bump to 1.19.3 (#443 )

Reviewed-on: https://gitea.com/gitea/helm-chart/pulls/443 Reviewed-by: techknowlogick <techknowlogick@noreply.gitea.io> Co-authored-by: pat-s <patrick.schratz@gmail.com> Co-committed-by: pat-s <patrick.schratz@gmail.com>
add extraDeploy to add arbitrary objects to the release (#441 )
2023-05-04 09:45:36 +08:00 · 2023-05-02 21:32:54 +08:00 · 2023-04-30 11:05:33 +08:00 · 2023-04-19 23:01:03 +08:00 · 2023-04-15 04:21:00 +08:00 · 2023-04-14 21:06:43 +08:00
37 changed files with 2442 additions and 774 deletions
--- a/.drone.yml
+++ b/.drone.yml
@ -1,85 +0,0 @@
---
-kind: pipeline
-type: docker
-name: lint
-
-platform:
-  os: linux
-  arch: arm64
-
-steps:
- name: helm lint
-  pull: always
-  image: alpine:3.13
-  commands:
-  - apk add --no-cache -X http://dl-cdn.alpinelinux.org/alpine/edge/testing helm
-  - helm lint
-
- name: helm template
-  pull: always
-  image: alpine:3.13
-  commands:
-  - apk add --no-cache -X http://dl-cdn.alpinelinux.org/alpine/edge/testing helm
-  - helm dependency update
-  - helm template --debug gitea-helm .
-
- name: markdown lint
-  pull: always
-  image: docker.io/volkerraschek/markdownlint:latest
-  commands:
-  - markdownlint *.md
-
- name: discord
-  pull: always
-  image: appleboy/drone-discord:1.2.4
-  environment:
-    DISCORD_WEBHOOK_ID:
-      from_secret: discord_webhook_id
-    DISCORD_WEBHOOK_TOKEN:
-      from_secret: discord_webhook_token
-  when:
-    status:
-    - changed
-    - failure
-
---
-kind: pipeline
-type: docker
-name: release-version
-
-platform:
-  os: linux
-  arch: arm64
-
-trigger:
-  event:
-  - tag
-
-steps:
- name: generate-chart
-  pull: always
-  image: alpine:3.13
-  commands:
-    - apk add --no-cache -X http://dl-cdn.alpinelinux.org/alpine/edge/testing helm
-    - apk add --no-cache curl
-    - helm dependency update
-    - helm package --version "${DRONE_TAG##v}" ./
-    - mkdir gitea
-    - mv gitea*.tgz gitea/
-    - curl -L -o gitea/index.yaml https://dl.gitea.io/charts/index.yaml
-    - helm repo index gitea/ --url https://dl.gitea.io/charts --merge gitea/index.yaml
-
- name: upload-chart
-  pull: always
-  image: plugins/s3:latest
-  settings:
-    bucket: gitea-artifacts
-    endpoint: https://storage.gitea.io
-    path_style: true
-    access_key:
-      from_secret: aws_access_key_id
-    secret_key:
-      from_secret: aws_secret_access_key
-    source: gitea/*
-    target: /charts
-    strip_prefix: gitea/
--- a/.editorconfig
+++ b/.editorconfig
@ -0,0 +1,12 @@
+# EditorConfig is awesome: https://EditorConfig.org
+
+# top-most EditorConfig file
+root = true
+
+[*]
+indent_style = space
+indent_size = 2
+end_of_line = lf
+charset = utf-8
+trim_trailing_whitespace = false
+insert_final_newline = false
--- a/.gitea/PULL_REQUEST_TEMPLATE.md
+++ b/.gitea/PULL_REQUEST_TEMPLATE.md
@ -0,0 +1,41 @@
+<!--
+ Before you open the request please review the following guidelines and tips to help it be more easily integrated:
+
+ - Describe the scope of your change - i.e. what the change does.
+ - Describe any known limitations with your change.
+ - Please run any tests or examples that can exercise your modified code.
+
+ Thank you for contributing! We will try to review, test and integrate the change as soon as we can.
+ -->
+
+### Description of the change
+
+<!-- Describe the scope of your change - i.e. what the change does. -->
+
+### Benefits
+
+<!-- What benefits will be realized by the code change? -->
+
+### Possible drawbacks
+
+<!-- Describe any known limitations with your change -->
+
+### Applicable issues
+
+<!-- Enter any applicable Issues here (You can reference an issue using #). Please remove this section if there is no referenced issue. -->
+  - fixes #
+
+### Additional information
+
+<!-- If there's anything else that's important and relevant to your pull request, mention that information here. Please remove this section if it remains empty. -->
+
+### ⚠ BREAKING
+
+<!-- If there's a breaking change, please shortly describe in which way users are affected and how they can mitigate it. If there are no breakings, please remove this section. -->
+
+### Checklist
+
+<!-- [Place an '[X]' (no spaces) in all applicable fields. Please remove unrelated fields.] -->
+
+- [ ] Parameters are documented in the `values.yaml` and added to the `README.md` using [readme-generator-for-helm](https://github.com/bitnami-labs/readme-generator-for-helm)
+- [ ] Breaking changes are documented in the `README.md`
--- a/.gitea/workflows/release-version.yml
+++ b/.gitea/workflows/release-version.yml
@ -0,0 +1,42 @@
+name: generate-chart
+
+on:
+  push:
+    tags:
+      - "*"
+
+jobs:
+  generate-chart-publish:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - name: install tools
+        run: |
+          apt update -y
+          apt install -y curl
+          curl https://baltocdn.com/helm/signing.asc | gpg --dearmor | tee /usr/share/keyrings/helm.gpg > /dev/null
+          echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/helm.gpg] https://baltocdn.com/helm/stable/debian/ all main" | tee /etc/apt/sources.list.d/helm-stable-debian.list
+          apt update -y
+          apt install -y python helm python3-pip apt-transport-https
+          pip install awscli
+      - name: package chart
+        run: |
+          helm dependency update
+          helm package --version "${GITHUB_REF#refs/tags/v}" ./
+          mkdir gitea
+          mv gitea*.tgz gitea/
+          curl -L -o gitea/index.yaml https://dl.gitea.com/charts/index.yaml
+          helm repo index gitea/ --url https://dl.gitea.io/charts --merge gitea/index.yaml
+      - name: aws credential configure
+        uses: https://github.com/aws-actions/configure-aws-credentials@v2
+        with:
+          aws-access-key-id: ${{ secrets.AWS_KEY_ID }}
+          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          aws-region: ${{ secrets.AWS_REGION }}
+      - name: install aws cli
+        run: |
+          apt update -y &&
+          pip install awscli
+      - name: Copy files to S3 and clear cache
+        run: |
+          aws s3 sync gitea/ s3://${{ secrets.AWS_S3_BUCKET}}/charts/
--- a/.gitea/workflows/test-pr.yml
+++ b/.gitea/workflows/test-pr.yml
@ -0,0 +1,36 @@
+name: check-and-test
+
+on:
+  - pull_request
+
+jobs:
+  check-and-test:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - name: install tools
+        run: |
+          apt update -y
+          apt install -y curl make
+          curl https://baltocdn.com/helm/signing.asc | gpg --dearmor | tee /usr/share/keyrings/helm.gpg > /dev/null
+          echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/helm.gpg] https://baltocdn.com/helm/stable/debian/ all main" | tee /etc/apt/sources.list.d/helm-stable-debian.list
+          apt update -y
+          apt install -y helm python3-pip
+          pip install yamllint
+      - name: dependency update
+        run: helm dependency update
+      - name: lint
+        run: helm lint
+      - name: template
+        run: |
+          helm template --debug gitea-helm .
+      - name: unit tests
+        run: |
+          helm plugin install --version 0.3.1 https://github.com/helm-unittest/helm-unittest
+          make unittests
+      - name: verify readme
+        run: |
+          make readme
+          git diff --exit-code --name-only README.md
+      - name: yaml lint
+        uses: https://github.com/ibiqlik/action-yamllint@v3
--- a/.gitignore
+++ b/.gitignore
@ -1,3 +1,4 @@
-charts
-Chart.lock
+charts/
+node_modules/
 .DS_Store
+unittests/*/__snapshot__/
--- a/.helmignore
+++ b/.helmignore
@ -20,5 +20,14 @@
 .idea/
 *.tmproj
 .vscode/
-#charts/
-#Chart.lock
+node_modules/
+.npmrc
+package.json
+package-lock.json
+.gitea/
+Makefile
+.markdownlintignore
+.markdownlint.yaml
+.drone.yml
+CONTRIBUTING.md
+unittests/
--- a/.markdownlint.yaml
+++ b/.markdownlint.yaml
@ -45,7 +45,7 @@ MD012:
 # MD013/line-length - Line length
 MD013:
  # Number of characters
-  line_length: 80
+  line_length: 200
  # Number of characters for headings
  heading_line_length: 80
  # Number of characters for code blocks
@ -129,14 +129,12 @@ MD041:
 MD044:
  # List of proper names
  names:
-  - Gitea
-  - PostgreSQL
-  - MariaDB
-  - MySQL
-  - Memcached
-  - Prometheus
-  - Git
-  - GitOps
+    - Gitea
+    - PostgreSQL
+    - Memcached
+    - Prometheus
+    - Git
+    - GitOps
  # Include code blocks
  code_blocks: false

--- a/.markdownlintignore
+++ b/.markdownlintignore
@ -0,0 +1,4 @@
+.gitea/
+node_modules/
+charts/
+Chart.lock
--- a/.npmrc
+++ b/.npmrc
@ -0,0 +1 @@
+engine-strict=true
--- a/.prettierignore
+++ b/.prettierignore
@ -0,0 +1 @@
+Chart.lock
--- a/.yamllint
+++ b/.yamllint
@ -0,0 +1,20 @@
+---
+extends: default
+
+ignore: |
+  .yamllint
+  node_modules
+  templates
+
+
+rules:
+  truthy:
+    allowed-values: ['true', 'false']
+    check-keys: False
+    level: error
+  line-length: disable
+  document-start: disable
+  comments:
+    min-spaces-from-content: 1
+  braces:
+    max-spaces-inside: 2
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@ -0,0 +1,63 @@
+# Contribution Guidelines
+
+Any type of contribution is welcome; from new features, bug fixes, tests,
+refactorings for easier maintainability or documentation improvements.
+
+## Development environment
+
+- [`node`](https://nodejs.org/en/) at least current LTS
+- [`helm`](https://helm.sh/docs/intro/install/)
+- `make` is optional; you may call the commands directly
+
+When using Visual Studio Code as IDE, following plugins might be useful:
+
+- [Markdown All in One](https://marketplace.visualstudio.com/items?itemName=yzhang.markdown-all-in-one)
+- [markdownlint](https://marketplace.visualstudio.com/items?itemName=DavidAnson.vscode-markdownlint)
+- [Helm Intellisense](https://marketplace.visualstudio.com/items?itemName=Tim-Koehler.helm-intellisense)
+- [Prettier - Code formatter](https://marketplace.visualstudio.com/items?itemName=esbenp.prettier-vscode)
+
+## Documentation Requirements
+
+The `README.md` must include all configuration options. The parameters section
+is generated by extracting the parameter annotations from the `values.yaml` file,
+by using [this tool](https://github.com/bitnami-labs/readme-generator-for-helm).
+
+If changes were made on configuration options, run `make readme` to update the
+README file.
+
+## Pull Request Requirements
+
+When submitting or updating a PR:
+
+- make sure it passes CI builds.
+- do not make independent changes in one PR.
+- try to avoid rebases. They make code reviews for large PRs and comments much harder.
+- if applicable, use the PR template for a well-defined PR description.
+- clearly mark breaking changes.
+
+## Local development & testing
+
+For local development and testing of pull requests, the following workflow can
+be used:
+
+1. Install `minikube` and `helm`.
+2. Start a `minikube` cluster via `minikube start`.
+3. From the `gitea/helm-chart` directory execute the following command. This
+   will install the dependencies listed in `Chart.yml` and deploy the current
+   state of the helm chart found locally. If you want to test a branch, make
+   sure to switch to the respective branch first.
+  `helm install --dependency-update gitea . -f values.yaml`.
+4. Gitea is now deployed in `minikube`. To access it, it's port needs to be
+   forwarded first from `minikube` to localhost first via `kubectl --namespace
+   default port-forward svc/gitea-http 3000:3000`. Now Gitea is accessible at
+   [http://localhost:3000](http://localhost:3000).
+
+### Unit tests
+
+```bash
+# install the unittest plugin
+$ helm plugin install https://github.com/helm-unittest/helm-unittest
+
+# run the unittests
+make unittests
+```
--- a/Chart.lock
+++ b/Chart.lock
@ -0,0 +1,9 @@
+dependencies:
+- name: memcached
+  repository: oci://registry-1.docker.io/bitnamicharts
+  version: 6.3.14
+- name: postgresql
+  repository: oci://registry-1.docker.io/bitnamicharts
+  version: 12.4.1
+digest: sha256:02d4846bf416038a42658dbca8f8001d0e3ce967b00e990048f8d420065c33fd
+generated: "2023-04-28T09:32:05.295167+02:00"
--- a/Chart.yaml
+++ b/Chart.yaml
@ -3,7 +3,7 @@ name: gitea
 description: Gitea Helm chart for Kubernetes
 type: application
 version: 0.0.0
-appVersion: 1.15.8
+appVersion: 1.19.3
 icon: https://docs.gitea.io/images/gitea.png

 keywords:
@ -28,21 +28,19 @@ maintainers:
    email: lucas.hahn@novum-rgi.de
  - name: Steven Kriegler
    email: sk.bunsenbrenner@gmail.com
+  - name: Patrick Schratz
+    email: patrick.schratz@gmail.com

+# Bitnami charts are served from GitHub CDN - See https://github.com/bitnami/charts/issues/10539 for details
 dependencies:
- name: memcached
-  repository: https://charts.bitnami.com/bitnami
-  version: 5.9.0
-  condition: memcached.enabled
- name: mysql
-  repository: https://charts.bitnami.com/bitnami
-  version: 6.14.10
-  condition: mysql.enabled
- name: postgresql
-  repository: https://charts.bitnami.com/bitnami
-  version: 10.3.17
-  condition: postgresql.enabled
- name: mariadb
-  repository: https://charts.bitnami.com/bitnami
-  version: 9.3.6
-  condition: mariadb.enabled
+  # OCI registry: https://blog.bitnami.com/2023/01/bitnami-helm-charts-available-as-oci.html (2023-01)
+  # Chart release date: 2023-04
+  - name: memcached
+    repository: oci://registry-1.docker.io/bitnamicharts
+    version: 6.3.14
+    condition: memcached.enabled
+  # Chart release date: 2023-04
+  - name: postgresql
+    repository: oci://registry-1.docker.io/bitnamicharts
+    version: 12.4.1
+    condition: postgresql.enabled
--- a/12
+++ b/12
@ -0,0 +1,12 @@
+.PHONY: prepare-environment
+prepare-environment:
+	npm install
+
+.PHONY: readme
+readme: prepare-environment
+	npm run readme:parameters
+	npm run readme:lint
+
+.PHONY: unittests
+unittests:
+	helm unittest --strict -f 'unittests/**/*.yaml' ./
--- a/README.md
+++ b/README.md
--- a/package-lock.json
+++ b/package-lock.json
--- a/package.json
+++ b/package.json
@ -0,0 +1,19 @@
+{
+  "name": "gitea-helm-chart",
+  "homepage": "https://gitea.com/gitea/helm-chart.git",
+  "license": "MIT",
+  "private": true,
+  "engineStrict": true,
+  "engines": {
+    "node": ">=16.0.0",
+    "npm": ">=8.0.0"
+  },
+  "scripts": {
+    "readme:lint": "markdownlint *.md -f",
+    "readme:parameters": "readme-generator -v values.yaml -r README.md"
+  },
+  "devDependencies": {
+    "@bitnami/readme-generator-for-helm": "^2.4.2",
+    "markdownlint-cli": "^0.31.1"
+  }
+}
--- a/templates/_helpers.tpl
+++ b/templates/_helpers.tpl
@ -35,10 +35,40 @@ Create chart name and version as used by the chart label.
 Create image name and tag used by the deployment.
 */}}
 {{- define "gitea.image" -}}
+{{- $registry := .Values.global.imageRegistry | default .Values.image.registry -}}
 {{- $name := .Values.image.repository -}}
-{{- $tag := ternary .Values.image.version .Values.image.tag (hasKey .Values.image "version") -}}
+{{- $tag := .Values.image.tag | default .Chart.AppVersion -}}
 {{- $rootless := ternary "-rootless" "" (.Values.image.rootless) -}}
-{{- printf "%s:%s%s" $name $tag $rootless -}}
+{{- if $registry -}}
+  {{- printf "%s/%s:%s%s" $registry $name $tag $rootless -}}
+{{- else -}}
+  {{- printf "%s:%s%s" $name $tag $rootless -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Docker Image Registry Secret Names evaluating values as templates
+*/}}
+{{- define "gitea.images.pullSecrets" -}}
+{{- $pullSecrets := .Values.imagePullSecrets -}}
+{{- range .Values.global.imagePullSecrets -}}
+    {{- $pullSecrets = append $pullSecrets (dict "name" .) -}}
+{{- end -}}
+{{- if (not (empty $pullSecrets)) }}
+imagePullSecrets:
+{{ toYaml $pullSecrets }}
+{{- end }}
+{{- end -}}
+
+
+{{/*
+Storage Class
+*/}}
+{{- define "gitea.persistence.storageClass" -}}
+{{- $storageClass := .Values.global.storageClass | default .Values.persistence.storageClass }}
+{{- if $storageClass }}
+storageClassName: {{ $storageClass | quote }}
+{{- end }}
 {{- end -}}

 {{/*
@ -48,10 +78,8 @@ Common labels
 helm.sh/chart: {{ include "gitea.chart" . }}
 app: {{ include "gitea.name" . }}
 {{ include "gitea.selectorLabels" . }}
-{{- if .Chart.AppVersion }}
-app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
-version: {{ .Chart.AppVersion | quote }}
-{{- end }}
+app.kubernetes.io/version: {{ .Values.image.tag | default .Chart.AppVersion | quote }}
+version: {{ .Values.image.tag | default .Chart.AppVersion | quote }}
 app.kubernetes.io/managed-by: {{ .Release.Service }}
 {{- end -}}

@ -63,44 +91,12 @@ app.kubernetes.io/name: {{ include "gitea.name" . }}
 app.kubernetes.io/instance: {{ .Release.Name }}
 {{- end -}}

-{{- define "db.servicename" -}}
-{{- if .Values.postgresql.enabled -}}
-{{- printf "%s-postgresql" .Release.Name -}}
-{{- else if .Values.mysql.enabled -}}
-{{- printf "%s-mysql" .Release.Name -}}
-{{- else if .Values.mariadb.enabled -}}
-{{- printf "%s-mariadb" .Release.Name -}}
-{{- else if ne .Values.gitea.config.database.DB_TYPE "sqlite3" -}}
-{{- $parts := split ":" .Values.gitea.config.database.HOST -}}
-{{- printf "%s %s" $parts._0 $parts._1 -}}
-{{- end -}}
-{{- end -}}
-
-{{- define "db.port" -}}
-{{- if .Values.postgresql.enabled -}}
-{{ .Values.postgresql.global.postgresql.servicePort }}
-{{- else if .Values.mysql.enabled -}}
-{{ .Values.mysql.service.port }}
-{{- else if .Values.mariadb.enabled -}}
-{{ .Values.mariadb.primary.service.port }}
-{{- else -}}
-{{- end -}}
-{{- end -}}
-
 {{- define "postgresql.dns" -}}
-{{- printf "%s-postgresql.%s.svc.%s:%g" .Release.Name .Release.Namespace .Values.clusterDomain .Values.postgresql.global.postgresql.servicePort -}}
-{{- end -}}
-
-{{- define "mysql.dns" -}}
-{{- printf "%s-mysql.%s.svc.%s:%g" .Release.Name .Release.Namespace .Values.clusterDomain .Values.mysql.service.port | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-
-{{- define "mariadb.dns" -}}
-{{- printf "%s-mariadb.%s.svc.%s:%g" .Release.Name .Release.Namespace .Values.clusterDomain .Values.mariadb.primary.service.port | trunc 63 | trimSuffix "-" -}}
+{{- printf "%s-postgresql.%s.svc.%s:%g" .Release.Name .Release.Namespace .Values.clusterDomain .Values.postgresql.global.postgresql.service.ports.postgresql -}}
 {{- end -}}

 {{- define "memcached.dns" -}}
-{{- printf "%s-memcached.%s.svc.%s:%g" .Release.Name .Release.Namespace .Values.clusterDomain .Values.memcached.service.port | trunc 63 | trimSuffix "-" -}}
+{{- printf "%s-memcached.%s.svc.%s:%g" .Release.Name .Release.Namespace .Values.clusterDomain .Values.memcached.service.ports.memcached | trunc 63 | trimSuffix "-" -}}
 {{- end -}}

 {{- define "gitea.default_domain" -}}
@ -156,6 +152,14 @@ app.kubernetes.io/instance: {{ .Release.Name }}
 {{- end -}}
 {{- end -}}

+{{- define "gitea.public_protocol" -}}
+{{- if and .Values.ingress.enabled (gt (len .Values.ingress.tls) 0) -}}
+https
+{{- else -}}
+{{ .Values.gitea.config.server.PROTOCOL }}
+{{- end -}}
+{{- end -}}
+
 {{- define "gitea.inline_configuration" -}}
  {{- include "gitea.inline_configuration.init" . -}}
  {{- include "gitea.inline_configuration.defaults" . -}}
@ -246,15 +250,7 @@ app.kubernetes.io/instance: {{ .Release.Name }}
    {{- end -}}
  {{- end -}}
  {{- if not .Values.gitea.config.server.ROOT_URL -}}
-    {{- if .Values.ingress.enabled -}}
-      {{- if gt (len .Values.ingress.tls) 0 -}}
-        {{- $_ := set .Values.gitea.config.server "ROOT_URL" (printf "%s://%s" .Values.gitea.config.server.PROTOCOL (index (index .Values.ingress.tls 0).hosts 0)) -}}
-      {{- else -}}
-        {{- $_ := set .Values.gitea.config.server "ROOT_URL" (printf "%s://%s" .Values.gitea.config.server.PROTOCOL (index .Values.ingress.hosts 0).host) -}}
-      {{- end -}}
-    {{- else -}}
-      {{- $_ := set .Values.gitea.config.server "ROOT_URL" (printf "%s://%s" .Values.gitea.config.server.PROTOCOL .Values.gitea.config.server.DOMAIN) -}}
-    {{- end -}}
+    {{- $_ := set .Values.gitea.config.server "ROOT_URL" (printf "%s://%s" (include "gitea.public_protocol" .) .Values.gitea.config.server.DOMAIN) -}}
  {{- end -}}
  {{- if not .Values.gitea.config.server.SSH_DOMAIN -}}
    {{- $_ := set .Values.gitea.config.server "SSH_DOMAIN" .Values.gitea.config.server.DOMAIN -}}
@ -288,24 +284,30 @@ app.kubernetes.io/instance: {{ .Release.Name }}
    {{- if not (.Values.gitea.config.database.HOST) -}}
      {{- $_ := set .Values.gitea.config.database "HOST"      (include "postgresql.dns" .) -}}
    {{- end -}}
-    {{- $_ := set .Values.gitea.config.database "NAME"      .Values.postgresql.global.postgresql.postgresqlDatabase -}}
-    {{- $_ := set .Values.gitea.config.database "USER"      .Values.postgresql.global.postgresql.postgresqlUsername -}}
-    {{- $_ := set .Values.gitea.config.database "PASSWD"    .Values.postgresql.global.postgresql.postgresqlPassword -}}
-  {{- else if .Values.mysql.enabled -}}
-    {{- $_ := set .Values.gitea.config.database "DB_TYPE"   "mysql" -}}
-    {{- if not (.Values.gitea.config.database.HOST) -}}
-      {{- $_ := set .Values.gitea.config.database "HOST"      (include "mysql.dns" .) -}}
-    {{- end -}}
-    {{- $_ := set .Values.gitea.config.database "NAME"      .Values.mysql.db.name -}}
-    {{- $_ := set .Values.gitea.config.database "USER"      .Values.mysql.db.user -}}
-    {{- $_ := set .Values.gitea.config.database "PASSWD"    .Values.mysql.db.password -}}
-  {{- else if .Values.mariadb.enabled -}}
-    {{- $_ := set .Values.gitea.config.database "DB_TYPE"   "mysql" -}}
-    {{- if not (.Values.gitea.config.database.HOST) -}}
-      {{- $_ := set .Values.gitea.config.database "HOST"      (include "mariadb.dns" .) -}}
-    {{- end -}}
-    {{- $_ := set .Values.gitea.config.database "NAME"      .Values.mariadb.auth.database -}}
-    {{- $_ := set .Values.gitea.config.database "USER"      .Values.mariadb.auth.username -}}
-    {{- $_ := set .Values.gitea.config.database "PASSWD"    .Values.mariadb.auth.password -}}
+    {{- $_ := set .Values.gitea.config.database "NAME"      .Values.postgresql.global.postgresql.auth.database -}}
+    {{- $_ := set .Values.gitea.config.database "USER"      .Values.postgresql.global.postgresql.auth.username -}}
+    {{- $_ := set .Values.gitea.config.database "PASSWD"    .Values.postgresql.global.postgresql.auth.password -}}
  {{- end -}}
 {{- end -}}
+
+{{- define "gitea.init-additional-mounts" -}}
+  {{- /* Honor the deprecated extraVolumeMounts variable when defined */ -}}
+  {{- if gt (len .Values.extraInitVolumeMounts) 0 -}}
+    {{- toYaml .Values.extraInitVolumeMounts -}}
+  {{- else if gt (len .Values.extraVolumeMounts) 0 -}}
+    {{- toYaml .Values.extraVolumeMounts -}}
+  {{- end -}}
+{{- end -}}
+
+{{- define "gitea.container-additional-mounts" -}}
+  {{- /* Honor the deprecated extraVolumeMounts variable when defined */ -}}
+  {{- if gt (len .Values.extraContainerVolumeMounts) 0 -}}
+    {{- toYaml .Values.extraContainerVolumeMounts -}}
+  {{- else if gt (len .Values.extraVolumeMounts) 0 -}}
+    {{- toYaml .Values.extraVolumeMounts -}}
+  {{- end -}}
+{{- end -}}
+
+{{- define "gitea.gpg-key-secret-name" -}}
+{{ default (printf "%s-gpg-key" (include "gitea.fullname" .)) .Values.signing.existingSecret }}
+{{- end -}}
--- a/templates/gitea/config.yaml
+++ b/templates/gitea/config.yaml
@ -63,6 +63,41 @@ stringData:
      export "ENV_TO_INI__${masked_section^^}__${setting^^}=${value}"        # '^^' makes the variable content uppercase
    }

+    function env2ini::reload_preset_envs() {
+      env2ini::log "Reloading preset envs..."
+
+      while read -r line; do
+        if [[ -z "${line}" ]]; then
+          # skip empty line
+          return
+        fi
+
+        # 'xargs echo -n' trims all leading/trailing whitespaces and a trailing new line
+        local setting="$(awk -F '=' '{print $1}' <<< "${line}" | xargs echo -n)"
+
+        if [[ -z "${setting}" ]]; then
+          env2ini::log '  ! invalid setting'
+          exit 1
+        fi
+
+        local value=''
+        local regex="^${setting}(\s*)=(\s*)(.*)"
+        if [[ $line =~ $regex ]]; then
+          value="${BASH_REMATCH[3]}"
+        else
+          env2ini::log '  ! invalid setting'
+          exit 1
+        fi
+
+        env2ini::log "  + '${setting}'"
+
+        export "${setting^^}=${value}"                           # '^^' makes the variable content uppercase
+      done < "/tmp/existing-envs"
+
+      rm /tmp/existing-envs
+    }
+
+
    function env2ini::process_config_file() {
      local config_file="${1}"
      local section="$(basename "${config_file}")"
@ -82,13 +117,15 @@ stringData:
    function env2ini::load_config_sources() {
      local path="${1}"

-      env2ini::log "Processing $(basename "${path}")..."
+      if [[ -d "${path}" ]]; then
+        env2ini::log "Processing $(basename "${path}")..."

-      while read -d '' configFile; do
-        env2ini::process_config_file "${configFile}"
-      done < <(find "${path}" -type l -not -name '..data' -print0)
+        while read -d '' configFile; do
+          env2ini::process_config_file "${configFile}"
+        done < <(find "${path}" -type l -not -name '..data' -print0)

-      env2ini::log "\n"
+        env2ini::log "\n"
+      fi
    }

    function env2ini::generate_initial_secrets() {
@ -100,16 +137,22 @@ stringData:
      export ENV_TO_INI__SECURITY__INTERNAL_TOKEN=$(gitea generate secret INTERNAL_TOKEN)
      export ENV_TO_INI__SECURITY__SECRET_KEY=$(gitea generate secret SECRET_KEY)
      export ENV_TO_INI__OAUTH2__JWT_SECRET=$(gitea generate secret JWT_SECRET)
+      export ENV_TO_INI__SERVER__LFS_JWT_SECRET=$(gitea generate secret LFS_JWT_SECRET)

      env2ini::log "...Initial secrets generated\n"
    }

+    env | (grep ENV_TO_INI || [[ $? == 1 ]]) > /tmp/existing-envs
+    
    # MUST BE CALLED BEFORE OTHER CONFIGURATION
    env2ini::generate_initial_secrets

    env2ini::load_config_sources '/env-to-ini-mounts/inlines/'
    env2ini::load_config_sources '/env-to-ini-mounts/additionals/'

+    # load existing envs to override auto generated envs
+    env2ini::reload_preset_envs
+
    env2ini::log "=== All configuration sources loaded ===\n"

    # safety to prevent rewrite of secret keys if an app.ini already exists
@ -118,10 +161,12 @@ stringData:
      env2ini::log '  - security.INTERNAL_TOKEN'
      env2ini::log '  - security.SECRET_KEY'
      env2ini::log '  - oauth2.JWT_SECRET'
+      env2ini::log '  - server.LFS_JWT_SECRET'

      unset ENV_TO_INI__SECURITY__INTERNAL_TOKEN
      unset ENV_TO_INI__SECURITY__SECRET_KEY
      unset ENV_TO_INI__OAUTH2__JWT_SECRET
+      unset ENV_TO_INI__SERVER__LFS_JWT_SECRET
    fi

    environment-to-ini -o $GITEA_APP_INI -p ENV_TO_INI
--- a/templates/gitea/extra-list.yaml
+++ b/templates/gitea/extra-list.yaml
@ -0,0 +1,8 @@
+{{- range .Values.extraDeploy }}
+---
+{{- if typeIs "string" . }}
+    {{- tpl . $ }}
+{{- else }}
+    {{- tpl (. | toYaml) $ }}
+{{- end }}
+{{- end }}
--- a/templates/gitea/gpg-secret.yaml
+++ b/templates/gitea/gpg-secret.yaml
@ -0,0 +1,16 @@
+{{- if .Values.signing.enabled -}}
+{{- if and (empty .Values.signing.privateKey) (empty .Values.signing.existingSecret) -}}
+  {{- fail "Either specify `signing.privateKey` or `signing.existingSecret`" -}}
+{{- end }}
+{{- if and (not (empty .Values.signing.privateKey)) (empty .Values.signing.existingSecret) -}}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "gitea.gpg-key-secret-name" . }}
+  labels:
+    {{- include "gitea.labels" . | nindent 4 }}
+type: Opaque
+data:
+  privateKey: {{ .Values.signing.privateKey | b64enc }}
+{{- end }}
+{{- end }}
--- a/templates/gitea/http-svc.yaml
+++ b/templates/gitea/http-svc.yaml
@ -21,6 +21,13 @@ spec:
  externalIPs:
    {{- toYaml .Values.service.http.externalIPs | nindent 4 }}
  {{- end }}
+  {{- if .Values.service.http.ipFamilyPolicy }}
+  ipFamilyPolicy: {{ .Values.service.http.ipFamilyPolicy }}
+  {{- end }}
+  {{- with .Values.service.http.ipFamilies }}
+  ipFamilies:
+  {{- toYaml . | nindent 4 }}
+  {{- end -}}
  {{- if .Values.service.http.externalTrafficPolicy }}
  externalTrafficPolicy: {{ .Values.service.http.externalTrafficPolicy }}
  {{- end }}
--- a/templates/gitea/init.yaml
+++ b/templates/gitea/init.yaml
@ -6,6 +6,11 @@ metadata:
    {{- include "gitea.labels" . | nindent 4 }}
 type: Opaque
 stringData:
+  configure_gpg_environment.sh: |-
+    #!/usr/bin/env bash
+    set -eu
+
+    gpg --batch --import /raw/private.asc
  init_directory_structure.sh: |-
    #!/usr/bin/env bash

@ -26,7 +31,7 @@ stringData:
    {{- end }}
    mkdir -p /data/git/.ssh
    chmod -R 700 /data/git/.ssh
-    [ ! -d /data/gitea ] && mkdir -p /data/gitea/conf
+    [ ! -d /data/gitea/conf ] && mkdir -p /data/gitea/conf

    # prepare temp directory structure
    mkdir -p "${GITEA_TEMP}"
@ -35,36 +40,28 @@ stringData:
    {{- end }}
    chmod ug+rwx "${GITEA_TEMP}"

+    {{ if .Values.signing.enabled -}}
+    if [ ! -d "${GNUPGHOME}" ]; then
+      mkdir -p "${GNUPGHOME}"
+      chmod 700 "${GNUPGHOME}"
+      chown 1000:1000 "${GNUPGHOME}"
+    fi
+    {{- end }}
+
  configure_gitea.sh: |-
    #!/usr/bin/env bash

    set -euo pipefail

-    {{- if include "db.servicename" . }}
-    # Connection retry inspired by https://gist.github.com/dublx/e99ea94858c07d2ca6de
-    function test_db_connection() {
-      local RETRY=0
-      local MAX=30
-
-      echo 'Wait for database to become avialable...'
-      until [ "${RETRY}" -ge "${MAX}" ]; do
-        nc -vz -w2 {{ include "db.servicename" . }} {{ include "db.port" . }} && break
-        RETRY=$[${RETRY}+1]
-        echo "...not ready yet (${RETRY}/${MAX})"
-      done
-
-      if [ "${RETRY}" -ge "${MAX}" ]; then
-        echo "Database not reachable after '${MAX}' attempts!"
-        exit 1
-      fi
-    }
-
-    test_db_connection
-    {{- end }}
-
    echo '==== BEGIN GITEA CONFIGURATION ===='

-    gitea migrate
+    { # try
+      gitea migrate
+    } || { # catch
+      echo "Gitea migrate might fail due to database connection...This init-container will try again in a few seconds"
+      exit 1
+    }
+    

    {{- if or .Values.gitea.admin.existingSecret (and .Values.gitea.admin.username .Values.gitea.admin.password) }}
    function configure_admin_user() {
--- a/templates/gitea/ssh-svc.yaml
+++ b/templates/gitea/ssh-svc.yaml
@ -26,6 +26,13 @@ spec:
  externalIPs:
    {{- toYaml .Values.service.ssh.externalIPs | nindent 4 }}
  {{- end }}
+  {{- if .Values.service.ssh.ipFamilyPolicy }}
+  ipFamilyPolicy: {{ .Values.service.ssh.ipFamilyPolicy }}
+  {{- end }}
+  {{- with .Values.service.ssh.ipFamilies }}
+  ipFamilies:
+  {{- toYaml . | nindent 4 }}
+  {{- end -}}
  {{- if .Values.service.ssh.externalTrafficPolicy }}
  externalTrafficPolicy: {{ .Values.service.ssh.externalTrafficPolicy }}
  {{- end }}
--- a/templates/gitea/statefulset.yaml
+++ b/templates/gitea/statefulset.yaml
@ -2,6 +2,10 @@ apiVersion: apps/v1
 kind: StatefulSet
 metadata:
  name: {{ include "gitea.fullname" . }}
+  annotations:
+    {{- if .Values.statefulset.annotations }}
+    {{- toYaml .Values.statefulset.annotations | nindent 4 }}
+    {{- end }}
  labels:
    {{- include "gitea.labels" . | nindent 4 }}
 spec:
@ -35,15 +39,16 @@ spec:
      {{- if .Values.schedulerName }}
      schedulerName: "{{ .Values.schedulerName }}"
      {{- end }}
-      {{- with .Values.imagePullSecrets }}
-      imagePullSecrets:
-        {{- toYaml . | nindent 8 }}
+      {{- if .Values.priorityClassName }}
+      priorityClassName: "{{ .Values.priorityClassName }}"
      {{- end }}
+      {{- include "gitea.images.pullSecrets" . | nindent 6 }}
      securityContext:
        {{- toYaml .Values.podSecurityContext | nindent 8 }}
      initContainers:
        - name: init-directories
          image: "{{ include "gitea.image" . }}"
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
          command: ["/usr/sbin/init_directory_structure.sh"]
          env:
            - name: GITEA_APP_INI
@ -57,6 +62,10 @@ spec:
            {{- if .Values.statefulset.env }}
            {{- toYaml .Values.statefulset.env | nindent 12 }}
            {{- end }}
+            {{- if .Values.signing.enabled }}
+            - name: GNUPGHOME
+              value: {{ .Values.signing.gpgHome }}
+            {{- end }}
          volumeMounts:
            - name: init
              mountPath: /usr/sbin
@ -67,13 +76,14 @@ spec:
              {{- if .Values.persistence.subPath }}
              subPath: {{ .Values.persistence.subPath }}
              {{- end }}
-            {{- if .Values.extraVolumeMounts }}
-            {{- toYaml .Values.extraVolumeMounts | nindent 12 }}
-            {{- end }}
+            {{- include "gitea.init-additional-mounts" . | nindent 12 }}
          securityContext:
            {{- toYaml .Values.containerSecurityContext | nindent 12 }}
+          resources:
+            {{- toYaml .Values.initContainers.resources | nindent 12 }}
        - name: init-app-ini
          image: "{{ include "gitea.image" . }}"
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
          command: ["/usr/sbin/config_environment.sh"]
          env:
            - name: GITEA_APP_INI
@ -87,6 +97,9 @@ spec:
            {{- if .Values.statefulset.env }}
            {{- toYaml .Values.statefulset.env | nindent 12 }}
            {{- end }}
+            {{- if .Values.gitea.additionalConfigFromEnvs }}
+            {{- toYaml .Values.gitea.additionalConfigFromEnvs | nindent 12 }}
+            {{- end }}
          volumeMounts:
            - name: config
              mountPath: /usr/sbin
@ -103,14 +116,47 @@ spec:
            - name: additional-config-sources-{{ $idx }}
              mountPath: "/env-to-ini-mounts/additionals/{{ $idx }}/"
            {{- end }}
+            {{- include "gitea.init-additional-mounts" . | nindent 12 }}
+          securityContext:
+            {{- toYaml .Values.containerSecurityContext | nindent 12 }}
+          resources:
+            {{- toYaml .Values.initContainers.resources | nindent 12 }}
+        {{- if .Values.signing.enabled }}
+        - name: configure-gpg
+          image: "{{ include "gitea.image" . }}"
+          command: ["/usr/sbin/configure_gpg_environment.sh"]
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          securityContext:
+            {{- /* By default this container runs as user 1000 unless otherwise stated */ -}}
+            {{- $csc := deepCopy .Values.containerSecurityContext -}}
+            {{- if not (hasKey $csc "runAsUser") -}}
+            {{- $_ := set $csc "runAsUser" 1000 -}}
+            {{- end -}}
+            {{- toYaml $csc | nindent 12 }}
+          env:
+            - name: GNUPGHOME
+              value: {{ .Values.signing.gpgHome }}
+          volumeMounts:
+            - name: init
+              mountPath: /usr/sbin
+            - name: data
+              mountPath: /data
+              {{- if .Values.persistence.subPath }}
+              subPath: {{ .Values.persistence.subPath }}
+              {{- end }}
+            - name: gpg-private-key
+              mountPath: /raw
+              readOnly: true
            {{- if .Values.extraVolumeMounts }}
            {{- toYaml .Values.extraVolumeMounts | nindent 12 }}
            {{- end }}
-          securityContext:
-            {{- toYaml .Values.containerSecurityContext | nindent 12 }}
+          resources:
+            {{- toYaml .Values.initContainers.resources | nindent 12 }}
+        {{- end }}
        - name: configure-gitea
          image: "{{ include "gitea.image" . }}"
          command: ["/usr/sbin/configure_gitea.sh"]
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
          securityContext:
            {{- /* By default this container runs as user 1000 unless otherwise stated */ -}}
            {{- $csc := deepCopy .Values.containerSecurityContext -}}
@ -194,9 +240,9 @@ spec:
              {{- if .Values.persistence.subPath }}
              subPath: {{ .Values.persistence.subPath }}
              {{- end }}
-            {{- if .Values.extraVolumeMounts }}
-            {{- toYaml .Values.extraVolumeMounts | nindent 12 }}
-            {{- end }}
+            {{- include "gitea.init-additional-mounts" . | nindent 12 }}
+          resources:
+            {{- toYaml .Values.initContainers.resources | nindent 12 }}
      terminationGracePeriodSeconds: {{ .Values.statefulset.terminationGracePeriodSeconds }}
      containers:
        - name: {{ .Chart.Name }}
@ -208,6 +254,10 @@ spec:
              value: {{ .Values.gitea.config.server.SSH_LISTEN_PORT | quote }}
            - name: SSH_PORT
              value: {{ .Values.gitea.config.server.SSH_PORT | quote }}
+            {{- if not .Values.image.rootless }}
+            - name: SSH_LOG_LEVEL
+              value: {{ .Values.gitea.ssh.logLevel | quote }}
+            {{- end }}
            - name: GITEA_APP_INI
              value: /data/gitea/conf/app.ini
            - name: GITEA_CUSTOM
@ -228,23 +278,26 @@ spec:
          ports:
            - name: ssh
              containerPort: {{ .Values.gitea.config.server.SSH_LISTEN_PORT }}
+            {{- if .Values.service.ssh.hostPort }}
+              hostPort: {{ .Values.service.ssh.hostPort }}
+            {{- end }}
            - name: http
              containerPort: {{ .Values.gitea.config.server.HTTP_PORT }}
            {{- if .Values.gitea.config.server.ENABLE_PPROF }}
            - name: profiler
              containerPort: 6060
            {{- end }}
-          {{- if .Values.gitea.livenessProbe }}
+          {{- if .Values.gitea.livenessProbe.enabled }}
          livenessProbe:
-            {{- toYaml .Values.gitea.livenessProbe | nindent 12 }}
+            {{- toYaml (omit .Values.gitea.livenessProbe "enabled") | nindent 12 }}
          {{- end }}
-          {{- if .Values.gitea.readinessProbe }}
+          {{- if .Values.gitea.readinessProbe.enabled }}
          readinessProbe:
-            {{- toYaml .Values.gitea.readinessProbe | nindent 12 }}
+            {{- toYaml (omit .Values.gitea.readinessProbe "enabled") | nindent 12 }}
          {{- end }}
-          {{- if .Values.gitea.startupProbe }}
+          {{- if .Values.gitea.startupProbe.enabled }}
          startupProbe:
-            {{- toYaml .Values.gitea.startupProbe | nindent 12 }}
+            {{- toYaml (omit .Values.gitea.startupProbe "enabled") | nindent 12 }}
          {{- end }}
          resources:
            {{- toYaml .Values.resources | nindent 12 }}
@ -263,9 +316,11 @@ spec:
              {{- if .Values.persistence.subPath }}
              subPath: {{ .Values.persistence.subPath }}
              {{- end }}
-            {{- if .Values.extraVolumeMounts }}
-            {{- toYaml .Values.extraVolumeMounts | nindent 12 }}
-            {{- end }}
+            {{- include "gitea.container-additional-mounts" . | nindent 12 }}
+      {{- with .Values.global.hostAliases }}
+      hostAliases:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
      {{- with .Values.nodeSelector }}
      nodeSelector:
        {{- toYaml . | nindent 8 }}
@ -277,6 +332,10 @@ spec:
    {{- with .Values.tolerations }}
      tolerations:
        {{- toYaml . | nindent 8 }}
+    {{- end }}
+    {{- if .Values.dnsConfig }}
+      dnsConfig:
+        {{- toYaml .Values.dnsConfig | nindent 8 }}
    {{- end }}
      volumes:
        - name: init
@ -287,7 +346,7 @@ spec:
          secret:
            secretName: {{ include "gitea.fullname" . }}
            defaultMode: 110
-        {{- if .Values.extraVolumes }}
+        {{- if gt (len .Values.extraVolumes) 0 }}
        {{- toYaml .Values.extraVolumes | nindent 8 }}
        {{- end }}
        - name: inline-config-sources
@ -299,6 +358,15 @@ spec:
        {{- end }}
        - name: temp
          emptyDir: {}
+        {{- if .Values.signing.enabled }}
+        - name: gpg-private-key
+          secret:
+            secretName: {{ include "gitea.gpg-key-secret-name" . }}
+            items:
+              - key: privateKey
+                path: private.asc
+            defaultMode: 0100
+        {{- end }}
  {{- if and .Values.persistence.enabled .Values.persistence.existingClaim }}
        - name: data
          persistentVolumeClaim:
@ -329,9 +397,7 @@ spec:
          {{- range .Values.persistence.accessModes }}
            - {{ . | quote }}
          {{- end }}
-        {{- if .Values.persistence.storageClass }}
-        storageClassName: {{ .Values.persistence.storageClass | quote }}
-        {{- end }}
+        {{- include "gitea.persistence.storageClass" . | indent 8 }}
        resources:
          requests:
            storage: {{ .Values.persistence.size | quote }}
--- a/templates/tests/test-http-connection.yaml
+++ b/templates/tests/test-http-connection.yaml
@ -1,3 +1,4 @@
+{{- if .Values.test.enabled }}
 apiVersion: v1
 kind: Pod
 metadata:
@ -9,7 +10,8 @@ metadata:
 spec:
  containers:
    - name: wget
-      image: busybox
+      image: "{{ .Values.test.image.name }}:{{ .Values.test.image.tag }}"
      command: ['wget']
      args:  ['{{ include "gitea.fullname" . }}-http:{{ .Values.service.http.port }}']
  restartPolicy: Never
+{{- end }}
--- a/unittests/gpg-secret/signing-disabled.yaml
+++ b/unittests/gpg-secret/signing-disabled.yaml
@ -0,0 +1,13 @@
+suite: GPG secret template (signing disabled)
+release:
+  name: gitea-unittests
+  namespace: testing
+templates:
+  - templates/gitea/gpg-secret.yaml
+tests:
+  - it: renders nothing
+    set:
+      signing.enabled: false
+    asserts:
+      - hasDocuments:
+          count: 0
--- a/unittests/gpg-secret/signing-enabled.yaml
+++ b/unittests/gpg-secret/signing-enabled.yaml
@ -0,0 +1,40 @@
+suite: GPG secret template (signing enabled)
+release:
+  name: gitea-unittests
+  namespace: testing
+templates:
+  - templates/gitea/gpg-secret.yaml
+tests:
+  - it: fails rendering when nothing is configured
+    set:
+      signing:
+        enabled: true
+    asserts:
+      - failedTemplate:
+          errorMessage: Either specify `signing.privateKey` or `signing.existingSecret`
+  - it: skips rendering using external secret reference
+    set:
+      signing:
+        enabled: true
+        existingSecret: "external-secret-reference"
+    asserts:
+      - hasDocuments:
+          count: 0
+  - it: renders secret specification using inline gpg key
+    set:
+      signing:
+        enabled: true
+        privateKey: "gpg-key-placeholder"
+    asserts:
+      - hasDocuments:
+          count: 1
+      - documentIndex: 0
+        containsDocument:
+          kind: Secret
+          apiVersion: v1
+          name: gitea-unittests-gpg-key
+      - isNotEmpty:
+          path: metadata.labels
+      - equal:
+          path: data.privateKey
+          value: "Z3BnLWtleS1wbGFjZWhvbGRlcg=="
--- a/Show More
+++ b/Show More