docs: set full path of values.yaml key in output to user (#832 )

Currently, the reported path of the values to be changed is not always correct (especially `gitea.persistence` vs. `persistence`). Co-authored-by: techknowlogick <techknowlogick@noreply.gitea.com> Reviewed-on: https://gitea.com/gitea/helm-gitea/pulls/832 Reviewed-by: techknowlogick <techknowlogick@noreply.gitea.com> Co-authored-by: bachorp <bachorp@noreply.gitea.com> Co-committed-by: bachorp <bachorp@noreply.gitea.com>
docs: fix typo in initialization script (#842 )
2025-03-26 17:16:17 +00:00 · 2025-03-26 17:12:56 +00:00 · 2025-03-25 00:18:08 +00:00 · 2025-03-24 00:16:56 +00:00 · 2025-03-24 00:05:48 +00:00 · 2025-03-23 00:05:43 +00:00
105 changed files with 5556 additions and 654 deletions
--- a/.commitlintrc.json
+++ b/.commitlintrc.json
@ -0,0 +1,7 @@
+{
+  "extends": ["@commitlint/config-conventional"],
+  "rules": {
+    "type-enum": [2, "always", ["feat", "fix", "chore", "docs", "style", "refactor", "test", "perf", "ci", "WIP"]],
+    "type-case": [0, "always", "lower-case"]
+  }
+}
--- a/.gitea/PULL_REQUEST_TEMPLATE.md
+++ b/.gitea/PULL_REQUEST_TEMPLATE.md
@ -23,7 +23,7 @@
 ### Applicable issues

 <!-- Enter any applicable Issues here (You can reference an issue using #). Please remove this section if there is no referenced issue. -->
-  - fixes #
+- Fixes #

 ### Additional information

@ -39,4 +39,6 @@

 - [ ] Parameters are documented in the `values.yaml` and added to the `README.md` using [readme-generator-for-helm](https://github.com/bitnami-labs/readme-generator-for-helm)
 - [ ] Breaking changes are documented in the `README.md`
- [ ] Templating unittests are added
+- [ ] Helm templating unittests are added (required when changing anything in `templates` folder)
+- [ ] Bash unittests are added (required when changing anything in `scripts` folder)
+- [ ] All added template resources MUST render a namespace in metadata
--- a/.gitea/workflows/changelog.yml
+++ b/.gitea/workflows/changelog.yml
@ -0,0 +1,32 @@
+name: changelog
+
+on:
+  push:
+    branches:
+      - main
+
+jobs:
+  changelog:
+    runs-on: ubuntu-latest
+    container: docker.io/thegeeklab/git-sv:1.0.12
+    steps:
+      - name: install tools
+        run: |
+          apk add -q --update --no-cache nodejs curl jq sed
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - name: Generate upcoming changelog
+        run: |
+          git sv rn -o changelog.md
+          export RELEASE_NOTES=$(cat changelog.md)
+          export ISSUE_NUMBER=$(curl -s "https://gitea.com/api/v1/repos/gitea/helm-gitea/issues?state=open&q=Changelog%20for%20upcoming%20version" | jq '.[].number')
+
+          echo $RELEASE_NOTES
+          JSON_DATA=$(echo "" | jq -Rs --arg title 'Changelog for upcoming version' --arg body "$(cat changelog.md)" '{title: $title, body: $body}')
+
+          if [ -z "$ISSUE_NUMBER" ]; then
+            curl -s -X POST "https://gitea.com/api/v1/repos/gitea/helm-gitea/issues" -H "Authorization: token ${{ secrets.ISSUE_RW_TOKEN }}" -H "Content-Type: application/json" -d "$JSON_DATA"
+          else
+            curl -s -X PATCH "https://gitea.com/api/v1/repos/gitea/helm-gitea/issues/$ISSUE_NUMBER" -H "Authorization: token ${{ secrets.ISSUE_RW_TOKEN }}" -H "Content-Type: application/json" -d "$JSON_DATA"
+          fi
--- a/.gitea/workflows/commitlint.yml
+++ b/.gitea/workflows/commitlint.yml
@ -0,0 +1,19 @@
+name: commitlint
+
+on:
+  pull_request:
+    branches:
+      - "*"
+    types:
+      - opened
+      - edited
+
+jobs:
+  check-and-test:
+    runs-on: ubuntu-latest
+    container: commitlint/commitlint:19.7.1
+    steps:
+      - uses: actions/checkout@v4
+      - name: check PR title
+        run: |
+          echo "${{ gitea.event.pull_request.title }}" | commitlint --config .commitlintrc.json
--- a/.gitea/workflows/release-version.yml
+++ b/.gitea/workflows/release-version.yml
@ -5,24 +5,37 @@ on:
    tags:
      - "*"

+env:
+  # renovate: datasource=docker depName=alpine/helm
+  HELM_VERSION: "3.17.1"
+
 jobs:
  generate-chart-publish:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
      - name: install tools
        run: |
          apt update -y
-          apt install -y curl
-          curl https://baltocdn.com/helm/signing.asc | gpg --dearmor | tee /usr/share/keyrings/helm.gpg > /dev/null
-          echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/helm.gpg] https://baltocdn.com/helm/stable/debian/ all main" | tee /etc/apt/sources.list.d/helm-stable-debian.list
+          apt install -y curl ca-certificates curl gnupg
+          # helm
+          curl -O https://get.helm.sh/helm-v${{ env.HELM_VERSION }}-linux-amd64.tar.gz
+          tar -xzf helm-v${{ env.HELM_VERSION }}-linux-amd64.tar.gz
+          mv linux-amd64/helm /usr/local/bin/
+          rm -rf linux-amd64 helm-v${{ env.HELM_VERSION }}-linux-amd64.tar.gz
+          helm version
+          # docker
+          install -m 0755 -d /etc/apt/keyrings
+          curl -fsSL https://download.docker.com/linux/ubuntu/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg
+          chmod a+r /etc/apt/keyrings/docker.gpg
+          echo "deb [arch="$(dpkg --print-architecture)" signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu "$(. /etc/os-release && echo "$VERSION_CODENAME")" stable" | tee /etc/apt/sources.list.d/docker.list > /dev/null
          apt update -y
-          apt install -y python helm python3-pip apt-transport-https
-          pip install awscli
+          apt install -y python3 python3-pip apt-transport-https docker-ce-cli
+          pip install awscli --break-system-packages

      - name: Import GPG key
        id: import_gpg
-        uses: https://github.com/crazy-max/ghaction-import-gpg@v5
+        uses: https://github.com/crazy-max/ghaction-import-gpg@v6
        with:
          gpg_private_key: ${{ secrets.GPGSIGN_KEY }}
          passphrase: ${{ secrets.GPGSIGN_PASSPHRASE }}
@ -31,18 +44,22 @@ jobs:
      # Using helm gpg plugin as 'helm package --sign' has issues with gpg2: https://github.com/helm/helm/issues/2843
      - name: package chart
        run: |
+          echo ${{ secrets.DOCKER_CHARTS_PASSWORD }} | docker login -u ${{ secrets.DOCKER_CHARTS_USERNAME }} --password-stdin
          # FIXME: use upstream after https://github.com/technosophos/helm-gpg/issues/1 is solved
          helm plugin install https://github.com/pat-s/helm-gpg
-          helm dependency update
+          helm dependency build
          helm package --version "${GITHUB_REF#refs/tags/v}" ./
-          helm gpg sign "gitea-${GITHUB_REF#refs/tags/v}.tgz"
          mkdir gitea
          mv gitea*.tgz gitea/
-          curl -L -o gitea/index.yaml https://dl.gitea.com/charts/index.yaml
+          curl -s -L -o gitea/index.yaml https://dl.gitea.com/charts/index.yaml
          helm repo index gitea/ --url https://dl.gitea.com/charts --merge gitea/index.yaml
+          # push to dockerhub
+          echo ${{ secrets.DOCKER_CHARTS_PASSWORD }} | helm registry login -u ${{ secrets.DOCKER_CHARTS_USERNAME }} registry-1.docker.io --password-stdin
+          helm push gitea/gitea-${GITHUB_REF#refs/tags/v}.tgz oci://registry-1.docker.io/giteacharts
+          helm registry logout registry-1.docker.io

      - name: aws credential configure
-        uses: https://github.com/aws-actions/configure-aws-credentials@v2
+        uses: https://github.com/aws-actions/configure-aws-credentials@v4
        with:
          aws-access-key-id: ${{ secrets.AWS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
--- a/.gitea/workflows/test-pr.yml
+++ b/.gitea/workflows/test-pr.yml
@ -1,32 +1,41 @@
 name: check-and-test

 on:
-  - pull_request
+  pull_request:
+    branches:
+      - "*"
+  push:
+    branches:
+      - main
+
+env:
+  # renovate: datasource=github-releases depName=helm-unittest/helm-unittest
+  HELM_UNITTEST_VERSION: "v0.7.2"

 jobs:
  check-and-test:
    runs-on: ubuntu-latest
+    container: alpine/helm:3.17.1
    steps:
-      - uses: actions/checkout@v3
      - name: install tools
        run: |
-          apt update -y
-          apt install -y curl make
-          curl https://baltocdn.com/helm/signing.asc | gpg --dearmor | tee /usr/share/keyrings/helm.gpg > /dev/null
-          echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/helm.gpg] https://baltocdn.com/helm/stable/debian/ all main" | tee /etc/apt/sources.list.d/helm-stable-debian.list
-          apt update -y
-          apt install -y helm python3-pip
-          pip install yamllint
-      - name: dependency update
-        run: helm dependency update
+          apk update
+          apk add --update bash make nodejs npm yamllint ncurses
+      - uses: actions/checkout@v4
+      - name: install chart dependencies
+        run: helm dependency build
      - name: lint
        run: helm lint
      - name: template
+        run: helm template --debug gitea-helm .
+      - name: prepare unit test environment
        run: |
-          helm template --debug gitea-helm .
+          helm plugin install --version ${{ env.HELM_UNITTEST_VERSION }} https://github.com/helm-unittest/helm-unittest
+          git submodule update --init --recursive
      - name: unit tests
+        env:
+          TERM: xterm
        run: |
-          helm plugin install --version 0.3.3 https://github.com/helm-unittest/helm-unittest
          make unittests
      - name: verify readme
        run: |
--- a/.gitmodules
+++ b/.gitmodules
@ -0,0 +1,12 @@
+[submodule "unittests/bash/bats"]
+	path = unittests/bash/bats
+	url = https://github.com/bats-core/bats-core.git
+[submodule "unittests/bash/test_helper/bats-support"]
+	path = unittests/bash/test_helper/bats-support
+	url = https://github.com/bats-core/bats-support.git
+[submodule "unittests/bash/test_helper/bats-assert"]
+	path = unittests/bash/test_helper/bats-assert
+	url = https://github.com/bats-core/bats-assert.git
+[submodule "unittests/bash/test_helper/bats-mock"]
+	path = unittests/bash/test_helper/bats-mock
+	url = https://github.com/jasonkarns/bats-mock.git
--- a/.gitsv/config.yaml
+++ b/.gitsv/config.yaml
@ -0,0 +1,57 @@
+version: '1.1' # Configuration version.
+
+versioning:
+  update-major: [breaking] # Commit types used to bump major.
+  update-minor: [feat, perf] # Commit types used to bump minor.
+  update-patch: [build, ci, chore, fix, perf, refactor, test] # Commit types used to bump patch.
+  # When type is not present on update rules and is unknown (not mapped on commit message types);
+  # if ignore-unknown=false bump patch, if ignore-unknown=true do not bump version.
+  ignore-unknown: false
+
+tag:
+  pattern: 'v%d.%d.%d' # Pattern used to create git tag.
+  filter: '' # Enables you to filter for considerable tags using git pattern syntax.
+
+release-notes:
+  sections: # Array with each section of release note. Check template section for more information.
+    - name: Breaking Changes
+      section-type: breaking-changes
+    - name: Features # Name used on section.
+      section-type: commits # Type of the section, supported types: commits, breaking-changes.
+      commit-types: [feat, perf] # Commit types for commit section-type, one commit type cannot be in more than one section.
+    - name: Bug Fixes
+      section-type: commits
+      commit-types: [fix]
+    - name: Maintenance
+      section-type: commits
+      commit-types: [chore, refactor]
+    - name: Documentation
+      commit-types: [docs]
+      section-type: commits
+    - name: CI
+      commit-types: [ci]
+      section-type: commits
+
+branches: # Git branches config.
+  prefix: ([a-z]+\/)? # Prefix used on branch name, it should be a regex group.
+  suffix: (-.*)? # Suffix used on branch name, it should be a regex group.
+  disable-issue: false # Set true if there is no need to recover issue id from branch name.
+  skip: [] # List of branch names ignored on commit message validation.
+  skip-detached: false # Set true if a detached branch should be ignored on commit message validation.
+
+commit-message:
+  # Supported commit types.
+  types: [build, ci, chore, docs, feat, fix, perf, refactor, revert, style, test]
+  header-selector: '' # You can put in a regex here to select only a certain part of the commit message. Please define a regex group 'header'.
+  scope:
+    # Define supported scopes, if blank, scope will not be validated, if not, only scope listed will be valid.
+    # Don't forget to add "" on your list if you need to define scopes and keep it optional.
+    values: []
+  footer:
+    issue: # Use "issue: {}" if you wish to disable issue footer.
+      key: jira # Name used to define an issue on footer metadata.
+      key-synonyms: [Jira, JIRA] # Supported variations for footer metadata.
+      use-hash: false # If false, use :<space> separator. If true, use <space># separator.
+      add-value-prefix: '' # Add a prefix to issue value.
+  issue:
+    regex: '[A-Z]+-[0-9]+' # Regex for issue id.
--- a/.helmignore
+++ b/.helmignore
@ -5,6 +5,7 @@
 # Common VCS dirs
 .git/
 .gitignore
+.gitmodules
 .bzr/
 .bzrignore
 .hg/
@ -31,3 +32,10 @@ Makefile
 .drone.yml
 CONTRIBUTING.md
 unittests/
+.editorconfig
+.prettierignore
+.yamllint
+CODEOWNERS
+renovate.json5
+.commitlintrc.json
+.gitsv/
--- a/.markdownlint.yaml
+++ b/.markdownlint.yaml
@ -73,7 +73,7 @@ MD022:
 # MD024/no-duplicate-heading/no-duplicate-header - Multiple headings with the same content
 MD024:
  # Only check sibling headings
-  allow_different_nesting: true
+  siblings_only: true

 # MD025/single-title/single-h1 - Multiple top-level headings in the same document
 MD025:
@ -129,6 +129,7 @@ MD041:
 MD044:
  # List of proper names
  names:
+    - docker.gitea.com
    - Gitea
    - PostgreSQL
    - Memcached
--- a/.vscode/extensions.json
+++ b/.vscode/extensions.json
@ -0,0 +1,9 @@
+{
+    "recommendations": [
+        "yzhang.markdown-all-in-one",
+        "DavidAnson.vscode-markdownlint",
+        "Tim-Koehler.helm-intellisense",
+        "esbenp.prettier-vscode",
+        "jetmartin.bats"
+    ]
+  }
--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@ -0,0 +1,15 @@
+{
+    "yaml.schemas": {
+        "https://raw.githubusercontent.com/helm-unittest/helm-unittest/v0.7.2/schema/helm-testsuite.json": [
+            "/unittests/**/*.yaml"
+        ]
+    },
+    "yaml.schemaStore.enable": true,
+    "[bats]": {
+        "editor.tabSize": 2
+    },
+    "[shellscript]": {
+        "files.eol": "\n",
+        "editor.tabSize": 2
+    }
+}
--- a/.yamllint
+++ b/.yamllint
@ -5,7 +5,7 @@ ignore: |
  .yamllint
  node_modules
  templates
-
+  unittests/bash

 rules:
  truthy:
@ -17,4 +17,4 @@ rules:
  comments:
    min-spaces-from-content: 1
  braces:
-    max-spaces-inside: 2
+    max-spaces-inside: 2
--- a/1
+++ b/1
@ -0,0 +1 @@
+* @justusbunsi @pat-s
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@ -9,12 +9,7 @@ refactorings for easier maintainability or documentation improvements.
 - [`helm`](https://helm.sh/docs/intro/install/)
 - `make` is optional; you may call the commands directly

-When using Visual Studio Code as IDE, following plugins might be useful:
-
- [Markdown All in One](https://marketplace.visualstudio.com/items?itemName=yzhang.markdown-all-in-one)
- [markdownlint](https://marketplace.visualstudio.com/items?itemName=DavidAnson.vscode-markdownlint)
- [Helm Intellisense](https://marketplace.visualstudio.com/items?itemName=Tim-Koehler.helm-intellisense)
- [Prettier - Code formatter](https://marketplace.visualstudio.com/items?itemName=esbenp.prettier-vscode)
+When using Visual Studio Code as IDE, a [ready-to-use profile](.vscode/) is available.

 ## Documentation Requirements

@ -34,6 +29,7 @@ When submitting or updating a PR:
 - try to avoid rebases. They make code reviews for large PRs and comments much harder.
 - if applicable, use the PR template for a well-defined PR description.
 - clearly mark breaking changes.
+- format the PR title following the [conventional commits](https://www.conventionalcommits.org/en/v1.0.0/#specification) schema

 ## Local development & testing

@ -42,7 +38,7 @@ be used:

 1. Install `minikube` and `helm`.
 1. Start a `minikube` cluster via `minikube start`.
-1. From the `gitea/helm-chart` directory execute the following command.
+1. From the `gitea/helm-gitea` directory execute the following command.
   This will install the dependencies listed in `Chart.yml` and deploy the current state of the helm chart found locally.
   If you want to test a branch, make sure to switch to the respective branch first.
   `helm install --dependency-update gitea . -f values.yaml`.
@ -53,15 +49,29 @@ default port-forward svc/gitea-http 3000:3000`.

 ### Unit tests

+#### Helm templating tests
+
 ```bash
 # install the unittest plugin
 $ helm plugin install https://github.com/helm-unittest/helm-unittest

-# run the unittests
-make unittests
+# run the Helm unittests
+make unittests-helm
 ```

-See [plugin documentation](https://github.com/helm-unittest/helm-unittest/blob/v0.3.3/DOCUMENT.md) for usage instructions.
+See [plugin documentation](https://github.com/helm-unittest/helm-unittest/blob/main/DOCUMENT.md) for usage instructions.
+
+#### Bash script tests
+
+```bash
+# setup the environment
+git submodule update --init --recursive
+
+# run the bash tests
+make unittests-bash
+```
+
+See [bats documentation](https://bats-core.readthedocs.io/en/stable/) for usage instructions.

 ## Release process

--- a/Chart.lock
+++ b/Chart.lock
@ -1,12 +1,15 @@
 dependencies:
 - name: postgresql
  repository: oci://registry-1.docker.io/bitnamicharts
-  version: 12.6.6
+  version: 16.4.14
 - name: postgresql-ha
  repository: oci://registry-1.docker.io/bitnamicharts
-  version: 11.7.9
+  version: 15.2.3
 - name: redis-cluster
  repository: oci://registry-1.docker.io/bitnamicharts
-  version: 8.6.9
-digest: sha256:52296a48610712a8eb69a32b1b5818b014bfb8dac79d883e11ebdaf97d41e85d
-generated: "2023-07-17T21:24:06.888357+02:00"
+  version: 11.4.3
+- name: redis
+  repository: oci://registry-1.docker.io/bitnamicharts
+  version: 20.8.0
+digest: sha256:ce1a2a02c3e1adb764cae42ccce1efd2d41adb5024576e6d8a92b30b8dfe67db
+generated: "2025-02-23T00:12:41.541107288Z"
--- a/Chart.yaml
+++ b/Chart.yaml
@ -3,7 +3,8 @@ name: gitea
 description: Gitea Helm chart for Kubernetes
 type: application
 version: 0.0.0
-appVersion: 1.20.3
+# renovate datasource=github-releases depName=go-gitea/gitea extractVersion=^v(?<version>.*)$
+appVersion: 1.23.6
 icon: https://gitea.com/assets/img/logo.svg

 keywords:
@ -14,9 +15,9 @@ keywords:
  - gitea
  - gogs
 sources:
-  - https://gitea.com/gitea/helm-chart
+  - https://gitea.com/gitea/helm-gitea
  - https://github.com/go-gitea/gitea
-  - https://hub.docker.com/r/gitea/gitea/
+  - https://docker.gitea.com/gitea
 maintainers:
  - name: Charlie Drage
    email: charlie@charliedrage.com
@ -31,20 +32,24 @@ maintainers:
  - name: Patrick Schratz
    email: patrick.schratz@gmail.com

-# Bitnami charts are served from GitHub CDN - See https://github.com/bitnami/charts/issues/10539 for details
 dependencies:
-  # Chart release date: 2023-07 (https://github.com/bitnami/charts/blob/main/bitnami/postgresql/Chart.yaml)
+  # https://github.com/bitnami/charts/blob/main/bitnami/postgresql
  - name: postgresql
    repository: oci://registry-1.docker.io/bitnamicharts
-    version: 12.6.6
+    version: 16.4.14
    condition: postgresql.enabled
-  # Chart release date: 2023-07 (https://github.com/bitnami/charts/blob/main/bitnami/postgresql-ha/Chart.yaml)
+  # https://github.com/bitnami/charts/blob/main/bitnami/postgresql-ha/Chart.yaml
  - name: postgresql-ha
    repository: oci://registry-1.docker.io/bitnamicharts
-    version: 11.7.9
+    version: 15.2.3
    condition: postgresql-ha.enabled
-  # Chart release date: 2023-07 (https://github.com/bitnami/charts/blob/main/bitnami/redis-cluster/Chart.yaml)
+  # https://github.com/bitnami/charts/blob/main/bitnami/redis-cluster/Chart.yaml
  - name: redis-cluster
    repository: oci://registry-1.docker.io/bitnamicharts
-    version: 8.6.9
+    version: 11.4.3
    condition: redis-cluster.enabled
+  # https://github.com/bitnami/charts/blob/main/bitnami/redis/Chart.yaml
+  - name: redis
+    repository: oci://registry-1.docker.io/bitnamicharts
+    version: 20.8.0
+    condition: redis.enabled
--- a/13
+++ b/13
@ -1,3 +1,5 @@
+SHELL := /usr/bin/env bash -O globstar
+
 .PHONY: prepare-environment
 prepare-environment:
 	npm install
@ -8,8 +10,15 @@ readme: prepare-environment
 	npm run readme:lint

 .PHONY: unittests
-unittests:
-	helm unittest --strict -f 'unittests/**/*.yaml' ./
+unittests: unittests-helm unittests-bash
+
+.PHONY: unittests-helm
+unittests-helm:
+	helm unittest --strict -f 'unittests/helm/**/*.yaml' -f 'unittests/helm/values-conflicting-checks.yaml' ./
+
+.PHONY: unittests-bash
+unittests-bash:
+	./unittests/bash/bats/bin/bats --pretty ./unittests/bash/tests/**/*.bats

 .PHONY: helm
 update-helm-dependencies:
--- a/README.md
+++ b/README.md
@ -3,14 +3,20 @@
 - [Introduction](#introduction)
 - [Update and versioning policy](#update-and-versioning-policy)
 - [Dependencies](#dependencies)
+  - [HA Dependencies](#ha-dependencies)
+  - [Non-HA Dependencies](#non-ha-dependencies)
+  - [Dependency Versioning](#dependency-versioning)
 - [Installing](#installing)
 - [High Availability](#high-availability)
+- [Limit resources](#limit-resources)
 - [Configuration](#configuration)
  - [Default Configuration](#default-configuration)
    - [Database defaults](#database-defaults)
    - [Server defaults](#server-defaults)
    - [Metrics defaults](#metrics-defaults)
-  - [Minimal Configuration](#minimal-configuration)
+    - [Rootless Defaults](#rootless-defaults)
+    - [Session, Cache and Queue](#session-cache-and-queue)
+  - [Single-Pod Configurations](#single-pod-configurations)
  - [Additional _app.ini_ settings](#additional-appini-settings)
    - [User defined environment variables in app.ini](#user-defined-environment-variables-in-appini)
  - [External Database](#external-database)
@ -25,8 +31,10 @@
  - [OAuth2 Settings](#oauth2-settings)
 - [Configure commit signing](#configure-commit-signing)
 - [Metrics and profiling](#metrics-and-profiling)
+  - [Secure Metrics Endpoint](#secure-metrics-endpoint)
 - [Pod annotations](#pod-annotations)
 - [Themes](#themes)
+- [Renovate](#renovate)
 - [Parameters](#parameters)
  - [Global](#global)
  - [strategy](#strategy)
@ -39,12 +47,14 @@
  - [Persistence](#persistence-1)
  - [Init](#init)
  - [Signing](#signing)
+  - [Gitea Actions](#gitea-actions)
  - [Gitea](#gitea)
  - [LivenessProbe](#livenessprobe)
  - [ReadinessProbe](#readinessprobe)
  - [StartupProbe](#startupprobe)
  - [redis-cluster](#redis-cluster)
-  - [PostgreSQL-ha](#postgresql-ha)
+  - [redis](#redis)
+  - [PostgreSQL HA](#postgresql-ha)
  - [PostgreSQL](#postgresql)
  - [Advanced](#advanced)
 - [Contributing](#contributing)
@ -62,7 +72,7 @@ Additionally, this chart allows to provide LDAP and admin user configuration wit
 ## Update and versioning policy

 The Gitea helm chart versioning does not follow Gitea's versioning.
-The latest chart version can be looked up in [https://dl.gitea.com/charts](https://dl.gitea.com/charts) or in the [repository releases](https://gitea.com/gitea/helm-chart/releases).
+The latest chart version can be looked up in [https://dl.gitea.com/charts](https://dl.gitea.com/charts) or in the [repository releases](https://gitea.com/gitea/helm-gitea/releases).

 The chart aims to follow Gitea's releases closely.
 There might be times when the chart is behind the latest Gitea release.
@ -77,13 +87,44 @@ Yet most often no issues will be encountered and the chart maintainers aim to co

 ## Dependencies

-Gitea can be run with an external database and cache.
-This chart provides those dependencies, which can be enabled, or disabled via configuration.
+Gitea is most performant when run with an external database and cache.
+This chart provides those dependencies via sub-charts.
+Users can also configure their own external providers via the configuration.

-Dependencies:
+### HA Dependencies

- PostgreSQL HA ([configuration](#postgresql))
- Redis Cluster ([configuration](#cache))
+These dependencies are enabled by default:
+
+- PostgreSQL HA ([Bitnami PostgreSQL-HA](https://github.com/bitnami/charts/blob/main/bitnami/postgresql-ha/Chart.yaml))
+- Redis-Cluster ([Bitnami Redis-Cluster](https://github.com/bitnami/charts/blob/main/bitnami/redis-cluster/Chart.yaml))
+
+### Non-HA Dependencies
+
+Alternatively, the following non-HA replacements are available:
+
+- PostgreSQL ([Bitnami PostgreSQL](<Postgresql](https://github.com/bitnami/charts/blob/main/bitnami/postgresql/Chart.yaml)>))
+- Redis ([Bitnami Redis](<Redis](https://github.com/bitnami/charts/blob/main/bitnami/redis/Chart.yaml)>))
+
+### Dependency Versioning
+
+Updates of sub-charts will be incorporated into the Gitea chart as they are released.
+The reasoning behind this is that new users of the chart will start with the most recent sub-chart dependency versions.
+
+**Note** If you want to stay on an older appVersion of a sub-chart dependency (e.g. PostgreSQL), you need to override the image tag in your `values.yaml` file.
+In fact, we recommend to do so right from the start to be independent of major sub-chart dependency changes as they are released.
+There is no need to update to every new PostgreSQL major version - you can happily skip some and do larger updates when you are ready for them.
+
+We recommend to use a rolling tag like `:<majorVersion>-debian-<debian major version>` to incorporate minor and patch updates for the respective major version as they are released.
+Alternatively you can also use a versioning helper tool like [renovate](https://github.com/renovatebot/renovate).
+
+Please double-check the image repository and available tags in the sub-chart:
+
+- [PostgreSQL-HA](https://hub.docker.com/r/bitnami/postgresql-repmgr/tags)
+- [PostgreSQL](https://hub.docker.com/r/bitnami/postgresql/tags)
+- [Redis Cluster](https://hub.docker.com/r/bitnami/redis-cluster/tags)
+- [Redis](https://hub.docker.com/r/bitnami/redis/tags)
+
+and look up the image tag which fits your needs on Dockerhub.

 ## Installing

@ -93,18 +134,66 @@ helm repo update
 helm install gitea gitea-charts/gitea
 ```

+Alternatively, the chart can also be installed from Dockerhub (since v9.6.0)
+
+```sh
+helm install gitea oci://registry-1.docker.io/giteacharts/gitea
+```
+
+To avoid potential Dockerhub rate limits, the chart can also be installed via [docker.gitea.com](https://blog.gitea.com/docker-registry-update/) (since v9.6.0)
+
+```sh
+helm install gitea oci://docker.gitea.com/charts/gitea
+```
+
 When upgrading, please refer to the [Upgrading](#upgrading) section at the bottom of this document for major and breaking changes.

 ## High Availability

-⚠️ **EXPERIMENTAL** ⚠️
-
-Since version 9.0.0 this chart has experimental support for running Gitea and it's dependencies in a HA setup.
-The setup is still experimental and care must be taken for production use as Gitea core is not yet officially HA-ready.
+Since version 9.0.0 this chart supports running Gitea and it's dependencies in HA mode.
+Care must be taken for production use as not all implementation details of Gitea core are officially HA-ready yet.

 Deploying a HA-ready Gitea instance requires some effort including using HA-ready dependencies.
 See the [HA Setup](docs/ha-setup.md) document for more details.

+## Limit resources
+
+If the application is deployed with a CPU resource limit, Prometheus may throw a CPU throttling warning for the
+application. This has more or less to do with the fact that the application finds the number of CPUs of the host, but
+cannot use the available CPU time to perform computing operations.
+
+The application must be informed that despite several CPUs only a part (limit) of the available computing time is
+available. As this is a Golang application, this can be implemented using `GOMAXPROCS`. The following example is one way
+of defining `GOMAXPROCS` automatically based on the defined CPU limit like `1000m`. Please keep in mind, that the CFS
+rate of `100ms` - default on each kubernetes node, is also very important to avoid CPU throttling.
+
+Further information about this topic can be found [here](https://kanishk.io/posts/cpu-throttling-in-containerized-go-apps/).
+
+> [!NOTE]
+> The environment variable `GOMAXPROCS` is set automatically, when a CPU limit is defined. An explicit configuration is
+> not anymore required.
+>
+> Please note that a CPU limit < `1000m` can also lead to CPU throttling. Please read the linked documentation carefully.
+
+```yaml
+deployment:
+  env:
+  # Will be automatically defined!
+  - name: GOMAXPROCS
+    valueFrom:
+      resourceFieldRef:
+        divisor: "1" # Is required for GitDevOps systems like ArgoCD/Flux. Otherwise throw the system a diff error. (k8s-default=1)
+        resource: limits.cpu
+
+resources:
+  limits:
+    cpu: 1000m
+    memory: 512Mi
+  requests:
+    cpu: 100m
+    memory: 512Mi
+```
+
 ## Configuration

 Gitea offers lots of configuration options.
@ -171,35 +260,105 @@ The Prometheus `/metrics` endpoint is disabled by default.
 ENABLED = false
 ```

-### Minimal Configuration
+#### Rootless Defaults

-For a minimal installation, i.e. without HA dependencies and using the built-in SQLITE DB instead of Postgres, the following configuration can be used:
+If `.Values.image.rootless: true`, then the following will occur. In case you use `.Values.image.fullOverride`, check that this works in your image:

-```yaml
-redis-cluster:
-  enabled: false
-postgresql:
-  enabled: false
-postgresql-ha:
-  enabled: false
+- `$HOME` becomes `/data/gitea/git`

-persistence:
-  enabled: false
+  [see deployment.yaml](./templates/gitea/deployment.yaml) template inside (init-)container "env" declarations

-gitea:
-  config:
-    database:
-      DB_TYPE: sqlite3
-    session:
-      PROVIDER: memory
-    cache:
-      ADAPTER: memory
-    queue:
-      TYPE: level
-```
+- `START_SSH_SERVER: true` (Unless explicity overwritten by `gitea.config.server.START_SSH_SERVER`)

-This will result in a single-pod Gitea instance without any dependencies and persistence.
-Do not use this configuration for production use.
+  [see \_helpers.tpl](./templates/_helpers.tpl) in `gitea.inline_configuration.defaults.server` definition
+
+- `SSH_LISTEN_PORT: 2222` (Unless explicity overwritten by `gitea.config.server.SSH_LISTEN_PORT`)
+
+  [see \_helpers.tpl](./templates/_helpers.tpl) in `gitea.inline_configuration.defaults.server` definition
+
+- `SSH_LOG_LEVEL` environment variable is not injected into the container
+
+  [see deployment.yaml](./templates/gitea/deployment.yaml) template inside container "env" declarations
+
+#### Session, Cache and Queue
+
+The session, cache and queue settings are set to use the built-in Redis Cluster sub-chart dependency.
+If Redis Cluster is disabled, the chart will fall back to the Gitea defaults which use "memory" for `session` and `cache` and "level" for `queue`.
+
+While these will work and even not cause immediate issues after startup, **they are not recommended for production use**.
+Reasons being that a single pod will take on all the work for `session` and `cache` tasks in its available memory.
+It is likely that the pod will run out of memory or will face substantial memory spikes, depending on the workload.
+External tools such as `redis-cluster` or `memcached` handle these workloads much better.
+
+### Single-Pod Configurations
+
+If HA is not needed/desired, the following configurations can be used to deploy a single-pod Gitea instance.
+
+1. For a production-ready single-pod Gitea instance without external dependencies (using the chart dependency `postgresql` and `redis`):
+
+   <details>
+
+   <summary>values.yml</summary>
+
+   ```yaml
+   redis-cluster:
+     enabled: false
+   redis:
+     enabled: true
+   postgresql:
+     enabled: true
+   postgresql-ha:
+     enabled: false
+
+   persistence:
+     enabled: true
+
+   gitea:
+     config:
+       database:
+         DB_TYPE: postgres
+       indexer:
+         ISSUE_INDEXER_TYPE: bleve
+         REPO_INDEXER_ENABLED: true
+   ```
+
+   </details>
+
+2. For a minimal DEV installation (using the built-in sqlite DB instead of Postgres):
+
+   This will result in a single-pod Gitea instance _without any dependencies and persistence_.
+   **Do not use this configuration for production use**.
+
+   <details>
+
+   <summary>values.yml</summary>
+
+   ```yaml
+   redis-cluster:
+     enabled: false
+   redis:
+     enabled: false
+   postgresql:
+     enabled: false
+   postgresql-ha:
+     enabled: false
+
+   persistence:
+     enabled: false
+
+   gitea:
+     config:
+       database:
+         DB_TYPE: sqlite3
+       session:
+         PROVIDER: memory
+       cache:
+         ADAPTER: memory
+       queue:
+         TYPE: level
+   ```
+
+   </details>

 ### Additional _app.ini_ settings

@ -308,6 +467,9 @@ gitea:

 postgresql:
  enabled: false
+
+postgresql-ha:
+  enabled: false
 ```

 ### Ports and external url
@ -372,7 +534,7 @@ and the repository exists.
 ```

 To solve this problem add the capability `SYS_CHROOT` to the `securityContext`.
-More about this issue [here](https://gitea.com/gitea/helm-chart/issues/161).
+More about this issue [here](https://gitea.com/gitea/helm-gitea/issues/161).

 ### Cache

@ -386,6 +548,9 @@ redis-cluster:
  enabled: true
 ```

+⚠️ The redis charts [do not work well with special characters in the password](https://gitea.com/gitea/helm-gitea/issues/690).
+Consider omitting such or open an issue in the Bitnami repo and let us know once this got fixed.
+
 ### Persistence

 Gitea will be deployed as a deployment.
@ -419,7 +584,7 @@ You can interact with the postgres settings as displayed in the following exampl
 postgresql:
  persistence:
    enabled: true
-    claimName: MyAwesomeGiteaPostgresClaim
+    existingClaim: MyAwesomeGiteaPostgresClaim
 ```

 ### Admin User
@ -457,6 +622,20 @@ gitea:
    existingSecret: gitea-admin-secret
 ```

+Whether you use the existing Secret or specify a user name and password, there are three modes for how the admin user password is created or set.
+
+- `keepUpdated` (the default) will set the admin user password, and reset it to the defined value every time the pod is recreated.
+- `initialOnlyNoReset` will set the admin user password when creating it, but never try to update the password.
+- `initialOnlyRequireReset` will set the admin user password when creating it, never update it, and require that the password be changed at the initial login.
+
+These modes can be set like the following:
+
+```yaml
+gitea:
+  admin:
+    passwordMode: initialOnlyRequireReset
+```
+
 ### LDAP Settings

 Like the admin user the LDAP settings can be updated.
@ -560,7 +739,7 @@ gitea:

 When using the rootless image the gpg key folder is not persistent by default.
 If you consider using signed commits for internal Gitea activities (e.g. initial commit), you'd need to provide a signing key.
-Prior to [PR186](https://gitea.com/gitea/helm-chart/pulls/186), imported keys had to be re-imported once the container got replaced by another.
+Prior to [PR186](https://gitea.com/gitea/helm-gitea/pulls/186), imported keys had to be re-imported once the container got replaced by another.

 The mentioned PR introduced a new configuration object `signing` allowing you to configure prerequisites for commit signing.
 By default this section is disabled to maintain backwards compatibility.
@ -614,6 +793,21 @@ gitea:
      ENABLE_PPROF: true
 ```

+### Secure Metrics Endpoint
+
+Metrics endpoint `/metrics` can be secured by using `Bearer` token authentication.
+
+**Note:** Providing non-empty `TOKEN` value will also require authentication for `ServiceMonitor`.
+
+```yaml
+gitea:
+  metrics:
+    token: "secure-token"
+    enabled: true
+    serviceMonitor:
+      enabled: true
+```
+
 ## Pod annotations

 Annotations can be added to the Gitea pod.
@ -638,7 +832,7 @@ extraVolumes:
 extraVolumeMounts:
  - name: gitea-themes
    readOnly: true
-    mountPath: "/data/gitea/public/css"
+    mountPath: "/data/gitea/public/assets/css"
 ```

 The secret can be created via `terraform`:
@ -691,17 +885,46 @@ or natively via `kubectl`:
 kubectl create secret generic gitea-themes --from-file={{FULL-PATH-TO-CSS}} --namespace gitea
 ```

+## Renovate
+
+To be able to use a digest value which is automatically updated by `Renovate` a [customManager](https://docs.renovatebot.com/modules/manager/regex/) is required.
+Here's an examplary `values.yml` definition which makes use of a digest:
+
+```yaml
+image:
+  repository: gitea/gitea
+  tag: 1.20.2
+  digest: sha256:6e3b85a36653894d6741d0aefb41dfaac39044e028a42e0a520cc05ebd7bfc3f
+```
+
+By default Renovate adds digest after the `tag`.
+To comply with the Gitea helm chart definition of the digest parameter, a "customManagers" definition is required:
+
+```json
+"customManagers": [
+  {
+    "customType": "regex",
+    "description": "Apply an explicit gitea digest field match",
+    "fileMatch": ["values\\.ya?ml"],
+    "matchStrings": ["(?<depName>gitea\\/gitea)\\n(?<indentation>\\s+)tag: (?<currentValue>[^@].*?)\\n\\s+digest: (?<currentDigest>sha256:[a-f0-9]+)"],
+    "datasourceTemplate": "docker",
+    "autoReplaceStringTemplate": "{{depName}}\n{{indentation}}tag: {{newValue}}\n{{indentation}}digest: {{#if newDigest}}{{{newDigest}}}{{else}}{{{currentDigest}}}{{/if}}"
+  }
+]
+```
+
 ## Parameters

 ### Global

-| Name                      | Description                                                               | Value |
-| ------------------------- | ------------------------------------------------------------------------- | ----- |
-| `global.imageRegistry`    | global image registry override                                            | `""`  |
-| `global.imagePullSecrets` | global image pull secrets override; can be extended by `imagePullSecrets` | `[]`  |
-| `global.storageClass`     | global storage class override                                             | `""`  |
-| `global.hostAliases`      | global hostAliases which will be added to the pod's hosts files           | `[]`  |
-| `replicaCount`            | number of replicas for the deployment                                     | `1`   |
+| Name                      | Description                                                                                    | Value |
+| ------------------------- | ---------------------------------------------------------------------------------------------- | ----- |
+| `global.imageRegistry`    | global image registry override                                                                 | `""`  |
+| `global.imagePullSecrets` | global image pull secrets override; can be extended by `imagePullSecrets`                      | `[]`  |
+| `global.storageClass`     | global storage class override                                                                  | `""`  |
+| `global.hostAliases`      | global hostAliases which will be added to the pod's hosts files                                | `[]`  |
+| `namespace`               | An explicit namespace to deploy Gitea into. Defaults to the release namespace if not specified | `""`  |
+| `replicaCount`            | number of replicas for the deployment                                                          | `1`   |

 ### strategy

@ -714,14 +937,16 @@ kubectl create secret generic gitea-themes --from-file={{FULL-PATH-TO-CSS}} --na

 ### Image

-| Name               | Description                                                                                                                             | Value         |
-| ------------------ | --------------------------------------------------------------------------------------------------------------------------------------- | ------------- |
-| `image.registry`   | image registry, e.g. gcr.io,docker.io                                                                                                   | `""`          |
-| `image.repository` | Image to start for this pod                                                                                                             | `gitea/gitea` |
-| `image.tag`        | Visit: [Image tag](https://hub.docker.com/r/gitea/gitea/tags?page=1&ordering=last_updated). Defaults to `appVersion` within Chart.yaml. | `""`          |
-| `image.pullPolicy` | Image pull policy                                                                                                                       | `Always`      |
-| `image.rootless`   | Wether or not to pull the rootless version of Gitea, only works on Gitea 1.14.x or higher                                               | `true`        |
-| `imagePullSecrets` | Secret to use for pulling the image                                                                                                     | `[]`          |
+| Name                 | Description                                                                                                                                                      | Value              |
+| -------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------ |
+| `image.registry`     | image registry, e.g. gcr.io,docker.io                                                                                                                            | `docker.gitea.com` |
+| `image.repository`   | Image to start for this pod                                                                                                                                      | `gitea`            |
+| `image.tag`          | Visit: [Image tag](https://hub.docker.com/r/gitea/gitea/tags?page=1&ordering=last_updated). Defaults to `appVersion` within Chart.yaml.                          | `""`               |
+| `image.digest`       | Image digest. Allows to pin the given image tag. Useful for having control over mutable tags like `latest`                                                       | `""`               |
+| `image.pullPolicy`   | Image pull policy                                                                                                                                                | `IfNotPresent`     |
+| `image.rootless`     | Wether or not to pull the rootless version of Gitea, only works on Gitea 1.14.x or higher                                                                        | `true`             |
+| `image.fullOverride` | Completely overrides the image registry, path/image, tag and digest. **Adjust `image.rootless` accordingly and review [Rootless defaults](#rootless-defaults).** | `""`               |
+| `imagePullSecrets`   | Secret to use for pulling the image                                                                                                                              | `[]`               |

 ### Security

@ -747,6 +972,8 @@ kubectl create secret generic gitea-themes --from-file={{FULL-PATH-TO-CSS}} --na
 | `service.http.ipFamilies`               | HTTP service dual-stack familiy selection,for dual-stack parameters see official kubernetes [dual-stack concept documentation](https://kubernetes.io/docs/concepts/services-networking/dual-stack/). | `nil`       |
 | `service.http.loadBalancerSourceRanges` | Source range filter for http loadbalancer                                                                                                                                                            | `[]`        |
 | `service.http.annotations`              | HTTP service annotations                                                                                                                                                                             | `{}`        |
+| `service.http.labels`                   | HTTP service additional labels                                                                                                                                                                       | `{}`        |
+| `service.http.loadBalancerClass`        | Loadbalancer class                                                                                                                                                                                   | `nil`       |
 | `service.ssh.type`                      | Kubernetes service type for ssh traffic                                                                                                                                                              | `ClusterIP` |
 | `service.ssh.port`                      | Port number for ssh traffic                                                                                                                                                                          | `22`        |
 | `service.ssh.clusterIP`                 | ClusterIP setting for ssh autosetup for deployment is None                                                                                                                                           | `None`      |
@ -759,6 +986,8 @@ kubectl create secret generic gitea-themes --from-file={{FULL-PATH-TO-CSS}} --na
 | `service.ssh.hostPort`                  | HostPort for ssh service                                                                                                                                                                             | `nil`       |
 | `service.ssh.loadBalancerSourceRanges`  | Source range filter for ssh loadbalancer                                                                                                                                                             | `[]`        |
 | `service.ssh.annotations`               | SSH service annotations                                                                                                                                                                              | `{}`        |
+| `service.ssh.labels`                    | SSH service additional labels                                                                                                                                                                        | `{}`        |
+| `service.ssh.loadBalancerClass`         | Loadbalancer class                                                                                                                                                                                   | `nil`       |

 ### Ingress

@ -816,6 +1045,7 @@ kubectl create secret generic gitea-themes --from-file={{FULL-PATH-TO-CSS}} --na
 | `persistence.storageClass`                        | Name of the storage class to use                                                                      | `nil`                  |
 | `persistence.subPath`                             | Subdirectory of the volume to mount at                                                                | `nil`                  |
 | `persistence.volumeName`                          | Name of persistent volume in PVC                                                                      | `""`                   |
+| `extraContainers`                                 | Additional sidecar containers to run in the pod                                                       | `[]`                   |
 | `extraVolumes`                                    | Additional volumes to mount to the Gitea deployment                                                   | `[]`                   |
 | `extraContainerVolumeMounts`                      | Mounts that are only mapped into the Gitea runtime/main container, to e.g. override custom templates. | `[]`                   |
 | `extraInitVolumeMounts`                           | Mounts that are only mapped into the init-containers. Can be used for additional preconfiguration.    | `[]`                   |
@ -836,27 +1066,72 @@ kubectl create secret generic gitea-themes --from-file={{FULL-PATH-TO-CSS}} --na
 | ------------------------ | ----------------------------------------------------------------- | ------------------ |
 | `signing.enabled`        | Enable commit/action signing                                      | `false`            |
 | `signing.gpgHome`        | GPG home directory                                                | `/data/git/.gnupg` |
-| `signing.privateKey`     | Inline private gpg key for signed Gitea actions                   | `""`               |
+| `signing.privateKey`     | Inline private gpg key for signed internal Git activity           | `""`               |
 | `signing.existingSecret` | Use an existing secret to store the value of `signing.privateKey` | `""`               |

+### Gitea Actions
+
+| Name                                              | Description                                                                                                                                 | Value                          |
+| ------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------ |
+| `actions.enabled`                                 | Create an act runner StatefulSet.                                                                                                           | `false`                        |
+| `actions.init.image.repository`                   | The image used for the init containers                                                                                                      | `busybox`                      |
+| `actions.init.image.tag`                          | The image tag used for the init containers                                                                                                  | `1.37.0`                       |
+| `actions.statefulset.annotations`                 | Act runner annotations                                                                                                                      | `{}`                           |
+| `actions.statefulset.labels`                      | Act runner labels                                                                                                                           | `{}`                           |
+| `actions.statefulset.resources`                   | Act runner resources                                                                                                                        | `{}`                           |
+| `actions.statefulset.nodeSelector`                | NodeSelector for the statefulset                                                                                                            | `{}`                           |
+| `actions.statefulset.tolerations`                 | Tolerations for the statefulset                                                                                                             | `[]`                           |
+| `actions.statefulset.affinity`                    | Affinity for the statefulset                                                                                                                | `{}`                           |
+| `actions.statefulset.extraVolumes`                | Extra volumes for the statefulset                                                                                                           | `[]`                           |
+| `actions.statefulset.actRunner.repository`        | The Gitea act runner image                                                                                                                  | `gitea/act_runner`             |
+| `actions.statefulset.actRunner.tag`               | The Gitea act runner tag                                                                                                                    | `0.2.11`                       |
+| `actions.statefulset.actRunner.pullPolicy`        | The Gitea act runner pullPolicy                                                                                                             | `IfNotPresent`                 |
+| `actions.statefulset.actRunner.extraVolumeMounts` | Allows mounting extra volumes in the act runner container                                                                                   | `[]`                           |
+| `actions.statefulset.actRunner.config`            | Act runner custom configuration. See [Act Runner documentation](https://docs.gitea.com/usage/actions/act-runner#configuration) for details. | `Too complex. See values.yaml` |
+| `actions.statefulset.dind.repository`             | The Docker-in-Docker image                                                                                                                  | `docker`                       |
+| `actions.statefulset.dind.tag`                    | The Docker-in-Docker image tag                                                                                                              | `25.0.2-dind`                  |
+| `actions.statefulset.dind.pullPolicy`             | The Docker-in-Docker pullPolicy                                                                                                             | `IfNotPresent`                 |
+| `actions.statefulset.dind.extraVolumeMounts`      | Allows mounting extra volumes in the Docker-in-Docker container                                                                             | `[]`                           |
+| `actions.statefulset.dind.extraEnvs`              | Allows adding custom environment variables, such as `DOCKER_IPTABLES_LEGACY`                                                                | `[]`                           |
+| `actions.provisioning.enabled`                    | Create a job that will create and save the token in a Kubernetes Secret                                                                     | `false`                        |
+| `actions.provisioning.annotations`                | Job's annotations                                                                                                                           | `{}`                           |
+| `actions.provisioning.labels`                     | Job's labels                                                                                                                                | `{}`                           |
+| `actions.provisioning.resources`                  | Job's resources                                                                                                                             | `{}`                           |
+| `actions.provisioning.nodeSelector`               | NodeSelector for the job                                                                                                                    | `{}`                           |
+| `actions.provisioning.tolerations`                | Tolerations for the job                                                                                                                     | `[]`                           |
+| `actions.provisioning.affinity`                   | Affinity for the job                                                                                                                        | `{}`                           |
+| `actions.provisioning.ttlSecondsAfterFinished`    | ttl for the job after finished in order to allow helm to properly recognize that the job completed                                          | `300`                          |
+| `actions.provisioning.publish.repository`         | The image that can create the secret via kubectl                                                                                            | `bitnami/kubectl`              |
+| `actions.provisioning.publish.tag`                | The publish image tag that can create the secret                                                                                            | `1.29.0`                       |
+| `actions.provisioning.publish.pullPolicy`         | The publish image pullPolicy that can create the secret                                                                                     | `IfNotPresent`                 |
+| `actions.existingSecret`                          | Secret that contains the token                                                                                                              | `""`                           |
+| `actions.existingSecretKey`                       | Secret key                                                                                                                                  | `""`                           |
+
 ### Gitea

-| Name                                   | Description                                                               | Value                |
-| -------------------------------------- | ------------------------------------------------------------------------- | -------------------- |
-| `gitea.admin.username`                 | Username for the Gitea admin user                                         | `gitea_admin`        |
-| `gitea.admin.existingSecret`           | Use an existing secret to store admin user credentials                    | `nil`                |
-| `gitea.admin.password`                 | Password for the Gitea admin user                                         | `r8sA8CPHD9!bt6d`    |
-| `gitea.admin.email`                    | Email for the Gitea admin user                                            | `gitea@local.domain` |
-| `gitea.metrics.enabled`                | Enable Gitea metrics                                                      | `false`              |
-| `gitea.metrics.serviceMonitor.enabled` | Enable Gitea metrics service monitor                                      | `false`              |
-| `gitea.ldap`                           | LDAP configuration                                                        | `[]`                 |
-| `gitea.oauth`                          | OAuth configuration                                                       | `[]`                 |
-| `gitea.config.server.SSH_PORT`         | SSH port for rootlful Gitea image                                         | `22`                 |
-| `gitea.config.server.SSH_LISTEN_PORT`  | SSH port for rootless Gitea image                                         | `2222`               |
-| `gitea.additionalConfigSources`        | Additional configuration from secret or configmap                         | `[]`                 |
-| `gitea.additionalConfigFromEnvs`       | Additional configuration sources from environment variables               | `[]`                 |
-| `gitea.podAnnotations`                 | Annotations for the Gitea pod                                             | `{}`                 |
-| `gitea.ssh.logLevel`                   | Configure OpenSSH's log level. Only available for root-based Gitea image. | `INFO`               |
+| Name                                         | Description                                                                                                                    | Value                |
+| -------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------ | -------------------- |
+| `gitea.admin.username`                       | Username for the Gitea admin user                                                                                              | `gitea_admin`        |
+| `gitea.admin.existingSecret`                 | Use an existing secret to store admin user credentials                                                                         | `nil`                |
+| `gitea.admin.password`                       | Password for the Gitea admin user                                                                                              | `r8sA8CPHD9!bt6d`    |
+| `gitea.admin.email`                          | Email for the Gitea admin user                                                                                                 | `gitea@local.domain` |
+| `gitea.admin.passwordMode`                   | Mode for how to set/update the admin user password. Options are: initialOnlyNoReset, initialOnlyRequireReset, and keepUpdated  | `keepUpdated`        |
+| `gitea.metrics.enabled`                      | Enable Gitea metrics                                                                                                           | `false`              |
+| `gitea.metrics.token`                        | used for `bearer` token authentication on metrics endpoint. If not specified or empty metrics endpoint is public.              | `nil`                |
+| `gitea.metrics.serviceMonitor.enabled`       | Enable Gitea metrics service monitor. Requires, that `gitea.metrics.enabled` is also set to true, to enable metrics generally. | `false`              |
+| `gitea.metrics.serviceMonitor.interval`      | Interval at which metrics should be scraped. If not specified Prometheus' global scrape interval is used.                      | `""`                 |
+| `gitea.metrics.serviceMonitor.relabelings`   | RelabelConfigs to apply to samples before scraping.                                                                            | `[]`                 |
+| `gitea.metrics.serviceMonitor.scheme`        | HTTP scheme to use for scraping. For example `http` or `https`. Default is http.                                               | `""`                 |
+| `gitea.metrics.serviceMonitor.scrapeTimeout` | Timeout after which the scrape is ended. If not specified, global Prometheus scrape timeout is used.                           | `""`                 |
+| `gitea.metrics.serviceMonitor.tlsConfig`     | TLS configuration to use when scraping the metric endpoint by Prometheus.                                                      | `{}`                 |
+| `gitea.ldap`                                 | LDAP configuration                                                                                                             | `[]`                 |
+| `gitea.oauth`                                | OAuth configuration                                                                                                            | `[]`                 |
+| `gitea.config.server.SSH_PORT`               | SSH port for rootlful Gitea image                                                                                              | `22`                 |
+| `gitea.config.server.SSH_LISTEN_PORT`        | SSH port for rootless Gitea image                                                                                              | `2222`               |
+| `gitea.additionalConfigSources`              | Additional configuration from secret or configmap                                                                              | `[]`                 |
+| `gitea.additionalConfigFromEnvs`             | Additional configuration sources from environment variables                                                                    | `[]`                 |
+| `gitea.podAnnotations`                       | Annotations for the Gitea pod                                                                                                  | `{}`                 |
+| `gitea.ssh.logLevel`                         | Configure OpenSSH's log level. Only available for root-based Gitea image.                                                      | `INFO`               |

 ### LivenessProbe

@ -896,16 +1171,31 @@ kubectl create secret generic gitea-themes --from-file={{FULL-PATH-TO-CSS}} --na

 ### redis-cluster

-| Name                        | Description                            | Value   |
-| --------------------------- | -------------------------------------- | ------- |
-| `redis-cluster.enabled`     | Enable redis                           | `true`  |
-| `redis-cluster.usePassword` | Whether to use password authentication | `false` |
+Redis cluster and [Redis](#redis) cannot be enabled at the same time.

-### PostgreSQL-ha
+| Name                             | Description                                  | Value   |
+| -------------------------------- | -------------------------------------------- | ------- |
+| `redis-cluster.enabled`          | Enable redis cluster                         | `true`  |
+| `redis-cluster.usePassword`      | Whether to use password authentication       | `false` |
+| `redis-cluster.cluster.nodes`    | Number of redis cluster master nodes         | `3`     |
+| `redis-cluster.cluster.replicas` | Number of redis cluster master node replicas | `0`     |
+
+### redis
+
+Redis and [Redis cluster](#redis-cluster) cannot be enabled at the same time.
+
+| Name                          | Description                                | Value        |
+| ----------------------------- | ------------------------------------------ | ------------ |
+| `redis.enabled`               | Enable redis standalone or replicated      | `false`      |
+| `redis.architecture`          | Whether to use standalone or replication   | `standalone` |
+| `redis.global.redis.password` | Required password                          | `changeme`   |
+| `redis.master.count`          | Number of Redis master instances to deploy | `1`          |
+
+### PostgreSQL HA

 | Name                                        | Description                                                      | Value       |
 | ------------------------------------------- | ---------------------------------------------------------------- | ----------- |
-| `postgresql-ha.enabled`                     | Enable PostgreSQL-ha                                             | `true`      |
+| `postgresql-ha.enabled`                     | Enable PostgreSQL HA                                             | `true`      |
 | `postgresql-ha.postgresql.password`         | Password for the `gitea` user (overrides `auth.password`)        | `changeme4` |
 | `postgresql-ha.global.postgresql.database`  | Name for a custom database to create (overrides `auth.database`) | `gitea`     |
 | `postgresql-ha.global.postgresql.username`  | Name for a custom user to create (overrides `auth.username`)     | `gitea`     |
@ -914,7 +1204,7 @@ kubectl create secret generic gitea-themes --from-file={{FULL-PATH-TO-CSS}} --na
 | `postgresql-ha.postgresql.postgresPassword` | postgres Password                                                | `changeme1` |
 | `postgresql-ha.pgpool.adminPassword`        | pgpool adminPassword                                             | `changeme3` |
 | `postgresql-ha.service.ports.postgresql`    | PostgreSQL service port (overrides `service.ports.postgresql`)   | `5432`      |
-| `postgresql-ha.primary.persistence.size`    | PVC Storage Request for PostgreSQL-ha volume                     | `10Gi`      |
+| `postgresql-ha.persistence.size`            | PVC Storage Request for PostgreSQL HA volume                     | `10Gi`      |

 ### PostgreSQL

@ -951,6 +1241,53 @@ If you miss this, blindly upgrading may delete your Postgres instance and you ma

 <details>

+<summary>To 11.0.0</summary>
+
+<!-- prettier-ignore-start -->
+<!-- markdownlint-disable-next-line -->
+**Breaking changes**
+<!-- prettier-ignore-end -->
+
+- Update Gitea to 1.23.x (review the [1.23 release blog post](https://blog.gitea.com/release-of-1.23.0/) for all application breaking changes)
+- Update PostgreSQL sub-chart dependencies to appVersion 17.x
+- Update Redis sub-chart to version 20.x (appVersion 7.4)
+  Although there are no breaking changes in the Redis Chart itself, it updates Redis from `7.2` to `7.4`. We recommend checking the release notes:
+  - [Redis Chart release notes (starting with v20.0.0)](https://github.com/bitnami/charts/blob/HEAD/bitnami/redis/CHANGELOG.md#2000-2024-08-09).
+  - [Redis 7.4 release notes](https://raw.githubusercontent.com/redis/redis/7.4/00-RELEASENOTES).
+- Update Redis Cluster sub-chart to version 11.x (appVersion 7.4)
+  Although there are no breaking changes in the Redis Chart itself, it updates Redis from `7.2` to `7.4`. We recommend checking the release notes:
+  - [Redis Chart release notes (starting with v11.0.0)](https://github.com/bitnami/charts/blob/HEAD/bitnami/redis-cluster/CHANGELOG.md#1100-2024-08-09).
+  - [Redis 7.4 release notes](https://raw.githubusercontent.com/redis/redis/7.4/00-RELEASENOTES).
+
+</details>
+
+<details>
+
+<summary>To 10.0.0</summary>
+
+<!-- prettier-ignore-start -->
+<!-- markdownlint-disable-next-line -->
+**Breaking changes**
+<!-- prettier-ignore-end -->
+
+- Update PostgreSQL sub-chart dependencies to appVersion 16.x
+- Update to sub-charts versioning approach: Users are encouraged to pin the version tag of the sub-chart dependencies to a major appVersion.
+  This avoids issues during chart upgrades and allows to incorporate new sub-chart versions as they are released.
+  Please see the new [README section describing the versioning approach for sub-chart versions](#dependency-versioning).
+
+</details>
+
+<details>
+
+<summary>To 9.6.0</summary>
+
+Chart 9.6.0 ships with Gitea 1.21.0.
+While there are no breaking changes in the chart, please check the changes of the [1.21 release blog post](https://blog.gitea.com/release-of-1.21.0/).
+
+</details>
+
+<details>
+
 <summary>To 9.0.0</summary>

 This chart release comes with many breaking changes while aiming for a HA-ready setup.
@ -992,30 +1329,37 @@ The first item here (`<memcache service name>`) will be different compared to th
 The above changes are motivated by the idea to tidy dependencies but also have HA-ready ones at the same time.
 The previous `memcache` default was not HA-ready, hence we decided to switch to `redis-cluster` by default.

-If you are coming from an existing deployment and [#356](https://gitea.com/gitea/helm-chart/issues/356) is still open, you need to set the config sections for `cache`, `session` and `queue` explicitly:
+If you are coming from an existing deployment and [#356](https://gitea.com/gitea/helm-gitea/issues/356) is still open, you need to set the config sections for `cache`, `session` and `queue` explicitly:

 ```yaml
+gitea:
+  config:
    session:
      PROVIDER: redis-cluster
      PROVIDER_CONFIG: redis+cluster://:gitea@gitea-redis-cluster-headless.<namespace>.svc.cluster.local:6379/0?pool_size=100&idle_timeout=180s&
-      
+
    cache:
      ENABLED: true
      ADAPTER: redis-cluster
      HOST: redis+cluster://:gitea@gitea-redis-cluster-headless.<namespace>.svc.cluster.local:6379/0?pool_size=100&idle_timeout=180s&
-      
+
    queue:
      TYPE: redis
      CONN_STR: redis+cluster://:gitea@gitea-redis-cluster-headless.<namespace>.svc.cluster.local:6379/0?pool_size=100&idle_timeout=180s&
 ```

+<!-- prettier-ignore-start -->
 <!-- markdownlint-disable-next-line -->
 **Switch to rootless image by default**
-If you are facing errors like `WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED` due to this automatic transition:
-Have a look at [this discussion](https://gitea.com/gitea/helm-chart/issues/487#issue-220660) and either set `image.rootless: false` or manually update your `~/.ssh/known_hosts` file(s).
+<!-- prettier-ignore-end -->

+If you are facing errors like `WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED` due to this automatic transition:
+Have a look at [this discussion](https://gitea.com/gitea/helm-gitea/issues/487#issue-220660) and either set `image.rootless: false` or manually update your `~/.ssh/known_hosts` file(s).
+
+<!-- prettier-ignore-start -->
 <!-- markdownlint-disable-next-line -->
 **Transitioning from a RWO to RWX Persistent Volume**
+<!-- prettier-ignore-end -->

 If you want to switch to a RWX volume and go for HA, you need to

@ -1023,8 +1367,10 @@ If you want to switch to a RWX volume and go for HA, you need to
 2. Let the chart create a new RWX PV (or do it statically yourself)
 3. Restore the backup to the same location in the new PV

+<!-- prettier-ignore-start -->
 <!-- markdownlint-disable-next-line -->
 **Transitioning from Postgres to Postgres HA**
+<!-- prettier-ignore-end -->

 If you are running with a non-HA PG DB from a previous chart release, you need to set

@ -1033,8 +1379,10 @@ If you are running with a non-HA PG DB from a previous chart release, you need t

 This is needed to stay with your existing single-instance DB (as the HA-variant is the new default).

+<!-- prettier-ignore-start -->
 <!-- markdownlint-disable-next-line -->
 **Change of env-to-ini prefix**
+<!-- prettier-ignore-end -->

 Before this release, the env-to-ini prefix was `ENV_TO_INI__`.
 This allowed a clear distinction between user-provided and chart-provided env-to-ini variables.
@ -1062,7 +1410,7 @@ With respect to `values.yaml`, parameters `username`, `database` and `password`
 Please adjust your `values.yaml` accordingly.

 **Attention**: The Postgres upgrade is not automatically handled by the chart and must be done by yourself.
-See [this comment](https://gitea.com/gitea/helm-chart/issues/452#issuecomment-740885) for an extensive walkthrough.
+See [this comment](https://gitea.com/gitea/helm-gitea/issues/452#issuecomment-740885) for an extensive walkthrough.
 We again highly encourage users to use an external (managed) database for production instances.

 </details>
--- a/docs/actions-dev.md
+++ b/docs/actions-dev.md
@ -0,0 +1,34 @@
+# Gitea Actions
+
+In order to use the Gitea Actions act-runner you must either:
+
+- enable persistence (used for automatic deployment to be able to store the token in a place accessible for the Job)
+- create a secret containing the act runner token and reference it as a `existingSecret`
+
+In order to use Gitea Actions, you must log on the server that's running Gitea and run the command:
+    `gitea actions generate-runner-token`
+
+This command will out a token that is needed by the act-runner to register with the Gitea backend.
+
+Because this is a manual operation, we automated this using a Kubernetes Job using the following containers:
+
+1) `actions-token-create`: it uses the current `gitea-rootless` image, mounts the persistent directory to `/data/` then it saves the output from `gitea actions generate-runner-token` to `/data/actions/token`
+2) `actions-token-upload`: it uses a `bitnami/kubectl` image, mounts the scripts directory (`/scripts`) and
+the persistent directory (`/data/`), and using the script from `/scripts/token.sh` stores the token in a Kubernetes secret
+
+After the token is stored in a Kubernetes secret we can create the statefulset that contains the following containers:
+
+1) `act-runner`: authenticates with Gitea using the token that was stored in the secret
+2) `dind`: DockerInDocker image that is used to run the actions
+
+If you are not using persistent volumes, you cannot use the Job to automatically generate the token.
+In this case, you can use either the Web UI to generate the token or run a shell into a Gitea pod and invoke
+the command `gitea actions generate-runner-token`. After generating the token, you must create a secret and use it via:
+
+```yaml
+actions:
+  provisioning:
+    enabled: false
+  existingSecret: "secret-name"
+  existingSecretKey: "secret-key"
+```
--- a/docs/ha-setup.md
+++ b/docs/ha-setup.md
@ -1,7 +1,5 @@
 # High Availability

-⚠️ **EXPERIMENTAL** ⚠️
-
 All components (in-memory DB, volume/asset storage, code indexer) used by Gitea must be deployed in a HA-ready fashion to achieve a full HA-ready Gitea deployment.
 The following document explains how to achieve this for all individual components.

@ -97,6 +95,11 @@ To do so, you need to set the following configuration values yourself:
 - `gitea.config.cache.ADAPTER`: `redis`
 - `gitea.config.cache.HOST`: `<your redis connection string>`

+By default, the `redis-cluster` chart provisions three standalone master nodes of which each has a single replica.
+To reduce the number of pods for a default Gitea deployment, we opted to omit the replicas (`replicas: 0`) by default.
+Only the minimum required number of master pods for a functional `redis-cluster` deployment are provisioned.
+For a "proper" `redis-cluster` setup however, we recommend to set `replicas: 1` and `nodes: 6`.
+
 ## Object and asset storage

 Object/asset storage refers to the storage of attachments, avatars, LFS files, etc.
--- a/package-lock.json
+++ b/package-lock.json
--- a/package.json
+++ b/package.json
@ -1,6 +1,6 @@
 {
-  "name": "gitea-helm-chart",
-  "homepage": "https://gitea.com/gitea/helm-chart.git",
+  "name": "gitea-helm",
+  "homepage": "https://gitea.com/gitea/helm-gitea.git",
  "license": "MIT",
  "private": true,
  "engineStrict": true,
@ -14,6 +14,6 @@
  },
  "devDependencies": {
    "@bitnami/readme-generator-for-helm": "^2.5.0",
-    "markdownlint-cli": "^0.34.0"
+    "markdownlint-cli": "^0.44.0"
  }
-}
+}
--- a/renovate.json5
+++ b/renovate.json5
@ -0,0 +1,107 @@
+{
+  $schema: 'https://docs.renovatebot.com/renovate-schema.json',
+  extends: [
+    'gitea>gitea/renovate-config',
+    ':automergeMinor',
+    'schedule:automergeDaily',
+    'schedule:weekends',
+  ],
+  labels: [
+    'kind/dependency',
+  ],
+  "digest": {
+    "automerge": true
+  },
+  automergeStrategy: 'squash',
+  'git-submodules': {
+    'enabled': true
+  },
+  customManagers: [
+    {
+      description: 'Gitea-version of https://docs.renovatebot.com/presets-regexManagers/#regexmanagersgithubactionsversions',
+      customType: 'regex',
+      fileMatch: [
+        '.gitea/workflows/.+\\.ya?ml$',
+      ],
+      matchStrings: [
+        '# renovate: datasource=(?<datasource>[a-z-.]+?) depName=(?<depName>[^\\s]+?)(?: (?:lookupName|packageName)=(?<packageName>[^\\s]+?))?(?: versioning=(?<versioning>[a-z-0-9]+?))?\\s+[A-Za-z0-9_]+?_VERSION\\s*:\\s*["\']?(?<currentValue>.+?)["\']?\\s',
+      ],
+    },
+    {
+      description: 'Detect helm-unittest yaml schema file',
+      customType: 'regex',
+      fileMatch: ['.vscode/settings\\.json$'],
+      matchStrings: [
+        'https:\\/\\/raw\\.githubusercontent\\.com\\/(?<depName>[^\\s]+?)\\/(?<currentValue>v[0-9.]+?)\\/schema\\/helm-testsuite\\.json',
+      ],
+      datasourceTemplate: 'github-releases',
+    },
+    {
+      'description': 'Automatically detect new Gitea releases',
+      'customType': 'regex',
+      'fileMatch': ['(^|/)Chart\\.yaml$'],
+      'matchStrings': [
+        '# renovate datasource=(?<datasource>\\S+) depName=(?<depName>\\S+) extractVersion=(?<extractVersion>\\S+)\\nappVersion:\\s?(?<currentValue>\\S+)\\n',
+      ],
+    },
+  ],
+  packageRules: [
+    {
+      groupName: 'subcharts (minor & patch)',
+      matchManagers: [
+        'helmv3',
+      ],
+      matchUpdateTypes: [
+        'minor',
+        'patch',
+        'digest',
+      ],
+    },
+    {
+      groupName: 'workflow dependencies (minor & patch)',
+      matchManagers: [
+        'github-actions',
+        'npm',
+        'custom.regex',
+      ],
+      matchUpdateTypes: [
+        'minor',
+        'patch',
+        'digest',
+      ],
+      matchFileNames: [
+        '!Chart.yaml',
+      ],
+    },
+    {
+      description: 'Update README.md on changes in values.yaml',
+      matchManagers: [
+        'helm-values',
+      ],
+      postUpgradeTasks: {
+        commands: [
+          'install-tool node',
+          'make readme',
+        ],
+        fileFilters: [
+          'README.md',
+        ],
+        executionMode: 'update',
+      },
+    },
+    {
+      description: 'Override changelog url for Helm image, to have release notes in our PRs',
+      matchDepNames: [
+        'alpine/helm',
+      ],
+      changelogUrl: 'https://github.com/helm/helm',
+    },
+    {
+      description: 'Bump Gitea as fast as possible - not only on weekends',
+      matchDepNames: [
+        'go-gitea/gitea',
+      ],
+      schedule: ['at any time'],
+    },
+  ],
+}
--- a/scripts/act_runner/token.sh
+++ b/scripts/act_runner/token.sh
@ -0,0 +1,43 @@
+#!/bin/sh
+
+set -eu
+
+timeout_delay=15
+
+check_token() {
+  set +e
+
+  echo "Checking for existing token..."
+  token="$(kubectl get secret "$SECRET_NAME" -o jsonpath="{.data['token']}" 2> /dev/null)"
+  [ $? -ne 0 ] && return 1
+  [ -z "$token" ] && return 2
+  return 0
+}
+
+create_token() {
+  echo "Waiting for new token to be generated..."
+  begin=$(date +%s)
+  end=$((begin + timeout_delay))
+  while true; do
+    [ -f /data/actions/token ] && return 0
+    [ "$(date +%s)" -gt $end ] && return 1
+    sleep 5
+  done
+}
+
+store_token() {
+  echo "Storing the token in Kubernetes secret..."
+  kubectl patch secret "$SECRET_NAME" -p "{\"data\":{\"token\":\"$(base64 /data/actions/token | tr -d '\n')\"}}"
+}
+
+if check_token; then
+  echo "Key already in place, exiting."
+  exit
+fi
+
+if ! create_token; then
+  echo "Checking for an existing act runner token in secret $SECRET_NAME timed out after $timeout_delay"
+  exit 1
+fi
+
+store_token
--- a/scripts/init-containers/config/config_environment.sh
+++ b/scripts/init-containers/config/config_environment.sh
@ -0,0 +1,154 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+function env2ini::log() {
+  printf "${1}\n"
+}
+
+function env2ini::read_config_to_env() {
+  local section="${1}"
+  local line="${2}"
+
+  if [[ -z "${line}" ]]; then
+    # skip empty line
+    return
+  fi
+
+  # 'xargs echo -n' trims all leading/trailing whitespaces and a trailing new line
+  local setting="$(awk -F '=' '{print $1}' <<< "${line}" | xargs echo -n)"
+
+  if [[ -z "${setting}" ]]; then
+    env2ini::log '  ! invalid setting'
+    exit 1
+  fi
+
+  local value=''
+  local regex="^${setting}(\s*)=(\s*)(.*)"
+  if [[ $line =~ $regex ]]; then
+    value="${BASH_REMATCH[3]}"
+  else
+    env2ini::log '  ! invalid setting'
+    exit 1
+  fi
+
+  env2ini::log "    + '${setting}'"
+
+  if [[ -z "${section}" ]]; then
+    export "GITEA____${setting^^}=${value}"                           # '^^' makes the variable content uppercase
+    return
+  fi
+
+  local masked_section="${section//./_0X2E_}"                            # '//' instructs to replace all matches
+  masked_section="${masked_section//-/_0X2D_}"
+
+  export "GITEA__${masked_section^^}__${setting^^}=${value}"        # '^^' makes the variable content uppercase
+}
+
+function env2ini::reload_preset_envs() {
+  env2ini::log "Reloading preset envs..."
+
+  while read -r line; do
+    if [[ -z "${line}" ]]; then
+      # skip empty line
+      return
+    fi
+
+    # 'xargs echo -n' trims all leading/trailing whitespaces and a trailing new line
+    local setting="$(awk -F '=' '{print $1}' <<< "${line}" | xargs echo -n)"
+
+    if [[ -z "${setting}" ]]; then
+      env2ini::log '  ! invalid setting'
+      exit 1
+    fi
+
+    local value=''
+    local regex="^${setting}(\s*)=(\s*)(.*)"
+    if [[ $line =~ $regex ]]; then
+      value="${BASH_REMATCH[3]}"
+    else
+      env2ini::log '  ! invalid setting'
+      exit 1
+    fi
+
+    env2ini::log "  + '${setting}'"
+
+    export "${setting^^}=${value}"                           # '^^' makes the variable content uppercase
+  done < "$TMP_EXISTING_ENVS_FILE"
+
+  rm $TMP_EXISTING_ENVS_FILE
+}
+
+
+function env2ini::process_config_file() {
+  local config_file="${1}"
+  local section="$(basename "${config_file}")"
+
+  if [[ $section == '_generals_' ]]; then
+    env2ini::log "  [ini root]"
+    section=''
+  else
+    env2ini::log "  ${section}"
+  fi
+
+  while read -r line; do
+    env2ini::read_config_to_env "${section}" "${line}"
+  done < <(awk 1 "${config_file}")                             # Helm .toYaml trims the trailing new line which breaks line processing; awk 1 ... adds it back while reading
+}
+
+function env2ini::load_config_sources() {
+  local path="${1}"
+
+  if [[ -d "${path}" ]]; then
+    env2ini::log "Processing $(basename "${path}")..."
+
+    while read -d '' configFile; do
+      env2ini::process_config_file "${configFile}"
+    done < <(find "${path}" -type l -not -name '..data' -print0)
+
+    env2ini::log "\n"
+  fi
+}
+
+function env2ini::generate_initial_secrets() {
+  # These environment variables will either be
+  #   - overwritten with user defined values,
+  #   - initially used to set up Gitea
+  # Anyway, they won't harm existing app.ini files
+
+  export GITEA__SECURITY__INTERNAL_TOKEN=$(gitea generate secret INTERNAL_TOKEN)
+  export GITEA__SECURITY__SECRET_KEY=$(gitea generate secret SECRET_KEY)
+  export GITEA__OAUTH2__JWT_SECRET=$(gitea generate secret JWT_SECRET)
+  export GITEA__SERVER__LFS_JWT_SECRET=$(gitea generate secret LFS_JWT_SECRET)
+
+  env2ini::log "...Initial secrets generated\n"
+}
+
+# save existing envs prior to script execution. Necessary to keep order of preexisting and custom envs
+env | (grep -e '^GITEA__' || [[ $? == 1 ]]) > $TMP_EXISTING_ENVS_FILE
+
+# MUST BE CALLED BEFORE OTHER CONFIGURATION
+env2ini::generate_initial_secrets
+
+env2ini::load_config_sources "$ENV_TO_INI_MOUNT_POINT/inlines/"
+env2ini::load_config_sources "$ENV_TO_INI_MOUNT_POINT/additionals/"
+
+# load existing envs to override auto generated envs
+env2ini::reload_preset_envs
+
+env2ini::log "=== All configuration sources loaded ===\n"
+
+# safety to prevent rewrite of secret keys if an app.ini already exists
+if [ -f ${GITEA_APP_INI} ]; then
+  env2ini::log 'An app.ini file already exists. To prevent overwriting secret keys, these settings are dropped and remain unchanged:'
+  env2ini::log '  - security.INTERNAL_TOKEN'
+  env2ini::log '  - security.SECRET_KEY'
+  env2ini::log '  - oauth2.JWT_SECRET'
+  env2ini::log '  - server.LFS_JWT_SECRET'
+
+  unset GITEA__SECURITY__INTERNAL_TOKEN
+  unset GITEA__SECURITY__SECRET_KEY
+  unset GITEA__OAUTH2__JWT_SECRET
+  unset GITEA__SERVER__LFS_JWT_SECRET
+fi
+
+environment-to-ini -o $GITEA_APP_INI
--- a/scripts/init-containers/init/configure_gpg_environment.sh
+++ b/scripts/init-containers/init/configure_gpg_environment.sh
@ -0,0 +1,4 @@
+#!/usr/bin/env bash
+set -eu
+
+gpg --batch --import "$TMP_RAW_GPG_KEY"
--- a/templates/NOTES.txt
+++ b/templates/NOTES.txt
@ -18,3 +18,19 @@
  echo "Visit http://127.0.0.1:{{ .Values.service.http.port }} to use your application"
  kubectl --namespace {{ .Release.Namespace }} port-forward svc/{{ .Release.Name }}-http {{ .Values.service.http.port }}:{{ .Values.service.http.port }}
 {{- end }}
+{{- $warnings := list -}}
+{{- if eq (get .Values.gitea.config.cache "ADAPTER") "memory" -}}
+  {{- $warnings = append $warnings "Gitea uses 'memory' for caching which is not recommended for production use. See https://docs.gitea.com/next/administration/config-cheat-sheet#cache-cache for available options." -}}
+{{- end }}
+{{- if eq (get .Values.gitea.config.queue "TYPE") "level" -}}
+  {{- $warnings = append $warnings "Gitea uses 'leveldb' for queue actions which is not recommended for production use. See https://docs.gitea.com/next/administration/config-cheat-sheet#queue-queue-and-queue for available options." -}}
+{{- end }}
+{{- if eq (get .Values.gitea.config.session "PROVIDER") "memory" -}}
+  {{- $warnings = append $warnings "Gitea uses 'memory' for sessions which is not recommended for production use. See https://docs.gitea.com/next/administration/config-cheat-sheet#session-session for available options." -}}
+{{- end }}
+{{- if gt (len $warnings) 0 }}
+2. Review these warnings:
+{{- range $warnings }}
+  - {{ . }}
+{{- end }}
+{{- end }}
--- a/templates/_helpers.tpl
+++ b/templates/_helpers.tpl
@ -3,26 +3,6 @@
 Expand the name of the chart.
 */}}

-{{- /* multiple replicas assertions */ -}}
-{{- if gt .Values.replicaCount 1.0 -}}
-  {{- fail "When using multiple replicas, a RWX file system is required" -}}
-  {{- if eq (get (.Values.persistence.accessModes 0) "ReadWriteOnce") -}}
-    {{- fail "When using multiple replicas, a RWX file system is required" -}}
-  {{- end }}
-  
-  {{- if eq (get .Values.gitea.config.indexer "ISSUE_INDEXER_TYPE") "bleve" -}}
-    {{- fail "When using multiple replicas, the repo indexer must be set to 'meilisearch' or 'elasticsearch'" -}}
-  {{- end }}
-  
-  {{- if and (eq .Values.gitea.config.indexer.REPO_INDEXER_TYPE "bleve") (eq .Values.gitea.config.indexer.REPO_INDEXER_ENABLED "true") -}}
-    {{- fail "When using multiple replicas, the repo indexer must be set to 'meilisearch' or 'elasticsearch'" -}}
-  {{- end }}
-  
-  {{- if eq .Values.gitea.config.indexer.ISSUE_INDEXER_TYPE "bleve" -}}
-    {{- (printf "DEBUG: When using multiple replicas, the repo indexer must be set to 'meilisearch' or 'elasticsearch'") | fail -}}
-  {{- end }}
-{{- end }}
-
 {{- define "gitea.name" -}}
 {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
 {{- end -}}
@ -45,6 +25,13 @@ If release name contains chart name it will be used as a full name.
 {{- end -}}
 {{- end -}}

+{{/*
+Create a default worker name.
+*/}}
+{{- define "gitea.workername" -}}
+{{- printf "%s-%s" .global.Release.Name .worker | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
 {{/*
 Create chart name and version as used by the chart label.
 */}}
@ -56,14 +43,22 @@ Create chart name and version as used by the chart label.
 Create image name and tag used by the deployment.
 */}}
 {{- define "gitea.image" -}}
+{{- $fullOverride := .Values.image.fullOverride | default "" -}}
 {{- $registry := .Values.global.imageRegistry | default .Values.image.registry -}}
-{{- $name := .Values.image.repository -}}
-{{- $tag := .Values.image.tag | default .Chart.AppVersion -}}
+{{- $repository := .Values.image.repository -}}
+{{- $separator := ":" -}}
+{{- $tag := .Values.image.tag | default .Chart.AppVersion | toString -}}
 {{- $rootless := ternary "-rootless" "" (.Values.image.rootless) -}}
-{{- if $registry -}}
-  {{- printf "%s/%s:%s%s" $registry $name $tag $rootless -}}
+{{- $digest := "" -}}
+{{- if .Values.image.digest }}
+    {{- $digest = (printf "@%s" (.Values.image.digest | toString)) -}}
+{{- end -}}
+{{- if $fullOverride }}
+    {{- printf "%s" $fullOverride -}}
+{{- else if $registry }}
+    {{- printf "%s/%s%s%s%s%s" $registry $repository $separator $tag $rootless $digest -}}
 {{- else -}}
-  {{- printf "%s:%s%s" $name $tag $rootless -}}
+    {{- printf "%s%s%s%s%s" $repository $separator $tag $rootless $digest -}}
 {{- end -}}
 {{- end -}}

@ -86,7 +81,7 @@ imagePullSecrets:
 Storage Class
 */}}
 {{- define "gitea.persistence.storageClass" -}}
-{{- $storageClass := .Values.global.storageClass | default .Values.persistence.storageClass }}
+{{- $storageClass :=  (tpl ( default "" .Values.persistence.storageClass) .) | default (tpl ( default "" .Values.global.storageClass) .) }}
 {{- if $storageClass }}
 storageClassName: {{ $storageClass | quote }}
 {{- end }}
@ -104,6 +99,15 @@ version: {{ .Values.image.tag | default .Chart.AppVersion | quote }}
 app.kubernetes.io/managed-by: {{ .Release.Service }}
 {{- end -}}

+{{- define "gitea.labels.actRunner" -}}
+helm.sh/chart: {{ include "gitea.chart" . }}
+app: {{ include "gitea.name" . }}-act-runner
+{{ include "gitea.selectorLabels.actRunner" . }}
+app.kubernetes.io/version: {{ .Values.image.tag | default .Chart.AppVersion | quote }}
+version: {{ .Values.image.tag | default .Chart.AppVersion | quote }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end -}}
+
 {{/*
 Selector labels
 */}}
@ -112,9 +116,14 @@ app.kubernetes.io/name: {{ include "gitea.name" . }}
 app.kubernetes.io/instance: {{ .Release.Name }}
 {{- end -}}

+{{- define "gitea.selectorLabels.actRunner" -}}
+app.kubernetes.io/name: {{ include "gitea.name" . }}-act-runner
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end -}}
+
 {{- define "postgresql-ha.dns" -}}
 {{- if (index .Values "postgresql-ha").enabled -}}
-{{- printf "%s-postgresql-ha-postgresql.%s.svc.%s:%g" .Release.Name .Release.Namespace .Values.clusterDomain (index .Values "postgresql-ha" "service" "ports" "postgresql") -}}
+{{- printf "%s-postgresql-ha-pgpool.%s.svc.%s:%g" .Release.Name .Release.Namespace .Values.clusterDomain (index .Values "postgresql-ha" "service" "ports" "postgresql") -}}
 {{- end -}}
 {{- end -}}

@ -125,25 +134,33 @@ app.kubernetes.io/instance: {{ .Release.Name }}
 {{- end -}}

 {{- define "redis.dns" -}}
-{{- if (index .Values "redis-cluster").enabled -}}
+{{- if and ((index .Values "redis-cluster").enabled) ((index .Values "redis").enabled) -}}
+{{- fail "redis and redis-cluster cannot be enabled at the same time. Please only choose one." -}}
+{{- else if (index .Values "redis-cluster").enabled -}}
 {{- printf "redis+cluster://:%s@%s-redis-cluster-headless.%s.svc.%s:%g/0?pool_size=100&idle_timeout=180s&" (index .Values "redis-cluster").global.redis.password .Release.Name .Release.Namespace .Values.clusterDomain (index .Values "redis-cluster").service.ports.redis -}}
+{{- else if (index .Values "redis").enabled -}}
+{{- printf "redis://:%s@%s-redis-headless.%s.svc.%s:%g/0?pool_size=100&idle_timeout=180s&" (index .Values "redis").global.redis.password .Release.Name .Release.Namespace .Values.clusterDomain (index .Values "redis").master.service.ports.redis -}}
 {{- end -}}
 {{- end -}}

 {{- define "redis.port" -}}
 {{- if (index .Values "redis-cluster").enabled -}}
 {{ (index .Values "redis-cluster").service.ports.redis }}
+{{- else if (index .Values "redis").enabled -}}
+{{ (index .Values "redis").master.service.ports.redis }}
 {{- end -}}
 {{- end -}}

 {{- define "redis.servicename" -}}
 {{- if (index .Values "redis-cluster").enabled -}}
 {{- printf "%s-redis-cluster-headless.%s.svc.%s" .Release.Name .Release.Namespace .Values.clusterDomain -}}
+{{- else if (index .Values "redis").enabled -}}
+{{- printf "%s-redis-headless.%s.svc.%s" .Release.Name .Release.Namespace .Values.clusterDomain -}}
 {{- end -}}
 {{- end -}}

 {{- define "gitea.default_domain" -}}
-{{- printf "%s-gitea.%s.svc.%s" (include "gitea.fullname" .) .Release.Namespace .Values.clusterDomain | trunc 63 | trimSuffix "-" -}}
+{{- printf "%s-http.%s.svc.%s" (include "gitea.fullname" .) .Release.Namespace .Values.clusterDomain -}}
 {{- end -}}

 {{- define "gitea.ldap_settings" -}}
@ -203,6 +220,15 @@ https
 {{- end -}}
 {{- end -}}

+{{- define "gitea.act_runner.local_root_url" -}}
+{{- if not .Values.gitea.config.server.LOCAL_ROOT_URL -}}
+    {{- printf "http://%s-http:%.0f" (include "gitea.fullname" .) .Values.service.http.port -}}
+{{- else -}}
+  {{/* fallback for allowing to overwrite this value via inline config */}}
+  {{- .Values.gitea.config.server.LOCAL_ROOT_URL -}}
+{{- end -}}
+{{- end -}}
+
 {{- define "gitea.inline_configuration" -}}
  {{- include "gitea.inline_configuration.init" . -}}
  {{- include "gitea.inline_configuration.defaults" . -}}
@ -267,6 +293,9 @@ https
  {{- if not (hasKey .Values.gitea.config "indexer") -}}
    {{- $_ := set .Values.gitea.config "indexer" dict -}}
  {{- end -}}
+  {{- if not (hasKey .Values.gitea.config "actions") -}}
+    {{- $_ := set .Values.gitea.config "actions" dict -}}
+  {{- end -}}
 {{- end -}}

 {{- define "gitea.inline_configuration.defaults" -}}
@ -282,27 +311,43 @@ https
  {{- if not (hasKey .Values.gitea.config.metrics "ENABLED") -}}
    {{- $_ := set .Values.gitea.config.metrics "ENABLED" .Values.gitea.metrics.enabled -}}
  {{- end -}}
-  {{- if (index .Values "redis-cluster").enabled -}}
-    {{- $_ := set .Values.gitea.config.cache "ENABLED" "true" -}}
-    {{- $_ := set .Values.gitea.config.cache "ADAPTER" "redis" -}}
-    {{- if not (.Values.gitea.config.cache.HOST) -}}
-      {{- $_ := set .Values.gitea.config.cache "HOST" (include "redis.dns" .) -}}
-    {{- end -}}
+  {{- if and (not (hasKey .Values.gitea.config.metrics "TOKEN")) (.Values.gitea.metrics.token) (.Values.gitea.metrics.enabled) -}}
+    {{- $_ := set .Values.gitea.config.metrics "TOKEN" .Values.gitea.metrics.token -}}
  {{- end -}}
  {{- /* redis queue */ -}}
-  {{- if (index .Values "redis-cluster").enabled -}}
+  {{- if or ((index .Values "redis-cluster").enabled) ((index .Values "redis").enabled) -}}
    {{- $_ := set .Values.gitea.config.queue "TYPE" "redis" -}}
    {{- $_ := set .Values.gitea.config.queue "CONN_STR" (include "redis.dns" .) -}}
-  {{- end -}}
-  {{- if not (get .Values.gitea.config.session "PROVIDER") -}}
    {{- $_ := set .Values.gitea.config.session "PROVIDER" "redis" -}}
-  {{- end -}}
-  {{- if not (get .Values.gitea.config.session "PROVIDER_CONFIG") -}}
    {{- $_ := set .Values.gitea.config.session "PROVIDER_CONFIG" (include "redis.dns" .) -}}
+    {{- $_ := set .Values.gitea.config.cache "ADAPTER" "redis" -}}
+    {{- $_ := set .Values.gitea.config.cache "HOST" (include "redis.dns" .) -}}
+  {{- else -}}
+    {{- if not (get .Values.gitea.config.session "PROVIDER") -}}
+      {{- $_ := set .Values.gitea.config.session "PROVIDER" "memory" -}}
+    {{- end -}}
+    {{- if not (get .Values.gitea.config.session "PROVIDER_CONFIG") -}}
+      {{- $_ := set .Values.gitea.config.session "PROVIDER_CONFIG" "" -}}
+    {{- end -}}
+    {{- if not (get .Values.gitea.config.queue "TYPE") -}}
+      {{- $_ := set .Values.gitea.config.queue "TYPE" "level" -}}
+    {{- end -}}
+    {{- if not (get .Values.gitea.config.queue "CONN_STR") -}}
+      {{- $_ := set .Values.gitea.config.queue "CONN_STR" "" -}}
+    {{- end -}}
+    {{- if not (get .Values.gitea.config.cache "ADAPTER") -}}
+      {{- $_ := set .Values.gitea.config.cache "ADAPTER" "memory" -}}
+    {{- end -}}
+    {{- if not (get .Values.gitea.config.cache "HOST") -}}
+      {{- $_ := set .Values.gitea.config.cache "HOST" "" -}}
+    {{- end -}}
  {{- end -}}
  {{- if not .Values.gitea.config.indexer.ISSUE_INDEXER_TYPE -}}
     {{- $_ := set .Values.gitea.config.indexer "ISSUE_INDEXER_TYPE" "db" -}}
  {{- end -}}
+  {{- if not .Values.gitea.config.actions.ENABLED -}}
+     {{- $_ := set .Values.gitea.config.actions "ENABLED" (ternary "true" "false" .Values.actions.enabled) -}}
+  {{- end -}}
 {{- end -}}

 {{- define "gitea.inline_configuration.defaults.server" -}}
@ -314,7 +359,7 @@ https
  {{- end -}}
  {{- if not (.Values.gitea.config.server.DOMAIN) -}}
    {{- if gt (len .Values.ingress.hosts) 0 -}}
-      {{- $_ := set .Values.gitea.config.server "DOMAIN" (index .Values.ingress.hosts 0).host -}}
+      {{- $_ := set .Values.gitea.config.server "DOMAIN" ( tpl (index .Values.ingress.hosts 0).host $) -}}
    {{- else -}}
      {{- $_ := set .Values.gitea.config.server "DOMAIN" (include "gitea.default_domain" .) -}}
    {{- end -}}
@ -322,6 +367,9 @@ https
  {{- if not .Values.gitea.config.server.ROOT_URL -}}
    {{- $_ := set .Values.gitea.config.server "ROOT_URL" (printf "%s://%s" (include "gitea.public_protocol" .) .Values.gitea.config.server.DOMAIN) -}}
  {{- end -}}
+  {{- if .Values.actions.enabled -}}
+     {{- $_ := set .Values.gitea.config.server "LOCAL_ROOT_URL" (include "gitea.act_runner.local_root_url" .) -}}
+  {{- end -}}
  {{- if not .Values.gitea.config.server.SSH_DOMAIN -}}
    {{- $_ := set .Values.gitea.config.server "SSH_DOMAIN" .Values.gitea.config.server.DOMAIN -}}
  {{- end -}}
@ -394,3 +442,33 @@ https
 {{- define "gitea.serviceAccountName" -}}
 {{ .Values.serviceAccount.name | default (include "gitea.fullname" .) }}
 {{- end -}}
+
+{{- define "gitea.admin.passwordMode" -}}
+{{- if has .Values.gitea.admin.passwordMode (tuple "keepUpdated" "initialOnlyNoReset" "initialOnlyRequireReset") -}}
+{{ .Values.gitea.admin.passwordMode }}
+{{- else -}}
+{{ printf "gitea.admin.passwordMode must be set to one of 'keepUpdated', 'initialOnlyNoReset', or 'initialOnlyRequireReset'. Received: '%s'" .Values.gitea.admin.passwordMode | fail }}
+{{- end -}}
+{{- end -}}
+
+{{/* Create a functioning probe object for rendering. Given argument must be either a livenessProbe, readinessProbe, or startupProbe */}}
+{{- define "gitea.deployment.probe" -}}
+  {{- $probe := unset . "enabled" -}}
+  {{- $probeKeys := keys $probe -}}
+  {{- $containsCustomMethod := false -}}
+  {{- $chartDefaultMethod := "tcpSocket" -}}
+  {{- $nonChartDefaultMethods := list "exec" "httpGet" "grpc" -}}
+  {{- range $probeKeys -}}
+    {{- if has . $nonChartDefaultMethods -}}
+      {{- $containsCustomMethod = true -}}
+    {{- end -}}
+  {{- end -}}
+  {{- if $containsCustomMethod -}}
+    {{- $probe = unset . $chartDefaultMethod -}}
+  {{- end -}}
+  {{- toYaml $probe -}}
+{{- end -}}
+
+{{- define "gitea.metrics-secret-name" -}}
+{{ default (printf "%s-metrics-secret" (include "gitea.fullname" .)) }}
+{{- end -}}
--- a/templates/gitea/act_runner/01-consistency-checks.yaml
+++ b/templates/gitea/act_runner/01-consistency-checks.yaml
@ -0,0 +1,15 @@
+{{- if .Values.actions.enabled -}}
+    {{- if .Values.actions.provisioning.enabled -}}
+        {{- if not (and .Values.persistence.enabled .Values.persistence.mount) -}}
+            {{- fail "persistence.enabled and persistence.mount are required when provisioning is enabled" -}}
+        {{- end -}}
+        {{- if and .Values.persistence.enabled .Values.persistence.mount -}}
+            {{- if .Values.actions.existingSecret -}}
+                {{- fail "Can't specify both actions.provisioning.enabled and actions.existingSecret" -}}
+            {{- end -}}
+        {{- end -}}
+    {{- end -}}
+    {{- if and (not .Values.actions.provisioning.enabled) (or (empty .Values.actions.existingSecret) (empty .Values.actions.existingSecretKey)) -}}
+        {{- fail "actions.existingSecret and actions.existingSecretKey are required when provisioning is disabled" -}}
+    {{- end -}}
+{{- end -}}
--- a/templates/gitea/act_runner/config-act-runner.yaml
+++ b/templates/gitea/act_runner/config-act-runner.yaml
@ -0,0 +1,15 @@
+{{- if .Values.actions.enabled }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "gitea.fullname" . }}-act-runner-config
+  namespace: {{ .Values.namespace | default .Release.Namespace }}
+  labels:
+    {{- include "gitea.labels" . | nindent 4 }}
+data:
+  config.yaml: |
+    {{- with .Values.actions.statefulset.actRunner.config -}}
+    {{ . | nindent 4}}
+    {{- end -}}
+{{- end }}
--- a/templates/gitea/act_runner/config-scripts.yaml
+++ b/templates/gitea/act_runner/config-scripts.yaml
@ -0,0 +1,14 @@
+{{- if .Values.actions.enabled }}
+{{- if and (and .Values.actions.provisioning.enabled .Values.persistence.enabled) .Values.persistence.mount }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "gitea.fullname" . }}-scripts
+  namespace: {{ .Values.namespace | default .Release.Namespace }}
+  labels:
+    {{- include "gitea.labels" . | nindent 4 }}
+data:
+{{ (.Files.Glob "scripts/act_runner/*.sh").AsConfig | indent 2 }}
+{{- end }}
+{{- end }}
--- a/templates/gitea/act_runner/job.yaml
+++ b/templates/gitea/act_runner/job.yaml
@ -0,0 +1,115 @@
+{{- if .Values.actions.enabled }}
+{{- if and (and .Values.actions.provisioning.enabled .Values.persistence.enabled) .Values.persistence.mount }}
+{{- $name := include "gitea.workername" (dict "global" . "worker" "actions-token-job") }}
+{{- $secretName := include "gitea.workername" (dict "global" . "worker" "actions-token") }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ $name }}
+  namespace: {{ .Values.namespace | default .Release.Namespace }}
+  labels:
+    {{- include "gitea.labels" . | nindent 4 }}
+    {{- with .Values.actions.provisioning.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+    app.kubernetes.io/component: token-job
+  annotations:
+    {{- with .Values.actions.provisioning.annotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+spec:
+  ttlSecondsAfterFinished: {{ .Values.actions.provisioning.ttlSecondsAfterFinished }}
+  template:
+    metadata:
+      labels:
+        {{- include "gitea.labels" . | nindent 8 }}
+        {{- with .Values.actions.provisioning.labels }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
+        app.kubernetes.io/component: token-job
+    spec:
+      initContainers:
+        - name: init-gitea
+          image: "{{ .Values.actions.init.image.repository }}:{{ .Values.actions.init.image.tag }}"
+          command:
+            - sh
+            - -c
+            - |
+              while ! nc -z {{ include "gitea.fullname" . }}-http {{ .Values.service.http.port }}; do
+                sleep 5
+              done
+      containers:
+        - name: actions-token-create
+          image: "{{ include "gitea.image" . }}"
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          env:
+            - name: GITEA_APP_INI
+              value: /data/gitea/conf/app.ini
+          command:
+            - sh
+            - -c
+            - |
+              echo "Generating act_runner token via 'gitea actions generate-runner-token'..."
+              mkdir -p /data/actions/
+              gitea actions generate-runner-token | grep -E '^.{40}$' | tr -d '\n' > /data/actions/token
+          resources:
+            {{- toYaml .Values.actions.provisioning.resources | nindent 12 }}
+          volumeMounts:
+            - name: data
+              mountPath: /data
+              {{- if .Values.persistence.subPath }}
+              subPath: {{ .Values.persistence.subPath }}
+              {{- end }}
+        - name: actions-token-upload
+          image: "{{ .Values.actions.provisioning.publish.repository }}:{{ .Values.actions.provisioning.publish.tag }}"
+          imagePullPolicy: {{ .Values.actions.provisioning.publish.pullPolicy }}
+          env:
+            - name: SECRET_NAME
+              value: {{ $secretName }}
+          command:
+            - sh
+            - -c
+            - |
+              printf "Checking rights to update kubernetes act_runner secret..."
+              kubectl auth can-i update secret/${SECRET_NAME}
+              /scripts/token.sh
+          resources:
+            {{- toYaml .Values.actions.provisioning.resources | nindent 12 }}
+          volumeMounts:
+            - mountPath: /scripts
+              name: scripts
+              readOnly: true
+            - mountPath: /data
+              name: data
+              readOnly: true
+              {{- if .Values.persistence.subPath }}
+              subPath: {{ .Values.persistence.subPath }}
+              {{- end }}
+      {{- range $key, $value := .Values.actions.provisioning.nodeSelector }}
+      nodeSelector:
+        {{ $key }}: {{ $value | quote }}
+      {{- end }}
+      {{- with .Values.actions.provisioning.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.actions.provisioning.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      restartPolicy: Never
+      serviceAccount: {{ $name }}
+      volumes:
+        - name: scripts
+          configMap:
+            name: {{ include "gitea.fullname" . }}-scripts
+            defaultMode: 0755
+        - name: data
+          persistentVolumeClaim:
+            claimName: {{ .Values.persistence.claimName }}
+  parallelism: 1
+  completions: 1
+  backoffLimit: 1
+{{- end }}
+{{- end }}
--- a/templates/gitea/act_runner/role-job.yaml
+++ b/templates/gitea/act_runner/role-job.yaml
@ -0,0 +1,26 @@
+{{- if .Values.actions.enabled }}
+{{- if and (and .Values.actions.provisioning.enabled .Values.persistence.enabled) .Values.persistence.mount }}
+{{- $name := include "gitea.workername" (dict "global" . "worker" "actions-token-job") }}
+{{- $secretName := include "gitea.workername" (dict "global" . "worker" "actions-token") }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ $name }}
+  namespace: {{ .Values.namespace | default .Release.Namespace }}
+  labels:
+    {{- include "gitea.labels" . | nindent 4 }}
+    app.kubernetes.io/component: token-job
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - secrets
+    resourceNames:
+      - {{ $secretName }}
+    verbs:
+      - get
+      - update
+      - patch
+{{- end }}
+{{- end }}
--- a/templates/gitea/act_runner/rolebinding-job.yaml
+++ b/templates/gitea/act_runner/rolebinding-job.yaml
@ -0,0 +1,23 @@
+{{- if .Values.actions.enabled }}
+{{- if and (and .Values.actions.provisioning.enabled .Values.persistence.enabled) .Values.persistence.mount }}
+{{- $name := include "gitea.workername" (dict "global" . "worker" "actions-token-job") }}
+{{- $secretName := include "gitea.workername" (dict "global" . "worker" "actions-token") }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ $name }}
+  namespace: {{ .Values.namespace | default .Release.Namespace }}
+  labels:
+    {{- include "gitea.labels" . | nindent 4 }}
+    app.kubernetes.io/component: token-job
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ $name }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ $name }}
+    namespace: {{ .Release.Namespace }}
+{{- end }}
+{{- end }}
--- a/templates/gitea/act_runner/secret-token.yaml
+++ b/templates/gitea/act_runner/secret-token.yaml
@ -0,0 +1,20 @@
+{{- if .Values.actions.enabled }}
+{{- if and (and .Values.actions.provisioning.enabled .Values.persistence.enabled) .Values.persistence.mount }}
+{{- $name := include "gitea.workername" (dict "global" . "worker" "actions-token-job") }}
+{{- $secretName := include "gitea.workername" (dict "global" . "worker" "actions-token") }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ $secretName }}
+  namespace: {{ .Values.namespace | default .Release.Namespace }}
+  labels:
+    {{- include "gitea.labels" . | nindent 4 }}
+    app.kubernetes.io/component: token-job
+{{ $secret := (lookup "v1" "Secret" .Release.Namespace $secretName) -}}
+{{ if $secret -}}
+data:
+  token: {{ (b64dec (index $secret.data "token")) | b64enc }}
+{{ end -}}
+{{- end }}
+{{- end }}
--- a/templates/gitea/act_runner/serviceaccount-job.yaml
+++ b/templates/gitea/act_runner/serviceaccount-job.yaml
@ -0,0 +1,14 @@
+{{- if .Values.actions.enabled }}
+{{- if and (and .Values.actions.provisioning.enabled .Values.persistence.enabled) .Values.persistence.mount }}
+{{- $name := include "gitea.workername" (dict "global" . "worker" "actions-token-job") }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ $name }}
+  namespace: {{ .Values.namespace | default .Release.Namespace }}
+  labels:
+    {{- include "gitea.labels" . | nindent 4 }}
+    app.kubernetes.io/component: token-job
+{{- end }}
+{{- end }}
--- a/templates/gitea/act_runner/statefulset.yaml
+++ b/templates/gitea/act_runner/statefulset.yaml
@ -0,0 +1,129 @@
+{{- if .Values.actions.enabled }}
+{{- $secretName := include "gitea.workername" (dict "global" . "worker" "actions-token") }}
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  labels:
+    {{- include "gitea.labels.actRunner" . | nindent 4 }}
+    {{- with .Values.actions.statefulset.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+  annotations:
+    {{- with .Values.actions.statefulset.annotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+  name: {{ include "gitea.fullname" . }}-act-runner
+  namespace: {{ .Values.namespace | default .Release.Namespace }}
+spec:
+  selector:
+    matchLabels:
+      {{- include "gitea.selectorLabels.actRunner" . | nindent 6 }}
+  template:
+    metadata:
+      annotations:
+        checksum/config: {{ include (print $.Template.BasePath "/gitea/act_runner/config-act-runner.yaml") . | sha256sum }}
+      labels:
+        {{- include "gitea.labels.actRunner" . | nindent 8 }}
+        {{- with .Values.actions.statefulset.labels }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
+    spec:
+      initContainers:
+        - name: init-gitea
+          image: "{{ .Values.actions.init.image.repository }}:{{ .Values.actions.init.image.tag }}"
+          command:
+            - sh
+            - -c
+            - |
+              while ! nc -z {{ include "gitea.fullname" . }}-http {{ .Values.service.http.port }}; do
+                sleep 5
+              done
+      containers:
+        - name: act-runner
+          image: "{{ .Values.actions.statefulset.actRunner.repository }}:{{ .Values.actions.statefulset.actRunner.tag }}"
+          imagePullPolicy: {{ .Values.actions.statefulset.actRunner.pullPolicy }}
+          workingDir: /data
+          env:
+            - name: DOCKER_HOST
+              value: tcp://127.0.0.1:2376
+            - name: DOCKER_TLS_VERIFY
+              value: "1"
+            - name: DOCKER_CERT_PATH
+              value: /certs/server
+            - name: GITEA_RUNNER_REGISTRATION_TOKEN
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Values.actions.existingSecret | default $secretName }}"
+                  key: "{{ .Values.actions.existingSecretKey | default "token" }}"
+            - name: GITEA_INSTANCE_URL
+              value: {{ include "gitea.act_runner.local_root_url" . }}
+            - name: CONFIG_FILE
+              value: /actrunner/config.yaml
+          resources:
+            {{- toYaml .Values.actions.statefulset.resources | nindent 12 }}
+          volumeMounts:
+            - mountPath: /actrunner/config.yaml
+              name: act-runner-config
+              subPath: config.yaml
+            - mountPath: /certs/server
+              name: docker-certs
+            - mountPath: /data
+              name: data-act-runner
+            {{- with .Values.actions.statefulset.actRunner.extraVolumeMounts }}
+            {{- toYaml . | nindent 12 }}
+            {{- end }}
+        - name: dind
+          image: "{{ .Values.actions.statefulset.dind.repository }}:{{ .Values.actions.statefulset.dind.tag }}"
+          imagePullPolicy: {{ .Values.actions.statefulset.dind.pullPolicy }}
+          env:
+            - name: DOCKER_HOST
+              value: tcp://127.0.0.1:2376
+            - name: DOCKER_TLS_VERIFY
+              value: "1"
+            - name: DOCKER_CERT_PATH
+              value: /certs/server
+            {{- if .Values.actions.statefulset.dind.extraEnvs }}
+            {{- toYaml .Values.actions.statefulset.dind.extraEnvs | nindent 12 }}
+            {{- end }}
+          securityContext:
+            privileged: true
+          resources:
+            {{- toYaml .Values.actions.statefulset.resources | nindent 12 }}
+          volumeMounts:
+            - mountPath: /certs/server
+              name: docker-certs
+            {{- with .Values.actions.statefulset.dind.extraVolumeMounts }}
+            {{- toYaml . | nindent 12 }}
+            {{- end }}
+      {{- range $key, $value := .Values.actions.statefulset.nodeSelector }}
+      nodeSelector:
+        {{ $key }}: {{ $value | quote }}
+      {{- end }}
+      {{- with .Values.actions.statefulset.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.actions.statefulset.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      volumes:
+        - name: act-runner-config
+          configMap:
+            name: {{ include "gitea.fullname" . }}-act-runner-config
+        - name: docker-certs
+          emptyDir: {}
+        {{- with .Values.actions.statefulset.extraVolumes }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
+  volumeClaimTemplates:
+    - metadata:
+        name: data-act-runner
+      spec:
+        accessModes: [ "ReadWriteOnce" ]
+        {{- include "gitea.persistence.storageClass" . | nindent 8 }}
+        resources:
+          requests:
+            storage: 1Mi
+{{- end }}
--- a/templates/gitea/config.yaml
+++ b/templates/gitea/config.yaml
@ -2,6 +2,7 @@ apiVersion: v1
 kind: Secret
 metadata:
  name: {{ include "gitea.fullname" . }}-inline-config
+  namespace: {{ .Values.namespace | default .Release.Namespace }}
  labels:
    {{- include "gitea.labels" . | nindent 4 }}
 type: Opaque
@ -12,195 +13,45 @@ apiVersion: v1
 kind: Secret
 metadata:
  name: {{ include "gitea.fullname" . }}
+  namespace: {{ .Values.namespace | default .Release.Namespace }}
  labels:
    {{- include "gitea.labels" . | nindent 4 }}
 type: Opaque
 stringData:
+{{ (.Files.Glob "scripts/init-containers/config/*.sh").AsConfig | indent 2 }}
  assertions: |

-{{- /*assert that only one PG dep is enabled */ -}}
-{{- if and (.Values.postgresql.enabled) (index .Values "postgresql-ha" "enabled") -}}
-  {{- fail "Only one of postgresql or postgresql-ha can be enabled at the same time." -}}
-{{- end }}
-
-{{- /* multiple replicas assertions */ -}}
-{{- if gt .Values.replicaCount 1.0 -}}
-  {{- if .Values.gitea.config.cron.GIT_GC_REPOS -}}
-    {{- if .Values.gitea.config.cron.GIT_GC_REPOS.enabled -}}
-      {{- fail "Invoking the garbage collector via CRON is not yet supported when running with multiple replicas. Please set 'GIT_GC_REPOS.enabled = false'." -}}
+    {{- /*assert that only one PG dep is enabled */ -}}
+    {{- if and (.Values.postgresql.enabled) (index .Values "postgresql-ha" "enabled") -}}
+      {{- fail "Only one of postgresql or postgresql-ha can be enabled at the same time." -}}
    {{- end }}
-  {{- end }}
-
-  {{- if eq (first .Values.persistence.accessModes) "ReadWriteOnce" -}}
-    {{- fail "When using multiple replicas, a RWX file system is required and gitea.persistence.accessModes[0] must be set to ReadWriteMany." -}}
-  {{- end }}
-
-  {{- if eq (get .Values.gitea.config.indexer "ISSUE_INDEXER_TYPE") "bleve" -}}
-    {{- fail "When using multiple replicas, the issue indexer (gitea.config.indexer.ISSUE_INDEXER_TYPE) must be set to a HA-ready provider such as 'meilisearch', 'elasticsearch' or 'db' (if the DB is HA-ready)." -}}
-  {{- end }}
-  {{- if .Values.gitea.config.indexer.REPO_INDEXER_TYPE -}}
-    {{- if eq (get .Values.gitea.config.indexer "REPO_INDEXER_TYPE") "bleve" -}}
-      {{- if .Values.gitea.config.indexer.REPO_INDEXER_ENABLED -}}
-        {{- if eq (get .Values.gitea.config.indexer "REPO_INDEXER_ENABLED") "true" -}}
-          {{- fail "When using multiple replicas, the repo indexer (gitea.config.indexer.REPO_INDEXER_TYPE) must be set to 'meilisearch' or 'elasticsearch' or disabled." -}}
+    
+    {{- /* multiple replicas assertions */ -}}
+    {{- if gt .Values.replicaCount 1.0 -}}
+      {{- if .Values.gitea.config.cron -}}
+        {{- if .Values.gitea.config.cron.GIT_GC_REPOS -}}
+          {{- if eq .Values.gitea.config.cron.GIT_GC_REPOS.ENABLED true -}}
+            {{ fail "Invoking the garbage collector via CRON is not yet supported when running with multiple replicas. Please set 'gitea.config.cron.GIT_GC_REPOS.enabled = false'." }}
+          {{- end }}
+        {{- end }}
+      {{- end }}
+    
+      {{- if eq (first .Values.persistence.accessModes) "ReadWriteOnce" -}}
+        {{- fail "When using multiple replicas, a RWX file system is required and persistence.accessModes[0] must be set to ReadWriteMany." -}}
+      {{- end }}
+      {{- if .Values.gitea.config.indexer -}}
+        {{- if eq .Values.gitea.config.indexer.ISSUE_INDEXER_TYPE "bleve" -}}
+          {{- fail "When using multiple replicas, the issue indexer (gitea.config.indexer.ISSUE_INDEXER_TYPE) must be set to a HA-ready provider such as 'meilisearch', 'elasticsearch' or 'db' (if the DB is HA-ready)." -}}
+        {{- end }}
+        {{- if .Values.gitea.config.indexer.REPO_INDEXER_TYPE -}}
+          {{- if eq .Values.gitea.config.indexer.REPO_INDEXER_TYPE "bleve" -}}
+            {{- if .Values.gitea.config.indexer.REPO_INDEXER_ENABLED -}}
+              {{- if eq .Values.gitea.config.indexer.REPO_INDEXER_ENABLED true -}}
+                {{- fail "When using multiple replicas, the repo indexer (gitea.config.indexer.REPO_INDEXER_TYPE) must be set to 'meilisearch' or 'elasticsearch' or disabled." -}}
+              {{- end }}
+            {{- end }}
+          {{- end }}
        {{- end }}
      {{- end }}
-    {{- end }}
-  {{- end }}
-  
-{{- end }}
-  config_environment.sh: |-
-    #!/usr/bin/env bash
-    set -euo pipefail
-
-    function env2ini::log() {
-      printf "${1}\n"
-    }
-
-    function env2ini::read_config_to_env() {
-      local section="${1}"
-      local line="${2}"
-
-      if [[ -z "${line}" ]]; then
-        # skip empty line
-        return
-      fi
      
-      # 'xargs echo -n' trims all leading/trailing whitespaces and a trailing new line
-      local setting="$(awk -F '=' '{print $1}' <<< "${line}" | xargs echo -n)"
-
-      if [[ -z "${setting}" ]]; then
-        env2ini::log '  ! invalid setting'
-        exit 1
-      fi
-
-      local value=''
-      local regex="^${setting}(\s*)=(\s*)(.*)"
-      if [[ $line =~ $regex ]]; then
-        value="${BASH_REMATCH[3]}"
-      else
-        env2ini::log '  ! invalid setting'
-        exit 1
-      fi
-
-      env2ini::log "    + '${setting}'"
-
-      if [[ -z "${section}" ]]; then
-        export "GITEA____${setting^^}=${value}"                           # '^^' makes the variable content uppercase
-        return
-      fi
-
-      local masked_section="${section//./_0X2E_}"                            # '//' instructs to replace all matches
-      masked_section="${masked_section//-/_0X2D_}"
-
-      export "GITEA__${masked_section^^}__${setting^^}=${value}"        # '^^' makes the variable content uppercase
-    }
-
-    function env2ini::reload_preset_envs() {
-      env2ini::log "Reloading preset envs..."
-
-      while read -r line; do
-        if [[ -z "${line}" ]]; then
-          # skip empty line
-          return
-        fi
-
-        # 'xargs echo -n' trims all leading/trailing whitespaces and a trailing new line
-        local setting="$(awk -F '=' '{print $1}' <<< "${line}" | xargs echo -n)"
-
-        if [[ -z "${setting}" ]]; then
-          env2ini::log '  ! invalid setting'
-          exit 1
-        fi
-
-        local value=''
-        local regex="^${setting}(\s*)=(\s*)(.*)"
-        if [[ $line =~ $regex ]]; then
-          value="${BASH_REMATCH[3]}"
-        else
-          env2ini::log '  ! invalid setting'
-          exit 1
-        fi
-
-        env2ini::log "  + '${setting}'"
-
-        export "${setting^^}=${value}"                           # '^^' makes the variable content uppercase
-      done < "/tmp/existing-envs"
-
-      rm /tmp/existing-envs
-    }
-
-
-    function env2ini::process_config_file() {
-      local config_file="${1}"
-      local section="$(basename "${config_file}")"
-
-      if [[ $section == '_generals_' ]]; then
-        env2ini::log "  [ini root]"
-        section=''
-      else
-        env2ini::log "  ${section}"
-      fi
-
-      while read -r line; do
-        env2ini::read_config_to_env "${section}" "${line}"
-      done < <(awk 1 "${config_file}")                             # Helm .toYaml trims the trailing new line which breaks line processing; awk 1 ... adds it back while reading
-    }
-
-    function env2ini::load_config_sources() {
-      local path="${1}"
-
-      if [[ -d "${path}" ]]; then
-        env2ini::log "Processing $(basename "${path}")..."
-
-        while read -d '' configFile; do
-          env2ini::process_config_file "${configFile}"
-        done < <(find "${path}" -type l -not -name '..data' -print0)
-
-        env2ini::log "\n"
-      fi
-    }
-
-    function env2ini::generate_initial_secrets() {
-      # These environment variables will either be
-      #   - overwritten with user defined values,
-      #   - initially used to set up Gitea
-      # Anyway, they won't harm existing app.ini files
-
-      export GITEA__SECURITY__INTERNAL_TOKEN=$(gitea generate secret INTERNAL_TOKEN)
-      export GITEA__SECURITY__SECRET_KEY=$(gitea generate secret SECRET_KEY)
-      export GITEA__OAUTH2__JWT_SECRET=$(gitea generate secret JWT_SECRET)
-      export GITEA__SERVER__LFS_JWT_SECRET=$(gitea generate secret LFS_JWT_SECRET)
-
-      env2ini::log "...Initial secrets generated\n"
-    }
-    
-    # save existing envs prior to script execution. Necessary to keep order of preexisting and custom envs
-    env | (grep GITEA || [[ $? == 1 ]]) > /tmp/existing-envs
-    
-    # MUST BE CALLED BEFORE OTHER CONFIGURATION
-    env2ini::generate_initial_secrets
-
-    env2ini::load_config_sources '/env-to-ini-mounts/inlines/'
-    env2ini::load_config_sources '/env-to-ini-mounts/additionals/'
-
-    # load existing envs to override auto generated envs
-    env2ini::reload_preset_envs
-
-    env2ini::log "=== All configuration sources loaded ===\n"
-
-    # safety to prevent rewrite of secret keys if an app.ini already exists
-    if [ -f ${GITEA_APP_INI} ]; then
-      env2ini::log 'An app.ini file already exists. To prevent overwriting secret keys, these settings are dropped and remain unchanged:'
-      env2ini::log '  - security.INTERNAL_TOKEN'
-      env2ini::log '  - security.SECRET_KEY'
-      env2ini::log '  - oauth2.JWT_SECRET'
-      env2ini::log '  - server.LFS_JWT_SECRET'
-
-      unset GITEA__SECURITY__INTERNAL_TOKEN
-      unset GITEA__SECURITY__SECRET_KEY
-      unset GITEA__OAUTH2__JWT_SECRET
-      unset GITEA__SERVER__LFS_JWT_SECRET
-    fi
-
-    environment-to-ini -o $GITEA_APP_INI
+    {{- end }}
--- a/templates/gitea/deployment.yaml
+++ b/templates/gitea/deployment.yaml
@ -2,12 +2,16 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: {{ include "gitea.fullname" . }}
+  namespace: {{ .Values.namespace | default .Release.Namespace }}
  annotations:
    {{- if .Values.deployment.annotations }}
    {{- toYaml .Values.deployment.annotations | nindent 4 }}
    {{- end }}
  labels:
    {{- include "gitea.labels" . | nindent 4 }}
+    {{- if .Values.deployment.labels }}
+    {{- toYaml .Values.deployment.labels | nindent 4 }}
+    {{- end }}
 spec:
  replicas: {{ .Values.replicaCount }}
  strategy:
@ -103,6 +107,10 @@ spec:
              value: /data
            - name: GITEA_TEMP
              value: /tmp/gitea
+            - name: TMP_EXISTING_ENVS_FILE
+              value: /tmp/existing-envs
+            - name: ENV_TO_INI_MOUNT_POINT
+              value: /env-to-ini-mounts
            {{- if .Values.deployment.env }}
            {{- toYaml .Values.deployment.env | nindent 12 }}
            {{- end }}
@ -145,6 +153,8 @@ spec:
          env:
            - name: GNUPGHOME
              value: {{ .Values.signing.gpgHome }}
+            - name: TMP_RAW_GPG_KEY
+              value: /raw/private.asc
          volumeMounts:
            - name: init
              mountPath: /usr/sbin
@ -240,6 +250,8 @@ spec:
            - name: GITEA_ADMIN_PASSWORD
              value: {{ .Values.gitea.admin.password | quote }}
            {{- end }}
+            - name: GITEA_ADMIN_PASSWORD_MODE
+              value: {{ include "gitea.admin.passwordMode" $ }}
            {{- if .Values.deployment.env }}
            {{- toYaml .Values.deployment.env | nindent 12 }}
            {{- end }}
@ -279,6 +291,13 @@ spec:
              value: /data
            - name: GITEA_TEMP
              value: /tmp/gitea
+            {{- if and (hasKey .Values.resources "limits") (hasKey .Values.resources.limits "cpu") }}
+            - name: GOMAXPROCS
+              valueFrom:
+                resourceFieldRef:
+                  divisor: "1"
+                  resource: limits.cpu
+            {{- end }}
            - name: TMPDIR
              value: /tmp/gitea
            {{- if .Values.image.rootless }}
@ -306,15 +325,15 @@ spec:
            {{- end }}
          {{- if .Values.gitea.livenessProbe.enabled }}
          livenessProbe:
-            {{- toYaml (omit .Values.gitea.livenessProbe "enabled") | nindent 12 }}
+            {{- include "gitea.deployment.probe" .Values.gitea.livenessProbe | nindent 12 }}
          {{- end }}
          {{- if .Values.gitea.readinessProbe.enabled }}
          readinessProbe:
-            {{- toYaml (omit .Values.gitea.readinessProbe "enabled") | nindent 12 }}
+            {{- include "gitea.deployment.probe" .Values.gitea.readinessProbe | nindent 12 }}
          {{- end }}
          {{- if .Values.gitea.startupProbe.enabled }}
          startupProbe:
-            {{- toYaml (omit .Values.gitea.startupProbe "enabled") | nindent 12 }}
+            {{- include "gitea.deployment.probe" .Values.gitea.startupProbe | nindent 12 }}
          {{- end }}
          resources:
            {{- toYaml .Values.resources | nindent 12 }}
@ -334,20 +353,23 @@ spec:
              subPath: {{ .Values.persistence.subPath }}
              {{- end }}
            {{- include "gitea.container-additional-mounts" . | nindent 12 }}
+        {{- if .Values.extraContainers }}
+        {{- toYaml .Values.extraContainers | nindent 8 }}
+        {{- end }}
      {{- with .Values.global.hostAliases }}
      hostAliases:
        {{- toYaml . | nindent 8 }}
      {{- end }}
-      {{- with .Values.nodeSelector }}
+      {{- range $key, $value := .Values.nodeSelector }}
      nodeSelector:
-        {{- toYaml . | nindent 8 }}
+        {{ $key }}: {{ $value | quote }}
      {{- end }}
    {{- with .Values.affinity }}
      affinity:
        {{- toYaml . | nindent 8 }}
    {{- end }}
    {{- with .Values.topologySpreadConstraints }}
-      topologySpreadConstraints: 
+      topologySpreadConstraints:
        {{- toYaml . | nindent 8 }}
    {{- end }}
    {{- with .Values.tolerations }}
--- a/templates/gitea/gpg-secret.yaml
+++ b/templates/gitea/gpg-secret.yaml
@ -7,6 +7,7 @@ apiVersion: v1
 kind: Secret
 metadata:
  name: {{ include "gitea.gpg-key-secret-name" . }}
+  namespace: {{ .Values.namespace | default .Release.Namespace }}
  labels:
    {{- include "gitea.labels" . | nindent 4 }}
 type: Opaque
--- a/templates/gitea/http-svc.yaml
+++ b/templates/gitea/http-svc.yaml
@ -2,13 +2,21 @@ apiVersion: v1
 kind: Service
 metadata:
  name: {{ include "gitea.fullname" . }}-http
+  namespace: {{ .Values.namespace | default .Release.Namespace }}
  labels:
    {{- include "gitea.labels" . | nindent 4 }}
+    {{- if .Values.service.http.labels }}
+    {{- toYaml .Values.service.http.labels  | nindent 4 }}
+    {{- end }}
  annotations:
    {{- toYaml .Values.service.http.annotations | nindent 4 }}
 spec:
  type: {{ .Values.service.http.type }}
-  {{- if and .Values.service.http.loadBalancerIP (eq .Values.service.http.type "LoadBalancer") }}
+  {{- if eq .Values.service.http.type "LoadBalancer" }}
+  {{- if .Values.service.http.loadBalancerClass }}
+  loadBalancerClass: {{ .Values.service.http.loadBalancerClass }}
+  {{- end }}
+  {{- if and .Values.service.http.loadBalancerIP }}
  loadBalancerIP: {{ .Values.service.http.loadBalancerIP  }}
  {{- end }}
  {{- if .Values.service.http.loadBalancerSourceRanges }}
@ -17,6 +25,7 @@ spec:
    - {{ . }}
  {{- end }}
  {{- end }}
+  {{- end }}
  {{- if .Values.service.http.externalIPs }}
  externalIPs:
    {{- toYaml .Values.service.http.externalIPs | nindent 4 }}
--- a/templates/gitea/ingress.yaml
+++ b/templates/gitea/ingress.yaml
@ -13,29 +13,30 @@ apiVersion: {{ $apiVersion }}
 kind: Ingress
 metadata:
  name: {{ $fullName }}
+  namespace: {{ .Values.namespace | default .Release.Namespace }}
  labels:
    {{- include "gitea.labels" . | nindent 4 }}
-  {{- with .Values.ingress.annotations }}
  annotations:
-    {{- toYaml . | nindent 4 }}
-  {{- end }}
+    {{- range $key, $value := .Values.ingress.annotations }}
+      {{ $key }}: {{ $value | quote }}
+    {{- end }}
 spec:
 {{- if .Values.ingress.className }}
-  ingressClassName: {{ .Values.ingress.className }}
+  ingressClassName: {{ tpl .Values.ingress.className . }}
 {{- end }}
 {{- if .Values.ingress.tls }}
  tls:
  {{- range .Values.ingress.tls }}
    - hosts:
      {{- range .hosts }}
-        - {{ . | quote }}
+        - {{ tpl . $ | quote }}
      {{- end }}
      secretName: {{ .secretName }}
  {{- end }}
 {{- end }}
  rules:
    {{- range .Values.ingress.hosts }}
-    - host: {{ .host | quote }}
+    - host: {{ tpl .host $ | quote }}
      http:
        paths:
          {{- range .paths }}
--- a/templates/gitea/init.yaml
+++ b/templates/gitea/init.yaml
@ -2,15 +2,12 @@ apiVersion: v1
 kind: Secret
 metadata:
  name: {{ include "gitea.fullname" . }}-init
+  namespace: {{ .Values.namespace | default .Release.Namespace }}
  labels:
    {{- include "gitea.labels" . | nindent 4 }}
 type: Opaque
 stringData:
-  configure_gpg_environment.sh: |-
-    #!/usr/bin/env bash
-    set -eu
-
-    gpg --batch --import /raw/private.asc
+{{ (.Files.Glob "scripts/init-containers/init/*.sh").AsConfig | indent 2 }}
  init_directory_structure.sh: |-
    #!/usr/bin/env bash

@ -24,27 +21,25 @@ stringData:
    # END: initPreScript
    {{- end }}

-    set -x
-
    {{- if not .Values.image.rootless }}
-    chown 1000:1000 /data
+    chown -v 1000:1000 /data
    {{- end }}
-    mkdir -p /data/git/.ssh
-    chmod -R 700 /data/git/.ssh
-    [ ! -d /data/gitea/conf ] && mkdir -p /data/gitea/conf
+    mkdir -pv /data/git/.ssh
+    chmod -Rv 700 /data/git/.ssh
+    [ ! -d /data/gitea/conf ] && mkdir -pv /data/gitea/conf

    # prepare temp directory structure
-    mkdir -p "${GITEA_TEMP}"
+    mkdir -pv "${GITEA_TEMP}"
    {{- if not .Values.image.rootless }}
-    chown 1000:1000 "${GITEA_TEMP}"
+    chown -v 1000:1000 "${GITEA_TEMP}"
    {{- end }}
-    chmod ug+rwx "${GITEA_TEMP}"
+    chmod -v ug+rwx "${GITEA_TEMP}"

    {{ if .Values.signing.enabled -}}
    if [ ! -d "${GNUPGHOME}" ]; then
-      mkdir -p "${GNUPGHOME}"
-      chmod 700 "${GNUPGHOME}"
-      chown 1000:1000 "${GNUPGHOME}"
+      mkdir -pv "${GNUPGHOME}"
+      chmod -v 700 "${GNUPGHOME}"
+      chown -v 1000:1000 "${GNUPGHOME}"
    fi
    {{- end }}

@ -67,7 +62,7 @@ stringData:
      local RETRY=0
      local MAX=30
      
-      echo 'Wait for redis to become avialable...'
+      echo 'Wait for redis to become available...'
      until [ "${RETRY}" -ge "${MAX}" ]; do
        nc -vz -w2 {{ include "redis.servicename" . }} {{ include "redis.port" . }} && break
        RETRY=$[${RETRY}+1]
@ -86,15 +81,56 @@ stringData:

    {{- if or .Values.gitea.admin.existingSecret (and .Values.gitea.admin.username .Values.gitea.admin.password) }}
    function configure_admin_user() {
-      local ACCOUNT_ID=$(gitea admin user list --admin | grep -e "\s\+${GITEA_ADMIN_USERNAME}\s\+" | awk -F " " "{printf \$1}")
+      local full_admin_list=$(gitea admin user list --admin)
+      local actual_user_table=''
+
+      # We might have distorted output due to warning logs, so we have to detect the actual user table by its headline and trim output above that line
+      local regex="(.*)(ID\s+Username\s+Email\s+IsActive.*)"
+      if [[ "${full_admin_list}" =~ $regex ]]; then
+        actual_user_table=$(echo "${BASH_REMATCH[2]}" | tail -n+2) # tail'ing to drop the table headline
+      else
+        # This code block should never be reached, as long as the output table header remains the same.
+        # If this code block is reached, the regex doesn't match anymore and we probably have to adjust this script.
+
+        echo "ERROR: 'configure_admin_user' was not able to determine the current list of admin users."
+        echo "       Please review the output of 'gitea admin user list --admin' shown below."
+        echo "       If you think it is an issue with the Helm Chart provisioning, file an issue at https://gitea.com/gitea/helm-gitea/issues."
+        echo "DEBUG: Output of 'gitea admin user list --admin'"
+        echo "--"
+        echo "${full_admin_list}"
+        echo "--"
+        exit 1
+      fi
+
+      local ACCOUNT_ID=$(echo "${actual_user_table}" | grep -E "\s+${GITEA_ADMIN_USERNAME}\s+" | awk -F " " "{printf \$1}")
      if [[ -z "${ACCOUNT_ID}" ]]; then
+        local -a create_args
+        create_args=(--admin --username "${GITEA_ADMIN_USERNAME}" --password "${GITEA_ADMIN_PASSWORD}" --email {{ .Values.gitea.admin.email | quote }})
+        if [[ "${GITEA_ADMIN_PASSWORD_MODE}" = initialOnlyRequireReset ]]; then
+          create_args+=(--must-change-password=true)
+        else
+          create_args+=(--must-change-password=false)
+        fi
        echo "No admin user '${GITEA_ADMIN_USERNAME}' found. Creating now..."
-        gitea admin user create --admin --username "${GITEA_ADMIN_USERNAME}" --password "${GITEA_ADMIN_PASSWORD}" --email {{ .Values.gitea.admin.email | quote }} --must-change-password=false
+        gitea admin user create "${create_args[@]}"
        echo '...created.'
      else
-        echo "Admin account '${GITEA_ADMIN_USERNAME}' already exist. Running update to sync password..."
-        gitea admin user change-password --username "${GITEA_ADMIN_USERNAME}" --password "${GITEA_ADMIN_PASSWORD}"
-        echo '...password sync done.'
+        if [[ "${GITEA_ADMIN_PASSWORD_MODE}" = keepUpdated ]]; then
+          echo "Admin account '${GITEA_ADMIN_USERNAME}' already exist. Running update to sync password..."
+          # See https://gitea.com/gitea/helm-gitea/issues/673
+          # --must-change-password argument was added to change-password, defaulting to true, counter to the previous behavior
+          #   which acted as if it were provided with =false. If the argument is present in this version of gitea, then we
+          #   should add it to prevent requiring frequent admin password resets.
+          local -a change_args
+          change_args=(--username "${GITEA_ADMIN_USERNAME}" --password "${GITEA_ADMIN_PASSWORD}")
+          if gitea admin user change-password --help | grep -qF -- '--must-change-password'; then
+            change_args+=(--must-change-password=false)
+          fi
+          gitea admin user change-password "${change_args[@]}"
+          echo '...password sync done.'
+        else
+          echo "Admin account '${GITEA_ADMIN_USERNAME}' already exist, but update mode is set to '${GITEA_ADMIN_PASSWORD_MODE}'. Skipping."
+        fi
      fi
    }

@ -105,7 +141,28 @@ stringData:
      {{- if .Values.gitea.ldap }}
      {{- range $idx, $value := .Values.gitea.ldap }}
      local LDAP_NAME={{ (printf "%s" $value.name) | squote }}
-      local GITEA_AUTH_ID=$(gitea admin auth list --vertical-bars | grep -E "\|${LDAP_NAME}\s+\|" | grep -iE '\|LDAP \(via BindDN\)\s+\|' | awk -F " "  "{print \$1}")
+      local full_auth_list=$(gitea admin auth list --vertical-bars)
+      local actual_auth_table=''
+
+      # We might have distorted output due to warning logs, so we have to detect the actual user table by its headline and trim output above that line
+      local regex="(.*)(ID\s+\|Name\s+\|Type\s+\|Enabled.*)"
+      if [[ "${full_auth_list}" =~ $regex ]]; then
+        actual_auth_table=$(echo "${BASH_REMATCH[2]}" | tail -n+2) # tail'ing to drop the table headline
+      else
+        # This code block should never be reached, as long as the output table header remains the same.
+        # If this code block is reached, the regex doesn't match anymore and we probably have to adjust this script.
+
+        echo "ERROR: 'configure_ldap' was not able to determine the current list of authentication sources."
+        echo "       Please review the output of 'gitea admin auth list --vertical-bars' shown below."
+        echo "       If you think it is an issue with the Helm Chart provisioning, file an issue at https://gitea.com/gitea/helm-gitea/issues."
+        echo "DEBUG: Output of 'gitea admin auth list --vertical-bars'"
+        echo "--"
+        echo "${full_auth_list}"
+        echo "--"
+        exit 1
+      fi
+
+      local GITEA_AUTH_ID=$(echo "${actual_auth_table}" | grep -E "\|${LDAP_NAME}\s+\|" | grep -iE '\|LDAP \(via BindDN\)\s+\|' | awk -F " "  "{print \$1}")

      if [[ -z "${GITEA_AUTH_ID}" ]]; then
        echo "No ldap configuration found with name '${LDAP_NAME}'. Installing it now..."
@ -128,7 +185,28 @@ stringData:
      {{- if .Values.gitea.oauth }}
      {{- range $idx, $value := .Values.gitea.oauth }}
      local OAUTH_NAME={{ (printf "%s" $value.name) | squote }}
-      local AUTH_ID=$(gitea admin auth list --vertical-bars | grep -E "\|${OAUTH_NAME}\s+\|" | grep -iE '\|OAuth2\s+\|' | awk -F " "  "{print \$1}")
+      local full_auth_list=$(gitea admin auth list --vertical-bars)
+      local actual_auth_table=''
+
+      # We might have distorted output due to warning logs, so we have to detect the actual user table by its headline and trim output above that line
+      local regex="(.*)(ID\s+\|Name\s+\|Type\s+\|Enabled.*)"
+      if [[ "${full_auth_list}" =~ $regex ]]; then
+        actual_auth_table=$(echo "${BASH_REMATCH[2]}" | tail -n+2) # tail'ing to drop the table headline
+      else
+        # This code block should never be reached, as long as the output table header remains the same.
+        # If this code block is reached, the regex doesn't match anymore and we probably have to adjust this script.
+
+        echo "ERROR: 'configure_oauth' was not able to determine the current list of authentication sources."
+        echo "       Please review the output of 'gitea admin auth list --vertical-bars' shown below."
+        echo "       If you think it is an issue with the Helm Chart provisioning, file an issue at https://gitea.com/gitea/helm-gitea/issues."
+        echo "DEBUG: Output of 'gitea admin auth list --vertical-bars'"
+        echo "--"
+        echo "${full_auth_list}"
+        echo "--"
+        exit 1
+      fi
+
+      local AUTH_ID=$(echo "${actual_auth_table}" | grep -E "\|${OAUTH_NAME}\s+\|" | grep -iE '\|OAuth2\s+\|' | awk -F " "  "{print \$1}")

      if [[ -z "${AUTH_ID}" ]]; then
        echo "No oauth configuration found with name '${OAUTH_NAME}'. Installing it now..."
--- a/templates/gitea/metrics-secret.yaml
+++ b/templates/gitea/metrics-secret.yaml
@ -0,0 +1,12 @@
+{{- if and (.Values.gitea.metrics.enabled) (.Values.gitea.metrics.serviceMonitor.enabled) (.Values.gitea.metrics.token) -}}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "gitea.metrics-secret-name" . }}
+  namespace: {{ .Values.namespace | default .Release.Namespace }}
+  labels:
+    {{- include "gitea.labels" . | nindent 4 }}
+type: Opaque
+data:
+  token: {{ .Values.gitea.metrics.token  | b64enc }}
+{{- end }}
--- a/templates/gitea/poddisruptionbudget.yaml
+++ b/templates/gitea/poddisruptionbudget.yaml
@ -7,6 +7,7 @@ apiVersion: policy/v1beta1
 kind: PodDisruptionBudget
 metadata:
  name: {{ include "gitea.fullname" . }}
+  namespace: {{ .Values.namespace | default .Release.Namespace }}
  labels:
    {{- include "gitea.labels" . | nindent 4 }}
 spec:
--- a/templates/gitea/pvc.yaml
+++ b/templates/gitea/pvc.yaml
@ -3,9 +3,11 @@ kind: PersistentVolumeClaim
 apiVersion: v1
 metadata:
  name: {{ .Values.persistence.claimName }}
-  namespace: {{ $.Release.Namespace }}
+  namespace: {{ .Values.namespace | default .Release.Namespace }}
  annotations:
 {{ .Values.persistence.annotations | toYaml | indent 4}}
+  labels:
+{{ .Values.persistence.labels | toYaml | indent 4}}
 spec:
  accessModes:
  {{- if gt .Values.replicaCount 1.0 }}
@ -14,9 +16,7 @@ spec:
    {{- .Values.persistence.accessModes | toYaml | nindent 4 }}
  {{- end }}
  volumeMode: Filesystem
-  {{- if .Values.persistence.storageClass }}
-  storageClassName: {{ .Values.persistence.storageClass }}
-  {{- end }}
+  {{- include "gitea.persistence.storageClass" . | nindent 2 }}
  {{- with .Values.persistence.volumeName }}
  volumeName: {{ . }}
  {{- end }}
--- a/templates/gitea/serviceaccount.yaml
+++ b/templates/gitea/serviceaccount.yaml
@ -3,7 +3,7 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: {{ include "gitea.serviceAccountName" . }}
-  namespace: {{ .Release.Namespace | quote }}
+  namespace: {{ .Values.namespace | default .Release.Namespace }}
  labels:
    {{- include "gitea.labels" . | nindent 4 }}
    {{- with .Values.serviceAccount.labels }}
--- a/templates/gitea/servicemonitor.yaml
+++ b/templates/gitea/servicemonitor.yaml
@ -1,8 +1,9 @@
-{{- if .Values.gitea.metrics.serviceMonitor.enabled -}}
+{{- if and .Values.gitea.metrics.enabled .Values.gitea.metrics.serviceMonitor.enabled -}}
 apiVersion: monitoring.coreos.com/v1
 kind: ServiceMonitor
 metadata:
  name: {{ include "gitea.fullname" . }}
+  namespace: {{ .Values.namespace | default .Release.Namespace }}
  labels:
    {{- include "gitea.labels" . | nindent 4 }}
    {{- if .Values.gitea.metrics.serviceMonitor.additionalLabels }}
@ -14,4 +15,29 @@ spec:
      {{- include "gitea.selectorLabels" . | nindent 6 }}
  endpoints:
  - port: http
+    {{- if .Values.gitea.metrics.serviceMonitor.interval }}
+    interval: {{ .Values.gitea.metrics.serviceMonitor.interval }}
+    {{- end }}
+    {{- with .Values.gitea.metrics.serviceMonitor.relabelings }}
+    relabelings:
+      {{- . | toYaml | nindent 6 }}
+    {{- end }}
+    {{- if .Values.gitea.metrics.serviceMonitor.scheme }}
+    scheme: {{ .Values.gitea.metrics.serviceMonitor.scheme }}
+    {{- end }}
+    {{- if .Values.gitea.metrics.serviceMonitor.scrapeTimeout }}
+    scrapeTimeout: {{ .Values.gitea.metrics.serviceMonitor.scrapeTimeout }}
+    {{- end }}
+    {{- with .Values.gitea.metrics.serviceMonitor.tlsConfig }}
+    tlsConfig:
+      {{- . | toYaml | nindent 6 }}
+    {{- end }}
+    {{- if .Values.gitea.metrics.token }}
+    authorization:
+      type: Bearer
+      credentials:
+        name: {{ include "gitea.metrics-secret-name" . }}
+        key: token
+        optional: false
+    {{- end }}
 {{- end -}}
--- a/templates/gitea/ssh-svc.yaml
+++ b/templates/gitea/ssh-svc.yaml
@ -2,13 +2,20 @@ apiVersion: v1
 kind: Service
 metadata:
  name: {{ include "gitea.fullname" . }}-ssh
+  namespace: {{ .Values.namespace | default .Release.Namespace }}
  labels:
    {{- include "gitea.labels" . | nindent 4 }}
+    {{- if .Values.service.ssh.labels }}
+    {{- toYaml .Values.service.ssh.labels  | nindent 4 }}
+    {{- end }}
  annotations:
    {{- toYaml .Values.service.ssh.annotations | nindent 4 }}
 spec:
  type: {{ .Values.service.ssh.type }}
  {{- if eq .Values.service.ssh.type "LoadBalancer" }}
+  {{- if .Values.service.ssh.loadBalancerClass }}
+  loadBalancerClass: {{ .Values.service.ssh.loadBalancerClass }}
+  {{- end }}
  {{- if .Values.service.ssh.loadBalancerIP }}
  loadBalancerIP: {{ .Values.service.ssh.loadBalancerIP }}
  {{- end -}}
--- a/templates/tests/test-http-connection.yaml
+++ b/templates/tests/test-http-connection.yaml
@ -3,6 +3,7 @@ apiVersion: v1
 kind: Pod
 metadata:
  name: "{{ include "gitea.fullname" . }}-test-connection"
+  namespace: {{ .Values.namespace | default .Release.Namespace }}
  labels:
 {{ include "gitea.labels" . | nindent 4 }}
  annotations:
--- a/unittests/bash/bats
+++ b/unittests/bash/bats
--- a/unittests/bash/test_helper/bats-assert
+++ b/unittests/bash/test_helper/bats-assert
--- a/unittests/bash/test_helper/bats-mock
+++ b/unittests/bash/test_helper/bats-mock
--- a/unittests/bash/test_helper/bats-support
+++ b/unittests/bash/test_helper/bats-support
--- a/unittests/bash/test_helper/common-setup.bash
+++ b/unittests/bash/test_helper/common-setup.bash
@ -0,0 +1,7 @@
+#!/usr/bin/env bash
+
+function common_setup() {
+  load "$TEST_ROOT/test_helper/bats-support/load"
+  load "$TEST_ROOT/test_helper/bats-assert/load"
+  load "$TEST_ROOT/test_helper/bats-mock/stub"
+}
--- a/unittests/bash/tests/init-containers/config/config_environment.bats
+++ b/unittests/bash/tests/init-containers/config/config_environment.bats
@ -0,0 +1,204 @@
+#!/usr/bin/env bats
+
+function setup() {
+  PROJECT_ROOT="$(git rev-parse --show-toplevel)"
+  TEST_ROOT="$PROJECT_ROOT/unittests/bash"
+  load "$TEST_ROOT/test_helper/common-setup"
+  common_setup
+
+  export GITEA_APP_INI="$BATS_TEST_TMPDIR/app.ini"
+  export TMP_EXISTING_ENVS_FILE="$BATS_TEST_TMPDIR/existing-envs"
+  export ENV_TO_INI_MOUNT_POINT="$BATS_TEST_TMPDIR/env-to-ini-mounts"
+
+  stub gitea \
+      "generate secret INTERNAL_TOKEN : echo 'mocked-internal-token'" \
+      "generate secret SECRET_KEY : echo 'mocked-secret-key'" \
+      "generate secret JWT_SECRET : echo 'mocked-jwt-secret'" \
+      "generate secret LFS_JWT_SECRET : echo 'mocked-lfs-jwt-secret'"
+}
+
+function teardown() {
+  unstub gitea
+  # This condition exists due to https://github.com/jasonkarns/bats-mock/pull/37 being still open
+  if [ $ENV_TO_INI_EXPECTED -eq 1 ]; then
+    unstub environment-to-ini
+  fi
+}
+
+# This function exists due to https://github.com/jasonkarns/bats-mock/pull/37 being still open
+function expect_environment_to_ini_call() {
+  export ENV_TO_INI_EXPECTED=1
+  stub environment-to-ini \
+    "-o $GITEA_APP_INI : echo 'Stubbed environment-to-ini was called!'"
+}
+
+function execute_test_script() {
+  currentEnvsBefore=$(env | sort)
+  source $PROJECT_ROOT/scripts/init-containers/config/config_environment.sh
+  local exitCode=$?
+  currentEnvsAfter=$(env | sort)
+
+  # diff as unified +/- output without context before/after
+  diff --unified=0 <(echo "$currentEnvsBefore") <(echo "$currentEnvsAfter")
+
+  exit $exitCode
+}
+
+function write_mounted_file() {
+  # either "inlines" or "additionals"
+  scope="${1}"
+  file="${2}"
+  content="${3}"
+
+  mkdir -p "$ENV_TO_INI_MOUNT_POINT/$scope/..data/"
+  echo "${content}" > "$ENV_TO_INI_MOUNT_POINT/$scope/..data/$file"
+  ln -sf "$ENV_TO_INI_MOUNT_POINT/$scope/..data/$file" "$ENV_TO_INI_MOUNT_POINT/$scope/$file"
+}
+
+@test "works as expected when nothing is configured" {
+  expect_environment_to_ini_call
+  run $PROJECT_ROOT/scripts/init-containers/config/config_environment.sh
+
+  assert_success
+  assert_line '...Initial secrets generated'
+  assert_line 'Reloading preset envs...'
+  assert_line '=== All configuration sources loaded ==='
+  assert_line 'Stubbed environment-to-ini was called!'
+}
+
+@test "exports initial secrets" {
+  expect_environment_to_ini_call
+  run execute_test_script
+
+  assert_success
+  assert_line '+GITEA__OAUTH2__JWT_SECRET=mocked-jwt-secret'
+  assert_line '+GITEA__SECURITY__INTERNAL_TOKEN=mocked-internal-token'
+  assert_line '+GITEA__SECURITY__SECRET_KEY=mocked-secret-key'
+  assert_line '+GITEA__SERVER__LFS_JWT_SECRET=mocked-lfs-jwt-secret'
+}
+
+@test "does NOT export initial secrets when app.ini already exists" {
+  expect_environment_to_ini_call
+  touch $GITEA_APP_INI
+
+  run execute_test_script
+
+  assert_success
+  assert_line --partial 'An app.ini file already exists.'
+  refute_line '+GITEA__OAUTH2__JWT_SECRET=mocked-jwt-secret'
+  refute_line '+GITEA__SECURITY__INTERNAL_TOKEN=mocked-internal-token'
+  refute_line '+GITEA__SECURITY__SECRET_KEY=mocked-secret-key'
+  refute_line '+GITEA__SERVER__LFS_JWT_SECRET=mocked-lfs-jwt-secret'
+}
+
+@test "ensures that preset environment variables take precedence over auto-generated ones" {
+  expect_environment_to_ini_call
+  export GITEA__OAUTH2__JWT_SECRET="pre-defined-jwt-secret"
+
+  run execute_test_script
+
+  assert_success
+  refute_line '+GITEA__OAUTH2__JWT_SECRET=mocked-jwt-secret'
+}
+
+@test "ensures that preset environment variables take precedence over mounted ones" {
+  expect_environment_to_ini_call
+  export GITEA__OAUTH2__JWT_SECRET="pre-defined-jwt-secret"
+  write_mounted_file "inlines" "oauth2" "$(cat << EOF
+JWT_SECRET=inline-jwt-secret
+EOF
+)"
+
+  run execute_test_script
+
+  assert_success
+  refute_line '+GITEA__OAUTH2__JWT_SECRET=mocked-jwt-secret'
+  refute_line '+GITEA__OAUTH2__JWT_SECRET=inline-jwt-secret'
+}
+
+@test "ensures that additionals take precedence over inlines" {
+  expect_environment_to_ini_call
+  write_mounted_file "inlines" "oauth2" "$(cat << EOF
+JWT_SECRET=inline-jwt-secret
+EOF
+)"
+  write_mounted_file "additionals" "oauth2" "$(cat << EOF
+JWT_SECRET=additional-jwt-secret
+EOF
+)"
+
+  run execute_test_script
+
+  assert_success
+  refute_line '+GITEA__OAUTH2__JWT_SECRET=mocked-jwt-secret'
+  refute_line '+GITEA__OAUTH2__JWT_SECRET=inline-jwt-secret'
+  assert_line '+GITEA__OAUTH2__JWT_SECRET=additional-jwt-secret'
+}
+
+@test "ensures that dotted/dashed sections are properly masked" {
+  expect_environment_to_ini_call
+  write_mounted_file "inlines" "repository.pull-request" "$(cat << EOF
+WORK_IN_PROGRESS_PREFIXES=WIP:,[WIP]
+EOF
+)"
+
+  run execute_test_script
+
+  assert_success
+  assert_line '+GITEA__REPOSITORY_0X2E_PULL_0X2D_REQUEST__WORK_IN_PROGRESS_PREFIXES=WIP:,[WIP]'
+}
+
+###############################################################
+##### THIS IS A BUG, BUT I WANT IT TO BE COVERED BY TESTS #####
+###############################################################
+@test "ensures uppercase section and setting names (🐞)" {
+  expect_environment_to_ini_call
+  export GITEA__oauth2__JwT_Secret="pre-defined-jwt-secret"
+  write_mounted_file "inlines" "repository.pull-request" "$(cat << EOF
+WORK_IN_progress_PREFIXES=WIP:,[WIP]
+EOF
+)"
+
+  run execute_test_script
+
+  assert_success
+  assert_line '+GITEA__REPOSITORY_0X2E_PULL_0X2D_REQUEST__WORK_IN_PROGRESS_PREFIXES=WIP:,[WIP]'
+  assert_line '+GITEA__OAUTH2__JWT_SECRET=pre-defined-jwt-secret'
+}
+
+@test "treats top-level configuration as section-less" {
+  expect_environment_to_ini_call
+  write_mounted_file "inlines" "_generals_" "$(cat << EOF
+APP_NAME=Hello top-level configuration
+RUN_MODE=dev
+EOF
+)"
+
+  run execute_test_script
+
+  assert_success
+  assert_line '+GITEA____APP_NAME=Hello top-level configuration'
+  assert_line '+GITEA____RUN_MODE=dev'
+}
+
+@test "fails on invalid setting" {
+  write_mounted_file "inlines" "_generals_" "$(cat << EOF
+some random invalid string
+EOF
+)"
+
+  run execute_test_script
+
+  assert_failure
+}
+
+@test "treats empty setting name as invalid setting" {
+  write_mounted_file "inlines" "_generals_" "$(cat << EOF
+=value
+EOF
+)"
+
+  run execute_test_script
+
+  assert_failure
+}
--- a/unittests/deployment/basic.yaml
+++ b/unittests/deployment/basic.yaml
@ -1,17 +0,0 @@
-suite: deployment template (basic)
-release:
-  name: gitea-unittests
-  namespace: testing
-templates:
-  - templates/gitea/deployment.yaml
-  - templates/gitea/config.yaml
-tests:
-  - it: renders a deployment
-    template: templates/gitea/deployment.yaml
-    asserts:
-      - hasDocuments:
-          count: 1
-      - containsDocument:
-          kind: Deployment
-          apiVersion: apps/v1
-          name: gitea-unittests
--- a/unittests/helm/act_runner/01-consistency-checks.yaml
+++ b/unittests/helm/act_runner/01-consistency-checks.yaml
@ -0,0 +1,69 @@
+suite: actions template | consistency checks
+release:
+  name: gitea-unittests
+  namespace: testing
+templates:
+  - templates/gitea/act_runner/01-consistency-checks.yaml
+tests:
+  - it: fails when provisioning is enabled BUT persistence is completely disabled
+    set:
+      persistence:
+        enabled: false
+      actions:
+        enabled: true
+        provisioning:
+          enabled: true
+    asserts:
+      - failedTemplate:
+          errorMessage: "persistence.enabled and persistence.mount are required when provisioning is enabled"
+  - it: fails when provisioning is enabled BUT mount is disabled, although persistence is enabled
+    set:
+      persistence:
+        enabled: true
+        mount: false
+      actions:
+        enabled: true
+        provisioning:
+          enabled: true
+    asserts:
+      - failedTemplate:
+          errorMessage: "persistence.enabled and persistence.mount are required when provisioning is enabled"
+  - it: fails when provisioning is enabled AND existingSecret is given
+    set:
+      actions:
+        enabled: true
+        provisioning:
+          enabled: true
+        existingSecret: "secret-reference"
+    asserts:
+      - failedTemplate:
+          errorMessage: "Can't specify both actions.provisioning.enabled and actions.existingSecret"
+  - it: fails when provisioning is disabled BUT existingSecret and existingSecretKey are missing
+    set:
+      actions:
+        enabled: true
+        provisioning:
+          enabled: false
+    asserts:
+      - failedTemplate:
+          errorMessage: "actions.existingSecret and actions.existingSecretKey are required when provisioning is disabled"
+  - it: fails when provisioning is disabled BUT existingSecretKey is missing
+    set:
+      actions:
+        enabled: true
+        provisioning:
+          enabled: false
+        existingSecret: "my-secret"
+    asserts:
+      - failedTemplate:
+          errorMessage: "actions.existingSecret and actions.existingSecretKey are required when provisioning is disabled"
+  - it: fails when provisioning is disabled BUT existingSecret is missing
+    set:
+      actions:
+        enabled: true
+        provisioning:
+          enabled: false
+        existingSecretKey: "my-secret-key"
+    asserts:
+      - failedTemplate:
+          errorMessage: "actions.existingSecret and actions.existingSecretKey are required when provisioning is disabled"
--- a/unittests/helm/act_runner/config-act-runner.yaml
+++ b/unittests/helm/act_runner/config-act-runner.yaml
@ -0,0 +1,45 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/helm-unittest/helm-unittest/main/schema/helm-testsuite.json
+suite: actions template | config-act-runner
+release:
+  name: gitea-unittests
+  namespace: testing
+templates:
+  - templates/gitea/act_runner/config-act-runner.yaml
+tests:
+  - it: doesn't renders a ConfigMap by default
+    template: templates/gitea/act_runner/config-act-runner.yaml
+    asserts:
+      - hasDocuments:
+          count: 0
+  - it: renders a ConfigMap
+    template: templates/gitea/act_runner/config-act-runner.yaml
+    set:
+      actions:
+        enabled: true
+        statefulset:
+          actRunner:
+            config: |
+              log:
+                level: info
+              cache:
+                enabled: false
+              runner:
+                labels:
+                  - "ubuntu-latest"
+    asserts:
+      - hasDocuments:
+          count: 1
+      - containsDocument:
+          kind: ConfigMap
+          apiVersion: v1
+          name: gitea-unittests-act-runner-config
+      - equal:
+          path: data["config.yaml"]
+          value: |
+            log:
+              level: info
+            cache:
+              enabled: false
+            runner:
+              labels:
+                - "ubuntu-latest"
--- a/unittests/helm/act_runner/config-scripts.yaml
+++ b/unittests/helm/act_runner/config-scripts.yaml
@ -0,0 +1,49 @@
+suite: actions template | config-scripts
+release:
+  name: gitea-unittests
+  namespace: testing
+templates:
+  - templates/gitea/act_runner/config-scripts.yaml
+tests:
+  - it: renders a ConfigMap when all criteria are met
+    template: templates/gitea/act_runner/config-scripts.yaml
+    set:
+      actions:
+        enabled: true
+        provisioning:
+          enabled: true
+      persistence:
+        enabled: true
+        mount: true
+    asserts:
+      - hasDocuments:
+          count: 1
+      - containsDocument:
+          kind: ConfigMap
+          apiVersion: v1
+          name: gitea-unittests-scripts
+      - isNotNullOrEmpty:
+          path: data["token.sh"]
+  - it: doesn't renders a ConfigMap by default
+    template: templates/gitea/act_runner/config-scripts.yaml
+    asserts:
+      - hasDocuments:
+          count: 0
+  - it: doesn't renders a ConfigMap with disabled actions but enabled provisioning
+    template: templates/gitea/act_runner/config-scripts.yaml
+    asserts:
+      - hasDocuments:
+          count: 0
+  - it: doesn't renders a ConfigMap with disabled actions but otherwise met criteria
+    template: templates/gitea/act_runner/config-scripts.yaml
+    set:
+      actions:
+        enabled: false
+        provisioning:
+          enabled: true
+      persistence:
+        enabled: true
+        mount: true
+    asserts:
+      - hasDocuments:
+          count: 0
--- a/unittests/helm/act_runner/job.yaml
+++ b/unittests/helm/act_runner/job.yaml
@ -0,0 +1,65 @@
+suite: actions template | job
+release:
+  name: gitea-unittests
+  namespace: testing
+chart:
+  # Override appVersion to have a pinned version for comparison
+  appVersion: 1.19.3
+templates:
+  - templates/gitea/act_runner/job.yaml
+tests:
+  - it: renders a Job
+    template: templates/gitea/act_runner/job.yaml
+    set:
+      actions:
+        enabled: true
+        provisioning:
+          enabled: true
+      persistence:
+        enabled: true
+        mount: true
+    asserts:
+      - hasDocuments:
+          count: 1
+      - containsDocument:
+          kind: Job
+          apiVersion: batch/v1
+          name: gitea-unittests-actions-token-job
+      - equal:
+          path: spec.template.spec.containers[0].image
+          value: "docker.gitea.com/gitea:1.19.3-rootless"
+  - it: tag override
+    template: templates/gitea/act_runner/job.yaml
+    set:
+      image.tag: "1.19.4"
+      actions:
+        enabled: true
+        provisioning:
+          enabled: true
+          publish:
+            tag: "1.29.0"
+      persistence:
+        enabled: true
+        mount: true
+    asserts:
+      - equal:
+          path: spec.template.spec.containers[0].image
+          value: "docker.gitea.com/gitea:1.19.4-rootless"
+      - equal:
+          path: spec.template.spec.containers[1].image
+          value: "bitnami/kubectl:1.29.0"
+  - it: doesn't renders a Job by default
+    template: templates/gitea/act_runner/job.yaml
+    asserts:
+      - hasDocuments:
+          count: 0
+  - it: doesn't renders a Job when provisioning is enabled BUT actions are not enabled
+    template: templates/gitea/act_runner/job.yaml
+    set:
+      actions:
+        enabled: false
+        provisioning:
+          enabled: true
+    asserts:
+      - hasDocuments:
+          count: 0
--- a/unittests/helm/act_runner/role-job.yaml
+++ b/unittests/helm/act_runner/role-job.yaml
@ -0,0 +1,42 @@
+suite: actions template | role-job
+release:
+  name: gitea-unittests
+  namespace: testing
+templates:
+  - templates/gitea/act_runner/role-job.yaml
+tests:
+  - it: doesn't renders a Role by default
+    template: templates/gitea/act_runner/role-job.yaml
+    asserts:
+      - hasDocuments:
+          count: 0
+  - it: renders a Role
+    template: templates/gitea/act_runner/role-job.yaml
+    set:
+      actions:
+        enabled: true
+        provisioning:
+          enabled: true
+      persistence:
+        enabled: true
+        mount: true
+    asserts:
+      - hasDocuments:
+          count: 1
+      - containsDocument:
+          kind: Role
+          apiVersion: rbac.authorization.k8s.io/v1
+          name: gitea-unittests-actions-token-job
+  - it: doesn't renders a Role when criteria met BUT actions are not enabled
+    template: templates/gitea/act_runner/role-job.yaml
+    set:
+      actions:
+        enabled: false
+        provisioning:
+          enabled: true
+      persistence:
+        enabled: true
+        mount: true
+    asserts:
+      - hasDocuments:
+          count: 0
--- a/unittests/helm/act_runner/rolebinding-job.yaml
+++ b/unittests/helm/act_runner/rolebinding-job.yaml
@ -0,0 +1,42 @@
+suite: actions template | rolebinding-job
+release:
+  name: gitea-unittests
+  namespace: testing
+templates:
+  - templates/gitea/act_runner/rolebinding-job.yaml
+tests:
+  - it: doesn't renders a RoleBinding by default
+    template: templates/gitea/act_runner/rolebinding-job.yaml
+    asserts:
+      - hasDocuments:
+          count: 0
+  - it: renders a RoleBinding
+    template: templates/gitea/act_runner/rolebinding-job.yaml
+    set:
+      actions:
+        enabled: true
+        provisioning:
+          enabled: true
+      persistence:
+        enabled: true
+        mount: true
+    asserts:
+      - hasDocuments:
+          count: 1
+      - containsDocument:
+          kind: RoleBinding
+          apiVersion: rbac.authorization.k8s.io/v1
+          name: gitea-unittests-actions-token-job
+  - it: doesn't renders a RoleBinding when criteria met BUT actions are not enabled
+    template: templates/gitea/act_runner/rolebinding-job.yaml
+    set:
+      actions:
+        enabled: false
+        provisioning:
+          enabled: true
+      persistence:
+        enabled: true
+        mount: true
+    asserts:
+      - hasDocuments:
+          count: 0
--- a/unittests/helm/act_runner/secret-token.yaml
+++ b/unittests/helm/act_runner/secret-token.yaml
@ -0,0 +1,42 @@
+suite: actions template | secret-token
+release:
+  name: gitea-unittests
+  namespace: testing
+templates:
+  - templates/gitea/act_runner/secret-token.yaml
+tests:
+  - it: doesn't renders a Secret by default
+    template: templates/gitea/act_runner/secret-token.yaml
+    asserts:
+      - hasDocuments:
+          count: 0
+  - it: renders a Secret
+    template: templates/gitea/act_runner/secret-token.yaml
+    set:
+      actions:
+        enabled: true
+        provisioning:
+          enabled: true
+      persistence:
+        enabled: true
+        mount: true
+    asserts:
+      - hasDocuments:
+          count: 1
+      - containsDocument:
+          kind: Secret
+          apiVersion: v1
+          name: gitea-unittests-actions-token
+  - it: doesn't renders a Secret when criteria met BUT actions are not enabled
+    template: templates/gitea/act_runner/secret-token.yaml
+    set:
+      actions:
+        enabled: false
+        provisioning:
+          enabled: true
+      persistence:
+        enabled: true
+        mount: true
+    asserts:
+      - hasDocuments:
+          count: 0
--- a/unittests/helm/act_runner/serviceaccount-job.yaml
+++ b/unittests/helm/act_runner/serviceaccount-job.yaml
@ -0,0 +1,42 @@
+suite: actions template | serviceaccount-job
+release:
+  name: gitea-unittests
+  namespace: testing
+templates:
+  - templates/gitea/act_runner/serviceaccount-job.yaml
+tests:
+  - it: doesn't renders a ServiceAccount by default
+    template: templates/gitea/act_runner/serviceaccount-job.yaml
+    asserts:
+      - hasDocuments:
+          count: 0
+  - it: renders a ServiceAccount
+    template: templates/gitea/act_runner/serviceaccount-job.yaml
+    set:
+      actions:
+        enabled: true
+        provisioning:
+          enabled: true
+      persistence:
+        enabled: true
+        mount: true
+    asserts:
+      - hasDocuments:
+          count: 1
+      - containsDocument:
+          kind: ServiceAccount
+          apiVersion: v1
+          name: gitea-unittests-actions-token-job
+  - it: doesn't renders a ServiceAccount when criteria met BUT actions are not enabled
+    template: templates/gitea/act_runner/serviceaccount-job.yaml
+    set:
+      actions:
+        enabled: false
+        provisioning:
+          enabled: true
+      persistence:
+        enabled: true
+        mount: true
+    asserts:
+      - hasDocuments:
+          count: 0
--- a/unittests/helm/act_runner/statefulset.yaml
+++ b/unittests/helm/act_runner/statefulset.yaml
@ -0,0 +1,182 @@
+suite: actions template | statefulset
+release:
+  name: gitea-unittests
+  namespace: testing
+templates:
+  - templates/gitea/act_runner/statefulset.yaml
+  - templates/gitea/act_runner/config-act-runner.yaml
+tests:
+  - it: doesn't renders a StatefulSet by default
+    template: templates/gitea/act_runner/statefulset.yaml
+    asserts:
+      - hasDocuments:
+          count: 0
+  - it: renders a StatefulSet (with given existingSecret/existingSecretKey)
+    template: templates/gitea/act_runner/statefulset.yaml
+    set:
+      actions:
+        enabled: true
+        existingSecret: "my-secret"
+        existingSecretKey: "my-secret-key"
+    asserts:
+      - hasDocuments:
+          count: 1
+      - containsDocument:
+          kind: StatefulSet
+          apiVersion: apps/v1
+          name: gitea-unittests-act-runner
+      - equal:
+          path: spec.template.spec.containers[0].env[3]
+          value:
+            name: GITEA_RUNNER_REGISTRATION_TOKEN
+            valueFrom:
+              secretKeyRef:
+                name: "my-secret"
+                key: "my-secret-key"
+  - it: renders a StatefulSet (with secret reference defaults for enabled provisioning)
+    template: templates/gitea/act_runner/statefulset.yaml
+    set:
+      actions:
+        enabled: true
+        provisioning:
+          enabled: true
+    asserts:
+      - hasDocuments:
+          count: 1
+      - containsDocument:
+          kind: StatefulSet
+          apiVersion: apps/v1
+          name: gitea-unittests-act-runner
+      - equal:
+          path: spec.template.spec.containers[0].env[3]
+          value:
+            name: GITEA_RUNNER_REGISTRATION_TOKEN
+            valueFrom:
+              secretKeyRef:
+                name: "gitea-unittests-actions-token"
+                key: "token"
+  - it: renders a StatefulSet (that tracks changes of the runner configuration as annotation)
+    template: templates/gitea/act_runner/statefulset.yaml
+    set:
+      image.tag: "1.22.3" # lock image tag to prevent test failures on future Gitea upgrades
+      actions:
+        enabled: true
+        existingSecret: "my-secret"
+        existingSecretKey: "my-secret-key"
+    asserts:
+      - hasDocuments:
+          count: 1
+      - containsDocument:
+          kind: StatefulSet
+          apiVersion: apps/v1
+          name: gitea-unittests-act-runner
+      - equal:
+          path: spec.template.metadata.annotations["checksum/config"]
+          value: "2a2200e80fc29111d18b675789c265cd3d5f917754850f946f1ce3c55dcd65f8"
+  - it: renders a StatefulSet (with correct GITEA_INSTANCE_URL env with default act-runner specific LOCAL_ROOT_URL)
+    template: templates/gitea/act_runner/statefulset.yaml
+    set:
+      actions:
+        enabled: true
+        existingSecret: "my-secret"
+        existingSecretKey: "my-secret-key"
+    asserts:
+      - hasDocuments:
+          count: 1
+      - containsDocument:
+          kind: StatefulSet
+          apiVersion: apps/v1
+          name: gitea-unittests-act-runner
+      - equal:
+          path: spec.template.spec.containers[0].env[4]
+          value:
+            name: GITEA_INSTANCE_URL
+            value: "http://gitea-unittests-http:3000"
+  - it: renders a StatefulSet (with correct GITEA_INSTANCE_URL env from customized LOCAL_ROOT_URL)
+    template: templates/gitea/act_runner/statefulset.yaml
+    set:
+      gitea.config.server.LOCAL_ROOT_URL: "http://git.example.com"
+      actions:
+        enabled: true
+        existingSecret: "my-secret"
+        existingSecretKey: "my-secret-key"
+    asserts:
+      - hasDocuments:
+          count: 1
+      - containsDocument:
+          kind: StatefulSet
+          apiVersion: apps/v1
+          name: gitea-unittests-act-runner
+      - equal:
+          path: spec.template.spec.containers[0].env[4]
+          value:
+            name: GITEA_INSTANCE_URL
+            value: "http://git.example.com"
+  - it: allows adding custom environment variables to the docker-in-docker container
+    template: templates/gitea/act_runner/statefulset.yaml
+    set:
+      actions:
+        enabled: true
+        statefulset:
+          dind:
+            extraEnvs:
+              - name: "CUSTOM_ENV_NAME"
+                value: "custom env value"
+    asserts:
+      - equal:
+          path: spec.template.spec.containers[1].env[3]
+          value:
+            name: "CUSTOM_ENV_NAME"
+            value: "custom env value"
+  - it: should mount an extra volume in the act runner container
+    template: templates/gitea/act_runner/statefulset.yaml
+    set:
+      actions:
+        enabled: true
+        statefulset:
+          extraVolumes:
+            - name: my-act-runner-volume
+              emptyDir: {}
+          actRunner:
+            extraVolumeMounts:
+              - mountPath: /mnt
+                name: my-act-runner-volume
+    asserts:
+      - hasDocuments:
+          count: 1
+      - containsDocument:
+          kind: StatefulSet
+          apiVersion: apps/v1
+          name: gitea-unittests-act-runner
+      - contains:
+          any: true
+          path: spec.template.spec.containers[0].volumeMounts
+          content:
+            mountPath: /mnt
+            name: my-act-runner-volume
+  - it: should mount an extra volume in the docker-in-docker container
+    template: templates/gitea/act_runner/statefulset.yaml
+    set:
+      actions:
+        enabled: true
+        statefulset:
+          extraVolumes:
+            - name: my-dind-volume
+              emptyDir: {}
+          dind:
+            extraVolumeMounts:
+              - mountPath: /mnt
+                name: my-dind-volume
+    asserts:
+      - hasDocuments:
+          count: 1
+      - containsDocument:
+          kind: StatefulSet
+          apiVersion: apps/v1
+          name: gitea-unittests-act-runner
+      - contains:
+          any: true
+          path: spec.template.spec.containers[1].volumeMounts
+          content:
+            mountPath: /mnt
+            name: my-dind-volume
--- a/unittests/helm/config/actions-config.yaml
+++ b/unittests/helm/config/actions-config.yaml
@ -0,0 +1,61 @@
+suite: config template | actions config
+release:
+  name: gitea-unittests
+  namespace: testing
+templates:
+  - templates/gitea/config.yaml
+tests:
+  - it: "actions are not enabled by default"
+    template: templates/gitea/config.yaml
+    asserts:
+      - documentIndex: 0
+        equal:
+          path: stringData.actions
+          value: |-
+            ENABLED=false
+
+  - it: "actions can be enabled via inline config"
+    template: templates/gitea/config.yaml
+    set:
+      gitea.config.actions.ENABLED: true
+    asserts:
+      - documentIndex: 0
+        equal:
+          path: stringData.actions
+          value: |-
+            ENABLED=true
+
+  - it: "actions can be enabled via dedicated values object"
+    template: templates/gitea/config.yaml
+    set:
+      actions:
+        enabled: true
+    asserts:
+      - documentIndex: 0
+        equal:
+          path: stringData.actions
+          value: |-
+            ENABLED=true
+
+  - it: "defines LOCAL_ROOT_URL when actions are enabled"
+    template: templates/gitea/config.yaml
+    set:
+      actions:
+        enabled: true
+    asserts:
+      - documentIndex: 0
+        matchRegex:
+          path: stringData.server
+          pattern: \nLOCAL_ROOT_URL=http://gitea-unittests-http:3000
+
+  - it: "respects custom LOCAL_ROOT_URL, even when actions are enabled"
+    template: templates/gitea/config.yaml
+    set:
+      actions:
+        enabled: true
+      gitea.config.server.LOCAL_ROOT_URL: "http://git.example.com"
+    asserts:
+      - documentIndex: 0
+        matchRegex:
+          path: stringData.server
+          pattern: \nLOCAL_ROOT_URL=http://git.example.com
--- a/unittests/helm/config/cache-config.yaml
+++ b/unittests/helm/config/cache-config.yaml
@ -0,0 +1,66 @@
+suite: config template | cache config
+release:
+  name: gitea-unittests
+  namespace: testing
+tests:
+  - it: "cache is configured correctly for redis-cluster"
+    template: templates/gitea/config.yaml
+    set:
+      redis-cluster:
+        enabled: true
+      redis:
+        enabled: false
+    asserts:
+      - documentIndex: 0
+        equal:
+          path: stringData.cache
+          value: |-
+            ADAPTER=redis
+            HOST=redis+cluster://:@gitea-unittests-redis-cluster-headless.testing.svc.cluster.local:6379/0?pool_size=100&idle_timeout=180s&
+
+  - it: "cache is configured correctly for redis"
+    template: templates/gitea/config.yaml
+    set:
+      redis-cluster:
+        enabled: false
+      redis:
+        enabled: true
+    asserts:
+      - documentIndex: 0
+        equal:
+          path: stringData.cache
+          value: |-
+            ADAPTER=redis
+            HOST=redis://:changeme@gitea-unittests-redis-headless.testing.svc.cluster.local:6379/0?pool_size=100&idle_timeout=180s&
+
+  - it: "cache is configured correctly for 'memory' when redis (or redis-cluster) is disabled"
+    template: templates/gitea/config.yaml
+    set:
+      redis-cluster:
+        enabled: false
+      redis:
+        enabled: false
+    asserts:
+      - documentIndex: 0
+        equal:
+          path: stringData.cache
+          value: |-
+            ADAPTER=memory
+            HOST=
+
+  - it: "cache can be customized when redis (or redis-cluster) is disabled"
+    template: templates/gitea/config.yaml
+    set:
+      redis-cluster:
+        enabled: false
+      redis:
+        enabled: false
+      gitea.config.cache.ADAPTER: custom-adapter
+      gitea.config.cache.HOST: custom-host
+    asserts:
+      - documentIndex: 0
+        equal:
+          path: stringData.cache
+          value: |-
+            ADAPTER=custom-adapter
+            HOST=custom-host
--- a/unittests/helm/config/metrics-section_metrics-token.yaml
+++ b/unittests/helm/config/metrics-section_metrics-token.yaml
@ -0,0 +1,58 @@
+suite: config template | metrics section (metrics token)
+release:
+  name: gitea-unittests
+  namespace: testing
+tests:
+  - it: metrics token is set
+    template: templates/gitea/config.yaml
+    set:
+      gitea:
+        metrics:
+          enabled: true
+          token: "somepassword"
+    asserts:
+      - documentIndex: 0
+        equal:
+          path: stringData.metrics
+          value: |-
+            ENABLED=true
+            TOKEN=somepassword
+  - it: metrics token is empty
+    template: templates/gitea/config.yaml
+    set:
+      gitea:
+        metrics:
+          enabled: true
+          token: ""
+    asserts:
+      - documentIndex: 0
+        equal:
+          path: stringData.metrics
+          value: |-
+            ENABLED=true
+  - it: metrics token is nil
+    template: templates/gitea/config.yaml
+    set:
+      gitea:
+        metrics:
+          enabled: true
+          token:
+    asserts:
+      - documentIndex: 0
+        equal:
+          path: stringData.metrics
+          value: |-
+            ENABLED=true
+  - it: does not configures a token if metrics are disabled
+    template: templates/gitea/config.yaml
+    set:
+      gitea:
+        metrics:
+          enabled: false
+          token: "somepassword"
+    asserts:
+      - documentIndex: 0
+        equal:
+          path: stringData.metrics
+          value: |-
+            ENABLED=false
--- a/unittests/helm/config/queue-config.yaml
+++ b/unittests/helm/config/queue-config.yaml
@ -0,0 +1,66 @@
+suite: config template | queue config
+release:
+  name: gitea-unittests
+  namespace: testing
+tests:
+  - it: "queue is configured correctly for redis-cluster"
+    template: templates/gitea/config.yaml
+    set:
+      redis-cluster:
+        enabled: true
+      redis:
+        enabled: false
+    asserts:
+      - documentIndex: 0
+        equal:
+          path: stringData.queue
+          value: |-
+            CONN_STR=redis+cluster://:@gitea-unittests-redis-cluster-headless.testing.svc.cluster.local:6379/0?pool_size=100&idle_timeout=180s&
+            TYPE=redis
+
+  - it: "queue is configured correctly for redis"
+    template: templates/gitea/config.yaml
+    set:
+      redis-cluster:
+        enabled: false
+      redis:
+        enabled: true
+    asserts:
+      - documentIndex: 0
+        equal:
+          path: stringData.queue
+          value: |-
+            CONN_STR=redis://:changeme@gitea-unittests-redis-headless.testing.svc.cluster.local:6379/0?pool_size=100&idle_timeout=180s&
+            TYPE=redis
+
+  - it: "queue is configured correctly for 'levelDB' when redis (and redis-cluster) is disabled"
+    template: templates/gitea/config.yaml
+    set:
+      redis-cluster:
+        enabled: false
+      redis:
+        enabled: false
+    asserts:
+      - documentIndex: 0
+        equal:
+          path: stringData.queue
+          value: |-
+            CONN_STR=
+            TYPE=level
+
+  - it: "queue can be customized when redis (and redis-cluster) are disabled"
+    template: templates/gitea/config.yaml
+    set:
+      redis-cluster:
+        enabled: false
+      redis:
+        enabled: false
+      gitea.config.queue.TYPE: custom-type
+      gitea.config.queue.CONN_STR: custom-connection-string
+    asserts:
+      - documentIndex: 0
+        equal:
+          path: stringData.queue
+          value: |-
+            CONN_STR=custom-connection-string
+            TYPE=custom-type
--- a/unittests/helm/config/server-section_domain.yaml
+++ b/unittests/helm/config/server-section_domain.yaml
@ -0,0 +1,67 @@
+suite: config template | server section (domain related)
+release:
+  name: gitea-unittests
+  namespace: testing
+tests:
+  - it: "[default values] uses ingress host for DOMAIN|SSH_DOMAIN|ROOT_URL"
+    template: templates/gitea/config.yaml
+    asserts:
+      - documentIndex: 0
+        matchRegex:
+          path: stringData.server
+          pattern: \nDOMAIN=git.example.com
+      - documentIndex: 0
+        matchRegex:
+          path: stringData.server
+          pattern: \nSSH_DOMAIN=git.example.com
+      - documentIndex: 0
+        matchRegex:
+          path: stringData.server
+          pattern: \nROOT_URL=http://git.example.com
+
+  ################################################
+
+  - it: "[no ingress hosts] uses gitea http service for DOMAIN|SSH_DOMAIN|ROOT_URL"
+    template: templates/gitea/config.yaml
+    set:
+      ingress:
+        hosts: []
+    asserts:
+      - documentIndex: 0
+        matchRegex:
+          path: stringData.server
+          pattern: \nDOMAIN=gitea-unittests-http.testing.svc.cluster.local
+      - documentIndex: 0
+        matchRegex:
+          path: stringData.server
+          pattern: \nSSH_DOMAIN=gitea-unittests-http.testing.svc.cluster.local
+      - documentIndex: 0
+        matchRegex:
+          path: stringData.server
+          pattern: \nROOT_URL=http://gitea-unittests-http.testing.svc.cluster.local
+
+  ################################################
+
+  - it: "[provided via values] uses that for DOMAIN|SSH_DOMAIN|ROOT_URL"
+    template: templates/gitea/config.yaml
+    set:
+      gitea.config.server.DOMAIN: provided.example.com
+      ingress:
+        hosts:
+          - host: non-used.example.com
+            paths:
+              - path: /
+                pathType: Prefix
+    asserts:
+      - documentIndex: 0
+        matchRegex:
+          path: stringData.server
+          pattern: \nDOMAIN=provided.example.com
+      - documentIndex: 0
+        matchRegex:
+          path: stringData.server
+          pattern: \nSSH_DOMAIN=provided.example.com
+      - documentIndex: 0
+        matchRegex:
+          path: stringData.server
+          pattern: \nROOT_URL=http://provided.example.com
--- a/unittests/helm/config/session-config.yaml
+++ b/unittests/helm/config/session-config.yaml
@ -0,0 +1,66 @@
+suite: config template | session config
+release:
+  name: gitea-unittests
+  namespace: testing
+tests:
+  - it: "session is configured correctly for redis-cluster"
+    template: templates/gitea/config.yaml
+    set:
+      redis-cluster:
+        enabled: true
+      redis:
+        enabled: false
+    asserts:
+      - documentIndex: 0
+        equal:
+          path: stringData.session
+          value: |-
+            PROVIDER=redis
+            PROVIDER_CONFIG=redis+cluster://:@gitea-unittests-redis-cluster-headless.testing.svc.cluster.local:6379/0?pool_size=100&idle_timeout=180s&
+
+  - it: "session is configured correctly for redis"
+    template: templates/gitea/config.yaml
+    set:
+      redis-cluster:
+        enabled: false
+      redis:
+        enabled: true
+    asserts:
+      - documentIndex: 0
+        equal:
+          path: stringData.session
+          value: |-
+            PROVIDER=redis
+            PROVIDER_CONFIG=redis://:changeme@gitea-unittests-redis-headless.testing.svc.cluster.local:6379/0?pool_size=100&idle_timeout=180s&
+
+  - it: "session is configured correctly for 'memory' when redis (and redis-cluster) is disabled"
+    template: templates/gitea/config.yaml
+    set:
+      redis-cluster:
+        enabled: false
+      redis:
+        enabled: false
+    asserts:
+      - documentIndex: 0
+        equal:
+          path: stringData.session
+          value: |-
+            PROVIDER=memory
+            PROVIDER_CONFIG=
+
+  - it: "session can be customized when redis (and redis-cluster) is disabled"
+    template: templates/gitea/config.yaml
+    set:
+      redis-cluster:
+        enabled: false
+      redis:
+        enabled: false
+      gitea.config.session.PROVIDER: custom-provider
+      gitea.config.session.PROVIDER_CONFIG: custom-provider-config
+    asserts:
+      - documentIndex: 0
+        equal:
+          path: stringData.session
+          value: |-
+            PROVIDER=custom-provider
+            PROVIDER_CONFIG=custom-provider-config
--- a/unittests/helm/dependency-checks/customization-integrity-postgresql-ha.yaml
+++ b/unittests/helm/dependency-checks/customization-integrity-postgresql-ha.yaml
@ -0,0 +1,121 @@
+suite: Dependency checks | Customization integrity | postgresql-ha
+release:
+  name: gitea-unittests
+  namespace: testing
+set:
+  postgresql:
+    enabled: false
+  postgresql-ha:
+    enabled: true
+    global:
+      postgresql:
+        database: gitea-database
+        password: gitea-password
+        username: gitea-username
+    postgresql:
+      repmgrPassword: custom-password-repmgr
+      postgresPassword: custom-password-postgres
+      password: custom-password-overwritten-by-global-postgresql-password
+    pgpool:
+      adminPassword: custom-password-pgpool
+    service:
+      ports:
+        postgresql: 1234
+    persistence:
+      size: 1337Mi
+tests:
+  - it: "[postgresql-ha] DB settings are applied as expected"
+    template: charts/postgresql-ha/templates/postgresql/statefulset.yaml
+    asserts:
+      - documentIndex: 0
+        contains:
+          path: spec.template.spec.containers[0].env
+          content:
+            name: POSTGRES_DB
+            value: "gitea-database"
+      - documentIndex: 0
+        contains:
+          path: spec.template.spec.containers[0].env
+          content:
+            name: POSTGRES_USER
+            value: "gitea-username"
+  - it: "[postgresql-ha] DB passwords are applied as expected"
+    template: charts/postgresql-ha/templates/postgresql/secrets.yaml
+    asserts:
+      - documentIndex: 0
+        equal:
+          path: data["repmgr-password"]
+          value: "Y3VzdG9tLXBhc3N3b3JkLXJlcG1ncg=="
+      - documentIndex: 0
+        equal:
+          path: data["postgres-password"]
+          value: "Y3VzdG9tLXBhc3N3b3JkLXBvc3RncmVz"
+      - documentIndex: 0
+        equal:
+          path: data["password"]
+          value: "Z2l0ZWEtcGFzc3dvcmQ=" # postgresql-ha.postgresql.password is overwritten by postgresql-ha.global.postgresql.password and should not be referenced here
+  - it: "[postgresql-ha] pgpool.adminPassword is applied as expected"
+    template: charts/postgresql-ha/templates/pgpool/secrets.yaml
+    asserts:
+      - documentIndex: 0
+        equal:
+          path: data["admin-password"]
+          value: "Y3VzdG9tLXBhc3N3b3JkLXBncG9vbA=="
+  - it: "[postgresql-ha] pgpool.adminPassword is applied as expected"
+    template: charts/postgresql-ha/templates/pgpool/secrets.yaml
+    asserts:
+      - documentIndex: 0
+        equal:
+          path: data["admin-password"]
+          value: "Y3VzdG9tLXBhc3N3b3JkLXBncG9vbA=="
+  - it: "[postgresql-ha] pgpool.adminPassword is applied as expected"
+    template: charts/postgresql-ha/templates/pgpool/secrets.yaml
+    asserts:
+      - documentIndex: 0
+        equal:
+          path: data["admin-password"]
+          value: "Y3VzdG9tLXBhc3N3b3JkLXBncG9vbA=="
+  - it: "[postgresql-ha] persistence.size is applied as expected"
+    template: charts/postgresql-ha/templates/postgresql/statefulset.yaml
+    asserts:
+      - documentIndex: 0
+        equal:
+          path: spec.volumeClaimTemplates[0].spec.resources.requests.storage
+          value: "1337Mi"
+  - it: "[postgresql-ha] service.ports.postgresql is applied as expected"
+    template: charts/postgresql-ha/templates/pgpool/service.yaml
+    asserts:
+      - documentIndex: 0
+        equal:
+          path: spec.ports[0].port
+          value: 1234
+  - it: "[postgresql-ha] renders the referenced service"
+    template: charts/postgresql-ha/templates/pgpool/service.yaml
+    asserts:
+      - containsDocument:
+          kind: Service
+          apiVersion: v1
+          name: gitea-unittests-postgresql-ha-pgpool
+          namespace: testing
+  - it: "[gitea] connects to pgpool service"
+    template: templates/gitea/config.yaml
+    asserts:
+      - documentIndex: 0
+        matchRegex:
+          path: stringData.database
+          pattern: HOST=gitea-unittests-postgresql-ha-pgpool.testing.svc.cluster.local:1234
+  - it: "[gitea] connects to configured database"
+    template: templates/gitea/config.yaml
+    asserts:
+      - documentIndex: 0
+        matchRegex:
+          path: stringData.database
+          pattern: NAME=gitea-database
+      - documentIndex: 0
+        matchRegex:
+          path: stringData.database
+          pattern: USER=gitea-username
+      - documentIndex: 0
+        matchRegex:
+          path: stringData.database
+          pattern: PASSWD=gitea-password
--- a/unittests/helm/dependency-checks/customization-integrity-postgresql.yaml
+++ b/unittests/helm/dependency-checks/customization-integrity-postgresql.yaml
@ -0,0 +1,88 @@
+suite: Dependency checks | Customization integrity | postgresql
+release:
+  name: gitea-unittests
+  namespace: testing
+set:
+  postgresql-ha:
+    enabled: false
+  postgresql:
+    enabled: true
+    global:
+      postgresql:
+        auth:
+          password: gitea-password
+          database: gitea-database
+          username: gitea-username
+        service:
+          ports:
+            postgresql: 1234
+    primary:
+      persistence:
+        size: 1337Mi
+tests:
+  - it: "[postgresql] DB settings are applied as expected"
+    template: charts/postgresql/templates/primary/statefulset.yaml
+    asserts:
+      - documentIndex: 0
+        contains:
+          path: spec.template.spec.containers[0].env
+          content:
+            name: POSTGRES_DATABASE
+            value: "gitea-database"
+      - documentIndex: 0
+        contains:
+          path: spec.template.spec.containers[0].env
+          content:
+            name: POSTGRES_USER
+            value: "gitea-username"
+  - it: "[postgresql] DB password is applied as expected"
+    template: charts/postgresql/templates/secrets.yaml
+    asserts:
+      - documentIndex: 0
+        equal:
+          path: data["password"]
+          value: "Z2l0ZWEtcGFzc3dvcmQ="
+  - it: "[postgresql] primary.persistence.size is applied as expected"
+    template: charts/postgresql/templates/primary/statefulset.yaml
+    asserts:
+      - documentIndex: 0
+        equal:
+          path: spec.volumeClaimTemplates[0].spec.resources.requests.storage
+          value: "1337Mi"
+  - it: "[postgresql] global.postgresql.service.ports.postgresql is applied as expected"
+    template: charts/postgresql/templates/primary/svc.yaml
+    asserts:
+      - documentIndex: 0
+        equal:
+          path: spec.ports[0].port
+          value: 1234
+  - it: "[postgresql] renders the referenced service"
+    template: charts/postgresql/templates/primary/svc.yaml
+    asserts:
+      - containsDocument:
+          kind: Service
+          apiVersion: v1
+          name: gitea-unittests-postgresql
+          namespace: testing
+  - it: "[gitea] connects to postgresql service"
+    template: templates/gitea/config.yaml
+    asserts:
+      - documentIndex: 0
+        matchRegex:
+          path: stringData.database
+          pattern: HOST=gitea-unittests-postgresql.testing.svc.cluster.local:1234
+  - it: "[gitea] connects to configured database"
+    template: templates/gitea/config.yaml
+    asserts:
+      - documentIndex: 0
+        matchRegex:
+          path: stringData.database
+          pattern: NAME=gitea-database
+      - documentIndex: 0
+        matchRegex:
+          path: stringData.database
+          pattern: USER=gitea-username
+      - documentIndex: 0
+        matchRegex:
+          path: stringData.database
+          pattern: PASSWD=gitea-password
--- a/unittests/helm/dependency-checks/customization-integrity-redis-cluster.yaml
+++ b/unittests/helm/dependency-checks/customization-integrity-redis-cluster.yaml
@ -0,0 +1,90 @@
+suite: Dependency checks | Customization integrity | redis-cluster
+release:
+  name: gitea-unittests
+  namespace: testing
+set:
+  redis:
+    enabled: false
+  redis-cluster:
+    enabled: true
+    usePassword: false
+    cluster:
+      nodes: 5
+      replicas: 2
+tests:
+  - it: "[redis-cluster] configures correct nodes/replicas"
+    template: charts/redis-cluster/templates/redis-statefulset.yaml
+    asserts:
+      - documentIndex: 0
+        equal:
+          path: spec.replicas
+          value: 5
+      - documentIndex: 0
+        matchRegex:
+          path: spec.template.spec.containers[0].args[0]
+          pattern: REDIS_CLUSTER_REPLICAS="2"
+  - it: "[redis-cluster] support auth-less connections"
+    asserts:
+      - template: charts/redis-cluster/templates/secret.yaml
+        hasDocuments:
+          count: 0
+      - template: charts/redis-cluster/templates/redis-statefulset.yaml
+        documentIndex: 0
+        contains:
+          path: spec.template.spec.containers[0].env
+          content:
+            name: ALLOW_EMPTY_PASSWORD
+            value: "yes"
+  - it: "[redis-cluster] support auth-full connections"
+    set:
+      redis-cluster:
+        usePassword: true
+    asserts:
+      - template: charts/redis-cluster/templates/secret.yaml
+        containsDocument:
+          kind: Secret
+          apiVersion: v1
+          name: gitea-unittests-redis-cluster
+          namespace: testing
+      - template: charts/redis-cluster/templates/redis-statefulset.yaml
+        documentIndex: 0
+        contains:
+          path: spec.template.spec.containers[0].env
+          content:
+            name: REDISCLI_AUTH
+            valueFrom:
+              secretKeyRef:
+                name: gitea-unittests-redis-cluster
+                key: redis-password
+      - template: charts/redis-cluster/templates/redis-statefulset.yaml
+        documentIndex: 0
+        contains:
+          path: spec.template.spec.containers[0].env
+          content:
+            name: REDIS_PASSWORD
+            valueFrom:
+              secretKeyRef:
+                name: gitea-unittests-redis-cluster
+                key: redis-password
+  - it: "[redis-cluster] renders the referenced service"
+    template: charts/redis-cluster/templates/headless-svc.yaml
+    asserts:
+      - containsDocument:
+          kind: Service
+          apiVersion: v1
+          name: gitea-unittests-redis-cluster-headless
+          namespace: testing
+      - documentIndex: 0
+        contains:
+          path: spec.ports
+          content:
+            name: tcp-redis
+            port: 6379
+            targetPort: tcp-redis
+  - it: "[gitea] waits for redis-cluster to be up and running"
+    template: templates/gitea/init.yaml
+    asserts:
+      - documentIndex: 0
+        matchRegex:
+          path: stringData["configure_gitea.sh"]
+          pattern: nc -vz -w2 gitea-unittests-redis-cluster-headless.testing.svc.cluster.local 6379
--- a/unittests/helm/dependency-checks/customization-integrity-redis.yaml
+++ b/unittests/helm/dependency-checks/customization-integrity-redis.yaml
@ -0,0 +1,52 @@
+suite: Dependency checks | Customization integrity | redis
+release:
+  name: gitea-unittests
+  namespace: testing
+set:
+  redis-cluster:
+    enabled: false
+  redis:
+    enabled: true
+    architecture: standalone
+    global:
+      redis:
+        password: gitea-password
+    master:
+      count: 2
+tests:
+  - it: "[redis] configures correct 'master' nodes"
+    template: charts/redis/templates/master/application.yaml
+    asserts:
+      - documentIndex: 0
+        equal:
+          path: spec.replicas
+          value: 2
+  - it: "[redis] redis.global.redis.password is applied as expected"
+    template: charts/redis/templates/secret.yaml
+    asserts:
+      - documentIndex: 0
+        equal:
+          path: data["redis-password"]
+          value: "Z2l0ZWEtcGFzc3dvcmQ="
+  - it: "[redis] renders the referenced service"
+    template: charts/redis/templates/headless-svc.yaml
+    asserts:
+      - containsDocument:
+          kind: Service
+          apiVersion: v1
+          name: gitea-unittests-redis-headless
+          namespace: testing
+      - documentIndex: 0
+        contains:
+          path: spec.ports
+          content:
+            name: tcp-redis
+            port: 6379
+            targetPort: redis
+  - it: "[gitea] waits for redis to be up and running"
+    template: templates/gitea/init.yaml
+    asserts:
+      - documentIndex: 0
+        matchRegex:
+          path: stringData["configure_gitea.sh"]
+          pattern: nc -vz -w2 gitea-unittests-redis-headless.testing.svc.cluster.local 6379
--- a/unittests/helm/dependency-checks/major-image-bump.yaml
+++ b/unittests/helm/dependency-checks/major-image-bump.yaml
@ -0,0 +1,57 @@
+suite: Dependency checks | Major image bumps
+release:
+  name: gitea-unittests
+  namespace: testing
+tests:
+  - it: "[postgresql-ha] ensures we detect major image version upgrades"
+    template: charts/postgresql-ha/templates/postgresql/statefulset.yaml
+    set:
+      postgresql:
+        enabled: false
+      postgresql-ha:
+        enabled: true
+    asserts:
+      - documentIndex: 0
+        matchRegex:
+          path: spec.template.spec.containers[0].image
+          # IN CASE OF AN INTENTIONAL MAJOR BUMP, ADJUST THIS TEST
+          pattern: bitnami/postgresql-repmgr:17.+$
+  - it: "[postgresql] ensures we detect major image version upgrades"
+    template: charts/postgresql/templates/primary/statefulset.yaml
+    set:
+      postgresql:
+        enabled: true
+      postgresql-ha:
+        enabled: false
+    asserts:
+      - documentIndex: 0
+        matchRegex:
+          path: spec.template.spec.containers[0].image
+          # IN CASE OF AN INTENTIONAL MAJOR BUMP, ADJUST THIS TEST
+          pattern: bitnami/postgresql:17.+$
+  - it: "[redis-cluster] ensures we detect major image version upgrades"
+    template: charts/redis-cluster/templates/redis-statefulset.yaml
+    set:
+      redis-cluster:
+        enabled: true
+      redis:
+        enabled: false
+    asserts:
+      - documentIndex: 0
+        matchRegex:
+          path: spec.template.spec.containers[0].image
+          # IN CASE OF AN INTENTIONAL MAJOR BUMP, ADJUST THIS TEST
+          pattern: bitnami/redis-cluster:7.+$
+  - it: "[redis] ensures we detect major image version upgrades"
+    template: charts/redis/templates/master/application.yaml
+    set:
+      redis-cluster:
+        enabled: false
+      redis:
+        enabled: true
+    asserts:
+      - documentIndex: 0
+        matchRegex:
+          path: spec.template.spec.containers[0].image
+          # IN CASE OF AN INTENTIONAL MAJOR BUMP, ADJUST THIS TEST
+          pattern: bitnami/redis:7.+$
--- a/unittests/helm/deployment/HA.yaml
+++ b/unittests/helm/deployment/HA.yaml
@ -0,0 +1,59 @@
+suite: deployment template (HA)
+release:
+  name: gitea-unittests
+  namespace: testing
+templates:
+  - templates/gitea/deployment.yaml
+  - templates/gitea/config.yaml
+tests:
+  - it: fails with multiple replicas and "GIT_GC_REPOS" enabled
+    template: templates/gitea/deployment.yaml
+    set:
+      replicaCount: 2
+      persistence:
+        accessModes:
+          - ReadWriteMany
+      gitea:
+        config:
+          cron:
+            GIT_GC_REPOS:
+              ENABLED: true
+    asserts:
+      - failedTemplate:
+          errorMessage: "Invoking the garbage collector via CRON is not yet supported when running with multiple replicas. Please set 'gitea.config.cron.GIT_GC_REPOS.enabled = false'."
+  - it: fails with multiple replicas and RWX file system not set
+    template: templates/gitea/deployment.yaml
+    set:
+      replicaCount: 2
+    asserts:
+      - failedTemplate:
+          errorMessage: "When using multiple replicas, a RWX file system is required and persistence.accessModes[0] must be set to ReadWriteMany."
+  - it: fails with multiple replicas and bleve issue indexer
+    template: templates/gitea/deployment.yaml
+    set:
+      replicaCount: 2
+      persistence:
+        accessModes:
+          - ReadWriteMany
+      gitea:
+        config:
+          indexer:
+            ISSUE_INDEXER_TYPE: bleve
+    asserts:
+      - failedTemplate:
+          errorMessage: "When using multiple replicas, the issue indexer (gitea.config.indexer.ISSUE_INDEXER_TYPE) must be set to a HA-ready provider such as 'meilisearch', 'elasticsearch' or 'db' (if the DB is HA-ready)."
+  - it: fails with multiple replicas and bleve repo indexer
+    template: templates/gitea/deployment.yaml
+    set:
+      replicaCount: 2
+      persistence:
+        accessModes:
+          - ReadWriteMany
+      gitea:
+        config:
+          indexer:
+            REPO_INDEXER_TYPE: bleve
+            REPO_INDEXER_ENABLED: true
+    asserts:
+      - failedTemplate:
+          errorMessage: "When using multiple replicas, the repo indexer (gitea.config.indexer.REPO_INDEXER_TYPE) must be set to 'meilisearch' or 'elasticsearch' or disabled."
--- a/unittests/helm/deployment/basic.yaml
+++ b/unittests/helm/deployment/basic.yaml
@ -0,0 +1,75 @@
+suite: deployment template (basic)
+release:
+  name: gitea-unittests
+  namespace: testing
+templates:
+  - templates/gitea/deployment.yaml
+  - templates/gitea/config.yaml
+tests:
+  - it: renders a deployment
+    template: templates/gitea/deployment.yaml
+    asserts:
+      - hasDocuments:
+          count: 1
+      - containsDocument:
+          kind: Deployment
+          apiVersion: apps/v1
+          name: gitea-unittests
+  - it: deployment labels are set
+    template: templates/gitea/deployment.yaml
+    set:
+      deployment.labels:
+        hello: world
+    asserts:
+      - isSubset:
+          path: metadata.labels
+          content:
+            hello: world
+      - isSubset:
+          path: spec.template.metadata.labels
+          content:
+            hello: world
+  - it: "injects TMP_EXISTING_ENVS_FILE as environment variable to 'init-app-ini' init container"
+    template: templates/gitea/deployment.yaml
+    asserts:
+      - contains:
+          path: spec.template.spec.initContainers[1].env
+          content:
+            name: TMP_EXISTING_ENVS_FILE
+            value: /tmp/existing-envs
+  - it: "injects ENV_TO_INI_MOUNT_POINT as environment variable to 'init-app-ini' init container"
+    template: templates/gitea/deployment.yaml
+    asserts:
+      - contains:
+          path: spec.template.spec.initContainers[1].env
+          content:
+            name: ENV_TO_INI_MOUNT_POINT
+            value: /env-to-ini-mounts
+  - it: CPU resources are defined as well as GOMAXPROCS
+    template: templates/gitea/deployment.yaml
+    set:
+      resources:
+        limits:
+          cpu: 200ms
+          memory: 200Mi
+        requests:
+          cpu: 100ms
+          memory: 100Mi
+    asserts:
+      - contains:
+          path: spec.template.spec.containers[0].env
+          content:
+            name: GOMAXPROCS
+            valueFrom:
+              resourceFieldRef:
+                divisor: "1"
+                resource: limits.cpu
+      - equal:
+          path: spec.template.spec.containers[0].resources
+          value:
+            limits:
+              cpu: 200ms
+              memory: 200Mi
+            requests:
+              cpu: 100ms
+              memory: 100Mi
--- a/unittests/helm/deployment/image-configuration.yaml
+++ b/unittests/helm/deployment/image-configuration.yaml
@ -0,0 +1,110 @@
+suite: deployment template (image configuration)
+release:
+  name: gitea-unittests
+  namespace: testing
+chart:
+  # Override appVersion to be consistent with used digest :)
+  appVersion: 1.19.3
+templates:
+  - templates/gitea/deployment.yaml
+  - templates/gitea/config.yaml
+tests:
+  - it: default values
+    template: templates/gitea/deployment.yaml
+    asserts:
+      - equal:
+          path: spec.template.spec.containers[0].image
+          value: "docker.gitea.com/gitea:1.19.3-rootless"
+  - it: tag override
+    template: templates/gitea/deployment.yaml
+    set:
+      image.tag: "1.19.4"
+    asserts:
+      - equal:
+          path: spec.template.spec.containers[0].image
+          value: "docker.gitea.com/gitea:1.19.4-rootless"
+  - it: root-based image
+    template: templates/gitea/deployment.yaml
+    set:
+      image.rootless: false
+    asserts:
+      - equal:
+          path: spec.template.spec.containers[0].image
+          value: "docker.gitea.com/gitea:1.19.3"
+  - it: scoped registry
+    template: templates/gitea/deployment.yaml
+    set:
+      image.registry: "example.com"
+    asserts:
+      - equal:
+          path: spec.template.spec.containers[0].image
+          value: "example.com/gitea:1.19.3-rootless"
+  - it: global registry
+    template: templates/gitea/deployment.yaml
+    set:
+      global.imageRegistry: "global.example.com"
+    asserts:
+      - equal:
+          path: spec.template.spec.containers[0].image
+          value: "global.example.com/gitea:1.19.3-rootless"
+  - it: digest for rootless image
+    template: templates/gitea/deployment.yaml
+    set:
+      image:
+        rootless: true
+        digest: sha256:b28e8f3089b52ebe6693295df142f8c12eff354e9a4a5bfbb5c10f296c3a537a
+    asserts:
+      - equal:
+          path: spec.template.spec.containers[0].image
+          value: "docker.gitea.com/gitea:1.19.3-rootless@sha256:b28e8f3089b52ebe6693295df142f8c12eff354e9a4a5bfbb5c10f296c3a537a"
+  - it: image fullOverride (does not append rootless)
+    template: templates/gitea/deployment.yaml
+    set:
+      image:
+        fullOverride: docker.gitea.com/gitea:1.19.3
+        # setting rootless, registry, repository, tag, and digest to prove that override works
+        rootless: true
+        registry: example.com
+        repository: example/image
+        tag: "1.0.0"
+        digest: sha256:b28e8f3089b52ebe6693295df142f8c12eff354e9a4a5bfbb5c10f296c3a537a
+    asserts:
+      - equal:
+          path: spec.template.spec.containers[0].image
+          value: "docker.gitea.com/gitea:1.19.3"
+  - it: digest for root-based image
+    template: templates/gitea/deployment.yaml
+    set:
+      image:
+        rootless: false
+        digest: sha256:b28e8f3089b52ebe6693295df142f8c12eff354e9a4a5bfbb5c10f296c3a537a
+    asserts:
+      - equal:
+          path: spec.template.spec.containers[0].image
+          value: "docker.gitea.com/gitea:1.19.3@sha256:b28e8f3089b52ebe6693295df142f8c12eff354e9a4a5bfbb5c10f296c3a537a"
+  - it: digest and global registry
+    template: templates/gitea/deployment.yaml
+    set:
+      global.imageRegistry: "global.example.com"
+      image.digest: "sha256:b28e8f3089b52ebe6693295df142f8c12eff354e9a4a5bfbb5c10f296c3a537a"
+    asserts:
+      - equal:
+          path: spec.template.spec.containers[0].image
+          value: "global.example.com/gitea:1.19.3-rootless@sha256:b28e8f3089b52ebe6693295df142f8c12eff354e9a4a5bfbb5c10f296c3a537a"
+  - it: correctly renders floating tag references
+    template: templates/gitea/deployment.yaml
+    set:
+      image.tag: 1.21 # use non-quoted value on purpose. See: https://gitea.com/gitea/helm-gitea/issues/631
+    asserts:
+      - equal:
+          path: spec.template.spec.initContainers[0].image
+          value: "docker.gitea.com/gitea:1.21-rootless"
+      - equal:
+          path: spec.template.spec.initContainers[1].image
+          value: "docker.gitea.com/gitea:1.21-rootless"
+      - equal:
+          path: spec.template.spec.initContainers[2].image
+          value: "docker.gitea.com/gitea:1.21-rootless"
+      - equal:
+          path: spec.template.spec.containers[0].image
+          value: "docker.gitea.com/gitea:1.21-rootless"
--- a/unittests/helm/deployment/ingress-configuration.yaml
+++ b/unittests/helm/deployment/ingress-configuration.yaml
@ -0,0 +1,47 @@
+suite: ingress template
+release:
+  name: gitea-unittests
+  namespace: testing
+templates:
+  - templates/gitea/ingress.yaml
+tests:
+  - it: hostname using TPL
+    set:
+      global.giteaHostName: "gitea.example.com"
+      ingress.enabled: true
+      ingress.hosts[0].host: "{{ .Values.global.giteaHostName }}"
+      ingress.tls:
+        - secretName: gitea-tls
+          hosts:
+            - "{{ .Values.global.giteaHostName }}"
+    asserts:
+      - isKind:
+          of: Ingress
+      - equal:
+          path: spec.tls[0].hosts[0]
+          value: "gitea.example.com"
+      - equal:
+          path: spec.rules[0].host
+          value: "gitea.example.com"
+  - it: Ingress Class using TPL
+    set:
+      global.ingress.className: "ingress-class"
+      ingress.className: "{{ .Values.global.ingress.className }}"
+      ingress.enabled: true
+      ingress.hosts[0].host: "some-host"
+      ingress.tls:
+        - secretName: gitea-tls
+          hosts:
+            - "some-host"
+    asserts:
+      - isKind:
+          of: Ingress
+      - equal:
+          path: spec.tls[0].hosts[0]
+          value: "some-host"
+      - equal:
+          path: spec.rules[0].host
+          value: "some-host"
+      - equal:
+          path: spec.ingressClassName
+          value: "ingress-class"
--- a/unittests/helm/deployment/inline-config.yaml
+++ b/unittests/helm/deployment/inline-config.yaml
@ -0,0 +1,33 @@
+suite: config template
+release:
+  name: gitea-unittests
+  namespace: testing
+templates:
+  - templates/gitea/config.yaml
+tests:
+  - it: inline config stringData.server using TPL
+    set:
+      global.giteaHostName: "gitea.example.com"
+      ingress.enabled: true
+      ingress.hosts[0].host: "{{ .Values.global.giteaHostName }}"
+      ingress.tls:
+        - secretName: gitea-tls
+          hosts:
+            - "{{ .Values.global.giteaHostName }}"
+    asserts:
+      - documentIndex: 0
+        matchRegex:
+          path: metadata.name
+          pattern: .*-inline-config$
+      - documentIndex: 0
+        matchRegex:
+          path: stringData.server
+          pattern: DOMAIN=gitea\.example\.com
+      - documentIndex: 0
+        matchRegex:
+          path: stringData.server
+          pattern: ROOT_URL=https://gitea\.example\.com
+      - documentIndex: 0
+        matchRegex:
+          path: stringData.server
+          pattern: SSH_DOMAIN=gitea\.example\.com
--- a/unittests/helm/deployment/probes.yaml
+++ b/unittests/helm/deployment/probes.yaml
@ -0,0 +1,188 @@
+suite: deployment template (probes)
+release:
+  name: gitea-unittests
+  namespace: testing
+templates:
+  - templates/gitea/deployment.yaml
+  - templates/gitea/config.yaml
+tests:
+  - it: renders default liveness probe
+    template: templates/gitea/deployment.yaml
+    asserts:
+      - notExists:
+          path: spec.template.spec.containers[0].livenessProbe.enabled
+      - isSubset:
+          path: spec.template.spec.containers[0].livenessProbe
+          content:
+            failureThreshold: 10
+            initialDelaySeconds: 200
+            periodSeconds: 10
+            successThreshold: 1
+            tcpSocket:
+              port: http
+            timeoutSeconds: 1
+  - it: renders default readiness probe
+    template: templates/gitea/deployment.yaml
+    asserts:
+      - notExists:
+          path: spec.template.spec.containers[0].readinessProbe.enabled
+      - isSubset:
+          path: spec.template.spec.containers[0].readinessProbe
+          content:
+            failureThreshold: 3
+            initialDelaySeconds: 5
+            periodSeconds: 10
+            successThreshold: 1
+            tcpSocket:
+              port: http
+            timeoutSeconds: 1
+  - it: does not render a default startup probe
+    template: templates/gitea/deployment.yaml
+    asserts:
+      - notExists:
+          path: spec.template.spec.containers[0].startupProbe
+  - it: allows enabling a startup probe
+    template: templates/gitea/deployment.yaml
+    set:
+      gitea.startupProbe.enabled: true
+    asserts:
+      - notExists:
+          path: spec.template.spec.containers[0].startupProbe.enabled
+      - isSubset:
+          path: spec.template.spec.containers[0].startupProbe
+          content:
+            failureThreshold: 10
+            initialDelaySeconds: 60
+            periodSeconds: 10
+            successThreshold: 1
+            tcpSocket:
+              port: http
+            timeoutSeconds: 1
+
+  - it: allows overwriting the default port of the liveness probe
+    template: templates/gitea/deployment.yaml
+    set:
+      gitea:
+        livenessProbe:
+          tcpSocket:
+            port: my-port
+    asserts:
+      - isSubset:
+          path: spec.template.spec.containers[0].livenessProbe
+          content:
+            tcpSocket:
+              port: my-port
+
+  - it: allows overwriting the default port of the readiness probe
+    template: templates/gitea/deployment.yaml
+    set:
+      gitea:
+        readinessProbe:
+          tcpSocket:
+            port: my-port
+    asserts:
+      - isSubset:
+          path: spec.template.spec.containers[0].readinessProbe
+          content:
+            tcpSocket:
+              port: my-port
+
+  - it: allows overwriting the default port of the startup probe
+    template: templates/gitea/deployment.yaml
+    set:
+      gitea:
+        startupProbe:
+          enabled: true
+          tcpSocket:
+            port: my-port
+    asserts:
+      - isSubset:
+          path: spec.template.spec.containers[0].startupProbe
+          content:
+            tcpSocket:
+              port: my-port
+
+  - it: allows using a non-default method as liveness probe
+    template: templates/gitea/deployment.yaml
+    set:
+      gitea:
+        livenessProbe:
+          httpGet:
+            path: /api/healthz
+            port: http
+          initialDelaySeconds: 13371
+          timeoutSeconds: 13372
+          periodSeconds: 13373
+          successThreshold: 13374
+          failureThreshold: 13375
+    asserts:
+      - notExists:
+          path: spec.template.spec.containers[0].livenessProbe.tcpSocket
+      - isSubset:
+          path: spec.template.spec.containers[0].livenessProbe
+          content:
+            failureThreshold: 13375
+            initialDelaySeconds: 13371
+            periodSeconds: 13373
+            successThreshold: 13374
+            httpGet:
+              path: /api/healthz
+              port: http
+            timeoutSeconds: 13372
+
+  - it: allows using a non-default method as readiness probe
+    template: templates/gitea/deployment.yaml
+    set:
+      gitea:
+        readinessProbe:
+          httpGet:
+            path: /api/healthz
+            port: http
+          initialDelaySeconds: 13371
+          timeoutSeconds: 13372
+          periodSeconds: 13373
+          successThreshold: 13374
+          failureThreshold: 13375
+    asserts:
+      - notExists:
+          path: spec.template.spec.containers[0].readinessProbe.tcpSocket
+      - isSubset:
+          path: spec.template.spec.containers[0].readinessProbe
+          content:
+            failureThreshold: 13375
+            initialDelaySeconds: 13371
+            periodSeconds: 13373
+            successThreshold: 13374
+            httpGet:
+              path: /api/healthz
+              port: http
+            timeoutSeconds: 13372
+
+  - it: allows using a non-default method as startup probe
+    template: templates/gitea/deployment.yaml
+    set:
+      gitea:
+        startupProbe:
+          enabled: true
+          httpGet:
+            path: /api/healthz
+            port: http
+          initialDelaySeconds: 13371
+          timeoutSeconds: 13372
+          periodSeconds: 13373
+          successThreshold: 13374
+          failureThreshold: 13375
+    asserts:
+      - notExists:
+          path: spec.template.spec.containers[0].startupProbe.tcpSocket
+      - isSubset:
+          path: spec.template.spec.containers[0].startupProbe
+          content:
+            failureThreshold: 13375
+            initialDelaySeconds: 13371
+            periodSeconds: 13373
+            successThreshold: 13374
+            httpGet:
+              path: /api/healthz
+              port: http
+            timeoutSeconds: 13372
--- a/unittests/helm/deployment/sidecar-container.yaml
+++ b/unittests/helm/deployment/sidecar-container.yaml
@ -0,0 +1,21 @@
+suite: sidecar container
+release:
+  name: gitea-unittests
+  namespace: testing
+templates:
+  - templates/gitea/deployment.yaml
+  - templates/gitea/config.yaml
+tests:
+  - it: supports adding a sidecar container
+    template: templates/gitea/deployment.yaml
+    set:
+      extraContainers:
+        - name: sidecar-bob
+          image: busybox
+    asserts:
+      - equal:
+          path: spec.template.spec.containers[1].name
+          value: "sidecar-bob"
+      - equal:
+          path: spec.template.spec.containers[1].image
+          value: "busybox"
--- a/unittests/helm/deployment/signing-disabled.yaml
+++ b/unittests/helm/deployment/signing-disabled.yaml
--- a/unittests/helm/deployment/signing-enabled.yaml
+++ b/unittests/helm/deployment/signing-enabled.yaml
@ -28,6 +28,8 @@ tests:
          value:
            - name: GNUPGHOME
              value: /data/git/.gnupg
+            - name: TMP_RAW_GPG_KEY
+              value: /raw/private.asc
      - equal:
          path: spec.template.spec.initContainers[2].volumeMounts
          value:
--- a/unittests/helm/deployment/ssh-configuration.yaml
+++ b/unittests/helm/deployment/ssh-configuration.yaml
@ -27,6 +27,18 @@ tests:
          content:
            name: SSH_LOG_LEVEL
            value: "DEBUG"
+  - it: supports overriding SSH log level (even when image.fullOverride set)
+    template: templates/gitea/deployment.yaml
+    set:
+      image.fullOverride: docker.gitea.com/gitea:1.19.3
+      image.rootless: false
+      gitea.ssh.logLevel: "DEBUG"
+    asserts:
+      - contains:
+          path: spec.template.spec.containers[0].env
+          content:
+            name: SSH_LOG_LEVEL
+            value: "DEBUG"
  - it: skips SSH_LOG_LEVEL for rootless image
    template: templates/gitea/deployment.yaml
    set:
@ -38,3 +50,15 @@ tests:
          any: true
          content:
            name: SSH_LOG_LEVEL
+  - it: skips SSH_LOG_LEVEL for rootless image (even when image.fullOverride set)
+    template: templates/gitea/deployment.yaml
+    set:
+      image.fullOverride: docker.gitea.com/gitea:1.19.3
+      image.rootless: true
+      gitea.ssh.logLevel: "DEBUG" # explicitly defining a non-standard level here
+    asserts:
+      - notContains:
+          path: spec.template.spec.containers[0].env
+          any: true
+          content:
+            name: SSH_LOG_LEVEL
--- a/unittests/helm/deployment/storage-class-configuration.yaml
+++ b/unittests/helm/deployment/storage-class-configuration.yaml
@ -0,0 +1,39 @@
+# File: tests/gitea-storageclass-tests.yaml
+
+suite: storage class configuration tests
+
+release:
+  name: gitea-storageclass-tests
+  namespace: testing
+
+templates:
+  - templates/gitea/pvc.yaml
+
+tests:
+  - it: should set storageClassName when persistence.storageClass is defined
+    template: templates/gitea/pvc.yaml
+    set:
+      persistence.storageClass: "my-storage-class"
+    asserts:
+      - equal:
+          path: "spec.storageClassName"
+          value: "my-storage-class"
+
+  - it: should set global.storageClass when persistence.storageClass is not defined
+    template: templates/gitea/pvc.yaml
+    set:
+      global.storageClass: "default-storage-class"
+    asserts:
+      - equal:
+          path: spec.storageClassName
+          value: "default-storage-class"
+
+  - it: should set storageClassName when persistence.storageClass is defined and global.storageClass is defined
+    template: templates/gitea/pvc.yaml
+    set:
+      global.storageClass: "default-storage-class"
+      persistence.storageClass: "my-storage-class"
+    asserts:
+      - equal:
+          path: spec.storageClassName
+          value: "my-storage-class"
--- a/unittests/helm/deployment/svc-configuration.yaml
+++ b/unittests/helm/deployment/svc-configuration.yaml
@ -0,0 +1,118 @@
+suite: ssh-svc / http-svc template (Services configuration)
+release:
+  name: gitea-unittests
+  namespace: testing
+templates:
+  - templates/gitea/ssh-svc.yaml
+  - templates/gitea/http-svc.yaml
+tests:
+  - it: supports adding custom labels to ssh-svc
+    template: templates/gitea/ssh-svc.yaml
+    set:
+      service:
+        ssh:
+          labels:
+            gitea/testkey: testvalue
+    asserts:
+      - equal:
+          path: metadata.labels["gitea/testkey"]
+          value: "testvalue"
+
+  - it: keeps existing labels (ssh)
+    template: templates/gitea/ssh-svc.yaml
+    set:
+      service:
+        ssh:
+          labels: {}
+    asserts:
+      - exists:
+          path: metadata.labels["app"]
+
+  - it: supports adding custom labels to http-svc
+    template: templates/gitea/http-svc.yaml
+    set:
+      service:
+        http:
+          labels:
+            gitea/testkey: testvalue
+    asserts:
+      - equal:
+          path: metadata.labels["gitea/testkey"]
+          value: "testvalue"
+
+  - it: keeps existing labels (http)
+    template: templates/gitea/http-svc.yaml
+    set:
+      service:
+        http:
+          labels: {}
+    asserts:
+      - exists:
+          path: metadata.labels["app"]
+
+  - it: render service.ssh.loadBalancerClass if set and type is LoadBalancer
+    template: templates/gitea/ssh-svc.yaml
+    set:
+      service:
+        ssh:
+          loadBalancerClass: "example.com/class"
+          type: LoadBalancer
+          loadBalancerIP: "1.2.3.4"
+          loadBalancerSourceRanges:
+            - "1.2.3.4/32"
+            - "5.6.7.8/32"
+    asserts:
+      - equal:
+          path: spec.loadBalancerClass
+          value: "example.com/class"
+      - equal:
+          path: spec.loadBalancerIP
+          value: "1.2.3.4"
+      - equal:
+          path: spec.loadBalancerSourceRanges
+          value: ["1.2.3.4/32", "5.6.7.8/32"]
+
+  - it: does not render when loadbalancer properties are set but type is not loadBalancerClass
+    template: templates/gitea/http-svc.yaml
+    set:
+      service:
+        http:
+          type: ClusterIP
+          loadBalancerClass: "example.com/class"
+          loadBalancerIP: "1.2.3.4"
+          loadBalancerSourceRanges:
+            - "1.2.3.4/32"
+            - "5.6.7.8/32"
+    asserts:
+      - notExists:
+          path: spec.loadBalancerClass
+      - notExists:
+          path: spec.loadBalancerIP
+      - notExists:
+          path: spec.loadBalancerSourceRanges
+
+  - it: does not render loadBalancerClass by default even when type is LoadBalancer
+    template: templates/gitea/http-svc.yaml
+    set:
+      service:
+        http:
+          type: LoadBalancer
+          loadBalancerIP: "1.2.3.4"
+    asserts:
+      - notExists:
+          path: spec.loadBalancerClass
+      - equal:
+          path: spec.loadBalancerIP
+          value: "1.2.3.4"
+
+  - it: both ssh and http services exist
+    templates:
+      - templates/gitea/ssh-svc.yaml
+      - templates/gitea/http-svc.yaml
+    asserts:
+      - matchRegex:
+          path: metadata.name
+          pattern: "^gitea-unittests-(?:ssh|http)$"
+      - matchRegex:
+          path: spec.ports[0].name
+          pattern: "^(?:ssh|http)$"
--- a/unittests/helm/gpg-secret/signing-disabled.yaml
+++ b/unittests/helm/gpg-secret/signing-disabled.yaml
--- a/unittests/helm/gpg-secret/signing-enabled.yaml
+++ b/unittests/helm/gpg-secret/signing-enabled.yaml
@ -33,7 +33,7 @@ tests:
          kind: Secret
          apiVersion: v1
          name: gitea-unittests-gpg-key
-      - isNotEmpty:
+      - isNotNullOrEmpty:
          path: metadata.labels
      - equal:
          path: data.privateKey
--- a/unittests/helm/init/basic.yaml
+++ b/unittests/helm/init/basic.yaml
--- a/unittests/helm/init/init_directory_structure.sh-rootless.yaml
+++ b/unittests/helm/init/init_directory_structure.sh-rootless.yaml
@ -15,11 +15,11 @@ tests:
    asserts:
      - equal:
          path: stringData["configure_gpg_environment.sh"]
-          value: |-
+          value: |
            #!/usr/bin/env bash
            set -eu

-            gpg --batch --import /raw/private.asc
+            gpg --batch --import "$TMP_RAW_GPG_KEY"
  - it: skips gpg script block for disabled signing
    asserts:
      - equal:
@ -28,15 +28,13 @@ tests:
            #!/usr/bin/env bash

            set -euo pipefail
-
-            set -x
-            mkdir -p /data/git/.ssh
-            chmod -R 700 /data/git/.ssh
-            [ ! -d /data/gitea/conf ] && mkdir -p /data/gitea/conf
+            mkdir -pv /data/git/.ssh
+            chmod -Rv 700 /data/git/.ssh
+            [ ! -d /data/gitea/conf ] && mkdir -pv /data/gitea/conf

            # prepare temp directory structure
-            mkdir -p "${GITEA_TEMP}"
-            chmod ug+rwx "${GITEA_TEMP}"
+            mkdir -pv "${GITEA_TEMP}"
+            chmod -v ug+rwx "${GITEA_TEMP}"
  - it: adds gpg script block for enabled signing
    set:
      signing.enabled: true
@ -51,18 +49,34 @@ tests:
            #!/usr/bin/env bash

            set -euo pipefail
-
-            set -x
-            mkdir -p /data/git/.ssh
-            chmod -R 700 /data/git/.ssh
-            [ ! -d /data/gitea/conf ] && mkdir -p /data/gitea/conf
+            mkdir -pv /data/git/.ssh
+            chmod -Rv 700 /data/git/.ssh
+            [ ! -d /data/gitea/conf ] && mkdir -pv /data/gitea/conf

            # prepare temp directory structure
-            mkdir -p "${GITEA_TEMP}"
-            chmod ug+rwx "${GITEA_TEMP}"
+            mkdir -pv "${GITEA_TEMP}"
+            chmod -v ug+rwx "${GITEA_TEMP}"

            if [ ! -d "${GNUPGHOME}" ]; then
-              mkdir -p "${GNUPGHOME}"
-              chmod 700 "${GNUPGHOME}"
-              chown 1000:1000 "${GNUPGHOME}"
+              mkdir -pv "${GNUPGHOME}"
+              chmod -v 700 "${GNUPGHOME}"
+              chown -v 1000:1000 "${GNUPGHOME}"
            fi
+  - it: it does not chown /data even when image.fullOverride is set
+    template: templates/gitea/init.yaml
+    set:
+      image.fullOverride: docker.gitea.com/gitea:1.20.5
+    asserts:
+      - equal:
+          path: stringData["init_directory_structure.sh"]
+          value: |-
+            #!/usr/bin/env bash
+
+            set -euo pipefail
+            mkdir -pv /data/git/.ssh
+            chmod -Rv 700 /data/git/.ssh
+            [ ! -d /data/gitea/conf ] && mkdir -pv /data/gitea/conf
+
+            # prepare temp directory structure
+            mkdir -pv "${GITEA_TEMP}"
+            chmod -v ug+rwx "${GITEA_TEMP}"
--- a/unittests/helm/init/init_directory_structure.sh.yaml
+++ b/unittests/helm/init/init_directory_structure.sh.yaml
@ -16,11 +16,11 @@ tests:
    asserts:
      - equal:
          path: stringData["configure_gpg_environment.sh"]
-          value: |-
+          value: |
            #!/usr/bin/env bash
            set -eu

-            gpg --batch --import /raw/private.asc
+            gpg --batch --import "$TMP_RAW_GPG_KEY"
  - it: skips gpg script block for disabled signing
    set:
      image.rootless: false
@ -31,17 +31,15 @@ tests:
            #!/usr/bin/env bash

            set -euo pipefail
-
-            set -x
-            chown 1000:1000 /data
-            mkdir -p /data/git/.ssh
-            chmod -R 700 /data/git/.ssh
-            [ ! -d /data/gitea/conf ] && mkdir -p /data/gitea/conf
+            chown -v 1000:1000 /data
+            mkdir -pv /data/git/.ssh
+            chmod -Rv 700 /data/git/.ssh
+            [ ! -d /data/gitea/conf ] && mkdir -pv /data/gitea/conf

            # prepare temp directory structure
-            mkdir -p "${GITEA_TEMP}"
-            chown 1000:1000 "${GITEA_TEMP}"
-            chmod ug+rwx "${GITEA_TEMP}"
+            mkdir -pv "${GITEA_TEMP}"
+            chown -v 1000:1000 "${GITEA_TEMP}"
+            chmod -v ug+rwx "${GITEA_TEMP}"
  - it: adds gpg script block for enabled signing
    set:
      image.rootless: false
@ -57,20 +55,18 @@ tests:
            #!/usr/bin/env bash

            set -euo pipefail
-
-            set -x
-            chown 1000:1000 /data
-            mkdir -p /data/git/.ssh
-            chmod -R 700 /data/git/.ssh
-            [ ! -d /data/gitea/conf ] && mkdir -p /data/gitea/conf
+            chown -v 1000:1000 /data
+            mkdir -pv /data/git/.ssh
+            chmod -Rv 700 /data/git/.ssh
+            [ ! -d /data/gitea/conf ] && mkdir -pv /data/gitea/conf

            # prepare temp directory structure
-            mkdir -p "${GITEA_TEMP}"
-            chown 1000:1000 "${GITEA_TEMP}"
-            chmod ug+rwx "${GITEA_TEMP}"
+            mkdir -pv "${GITEA_TEMP}"
+            chown -v 1000:1000 "${GITEA_TEMP}"
+            chmod -v ug+rwx "${GITEA_TEMP}"

            if [ ! -d "${GNUPGHOME}" ]; then
-              mkdir -p "${GNUPGHOME}"
-              chmod 700 "${GNUPGHOME}"
-              chown 1000:1000 "${GNUPGHOME}"
+              mkdir -pv "${GNUPGHOME}"
+              chmod -v 700 "${GNUPGHOME}"
+              chown -v 1000:1000 "${GNUPGHOME}"
            fi
--- a/unittests/helm/metric-secret/metrics-secret-servicemonitor-disabled.yaml
+++ b/unittests/helm/metric-secret/metrics-secret-servicemonitor-disabled.yaml
@ -0,0 +1,23 @@
+suite: Metrics secret template (monitoring disabled)
+release:
+  name: gitea-unittests
+  namespace: testing
+templates:
+  - templates/gitea/metrics-secret.yaml
+tests:
+  - it: renders nothing if monitoring disabled and gitea.metrics.token empty
+    set:
+      gitea.metrics.enabled: false
+      gitea.metrics.serviceMonitor.enabled: false
+      gitea.metrics.token: ""
+    asserts:
+      - hasDocuments:
+          count: 0
+  - it: renders nothing if monitoring disabled and gitea.metrics.token not empty
+    set:
+      gitea.metrics.enabled: false
+      gitea.metrics.serviceMonitor.enabled: false
+      gitea.metrics.token: "test-token"
+    asserts:
+      - hasDocuments:
+          count: 0
--- a/unittests/helm/metric-secret/metrics-secret-servicemonitor-enabled.yaml
+++ b/unittests/helm/metric-secret/metrics-secret-servicemonitor-enabled.yaml
@ -0,0 +1,33 @@
+suite: Metrics secret template (monitoring enabled)
+release:
+  name: gitea-unittests
+  namespace: testing
+templates:
+  - templates/gitea/metrics-secret.yaml
+tests:
+  - it: renders nothing if monitoring enabled and gitea.metrics.token empty
+    set:
+      gitea.metrics.enabled: true
+      gitea.metrics.serviceMonitor.enabled: true
+      gitea.metrics.token: ""
+    asserts:
+      - hasDocuments:
+          count: 0
+  - it: renders Secret if monitoring enabled and gitea.metrics.token not empty
+    set:
+      gitea.metrics.enabled: true
+      gitea.metrics.serviceMonitor.enabled: true
+      gitea.metrics.token: "test-token"
+    asserts:
+      - hasDocuments:
+          count: 1
+      - documentIndex: 0
+        containsDocument:
+          kind: Secret
+          apiVersion: v1
+          name: gitea-unittests-metrics-secret
+      - isNotNullOrEmpty:
+          path: metadata.labels
+      - equal:
+          path: data.token
+          value: "dGVzdC10b2tlbg=="
--- a/unittests/helm/pvc/pvc-configuration.yaml
+++ b/unittests/helm/pvc/pvc-configuration.yaml
@ -0,0 +1,19 @@
+suite: PVC template
+release:
+  name: gitea-unittests
+  namespace: testing
+templates:
+  - templates/gitea/pvc.yaml
+tests:
+  - it: Storage Class using TPL
+    set:
+      global.persistence.storageClass: "storage-class"
+      persistence.enabled: true
+      persistence.create: true
+      persistence.storageClass: "{{ .Values.global.persistence.storageClass }}"
+    asserts:
+      - isKind:
+          of: PersistentVolumeClaim
+      - equal:
+          path: spec.storageClassName
+          value: "storage-class"
--- a/unittests/helm/serviceaccount/basic.yaml
+++ b/unittests/helm/serviceaccount/basic.yaml
--- a/unittests/helm/serviceaccount/reference.yaml
+++ b/unittests/helm/serviceaccount/reference.yaml
--- a/Show More
+++ b/Show More