connection string>`
 By default, the `redis-cluster` chart provisions three standalone master nodes of which each has a single replica.
 To reduce the number of pods for a default Gitea deployment, we opted to omit the replicas (`replicas: 0`) by default.
 Only the minimum required number of master pods for a functional `redis-cluster` deployment are provisioned.
 For a "proper" `redis-cluster` setup however, we recommend to set `replicas: 1` and `nodes: 6`.
 ## Object and asset storage
 Object/asset storage refers to the storage of attachments, avatars, LFS files, etc.
 While most of these can be stored on the RWX file-system, it is recommended to use an external S3-compatible object storage for such, mainly for performance reasons.
 By default the chart provisions a single RWO volume to store everything (repos, avatars, packages, etc.).
 This volume cannot be mounted by multiple pods.
 Hence, a RWX volume is required and (optionally) an external HA-ready object storage.
 > **Note:** Double-check that the file permissions are set correctly on the RWX volume! That is everything should be owned by the `git` user which usually has `uid=1000` and `gid=1000`.
 To use `minio` you need to deploy and configure an external `minio` instance yourself and explicitly define the `STORAGE_TYPE` values as shown below.
 Note that `MINIO_BUCKET` here is just a name and does not refer to a S3 bucket.
 It's the root access point for all objects belonging to the respective application, i.e., to Gitea in this case.
 ```yaml
 gitea:
  config:
    attachment:
      STORAGE_TYPE: minio
    lfs:
      STORAGE_TYPE: minio
    picture:
      AVATAR_STORAGE_TYPE: minio
    "storage.packages":
      STORAGE_TYPE: minio
    storage:
      MINIO_ENDPOINT: <minio-headless.<namespace>.svc.cluster.local:9000>
      MINIO_LOCATION: <location>
      MINIO_ACCESS_KEY_ID: <access key>
      MINIO_SECRET_ACCESS_KEY: <secret key>
      MINIO_BUCKET: <bucket name>
      MINIO_USE_SSL: false
 ```
 Exemplary configuration for the [bitnami minio](https://github.com/bitnami/charts/blob/main/bitnami/minio) chart:
 ```yaml
 auth:
  rootUser: minio
 mode: distributed
 replicaCount: 4
 persistence:
  enabled: true
  size: 20Gi
  accessModes:
    - ReadWriteOnce
 ```
 ## Database
 If you do not have an HA-ready DB, using a managed database service in the cloud might be the easiest and most robust solution.
 Remember: disable the built-in `postgres` dependency and configure the database connection manually via `gitea.config.database`:
 ```yml
 gitea:
  database:
    builtIn:
      postgresql:
        enabled: false
  config:
    database:
      DB_TYPE: postgres
      HOST: <host>
      NAME: <name>
      USER: <user>
 ```
 ## Known issues
 - Currently Cron jobs are run on all replicas as no leader election is implemented.
  See [https://github.com/go-gitea/gitea/issues/13791](https://github.com/go-gitea/gitea/issues/13791) for a discussion and possible solution.
 - Running with multiple replicas slows down Gitea a bit, i.e. page loading time increases. 
--- a/package-lock.json
+++ b/package-lock.json
--- a/package.json
+++ b/package.json
@ -13,7 +13,7 @@
    "readme:parameters": "readme-generator -v values.yaml -r README.md"
  },
  "devDependencies": {
-    "@bitnami/readme-generator-for-helm": "^2.4.2",
+    "@bitnami/readme-generator-for-helm": "^2.5.0",
-    "markdownlint-cli": "^0.31.1"
+    "markdownlint-cli": "^0.37.0"
  }
 }
--- a/renovate.json5
+++ b/renovate.json5
@ -0,0 +1,33 @@
 {
  $schema: 'https://docs.renovatebot.com/renovate-schema.json',
  extends: [
    'gitea>gitea/renovate-config',
    ':automergeMinor',
    'schedule:automergeDaily',
    'schedule:weekends',
  ],
  labels: ['kind/dependency'],
  automergeStrategy: 'squash',
  customManagers: [
    {
      description: 'Gitea-version of https://docs.renovatebot.com/presets-regexManagers/#regexmanagersgithubactionsversions',
      customType: 'regex',
      fileMatch: ['.gitea/workflows/.+\\.ya?ml$'],
      matchStrings: [
        '# renovate: datasource=(?<datasource>[a-z-.]+?) depName=(?<depName>[^\\s]+?)(?: (?:lookupName|packageName)=(?<packageName>[^\\s]+?))?(?: versioning=(?<versioning>[a-z-0-9]+?))?\\s+[A-Za-z0-9_]+?_VERSION\\s*:\\s*["\']?(?<currentValue>.+?)["\']?\\s',
      ],
    },
  ],
  packageRules: [
    {
      groupName: 'subcharts (minor & patch)',
      matchManagers: ['helmv3'],
      matchUpdateTypes: ['minor', 'patch', 'digest'],
    },
    {
      groupName: 'workflow dependencies (minor & patch)',
      matchManagers: ['github-actions', 'npm', 'regex'],
      matchUpdateTypes: ['minor', 'patch', 'digest'],
    },
  ],
 }
--- a/templates/_helpers.tpl
+++ b/templates/_helpers.tpl
@ -2,6 +2,27 @@
 {{/*
 Expand the name of the chart.
 */}}
 {{- /* multiple replicas assertions */ -}}
 {{- if gt .Values.replicaCount 1.0 -}}
  {{- fail "When using multiple replicas, a RWX file system is required" -}}
  {{- if eq (get (.Values.persistence.accessModes 0) "ReadWriteOnce") -}}
    {{- fail "When using multiple replicas, a RWX file system is required" -}}
  {{- end }}
  {{- if eq (get .Values.gitea.config.indexer "ISSUE_INDEXER_TYPE") "bleve" -}}
    {{- fail "When using multiple replicas, the repo indexer must be set to 'meilisearch' or 'elasticsearch'" -}}
  {{- end }}
  {{- if and (eq .Values.gitea.config.indexer.REPO_INDEXER_TYPE "bleve") (eq .Values.gitea.config.indexer.REPO_INDEXER_ENABLED "true") -}}
    {{- fail "When using multiple replicas, the repo indexer must be set to 'meilisearch' or 'elasticsearch'" -}}
  {{- end }}
  {{- if eq .Values.gitea.config.indexer.ISSUE_INDEXER_TYPE "bleve" -}}
    {{- (printf "DEBUG: When using multiple replicas, the repo indexer must be set to 'meilisearch' or 'elasticsearch'") | fail -}}
  {{- end }}
 {{- end }}
 {{- define "gitea.name" -}}
 {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
 {{- end -}}
@ -35,14 +56,22 @@ Create chart name and version as used by the chart label.
 Create image name and tag used by the deployment.
 */}}
 {{- define "gitea.image" -}}
 {{- $fullOverride := .Values.image.fullOverride | default "" -}}
 {{- $registry := .Values.global.imageRegistry | default .Values.image.registry -}}
-{{- $name := .Values.image.repository -}}
+{{- $repository := .Values.image.repository -}}
 {{- $separator := ":" -}}
 {{- $tag := .Values.image.tag | default .Chart.AppVersion -}}
 {{- $rootless := ternary "-rootless" "" (.Values.image.rootless) -}}
-{{- if $registry -}}
+{{- $digest := "" -}}
-  {{- printf "%s/%s:%s%s" $registry $name $tag $rootless -}}
+{{- if .Values.image.digest }}
    {{- $digest = (printf "@%s" (.Values.image.digest | toString)) -}}
 {{- end -}}
 {{- if $fullOverride }}
    {{- printf "%s" $fullOverride -}}
 {{- else if $registry }}
    {{- printf "%s/%s%s%s%s%s" $registry $repository $separator $tag $rootless $digest -}}
 {{- else -}}
-  {{- printf "%s:%s%s" $name $tag $rootless -}}
+    {{- printf "%s%s%s%s%s" $repository $separator $tag $rootless $digest -}}
 {{- end -}}
 {{- end -}}
@ -91,16 +120,38 @@ app.kubernetes.io/name: {{ include "gitea.name" . }}
 app.kubernetes.io/instance: {{ .Release.Name }}
 {{- end -}}
-{{- define "postgresql.dns" -}}
+{{- define "postgresql-ha.dns" -}}
-{{- printf "%s-postgresql.%s.svc.%s:%g" .Release.Name .Release.Namespace .Values.clusterDomain .Values.postgresql.global.postgresql.service.ports.postgresql -}}
+{{- if (index .Values "postgresql-ha").enabled -}}
 {{- printf "%s-postgresql-ha-pgpool.%s.svc.%s:%g" .Release.Name .Release.Namespace .Values.clusterDomain (index .Values "postgresql-ha" "service" "ports" "postgresql") -}}
 {{- end -}}
 {{- end -}}
-{{- define "memcached.dns" -}}
+{{- define "postgresql.dns" -}}
-{{- printf "%s-memcached.%s.svc.%s:%g" .Release.Name .Release.Namespace .Values.clusterDomain .Values.memcached.service.ports.memcached | trunc 63 | trimSuffix "-" -}}
+{{- if (index .Values "postgresql").enabled -}}
 {{- printf "%s-postgresql.%s.svc.%s:%g" .Release.Name .Release.Namespace .Values.clusterDomain .Values.postgresql.global.postgresql.service.ports.postgresql -}}
 {{- end -}}
 {{- end -}}
 {{- define "redis.dns" -}}
 {{- if (index .Values "redis-cluster").enabled -}}
 {{- printf "redis+cluster://:%s@%s-redis-cluster-headless.%s.svc.%s:%g/0?pool_size=100&idle_timeout=180s&" (index .Values "redis-cluster").global.redis.password .Release.Name .Release.Namespace .Values.clusterDomain (index .Values "redis-cluster").service.ports.redis -}}
 {{- end -}}
 {{- end -}}
 {{- define "redis.port" -}}
 {{- if (index .Values "redis-cluster").enabled -}}
 {{ (index .Values "redis-cluster").service.ports.redis }}
 {{- end -}}
 {{- end -}}
 {{- define "redis.servicename" -}}
 {{- if (index .Values "redis-cluster").enabled -}}
 {{- printf "%s-redis-cluster-headless.%s.svc.%s" .Release.Name .Release.Namespace .Values.clusterDomain -}}
 {{- end -}}
 {{- end -}}
 {{- define "gitea.default_domain" -}}
-{{- printf "%s-gitea.%s.svc.%s" (include "gitea.fullname" .) .Release.Namespace .Values.clusterDomain | trunc 63 | trimSuffix "-" -}}
+{{- printf "%s-http.%s.svc.%s" (include "gitea.fullname" .) .Release.Namespace .Values.clusterDomain -}}
 {{- end -}}
 {{- define "gitea.ldap_settings" -}}
@ -182,6 +233,7 @@ https
      {{- else -}}
        {{- (printf "Key %s cannot be on top level of configuration" $key) | fail -}}
      {{- end -}}
    {{- end }}
  {{- end }}
@ -211,6 +263,18 @@ https
  {{- if not (hasKey .Values.gitea.config "oauth2") -}}
    {{- $_ := set .Values.gitea.config "oauth2" dict -}}
  {{- end -}}
  {{- if not (hasKey .Values.gitea.config "session") -}}
    {{- $_ := set .Values.gitea.config "session" dict -}}
  {{- end -}}
  {{- if not (hasKey .Values.gitea.config "queue") -}}
    {{- $_ := set .Values.gitea.config "queue" dict -}}
  {{- end -}}
  {{- if not (hasKey .Values.gitea.config "queue.issue_indexer") -}}
    {{- $_ := set .Values.gitea.config "queue.issue_indexer" dict -}}
  {{- end -}}
  {{- if not (hasKey .Values.gitea.config "indexer") -}}
    {{- $_ := set .Values.gitea.config "indexer" dict -}}
  {{- end -}}
 {{- end -}}
 {{- define "gitea.inline_configuration.defaults" -}}
@ -226,13 +290,27 @@ https
  {{- if not (hasKey .Values.gitea.config.metrics "ENABLED") -}}
    {{- $_ := set .Values.gitea.config.metrics "ENABLED" .Values.gitea.metrics.enabled -}}
  {{- end -}}
-  {{- if .Values.memcached.enabled -}}
+  {{- if (index .Values "redis-cluster").enabled -}}
    {{- $_ := set .Values.gitea.config.cache "ENABLED" "true" -}}
-    {{- $_ := set .Values.gitea.config.cache "ADAPTER" "memcache" -}}
+    {{- $_ := set .Values.gitea.config.cache "ADAPTER" "redis" -}}
    {{- if not (.Values.gitea.config.cache.HOST) -}}
-      {{- $_ := set .Values.gitea.config.cache "HOST" (include "memcached.dns" .) -}}
+      {{- $_ := set .Values.gitea.config.cache "HOST" (include "redis.dns" .) -}}
    {{- end -}}
  {{- end -}}
  {{- /* redis queue */ -}}
  {{- if (index .Values "redis-cluster").enabled -}}
    {{- $_ := set .Values.gitea.config.queue "TYPE" "redis" -}}
    {{- $_ := set .Values.gitea.config.queue "CONN_STR" (include "redis.dns" .) -}}
  {{- end -}}
  {{- if not (get .Values.gitea.config.session "PROVIDER") -}}
    {{- $_ := set .Values.gitea.config.session "PROVIDER" "redis" -}}
  {{- end -}}
  {{- if not (get .Values.gitea.config.session "PROVIDER_CONFIG") -}}
    {{- $_ := set .Values.gitea.config.session "PROVIDER_CONFIG" (include "redis.dns" .) -}}
  {{- end -}}
  {{- if not .Values.gitea.config.indexer.ISSUE_INDEXER_TYPE -}}
     {{- $_ := set .Values.gitea.config.indexer "ISSUE_INDEXER_TYPE" "db" -}}
  {{- end -}}
 {{- end -}}
 {{- define "gitea.inline_configuration.defaults.server" -}}
@ -244,7 +322,7 @@ https
  {{- end -}}
  {{- if not (.Values.gitea.config.server.DOMAIN) -}}
    {{- if gt (len .Values.ingress.hosts) 0 -}}
-      {{- $_ := set .Values.gitea.config.server "DOMAIN" (index .Values.ingress.hosts 0).host -}}
+      {{- $_ := set .Values.gitea.config.server "DOMAIN" ( tpl (index .Values.ingress.hosts 0).host $) -}}
    {{- else -}}
      {{- $_ := set .Values.gitea.config.server "DOMAIN" (include "gitea.default_domain" .) -}}
    {{- end -}}
@ -279,7 +357,16 @@ https
 {{- end -}}
 {{- define "gitea.inline_configuration.defaults.database" -}}
-  {{- if .Values.postgresql.enabled -}}
+  {{- if (index .Values "postgresql-ha" "enabled") -}}
    {{- $_ := set .Values.gitea.config.database "DB_TYPE"   "postgres" -}}
    {{- if not (.Values.gitea.config.database.HOST) -}}
      {{- $_ := set .Values.gitea.config.database "HOST"      (include "postgresql-ha.dns" .) -}}
    {{- end -}}
    {{- $_ := set .Values.gitea.config.database "NAME"      (index .Values "postgresql-ha" "global" "postgresql" "database") -}}
    {{- $_ := set .Values.gitea.config.database "USER"      (index .Values "postgresql-ha" "global" "postgresql" "username") -}}
    {{- $_ := set .Values.gitea.config.database "PASSWD"    (index .Values "postgresql-ha" "global" "postgresql" "password") -}}
  {{- end -}}
  {{- if (index .Values "postgresql" "enabled") -}}
    {{- $_ := set .Values.gitea.config.database "DB_TYPE"   "postgres" -}}
    {{- if not (.Values.gitea.config.database.HOST) -}}
      {{- $_ := set .Values.gitea.config.database "HOST"      (include "postgresql.dns" .) -}}
@ -311,3 +398,7 @@ https
 {{- define "gitea.gpg-key-secret-name" -}}
 {{ default (printf "%s-gpg-key" (include "gitea.fullname" .)) .Values.signing.existingSecret }}
 {{- end -}}
 {{- define "gitea.serviceAccountName" -}}
 {{ .Values.serviceAccount.name | default (include "gitea.fullname" .) }}
 {{- end -}}
--- a/templates/gitea/config.yaml
+++ b/templates/gitea/config.yaml
@ -16,6 +16,37 @@ metadata:
    {{- include "gitea.labels" . | nindent 4 }}
 type: Opaque
 stringData:
  assertions: |
 {{- /*assert that only one PG dep is enabled */ -}}
 {{- if and (.Values.postgresql.enabled) (index .Values "postgresql-ha" "enabled") -}}
  {{- fail "Only one of postgresql or postgresql-ha can be enabled at the same time." -}}
 {{- end }}
 {{- /* multiple replicas assertions */ -}}
 {{- if gt .Values.replicaCount 1.0 -}}
  {{- if (get (get .Values.gitea.config "cron.GIT_GC_REPOS") "ENABLED") -}}
    {{- fail "Invoking the garbage collector via CRON is not yet supported when running with multiple replicas. Please set 'cron.GIT_GC_REPOS.enabled = false'." -}}
  {{- end }}
  {{- if eq (first .Values.persistence.accessModes) "ReadWriteOnce" -}}
    {{- fail "When using multiple replicas, a RWX file system is required and gitea.persistence.accessModes[0] must be set to ReadWriteMany." -}}
  {{- end }}
  {{- if eq (get .Values.gitea.config.indexer "ISSUE_INDEXER_TYPE") "bleve" -}}
    {{- fail "When using multiple replicas, the issue indexer (gitea.config.indexer.ISSUE_INDEXER_TYPE) must be set to a HA-ready provider such as 'meilisearch', 'elasticsearch' or 'db' (if the DB is HA-ready)." -}}
  {{- end }}
  {{- if .Values.gitea.config.indexer.REPO_INDEXER_TYPE -}}
    {{- if eq (get .Values.gitea.config.indexer "REPO_INDEXER_TYPE") "bleve" -}}
      {{- if .Values.gitea.config.indexer.REPO_INDEXER_ENABLED -}}
        {{- if eq (get .Values.gitea.config.indexer "REPO_INDEXER_ENABLED") "true" -}}
          {{- fail "When using multiple replicas, the repo indexer (gitea.config.indexer.REPO_INDEXER_TYPE) must be set to 'meilisearch' or 'elasticsearch' or disabled." -}}
        {{- end }}
      {{- end }}
    {{- end }}
  {{- end }}
 {{- end }}
  config_environment.sh: |-
    #!/usr/bin/env bash
    set -euo pipefail
@ -53,14 +84,14 @@ stringData:
      env2ini::log "    + '${setting}'"
      if [[ -z "${section}" ]]; then
-        export "ENV_TO_INI____${setting^^}=${value}"                           # '^^' makes the variable content uppercase
+        export "GITEA____${setting^^}=${value}"                           # '^^' makes the variable content uppercase
        return
      fi
      local masked_section="${section//./_0X2E_}"                            # '//' instructs to replace all matches
      masked_section="${masked_section//-/_0X2D_}"
-      export "ENV_TO_INI__${masked_section^^}__${setting^^}=${value}"        # '^^' makes the variable content uppercase
+      export "GITEA__${masked_section^^}__${setting^^}=${value}"        # '^^' makes the variable content uppercase
    }
    function env2ini::reload_preset_envs() {
@ -134,15 +165,16 @@ stringData:
      #   - initially used to set up Gitea
      # Anyway, they won't harm existing app.ini files
-      export ENV_TO_INI__SECURITY__INTERNAL_TOKEN=$(gitea generate secret INTERNAL_TOKEN)
+      export GITEA__SECURITY__INTERNAL_TOKEN=$(gitea generate secret INTERNAL_TOKEN)
-      export ENV_TO_INI__SECURITY__SECRET_KEY=$(gitea generate secret SECRET_KEY)
+      export GITEA__SECURITY__SECRET_KEY=$(gitea generate secret SECRET_KEY)
-      export ENV_TO_INI__OAUTH2__JWT_SECRET=$(gitea generate secret JWT_SECRET)
+      export GITEA__OAUTH2__JWT_SECRET=$(gitea generate secret JWT_SECRET)
-      export ENV_TO_INI__SERVER__LFS_JWT_SECRET=$(gitea generate secret LFS_JWT_SECRET)
+      export GITEA__SERVER__LFS_JWT_SECRET=$(gitea generate secret LFS_JWT_SECRET)
      env2ini::log "...Initial secrets generated\n"
    }
-    env | (grep ENV_TO_INI || [[ $? == 1 ]]) > /tmp/existing-envs
+    # save existing envs prior to script execution. Necessary to keep order of preexisting and custom envs
    env | (grep GITEA || [[ $? == 1 ]]) > /tmp/existing-envs
    # MUST BE CALLED BEFORE OTHER CONFIGURATION
    env2ini::generate_initial_secrets
@ -163,10 +195,10 @@ stringData:
      env2ini::log '  - oauth2.JWT_SECRET'
      env2ini::log '  - server.LFS_JWT_SECRET'
-      unset ENV_TO_INI__SECURITY__INTERNAL_TOKEN
+      unset GITEA__SECURITY__INTERNAL_TOKEN
-      unset ENV_TO_INI__SECURITY__SECRET_KEY
+      unset GITEA__SECURITY__SECRET_KEY
-      unset ENV_TO_INI__OAUTH2__JWT_SECRET
+      unset GITEA__OAUTH2__JWT_SECRET
-      unset ENV_TO_INI__SERVER__LFS_JWT_SECRET
+      unset GITEA__SERVER__LFS_JWT_SECRET
    fi
-    environment-to-ini -o $GITEA_APP_INI -p ENV_TO_INI
+    environment-to-ini -o $GITEA_APP_INI
--- a/templates/gitea/statefulset.yaml
+++ b/templates/gitea/statefulset.yaml
@ -1,22 +1,28 @@
 apiVersion: apps/v1
-kind: StatefulSet
+kind: Deployment
 metadata:
  name: {{ include "gitea.fullname" . }}
  annotations:
-    {{- if .Values.statefulset.annotations }}
+    {{- if .Values.deployment.annotations }}
-    {{- toYaml .Values.statefulset.annotations | nindent 4 }}
+    {{- toYaml .Values.deployment.annotations | nindent 4 }}
    {{- end }}
  labels:
    {{- include "gitea.labels" . | nindent 4 }}
 spec:
  replicas: {{ .Values.replicaCount }}
  strategy:
    type: {{ .Values.strategy.type }}
    {{- if eq .Values.strategy.type "RollingUpdate" }}
    rollingUpdate:
      maxUnavailable: {{ .Values.strategy.rollingUpdate.maxUnavailable }}
      maxSurge: {{ .Values.strategy.rollingUpdate.maxSurge }}
    {{- end }}
  selector:
    matchLabels:
      {{- include "gitea.selectorLabels" . | nindent 6 }}
-      {{- if .Values.statefulset.labels }}
+      {{- if .Values.deployment.labels }}
-      {{- toYaml .Values.statefulset.labels | nindent 6 }}
+      {{- toYaml .Values.deployment.labels | nindent 6 }}
      {{- end }}
  serviceName: {{ include "gitea.fullname" . }}
  template:
    metadata:
      annotations:
@ -32,13 +38,16 @@ spec:
        {{- end }}
      labels:
        {{- include "gitea.labels" . | nindent 8 }}
-        {{- if .Values.statefulset.labels }}
+        {{- if .Values.deployment.labels }}
-        {{- toYaml .Values.statefulset.labels | nindent 8 }}
+        {{- toYaml .Values.deployment.labels | nindent 8 }}
        {{- end }}
    spec:
      {{- if .Values.schedulerName }}
      schedulerName: "{{ .Values.schedulerName }}"
      {{- end }}
      {{- if (or .Values.serviceAccount.create .Values.serviceAccount.name) }}
      serviceAccountName: {{ include "gitea.serviceAccountName" . }}
      {{- end }}
      {{- if .Values.priorityClassName }}
      priorityClassName: "{{ .Values.priorityClassName }}"
      {{- end }}
@ -59,8 +68,8 @@ spec:
              value: /data
            - name: GITEA_TEMP
              value: /tmp/gitea
-            {{- if .Values.statefulset.env }}
+            {{- if .Values.deployment.env }}
-            {{- toYaml .Values.statefulset.env | nindent 12 }}
+            {{- toYaml .Values.deployment.env | nindent 12 }}
            {{- end }}
            {{- if .Values.signing.enabled }}
            - name: GNUPGHOME
@ -94,8 +103,8 @@ spec:
              value: /data
            - name: GITEA_TEMP
              value: /tmp/gitea
-            {{- if .Values.statefulset.env }}
+            {{- if .Values.deployment.env }}
-            {{- toYaml .Values.statefulset.env | nindent 12 }}
+            {{- toYaml .Values.deployment.env | nindent 12 }}
            {{- end }}
            {{- if .Values.gitea.additionalConfigFromEnvs }}
            {{- toYaml .Values.gitea.additionalConfigFromEnvs | nindent 12 }}
@ -173,6 +182,10 @@ spec:
              value: /data
            - name: GITEA_TEMP
              value: /tmp/gitea
            {{- if .Values.image.rootless }}
            - name: HOME
              value: /data/gitea/git
            {{- end }}
            {{- if .Values.gitea.ldap }}
            {{- range $idx, $value := .Values.gitea.ldap }}
            {{- if $value.existingSecret }}
@ -227,8 +240,8 @@ spec:
            - name: GITEA_ADMIN_PASSWORD
              value: {{ .Values.gitea.admin.password | quote }}
            {{- end }}
-            {{- if .Values.statefulset.env }}
+            {{- if .Values.deployment.env }}
-            {{- toYaml .Values.statefulset.env | nindent 12 }}
+            {{- toYaml .Values.deployment.env | nindent 12 }}
            {{- end }}
          volumeMounts:
            - name: init
@ -243,7 +256,7 @@ spec:
            {{- include "gitea.init-additional-mounts" . | nindent 12 }}
          resources:
            {{- toYaml .Values.initContainers.resources | nindent 12 }}
-      terminationGracePeriodSeconds: {{ .Values.statefulset.terminationGracePeriodSeconds }}
+      terminationGracePeriodSeconds: {{ .Values.deployment.terminationGracePeriodSeconds }}
      containers:
        - name: {{ .Chart.Name }}
          image: "{{ include "gitea.image" . }}"
@ -268,12 +281,16 @@ spec:
              value: /tmp/gitea
            - name: TMPDIR
              value: /tmp/gitea
            {{- if .Values.image.rootless }}
            - name: HOME
              value: /data/gitea/git
            {{- end }}
            {{- if .Values.signing.enabled }}
            - name: GNUPGHOME
              value: {{ .Values.signing.gpgHome }}
            {{- end }}
-            {{- if .Values.statefulset.env }}
+            {{- if .Values.deployment.env }}
-            {{- toYaml .Values.statefulset.env | nindent 12 }}
+            {{- toYaml .Values.deployment.env | nindent 12 }}
            {{- end }}
          ports:
            - name: ssh
@ -329,6 +346,10 @@ spec:
      affinity:
        {{- toYaml . | nindent 8 }}
    {{- end }}
    {{- with .Values.topologySpreadConstraints }}
      topologySpreadConstraints: 
        {{- toYaml . | nindent 8 }}
    {{- end }}
    {{- with .Values.tolerations }}
      tolerations:
        {{- toYaml . | nindent 8 }}
@ -367,38 +388,13 @@ spec:
                path: private.asc
            defaultMode: 0100
        {{- end }}
-  {{- if and .Values.persistence.enabled .Values.persistence.existingClaim }}
+  {{- if .Values.persistence.enabled }}
    {{- if .Values.persistence.mount }}
        - name: data
          persistentVolumeClaim:
-  {{- with .Values.persistence.existingClaim }}
+            claimName: {{ .Values.persistence.claimName }}
            claimName: {{ tpl . $ }}
    {{- end }}
  {{- else if not .Values.persistence.enabled }}
        - name: data
          emptyDir: {}
  {{- else if and .Values.persistence.enabled (not .Values.persistence.existingClaim) }}
  volumeClaimTemplates:
    - metadata:
        name: data
      {{- with .Values.persistence.annotations }}
        annotations:
        {{- range $key, $value := . }}
          {{ $key }}: {{ $value }}
        {{- end }}
      {{- end }}
      {{- with .Values.persistence.labels }}
        labels:
        {{- range $key, $value := . }}
          {{ $key }}: {{ $value }}
        {{- end }}
      {{- end }}
      spec:
        accessModes:
          {{- range .Values.persistence.accessModes }}
            - {{ . | quote }}
          {{- end }}
        {{- include "gitea.persistence.storageClass" . | indent 8 }}
        resources:
          requests:
            storage: {{ .Values.persistence.size | quote }}
  {{- end }}
--- a/templates/gitea/ingress.yaml
+++ b/templates/gitea/ingress.yaml
@ -15,9 +15,9 @@ metadata:
  name: {{ $fullName }}
  labels:
    {{- include "gitea.labels" . | nindent 4 }}
  {{- with .Values.ingress.annotations }}
  annotations:
-    {{- toYaml . | nindent 4 }}
+    {{- range $key, $value := .Values.ingress.annotations }}
      {{ $key }}: {{ $value | quote }}
    {{- end }}
 spec:
 {{- if .Values.ingress.className }}
@ -28,14 +28,14 @@ spec:
  {{- range .Values.ingress.tls }}
    - hosts:
      {{- range .hosts }}
-        - {{ . | quote }}
+        - {{ tpl . $ | quote }}
      {{- end }}
      secretName: {{ .secretName }}
  {{- end }}
 {{- end }}
  rules:
    {{- range .Values.ingress.hosts }}
-    - host: {{ .host | quote }}
+    - host: {{ tpl .host $ | quote }}
      http:
        paths:
          {{- range .paths }}
--- a/templates/gitea/init.yaml
+++ b/templates/gitea/init.yaml
@ -62,6 +62,27 @@ stringData:
      exit 1
    }
    {{- if include "redis.servicename" . }}
    function test_redis_connection() {
      local RETRY=0
      local MAX=30
      echo 'Wait for redis to become avialable...'
      until [ "${RETRY}" -ge "${MAX}" ]; do
        nc -vz -w2 {{ include "redis.servicename" . }} {{ include "redis.port" . }} && break
        RETRY=$[${RETRY}+1]
        echo "...not ready yet (${RETRY}/${MAX})"
      done
      if [ "${RETRY}" -ge "${MAX}" ]; then
        echo "Redis not reachable after '${MAX}' attempts!"
        exit 1
      fi
    }
    test_redis_connection
    {{- end }}
    {{- if or .Values.gitea.admin.existingSecret (and .Values.gitea.admin.username .Values.gitea.admin.password) }}
    function configure_admin_user() {
--- a/templates/gitea/poddisruptionbudget.yaml
+++ b/templates/gitea/poddisruptionbudget.yaml
@ -0,0 +1,17 @@
 {{- if .Values.podDisruptionBudget -}}
 {{- if .Capabilities.APIVersions.Has "policy/v1" }}
 apiVersion: policy/v1
 {{- else }}
 apiVersion: policy/v1beta1
 {{- end }}
 kind: PodDisruptionBudget
 metadata:
  name: {{ include "gitea.fullname" . }}
  labels:
    {{- include "gitea.labels" . | nindent 4 }}
 spec:
  selector:
    matchLabels:
      {{- include "gitea.selectorLabels" . | nindent 6 }}
  {{- toYaml .Values.podDisruptionBudget | nindent 2 }}
 {{- end -}}
--- a/templates/gitea/pvc.yaml
+++ b/templates/gitea/pvc.yaml
@ -0,0 +1,26 @@
 {{- if and .Values.persistence.enabled .Values.persistence.create }}
 kind: PersistentVolumeClaim
 apiVersion: v1
 metadata:
  name: {{ .Values.persistence.claimName }}
  namespace: {{ $.Release.Namespace }}
  annotations:
 {{ .Values.persistence.annotations | toYaml | indent 4}}
 spec:
  accessModes:
  {{- if gt .Values.replicaCount 1.0 }}
      - ReadWriteMany
  {{- else }}
    {{- .Values.persistence.accessModes | toYaml | nindent 4 }}
  {{- end }}
  volumeMode: Filesystem
  {{- if .Values.persistence.storageClass }}
  storageClassName: {{ .Values.persistence.storageClass }}
  {{- end }}
  {{- with .Values.persistence.volumeName }}
  volumeName: {{ . }}
  {{- end }}
  resources:
    requests:
      storage: {{ .Values.persistence.size }}
 {{- end }}
--- a/templates/gitea/serviceaccount.yaml
+++ b/templates/gitea/serviceaccount.yaml
@ -0,0 +1,21 @@
 {{- if .Values.serviceAccount.create }}
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: {{ include "gitea.serviceAccountName" . }}
  namespace: {{ .Release.Namespace | quote }}
  labels:
    {{- include "gitea.labels" . | nindent 4 }}
    {{- with .Values.serviceAccount.labels }}
    {{- . | toYaml | nindent 4 }}
  {{- end }}
  {{- with .Values.serviceAccount.annotations }}
  annotations:
    {{- . | toYaml | nindent 4 }}
  {{- end }}
 automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }}
 {{- with .Values.serviceAccount.imagePullSecrets }}
 imagePullSecrets:
  {{- . | toYaml | nindent 2 }}
 {{- end }}
 {{- end }}
--- a/templates/gitea/ssh-svc.yaml
+++ b/templates/gitea/ssh-svc.yaml
@ -39,7 +39,9 @@ spec:
  ports:
  - name: ssh
    port: {{ .Values.service.ssh.port }}
    {{- if .Values.gitea.config.server.SSH_LISTEN_PORT }}
    targetPort: {{ .Values.gitea.config.server.SSH_LISTEN_PORT }}
    {{- end }}
    protocol: TCP
    {{- if .Values.service.ssh.nodePort }}
    nodePort: {{ .Values.service.ssh.nodePort }}
--- a/unittests/config/database-section_postgresql-ha.yaml
+++ b/unittests/config/database-section_postgresql-ha.yaml
@ -0,0 +1,30 @@
 suite: config template | database section (postgresql-ha)
 release:
  name: gitea-unittests
  namespace: testing
 tests:
  - it: connects to pgpool service
    template: templates/gitea/config.yaml
    set:
      postgresql:
        enabled: false
      postgresql-ha:
        enabled: true
    asserts:
      - documentIndex: 0
        matchRegex:
          path: stringData.database
          pattern: HOST=gitea-unittests-postgresql-ha-pgpool.testing.svc.cluster.local:5432
  - it: renders the referenced service
    template: charts/postgresql-ha/templates/pgpool/service.yaml
    set:
      postgresql:
        enabled: false
      postgresql-ha:
        enabled: true
    asserts:
      - containsDocument:
          kind: Service
          apiVersion: v1
          name: gitea-unittests-postgresql-ha-pgpool
          namespace: testing
--- a/unittests/config/database-section_postgresql.yaml
+++ b/unittests/config/database-section_postgresql.yaml
@ -0,0 +1,30 @@
 suite: config template | database section (postgresql)
 release:
  name: gitea-unittests
  namespace: testing
 tests:
  - it: "connects to postgresql service"
    template: templates/gitea/config.yaml
    set:
      postgresql:
        enabled: true
      postgresql-ha:
        enabled: false
    asserts:
      - documentIndex: 0
        matchRegex:
          path: stringData.database
          pattern: HOST=gitea-unittests-postgresql.testing.svc.cluster.local:5432
  - it: "renders the referenced service"
    template: charts/postgresql/templates/primary/svc.yaml
    set:
      postgresql:
        enabled: true
      postgresql-ha:
        enabled: false
    asserts:
      - containsDocument:
          kind: Service
          apiVersion: v1
          name: gitea-unittests-postgresql
          namespace: testing
--- a/unittests/config/server-section_domain.yaml
+++ b/unittests/config/server-section_domain.yaml
@ -0,0 +1,67 @@
 suite: config template | server section (domain related)
 release:
  name: gitea-unittests
  namespace: testing
 tests:
  - it: "[default values] uses ingress host for DOMAIN|SSH_DOMAIN|ROOT_URL"
    template: templates/gitea/config.yaml
    asserts:
      - documentIndex: 0
        matchRegex:
          path: stringData.server
          pattern: \nDOMAIN=git.example.com
      - documentIndex: 0
        matchRegex:
          path: stringData.server
          pattern: \nSSH_DOMAIN=git.example.com
      - documentIndex: 0
        matchRegex:
          path: stringData.server
          pattern: \nROOT_URL=http://git.example.com
  ################################################
  - it: "[no ingress hosts] uses gitea http service for DOMAIN|SSH_DOMAIN|ROOT_URL"
    template: templates/gitea/config.yaml
    set:
      ingress:
        hosts: []
    asserts:
      - documentIndex: 0
        matchRegex:
          path: stringData.server
          pattern: \nDOMAIN=gitea-unittests-http.testing.svc.cluster.local
      - documentIndex: 0
        matchRegex:
          path: stringData.server
          pattern: \nSSH_DOMAIN=gitea-unittests-http.testing.svc.cluster.local
      - documentIndex: 0
        matchRegex:
          path: stringData.server
          pattern: \nROOT_URL=http://gitea-unittests-http.testing.svc.cluster.local
  ################################################
  - it: "[provided via values] uses that for DOMAIN|SSH_DOMAIN|ROOT_URL"
    template: templates/gitea/config.yaml
    set:
      gitea.config.server.DOMAIN: provided.example.com
      ingress:
        hosts:
          - host: non-used.example.com
            paths:
              - path: /
                pathType: Prefix
    asserts:
      - documentIndex: 0
        matchRegex:
          path: stringData.server
          pattern: \nDOMAIN=provided.example.com
      - documentIndex: 0
        matchRegex:
          path: stringData.server
          pattern: \nSSH_DOMAIN=provided.example.com
      - documentIndex: 0
        matchRegex:
          path: stringData.server
          pattern: \nROOT_URL=http://provided.example.com
--- a/unittests/statefulset/basic.yaml
+++ b/unittests/statefulset/basic.yaml
@ -1,17 +1,17 @@
-suite: Statefulset template (basic)
+suite: deployment template (basic)
 release:
  name: gitea-unittests
  namespace: testing
 templates:
-  - templates/gitea/statefulset.yaml
+  - templates/gitea/deployment.yaml
  - templates/gitea/config.yaml
 tests:
-  - it: renders a statefulset
+  - it: renders a deployment
-    template: templates/gitea/statefulset.yaml
+    template: templates/gitea/deployment.yaml
    asserts:
      - hasDocuments:
          count: 1
      - containsDocument:
-          kind: StatefulSet
+          kind: Deployment
          apiVersion: apps/v1
          name: gitea-unittests
--- a/unittests/deployment/image-configuration.yaml
+++ b/unittests/deployment/image-configuration.yaml
@ -0,0 +1,93 @@
 suite: deployment template (image configuration)
 release:
  name: gitea-unittests
  namespace: testing
 chart:
  # Override appVersion to be consistent with used digest :)
  appVersion: 1.19.3
 templates:
  - templates/gitea/deployment.yaml
  - templates/gitea/config.yaml
 tests:
  - it: default values
    template: templates/gitea/deployment.yaml
    asserts:
      - equal:
          path: spec.template.spec.containers[0].image
          value: "gitea/gitea:1.19.3-rootless"
  - it: tag override
    template: templates/gitea/deployment.yaml
    set:
      image.tag: "1.19.4"
    asserts:
      - equal:
          path: spec.template.spec.containers[0].image
          value: "gitea/gitea:1.19.4-rootless"
  - it: root-based image
    template: templates/gitea/deployment.yaml
    set:
      image.rootless: false
    asserts:
      - equal:
          path: spec.template.spec.containers[0].image
          value: "gitea/gitea:1.19.3"
  - it: scoped registry
    template: templates/gitea/deployment.yaml
    set:
      image.registry: "example.com"
    asserts:
      - equal:
          path: spec.template.spec.containers[0].image
          value: "example.com/gitea/gitea:1.19.3-rootless"
  - it: global registry
    template: templates/gitea/deployment.yaml
    set:
      global.imageRegistry: "global.example.com"
    asserts:
      - equal:
          path: spec.template.spec.containers[0].image
          value: "global.example.com/gitea/gitea:1.19.3-rootless"
  - it: digest for rootless image
    template: templates/gitea/deployment.yaml
    set:
      image:
        rootless: true
        digest: sha256:b28e8f3089b52ebe6693295df142f8c12eff354e9a4a5bfbb5c10f296c3a537a
    asserts:
      - equal:
          path: spec.template.spec.containers[0].image
          value: "gitea/gitea:1.19.3-rootless@sha256:b28e8f3089b52ebe6693295df142f8c12eff354e9a4a5bfbb5c10f296c3a537a"
  - it: image fullOverride (does not append rootless)
    template: templates/gitea/deployment.yaml
    set:
      image:
        fullOverride: gitea/gitea:1.19.3
        # setting rootless, registry, repository, tag, and digest to prove that override works
        rootless: true
        registry: example.com
        repository: example/image
        tag: "1.0.0"
        digest: sha256:b28e8f3089b52ebe6693295df142f8c12eff354e9a4a5bfbb5c10f296c3a537a
    asserts:
      - equal:
          path: spec.template.spec.containers[0].image
          value: "gitea/gitea:1.19.3"
  - it: digest for root-based image
    template: templates/gitea/deployment.yaml
    set:
      image:
        rootless: false
        digest: sha256:b28e8f3089b52ebe6693295df142f8c12eff354e9a4a5bfbb5c10f296c3a537a
    asserts:
      - equal:
          path: spec.template.spec.containers[0].image
          value: "gitea/gitea:1.19.3@sha256:b28e8f3089b52ebe6693295df142f8c12eff354e9a4a5bfbb5c10f296c3a537a"
  - it: digest and global registry
    template: templates/gitea/deployment.yaml
    set:
      global.imageRegistry: "global.example.com"
      image.digest: "sha256:b28e8f3089b52ebe6693295df142f8c12eff354e9a4a5bfbb5c10f296c3a537a"
    asserts:
      - equal:
          path: spec.template.spec.containers[0].image
          value: "global.example.com/gitea/gitea:1.19.3-rootless@sha256:b28e8f3089b52ebe6693295df142f8c12eff354e9a4a5bfbb5c10f296c3a537a"
--- a/unittests/deployment/ingress-configuration.yaml
+++ b/unittests/deployment/ingress-configuration.yaml
@ -0,0 +1,23 @@
 suite: ingress template
 release:
  name: gitea-unittests
  namespace: testing
 templates:
  - templates/gitea/ingress.yaml
 tests:
  - it: hostname using TPL
    set:
      global.giteaHostName: "gitea.example.com"
      ingress.enabled: true
      ingress.hosts[0].host: "{{ .Values.global.giteaHostName }}"
      ingress.tls:
        - secretName: gitea-tls
          hosts:
            - "{{ .Values.global.giteaHostName }}"
    asserts:
      - equal:
          path: spec.tls[0].hosts[0]
          value: "gitea.example.com"
      - equal:
          path: spec.rules[0].host
          value: "gitea.example.com"
--- a/unittests/deployment/inline-config.yaml
+++ b/unittests/deployment/inline-config.yaml
@ -0,0 +1,33 @@
 suite: config template
 release:
  name: gitea-unittests
  namespace: testing
 templates:
  - templates/gitea/config.yaml
 tests:
  - it: inline config stringData.server using TPL
    set:
      global.giteaHostName: "gitea.example.com"
      ingress.enabled: true
      ingress.hosts[0].host: "{{ .Values.global.giteaHostName }}"
      ingress.tls:
        - secretName: gitea-tls
          hosts:
            - "{{ .Values.global.giteaHostName }}"
    asserts:
      - documentIndex: 0
        matchRegex:
          path: metadata.name
          pattern: .*-inline-config$
      - documentIndex: 0
        matchRegex:
          path: stringData.server
          pattern: DOMAIN=gitea\.example\.com
      - documentIndex: 0
        matchRegex:
          path: stringData.server
          pattern: ROOT_URL=https://gitea\.example\.com
      - documentIndex: 0
        matchRegex:
          path: stringData.server
          pattern: SSH_DOMAIN=gitea\.example\.com
--- a/unittests/statefulset/signing-disabled.yaml
+++ b/unittests/statefulset/signing-disabled.yaml
@ -1,13 +1,13 @@
-suite: Statefulset template (signing disabled)
+suite: deployment template (signing disabled)
 release:
  name: gitea-unittests
  namespace: testing
 templates:
-  - templates/gitea/statefulset.yaml
+  - templates/gitea/deployment.yaml
  - templates/gitea/config.yaml
 tests:
  - it: skips gpg init container
-    template: templates/gitea/statefulset.yaml
+    template: templates/gitea/deployment.yaml
    asserts:
      - notContains:
          path: spec.template.spec.initContainers
@ -15,7 +15,7 @@ tests:
          content:
            name: configure-gpg
  - it: skips gpg env in `init-directories` init container
-    template: templates/gitea/statefulset.yaml
+    template: templates/gitea/deployment.yaml
    set:
      signing.enabled: false
    asserts:
@ -25,14 +25,14 @@ tests:
            name: GNUPGHOME
            value: /data/git/.gnupg
  - it: skips gpg env in runtime container
-    template: templates/gitea/statefulset.yaml
+    template: templates/gitea/deployment.yaml
    asserts:
      - notContains:
          path: spec.template.spec.containers[0].env
          content:
            name: GNUPGHOME
  - it: skips gpg volume spec
-    template: templates/gitea/statefulset.yaml
+    template: templates/gitea/deployment.yaml
    asserts:
      - notContains:
          path: spec.template.spec.volumes
--- a/unittests/statefulset/signing-enabled.yaml
+++ b/unittests/statefulset/signing-enabled.yaml
@ -1,13 +1,13 @@
-suite: Statefulset template (signing enabled)
+suite: deployment template (signing enabled)
 release:
  name: gitea-unittests
  namespace: testing
 templates:
-  - templates/gitea/statefulset.yaml
+  - templates/gitea/deployment.yaml
  - templates/gitea/config.yaml
 tests:
  - it: adds gpg init container
-    template: templates/gitea/statefulset.yaml
+    template: templates/gitea/deployment.yaml
    set:
      signing:
        enabled: true
@ -39,7 +39,7 @@ tests:
              mountPath: /raw
              readOnly: true
  - it: adds gpg env in `init-directories` init container
-    template: templates/gitea/statefulset.yaml
+    template: templates/gitea/deployment.yaml
    set:
      signing.enabled: true
      signing.existingSecret: "custom-gpg-secret"
@ -50,7 +50,7 @@ tests:
            name: GNUPGHOME
            value: /data/git/.gnupg
  - it: adds gpg env in runtime container
-    template: templates/gitea/statefulset.yaml
+    template: templates/gitea/deployment.yaml
    set:
      signing.enabled: true
      signing.existingSecret: "custom-gpg-secret"
@ -61,7 +61,7 @@ tests:
            name: GNUPGHOME
            value: /data/git/.gnupg
  - it: adds gpg volume spec
-    template: templates/gitea/statefulset.yaml
+    template: templates/gitea/deployment.yaml
    set:
      signing:
        enabled: true
@ -78,7 +78,7 @@ tests:
                  path: private.asc
              defaultMode: 0100
  - it: supports gpg volume spec with external reference
-    template: templates/gitea/statefulset.yaml
+    template: templates/gitea/deployment.yaml
    set:
      signing:
        enabled: true
--- a/unittests/deployment/ssh-configuration.yaml
+++ b/unittests/deployment/ssh-configuration.yaml
@ -0,0 +1,64 @@
 suite: deployment template (SSH configuration)
 release:
  name: gitea-unittests
  namespace: testing
 templates:
  - templates/gitea/deployment.yaml
  - templates/gitea/config.yaml
 tests:
  - it: supports defining SSH log level for root based image
    template: templates/gitea/deployment.yaml
    set:
      image.rootless: false
    asserts:
      - contains:
          path: spec.template.spec.containers[0].env
          content:
            name: SSH_LOG_LEVEL
            value: "INFO"
  - it: supports overriding SSH log level
    template: templates/gitea/deployment.yaml
    set:
      image.rootless: false
      gitea.ssh.logLevel: "DEBUG"
    asserts:
      - contains:
          path: spec.template.spec.containers[0].env
          content:
            name: SSH_LOG_LEVEL
            value: "DEBUG"
  - it: supports overriding SSH log level (even when image.fullOverride set)
    template: templates/gitea/deployment.yaml
    set:
      image.fullOverride: gitea/gitea:1.19.3
      image.rootless: false
      gitea.ssh.logLevel: "DEBUG"
    asserts:
      - contains:
          path: spec.template.spec.containers[0].env
          content:
            name: SSH_LOG_LEVEL
            value: "DEBUG"
  - it: skips SSH_LOG_LEVEL for rootless image
    template: templates/gitea/deployment.yaml
    set:
      image.rootless: true
      gitea.ssh.logLevel: "DEBUG" # explicitly defining a non-standard level here
    asserts:
      - notContains:
          path: spec.template.spec.containers[0].env
          any: true
          content:
            name: SSH_LOG_LEVEL
  - it: skips SSH_LOG_LEVEL for rootless image (even when image.fullOverride set)
    template: templates/gitea/deployment.yaml
    set:
      image.fullOverride: gitea/gitea:1.19.3
      image.rootless: true
      gitea.ssh.logLevel: "DEBUG" # explicitly defining a non-standard level here
    asserts:
      - notContains:
          path: spec.template.spec.containers[0].env
          any: true
          content:
            name: SSH_LOG_LEVEL
--- a/unittests/init/init_directory_structure.sh-rootless.yaml
+++ b/unittests/init/init_directory_structure.sh-rootless.yaml
@ -0,0 +1,88 @@
 suite: Init template
 release:
  name: gitea-unittests
  namespace: testing
 templates:
  - templates/gitea/init.yaml
 tests:
  - it: runs gpg in batch mode
    set:
      signing.enabled: true
      signing.privateKey: |-
        -----BEGIN PGP PRIVATE KEY BLOCK-----
        {placeholder}
        -----END PGP PRIVATE KEY BLOCK-----
    asserts:
      - equal:
          path: stringData["configure_gpg_environment.sh"]
          value: |-
            #!/usr/bin/env bash
            set -eu
            gpg --batch --import /raw/private.asc
  - it: skips gpg script block for disabled signing
    asserts:
      - equal:
          path: stringData["init_directory_structure.sh"]
          value: |-
            #!/usr/bin/env bash
            set -euo pipefail
            set -x
            mkdir -p /data/git/.ssh
            chmod -R 700 /data/git/.ssh
            [ ! -d /data/gitea/conf ] && mkdir -p /data/gitea/conf
            # prepare temp directory structure
            mkdir -p "${GITEA_TEMP}"
            chmod ug+rwx "${GITEA_TEMP}"
  - it: adds gpg script block for enabled signing
    set:
      signing.enabled: true
      signing.privateKey: |-
        -----BEGIN PGP PRIVATE KEY BLOCK-----
        {placeholder}
        -----END PGP PRIVATE KEY BLOCK-----
    asserts:
      - equal:
          path: stringData["init_directory_structure.sh"]
          value: |-
            #!/usr/bin/env bash
            set -euo pipefail
            set -x
            mkdir -p /data/git/.ssh
            chmod -R 700 /data/git/.ssh
            [ ! -d /data/gitea/conf ] && mkdir -p /data/gitea/conf
            # prepare temp directory structure
            mkdir -p "${GITEA_TEMP}"
            chmod ug+rwx "${GITEA_TEMP}"
            if [ ! -d "${GNUPGHOME}" ]; then
              mkdir -p "${GNUPGHOME}"
              chmod 700 "${GNUPGHOME}"
              chown 1000:1000 "${GNUPGHOME}"
            fi
  - it: it does not chown /data even when image.fullOverride is set
    template: templates/gitea/init.yaml
    set:
      image.fullOverride: gitea/gitea:1.20.5
    asserts:
      - equal:
          path: stringData["init_directory_structure.sh"]
          value: |-
            #!/usr/bin/env bash
            set -euo pipefail
            set -x
            mkdir -p /data/git/.ssh
            chmod -R 700 /data/git/.ssh
            [ ! -d /data/gitea/conf ] && mkdir -p /data/gitea/conf
            # prepare temp directory structure
            mkdir -p "${GITEA_TEMP}"
            chmod ug+rwx "${GITEA_TEMP}"
--- a/unittests/init/init_directory_structure.sh.yaml
+++ b/unittests/init/init_directory_structure.sh.yaml
@ -7,6 +7,7 @@ templates:
 tests:
  - it: runs gpg in batch mode
    set:
      image.rootless: false
      signing.enabled: true
      signing.privateKey: |-
        -----BEGIN PGP PRIVATE KEY BLOCK-----
@ -21,6 +22,8 @@ tests:
            gpg --batch --import /raw/private.asc
  - it: skips gpg script block for disabled signing
    set:
      image.rootless: false
    asserts:
      - equal:
          path: stringData["init_directory_structure.sh"]
@ -41,6 +44,7 @@ tests:
            chmod ug+rwx "${GITEA_TEMP}"
  - it: adds gpg script block for enabled signing
    set:
      image.rootless: false
      signing.enabled: true
      signing.privateKey: |-
        -----BEGIN PGP PRIVATE KEY BLOCK-----
--- a/unittests/serviceaccount/basic.yaml
+++ b/unittests/serviceaccount/basic.yaml
@ -0,0 +1,82 @@
 suite: ServiceAccount template (basic)
 release:
  name: gitea-unittests
  namespace: testing
 templates:
  - templates/gitea/serviceaccount.yaml
 tests:
  - it: skips rendering by default
    asserts:
      - hasDocuments:
          count: 0
  - it: renders default ServiceAccount object with serviceAccount.create=true
    set:
      serviceAccount.create: true
    asserts:
      - hasDocuments:
          count: 1
      - containsDocument:
          kind: ServiceAccount
          apiVersion: v1
          name: gitea-unittests
      - equal:
          path: automountServiceAccountToken
          value: false
      - notExists:
          path: imagePullSecrets
      - notExists:
          path: metadata.annotations
  - it: allows for adding custom labels
    set:
      serviceAccount:
        create: true
        labels:
          custom: label
    asserts:
      - equal:
          path: metadata.labels.custom
          value: label
  - it: allows for adding custom annotations
    set:
      serviceAccount:
        create: true
        annotations:
          myCustom: annotation
    asserts:
      - equal:
          path: metadata.annotations.myCustom
          value: annotation
  - it: allows to override the generated name
    set:
      serviceAccount:
        create: true
        name: provided-serviceaccount-name
    asserts:
      - equal:
          path: metadata.name
          value: provided-serviceaccount-name
  - it: allows to mount the token
    set:
      serviceAccount:
        create: true
        automountServiceAccountToken: true
    asserts:
      - equal:
          path: automountServiceAccountToken
          value: true
  - it: allows to reference image pull secrets
    set:
      serviceAccount:
        create: true
        imagePullSecrets:
          - name: testing-image-pull-secret
          - name: another-pull-secret
    asserts:
      - contains:
          path: imagePullSecrets
          content:
            name: testing-image-pull-secret
      - contains:
          path: imagePullSecrets
          content:
            name: another-pull-secret
--- a/unittests/serviceaccount/reference.yaml
+++ b/unittests/serviceaccount/reference.yaml
@ -0,0 +1,32 @@
 suite: ServiceAccount template (reference)
 release:
  name: gitea-unittests
  namespace: testing
 templates:
  - templates/gitea/serviceaccount.yaml
  - templates/gitea/deployment.yaml
  - templates/gitea/config.yaml
 tests:
  - it: does not modify the deployment by default
    template: templates/gitea/deployment.yaml
    asserts:
      - notExists:
          path: spec.serviceAccountName
  - it: adds the reference to the deployment with serviceAccount.create=true
    template: templates/gitea/deployment.yaml
    set:
      serviceAccount.create: true
    asserts:
      - equal:
          path: spec.template.spec.serviceAccountName
          value: gitea-unittests
  - it: allows referencing an externally created ServiceAccount to the deployment
    template: templates/gitea/deployment.yaml
    set:
      serviceAccount:
        create: false # explicitly set to define rendering behavior
        name: "externally-existing-serviceaccount"
    asserts:
      - equal:
          path: spec.template.spec.serviceAccountName
          value: externally-existing-serviceaccount
--- a/unittests/statefulset/ssh-configuration.yaml
+++ b/unittests/statefulset/ssh-configuration.yaml
@ -1,40 +0,0 @@
 suite: Statefulset template (SSH configuration)
 release:
  name: gitea-unittests
  namespace: testing
 templates:
  - templates/gitea/statefulset.yaml
  - templates/gitea/config.yaml
 tests:
  - it: supports defining SSH log level for root based image
    template: templates/gitea/statefulset.yaml
    set:
      image.rootless: false
    asserts:
      - contains:
          path: spec.template.spec.containers[0].env
          content:
            name: SSH_LOG_LEVEL
            value: "INFO"
  - it: supports overriding SSH log level
    template: templates/gitea/statefulset.yaml
    set:
      image.rootless: false
      gitea.ssh.logLevel: "DEBUG"
    asserts:
      - contains:
          path: spec.template.spec.containers[0].env
          content:
            name: SSH_LOG_LEVEL
            value: "DEBUG"
  - it: skips SSH_LOG_LEVEL for rootless image
    template: templates/gitea/statefulset.yaml
    set:
      image.rootless: true
      gitea.ssh.logLevel: "DEBUG" # explicitly defining a non-standard level here
    asserts:
      - notContains:
          path: spec.template.spec.containers[0].env
          any: true
          content:
            name: SSH_LOG_LEVEL
--- a/values.yaml
+++ b/values.yaml
@ -20,9 +20,19 @@ global:
  #   hostnames:
  #   - example.com
-## @param replicaCount number of replicas for the statefulset
+## @param replicaCount number of replicas for the deployment
 replicaCount: 1
 ## @section strategy
 ## @param strategy.type strategy type
 ## @param strategy.rollingUpdate.maxSurge maxSurge
 ## @param strategy.rollingUpdate.maxUnavailable maxUnavailable
 strategy:
  type: "RollingUpdate"
  rollingUpdate:
    maxSurge: "100%"
    maxUnavailable: 0
 ## @param clusterDomain cluster domain
 clusterDomain: cluster.local
@ -30,15 +40,19 @@ clusterDomain: cluster.local
 ## @param image.registry image registry, e.g. gcr.io,docker.io
 ## @param image.repository Image to start for this pod
 ## @param image.tag Visit: [Image tag](https://hub.docker.com/r/gitea/gitea/tags?page=1&ordering=last_updated). Defaults to `appVersion` within Chart.yaml.
 ## @param image.digest Image digest. Allows to pin the given image tag. Useful for having control over mutable tags like `latest`
 ## @param image.pullPolicy Image pull policy
 ## @param image.rootless Wether or not to pull the rootless version of Gitea, only works on Gitea 1.14.x or higher
 ## @param image.fullOverride Completely overrides the image registry, path/image, tag and digest. **Adjust `image.rootless` accordingly and review [Rootless defaults](#rootless-defaults).**
 image:
  registry: ""
  repository: gitea/gitea
  # Overrides the image tag whose default is the chart appVersion.
  tag: ""
-  pullPolicy: Always
+  digest: ""
-  rootless: false # only possible when running 1.14 or later
+  pullPolicy: IfNotPresent
  rootless: true
  fullOverride: ""
 ## @param imagePullSecrets Secret to use for pulling the image
 imagePullSecrets: []
@ -74,11 +88,16 @@ containerSecurityContext: {}
 ## @param securityContext Run init and Gitea containers as a specific securityContext
 securityContext: {}
 ## @param podDisruptionBudget Pod disruption budget
 podDisruptionBudget: {}
 #  maxUnavailable: 1
 #  minAvailable: 1
 ## @section Service
 service:
  ## @param service.http.type Kubernetes service type for web traffic
  ## @param service.http.port Port number for web traffic
-  ## @param service.http.clusterIP ClusterIP setting for http autosetup for statefulset is None
+  ## @param service.http.clusterIP ClusterIP setting for http autosetup for deployment is None
  ## @param service.http.loadBalancerIP LoadBalancer IP setting
  ## @param service.http.nodePort NodePort for http service
  ## @param service.http.externalTrafficPolicy If `service.http.type` is `NodePort` or `LoadBalancer`, set this to `Local` to enable source IP preservation
@ -101,7 +120,7 @@ service:
    annotations: {}
  ## @param service.ssh.type Kubernetes service type for ssh traffic
  ## @param service.ssh.port Port number for ssh traffic
-  ## @param service.ssh.clusterIP ClusterIP setting for ssh autosetup for statefulset is None
+  ## @param service.ssh.clusterIP ClusterIP setting for ssh autosetup for deployment is None
  ## @param service.ssh.loadBalancerIP LoadBalancer IP setting
  ## @param service.ssh.nodePort NodePort for ssh service
  ## @param service.ssh.externalTrafficPolicy If `service.ssh.type` is `NodePort` or `LoadBalancer`, set this to `Local` to enable source IP preservation
@ -155,7 +174,7 @@ ingress:
  # If helm doesn't correctly detect your ingress API version you can set it here.
  # apiVersion: networking.k8s.io/v1
-## @section StatefulSet
+## @section deployment
 #
 ## @param resources Kubernetes resources
 resources:
@ -177,26 +196,29 @@ resources:
 ## @param schedulerName Use an alternate scheduler, e.g. "stork"
 schedulerName: ""
-## @param nodeSelector NodeSelector for the statefulset
+## @param nodeSelector NodeSelector for the deployment
 nodeSelector: {}
-## @param tolerations Tolerations for the statefulset
+## @param tolerations Tolerations for the deployment
 tolerations: []
-## @param affinity Affinity for the statefulset
+## @param affinity Affinity for the deployment
 affinity: {}
-## @param dnsConfig dnsConfig for the statefulset
+## @param topologySpreadConstraints TopologySpreadConstraints for the deployment
 topologySpreadConstraints: []
 ## @param dnsConfig dnsConfig for the deployment
 dnsConfig: {}
-## @param priorityClassName priorityClassName for the statefulset
+## @param priorityClassName priorityClassName for the deployment
 priorityClassName: ""
-## @param statefulset.env  Additional environment variables to pass to containers
+## @param deployment.env  Additional environment variables to pass to containers
-## @param statefulset.terminationGracePeriodSeconds How long to wait until forcefully kill the pod
+## @param deployment.terminationGracePeriodSeconds How long to wait until forcefully kill the pod
-## @param statefulset.labels Labels for the statefulset
+## @param deployment.labels Labels for the deployment
-## @param statefulset.annotations Annotations for the Gitea StatefulSet to be created
+## @param deployment.annotations Annotations for the Gitea deployment to be created
-statefulset:
+deployment:
  env:
    []
    # - name: VARIABLE
@ -205,28 +227,52 @@ statefulset:
  labels: {}
  annotations: {}
 ## @section ServiceAccount
 ## @param serviceAccount.create Enable the creation of a ServiceAccount
 ## @param serviceAccount.name Name of the created ServiceAccount, defaults to release name. Can also link to an externally provided ServiceAccount that should be used.
 ## @param serviceAccount.automountServiceAccountToken Enable/disable auto mounting of the service account token
 ## @param serviceAccount.imagePullSecrets Image pull secrets, available to the ServiceAccount
 ## @param serviceAccount.annotations Custom annotations for the ServiceAccount
 ## @param serviceAccount.labels Custom labels for the ServiceAccount
 serviceAccount:
  create: false
  name: ""
  automountServiceAccountToken: false
  imagePullSecrets: []
  # - name: private-registry-access
  annotations: {}
  labels: {}
 ## @section Persistence
 #
 ## @param persistence.enabled Enable persistent storage
-## @param persistence.existingClaim Use an existing claim to store repository information
+## @param persistence.create Whether to create the persistentVolumeClaim for shared storage
 ## @param persistence.mount Whether the persistentVolumeClaim should be mounted (even if not created)
 ## @param persistence.claimName Use an existing claim to store repository information
 ## @param persistence.size Size for persistence to store repo information
 ## @param persistence.accessModes AccessMode for persistence
 ## @param persistence.labels Labels for the persistence volume claim to be created
-## @param persistence.annotations Annotations for the persistence volume claim to be created
+## @param persistence.annotations.helm.sh/resource-policy Resource policy for the persistence volume claim
 ## @param persistence.storageClass Name of the storage class to use
 ## @param persistence.subPath Subdirectory of the volume to mount at
 ## @param persistence.volumeName Name of persistent volume in PVC
 persistence:
  enabled: true
-  existingClaim:
+  create: true
  mount: true
  claimName: gitea-shared-storage
  size: 10Gi
  accessModes:
    - ReadWriteOnce
  labels: {}
  annotations: {}
  storageClass:
  subPath:
  volumeName: ""
  annotations:
    helm.sh/resource-policy: keep
-## @param extraVolumes Additional volumes to mount to the Gitea statefulset
+## @param extraVolumes Additional volumes to mount to the Gitea deployment
 extraVolumes: []
 # - name: postgres-ssl-vol
 #   secret:
@ -341,13 +387,14 @@ gitea:
    #   customProfileUrl:
    #   customEmailUrl:
-  ## @param gitea.config  Configuration for the Gitea server,ref: [config-cheat-sheet](https://docs.gitea.io/en-us/config-cheat-sheet/)
+  ## @param gitea.config.server.SSH_PORT SSH port for rootlful Gitea image
-  config: {}
+  ## @param gitea.config.server.SSH_LISTEN_PORT SSH port for rootless Gitea image
  config:
    #  APP_NAME: "Gitea: Git with a cup of tea"
    #  RUN_MODE: dev
-  #
+    server:
-  #  server:
+      SSH_PORT: 22 # rootful image
-  #    SSH_PORT: 22
+      SSH_LISTEN_PORT: 2222 # rootless image
  #
  #  security:
  #    PASSWORD_COMPLEXITY: spec
@ -429,23 +476,49 @@ gitea:
    successThreshold: 1
    failureThreshold: 10
-## @section Memcached
+## @section redis-cluster
-#
+## @param redis-cluster.enabled Enable redis
-## @param memcached.enabled Memcached is loaded as a dependency from [Bitnami](https://github.com/bitnami/charts/tree/master/bitnami/memcached) if enabled in the values. Complete Configuration can be taken from their website.
+## @param redis-cluster.usePassword Whether to use password authentication
-## ref: https://hub.docker.com/r/bitnami/memcached/tags/
+## @param redis-cluster.cluster.nodes Number of redis cluster master nodes
-## @param memcached.service.ports.memcached Port for Memcached
+## @param redis-cluster.cluster.replicas Number of redis cluster master node replicas
-memcached:
+redis-cluster:
  enabled: true
-  # image:
+  usePassword: false
-  #   registry: docker.io
+  cluster:
-  #   repository: bitnami/memcached
+    nodes: 3 # default: 6
-  #   tag: ""
+    replicas: 0 # default: 1
-  #   digest: ""
+
-  #   pullPolicy: IfNotPresent
+## @section postgresql-ha
-  #   pullSecrets: []
+#
 ## @param postgresql-ha.enabled Enable postgresql-ha
 ## @param postgresql-ha.postgresql.password Password for the `gitea` user (overrides `auth.password`)
 ## @param postgresql-ha.global.postgresql.database Name for a custom database to create (overrides `auth.database`)
 ## @param postgresql-ha.global.postgresql.username Name for a custom user to create (overrides `auth.username`)
 ## @param postgresql-ha.global.postgresql.password Name for a custom password to create (overrides `auth.password`)
 ## @param postgresql-ha.postgresql.repmgrPassword Repmgr Password
 ## @param postgresql-ha.postgresql.postgresPassword postgres Password
 ## @param postgresql-ha.pgpool.adminPassword pgpool adminPassword
 ## @param postgresql-ha.service.ports.postgresql postgresql service port (overrides `service.ports.postgresql`)
 ## @param postgresql-ha.primary.persistence.size PVC Storage Request for postgresql-ha volume
 postgresql-ha:
  global:
    postgresql:
      database: gitea
      password: gitea
      username: gitea
  enabled: true
  postgresql:
    repmgrPassword: changeme2
    postgresPassword: changeme1
    password: changeme4
  pgpool:
    adminPassword: changeme3
  service:
    ports:
-      memcached: 11211
+      postgresql: 5432
  primary:
    persistence:
      size: 10Gi
 ## @section PostgreSQL
 #
@ -456,7 +529,7 @@ memcached:
 ## @param postgresql.global.postgresql.service.ports.postgresql PostgreSQL service port (overrides `service.ports.postgresql`)
 ## @param postgresql.primary.persistence.size PVC Storage Request for PostgreSQL volume
 postgresql:
-  enabled: true
+  enabled: false
  global:
    postgresql:
      auth: