fix workflow secrets

### Description of the change

Update README with information how to configure renovate to update digest for gitea charts.

### Benefits

Automatic digest updates for people using renovate.

Co-authored-by: Michał Małyska <999598+mmalyska@users.noreply.github.com>
Reviewed-on: https://gitea.com/gitea/helm-chart/pulls/514
Reviewed-by: justusbunsi <justusbunsi@noreply.gitea.com>
Reviewed-by: pat-s <pat-s@noreply.gitea.com>
Co-authored-by: mmalyska <mmalyska@noreply.gitea.com>
Co-committed-by: mmalyska <mmalyska@noreply.gitea.com>

.gitea/workflows/release-version.yml

@@ -9,15 +9,21 @@ jobs:
   generate-chart-publish:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - name: install tools
         run: |
           apt update -y
-          apt install -y curl
+          apt install -y curl ca-certificates curl gnupg
+          # helm
           curl https://baltocdn.com/helm/signing.asc | gpg --dearmor | tee /usr/share/keyrings/helm.gpg > /dev/null
           echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/helm.gpg] https://baltocdn.com/helm/stable/debian/ all main" | tee /etc/apt/sources.list.d/helm-stable-debian.list
+          # docker
+          install -m 0755 -d /etc/apt/keyrings
+          curl -fsSL https://download.docker.com/linux/debian/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg
+          chmod a+r /etc/apt/keyrings/docker.gpg
+          echo "deb [arch="$(dpkg --print-architecture)" signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian "$(. /etc/os-release && echo "$VERSION_CODENAME")" stable" | tee /etc/apt/sources.list.d/docker.list > /dev/null
           apt update -y
-          apt install -y python helm python3-pip apt-transport-https
+          apt install -y python helm python3-pip apt-transport-https docker-ce-cli
           pip install awscli
 
       - name: Import GPG key
@@ -31,6 +37,7 @@ jobs:
       # Using helm gpg plugin as 'helm package --sign' has issues with gpg2: https://github.com/helm/helm/issues/2843
       - name: package chart
         run: |
+          echo ${{ secrets.DOCKER_PASSWORD }} | docker login -u ${{ secrets.DOCKER_USERNAME }} --password-stdin
           # FIXME: use upstream after https://github.com/technosophos/helm-gpg/issues/1 is solved
           helm plugin install https://github.com/pat-s/helm-gpg
           helm dependency update
@@ -39,7 +46,7 @@ jobs:
           mkdir gitea
           mv gitea*.tgz gitea/
           curl -L -o gitea/index.yaml https://dl.gitea.com/charts/index.yaml
-          helm repo index gitea/ --url https://dl.gitea.io/charts --merge gitea/index.yaml
+          helm repo index gitea/ --url https://dl.gitea.com/charts --merge gitea/index.yaml
 
       - name: aws credential configure
         uses: https://github.com/aws-actions/configure-aws-credentials@v2

.gitea/workflows/test-pr.yml

@@ -7,7 +7,7 @@ jobs:
   check-and-test:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - name: install tools
         run: |
           apt update -y

Chart.lock

@@ -1,12 +1,12 @@
 dependencies:
 - name: postgresql
   repository: oci://registry-1.docker.io/bitnamicharts
-  version: 12.6.6
+  version: 12.12.5
 - name: postgresql-ha
   repository: oci://registry-1.docker.io/bitnamicharts
-  version: 11.7.9
+  version: 11.9.2
 - name: redis-cluster
   repository: oci://registry-1.docker.io/bitnamicharts
-  version: 8.6.9
-digest: sha256:52296a48610712a8eb69a32b1b5818b014bfb8dac79d883e11ebdaf97d41e85d
-generated: "2023-07-17T21:24:06.888357+02:00"
+  version: 9.0.4
+digest: sha256:aba0798b2d882a0e44119cc1e586278c3433227d65c37f9035e835ab3c554965
+generated: "2023-09-22T19:18:56.559259773Z"

Chart.yaml

@@ -1,50 +1,50 @@
-apiVersion: v2
-name: gitea
-description: Gitea Helm chart for Kubernetes
-type: application
-version: 0.0.0
-appVersion: 1.20.0
-icon: https://docs.gitea.io/images/gitea.png
-
-keywords:
-  - git
-  - issue tracker
-  - code review
-  - wiki
-  - gitea
-  - gogs
-sources:
-  - https://gitea.com/gitea/helm-chart
-  - https://github.com/go-gitea/gitea
-  - https://hub.docker.com/r/gitea/gitea/
-maintainers:
-  - name: Charlie Drage
-    email: charlie@charliedrage.com
-  - name: Gitea Authors
-    email: maintainers@gitea.io
-  - name: Konrad Lother
-    email: konrad.lother@novum-rgi.de
-  - name: Lucas Hahn
-    email: lucas.hahn@novum-rgi.de
-  - name: Steven Kriegler
-    email: sk.bunsenbrenner@gmail.com
-  - name: Patrick Schratz
-    email: patrick.schratz@gmail.com
-
-# Bitnami charts are served from GitHub CDN - See https://github.com/bitnami/charts/issues/10539 for details
-dependencies:
-  # Chart release date: 2023-07 (https://github.com/bitnami/charts/blob/main/bitnami/postgresql/Chart.yaml)
-  - name: postgresql
-    repository: oci://registry-1.docker.io/bitnamicharts
-    version: 12.6.6
-    condition: postgresql.enabled
-  # Chart release date: 2023-07 (https://github.com/bitnami/charts/blob/main/bitnami/postgresql-ha/Chart.yaml)
-  - name: postgresql-ha
-    repository: oci://registry-1.docker.io/bitnamicharts
-    version: 11.7.9
-    condition: postgresql-ha.enabled
-  # Chart release date: 2023-07 (https://github.com/bitnami/charts/blob/main/bitnami/redis-cluster/Chart.yaml)
-  - name: redis-cluster
-    repository: oci://registry-1.docker.io/bitnamicharts
-    version: 8.6.9
-    condition: redis-cluster.enabled
+apiVersion: v2
+name: gitea
+description: Gitea Helm chart for Kubernetes
+type: application
+version: 0.0.0
+appVersion: 1.20.5
+icon: https://gitea.com/assets/img/logo.svg
+
+keywords:
+  - git
+  - issue tracker
+  - code review
+  - wiki
+  - gitea
+  - gogs
+sources:
+  - https://gitea.com/gitea/helm-chart
+  - https://github.com/go-gitea/gitea
+  - https://hub.docker.com/r/gitea/gitea/
+maintainers:
+  - name: Charlie Drage
+    email: charlie@charliedrage.com
+  - name: Gitea Authors
+    email: maintainers@gitea.io
+  - name: Konrad Lother
+    email: konrad.lother@novum-rgi.de
+  - name: Lucas Hahn
+    email: lucas.hahn@novum-rgi.de
+  - name: Steven Kriegler
+    email: sk.bunsenbrenner@gmail.com
+  - name: Patrick Schratz
+    email: patrick.schratz@gmail.com
+
+# Bitnami charts are served from GitHub CDN - See https://github.com/bitnami/charts/issues/10539 for details
+dependencies:
+  #https://github.com/bitnami/charts/blob/main/bitnami/postgresql
+  - name: postgresql
+    repository: oci://registry-1.docker.io/bitnamicharts
+    version: 12.12.5
+    condition: postgresql.enabled
+  # https://github.com/bitnami/charts/blob/main/bitnami/postgresql-ha/Chart.yaml
+  - name: postgresql-ha
+    repository: oci://registry-1.docker.io/bitnamicharts
+    version: 11.9.2
+    condition: postgresql-ha.enabled
+  # https://github.com/bitnami/charts/blob/main/bitnami/redis-cluster/Chart.yaml
+  - name: redis-cluster
+    repository: oci://registry-1.docker.io/bitnamicharts
+    version: 9.0.4
+    condition: redis-cluster.enabled

README.md

@@ -7,7 +7,12 @@
 - [High Availability](#high-availability)
 - [Configuration](#configuration)
   - [Default Configuration](#default-configuration)
+    - [Database defaults](#database-defaults)
+    - [Server defaults](#server-defaults)
+    - [Metrics defaults](#metrics-defaults)
+  - [Minimal Configuration](#minimal-configuration)
   - [Additional _app.ini_ settings](#additional-appini-settings)
+    - [User defined environment variables in app.ini](#user-defined-environment-variables-in-appini)
   - [External Database](#external-database)
   - [Ports and external url](#ports-and-external-url)
   - [ClusterIP](#clusterip)
@@ -22,6 +27,7 @@
 - [Metrics and profiling](#metrics-and-profiling)
 - [Pod annotations](#pod-annotations)
 - [Themes](#themes)
+- [Renovate](#renovate)
 - [Parameters](#parameters)
   - [Global](#global)
   - [strategy](#strategy)
@@ -45,7 +51,7 @@
 - [Contributing](#contributing)
 - [Upgrading](#upgrading)
 
-[Gitea](https://gitea.io/en-us/) is a community managed lightweight code hosting solution written in Go.
+[Gitea](https://gitea.com) is a community managed lightweight code hosting solution written in Go.
 It is published under the MIT license.
 
 ## Introduction
@@ -83,7 +89,7 @@ Dependencies:
 ## Installing
 
 ```sh
-helm repo add gitea-charts https://dl.gitea.io/charts/
+helm repo add gitea-charts https://dl.gitea.com/charts/
 helm repo update
 helm install gitea gitea-charts/gitea
 ```
@@ -103,7 +109,7 @@ See the [HA Setup](docs/ha-setup.md) document for more details.
 ## Configuration
 
 Gitea offers lots of configuration options.
-This is fully described in the [Gitea Cheat Sheet](https://docs.gitea.io/en-us/config-cheat-sheet/).
+This is fully described in the [Gitea Cheat Sheet](https://docs.gitea.com/administration/config-cheat-sheet).
 
 ```yaml
 gitea:
@@ -166,9 +172,39 @@ The Prometheus `/metrics` endpoint is disabled by default.
 ENABLED = false
 ```
 
+### Minimal Configuration
+
+For a minimal installation, i.e. without HA dependencies and using the built-in SQLITE DB instead of Postgres, the following configuration can be used:
+
+```yaml
+redis-cluster:
+  enabled: false
+postgresql:
+  enabled: false
+postgresql-ha:
+  enabled: false
+
+persistence:
+  enabled: false
+
+gitea:
+  config:
+    database:
+      DB_TYPE: sqlite3
+    session:
+      PROVIDER: memory
+    cache:
+      ADAPTER: memory
+    queue:
+      TYPE: level
+```
+
+This will result in a single-pod Gitea instance without any dependencies and persistence.
+Do not use this configuration for production use.
+
 ### Additional _app.ini_ settings
 
-> **The [generic](https://docs.gitea.io/en-us/config-cheat-sheet/#overall-default)
+> **The [generic](https://docs.gitea.com/administration/config-cheat-sheet#overall-default)
 > section cannot be defined that way.**
 
 Some settings inside _app.ini_ (like passwords or whole authentication configurations) must be considered sensitive and therefore should not be passed via plain text inside the _values.yaml_ file.
@@ -255,7 +291,7 @@ Priority (highest to lowest) for defining app.ini variables:
 
 ### External Database
 
-Any external database listed in [https://docs.gitea.io/en-us/database-prep/](https://docs.gitea.io/en-us/database-prep/) can be used instead of the built-in PostgreSQL.
+Any external database listed in [https://docs.gitea.com/installation/database-prep](https://docs.gitea.com/installation/database-prep) can be used instead of the built-in PostgreSQL.
 In fact, it is **highly recommended** to use an external database to ensure a stable Gitea installation longterm.
 
 If an external database is used, no matter which type, make sure to set `postgresql.enabled` to `false` to disable the use of the built-in PostgreSQL.
@@ -425,7 +461,7 @@ gitea:
 ### LDAP Settings
 
 Like the admin user the LDAP settings can be updated.
-All LDAP values from <https://docs.gitea.io/en-us/command-line/#admin> are available.
+All LDAP values from <https://docs.gitea.com/administration/command-line#admin> are available.
 
 Multiple LDAP sources can be configured with additional LDAP list items.
 
@@ -480,7 +516,7 @@ Affected options:
 
 Like the admin user, OAuth2 settings can be updated and disabled but not deleted.
 Deleting OAuth2 settings has to be done in the ui.
-All OAuth2 values, which are documented [here](https://docs.gitea.io/en-us/command-line/#admin), are
+All OAuth2 values, which are documented [here](https://docs.gitea.com/administration/command-line#admin), are
 available.
 
 Multiple OAuth2 sources can be configured with additional OAuth list items.
@@ -558,7 +594,7 @@ signing:
 ```
 
 To use the gpg key, Gitea needs to be configured accordingly.
-A detailed description can be found in the [official Gitea documentation](https://docs.gitea.io/en-us/signing/#general-configuration).
+A detailed description can be found in the [official Gitea documentation](https://docs.gitea.com/administration/signing#general-configuration).
 
 ## Metrics and profiling
 
@@ -592,6 +628,8 @@ gitea:
 
 Custom themes can be added via k8s secrets and referencing them in `values.yaml`.
 
+The [http provider](https://registry.terraform.io/providers/hashicorp/http/latest/docs/data-sources/http) is useful here.
+
 ```yaml
 extraVolumes:
   - name: gitea-themes
@@ -614,13 +652,37 @@ resource "kubernetes_secret" "gitea-themes" {
   }
 
   data = {
-    "theme-custom.css"      = "${file("FULL-PATH-TO-CSS")}"
-    "theme-custom-dark.css" = "${file("FULL-PATH-TO-CSS")}"
+    "my-theme.css"      = data.http.gitea-theme-light.body
+    "my-theme-dark.css" = data.http.gitea-theme-dark.body
+    "my-theme-auto.css" = data.http.gitea-theme-auto.body
   }
 
   type = "Opaque"
+}
 
-  depends_on = [kubernetes_namespace.gitea]
+
+data "http" "gitea-theme-light" {
+  url = "<raw theme url>"
+
+  request_headers = {
+    Accept = "application/json"
+  }
+}
+
+data "http" "gitea-theme-dark" {
+  url = "<raw theme url>"
+
+  request_headers = {
+    Accept = "application/json"
+  }
+}
+
+data "http" "gitea-theme-auto" {
+  url = "<raw theme url>"
+
+  request_headers = {
+    Accept = "application/json"
+  }
 }
 ```
 
@@ -630,6 +692,34 @@ or natively via `kubectl`:
 kubectl create secret generic gitea-themes --from-file={{FULL-PATH-TO-CSS}} --namespace gitea
 ```
 
+## Renovate
+
+To be able to use a digest value which is automatically updated by `Renovate` a [customManager](https://docs.renovatebot.com/modules/manager/regex/) is required.
+Here's an examplary `values.yml` definition which makes use of a digest:
+
+```yaml
+image:
+  repository: gitea/gitea
+  tag: 1.20.2
+  digest: sha256:6e3b85a36653894d6741d0aefb41dfaac39044e028a42e0a520cc05ebd7bfc3f
+```
+
+By default Renovate adds digest after the `tag`.
+To comply with the Gitea helm chart definition of the digest parameter, a "customManagers" definition is required:
+
+```json
+"customManagers": [
+  {
+    "customType": "regex",
+    "description": "Apply an explicit gitea digest field match",
+    "fileMatch": ["values\\.ya?ml"],
+    "matchStrings": ["(?<depName>gitea\\/gitea)\\n(?<indentation>\\s+)tag: (?<currentValue>[^@].*?)\\n\\s+digest: (?<currentDigest>sha256:[a-f0-9]+)"],
+    "datasourceTemplate": "docker",
+    "autoReplaceStringTemplate": "{{depName}}\n{{indentation}}tag: {{newValue}}\n{{indentation}}digest: {{#if newDigest}}{{{newDigest}}}{{else}}{{{currentDigest}}}{{/if}}"
+  }
+]
+```
+
 ## Parameters
 
 ### Global
@@ -658,6 +748,7 @@ kubectl create secret generic gitea-themes --from-file={{FULL-PATH-TO-CSS}} --na
 | `image.registry`   | image registry, e.g. gcr.io,docker.io                                                                                                   | `""`          |
 | `image.repository` | Image to start for this pod                                                                                                             | `gitea/gitea` |
 | `image.tag`        | Visit: [Image tag](https://hub.docker.com/r/gitea/gitea/tags?page=1&ordering=last_updated). Defaults to `appVersion` within Chart.yaml. | `""`          |
+| `image.digest`     | Image digest. Allows to pin the given image tag. Useful for having control over mutable tags like `latest`                              | `""`          |
 | `image.pullPolicy` | Image pull policy                                                                                                                       | `Always`      |
 | `image.rootless`   | Wether or not to pull the rootless version of Gitea, only works on Gitea 1.14.x or higher                                               | `true`        |
 | `imagePullSecrets` | Secret to use for pulling the image                                                                                                     | `[]`          |
@@ -848,6 +939,7 @@ kubectl create secret generic gitea-themes --from-file={{FULL-PATH-TO-CSS}} --na
 | `postgresql-ha.postgresql.password`         | Password for the `gitea` user (overrides `auth.password`)        | `changeme4` |
 | `postgresql-ha.global.postgresql.database`  | Name for a custom database to create (overrides `auth.database`) | `gitea`     |
 | `postgresql-ha.global.postgresql.username`  | Name for a custom user to create (overrides `auth.username`)     | `gitea`     |
+| `postgresql-ha.global.postgresql.password`  | Name for a custom password to create (overrides `auth.password`) | `gitea`     |
 | `postgresql-ha.postgresql.repmgrPassword`   | Repmgr Password                                                  | `changeme2` |
 | `postgresql-ha.postgresql.postgresPassword` | postgres Password                                                | `changeme1` |
 | `postgresql-ha.pgpool.adminPassword`        | pgpool adminPassword                                             | `changeme3` |
@@ -947,6 +1039,11 @@ If you are coming from an existing deployment and [#356](https://gitea.com/gitea
       CONN_STR: redis+cluster://:gitea@gitea-redis-cluster-headless.<namespace>.svc.cluster.local:6379/0?pool_size=100&idle_timeout=180s&
 ```
 
+<!-- markdownlint-disable-next-line -->
+**Switch to rootless image by default**
+If you are facing errors like `WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED` due to this automatic transition:
+Have a look at [this discussion](https://gitea.com/gitea/helm-chart/issues/487#issue-220660) and either set `image.rootless: false` or manually update your `~/.ssh/known_hosts` file(s).
+
 <!-- markdownlint-disable-next-line -->
 **Transitioning from a RWO to RWX Persistent Volume**
 

package-lock.json

@@ -8,7 +8,7 @@
       "license": "MIT",
       "devDependencies": {
         "@bitnami/readme-generator-for-helm": "^2.5.0",
-        "markdownlint-cli": "^0.34.0"
+        "markdownlint-cli": "^0.37.0"
       },
       "engines": {
         "node": ">=16.0.0",
@@ -16,9 +16,9 @@
       }
     },
     "node_modules/@bitnami/readme-generator-for-helm": {
-      "version": "2.5.0",
-      "resolved": "https://registry.npmjs.org/@bitnami/readme-generator-for-helm/-/readme-generator-for-helm-2.5.0.tgz",
-      "integrity": "sha512-bYggL/kWwyxjctSrIBMOcrTQSj8LA3yYcEzfGTJIFoHKl5M7ifZtox//8G5K3FTw6qdOnPZcA10fl2y4N6uB/g==",
+      "version": "2.5.1",
+      "resolved": "https://registry.npmjs.org/@bitnami/readme-generator-for-helm/-/readme-generator-for-helm-2.5.1.tgz",
+      "integrity": "sha512-LRSq43HwfgmTJZ4rwpXHf6d7DGnY+j2BtgVlc2hPqfRtqj36NRYl83Zv9WjRGvwF8Zr6Iwa1AgvewiAxdWlMzg==",
       "dev": true,
       "dependencies": {
         "commander": "^7.1.0",
@@ -286,12 +286,12 @@
       "dev": true
     },
     "node_modules/ini": {
-      "version": "3.0.1",
-      "resolved": "https://registry.npmjs.org/ini/-/ini-3.0.1.tgz",
-      "integrity": "sha512-it4HyVAUTKBc6m8e1iXWvXSTdndF7HbdN713+kvLrymxTaU4AUBWrJ4vEooP+V7fexnVD3LKcBshjGGPefSMUQ==",
+      "version": "4.1.1",
+      "resolved": "https://registry.npmjs.org/ini/-/ini-4.1.1.tgz",
+      "integrity": "sha512-QQnnxNyfvmHFIsj7gkPcYymR8Jdw/o7mp5ZFihxn6h8Ci6fh3Dx4E1gPjpQEpIuPo9XVNY/ZUwh4BPMjGyL01g==",
       "dev": true,
       "engines": {
-        "node": "^12.13.0 || ^14.15.0 || >=16.0.0"
+        "node": "^14.17.0 || ^16.13.0 || >=18.0.0"
       }
     },
     "node_modules/is-fullwidth-code-point": {
@@ -399,39 +399,39 @@
       }
     },
     "node_modules/markdownlint": {
-      "version": "0.28.2",
-      "resolved": "https://registry.npmjs.org/markdownlint/-/markdownlint-0.28.2.tgz",
-      "integrity": "sha512-yYaQXoKKPV1zgrFsyAuZPEQoe+JrY9GDag9ObKpk09twx4OCU5lut+0/kZPrQ3W7w82SmgKhd7D8m34aG1unVw==",
+      "version": "0.31.1",
+      "resolved": "https://registry.npmjs.org/markdownlint/-/markdownlint-0.31.1.tgz",
+      "integrity": "sha512-CKMR2hgcIBrYlIUccDCOvi966PZ0kJExDrUi1R+oF9PvqQmCrTqjOsgIvf2403OmJ+CWomuzDoylr6KbuMyvHA==",
       "dev": true,
       "dependencies": {
         "markdown-it": "13.0.1",
-        "markdownlint-micromark": "0.1.2"
+        "markdownlint-micromark": "0.1.7"
       },
       "engines": {
-        "node": ">=14.18.0"
+        "node": ">=16"
       }
     },
     "node_modules/markdownlint-cli": {
-      "version": "0.34.0",
-      "resolved": "https://registry.npmjs.org/markdownlint-cli/-/markdownlint-cli-0.34.0.tgz",
-      "integrity": "sha512-4G9I++VBTZkaye6Yfc/7dU6HQHcyldZEVB+bYyQJLcpJOHKk/q5ZpGqK80oKMIdlxzsA3aWOJLZ4DkoaoUWXbQ==",
+      "version": "0.37.0",
+      "resolved": "https://registry.npmjs.org/markdownlint-cli/-/markdownlint-cli-0.37.0.tgz",
+      "integrity": "sha512-hNKAc0bWBBuVhJbSWbUhRzavstiB4o1jh3JeSpwC4/dt6eJ54lRfYHRxVdzVp4qGWBKbeE6Pg490PFEfrKjqSg==",
       "dev": true,
       "dependencies": {
-        "commander": "~10.0.1",
+        "commander": "~11.0.0",
         "get-stdin": "~9.0.0",
-        "glob": "~10.2.2",
+        "glob": "~10.3.4",
         "ignore": "~5.2.4",
         "js-yaml": "^4.1.0",
         "jsonc-parser": "~3.2.0",
-        "markdownlint": "~0.28.2",
-        "minimatch": "~9.0.0",
-        "run-con": "~1.2.11"
+        "markdownlint": "~0.31.1",
+        "minimatch": "~9.0.3",
+        "run-con": "~1.3.2"
       },
       "bin": {
         "markdownlint": "markdownlint.js"
       },
       "engines": {
-        "node": ">=14"
+        "node": ">=16"
       }
     },
     "node_modules/markdownlint-cli/node_modules/brace-expansion": {
@@ -444,25 +444,25 @@
       }
     },
     "node_modules/markdownlint-cli/node_modules/commander": {
-      "version": "10.0.1",
-      "resolved": "https://registry.npmjs.org/commander/-/commander-10.0.1.tgz",
-      "integrity": "sha512-y4Mg2tXshplEbSGzx7amzPwKKOCGuoSRP/CjEdwwk0FOGlUbq6lKuoyDZTNZkmxHdJtp54hdfY/JUrdL7Xfdug==",
+      "version": "11.0.0",
+      "resolved": "https://registry.npmjs.org/commander/-/commander-11.0.0.tgz",
+      "integrity": "sha512-9HMlXtt/BNoYr8ooyjjNRdIilOTkVJXB+GhxMTtOKwk0R4j4lS4NpjuqmRxroBfnfTSHQIHQB7wryHhXarNjmQ==",
       "dev": true,
       "engines": {
-        "node": ">=14"
+        "node": ">=16"
       }
     },
     "node_modules/markdownlint-cli/node_modules/glob": {
-      "version": "10.2.2",
-      "resolved": "https://registry.npmjs.org/glob/-/glob-10.2.2.tgz",
-      "integrity": "sha512-Xsa0BcxIC6th9UwNjZkhrMtNo/MnyRL8jGCP+uEwhA5oFOCY1f2s1/oNKY47xQ0Bg5nkjsfAEIej1VeH62bDDQ==",
+      "version": "10.3.5",
+      "resolved": "https://registry.npmjs.org/glob/-/glob-10.3.5.tgz",
+      "integrity": "sha512-bYUpUD7XDEHI4Q2O5a7PXGvyw4deKR70kHiDxzQbe925wbZknhOzUt2xBgTkYL6RBcVeXYuD9iNYeqoWbBZQnA==",
       "dev": true,
       "dependencies": {
         "foreground-child": "^3.1.0",
         "jackspeak": "^2.0.3",
-        "minimatch": "^9.0.0",
-        "minipass": "^5.0.0",
-        "path-scurry": "^1.7.0"
+        "minimatch": "^9.0.1",
+        "minipass": "^5.0.0 || ^6.0.2 || ^7.0.0",
+        "path-scurry": "^1.10.1"
       },
       "bin": {
         "glob": "dist/cjs/src/bin.js"
@@ -475,9 +475,9 @@
       }
     },
     "node_modules/markdownlint-cli/node_modules/minimatch": {
-      "version": "9.0.0",
-      "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-9.0.0.tgz",
-      "integrity": "sha512-0jJj8AvgKqWN05mrwuqi8QYKx1WmYSUoKSxu5Qhs9prezTz10sxAHGNZe9J9cqIJzta8DWsleh2KaVaLl6Ru2w==",
+      "version": "9.0.3",
+      "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-9.0.3.tgz",
+      "integrity": "sha512-RHiac9mvaRw0x3AYRgDC1CxAP7HTcNrrECeA8YYJeWnpo+2Q5CegtZjaotWTWxDG3UeGA1coE05iH1mPjT/2mg==",
       "dev": true,
       "dependencies": {
         "brace-expansion": "^2.0.1"
@@ -490,12 +490,12 @@
       }
     },
     "node_modules/markdownlint-micromark": {
-      "version": "0.1.2",
-      "resolved": "https://registry.npmjs.org/markdownlint-micromark/-/markdownlint-micromark-0.1.2.tgz",
-      "integrity": "sha512-jRxlQg8KpOfM2IbCL9RXM8ZiYWz2rv6DlZAnGv8ASJQpUh6byTBnEsbuMZ6T2/uIgntyf7SKg/mEaEBo1164fQ==",
+      "version": "0.1.7",
+      "resolved": "https://registry.npmjs.org/markdownlint-micromark/-/markdownlint-micromark-0.1.7.tgz",
+      "integrity": "sha512-BbRPTC72fl5vlSKv37v/xIENSRDYL/7X/XoFzZ740FGEbs9vZerLrIkFRY0rv7slQKxDczToYuMmqQFN61fi4Q==",
       "dev": true,
       "engines": {
-        "node": ">=14.18.0"
+        "node": ">=16"
       }
     },
     "node_modules/mdurl": {
@@ -562,13 +562,13 @@
       }
     },
     "node_modules/path-scurry": {
-      "version": "1.7.0",
-      "resolved": "https://registry.npmjs.org/path-scurry/-/path-scurry-1.7.0.tgz",
-      "integrity": "sha512-UkZUeDjczjYRE495+9thsgcVgsaCPkaw80slmfVFgllxY+IO8ubTsOpFVjDPROBqJdHfVPUFRHPBV/WciOVfWg==",
+      "version": "1.10.1",
+      "resolved": "https://registry.npmjs.org/path-scurry/-/path-scurry-1.10.1.tgz",
+      "integrity": "sha512-MkhCqzzBEpPvxxQ71Md0b1Kk51W01lrYvlMzSUaIzNsODdd7mqhiimSZlr+VegAz5Z6Vzt9Xg2ttE//XBhH3EQ==",
       "dev": true,
       "dependencies": {
-        "lru-cache": "^9.0.0",
-        "minipass": "^5.0.0"
+        "lru-cache": "^9.1.1 || ^10.0.0",
+        "minipass": "^5.0.0 || ^6.0.2 || ^7.0.0"
       },
       "engines": {
         "node": ">=16 || 14 >=14.17"
@@ -587,14 +587,14 @@
       }
     },
     "node_modules/run-con": {
-      "version": "1.2.11",
-      "resolved": "https://registry.npmjs.org/run-con/-/run-con-1.2.11.tgz",
-      "integrity": "sha512-NEMGsUT+cglWkzEr4IFK21P4Jca45HqiAbIIZIBdX5+UZTB24Mb/21iNGgz9xZa8tL6vbW7CXmq7MFN42+VjNQ==",
+      "version": "1.3.2",
+      "resolved": "https://registry.npmjs.org/run-con/-/run-con-1.3.2.tgz",
+      "integrity": "sha512-CcfE+mYiTcKEzg0IqS08+efdnH0oJ3zV0wSUFBNrMHMuxCtXvBCLzCJHatwuXDcu/RlhjTziTo/a1ruQik6/Yg==",
       "dev": true,
       "dependencies": {
         "deep-extend": "^0.6.0",
-        "ini": "~3.0.0",
-        "minimist": "^1.2.6",
+        "ini": "~4.1.0",
+        "minimist": "^1.2.8",
         "strip-json-comments": "~3.1.1"
       },
       "bin": {

package.json

@@ -14,6 +14,6 @@
   },
   "devDependencies": {
     "@bitnami/readme-generator-for-helm": "^2.5.0",
-    "markdownlint-cli": "^0.34.0"
+    "markdownlint-cli": "^0.37.0"
   }
 }

renovate.json5

@@ -0,0 +1,14 @@
+{
+  $schema: "https://docs.renovatebot.com/renovate-schema.json",
+  extends: ["gitea>gitea/renovate-config"],
+  packageRules: [
+    {
+      description: "Automerge minor + patch dependency updates weekly",
+      matchManagers: ["helmv3"],
+      matchUpdateTypes: ["minor", "patch", "digest"],
+      automerge: true,
+      automergeStrategy: "squash",
+      extends: ["schedule:weekly"],
+    },
+  ],
+}

templates/_helpers.tpl

@@ -57,13 +57,18 @@ Create image name and tag used by the deployment.
 */}}
 {{- define "gitea.image" -}}
 {{- $registry := .Values.global.imageRegistry | default .Values.image.registry -}}
-{{- $name := .Values.image.repository -}}
+{{- $repository := .Values.image.repository -}}
+{{- $separator := ":" -}}
 {{- $tag := .Values.image.tag | default .Chart.AppVersion -}}
 {{- $rootless := ternary "-rootless" "" (.Values.image.rootless) -}}
-{{- if $registry -}}
-  {{- printf "%s/%s:%s%s" $registry $name $tag $rootless -}}
+{{- $digest := "" -}}
+{{- if .Values.image.digest }}
+    {{- $digest = (printf "@%s" (.Values.image.digest | toString)) -}}
+{{- end -}}
+{{- if $registry }}
+    {{- printf "%s/%s%s%s%s%s" $registry $repository $separator $tag $rootless $digest -}}
 {{- else -}}
-  {{- printf "%s:%s%s" $name $tag $rootless -}}
+    {{- printf "%s%s%s%s%s" $repository $separator $tag $rootless $digest -}}
 {{- end -}}
 {{- end -}}
 
@@ -112,9 +117,17 @@ app.kubernetes.io/name: {{ include "gitea.name" . }}
 app.kubernetes.io/instance: {{ .Release.Name }}
 {{- end -}}
 
-{{- define "postgresql.dns" -}}
+{{- define "postgresql-ha.dns" -}}
+{{- if (index .Values "postgresql-ha").enabled -}}
 {{- printf "%s-postgresql-ha-postgresql.%s.svc.%s:%g" .Release.Name .Release.Namespace .Values.clusterDomain (index .Values "postgresql-ha" "service" "ports" "postgresql") -}}
 {{- end -}}
+{{- end -}}
+
+{{- define "postgresql.dns" -}}
+{{- if (index .Values "postgresql").enabled -}}
+{{- printf "%s-postgresql.%s.svc.%s:%g" .Release.Name .Release.Namespace .Values.clusterDomain .Values.postgresql.global.postgresql.service.ports.postgresql -}}
+{{- end -}}
+{{- end -}}
 
 {{- define "redis.dns" -}}
 {{- if (index .Values "redis-cluster").enabled -}}
@@ -344,12 +357,21 @@ https
   {{- if (index .Values "postgresql-ha" "enabled") -}}
     {{- $_ := set .Values.gitea.config.database "DB_TYPE"   "postgres" -}}
     {{- if not (.Values.gitea.config.database.HOST) -}}
-      {{- $_ := set .Values.gitea.config.database "HOST"      (include "postgresql.dns" .) -}}
+      {{- $_ := set .Values.gitea.config.database "HOST"      (include "postgresql-ha.dns" .) -}}
     {{- end -}}
     {{- $_ := set .Values.gitea.config.database "NAME"      (index .Values "postgresql-ha" "global" "postgresql" "database") -}}
     {{- $_ := set .Values.gitea.config.database "USER"      (index .Values "postgresql-ha" "global" "postgresql" "username") -}}
     {{- $_ := set .Values.gitea.config.database "PASSWD"    (index .Values "postgresql-ha" "global" "postgresql" "password") -}}
   {{- end -}}
+  {{- if (index .Values "postgresql" "enabled") -}}
+    {{- $_ := set .Values.gitea.config.database "DB_TYPE"   "postgres" -}}
+    {{- if not (.Values.gitea.config.database.HOST) -}}
+      {{- $_ := set .Values.gitea.config.database "HOST"      (include "postgresql.dns" .) -}}
+    {{- end -}}
+    {{- $_ := set .Values.gitea.config.database "NAME"      .Values.postgresql.global.postgresql.auth.database -}}
+    {{- $_ := set .Values.gitea.config.database "USER"      .Values.postgresql.global.postgresql.auth.username -}}
+    {{- $_ := set .Values.gitea.config.database "PASSWD"    .Values.postgresql.global.postgresql.auth.password -}}
+  {{- end -}}
 {{- end -}}
 
 {{- define "gitea.init-additional-mounts" -}}

templates/gitea/config.yaml

@@ -17,17 +17,22 @@ metadata:
 type: Opaque
 stringData:
   assertions: |
+
+{{- /*assert that only one PG dep is enabled */ -}}
+{{- if and (.Values.postgresql.enabled) (index .Values "postgresql-ha" "enabled") -}}
+  {{- fail "Only one of postgresql or postgresql-ha can be enabled at the same time." -}}
+{{- end }}
+
 {{- /* multiple replicas assertions */ -}}
 {{- if gt .Values.replicaCount 1.0 -}}
-  {{- if .Values.gitea.config.cron.GIT_GC_REPOS -}}
-    {{- if .Values.gitea.config.cron.GIT_GC_REPOS.enabled -}}
-      {{- fail "Invoking the garbage collector via CRON is not yet supported when running with multiple replicas. Please set 'GIT_GC_REPOS.enabled = false'." -}}
-    {{- end }}
+  {{- if (get (get .Values.gitea.config "cron.GIT_GC_REPOS") "ENABLED") -}}
+    {{- fail "Invoking the garbage collector via CRON is not yet supported when running with multiple replicas. Please set 'cron.GIT_GC_REPOS.enabled = false'." -}}
   {{- end }}
+
   {{- if eq (first .Values.persistence.accessModes) "ReadWriteOnce" -}}
     {{- fail "When using multiple replicas, a RWX file system is required and gitea.persistence.accessModes[0] must be set to ReadWriteMany." -}}
   {{- end }}
-  
+
   {{- if eq (get .Values.gitea.config.indexer "ISSUE_INDEXER_TYPE") "bleve" -}}
     {{- fail "When using multiple replicas, the issue indexer (gitea.config.indexer.ISSUE_INDEXER_TYPE) must be set to a HA-ready provider such as 'meilisearch', 'elasticsearch' or 'db' (if the DB is HA-ready)." -}}
   {{- end }}
@@ -130,7 +135,7 @@ stringData:
 
       if [[ $section == '_generals_' ]]; then
         env2ini::log "  [ini root]"
-        section='DEFAULT'
+        section=''
       else
         env2ini::log "  ${section}"
       fi
@@ -197,7 +202,3 @@ stringData:
     fi
 
     environment-to-ini -o $GITEA_APP_INI
-
-    env
-
-    cat /data/gitea/conf/app.ini

templates/gitea/ingress.yaml

@@ -15,10 +15,10 @@ metadata:
   name: {{ $fullName }}
   labels:
     {{- include "gitea.labels" . | nindent 4 }}
-  {{- with .Values.ingress.annotations }}
   annotations:
-    {{- toYaml . | nindent 4 }}
-  {{- end }}
+    {{- range $key, $value := .Values.ingress.annotations }}
+      {{ $key }}: {{ $value | quote }}
+    {{- end }}
 spec:
 {{- if .Values.ingress.className }}
   ingressClassName: {{ .Values.ingress.className }}
@@ -28,14 +28,14 @@ spec:
   {{- range .Values.ingress.tls }}
     - hosts:
       {{- range .hosts }}
-        - {{ . | quote }}
+        - {{ tpl . $ | quote }}
       {{- end }}
       secretName: {{ .secretName }}
   {{- end }}
 {{- end }}
   rules:
     {{- range .Values.ingress.hosts }}
-    - host: {{ .host | quote }}
+    - host: {{ tpl .host $ | quote }}
       http:
         paths:
           {{- range .paths }}

unittests/deployment/image-configuration.yaml

@@ -0,0 +1,78 @@
+suite: deployment template (image configuration)
+release:
+  name: gitea-unittests
+  namespace: testing
+chart:
+  # Override appVersion to be consistent with used digest :)
+  appVersion: 1.19.3
+templates:
+  - templates/gitea/deployment.yaml
+  - templates/gitea/config.yaml
+tests:
+  - it: default values
+    template: templates/gitea/deployment.yaml
+    asserts:
+      - equal:
+          path: spec.template.spec.containers[0].image
+          value: "gitea/gitea:1.19.3-rootless"
+  - it: tag override
+    template: templates/gitea/deployment.yaml
+    set:
+      image.tag: "1.19.4"
+    asserts:
+      - equal:
+          path: spec.template.spec.containers[0].image
+          value: "gitea/gitea:1.19.4-rootless"
+  - it: root-based image
+    template: templates/gitea/deployment.yaml
+    set:
+      image.rootless: false
+    asserts:
+      - equal:
+          path: spec.template.spec.containers[0].image
+          value: "gitea/gitea:1.19.3"
+  - it: scoped registry
+    template: templates/gitea/deployment.yaml
+    set:
+      image.registry: "example.com"
+    asserts:
+      - equal:
+          path: spec.template.spec.containers[0].image
+          value: "example.com/gitea/gitea:1.19.3-rootless"
+  - it: global registry
+    template: templates/gitea/deployment.yaml
+    set:
+      global.imageRegistry: "global.example.com"
+    asserts:
+      - equal:
+          path: spec.template.spec.containers[0].image
+          value: "global.example.com/gitea/gitea:1.19.3-rootless"
+  - it: digest for rootless image
+    template: templates/gitea/deployment.yaml
+    set:
+      image:
+        rootless: true
+        digest: sha256:b28e8f3089b52ebe6693295df142f8c12eff354e9a4a5bfbb5c10f296c3a537a
+    asserts:
+      - equal:
+          path: spec.template.spec.containers[0].image
+          value: "gitea/gitea:1.19.3-rootless@sha256:b28e8f3089b52ebe6693295df142f8c12eff354e9a4a5bfbb5c10f296c3a537a"
+  - it: digest for root-based image
+    template: templates/gitea/deployment.yaml
+    set:
+      image:
+        rootless: false
+        digest: sha256:b28e8f3089b52ebe6693295df142f8c12eff354e9a4a5bfbb5c10f296c3a537a
+    asserts:
+      - equal:
+          path: spec.template.spec.containers[0].image
+          value: "gitea/gitea:1.19.3@sha256:b28e8f3089b52ebe6693295df142f8c12eff354e9a4a5bfbb5c10f296c3a537a"
+  - it: digest and global registry
+    template: templates/gitea/deployment.yaml
+    set:
+      global.imageRegistry: "global.example.com"
+      image.digest: "sha256:b28e8f3089b52ebe6693295df142f8c12eff354e9a4a5bfbb5c10f296c3a537a"
+    asserts:
+      - equal:
+          path: spec.template.spec.containers[0].image
+          value: "global.example.com/gitea/gitea:1.19.3-rootless@sha256:b28e8f3089b52ebe6693295df142f8c12eff354e9a4a5bfbb5c10f296c3a537a"

unittests/deployment/ingress-configuration.yaml

@@ -0,0 +1,23 @@
+suite: ingress template
+release:
+  name: gitea-unittests
+  namespace: testing
+templates:
+  - templates/gitea/ingress.yaml
+tests:
+  - it: hostname using TPL
+    set:
+      global.giteaHostName: "gitea.example.com"
+      ingress.enabled: true
+      ingress.hosts[0].host: "{{ .Values.global.giteaHostName }}"
+      ingress.tls:
+        - secretName: gitea-tls
+          hosts:
+            - "{{ .Values.global.giteaHostName }}"
+    asserts:
+      - equal:
+          path: spec.tls[0].hosts[0]
+          value: "gitea.example.com"
+      - equal:
+          path: spec.rules[0].host
+          value: "gitea.example.com"

values.yaml

@@ -40,6 +40,7 @@ clusterDomain: cluster.local
 ## @param image.registry image registry, e.g. gcr.io,docker.io
 ## @param image.repository Image to start for this pod
 ## @param image.tag Visit: [Image tag](https://hub.docker.com/r/gitea/gitea/tags?page=1&ordering=last_updated). Defaults to `appVersion` within Chart.yaml.
+## @param image.digest Image digest. Allows to pin the given image tag. Useful for having control over mutable tags like `latest`
 ## @param image.pullPolicy Image pull policy
 ## @param image.rootless Wether or not to pull the rootless version of Gitea, only works on Gitea 1.14.x or higher
 image:
@@ -47,6 +48,7 @@ image:
   repository: gitea/gitea
   # Overrides the image tag whose default is the chart appVersion.
   tag: ""
+  digest: ""
   pullPolicy: Always
   rootless: true
 
@@ -485,6 +487,7 @@ redis-cluster:
 ## @param postgresql-ha.postgresql.password Password for the `gitea` user (overrides `auth.password`)
 ## @param postgresql-ha.global.postgresql.database Name for a custom database to create (overrides `auth.database`)
 ## @param postgresql-ha.global.postgresql.username Name for a custom user to create (overrides `auth.username`)
+## @param postgresql-ha.global.postgresql.password Name for a custom password to create (overrides `auth.password`)
 ## @param postgresql-ha.postgresql.repmgrPassword Repmgr Password
 ## @param postgresql-ha.postgresql.postgresPassword postgres Password
 ## @param postgresql-ha.pgpool.adminPassword pgpool adminPassword