chore(deps): update redis-cluster docker tag to v9.0.12 (#511)

Co-authored-by: Renovate Bot <renovate-bot@gitea.com>
Co-committed-by: Renovate Bot <renovate-bot@gitea.com>

.gitea/workflows/release-version.yml

@@ -5,19 +5,29 @@ on:
     tags:
       - "*"
 
+env:
+  # renovate: datasource=docker depName=alpine/helm
+  HELM_VERSION: "3.12.3"
+
 jobs:
   generate-chart-publish:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - name: install tools
         run: |
           apt update -y
-          apt install -y curl
+          apt install -y curl ca-certificates curl gnupg
+          # helm
           curl https://baltocdn.com/helm/signing.asc | gpg --dearmor | tee /usr/share/keyrings/helm.gpg > /dev/null
           echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/helm.gpg] https://baltocdn.com/helm/stable/debian/ all main" | tee /etc/apt/sources.list.d/helm-stable-debian.list
+          # docker
+          install -m 0755 -d /etc/apt/keyrings
+          curl -fsSL https://download.docker.com/linux/debian/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg
+          chmod a+r /etc/apt/keyrings/docker.gpg
+          echo "deb [arch="$(dpkg --print-architecture)" signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian "$(. /etc/os-release && echo "$VERSION_CODENAME")" stable" | tee /etc/apt/sources.list.d/docker.list > /dev/null
           apt update -y
-          apt install -y python helm python3-pip apt-transport-https
+          apt install -y python helm=${{ env.HELM_VERSION }}-1 python3-pip apt-transport-https docker-ce-cli
           pip install awscli
 
       - name: Import GPG key
@@ -31,6 +41,7 @@ jobs:
       # Using helm gpg plugin as 'helm package --sign' has issues with gpg2: https://github.com/helm/helm/issues/2843
       - name: package chart
         run: |
+          echo ${{ secrets.DOCKER_PASSWORD }} | docker login -u ${{ secrets.DOCKER_USERNAME }} --password-stdin
           # FIXME: use upstream after https://github.com/technosophos/helm-gpg/issues/1 is solved
           helm plugin install https://github.com/pat-s/helm-gpg
           helm dependency update

.gitea/workflows/test-pr.yml

@@ -3,30 +3,29 @@ name: check-and-test
 on:
   - pull_request
 
+env:
+  # renovate: datasource=github-releases depName=helm-unittest/helm-unittest
+  HELM_UNITTEST_VERSION: "0.3.4"
+
 jobs:
   check-and-test:
     runs-on: ubuntu-latest
+    container: alpine/helm:3.12.3
     steps:
-      - uses: actions/checkout@v3
       - name: install tools
         run: |
-          apt update -y
-          apt install -y curl make
-          curl https://baltocdn.com/helm/signing.asc | gpg --dearmor | tee /usr/share/keyrings/helm.gpg > /dev/null
-          echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/helm.gpg] https://baltocdn.com/helm/stable/debian/ all main" | tee /etc/apt/sources.list.d/helm-stable-debian.list
-          apt update -y
-          apt install -y helm python3-pip
-          pip install yamllint
-      - name: dependency update
-        run: helm dependency update
+          apk update
+          apk add --update make nodejs npm yamllint
+      - uses: actions/checkout@v4
+      - name: install chart dependencies
+        run: helm dependency build
       - name: lint
         run: helm lint
       - name: template
-        run: |
-          helm template --debug gitea-helm .
+        run: helm template --debug gitea-helm .
       - name: unit tests
         run: |
-          helm plugin install --version 0.3.3 https://github.com/helm-unittest/helm-unittest
+          helm plugin install --version ${{ env.HELM_UNITTEST_VERSION }} https://github.com/helm-unittest/helm-unittest
           make unittests
       - name: verify readme
         run: |

.vscode/extensions.json

@@ -0,0 +1,8 @@
+{
+    "recommendations": [
+        "yzhang.markdown-all-in-one",
+        "DavidAnson.vscode-markdownlint",
+        "Tim-Koehler.helm-intellisense",
+        "esbenp.prettier-vscode"
+    ]
+  }

.vscode/settings.json

@@ -0,0 +1,8 @@
+{
+    "yaml.schemas": {
+        "https://raw.githubusercontent.com/helm-unittest/helm-unittest/main/schema/helm-testsuite.json": [
+            "/unittests/**/*.yaml"
+        ]
+    },
+    "yaml.schemaStore.enable": true
+}

CONTRIBUTING.md

@@ -9,12 +9,7 @@ refactorings for easier maintainability or documentation improvements.
 - [`helm`](https://helm.sh/docs/intro/install/)
 - `make` is optional; you may call the commands directly
 
-When using Visual Studio Code as IDE, following plugins might be useful:
-
-- [Markdown All in One](https://marketplace.visualstudio.com/items?itemName=yzhang.markdown-all-in-one)
-- [markdownlint](https://marketplace.visualstudio.com/items?itemName=DavidAnson.vscode-markdownlint)
-- [Helm Intellisense](https://marketplace.visualstudio.com/items?itemName=Tim-Koehler.helm-intellisense)
-- [Prettier - Code formatter](https://marketplace.visualstudio.com/items?itemName=esbenp.prettier-vscode)
+When using Visual Studio Code as IDE, a [ready-to-use profile](.vscode/) is available.
 
 ## Documentation Requirements
 
@@ -61,7 +56,7 @@ $ helm plugin install https://github.com/helm-unittest/helm-unittest
 make unittests
 ```
 
-See [plugin documentation](https://github.com/helm-unittest/helm-unittest/blob/v0.3.3/DOCUMENT.md) for usage instructions.
+See [plugin documentation](https://github.com/helm-unittest/helm-unittest/blob/main/DOCUMENT.md) for usage instructions.
 
 ## Release process
 

Chart.lock

@@ -1,12 +1,12 @@
 dependencies:
 - name: postgresql
   repository: oci://registry-1.docker.io/bitnamicharts
-  version: 12.10.1
+  version: 12.12.10
 - name: postgresql-ha
   repository: oci://registry-1.docker.io/bitnamicharts
-  version: 11.9.2
+  version: 11.9.4
 - name: redis-cluster
   repository: oci://registry-1.docker.io/bitnamicharts
-  version: 8.8.2
-digest: sha256:a9506ea21ff576b301fd9d16a240a55d86ca2d5bbe20ec0fd78272c855786f7f
-generated: "2023-09-07T00:03:27.653856865Z"
+  version: 9.0.12
+digest: sha256:14cda459c5eeadc1e86835b7436f23a8a21122fcf4fb103404de6183075cb8a3
+generated: "2023-10-15T01:17:05.004977938Z"

Chart.yaml

@@ -3,7 +3,7 @@ name: gitea
 description: Gitea Helm chart for Kubernetes
 type: application
 version: 0.0.0
-appVersion: 1.20.4
+appVersion: 1.20.5
 icon: https://gitea.com/assets/img/logo.svg
 
 keywords:
@@ -33,18 +33,18 @@ maintainers:
 
 # Bitnami charts are served from GitHub CDN - See https://github.com/bitnami/charts/issues/10539 for details
 dependencies:
-  #https://github.com/bitnami/charts/blob/main/bitnami/postgresql
+  # https://github.com/bitnami/charts/blob/main/bitnami/postgresql
   - name: postgresql
     repository: oci://registry-1.docker.io/bitnamicharts
-    version: 12.10.1
+    version: 12.12.10
     condition: postgresql.enabled
   # https://github.com/bitnami/charts/blob/main/bitnami/postgresql-ha/Chart.yaml
   - name: postgresql-ha
     repository: oci://registry-1.docker.io/bitnamicharts
-    version: 11.9.2
+    version: 11.9.4
     condition: postgresql-ha.enabled
   # https://github.com/bitnami/charts/blob/main/bitnami/redis-cluster/Chart.yaml
   - name: redis-cluster
     repository: oci://registry-1.docker.io/bitnamicharts
-    version: 8.8.2
+    version: 9.0.12
     condition: redis-cluster.enabled

README.md

@@ -10,7 +10,7 @@
     - [Database defaults](#database-defaults)
     - [Server defaults](#server-defaults)
     - [Metrics defaults](#metrics-defaults)
-  - [Minimal Configuration](#minimal-configuration)
+  - [Single-Pod Configurations](#single-pod-configurations)
   - [Additional _app.ini_ settings](#additional-appini-settings)
     - [User defined environment variables in app.ini](#user-defined-environment-variables-in-appini)
   - [External Database](#external-database)
@@ -27,6 +27,7 @@
 - [Metrics and profiling](#metrics-and-profiling)
 - [Pod annotations](#pod-annotations)
 - [Themes](#themes)
+- [Renovate](#renovate)
 - [Parameters](#parameters)
   - [Global](#global)
   - [strategy](#strategy)
@@ -171,35 +172,77 @@ The Prometheus `/metrics` endpoint is disabled by default.
 ENABLED = false
 ```
 
-### Minimal Configuration
+### Single-Pod Configurations
 
-For a minimal installation, i.e. without HA dependencies and using the built-in SQLITE DB instead of Postgres, the following configuration can be used:
+If HA is not needed/desired, the following configurations can be used to deploy a single-pod Gitea instance.
 
-```yaml
-redis-cluster:
-  enabled: false
-postgresql:
-  enabled: false
-postgresql-ha:
-  enabled: false
+1. For a production-ready single-pod Gitea instance without external dependencies (using the chart dependency `postgresql`):
 
-persistence:
-  enabled: false
+   <details>
 
-gitea:
-  config:
-    database:
-      DB_TYPE: sqlite3
-    session:
-      PROVIDER: memory
-    cache:
-      ADAPTER: memory
-    queue:
-      TYPE: level
-```
+   <summary>values.yml</summary>
 
-This will result in a single-pod Gitea instance without any dependencies and persistence.
-Do not use this configuration for production use.
+   ```yaml
+   redis-cluster:
+     enabled: false
+   postgresql:
+     enabled: true
+   postgresql-ha:
+     enabled: false
+
+   persistence:
+     enabled: true
+
+   gitea:
+     config:
+       database:
+         DB_TYPE: postgres
+       session:
+         PROVIDER: db
+       cache:
+         ADAPTER: memory
+       queue:
+         TYPE: level
+       indexer:
+         ISSUE_INDEXER_TYPE: bleve
+         REPO_INDEXER_ENABLED: true
+   ```
+
+   </details>
+
+2. For a minimal DEV installation (using the built-in sqlite DB instead of Postgres):
+
+   This will result in a single-pod Gitea instance _without any dependencies and persistence_.
+   **Do not use this configuration for production use**.
+
+   <details>
+  
+   <summary>values.yml</summary>
+  
+   ```yaml
+   redis-cluster:
+     enabled: false
+   postgresql:
+     enabled: false
+   postgresql-ha:
+     enabled: false
+  
+   persistence:
+     enabled: false
+  
+   gitea:
+     config:
+       database:
+         DB_TYPE: sqlite3
+       session:
+         PROVIDER: memory
+       cache:
+         ADAPTER: memory
+       queue:
+         TYPE: level
+   ```
+
+   </details>
 
 ### Additional _app.ini_ settings
 
@@ -691,6 +734,34 @@ or natively via `kubectl`:
 kubectl create secret generic gitea-themes --from-file={{FULL-PATH-TO-CSS}} --namespace gitea
 ```
 
+## Renovate
+
+To be able to use a digest value which is automatically updated by `Renovate` a [customManager](https://docs.renovatebot.com/modules/manager/regex/) is required.
+Here's an examplary `values.yml` definition which makes use of a digest:
+
+```yaml
+image:
+  repository: gitea/gitea
+  tag: 1.20.2
+  digest: sha256:6e3b85a36653894d6741d0aefb41dfaac39044e028a42e0a520cc05ebd7bfc3f
+```
+
+By default Renovate adds digest after the `tag`.
+To comply with the Gitea helm chart definition of the digest parameter, a "customManagers" definition is required:
+
+```json
+"customManagers": [
+  {
+    "customType": "regex",
+    "description": "Apply an explicit gitea digest field match",
+    "fileMatch": ["values\\.ya?ml"],
+    "matchStrings": ["(?<depName>gitea\\/gitea)\\n(?<indentation>\\s+)tag: (?<currentValue>[^@].*?)\\n\\s+digest: (?<currentDigest>sha256:[a-f0-9]+)"],
+    "datasourceTemplate": "docker",
+    "autoReplaceStringTemplate": "{{depName}}\n{{indentation}}tag: {{newValue}}\n{{indentation}}digest: {{#if newDigest}}{{{newDigest}}}{{else}}{{{currentDigest}}}{{/if}}"
+  }
+]
+```
+
 ## Parameters
 
 ### Global
@@ -719,6 +790,7 @@ kubectl create secret generic gitea-themes --from-file={{FULL-PATH-TO-CSS}} --na
 | `image.registry`   | image registry, e.g. gcr.io,docker.io                                                                                                   | `""`          |
 | `image.repository` | Image to start for this pod                                                                                                             | `gitea/gitea` |
 | `image.tag`        | Visit: [Image tag](https://hub.docker.com/r/gitea/gitea/tags?page=1&ordering=last_updated). Defaults to `appVersion` within Chart.yaml. | `""`          |
+| `image.digest`     | Image digest. Allows to pin the given image tag. Useful for having control over mutable tags like `latest`                              | `""`          |
 | `image.pullPolicy` | Image pull policy                                                                                                                       | `Always`      |
 | `image.rootless`   | Wether or not to pull the rootless version of Gitea, only works on Gitea 1.14.x or higher                                               | `true`        |
 | `imagePullSecrets` | Secret to use for pulling the image                                                                                                     | `[]`          |
@@ -995,15 +1067,17 @@ The previous `memcache` default was not HA-ready, hence we decided to switch to
 If you are coming from an existing deployment and [#356](https://gitea.com/gitea/helm-chart/issues/356) is still open, you need to set the config sections for `cache`, `session` and `queue` explicitly:
 
 ```yaml
+gitea:
+  config:
     session:
       PROVIDER: redis-cluster
       PROVIDER_CONFIG: redis+cluster://:gitea@gitea-redis-cluster-headless.<namespace>.svc.cluster.local:6379/0?pool_size=100&idle_timeout=180s&
-      
+
     cache:
       ENABLED: true
       ADAPTER: redis-cluster
       HOST: redis+cluster://:gitea@gitea-redis-cluster-headless.<namespace>.svc.cluster.local:6379/0?pool_size=100&idle_timeout=180s&
-      
+
     queue:
       TYPE: redis
       CONN_STR: redis+cluster://:gitea@gitea-redis-cluster-headless.<namespace>.svc.cluster.local:6379/0?pool_size=100&idle_timeout=180s&
@@ -1011,6 +1085,7 @@ If you are coming from an existing deployment and [#356](https://gitea.com/gitea
 
 <!-- markdownlint-disable-next-line -->
 **Switch to rootless image by default**
+
 If you are facing errors like `WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED` due to this automatic transition:
 Have a look at [this discussion](https://gitea.com/gitea/helm-chart/issues/487#issue-220660) and either set `image.rootless: false` or manually update your `~/.ssh/known_hosts` file(s).
 

package-lock.json

@@ -8,7 +8,7 @@
       "license": "MIT",
       "devDependencies": {
         "@bitnami/readme-generator-for-helm": "^2.5.0",
-        "markdownlint-cli": "^0.36.0"
+        "markdownlint-cli": "^0.37.0"
       },
       "engines": {
         "node": ">=16.0.0",
@@ -16,9 +16,9 @@
       }
     },
     "node_modules/@bitnami/readme-generator-for-helm": {
-      "version": "2.5.1",
-      "resolved": "https://registry.npmjs.org/@bitnami/readme-generator-for-helm/-/readme-generator-for-helm-2.5.1.tgz",
-      "integrity": "sha512-LRSq43HwfgmTJZ4rwpXHf6d7DGnY+j2BtgVlc2hPqfRtqj36NRYl83Zv9WjRGvwF8Zr6Iwa1AgvewiAxdWlMzg==",
+      "version": "2.5.2",
+      "resolved": "https://registry.npmjs.org/@bitnami/readme-generator-for-helm/-/readme-generator-for-helm-2.5.2.tgz",
+      "integrity": "sha512-hOPksxEjC1maj5Ug0pC01M1BV0MZUU3xqvMpo1asMXvRIkKhdo649mI55sZy8mH+ow9oVWJ+0Xl5cVwCyCEXiQ==",
       "dev": true,
       "dependencies": {
         "commander": "^7.1.0",
@@ -399,9 +399,9 @@
       }
     },
     "node_modules/markdownlint": {
-      "version": "0.30.0",
-      "resolved": "https://registry.npmjs.org/markdownlint/-/markdownlint-0.30.0.tgz",
-      "integrity": "sha512-nInuFvI/rEzanAOArW5490Ez4EYpB5ODqVM0mcDYCPx9DKJWCQqCgejjiCvbSeE7sjbDscVtZmwr665qpF5xGA==",
+      "version": "0.31.1",
+      "resolved": "https://registry.npmjs.org/markdownlint/-/markdownlint-0.31.1.tgz",
+      "integrity": "sha512-CKMR2hgcIBrYlIUccDCOvi966PZ0kJExDrUi1R+oF9PvqQmCrTqjOsgIvf2403OmJ+CWomuzDoylr6KbuMyvHA==",
       "dev": true,
       "dependencies": {
         "markdown-it": "13.0.1",
@@ -412,9 +412,9 @@
       }
     },
     "node_modules/markdownlint-cli": {
-      "version": "0.36.0",
-      "resolved": "https://registry.npmjs.org/markdownlint-cli/-/markdownlint-cli-0.36.0.tgz",
-      "integrity": "sha512-h4WdqOam3+QOVOcJSOQuG8KvvN8dlS0OiJhbPwYWBk7VMZR40UtSSMIOpSP5B4EHPHg3W3ILSQUvqg1HNpTCxA==",
+      "version": "0.37.0",
+      "resolved": "https://registry.npmjs.org/markdownlint-cli/-/markdownlint-cli-0.37.0.tgz",
+      "integrity": "sha512-hNKAc0bWBBuVhJbSWbUhRzavstiB4o1jh3JeSpwC4/dt6eJ54lRfYHRxVdzVp4qGWBKbeE6Pg490PFEfrKjqSg==",
       "dev": true,
       "dependencies": {
         "commander": "~11.0.0",
@@ -423,7 +423,7 @@
         "ignore": "~5.2.4",
         "js-yaml": "^4.1.0",
         "jsonc-parser": "~3.2.0",
-        "markdownlint": "~0.30.0",
+        "markdownlint": "~0.31.1",
         "minimatch": "~9.0.3",
         "run-con": "~1.3.2"
       },
@@ -453,9 +453,9 @@
       }
     },
     "node_modules/markdownlint-cli/node_modules/glob": {
-      "version": "10.3.4",
-      "resolved": "https://registry.npmjs.org/glob/-/glob-10.3.4.tgz",
-      "integrity": "sha512-6LFElP3A+i/Q8XQKEvZjkEWEOTgAIALR9AO2rwT8bgPhDd1anmqDJDZ6lLddI4ehxxxR1S5RIqKe1uapMQfYaQ==",
+      "version": "10.3.5",
+      "resolved": "https://registry.npmjs.org/glob/-/glob-10.3.5.tgz",
+      "integrity": "sha512-bYUpUD7XDEHI4Q2O5a7PXGvyw4deKR70kHiDxzQbe925wbZknhOzUt2xBgTkYL6RBcVeXYuD9iNYeqoWbBZQnA==",
       "dev": true,
       "dependencies": {
         "foreground-child": "^3.1.0",

package.json

@@ -14,6 +14,6 @@
   },
   "devDependencies": {
     "@bitnami/readme-generator-for-helm": "^2.5.0",
-    "markdownlint-cli": "^0.36.0"
+    "markdownlint-cli": "^0.37.0"
   }
 }

renovate.json5

@@ -1,4 +1,25 @@
 {
-  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
-  "extends": ["gitea>gitea/renovate-config"],
+  $schema: "https://docs.renovatebot.com/renovate-schema.json",
+  extends: ["gitea>gitea/renovate-config"],
+  labels: ["kind/dependency"],
+  customManagers: [
+      {
+        description: 'Gitea-version of https://docs.renovatebot.com/presets-regexManagers/#regexmanagersgithubactionsversions',
+        customType: 'regex',
+        fileMatch: ['.gitea/workflows/.+\\.ya?ml$'],
+        matchStrings: [
+          '# renovate: datasource=(?<datasource>[a-z-.]+?) depName=(?<depName>[^\\s]+?)(?: (?:lookupName|packageName)=(?<packageName>[^\\s]+?))?(?: versioning=(?<versioning>[a-z-0-9]+?))?\\s+[A-Za-z0-9_]+?_VERSION\\s*:\\s*["\']?(?<currentValue>.+?)["\']?\\s',
+        ],
+      },
+    ],
+  packageRules: [
+    {
+      description: "Automerge minor + patch dependency updates weekly",
+      matchManagers: ["helmv3"],
+      matchUpdateTypes: ["minor", "patch", "digest"],
+      automerge: true,
+      automergeStrategy: "squash",
+      extends: ["schedule:weekly"],
+    },
+  ],
 }

templates/_helpers.tpl

@@ -57,13 +57,18 @@ Create image name and tag used by the deployment.
 */}}
 {{- define "gitea.image" -}}
 {{- $registry := .Values.global.imageRegistry | default .Values.image.registry -}}
-{{- $name := .Values.image.repository -}}
+{{- $repository := .Values.image.repository -}}
+{{- $separator := ":" -}}
 {{- $tag := .Values.image.tag | default .Chart.AppVersion -}}
 {{- $rootless := ternary "-rootless" "" (.Values.image.rootless) -}}
-{{- if $registry -}}
-  {{- printf "%s/%s:%s%s" $registry $name $tag $rootless -}}
+{{- $digest := "" -}}
+{{- if .Values.image.digest }}
+    {{- $digest = (printf "@%s" (.Values.image.digest | toString)) -}}
+{{- end -}}
+{{- if $registry }}
+    {{- printf "%s/%s%s%s%s%s" $registry $repository $separator $tag $rootless $digest -}}
 {{- else -}}
-  {{- printf "%s:%s%s" $name $tag $rootless -}}
+    {{- printf "%s%s%s%s%s" $repository $separator $tag $rootless $digest -}}
 {{- end -}}
 {{- end -}}
 
@@ -114,7 +119,7 @@ app.kubernetes.io/instance: {{ .Release.Name }}
 
 {{- define "postgresql-ha.dns" -}}
 {{- if (index .Values "postgresql-ha").enabled -}}
-{{- printf "%s-postgresql-ha-postgresql.%s.svc.%s:%g" .Release.Name .Release.Namespace .Values.clusterDomain (index .Values "postgresql-ha" "service" "ports" "postgresql") -}}
+{{- printf "%s-postgresql-ha-pgpool.%s.svc.%s:%g" .Release.Name .Release.Namespace .Values.clusterDomain (index .Values "postgresql-ha" "service" "ports" "postgresql") -}}
 {{- end -}}
 {{- end -}}
 

templates/gitea/ingress.yaml

@@ -28,14 +28,14 @@ spec:
   {{- range .Values.ingress.tls }}
     - hosts:
       {{- range .hosts }}
-        - {{ . | quote }}
+        - {{ tpl . $ | quote }}
       {{- end }}
       secretName: {{ .secretName }}
   {{- end }}
 {{- end }}
   rules:
     {{- range .Values.ingress.hosts }}
-    - host: {{ .host | quote }}
+    - host: {{ tpl .host $ | quote }}
       http:
         paths:
           {{- range .paths }}

unittests/config/database-section_postgresql-ha.yaml

@@ -0,0 +1,30 @@
+suite: config template | database section (postgresql-ha)
+release:
+  name: gitea-unittests
+  namespace: testing
+tests:
+  - it: connects to pgpool service
+    template: templates/gitea/config.yaml
+    set:
+      postgresql:
+        enabled: false
+      postgresql-ha:
+        enabled: true
+    asserts:
+      - documentIndex: 0
+        matchRegex:
+          path: stringData.database
+          pattern: HOST=gitea-unittests-postgresql-ha-pgpool.testing.svc.cluster.local:5432
+  - it: renders the referenced service
+    template: charts/postgresql-ha/templates/pgpool/service.yaml
+    set:
+      postgresql:
+        enabled: false
+      postgresql-ha:
+        enabled: true
+    asserts:
+      - containsDocument:
+          kind: Service
+          apiVersion: v1
+          name: gitea-unittests-postgresql-ha-pgpool
+          namespace: testing

unittests/config/database-section_postgresql.yaml

@@ -0,0 +1,30 @@
+suite: config template | database section (postgresql)
+release:
+  name: gitea-unittests
+  namespace: testing
+tests:
+  - it: "connects to postgresql service"
+    template: templates/gitea/config.yaml
+    set:
+      postgresql:
+        enabled: true
+      postgresql-ha:
+        enabled: false
+    asserts:
+      - documentIndex: 0
+        matchRegex:
+          path: stringData.database
+          pattern: HOST=gitea-unittests-postgresql.testing.svc.cluster.local:5432
+  - it: "renders the referenced service"
+    template: charts/postgresql/templates/primary/svc.yaml
+    set:
+      postgresql:
+        enabled: true
+      postgresql-ha:
+        enabled: false
+    asserts:
+      - containsDocument:
+          kind: Service
+          apiVersion: v1
+          name: gitea-unittests-postgresql
+          namespace: testing

unittests/deployment/image-configuration.yaml

@@ -0,0 +1,78 @@
+suite: deployment template (image configuration)
+release:
+  name: gitea-unittests
+  namespace: testing
+chart:
+  # Override appVersion to be consistent with used digest :)
+  appVersion: 1.19.3
+templates:
+  - templates/gitea/deployment.yaml
+  - templates/gitea/config.yaml
+tests:
+  - it: default values
+    template: templates/gitea/deployment.yaml
+    asserts:
+      - equal:
+          path: spec.template.spec.containers[0].image
+          value: "gitea/gitea:1.19.3-rootless"
+  - it: tag override
+    template: templates/gitea/deployment.yaml
+    set:
+      image.tag: "1.19.4"
+    asserts:
+      - equal:
+          path: spec.template.spec.containers[0].image
+          value: "gitea/gitea:1.19.4-rootless"
+  - it: root-based image
+    template: templates/gitea/deployment.yaml
+    set:
+      image.rootless: false
+    asserts:
+      - equal:
+          path: spec.template.spec.containers[0].image
+          value: "gitea/gitea:1.19.3"
+  - it: scoped registry
+    template: templates/gitea/deployment.yaml
+    set:
+      image.registry: "example.com"
+    asserts:
+      - equal:
+          path: spec.template.spec.containers[0].image
+          value: "example.com/gitea/gitea:1.19.3-rootless"
+  - it: global registry
+    template: templates/gitea/deployment.yaml
+    set:
+      global.imageRegistry: "global.example.com"
+    asserts:
+      - equal:
+          path: spec.template.spec.containers[0].image
+          value: "global.example.com/gitea/gitea:1.19.3-rootless"
+  - it: digest for rootless image
+    template: templates/gitea/deployment.yaml
+    set:
+      image:
+        rootless: true
+        digest: sha256:b28e8f3089b52ebe6693295df142f8c12eff354e9a4a5bfbb5c10f296c3a537a
+    asserts:
+      - equal:
+          path: spec.template.spec.containers[0].image
+          value: "gitea/gitea:1.19.3-rootless@sha256:b28e8f3089b52ebe6693295df142f8c12eff354e9a4a5bfbb5c10f296c3a537a"
+  - it: digest for root-based image
+    template: templates/gitea/deployment.yaml
+    set:
+      image:
+        rootless: false
+        digest: sha256:b28e8f3089b52ebe6693295df142f8c12eff354e9a4a5bfbb5c10f296c3a537a
+    asserts:
+      - equal:
+          path: spec.template.spec.containers[0].image
+          value: "gitea/gitea:1.19.3@sha256:b28e8f3089b52ebe6693295df142f8c12eff354e9a4a5bfbb5c10f296c3a537a"
+  - it: digest and global registry
+    template: templates/gitea/deployment.yaml
+    set:
+      global.imageRegistry: "global.example.com"
+      image.digest: "sha256:b28e8f3089b52ebe6693295df142f8c12eff354e9a4a5bfbb5c10f296c3a537a"
+    asserts:
+      - equal:
+          path: spec.template.spec.containers[0].image
+          value: "global.example.com/gitea/gitea:1.19.3-rootless@sha256:b28e8f3089b52ebe6693295df142f8c12eff354e9a4a5bfbb5c10f296c3a537a"

unittests/deployment/ingress-configuration.yaml

@@ -0,0 +1,23 @@
+suite: ingress template
+release:
+  name: gitea-unittests
+  namespace: testing
+templates:
+  - templates/gitea/ingress.yaml
+tests:
+  - it: hostname using TPL
+    set:
+      global.giteaHostName: "gitea.example.com"
+      ingress.enabled: true
+      ingress.hosts[0].host: "{{ .Values.global.giteaHostName }}"
+      ingress.tls:
+        - secretName: gitea-tls
+          hosts:
+            - "{{ .Values.global.giteaHostName }}"
+    asserts:
+      - equal:
+          path: spec.tls[0].hosts[0]
+          value: "gitea.example.com"
+      - equal:
+          path: spec.rules[0].host
+          value: "gitea.example.com"

values.yaml

@@ -40,6 +40,7 @@ clusterDomain: cluster.local
 ## @param image.registry image registry, e.g. gcr.io,docker.io
 ## @param image.repository Image to start for this pod
 ## @param image.tag Visit: [Image tag](https://hub.docker.com/r/gitea/gitea/tags?page=1&ordering=last_updated). Defaults to `appVersion` within Chart.yaml.
+## @param image.digest Image digest. Allows to pin the given image tag. Useful for having control over mutable tags like `latest`
 ## @param image.pullPolicy Image pull policy
 ## @param image.rootless Wether or not to pull the rootless version of Gitea, only works on Gitea 1.14.x or higher
 image:
@@ -47,6 +48,7 @@ image:
   repository: gitea/gitea
   # Overrides the image tag whose default is the chart appVersion.
   tag: ""
+  digest: ""
   pullPolicy: Always
   rootless: true