Bump to 1.21.1 (#576)

Changelog: https://github.com/go-gitea/gitea/releases/tag/v1.21.1
Co-authored-by: justusbunsi <justusbunsi@noreply.gitea.com>
Reviewed-on: https://gitea.com/gitea/helm-chart/pulls/576
Reviewed-by: justusbunsi <justusbunsi@noreply.gitea.com>
Co-authored-by: pat-s <patrick.schratz@gmail.com>
Co-committed-by: pat-s <patrick.schratz@gmail.com>

.gitea/workflows/release-version.yml

@@ -7,7 +7,7 @@ on:
 
 env:
   # renovate: datasource=docker depName=alpine/helm
-  HELM_VERSION: "3.12.3"
+  HELM_VERSION: "3.13.2"
 
 jobs:
   generate-chart-publish:
@@ -41,16 +41,20 @@ jobs:
       # Using helm gpg plugin as 'helm package --sign' has issues with gpg2: https://github.com/helm/helm/issues/2843
       - name: package chart
         run: |
-          echo ${{ secrets.DOCKER_PASSWORD }} | docker login -u ${{ secrets.DOCKER_USERNAME }} --password-stdin
+          echo ${{ secrets.DOCKER_CHARTS_PASSWORD }} | docker login -u ${{ secrets.DOCKER_CHARTS_USERNAME }} --password-stdin
           # FIXME: use upstream after https://github.com/technosophos/helm-gpg/issues/1 is solved
           helm plugin install https://github.com/pat-s/helm-gpg
-          helm dependency update
+          helm dependency build
           helm package --version "${GITHUB_REF#refs/tags/v}" ./
           helm gpg sign "gitea-${GITHUB_REF#refs/tags/v}.tgz"
           mkdir gitea
           mv gitea*.tgz gitea/
-          curl -L -o gitea/index.yaml https://dl.gitea.com/charts/index.yaml
+          curl -s -L -o gitea/index.yaml https://dl.gitea.com/charts/index.yaml
           helm repo index gitea/ --url https://dl.gitea.com/charts --merge gitea/index.yaml
+          # push to dockerhub
+          echo ${{ secrets.DOCKER_CHARTS_PASSWORD }} | helm registry login -u ${{ secrets.DOCKER_CHARTS_USERNAME }} registry-1.docker.io --password-stdin
+          helm push gitea/gitea-${GITHUB_REF#refs/tags/v}.tgz oci://registry-1.docker.io/giteacharts
+          helm registry logout registry-1.docker.io
 
       - name: aws credential configure
         uses: https://github.com/aws-actions/configure-aws-credentials@v2

.gitea/workflows/test-pr.yml

@@ -1,16 +1,22 @@
 name: check-and-test
 
 on:
-  - pull_request
+  pull_request:
+    branches:
+      - "*"
+  push:
+    branches:
+      - main
+      - "renovate/**"
 
 env:
   # renovate: datasource=github-releases depName=helm-unittest/helm-unittest
-  HELM_UNITTEST_VERSION: "0.3.4"
+  HELM_UNITTEST_VERSION: "v0.3.6"
 
 jobs:
   check-and-test:
     runs-on: ubuntu-latest
-    container: alpine/helm:3.12.3
+    container: alpine/helm:3.13.2
     steps:
       - name: install tools
         run: |

.vscode/settings.json

@@ -1,6 +1,6 @@
 {
     "yaml.schemas": {
-        "https://raw.githubusercontent.com/helm-unittest/helm-unittest/main/schema/helm-testsuite.json": [
+        "https://raw.githubusercontent.com/helm-unittest/helm-unittest/v0.3.6/schema/helm-testsuite.json": [
             "/unittests/**/*.yaml"
         ]
     },

Chart.lock

@@ -7,6 +7,6 @@ dependencies:
   version: 11.9.4
 - name: redis-cluster
   repository: oci://registry-1.docker.io/bitnamicharts
-  version: 9.0.12
-digest: sha256:14cda459c5eeadc1e86835b7436f23a8a21122fcf4fb103404de6183075cb8a3
-generated: "2023-10-15T01:17:05.004977938Z"
+  version: 9.1.3
+digest: sha256:6bda620320a05a5ea4efb4189a86d30092aeb0a6f3e0009538f4bea312af0863
+generated: "2023-11-14T00:08:15.790217865Z"

Chart.yaml

@@ -3,7 +3,7 @@ name: gitea
 description: Gitea Helm chart for Kubernetes
 type: application
 version: 0.0.0
-appVersion: 1.20.5
+appVersion: 1.21.1
 icon: https://gitea.com/assets/img/logo.svg
 
 keywords:
@@ -46,5 +46,5 @@ dependencies:
   # https://github.com/bitnami/charts/blob/main/bitnami/redis-cluster/Chart.yaml
   - name: redis-cluster
     repository: oci://registry-1.docker.io/bitnamicharts
-    version: 9.0.12
+    version: 9.1.3
     condition: redis-cluster.enabled

Makefile

@@ -9,7 +9,7 @@ readme: prepare-environment
 
 .PHONY: unittests
 unittests:
-	helm unittest --strict -f 'unittests/**/*.yaml' ./
+	helm unittest --strict -f 'unittests/**/*.yaml' -f 'unittests/dependency-major-image-check.yaml' ./
 
 .PHONY: helm
 update-helm-dependencies:

README.md

@@ -10,6 +10,7 @@
     - [Database defaults](#database-defaults)
     - [Server defaults](#server-defaults)
     - [Metrics defaults](#metrics-defaults)
+    - [Rootless Defaults](#rootless-defaults)
   - [Single-Pod Configurations](#single-pod-configurations)
   - [Additional _app.ini_ settings](#additional-appini-settings)
     - [User defined environment variables in app.ini](#user-defined-environment-variables-in-appini)
@@ -94,14 +95,18 @@ helm repo update
 helm install gitea gitea-charts/gitea
 ```
 
+Alternatively, the chart can also be installed from Dockerhub (since v9.6.0)
+
+```sh
+helm install gitea oci://registry-1.docker.io/giteacharts/gitea
+```
+
 When upgrading, please refer to the [Upgrading](#upgrading) section at the bottom of this document for major and breaking changes.
 
 ## High Availability
 
-⚠️ **EXPERIMENTAL** ⚠️
-
-Since version 9.0.0 this chart has experimental support for running Gitea and it's dependencies in a HA setup.
-The setup is still experimental and care must be taken for production use as Gitea core is not yet officially HA-ready.
+Since version 9.0.0 this chart supports running Gitea and it's dependencies in HA mode.
+Care must be taken for production use as not all implementation details of Gitea core are officially HA-ready yet.
 
 Deploying a HA-ready Gitea instance requires some effort including using HA-ready dependencies.
 See the [HA Setup](docs/ha-setup.md) document for more details.
@@ -172,6 +177,26 @@ The Prometheus `/metrics` endpoint is disabled by default.
 ENABLED = false
 ```
 
+#### Rootless Defaults
+
+If `.Values.image.rootless: true`, then the following will occur. In case you use `.Values.image.fullOverride`, check that this works in your image:
+
+- `$HOME` becomes `/data/gitea/git`
+
+  [see deployment.yaml](./templates/gitea/deployment.yaml) template inside (init-)container "env" declarations
+
+- `START_SSH_SERVER: true` (Unless explicity overwritten by `gitea.config.server.START_SSH_SERVER`)
+
+  [see \_helpers.tpl](./templates/_helpers.tpl) in `gitea.inline_configuration.defaults.server` definition
+
+- `SSH_LISTEN_PORT: 2222` (Unless explicity overwritten by `gitea.config.server.SSH_LISTEN_PORT`)
+
+  [see \_helpers.tpl](./templates/_helpers.tpl) in `gitea.inline_configuration.defaults.server` definition
+
+- `SSH_LOG_LEVEL` environment variable is not injected into the container
+
+  [see deployment.yaml](./templates/gitea/deployment.yaml) template inside container "env" declarations
+
 ### Single-Pod Configurations
 
 If HA is not needed/desired, the following configurations can be used to deploy a single-pod Gitea instance.
@@ -216,9 +241,9 @@ If HA is not needed/desired, the following configurations can be used to deploy
    **Do not use this configuration for production use**.
 
    <details>
-  
+
    <summary>values.yml</summary>
-  
+
    ```yaml
    redis-cluster:
      enabled: false
@@ -226,10 +251,10 @@ If HA is not needed/desired, the following configurations can be used to deploy
      enabled: false
    postgresql-ha:
      enabled: false
-  
+
    persistence:
      enabled: false
-  
+
    gitea:
      config:
        database:
@@ -681,7 +706,7 @@ extraVolumes:
 extraVolumeMounts:
   - name: gitea-themes
     readOnly: true
-    mountPath: "/data/gitea/public/css"
+    mountPath: "/data/gitea/public/assets/css"
 ```
 
 The secret can be created via `terraform`:
@@ -785,15 +810,16 @@ To comply with the Gitea helm chart definition of the digest parameter, a "custo
 
 ### Image
 
-| Name               | Description                                                                                                                             | Value         |
-| ------------------ | --------------------------------------------------------------------------------------------------------------------------------------- | ------------- |
-| `image.registry`   | image registry, e.g. gcr.io,docker.io                                                                                                   | `""`          |
-| `image.repository` | Image to start for this pod                                                                                                             | `gitea/gitea` |
-| `image.tag`        | Visit: [Image tag](https://hub.docker.com/r/gitea/gitea/tags?page=1&ordering=last_updated). Defaults to `appVersion` within Chart.yaml. | `""`          |
-| `image.digest`     | Image digest. Allows to pin the given image tag. Useful for having control over mutable tags like `latest`                              | `""`          |
-| `image.pullPolicy` | Image pull policy                                                                                                                       | `Always`      |
-| `image.rootless`   | Wether or not to pull the rootless version of Gitea, only works on Gitea 1.14.x or higher                                               | `true`        |
-| `imagePullSecrets` | Secret to use for pulling the image                                                                                                     | `[]`          |
+| Name                 | Description                                                                                                                                                      | Value          |
+| -------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------- |
+| `image.registry`     | image registry, e.g. gcr.io,docker.io                                                                                                                            | `""`           |
+| `image.repository`   | Image to start for this pod                                                                                                                                      | `gitea/gitea`  |
+| `image.tag`          | Visit: [Image tag](https://hub.docker.com/r/gitea/gitea/tags?page=1&ordering=last_updated). Defaults to `appVersion` within Chart.yaml.                          | `""`           |
+| `image.digest`       | Image digest. Allows to pin the given image tag. Useful for having control over mutable tags like `latest`                                                       | `""`           |
+| `image.pullPolicy`   | Image pull policy                                                                                                                                                | `IfNotPresent` |
+| `image.rootless`     | Wether or not to pull the rootless version of Gitea, only works on Gitea 1.14.x or higher                                                                        | `true`         |
+| `image.fullOverride` | Completely overrides the image registry, path/image, tag and digest. **Adjust `image.rootless` accordingly and review [Rootless defaults](#rootless-defaults).** | `""`           |
+| `imagePullSecrets`   | Secret to use for pulling the image                                                                                                                              | `[]`           |
 
 ### Security
 
@@ -968,10 +994,12 @@ To comply with the Gitea helm chart definition of the digest parameter, a "custo
 
 ### redis-cluster
 
-| Name                        | Description                            | Value   |
-| --------------------------- | -------------------------------------- | ------- |
-| `redis-cluster.enabled`     | Enable redis                           | `true`  |
-| `redis-cluster.usePassword` | Whether to use password authentication | `false` |
+| Name                             | Description                                  | Value   |
+| -------------------------------- | -------------------------------------------- | ------- |
+| `redis-cluster.enabled`          | Enable redis                                 | `true`  |
+| `redis-cluster.usePassword`      | Whether to use password authentication       | `false` |
+| `redis-cluster.cluster.nodes`    | Number of redis cluster master nodes         | `3`     |
+| `redis-cluster.cluster.replicas` | Number of redis cluster master node replicas | `0`     |
 
 ### PostgreSQL-ha
 
@@ -1023,6 +1051,15 @@ If you miss this, blindly upgrading may delete your Postgres instance and you ma
 
 <details>
 
+<summary>To 9.6.0</summary>
+
+Chart 9.6.0 ships with Gitea 1.21.0.
+While there are no breaking changes in the chart, please check the changes of the [1.21 release blog post](https://blog.gitea.com/release-of-1.21.0/).
+
+</details>
+
+<details>
+
 <summary>To 9.0.0</summary>
 
 This chart release comes with many breaking changes while aiming for a HA-ready setup.
@@ -1083,14 +1120,18 @@ gitea:
       CONN_STR: redis+cluster://:gitea@gitea-redis-cluster-headless.<namespace>.svc.cluster.local:6379/0?pool_size=100&idle_timeout=180s&
 ```
 
+<!-- prettier-ignore-start -->
 <!-- markdownlint-disable-next-line -->
 **Switch to rootless image by default**
+<!-- prettier-ignore-end -->
 
 If you are facing errors like `WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED` due to this automatic transition:
 Have a look at [this discussion](https://gitea.com/gitea/helm-chart/issues/487#issue-220660) and either set `image.rootless: false` or manually update your `~/.ssh/known_hosts` file(s).
 
+<!-- prettier-ignore-start -->
 <!-- markdownlint-disable-next-line -->
 **Transitioning from a RWO to RWX Persistent Volume**
+<!-- prettier-ignore-end -->
 
 If you want to switch to a RWX volume and go for HA, you need to
 
@@ -1098,8 +1139,10 @@ If you want to switch to a RWX volume and go for HA, you need to
 2. Let the chart create a new RWX PV (or do it statically yourself)
 3. Restore the backup to the same location in the new PV
 
+<!-- prettier-ignore-start -->
 <!-- markdownlint-disable-next-line -->
 **Transitioning from Postgres to Postgres HA**
+<!-- prettier-ignore-end -->
 
 If you are running with a non-HA PG DB from a previous chart release, you need to set
 
@@ -1108,8 +1151,10 @@ If you are running with a non-HA PG DB from a previous chart release, you need t
 
 This is needed to stay with your existing single-instance DB (as the HA-variant is the new default).
 
+<!-- prettier-ignore-start -->
 <!-- markdownlint-disable-next-line -->
 **Change of env-to-ini prefix**
+<!-- prettier-ignore-end -->
 
 Before this release, the env-to-ini prefix was `ENV_TO_INI__`.
 This allowed a clear distinction between user-provided and chart-provided env-to-ini variables.

docs/ha-setup.md

@@ -1,7 +1,5 @@
 # High Availability
 
-⚠️ **EXPERIMENTAL** ⚠️
-
 All components (in-memory DB, volume/asset storage, code indexer) used by Gitea must be deployed in a HA-ready fashion to achieve a full HA-ready Gitea deployment.
 The following document explains how to achieve this for all individual components.
 
@@ -97,6 +95,11 @@ To do so, you need to set the following configuration values yourself:
 - `gitea.config.cache.ADAPTER`: `redis`
 - `gitea.config.cache.HOST`: `<your redis connection string>`
 
+By default, the `redis-cluster` chart provisions three standalone master nodes of which each has a single replica.
+To reduce the number of pods for a default Gitea deployment, we opted to omit the replicas (`replicas: 0`) by default.
+Only the minimum required number of master pods for a functional `redis-cluster` deployment are provisioned.
+For a "proper" `redis-cluster` setup however, we recommend to set `replicas: 1` and `nodes: 6`.
+
 ## Object and asset storage
 
 Object/asset storage refers to the storage of attachments, avatars, LFS files, etc.

package-lock.json

@@ -16,9 +16,9 @@
       }
     },
     "node_modules/@bitnami/readme-generator-for-helm": {
-      "version": "2.5.2",
-      "resolved": "https://registry.npmjs.org/@bitnami/readme-generator-for-helm/-/readme-generator-for-helm-2.5.2.tgz",
-      "integrity": "sha512-hOPksxEjC1maj5Ug0pC01M1BV0MZUU3xqvMpo1asMXvRIkKhdo649mI55sZy8mH+ow9oVWJ+0Xl5cVwCyCEXiQ==",
+      "version": "2.6.0",
+      "resolved": "https://registry.npmjs.org/@bitnami/readme-generator-for-helm/-/readme-generator-for-helm-2.6.0.tgz",
+      "integrity": "sha512-LcByNCryaC2OJExL9rnhyFJ18+vrZu1gVoN2Z7j/HI42EjV4kLgT4G1KEPNnrKbls9HvozBqMG+sKZIDh0McFg==",
       "dev": true,
       "dependencies": {
         "commander": "^7.1.0",

renovate.json5

@@ -1,25 +1,60 @@
 {
-  $schema: "https://docs.renovatebot.com/renovate-schema.json",
-  extends: ["gitea>gitea/renovate-config"],
-  labels: ["kind/dependency"],
+  $schema: 'https://docs.renovatebot.com/renovate-schema.json',
+  extends: [
+    'gitea>gitea/renovate-config',
+    ':automergeMinor',
+    'schedule:automergeDaily',
+    'schedule:weekends',
+  ],
+  labels: [
+    'kind/dependency',
+  ],
+  automergeStrategy: 'squash',
   customManagers: [
-      {
-        description: 'Gitea-version of https://docs.renovatebot.com/presets-regexManagers/#regexmanagersgithubactionsversions',
-        customType: 'regex',
-        fileMatch: ['.gitea/workflows/.+\\.ya?ml$'],
-        matchStrings: [
-          '# renovate: datasource=(?<datasource>[a-z-.]+?) depName=(?<depName>[^\\s]+?)(?: (?:lookupName|packageName)=(?<packageName>[^\\s]+?))?(?: versioning=(?<versioning>[a-z-0-9]+?))?\\s+[A-Za-z0-9_]+?_VERSION\\s*:\\s*["\']?(?<currentValue>.+?)["\']?\\s',
-        ],
-      },
-    ],
+    {
+      description: 'Gitea-version of https://docs.renovatebot.com/presets-regexManagers/#regexmanagersgithubactionsversions',
+      customType: 'regex',
+      fileMatch: [
+        '.gitea/workflows/.+\\.ya?ml$',
+      ],
+      matchStrings: [
+        '# renovate: datasource=(?<datasource>[a-z-.]+?) depName=(?<depName>[^\\s]+?)(?: (?:lookupName|packageName)=(?<packageName>[^\\s]+?))?(?: versioning=(?<versioning>[a-z-0-9]+?))?\\s+[A-Za-z0-9_]+?_VERSION\\s*:\\s*["\']?(?<currentValue>.+?)["\']?\\s',
+      ],
+    },
+    {
+      description: 'Detect helm-unittest yaml schema file',
+      customType: 'regex',
+      fileMatch: ['.vscode/settings\\.json$'],
+      matchStrings: [
+        'https:\\/\\/raw\\.githubusercontent\\.com\\/(?<depName>[^\\s]+?)\\/(?<currentValue>v[0-9.]+?)\\/schema\\/helm-testsuite\\.json',
+      ],
+      datasourceTemplate: 'github-releases',
+    },
+  ],
   packageRules: [
     {
-      description: "Automerge minor + patch dependency updates weekly",
-      matchManagers: ["helmv3"],
-      matchUpdateTypes: ["minor", "patch", "digest"],
-      automerge: true,
-      automergeStrategy: "squash",
-      extends: ["schedule:weekly"],
+      groupName: 'subcharts (minor & patch)',
+      matchManagers: [
+        'helmv3',
+      ],
+      matchUpdateTypes: [
+        'minor',
+        'patch',
+        'digest',
+      ],
+    },
+    {
+      groupName: 'workflow dependencies (minor & patch)',
+      matchManagers: [
+        'github-actions',
+        'npm',
+        'custom.regex',
+      ],
+      matchUpdateTypes: [
+        'minor',
+        'patch',
+        'digest',
+      ],
     },
   ],
 }

templates/_helpers.tpl

@@ -56,6 +56,7 @@ Create chart name and version as used by the chart label.
 Create image name and tag used by the deployment.
 */}}
 {{- define "gitea.image" -}}
+{{- $fullOverride := .Values.image.fullOverride | default "" -}}
 {{- $registry := .Values.global.imageRegistry | default .Values.image.registry -}}
 {{- $repository := .Values.image.repository -}}
 {{- $separator := ":" -}}
@@ -65,7 +66,9 @@ Create image name and tag used by the deployment.
 {{- if .Values.image.digest }}
     {{- $digest = (printf "@%s" (.Values.image.digest | toString)) -}}
 {{- end -}}
-{{- if $registry }}
+{{- if $fullOverride }}
+    {{- printf "%s" $fullOverride -}}
+{{- else if $registry }}
     {{- printf "%s/%s%s%s%s%s" $registry $repository $separator $tag $rootless $digest -}}
 {{- else -}}
     {{- printf "%s%s%s%s%s" $repository $separator $tag $rootless $digest -}}
@@ -148,7 +151,7 @@ app.kubernetes.io/instance: {{ .Release.Name }}
 {{- end -}}
 
 {{- define "gitea.default_domain" -}}
-{{- printf "%s-gitea.%s.svc.%s" (include "gitea.fullname" .) .Release.Namespace .Values.clusterDomain | trunc 63 | trimSuffix "-" -}}
+{{- printf "%s-http.%s.svc.%s" (include "gitea.fullname" .) .Release.Namespace .Values.clusterDomain -}}
 {{- end -}}
 
 {{- define "gitea.ldap_settings" -}}
@@ -319,7 +322,7 @@ https
   {{- end -}}
   {{- if not (.Values.gitea.config.server.DOMAIN) -}}
     {{- if gt (len .Values.ingress.hosts) 0 -}}
-      {{- $_ := set .Values.gitea.config.server "DOMAIN" (index .Values.ingress.hosts 0).host -}}
+      {{- $_ := set .Values.gitea.config.server "DOMAIN" ( tpl (index .Values.ingress.hosts 0).host $) -}}
     {{- else -}}
       {{- $_ := set .Values.gitea.config.server "DOMAIN" (include "gitea.default_domain" .) -}}
     {{- end -}}

unittests/config/server-section_domain.yaml

@@ -0,0 +1,67 @@
+suite: config template | server section (domain related)
+release:
+  name: gitea-unittests
+  namespace: testing
+tests:
+  - it: "[default values] uses ingress host for DOMAIN|SSH_DOMAIN|ROOT_URL"
+    template: templates/gitea/config.yaml
+    asserts:
+      - documentIndex: 0
+        matchRegex:
+          path: stringData.server
+          pattern: \nDOMAIN=git.example.com
+      - documentIndex: 0
+        matchRegex:
+          path: stringData.server
+          pattern: \nSSH_DOMAIN=git.example.com
+      - documentIndex: 0
+        matchRegex:
+          path: stringData.server
+          pattern: \nROOT_URL=http://git.example.com
+
+  ################################################
+
+  - it: "[no ingress hosts] uses gitea http service for DOMAIN|SSH_DOMAIN|ROOT_URL"
+    template: templates/gitea/config.yaml
+    set:
+      ingress:
+        hosts: []
+    asserts:
+      - documentIndex: 0
+        matchRegex:
+          path: stringData.server
+          pattern: \nDOMAIN=gitea-unittests-http.testing.svc.cluster.local
+      - documentIndex: 0
+        matchRegex:
+          path: stringData.server
+          pattern: \nSSH_DOMAIN=gitea-unittests-http.testing.svc.cluster.local
+      - documentIndex: 0
+        matchRegex:
+          path: stringData.server
+          pattern: \nROOT_URL=http://gitea-unittests-http.testing.svc.cluster.local
+
+  ################################################
+
+  - it: "[provided via values] uses that for DOMAIN|SSH_DOMAIN|ROOT_URL"
+    template: templates/gitea/config.yaml
+    set:
+      gitea.config.server.DOMAIN: provided.example.com
+      ingress:
+        hosts:
+          - host: non-used.example.com
+            paths:
+              - path: /
+                pathType: Prefix
+    asserts:
+      - documentIndex: 0
+        matchRegex:
+          path: stringData.server
+          pattern: \nDOMAIN=provided.example.com
+      - documentIndex: 0
+        matchRegex:
+          path: stringData.server
+          pattern: \nSSH_DOMAIN=provided.example.com
+      - documentIndex: 0
+        matchRegex:
+          path: stringData.server
+          pattern: \nROOT_URL=http://provided.example.com

unittests/dependency-major-image-check.yaml

@@ -0,0 +1,42 @@
+suite: Dependency update consistency
+release:
+  name: gitea-unittests
+  namespace: testing
+tests:
+  - it: "[postgresql-ha] ensures we detect major image version upgrades"
+    template: charts/postgresql-ha/templates/postgresql/statefulset.yaml
+    set:
+      postgresql:
+        enabled: false
+      postgresql-ha:
+        enabled: true
+    asserts:
+      - documentIndex: 0
+        matchRegex:
+          path: spec.template.spec.containers[0].image
+          # IN CASE OF AN INTENTIONAL MAJOR BUMP, ADJUST THIS TEST
+          pattern: ^docker.io/bitnami/postgresql-repmgr:15.+$
+  - it: "[postgresql] ensures we detect major image version upgrades"
+    template: charts/postgresql/templates/primary/statefulset.yaml
+    set:
+      postgresql:
+        enabled: true
+      postgresql-ha:
+        enabled: false
+    asserts:
+      - documentIndex: 0
+        matchRegex:
+          path: spec.template.spec.containers[0].image
+          # IN CASE OF AN INTENTIONAL MAJOR BUMP, ADJUST THIS TEST
+          pattern: ^docker.io/bitnami/postgresql:15.+$
+  - it: "[redis-cluster] ensures we detect major image version upgrades"
+    template: charts/redis-cluster/templates/redis-statefulset.yaml
+    set:
+      redis-cluster:
+        enabled: true
+    asserts:
+      - documentIndex: 0
+        matchRegex:
+          path: spec.template.spec.containers[0].image
+          # IN CASE OF AN INTENTIONAL MAJOR BUMP, ADJUST THIS TEST
+          pattern: ^docker.io/bitnami/redis-cluster:7.+$

unittests/deployment/image-configuration.yaml

@@ -57,6 +57,21 @@ tests:
       - equal:
           path: spec.template.spec.containers[0].image
           value: "gitea/gitea:1.19.3-rootless@sha256:b28e8f3089b52ebe6693295df142f8c12eff354e9a4a5bfbb5c10f296c3a537a"
+  - it: image fullOverride (does not append rootless)
+    template: templates/gitea/deployment.yaml
+    set:
+      image:
+        fullOverride: gitea/gitea:1.19.3
+        # setting rootless, registry, repository, tag, and digest to prove that override works
+        rootless: true
+        registry: example.com
+        repository: example/image
+        tag: "1.0.0"
+        digest: sha256:b28e8f3089b52ebe6693295df142f8c12eff354e9a4a5bfbb5c10f296c3a537a
+    asserts:
+      - equal:
+          path: spec.template.spec.containers[0].image
+          value: "gitea/gitea:1.19.3"
   - it: digest for root-based image
     template: templates/gitea/deployment.yaml
     set:

unittests/deployment/inline-config.yaml

@@ -0,0 +1,33 @@
+suite: config template
+release:
+  name: gitea-unittests
+  namespace: testing
+templates:
+  - templates/gitea/config.yaml
+tests:
+  - it: inline config stringData.server using TPL
+    set:
+      global.giteaHostName: "gitea.example.com"
+      ingress.enabled: true
+      ingress.hosts[0].host: "{{ .Values.global.giteaHostName }}"
+      ingress.tls:
+        - secretName: gitea-tls
+          hosts:
+            - "{{ .Values.global.giteaHostName }}"
+    asserts:
+      - documentIndex: 0
+        matchRegex:
+          path: metadata.name
+          pattern: .*-inline-config$
+      - documentIndex: 0
+        matchRegex:
+          path: stringData.server
+          pattern: DOMAIN=gitea\.example\.com
+      - documentIndex: 0
+        matchRegex:
+          path: stringData.server
+          pattern: ROOT_URL=https://gitea\.example\.com
+      - documentIndex: 0
+        matchRegex:
+          path: stringData.server
+          pattern: SSH_DOMAIN=gitea\.example\.com

unittests/deployment/ssh-configuration.yaml

@@ -27,6 +27,18 @@ tests:
           content:
             name: SSH_LOG_LEVEL
             value: "DEBUG"
+  - it: supports overriding SSH log level (even when image.fullOverride set)
+    template: templates/gitea/deployment.yaml
+    set:
+      image.fullOverride: gitea/gitea:1.19.3
+      image.rootless: false
+      gitea.ssh.logLevel: "DEBUG"
+    asserts:
+      - contains:
+          path: spec.template.spec.containers[0].env
+          content:
+            name: SSH_LOG_LEVEL
+            value: "DEBUG"
   - it: skips SSH_LOG_LEVEL for rootless image
     template: templates/gitea/deployment.yaml
     set:
@@ -38,3 +50,15 @@ tests:
           any: true
           content:
             name: SSH_LOG_LEVEL
+  - it: skips SSH_LOG_LEVEL for rootless image (even when image.fullOverride set)
+    template: templates/gitea/deployment.yaml
+    set:
+      image.fullOverride: gitea/gitea:1.19.3
+      image.rootless: true
+      gitea.ssh.logLevel: "DEBUG" # explicitly defining a non-standard level here
+    asserts:
+      - notContains:
+          path: spec.template.spec.containers[0].env
+          any: true
+          content:
+            name: SSH_LOG_LEVEL

unittests/gpg-secret/signing-enabled.yaml

@@ -33,7 +33,7 @@ tests:
           kind: Secret
           apiVersion: v1
           name: gitea-unittests-gpg-key
-      - isNotEmpty:
+      - isNotNullOrEmpty:
           path: metadata.labels
       - equal:
           path: data.privateKey

unittests/init/init_directory_structure.sh-rootless.yaml

@@ -66,3 +66,23 @@ tests:
               chmod 700 "${GNUPGHOME}"
               chown 1000:1000 "${GNUPGHOME}"
             fi
+  - it: it does not chown /data even when image.fullOverride is set
+    template: templates/gitea/init.yaml
+    set:
+      image.fullOverride: gitea/gitea:1.20.5
+    asserts:
+      - equal:
+          path: stringData["init_directory_structure.sh"]
+          value: |-
+            #!/usr/bin/env bash
+
+            set -euo pipefail
+
+            set -x
+            mkdir -p /data/git/.ssh
+            chmod -R 700 /data/git/.ssh
+            [ ! -d /data/gitea/conf ] && mkdir -p /data/gitea/conf
+
+            # prepare temp directory structure
+            mkdir -p "${GITEA_TEMP}"
+            chmod ug+rwx "${GITEA_TEMP}"

values.yaml

@@ -43,14 +43,16 @@ clusterDomain: cluster.local
 ## @param image.digest Image digest. Allows to pin the given image tag. Useful for having control over mutable tags like `latest`
 ## @param image.pullPolicy Image pull policy
 ## @param image.rootless Wether or not to pull the rootless version of Gitea, only works on Gitea 1.14.x or higher
+## @param image.fullOverride Completely overrides the image registry, path/image, tag and digest. **Adjust `image.rootless` accordingly and review [Rootless defaults](#rootless-defaults).**
 image:
   registry: ""
   repository: gitea/gitea
   # Overrides the image tag whose default is the chart appVersion.
   tag: ""
   digest: ""
-  pullPolicy: Always
+  pullPolicy: IfNotPresent
   rootless: true
+  fullOverride: ""
 
 ## @param imagePullSecrets Secret to use for pulling the image
 imagePullSecrets: []
@@ -477,9 +479,14 @@ gitea:
 ## @section redis-cluster
 ## @param redis-cluster.enabled Enable redis
 ## @param redis-cluster.usePassword Whether to use password authentication
+## @param redis-cluster.cluster.nodes Number of redis cluster master nodes
+## @param redis-cluster.cluster.replicas Number of redis cluster master node replicas
 redis-cluster:
   enabled: true
   usePassword: false
+  cluster:
+    nodes: 3 # default: 6
+    replicas: 0 # default: 1
 
 ## @section postgresql-ha
 #