Bump Gitea to 1.19.0 (#418)

As title.

Reviewed-on: https://gitea.com/gitea/helm-chart/pulls/418
Reviewed-by: John Olheiser <john+gitea@jolheiser.com>
Reviewed-by: yardenshoham <yardenshoham@noreply.gitea.io>

.drone.yml

@@ -10,24 +10,35 @@ platform:
 steps:
 - name: helm lint
   pull: always
-  image: alpine:3.15
+  image: alpine:3.17
   commands:
   - apk add --no-cache -X http://dl-cdn.alpinelinux.org/alpine/edge/testing helm
   - helm lint
 
 - name: helm template
   pull: always
-  image: alpine:3.15
+  image: alpine:3.17
   commands:
   - apk add --no-cache -X http://dl-cdn.alpinelinux.org/alpine/edge/testing helm
   - helm dependency update
   - helm template --debug gitea-helm .
 
-- name: markdown lint
+- name: helm unittests
   pull: always
-  image: docker.io/volkerraschek/markdownlint:latest
+  image: alpine:3.17
   commands:
-  - markdownlint *.md
+  - apk add --no-cache -X http://dl-cdn.alpinelinux.org/alpine/edge/testing make helm git bash
+  - helm plugin install https://github.com/helm-unittest/helm-unittest
+  - helm dependency update
+  - make unittests
+
+- name: verify readme
+  pull: always
+  image: alpine:3.17
+  commands:
+  - apk add --no-cache -X http://dl-cdn.alpinelinux.org/alpine/edge/testing make npm git
+  - make readme
+  - git diff --exit-code --name-only README.md
 
 - name: discord
   pull: always
@@ -42,6 +53,7 @@ steps:
     - changed
     - failure
 
+
 ---
 kind: pipeline
 type: docker
@@ -58,7 +70,7 @@ trigger:
 steps:
 - name: generate-chart
   pull: always
-  image: alpine:3.15
+  image: alpine:3.17
   commands:
     - apk add --no-cache -X http://dl-cdn.alpinelinux.org/alpine/edge/testing helm
     - apk add --no-cache curl
@@ -73,8 +85,16 @@ steps:
   pull: always
   image: plugins/s3:latest
   settings:
-    bucket: gitea-artifacts
+    acl:
-    endpoint: https://ams3.digitaloceanspaces.com
+      from_secret: aws_s3_acl
+    region:
+      from_secret: aws_s3_region
+    bucket:
+      from_secret: aws_s3_bucket
+    endpoint:
+      from_secret: aws_s3_endpoint
+    path_style:
+      from_secret: aws_s3_path_style
     access_key:
       from_secret: aws_access_key_id
     secret_key:

.editorconfig

@@ -0,0 +1,12 @@
+# EditorConfig is awesome: https://EditorConfig.org
+
+# top-most EditorConfig file
+root = true
+
+[*]
+indent_style = space
+indent_size = 2
+end_of_line = lf
+charset = utf-8
+trim_trailing_whitespace = false
+insert_final_newline = false

.gitea/PULL_REQUEST_TEMPLATE.md

@@ -0,0 +1,41 @@
+<!--
+ Before you open the request please review the following guidelines and tips to help it be more easily integrated:
+
+ - Describe the scope of your change - i.e. what the change does.
+ - Describe any known limitations with your change.
+ - Please run any tests or examples that can exercise your modified code.
+
+ Thank you for contributing! We will try to review, test and integrate the change as soon as we can.
+ -->
+
+### Description of the change
+
+<!-- Describe the scope of your change - i.e. what the change does. -->
+
+### Benefits
+
+<!-- What benefits will be realized by the code change? -->
+
+### Possible drawbacks
+
+<!-- Describe any known limitations with your change -->
+
+### Applicable issues
+
+<!-- Enter any applicable Issues here (You can reference an issue using #). Please remove this section if there is no referenced issue. -->
+  - fixes #
+
+### Additional information
+
+<!-- If there's anything else that's important and relevant to your pull request, mention that information here. Please remove this section if it remains empty. -->
+
+### ⚠ BREAKING
+
+<!-- If there's a breaking change, please shortly describe in which way users are affected and how they can mitigate it. If there are no breakings, please remove this section. -->
+
+### Checklist
+
+<!-- [Place an '[X]' (no spaces) in all applicable fields. Please remove unrelated fields.] -->
+
+- [ ] Parameters are documented in the `values.yaml` and added to the `README.md` using [readme-generator-for-helm](https://github.com/bitnami-labs/readme-generator-for-helm)
+- [ ] Breaking changes are documented in the `README.md`

.gitignore

@@ -1,3 +1,4 @@
-charts
+charts/
-Chart.lock
+node_modules/
 .DS_Store
+unittests/*/__snapshot__/

.helmignore

@@ -20,5 +20,14 @@
 .idea/
 *.tmproj
 .vscode/
-#charts/
+node_modules/
-#Chart.lock
+.npmrc
+package.json
+package-lock.json
+.gitea/
+Makefile
+.markdownlintignore
+.markdownlint.yaml
+.drone.yml
+CONTRIBUTING.md
+unittests/

.markdownlint.yaml

@@ -45,7 +45,7 @@ MD012:
 # MD013/line-length - Line length
 MD013:
   # Number of characters
-  line_length: 80
+  line_length: 200
   # Number of characters for headings
   heading_line_length: 80
   # Number of characters for code blocks
@@ -131,8 +131,6 @@ MD044:
   names:
   - Gitea
   - PostgreSQL
-  - MariaDB
-  - MySQL
   - Memcached
   - Prometheus
   - Git

.markdownlintignore

@@ -0,0 +1,3 @@
+.gitea/
+node_modules/
+charts/

.npmrc

@@ -0,0 +1 @@
+engine-strict=true

CONTRIBUTING.md

@@ -0,0 +1,63 @@
+# Contribution Guidelines
+
+Any type of contribution is welcome; from new features, bug fixes, tests,
+refactorings for easier maintainability or documentation improvements.
+
+## Development environment
+
+- [`node`](https://nodejs.org/en/) at least current LTS
+- [`helm`](https://helm.sh/docs/intro/install/)
+- `make` is optional; you may call the commands directly
+
+When using Visual Studio Code as IDE, following plugins might be useful:
+
+- [Markdown All in One](https://marketplace.visualstudio.com/items?itemName=yzhang.markdown-all-in-one)
+- [markdownlint](https://marketplace.visualstudio.com/items?itemName=DavidAnson.vscode-markdownlint)
+- [Helm Intellisense](https://marketplace.visualstudio.com/items?itemName=Tim-Koehler.helm-intellisense)
+- [Prettier - Code formatter](https://marketplace.visualstudio.com/items?itemName=esbenp.prettier-vscode)
+
+## Documentation Requirements
+
+The `README.md` must include all configuration options. The parameters section
+is generated by extracting the parameter annotations from the `values.yaml` file,
+by using [this tool](https://github.com/bitnami-labs/readme-generator-for-helm).
+
+If changes were made on configuration options, run `make readme` to update the
+README file.
+
+## Pull Request Requirements
+
+When submitting or updating a PR:
+
+- make sure it passes CI builds.
+- do not make independent changes in one PR.
+- try to avoid rebases. They make code reviews for large PRs and comments much harder.
+- if applicable, use the PR template for a well-defined PR description.
+- clearly mark breaking changes.
+
+## Local development & testing
+
+For local development and testing of pull requests, the following workflow can
+be used:
+
+1. Install `minikube` and `helm`.
+2. Start a `minikube` cluster via `minikube start`.
+3. From the `gitea/helm-chart` directory execute the following command. This
+   will install the dependencies listed in `Chart.yml` and deploy the current
+   state of the helm chart found locally. If you want to test a branch, make
+   sure to switch to the respective branch first.
+  `helm install --dependency-update gitea . -f values.yaml`.
+4. Gitea is now deployed in `minikube`. To access it, it's port needs to be
+   forwarded first from `minikube` to localhost first via `kubectl --namespace
+   default port-forward svc/gitea-http 3000:3000`. Now Gitea is accessible at
+   [http://localhost:3000](http://localhost:3000).
+
+### Unit tests
+
+```bash
+# install the unittest plugin
+$ helm plugin install https://github.com/helm-unittest/helm-unittest
+
+# run the unittests
+make unittests
+```

Chart.lock

@@ -0,0 +1,9 @@
+dependencies:
+- name: memcached
+  repository: oci://registry-1.docker.io/bitnamicharts
+  version: 6.3.7
+- name: postgresql
+  repository: oci://registry-1.docker.io/bitnamicharts
+  version: 12.2.6
+digest: sha256:c2026881f71eca24c72e9da3e798a1ad2a5af8e86a39a5341015584eaacf8b64
+generated: "2023-03-27T19:20:21.125036+02:00"

Chart.yaml

@@ -3,7 +3,7 @@ name: gitea
 description: Gitea Helm chart for Kubernetes
 type: application
 version: 0.0.0
-appVersion: 1.16.6
+appVersion: 1.19.0
 icon: https://docs.gitea.io/images/gitea.png
 
 keywords:
@@ -29,20 +29,15 @@ maintainers:
   - name: Steven Kriegler
     email: sk.bunsenbrenner@gmail.com
 
+# Bitnami charts are served from GitHub CDN - See https://github.com/bitnami/charts/issues/10539 for details
 dependencies:
+# OCI registry: https://blog.bitnami.com/2023/01/bitnami-helm-charts-available-as-oci.html (2023-01)
+# Chart release date: 2023-02
 - name: memcached
-  repository: https://charts.bitnami.com/bitnami
+  repository: oci://registry-1.docker.io/bitnamicharts
-  version: 5.9.0
+  version: 6.3.7
   condition: memcached.enabled
-- name: mysql
-  repository: https://charts.bitnami.com/bitnami
-  version: 6.14.10
-  condition: mysql.enabled
 - name: postgresql
-  repository: https://charts.bitnami.com/bitnami
+  repository: oci://registry-1.docker.io/bitnamicharts
-  version: 10.3.17
+  version: 12.2.6
   condition: postgresql.enabled
-- name: mariadb
-  repository: https://charts.bitnami.com/bitnami
-  version: 9.3.6
-  condition: mariadb.enabled

Makefile

@@ -0,0 +1,12 @@
+.PHONY: prepare-environment
+prepare-environment:
+	npm install
+
+.PHONY: readme
+readme: prepare-environment
+	npm run readme:parameters
+	npm run readme:lint
+
+.PHONY: unittests
+unittests:
+	helm unittest --strict -f 'unittests/**/*.yaml' ./

package.json

@@ -0,0 +1,19 @@
+{
+  "name": "gitea-helm-chart",
+  "homepage": "https://gitea.com/gitea/helm-chart.git",
+  "license": "MIT",
+  "private": true,
+  "engineStrict": true,
+  "engines": {
+    "node": ">=16.0.0",
+    "npm": ">=8.0.0"
+  },
+  "scripts": {
+    "readme:lint": "markdownlint *.md -f",
+    "readme:parameters": "readme-generator -v values.yaml -r README.md"
+  },
+  "devDependencies": {
+    "@bitnami/readme-generator-for-helm": "^2.4.2",
+    "markdownlint-cli": "^0.31.1"
+  }
+}

templates/_helpers.tpl

@@ -35,10 +35,40 @@ Create chart name and version as used by the chart label.
 Create image name and tag used by the deployment.
 */}}
 {{- define "gitea.image" -}}
+{{- $registry := .Values.global.imageRegistry | default .Values.image.registry -}}
 {{- $name := .Values.image.repository -}}
 {{- $tag := .Values.image.tag | default .Chart.AppVersion -}}
 {{- $rootless := ternary "-rootless" "" (.Values.image.rootless) -}}
-{{- printf "%s:%s%s" $name $tag $rootless -}}
+{{- if $registry -}}
+  {{- printf "%s/%s:%s%s" $registry $name $tag $rootless -}}
+{{- else -}}
+  {{- printf "%s:%s%s" $name $tag $rootless -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Docker Image Registry Secret Names evaluating values as templates
+*/}}
+{{- define "gitea.images.pullSecrets" -}}
+{{- $pullSecrets := .Values.imagePullSecrets -}}
+{{- range .Values.global.imagePullSecrets -}}
+    {{- $pullSecrets = append $pullSecrets (dict "name" .) -}}
+{{- end -}}
+{{- if (not (empty $pullSecrets)) }}
+imagePullSecrets:
+{{ toYaml $pullSecrets }}
+{{- end }}
+{{- end -}}
+
+
+{{/*
+Storage Class
+*/}}
+{{- define "gitea.persistence.storageClass" -}}
+{{- $storageClass := .Values.global.storageClass | default .Values.persistence.storageClass }}
+{{- if $storageClass }}
+storageClassName: {{ $storageClass | quote }}
+{{- end }}
 {{- end -}}
 
 {{/*
@@ -62,15 +92,7 @@ app.kubernetes.io/instance: {{ .Release.Name }}
 {{- end -}}
 
 {{- define "postgresql.dns" -}}
-{{- printf "%s-postgresql.%s.svc.%s:%g" .Release.Name .Release.Namespace .Values.clusterDomain .Values.postgresql.global.postgresql.servicePort -}}
+{{- printf "%s-postgresql.%s.svc.%s:%g" .Release.Name .Release.Namespace .Values.clusterDomain .Values.postgresql.global.postgresql.service.ports.postgresql -}}
-{{- end -}}
-
-{{- define "mysql.dns" -}}
-{{- printf "%s-mysql.%s.svc.%s:%g" .Release.Name .Release.Namespace .Values.clusterDomain .Values.mysql.service.port | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-
-{{- define "mariadb.dns" -}}
-{{- printf "%s-mariadb.%s.svc.%s:%g" .Release.Name .Release.Namespace .Values.clusterDomain .Values.mariadb.primary.service.port | trunc 63 | trimSuffix "-" -}}
 {{- end -}}
 
 {{- define "memcached.dns" -}}
@@ -130,6 +152,14 @@ app.kubernetes.io/instance: {{ .Release.Name }}
 {{- end -}}
 {{- end -}}
 
+{{- define "gitea.public_protocol" -}}
+{{- if and .Values.ingress.enabled (gt (len .Values.ingress.tls) 0) -}}
+https
+{{- else -}}
+{{ .Values.gitea.config.server.PROTOCOL }}
+{{- end -}}
+{{- end -}}
+
 {{- define "gitea.inline_configuration" -}}
   {{- include "gitea.inline_configuration.init" . -}}
   {{- include "gitea.inline_configuration.defaults" . -}}
@@ -220,15 +250,7 @@ app.kubernetes.io/instance: {{ .Release.Name }}
     {{- end -}}
   {{- end -}}
   {{- if not .Values.gitea.config.server.ROOT_URL -}}
-    {{- if .Values.ingress.enabled -}}
+    {{- $_ := set .Values.gitea.config.server "ROOT_URL" (printf "%s://%s" (include "gitea.public_protocol" .) .Values.gitea.config.server.DOMAIN) -}}
-      {{- if gt (len .Values.ingress.tls) 0 -}}
-        {{- $_ := set .Values.gitea.config.server "ROOT_URL" (printf "%s://%s" .Values.gitea.config.server.PROTOCOL (index (index .Values.ingress.tls 0).hosts 0)) -}}
-      {{- else -}}
-        {{- $_ := set .Values.gitea.config.server "ROOT_URL" (printf "%s://%s" .Values.gitea.config.server.PROTOCOL (index .Values.ingress.hosts 0).host) -}}
-      {{- end -}}
-    {{- else -}}
-      {{- $_ := set .Values.gitea.config.server "ROOT_URL" (printf "%s://%s" .Values.gitea.config.server.PROTOCOL .Values.gitea.config.server.DOMAIN) -}}
-    {{- end -}}
   {{- end -}}
   {{- if not .Values.gitea.config.server.SSH_DOMAIN -}}
     {{- $_ := set .Values.gitea.config.server "SSH_DOMAIN" .Values.gitea.config.server.DOMAIN -}}
@@ -262,9 +284,9 @@ app.kubernetes.io/instance: {{ .Release.Name }}
     {{- if not (.Values.gitea.config.database.HOST) -}}
       {{- $_ := set .Values.gitea.config.database "HOST"      (include "postgresql.dns" .) -}}
     {{- end -}}
-    {{- $_ := set .Values.gitea.config.database "NAME"      .Values.postgresql.global.postgresql.postgresqlDatabase -}}
+    {{- $_ := set .Values.gitea.config.database "NAME"      .Values.postgresql.global.postgresql.auth.database -}}
-    {{- $_ := set .Values.gitea.config.database "USER"      .Values.postgresql.global.postgresql.postgresqlUsername -}}
+    {{- $_ := set .Values.gitea.config.database "USER"      .Values.postgresql.global.postgresql.auth.username -}}
-    {{- $_ := set .Values.gitea.config.database "PASSWD"    .Values.postgresql.global.postgresql.postgresqlPassword -}}
+    {{- $_ := set .Values.gitea.config.database "PASSWD"    .Values.postgresql.global.postgresql.auth.password -}}
   {{- else if .Values.mysql.enabled -}}
     {{- $_ := set .Values.gitea.config.database "DB_TYPE"   "mysql" -}}
     {{- if not (.Values.gitea.config.database.HOST) -}}
@@ -283,3 +305,25 @@ app.kubernetes.io/instance: {{ .Release.Name }}
     {{- $_ := set .Values.gitea.config.database "PASSWD"    .Values.mariadb.auth.password -}}
   {{- end -}}
 {{- end -}}
+
+{{- define "gitea.init-additional-mounts" -}}
+  {{- /* Honor the deprecated extraVolumeMounts variable when defined */ -}}
+  {{- if gt (len .Values.extraInitVolumeMounts) 0 -}}
+    {{- toYaml .Values.extraInitVolumeMounts -}}
+  {{- else if gt (len .Values.extraVolumeMounts) 0 -}}
+    {{- toYaml .Values.extraVolumeMounts -}}
+  {{- end -}}
+{{- end -}}
+
+{{- define "gitea.container-additional-mounts" -}}
+  {{- /* Honor the deprecated extraVolumeMounts variable when defined */ -}}
+  {{- if gt (len .Values.extraContainerVolumeMounts) 0 -}}
+    {{- toYaml .Values.extraContainerVolumeMounts -}}
+  {{- else if gt (len .Values.extraVolumeMounts) 0 -}}
+    {{- toYaml .Values.extraVolumeMounts -}}
+  {{- end -}}
+{{- end -}}
+
+{{- define "gitea.gpg-key-secret-name" -}}
+{{ default (printf "%s-gpg-key" (include "gitea.fullname" .)) .Values.signing.existingSecret }}
+{{- end -}}

templates/gitea/config.yaml

@@ -117,13 +117,15 @@ stringData:
     function env2ini::load_config_sources() {
       local path="${1}"
 
-      env2ini::log "Processing $(basename "${path}")..."
+      if [[ -d "${path}" ]]; then
+        env2ini::log "Processing $(basename "${path}")..."
 
-      while read -d '' configFile; do
+        while read -d '' configFile; do
-        env2ini::process_config_file "${configFile}"
+          env2ini::process_config_file "${configFile}"
-      done < <(find "${path}" -type l -not -name '..data' -print0)
+        done < <(find "${path}" -type l -not -name '..data' -print0)
 
-      env2ini::log "\n"
+        env2ini::log "\n"
+      fi
     }
 
     function env2ini::generate_initial_secrets() {
@@ -135,6 +137,7 @@ stringData:
       export ENV_TO_INI__SECURITY__INTERNAL_TOKEN=$(gitea generate secret INTERNAL_TOKEN)
       export ENV_TO_INI__SECURITY__SECRET_KEY=$(gitea generate secret SECRET_KEY)
       export ENV_TO_INI__OAUTH2__JWT_SECRET=$(gitea generate secret JWT_SECRET)
+      export ENV_TO_INI__SERVER__LFS_JWT_SECRET=$(gitea generate secret LFS_JWT_SECRET)
 
       env2ini::log "...Initial secrets generated\n"
     }
@@ -158,10 +161,12 @@ stringData:
       env2ini::log '  - security.INTERNAL_TOKEN'
       env2ini::log '  - security.SECRET_KEY'
       env2ini::log '  - oauth2.JWT_SECRET'
+      env2ini::log '  - server.LFS_JWT_SECRET'
 
       unset ENV_TO_INI__SECURITY__INTERNAL_TOKEN
       unset ENV_TO_INI__SECURITY__SECRET_KEY
       unset ENV_TO_INI__OAUTH2__JWT_SECRET
+      unset ENV_TO_INI__SERVER__LFS_JWT_SECRET
     fi
 
     environment-to-ini -o $GITEA_APP_INI -p ENV_TO_INI

templates/gitea/gpg-secret.yaml

@@ -0,0 +1,16 @@
+{{- if .Values.signing.enabled -}}
+{{- if and (empty .Values.signing.privateKey) (empty .Values.signing.existingSecret) -}}
+  {{- fail "Either specify `signing.privateKey` or `signing.existingSecret`" -}}
+{{- end }}
+{{- if and (not (empty .Values.signing.privateKey)) (empty .Values.signing.existingSecret) -}}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "gitea.gpg-key-secret-name" . }}
+  labels:
+    {{- include "gitea.labels" . | nindent 4 }}
+type: Opaque
+data:
+  privateKey: {{ .Values.signing.privateKey | b64enc }}
+{{- end }}
+{{- end }}

templates/gitea/http-svc.yaml

@@ -21,6 +21,13 @@ spec:
   externalIPs:
     {{- toYaml .Values.service.http.externalIPs | nindent 4 }}
   {{- end }}
+  {{- if .Values.service.http.ipFamilyPolicy }}
+  ipFamilyPolicy: {{ .Values.service.http.ipFamilyPolicy }}
+  {{- end }}
+  {{- with .Values.service.http.ipFamilies }}
+  ipFamilies:
+  {{- toYaml . | nindent 4 }}
+  {{- end -}}
   {{- if .Values.service.http.externalTrafficPolicy }}
   externalTrafficPolicy: {{ .Values.service.http.externalTrafficPolicy }}
   {{- end }}

templates/gitea/init.yaml

@@ -6,6 +6,11 @@ metadata:
     {{- include "gitea.labels" . | nindent 4 }}
 type: Opaque
 stringData:
+  configure_gpg_environment.sh: |-
+    #!/usr/bin/env bash
+    set -eu
+
+    gpg --batch --import /raw/private.asc
   init_directory_structure.sh: |-
     #!/usr/bin/env bash
 
@@ -26,7 +31,7 @@ stringData:
     {{- end }}
     mkdir -p /data/git/.ssh
     chmod -R 700 /data/git/.ssh
-    [ ! -d /data/gitea ] && mkdir -p /data/gitea/conf
+    [ ! -d /data/gitea/conf ] && mkdir -p /data/gitea/conf
 
     # prepare temp directory structure
     mkdir -p "${GITEA_TEMP}"
@@ -35,6 +40,14 @@ stringData:
     {{- end }}
     chmod ug+rwx "${GITEA_TEMP}"
 
+    {{ if .Values.signing.enabled -}}
+    if [ ! -d "${GNUPGHOME}" ]; then
+      mkdir -p "${GNUPGHOME}"
+      chmod 700 "${GNUPGHOME}"
+      chown 1000:1000 "${GNUPGHOME}"
+    fi
+    {{- end }}
+
   configure_gitea.sh: |-
     #!/usr/bin/env bash
 

templates/gitea/ssh-svc.yaml

@@ -26,6 +26,13 @@ spec:
   externalIPs:
     {{- toYaml .Values.service.ssh.externalIPs | nindent 4 }}
   {{- end }}
+  {{- if .Values.service.ssh.ipFamilyPolicy }}
+  ipFamilyPolicy: {{ .Values.service.ssh.ipFamilyPolicy }}
+  {{- end }}
+  {{- with .Values.service.ssh.ipFamilies }}
+  ipFamilies:
+  {{- toYaml . | nindent 4 }}
+  {{- end -}}
   {{- if .Values.service.ssh.externalTrafficPolicy }}
   externalTrafficPolicy: {{ .Values.service.ssh.externalTrafficPolicy }}
   {{- end }}

templates/gitea/statefulset.yaml

@@ -2,6 +2,10 @@ apiVersion: apps/v1
 kind: StatefulSet
 metadata:
   name: {{ include "gitea.fullname" . }}
+  annotations:
+    {{- if .Values.statefulset.annotations }}
+    {{- toYaml .Values.statefulset.annotations | nindent 4 }}
+    {{- end }}
   labels:
     {{- include "gitea.labels" . | nindent 4 }}
 spec:
@@ -35,15 +39,13 @@ spec:
       {{- if .Values.schedulerName }}
       schedulerName: "{{ .Values.schedulerName }}"
       {{- end }}
-      {{- with .Values.imagePullSecrets }}
+      {{- include "gitea.images.pullSecrets" . | nindent 6 }}
-      imagePullSecrets:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
       securityContext:
         {{- toYaml .Values.podSecurityContext | nindent 8 }}
       initContainers:
         - name: init-directories
           image: "{{ include "gitea.image" . }}"
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
           command: ["/usr/sbin/init_directory_structure.sh"]
           env:
             - name: GITEA_APP_INI
@@ -57,6 +59,10 @@ spec:
             {{- if .Values.statefulset.env }}
             {{- toYaml .Values.statefulset.env | nindent 12 }}
             {{- end }}
+            {{- if .Values.signing.enabled }}
+            - name: GNUPGHOME
+              value: {{ .Values.signing.gpgHome }}
+            {{- end }}
           volumeMounts:
             - name: init
               mountPath: /usr/sbin
@@ -67,13 +73,12 @@ spec:
               {{- if .Values.persistence.subPath }}
               subPath: {{ .Values.persistence.subPath }}
               {{- end }}
-            {{- if .Values.extraVolumeMounts }}
+            {{- include "gitea.init-additional-mounts" . | nindent 12 }}
-            {{- toYaml .Values.extraVolumeMounts | nindent 12 }}
-            {{- end }}
           securityContext:
             {{- toYaml .Values.containerSecurityContext | nindent 12 }}
         - name: init-app-ini
           image: "{{ include "gitea.image" . }}"
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
           command: ["/usr/sbin/config_environment.sh"]
           env:
             - name: GITEA_APP_INI
@@ -106,14 +111,43 @@ spec:
             - name: additional-config-sources-{{ $idx }}
               mountPath: "/env-to-ini-mounts/additionals/{{ $idx }}/"
             {{- end }}
+            {{- include "gitea.init-additional-mounts" . | nindent 12 }}
+          securityContext:
+            {{- toYaml .Values.containerSecurityContext | nindent 12 }}
+        {{- if .Values.signing.enabled }}
+        - name: configure-gpg
+          image: "{{ include "gitea.image" . }}"
+          command: ["/usr/sbin/configure_gpg_environment.sh"]
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          securityContext:
+            {{- /* By default this container runs as user 1000 unless otherwise stated */ -}}
+            {{- $csc := deepCopy .Values.containerSecurityContext -}}
+            {{- if not (hasKey $csc "runAsUser") -}}
+            {{- $_ := set $csc "runAsUser" 1000 -}}
+            {{- end -}}
+            {{- toYaml $csc | nindent 12 }}
+          env:
+            - name: GNUPGHOME
+              value: {{ .Values.signing.gpgHome }}
+          volumeMounts:
+            - name: init
+              mountPath: /usr/sbin
+            - name: data
+              mountPath: /data
+              {{- if .Values.persistence.subPath }}
+              subPath: {{ .Values.persistence.subPath }}
+              {{- end }}
+            - name: gpg-private-key
+              mountPath: /raw
+              readOnly: true
             {{- if .Values.extraVolumeMounts }}
             {{- toYaml .Values.extraVolumeMounts | nindent 12 }}
             {{- end }}
-          securityContext:
+        {{- end }}
-            {{- toYaml .Values.containerSecurityContext | nindent 12 }}
         - name: configure-gitea
           image: "{{ include "gitea.image" . }}"
           command: ["/usr/sbin/configure_gitea.sh"]
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
           securityContext:
             {{- /* By default this container runs as user 1000 unless otherwise stated */ -}}
             {{- $csc := deepCopy .Values.containerSecurityContext -}}
@@ -197,9 +231,7 @@ spec:
               {{- if .Values.persistence.subPath }}
               subPath: {{ .Values.persistence.subPath }}
               {{- end }}
-            {{- if .Values.extraVolumeMounts }}
+            {{- include "gitea.init-additional-mounts" . | nindent 12 }}
-            {{- toYaml .Values.extraVolumeMounts | nindent 12 }}
-            {{- end }}
       terminationGracePeriodSeconds: {{ .Values.statefulset.terminationGracePeriodSeconds }}
       containers:
         - name: {{ .Chart.Name }}
@@ -211,6 +243,10 @@ spec:
               value: {{ .Values.gitea.config.server.SSH_LISTEN_PORT | quote }}
             - name: SSH_PORT
               value: {{ .Values.gitea.config.server.SSH_PORT | quote }}
+            {{- if not .Values.image.rootless }}
+            - name: SSH_LOG_LEVEL
+              value: {{ .Values.gitea.ssh.logLevel | quote }}
+            {{- end }}
             - name: GITEA_APP_INI
               value: /data/gitea/conf/app.ini
             - name: GITEA_CUSTOM
@@ -240,17 +276,17 @@ spec:
             - name: profiler
               containerPort: 6060
             {{- end }}
-          {{- if .Values.gitea.livenessProbe }}
+          {{- if .Values.gitea.livenessProbe.enabled }}
           livenessProbe:
-            {{- toYaml .Values.gitea.livenessProbe | nindent 12 }}
+            {{- toYaml (omit .Values.gitea.livenessProbe "enabled") | nindent 12 }}
           {{- end }}
-          {{- if .Values.gitea.readinessProbe }}
+          {{- if .Values.gitea.readinessProbe.enabled }}
           readinessProbe:
-            {{- toYaml .Values.gitea.readinessProbe | nindent 12 }}
+            {{- toYaml (omit .Values.gitea.readinessProbe "enabled") | nindent 12 }}
           {{- end }}
-          {{- if .Values.gitea.startupProbe }}
+          {{- if .Values.gitea.startupProbe.enabled }}
           startupProbe:
-            {{- toYaml .Values.gitea.startupProbe | nindent 12 }}
+            {{- toYaml (omit .Values.gitea.startupProbe "enabled") | nindent 12 }}
           {{- end }}
           resources:
             {{- toYaml .Values.resources | nindent 12 }}
@@ -269,9 +305,11 @@ spec:
               {{- if .Values.persistence.subPath }}
               subPath: {{ .Values.persistence.subPath }}
               {{- end }}
-            {{- if .Values.extraVolumeMounts }}
+            {{- include "gitea.container-additional-mounts" . | nindent 12 }}
-            {{- toYaml .Values.extraVolumeMounts | nindent 12 }}
+      {{- with .Values.global.hostAliases }}
-            {{- end }}
+      hostAliases:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
       {{- with .Values.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}
@@ -283,6 +321,10 @@ spec:
     {{- with .Values.tolerations }}
       tolerations:
         {{- toYaml . | nindent 8 }}
+    {{- end }}
+    {{- if .Values.dnsConfig }}
+      dnsConfig:
+        {{- toYaml .Values.dnsConfig | nindent 8 }}
     {{- end }}
       volumes:
         - name: init
@@ -293,7 +335,7 @@ spec:
           secret:
             secretName: {{ include "gitea.fullname" . }}
             defaultMode: 110
-        {{- if .Values.extraVolumes }}
+        {{- if gt (len .Values.extraVolumes) 0 }}
         {{- toYaml .Values.extraVolumes | nindent 8 }}
         {{- end }}
         - name: inline-config-sources
@@ -305,6 +347,15 @@ spec:
         {{- end }}
         - name: temp
           emptyDir: {}
+        {{- if .Values.signing.enabled }}
+        - name: gpg-private-key
+          secret:
+            secretName: {{ include "gitea.gpg-key-secret-name" . }}
+            items:
+              - key: privateKey
+                path: private.asc
+            defaultMode: 0100
+        {{- end }}
   {{- if and .Values.persistence.enabled .Values.persistence.existingClaim }}
         - name: data
           persistentVolumeClaim:
@@ -335,9 +386,7 @@ spec:
           {{- range .Values.persistence.accessModes }}
             - {{ . | quote }}
           {{- end }}
-        {{- if .Values.persistence.storageClass }}
+        {{- include "gitea.persistence.storageClass" . | indent 8 }}
-        storageClassName: {{ .Values.persistence.storageClass | quote }}
-        {{- end }}
         resources:
           requests:
             storage: {{ .Values.persistence.size | quote }}

templates/tests/test-http-connection.yaml

@@ -1,3 +1,4 @@
+{{- if .Values.test.enabled }}
 apiVersion: v1
 kind: Pod
 metadata:
@@ -9,7 +10,8 @@ metadata:
 spec:
   containers:
     - name: wget
-      image: busybox
+      image: "{{ .Values.test.image.name }}:{{ .Values.test.image.tag }}"
       command: ['wget']
       args:  ['{{ include "gitea.fullname" . }}-http:{{ .Values.service.http.port }}']
   restartPolicy: Never
+{{- end }}

unittests/gpg-secret/signing-disabled.yaml

@@ -0,0 +1,13 @@
+suite: GPG secret template (signing disabled)
+release:
+  name: gitea-unittests
+  namespace: testing
+templates:
+  - templates/gitea/gpg-secret.yaml
+tests:
+  - it: renders nothing
+    set:
+      signing.enabled: false
+    asserts:
+      - hasDocuments:
+          count: 0

unittests/gpg-secret/signing-enabled.yaml

@@ -0,0 +1,40 @@
+suite: GPG secret template (signing enabled)
+release:
+  name: gitea-unittests
+  namespace: testing
+templates:
+  - templates/gitea/gpg-secret.yaml
+tests:
+  - it: fails rendering when nothing is configured
+    set:
+      signing:
+        enabled: true
+    asserts:
+      - failedTemplate:
+          errorMessage: Either specify `signing.privateKey` or `signing.existingSecret`
+  - it: skips rendering using external secret reference
+    set:
+      signing:
+        enabled: true
+        existingSecret: "external-secret-reference"
+    asserts:
+      - hasDocuments:
+          count: 0
+  - it: renders secret specification using inline gpg key
+    set:
+      signing:
+        enabled: true
+        privateKey: "gpg-key-placeholder"
+    asserts:
+      - hasDocuments:
+          count: 1
+      - documentIndex: 0
+        containsDocument:
+          kind: Secret
+          apiVersion: v1
+          name: gitea-unittests-gpg-key
+      - isNotEmpty:
+          path: metadata.labels
+      - equal:
+          path: data.privateKey
+          value: "Z3BnLWtleS1wbGFjZWhvbGRlcg=="

unittests/init/basic.yaml

@@ -0,0 +1,15 @@
+suite: Init template (basic)
+release:
+  name: gitea-unittests
+  namespace: testing
+templates:
+  - templates/gitea/init.yaml
+tests:
+  - it: renders a secret
+    asserts:
+      - hasDocuments:
+          count: 1
+      - containsDocument:
+          kind: Secret  
+          apiVersion: v1
+          name: gitea-unittests-init

unittests/init/init_directory_structure.sh.yaml

@@ -0,0 +1,64 @@
+suite: Init template
+release:
+  name: gitea-unittests
+  namespace: testing
+templates:
+  - templates/gitea/init.yaml
+tests:
+  - it: runs gpg in batch mode
+    set:
+      signing.enabled: true
+    asserts:
+      - equal:
+          path: stringData["configure_gpg_environment.sh"]
+          value: |-
+            #!/usr/bin/env bash
+            set -eu
+
+            gpg --batch --import /raw/private.asc
+  - it: skips gpg script block for disabled signing
+    asserts:
+      - equal:
+          path: stringData["init_directory_structure.sh"]
+          value: |-
+            #!/usr/bin/env bash
+
+            set -euo pipefail
+
+            set -x
+            chown 1000:1000 /data
+            mkdir -p /data/git/.ssh
+            chmod -R 700 /data/git/.ssh
+            [ ! -d /data/gitea/conf ] && mkdir -p /data/gitea/conf
+
+            # prepare temp directory structure
+            mkdir -p "${GITEA_TEMP}"
+            chown 1000:1000 "${GITEA_TEMP}"
+            chmod ug+rwx "${GITEA_TEMP}"
+  - it: adds gpg script block for enabled signing
+    set:
+      signing.enabled: true
+    asserts:
+      - equal:
+          path: stringData["init_directory_structure.sh"]
+          value: |-
+            #!/usr/bin/env bash
+
+            set -euo pipefail
+
+            set -x
+            chown 1000:1000 /data
+            mkdir -p /data/git/.ssh
+            chmod -R 700 /data/git/.ssh
+            [ ! -d /data/gitea/conf ] && mkdir -p /data/gitea/conf
+
+            # prepare temp directory structure
+            mkdir -p "${GITEA_TEMP}"
+            chown 1000:1000 "${GITEA_TEMP}"
+            chmod ug+rwx "${GITEA_TEMP}"
+
+            if [ ! -d "${GNUPGHOME}" ]; then
+              mkdir -p "${GNUPGHOME}"
+              chmod 700 "${GNUPGHOME}"
+              chown 1000:1000 "${GNUPGHOME}"
+            fi

unittests/statefulset/basic.yaml

@@ -0,0 +1,17 @@
+suite: Statefulset template (basic)
+release:
+  name: gitea-unittests
+  namespace: testing
+templates:
+  - templates/gitea/statefulset.yaml
+  - templates/gitea/config.yaml
+tests:
+  - it: renders a statefulset
+    template: templates/gitea/statefulset.yaml
+    asserts:
+      - hasDocuments:
+          count: 1
+      - containsDocument:
+          kind: StatefulSet  
+          apiVersion: apps/v1
+          name: gitea-unittests

unittests/statefulset/signing-disabled.yaml

@@ -0,0 +1,40 @@
+suite: Statefulset template (signing disabled)
+release:
+  name: gitea-unittests
+  namespace: testing
+templates:
+  - templates/gitea/statefulset.yaml
+  - templates/gitea/config.yaml
+tests:
+  - it: skips gpg init container
+    template: templates/gitea/statefulset.yaml
+    asserts:
+      - notContains:
+          path: spec.template.spec.initContainers
+          any: true
+          content:
+            name: configure-gpg
+  - it: skips gpg env in `init-directories` init container
+    template: templates/gitea/statefulset.yaml
+    set:
+      signing.enabled: true
+    asserts:
+      - contains:
+          path: spec.template.spec.initContainers[0].env
+          content:
+            name: GNUPGHOME
+            value: /data/git/.gnupg
+  - it: skips gpg env in runtime container
+    template: templates/gitea/statefulset.yaml
+    asserts:
+      - notContains:
+          path: spec.template.spec.containers[0].env
+          content:
+            name: GNUPGHOME
+  - it: skips gpg volume spec
+    template: templates/gitea/statefulset.yaml
+    asserts:
+      - notContains:
+          path: spec.template.spec.volumes
+          content:
+            name: gpg-private-key

unittests/statefulset/signing-enabled.yaml

@@ -0,0 +1,93 @@
+suite: Statefulset template (signing enabled)
+release:
+  name: gitea-unittests
+  namespace: testing
+templates:
+  - templates/gitea/statefulset.yaml
+  - templates/gitea/config.yaml
+tests:
+  - it: adds gpg init container
+    template: templates/gitea/statefulset.yaml
+    set:
+      signing:
+        enabled: true
+        existingSecret: "custom-gpg-secret"
+    asserts:
+      - equal:
+          path: spec.template.spec.initContainers[2].name
+          value: configure-gpg
+      - equal:
+          path: spec.template.spec.initContainers[2].command
+          value: ["/usr/sbin/configure_gpg_environment.sh"]
+      - equal:
+          path: spec.template.spec.initContainers[2].securityContext
+          value:
+            runAsUser: 1000
+      - equal:
+          path: spec.template.spec.initContainers[2].env
+          value:
+            - name: GNUPGHOME
+              value: /data/git/.gnupg
+      - equal:
+          path: spec.template.spec.initContainers[2].volumeMounts
+          value:
+            - name: init
+              mountPath: /usr/sbin
+            - name: data
+              mountPath: /data
+            - name: gpg-private-key
+              mountPath: /raw
+              readOnly: true
+  - it: adds gpg env in `init-directories` init container
+    template: templates/gitea/statefulset.yaml
+    set:
+      signing.enabled: true
+    asserts:
+      - contains:
+          path: spec.template.spec.initContainers[0].env
+          content:
+            name: GNUPGHOME
+            value: /data/git/.gnupg
+  - it: adds gpg env in runtime container
+    template: templates/gitea/statefulset.yaml
+    set:
+      signing.enabled: true
+    asserts:
+      - contains:
+          path: spec.template.spec.containers[0].env
+          content:
+            name: GNUPGHOME
+            value: /data/git/.gnupg
+  - it: adds gpg volume spec
+    template: templates/gitea/statefulset.yaml
+    set:
+      signing:
+        enabled: true
+    asserts:
+      - contains:
+          path: spec.template.spec.volumes
+          content:
+            name: gpg-private-key
+            secret:
+              secretName: gitea-unittests-gpg-key
+              items:
+                - key: privateKey
+                  path: private.asc
+              defaultMode: 0100
+  - it: supports gpg volume spec with external reference
+    template: templates/gitea/statefulset.yaml
+    set:
+      signing:
+        enabled: true
+        existingSecret: custom-gpg-secret
+    asserts:
+      - contains:
+          path: spec.template.spec.volumes
+          content:
+            name: gpg-private-key
+            secret:
+              secretName: custom-gpg-secret
+              items:
+                - key: privateKey
+                  path: private.asc
+              defaultMode: 0100