fix release workflow

### Benefits

Less image pulls.

### Additional information

committed via GUI - so no signature on first commit.

Co-authored-by: pat-s <patrick.schratz@gmail.com>
Reviewed-on: https://gitea.com/gitea/helm-chart/pulls/568
Reviewed-by: pat-s <pat-s@noreply.gitea.com>
Co-authored-by: justusbunsi <sk.bunsenbrenner@gmail.com>
Co-committed-by: justusbunsi <sk.bunsenbrenner@gmail.com>

.drone.yml

@@ -1,85 +0,0 @@
----
-kind: pipeline
-type: docker
-name: lint
-
-platform:
-  os: linux
-  arch: arm64
-
-steps:
-- name: helm lint
-  pull: always
-  image: alpine:3.13
-  commands:
-  - apk add --no-cache -X http://dl-cdn.alpinelinux.org/alpine/edge/testing helm
-  - helm lint
-
-- name: helm template
-  pull: always
-  image: alpine:3.13
-  commands:
-  - apk add --no-cache -X http://dl-cdn.alpinelinux.org/alpine/edge/testing helm
-  - helm dependency update
-  - helm template --debug gitea-helm .
-
-- name: markdown lint
-  pull: always
-  image: docker.io/volkerraschek/markdownlint:latest
-  commands:
-  - markdownlint *.md
-
-- name: discord
-  pull: always
-  image: appleboy/drone-discord:1.2.4
-  environment:
-    DISCORD_WEBHOOK_ID:
-      from_secret: discord_webhook_id
-    DISCORD_WEBHOOK_TOKEN:
-      from_secret: discord_webhook_token
-  when:
-    status:
-    - changed
-    - failure
-
----
-kind: pipeline
-type: docker
-name: release-version
-
-platform:
-  os: linux
-  arch: arm64
-
-trigger:
-  event:
-  - tag
-
-steps:
-- name: generate-chart
-  pull: always
-  image: alpine:3.13
-  commands:
-    - apk add --no-cache -X http://dl-cdn.alpinelinux.org/alpine/edge/testing helm
-    - apk add --no-cache curl
-    - helm dependency update
-    - helm package --version "${DRONE_TAG##v}" ./
-    - mkdir gitea
-    - mv gitea*.tgz gitea/
-    - curl -L -o gitea/index.yaml https://dl.gitea.io/charts/index.yaml
-    - helm repo index gitea/ --url https://dl.gitea.io/charts --merge gitea/index.yaml
-
-- name: upload-chart
-  pull: always
-  image: plugins/s3:latest
-  settings:
-    bucket: gitea-artifacts
-    endpoint: https://storage.gitea.io
-    path_style: true
-    access_key:
-      from_secret: aws_access_key_id
-    secret_key:
-      from_secret: aws_secret_access_key
-    source: gitea/*
-    target: /charts
-    strip_prefix: gitea/

.editorconfig

@@ -0,0 +1,12 @@
+# EditorConfig is awesome: https://EditorConfig.org
+
+# top-most EditorConfig file
+root = true
+
+[*]
+indent_style = space
+indent_size = 2
+end_of_line = lf
+charset = utf-8
+trim_trailing_whitespace = false
+insert_final_newline = false

.gitea/PULL_REQUEST_TEMPLATE.md

@@ -0,0 +1,42 @@
+<!--
+ Before you open the request please review the following guidelines and tips to help it be more easily integrated:
+
+ - Describe the scope of your change - i.e. what the change does.
+ - Describe any known limitations with your change.
+ - Please run any tests or examples that can exercise your modified code.
+
+ Thank you for contributing! We will try to review, test and integrate the change as soon as we can.
+ -->
+
+### Description of the change
+
+<!-- Describe the scope of your change - i.e. what the change does. -->
+
+### Benefits
+
+<!-- What benefits will be realized by the code change? -->
+
+### Possible drawbacks
+
+<!-- Describe any known limitations with your change -->
+
+### Applicable issues
+
+<!-- Enter any applicable Issues here (You can reference an issue using #). Please remove this section if there is no referenced issue. -->
+  - fixes #
+
+### Additional information
+
+<!-- If there's anything else that's important and relevant to your pull request, mention that information here. Please remove this section if it remains empty. -->
+
+### ⚠ BREAKING
+
+<!-- If there's a breaking change, please shortly describe in which way users are affected and how they can mitigate it. If there are no breakings, please remove this section. -->
+
+### Checklist
+
+<!-- [Place an '[X]' (no spaces) in all applicable fields. Please remove unrelated fields.] -->
+
+- [ ] Parameters are documented in the `values.yaml` and added to the `README.md` using [readme-generator-for-helm](https://github.com/bitnami-labs/readme-generator-for-helm)
+- [ ] Breaking changes are documented in the `README.md`
+- [ ] Templating unittests are added

.gitea/workflows/release-version.yml

@@ -0,0 +1,68 @@
+name: generate-chart
+
+on:
+  push:
+    tags:
+      - "*"
+
+env:
+  # renovate: datasource=docker depName=alpine/helm
+  HELM_VERSION: "3.13.2"
+
+jobs:
+  generate-chart-publish:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: install tools
+        run: |
+          apt update -y
+          apt install -y curl ca-certificates curl gnupg
+          # helm
+          curl https://baltocdn.com/helm/signing.asc | gpg --dearmor | tee /usr/share/keyrings/helm.gpg > /dev/null
+          echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/helm.gpg] https://baltocdn.com/helm/stable/debian/ all main" | tee /etc/apt/sources.list.d/helm-stable-debian.list
+          # docker
+          install -m 0755 -d /etc/apt/keyrings
+          curl -fsSL https://download.docker.com/linux/debian/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg
+          chmod a+r /etc/apt/keyrings/docker.gpg
+          echo "deb [arch="$(dpkg --print-architecture)" signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian "$(. /etc/os-release && echo "$VERSION_CODENAME")" stable" | tee /etc/apt/sources.list.d/docker.list > /dev/null
+          apt update -y
+          apt install -y python helm=${{ env.HELM_VERSION }}-1 python3-pip apt-transport-https docker-ce-cli
+          pip install awscli
+
+      - name: Import GPG key
+        id: import_gpg
+        uses: https://github.com/crazy-max/ghaction-import-gpg@v5
+        with:
+          gpg_private_key: ${{ secrets.GPGSIGN_KEY }}
+          passphrase: ${{ secrets.GPGSIGN_PASSPHRASE }}
+          fingerprint: CC64B1DB67ABBEECAB24B6455FC346329753F4B0
+
+      # Using helm gpg plugin as 'helm package --sign' has issues with gpg2: https://github.com/helm/helm/issues/2843
+      - name: package chart
+        run: |
+          echo ${{ secrets.DOCKER_CHARTS_PASSWORD }} | docker login -u ${{ secrets.DOCKER_CHARTS_USERNAME }} --password-stdin
+          # FIXME: use upstream after https://github.com/technosophos/helm-gpg/issues/1 is solved
+          helm plugin install https://github.com/pat-s/helm-gpg
+          helm dependency update
+          helm package --version "${GITHUB_REF#refs/tags/v}" ./
+          helm gpg sign "gitea-${GITHUB_REF#refs/tags/v}.tgz"
+          mkdir gitea
+          mv gitea*.tgz gitea/
+          curl -s -L -o gitea/index.yaml https://dl.gitea.com/charts/index.yaml
+          helm repo index gitea/ --url https://dl.gitea.com/charts --merge gitea/index.yaml
+          # push to dockerhub
+          echo ${{ secrets.DOCKER_CHARTS_PASSWORD }} | helm registry login -u ${{ secrets.DOCKER_CHARTS_USERNAME }} registry-1.docker.io --password-stdin
+          helm push gitea/gitea-${GITHUB_REF#refs/tags/v}.tgz oci://registry-1.docker.io/giteacharts
+          helm registry logout registry-1.docker.io
+
+      - name: aws credential configure
+        uses: https://github.com/aws-actions/configure-aws-credentials@v2
+        with:
+          aws-access-key-id: ${{ secrets.AWS_KEY_ID }}
+          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          aws-region: ${{ secrets.AWS_REGION }}
+
+      - name: Copy files to S3 and clear cache
+        run: |
+          aws s3 sync gitea/ s3://${{ secrets.AWS_S3_BUCKET}}/charts/

.gitea/workflows/test-pr.yml

@@ -0,0 +1,41 @@
+name: check-and-test
+
+on:
+  pull_request:
+    branches:
+      - "*"
+  push:
+    branches:
+      - main
+      - "renovate/**"
+
+env:
+  # renovate: datasource=github-releases depName=helm-unittest/helm-unittest
+  HELM_UNITTEST_VERSION: "v0.3.6"
+
+jobs:
+  check-and-test:
+    runs-on: ubuntu-latest
+    container: alpine/helm:3.13.2
+    steps:
+      - name: install tools
+        run: |
+          apk update
+          apk add --update make nodejs npm yamllint
+      - uses: actions/checkout@v4
+      - name: install chart dependencies
+        run: helm dependency build
+      - name: lint
+        run: helm lint
+      - name: template
+        run: helm template --debug gitea-helm .
+      - name: unit tests
+        run: |
+          helm plugin install --version ${{ env.HELM_UNITTEST_VERSION }} https://github.com/helm-unittest/helm-unittest
+          make unittests
+      - name: verify readme
+        run: |
+          make readme
+          git diff --exit-code --name-only README.md
+      - name: yaml lint
+        uses: https://github.com/ibiqlik/action-yamllint@v3

.gitignore

@@ -1,3 +1,4 @@
-charts
-Chart.lock
+charts/
+node_modules/
 .DS_Store
+unittests/*/__snapshot__/

.helmignore

@@ -20,5 +20,14 @@
 .idea/
 *.tmproj
 .vscode/
-#charts/
-#Chart.lock
+node_modules/
+.npmrc
+package.json
+package-lock.json
+.gitea/
+Makefile
+.markdownlintignore
+.markdownlint.yaml
+.drone.yml
+CONTRIBUTING.md
+unittests/

.markdownlint.yaml

@@ -45,9 +45,9 @@ MD012:
 # MD013/line-length - Line length
 MD013:
   # Number of characters
-  line_length: 80
+  line_length: 200
   # Number of characters for headings
-  heading_line_length: 80
+  heading_line_length: 100
   # Number of characters for code blocks
   code_block_line_length: 80
   # Include code blocks
@@ -106,7 +106,7 @@ MD030:
 # MD033/no-inline-html - Inline HTML
 MD033:
   # Allowed elements
-  allowed_elements: []
+  allowed_elements: [details, summary]
 
 # MD035/hr-style - Horizontal rule style
 MD035:
@@ -129,14 +129,12 @@ MD041:
 MD044:
   # List of proper names
   names:
-  - Gitea
-  - PostgreSQL
-  - MariaDB
-  - MySQL
-  - Memcached
-  - Prometheus
-  - Git
-  - GitOps
+    - Gitea
+    - PostgreSQL
+    - Memcached
+    - Prometheus
+    - Git
+    - GitOps
   # Include code blocks
   code_blocks: false
 

.markdownlintignore

@@ -0,0 +1,4 @@
+.gitea/
+node_modules/
+charts/
+Chart.lock

.npmrc

@@ -0,0 +1 @@
+engine-strict=true

.prettierignore

@@ -0,0 +1 @@
+Chart.lock

.vscode/extensions.json

@@ -0,0 +1,8 @@
+{
+    "recommendations": [
+        "yzhang.markdown-all-in-one",
+        "DavidAnson.vscode-markdownlint",
+        "Tim-Koehler.helm-intellisense",
+        "esbenp.prettier-vscode"
+    ]
+  }

.vscode/settings.json

@@ -0,0 +1,8 @@
+{
+    "yaml.schemas": {
+        "https://raw.githubusercontent.com/helm-unittest/helm-unittest/main/schema/helm-testsuite.json": [
+            "/unittests/**/*.yaml"
+        ]
+    },
+    "yaml.schemaStore.enable": true
+}

.yamllint

@@ -0,0 +1,20 @@
+---
+extends: default
+
+ignore: |
+  .yamllint
+  node_modules
+  templates
+
+
+rules:
+  truthy:
+    allowed-values: ['true', 'false']
+    check-keys: False
+    level: error
+  line-length: disable
+  document-start: disable
+  comments:
+    min-spaces-from-content: 1
+  braces:
+    max-spaces-inside: 2

CONTRIBUTING.md

@@ -0,0 +1,65 @@
+# Contribution Guidelines
+
+Any type of contribution is welcome; from new features, bug fixes, tests,
+refactorings for easier maintainability or documentation improvements.
+
+## Development environment
+
+- [`node`](https://nodejs.org/en/) at least current LTS
+- [`helm`](https://helm.sh/docs/intro/install/)
+- `make` is optional; you may call the commands directly
+
+When using Visual Studio Code as IDE, a [ready-to-use profile](.vscode/) is available.
+
+## Documentation Requirements
+
+The `README.md` must include all configuration options.
+The parameters section is generated by extracting the parameter annotations from the `values.yaml` file, by using [this tool](https://github.com/bitnami-labs/readme-generator-for-helm).
+
+If changes were made on configuration options, run `make readme` to update the README file.
+
+The ToC is created via the VSCode [Markdown All in One](https://marketplace.visualstudio.com/items?itemName=yzhang.markdown-all-in-one) extension which can/must also be used used to update it.
+
+## Pull Request Requirements
+
+When submitting or updating a PR:
+
+- make sure it passes CI builds.
+- do not make independent changes in one PR.
+- try to avoid rebases. They make code reviews for large PRs and comments much harder.
+- if applicable, use the PR template for a well-defined PR description.
+- clearly mark breaking changes.
+
+## Local development & testing
+
+For local development and testing of pull requests, the following workflow can
+be used:
+
+1. Install `minikube` and `helm`.
+1. Start a `minikube` cluster via `minikube start`.
+1. From the `gitea/helm-chart` directory execute the following command.
+   This will install the dependencies listed in `Chart.yml` and deploy the current state of the helm chart found locally.
+   If you want to test a branch, make sure to switch to the respective branch first.
+   `helm install --dependency-update gitea . -f values.yaml`.
+1. Gitea is now deployed in `minikube`.
+   To access it, it's port needs to be forwarded first from `minikube` to localhost first via `kubectl --namespace
+default port-forward svc/gitea-http 3000:3000`.
+   Now Gitea is accessible at [http://localhost:3000](http://localhost:3000).
+
+### Unit tests
+
+```bash
+# install the unittest plugin
+$ helm plugin install https://github.com/helm-unittest/helm-unittest
+
+# run the unittests
+make unittests
+```
+
+See [plugin documentation](https://github.com/helm-unittest/helm-unittest/blob/main/DOCUMENT.md) for usage instructions.
+
+## Release process
+
+1. Create a tag following the tagging schema
+1. Push the tag
+1. Let CI do it's work

Chart.lock

@@ -0,0 +1,12 @@
+dependencies:
+- name: postgresql
+  repository: oci://registry-1.docker.io/bitnamicharts
+  version: 12.12.10
+- name: postgresql-ha
+  repository: oci://registry-1.docker.io/bitnamicharts
+  version: 11.9.4
+- name: redis-cluster
+  repository: oci://registry-1.docker.io/bitnamicharts
+  version: 9.1.3
+digest: sha256:6bda620320a05a5ea4efb4189a86d30092aeb0a6f3e0009538f4bea312af0863
+generated: "2023-11-14T00:08:15.790217865Z"

Chart.yaml

@@ -3,8 +3,8 @@ name: gitea
 description: Gitea Helm chart for Kubernetes
 type: application
 version: 0.0.0
-appVersion: 1.15.10
-icon: https://docs.gitea.io/images/gitea.png
+appVersion: 1.21.0
+icon: https://gitea.com/assets/img/logo.svg
 
 keywords:
   - git
@@ -28,21 +28,23 @@ maintainers:
     email: lucas.hahn@novum-rgi.de
   - name: Steven Kriegler
     email: sk.bunsenbrenner@gmail.com
+  - name: Patrick Schratz
+    email: patrick.schratz@gmail.com
 
+# Bitnami charts are served from GitHub CDN - See https://github.com/bitnami/charts/issues/10539 for details
 dependencies:
-- name: memcached
-  repository: https://charts.bitnami.com/bitnami
-  version: 5.9.0
-  condition: memcached.enabled
-- name: mysql
-  repository: https://charts.bitnami.com/bitnami
-  version: 6.14.10
-  condition: mysql.enabled
-- name: postgresql
-  repository: https://charts.bitnami.com/bitnami
-  version: 10.3.17
-  condition: postgresql.enabled
-- name: mariadb
-  repository: https://charts.bitnami.com/bitnami
-  version: 9.3.6
-  condition: mariadb.enabled
+  # https://github.com/bitnami/charts/blob/main/bitnami/postgresql
+  - name: postgresql
+    repository: oci://registry-1.docker.io/bitnamicharts
+    version: 12.12.10
+    condition: postgresql.enabled
+  # https://github.com/bitnami/charts/blob/main/bitnami/postgresql-ha/Chart.yaml
+  - name: postgresql-ha
+    repository: oci://registry-1.docker.io/bitnamicharts
+    version: 11.9.4
+    condition: postgresql-ha.enabled
+  # https://github.com/bitnami/charts/blob/main/bitnami/redis-cluster/Chart.yaml
+  - name: redis-cluster
+    repository: oci://registry-1.docker.io/bitnamicharts
+    version: 9.1.3
+    condition: redis-cluster.enabled

Makefile

@@ -0,0 +1,17 @@
+.PHONY: prepare-environment
+prepare-environment:
+	npm install
+
+.PHONY: readme
+readme: prepare-environment
+	npm run readme:parameters
+	npm run readme:lint
+
+.PHONY: unittests
+unittests:
+	helm unittest --strict -f 'unittests/**/*.yaml' ./
+
+.PHONY: helm
+update-helm-dependencies:
+	helm dependency update
+  

docs/ha-setup.md

@@ -0,0 +1,178 @@
+# High Availability
+
+All components (in-memory DB, volume/asset storage, code indexer) used by Gitea must be deployed in a HA-ready fashion to achieve a full HA-ready Gitea deployment.
+The following document explains how to achieve this for all individual components.
+
+The resulting Gitea deployment will consist of ~ 10 pods (depending on the chosen components and their replicas).
+One should evaluate upfront whether a HA-deployment is required as switching between HA/non-HA comes with some effort.
+For production instances, HA is always recommended to increase uptime and have a frictionless update process.
+
+A general comment about chart dependencies and external services:
+Instead of relying on chart dependencies, it is often better to rely on an external, (managed) instances (in-memory database, asset storage provider, database, etc.).
+Many cloud providers offer such services, at least for databases or in-memory databases.
+They might cost a bit more than using a self-hosted k8s variant but are usually easier to maintain and scale, if needed.
+Also they can be centrally managed and are not linked to the Gitea helm chart or namespace.
+Please consider using external services before you start with your Gitea HA setup, it will make your life (and the life of the Gitea maintainers) easier.
+
+This helm chart tries to help as much as possible to simplify and assert the provisioning of a HA-ready Gitea instance by implementing smart conditionals if `replicaCount` is set to a value > 1.
+Nevertheless, we cannot guarantee for every possible combination of Gitea settings to work together perfectly in a HA setup.
+As a general advice, we recommend to have a test environment aside on which to test possible changes/upgrades before applying these to a production installation.
+
+## Requirements for HA
+
+Storage-wise, the HA-Gitea setup requires a RWX file-system which can be shared among the deployment-based replica pods.
+In addition, the following components are required for full HA-readiness:
+
+- A HA-ready issue (and optionally code) indexer: `elasticsearch` or `meilisearch`
+- A HA-ready external object/asset storage (`minio`) (optional, assets can also be stored on the RWX file-system)
+- A HA-ready cache (`redis-cluster`)
+- A HA-ready DB
+
+`postgres.enabled`, which default to `true`, must be set to `false` for a HA setup.
+The default `postgres` chart dependency is not HA-ready (there's a dedicated `postgres-ha` chart).
+
+The following sections discuss each of the components in more detail.
+Note that for each component discussed, the shown configurations only provides a (working) starting point, not necessarily the most optimal setup.
+We try to optimize this document over time as we have gained more experience with HA setups from users.
+
+## Indexers (Issues and code/repo)
+
+The default code indexer `bleve` is not able to allow multiple connections and hence cannot be used in a HA setup.
+Alternatives are `elasticsearch` and `meilisearch` (as of >= 1.19.2).
+Unless you have an existing `elasticsearch` cluster, we recommend using `meilisearch` as it is faster and requires way less resources.
+
+Unfortunately, `meilisearch` does only support the `ISSUE_INDEXER` and not the `REPO_INDEXER` yet ([tracking issue](https://github.com/go-gitea/gitea/pull/24149)).
+This means that the `REPO_INDEXER` must still be disabled for a HA setup right now.
+An alternative to the two options above for the `ISSUE_INDEXER` is `"db"`, however we recommend to just go with `meilisearch` in this case and to not bother the DB with indexing.
+
+To configure `meilisearch` within Gitea, do the following:
+
+```yml
+gitea:
+  config:
+    indexer:
+      ISSUE_INDEXER_CONN_STR: <http://meilisearch.<namespace>.svc.cluster.local:7700>
+      ISSUE_INDEXER_ENABLED: true
+      ISSUE_INDEXER_TYPE: meilisearch
+      REPO_INDEXER_ENABLED: false
+      # REPO_INDEXER_TYPE: meilisearch # not yet working
+```
+
+Unfortunately `meilisearch` cannot be deployed in HA as of now.
+Nevertheless it allows for multiple Gitea requests at the same time and is therefore required in a HA setup.
+
+Exemplary configuration for the [meilisearch-kubernetes](https://github.com/meilisearch/meilisearch-kubernetes/tree/main/charts/meilisearch) chart:
+
+```yaml
+persistence:
+  enabled: true
+  accessMode: ReadWriteOnce
+  size: 5Gi
+```
+
+## Cache, session and queue
+
+A `redis` instance is required for the in-memory cache.
+Two options exist:
+
+- `redis`
+- `redis-cluster`
+
+The chart provides `redis-cluster` as a dependency as this one can be used for both HA and non-HA setups.
+You're also welcome to go with `redis` if you prefer or already have a running instance.
+
+It should be noted that `redis-cluster` support is only available starting with Gitea 1.19.2.
+You can also configure an external (managed) `redis` instance to be used.
+To do so, you need to set the following configuration values yourself:
+
+- `gitea.config.queue.TYPE`: redis`
+- `gitea.config.queue.CONN_STR`: `<your redis connection string>`
+
+- `gitea.config.session.PROVIDER`: `redis`
+- `gitea.config.session.PROVIDER_CONFIG`: `<your redis connection string>`
+
+- `gitea.config.cache.ENABLED`: `true`
+- `gitea.config.cache.ADAPTER`: `redis`
+- `gitea.config.cache.HOST`: `<your redis connection string>`
+
+By default, the `redis-cluster` chart provisions three standalone master nodes of which each has a single replica.
+To reduce the number of pods for a default Gitea deployment, we opted to omit the replicas (`replicas: 0`) by default.
+Only the minimum required number of master pods for a functional `redis-cluster` deployment are provisioned.
+For a "proper" `redis-cluster` setup however, we recommend to set `replicas: 1` and `nodes: 6`.
+
+## Object and asset storage
+
+Object/asset storage refers to the storage of attachments, avatars, LFS files, etc.
+While most of these can be stored on the RWX file-system, it is recommended to use an external S3-compatible object storage for such, mainly for performance reasons.
+
+By default the chart provisions a single RWO volume to store everything (repos, avatars, packages, etc.).
+This volume cannot be mounted by multiple pods.
+Hence, a RWX volume is required and (optionally) an external HA-ready object storage.
+
+> **Note:** Double-check that the file permissions are set correctly on the RWX volume! That is everything should be owned by the `git` user which usually has `uid=1000` and `gid=1000`.
+
+To use `minio` you need to deploy and configure an external `minio` instance yourself and explicitly define the `STORAGE_TYPE` values as shown below.
+
+Note that `MINIO_BUCKET` here is just a name and does not refer to a S3 bucket.
+It's the root access point for all objects belonging to the respective application, i.e., to Gitea in this case.
+
+```yaml
+gitea:
+  config:
+    attachment:
+      STORAGE_TYPE: minio
+    lfs:
+      STORAGE_TYPE: minio
+    picture:
+      AVATAR_STORAGE_TYPE: minio
+    "storage.packages":
+      STORAGE_TYPE: minio
+
+    storage:
+      MINIO_ENDPOINT: <minio-headless.<namespace>.svc.cluster.local:9000>
+      MINIO_LOCATION: <location>
+      MINIO_ACCESS_KEY_ID: <access key>
+      MINIO_SECRET_ACCESS_KEY: <secret key>
+      MINIO_BUCKET: <bucket name>
+      MINIO_USE_SSL: false
+```
+
+Exemplary configuration for the [bitnami minio](https://github.com/bitnami/charts/blob/main/bitnami/minio) chart:
+
+```yaml
+auth:
+  rootUser: minio
+mode: distributed
+replicaCount: 4
+persistence:
+  enabled: true
+  size: 20Gi
+  accessModes:
+    - ReadWriteOnce
+```
+
+## Database
+
+If you do not have an HA-ready DB, using a managed database service in the cloud might be the easiest and most robust solution.
+Remember: disable the built-in `postgres` dependency and configure the database connection manually via `gitea.config.database`:
+
+```yml
+gitea:
+  database:
+    builtIn:
+      postgresql:
+        enabled: false
+  config:
+    database:
+      DB_TYPE: postgres
+      HOST: <host>
+      NAME: <name>
+      USER: <user>
+```
+
+## Known issues
+
+- Currently Cron jobs are run on all replicas as no leader election is implemented.
+  See [https://github.com/go-gitea/gitea/issues/13791](https://github.com/go-gitea/gitea/issues/13791) for a discussion and possible solution.
+
+- Running with multiple replicas slows down Gitea a bit, i.e. page loading time increases. 

package.json

@@ -0,0 +1,19 @@
+{
+  "name": "gitea-helm-chart",
+  "homepage": "https://gitea.com/gitea/helm-chart.git",
+  "license": "MIT",
+  "private": true,
+  "engineStrict": true,
+  "engines": {
+    "node": ">=16.0.0",
+    "npm": ">=8.0.0"
+  },
+  "scripts": {
+    "readme:lint": "markdownlint *.md -f",
+    "readme:parameters": "readme-generator -v values.yaml -r README.md"
+  },
+  "devDependencies": {
+    "@bitnami/readme-generator-for-helm": "^2.5.0",
+    "markdownlint-cli": "^0.37.0"
+  }
+}

renovate.json5

@@ -0,0 +1,33 @@
+{
+  $schema: 'https://docs.renovatebot.com/renovate-schema.json',
+  extends: [
+    'gitea>gitea/renovate-config',
+    ':automergeMinor',
+    'schedule:automergeDaily',
+    'schedule:weekends',
+  ],
+  labels: ['kind/dependency'],
+  automergeStrategy: 'squash',
+  customManagers: [
+    {
+      description: 'Gitea-version of https://docs.renovatebot.com/presets-regexManagers/#regexmanagersgithubactionsversions',
+      customType: 'regex',
+      fileMatch: ['.gitea/workflows/.+\\.ya?ml$'],
+      matchStrings: [
+        '# renovate: datasource=(?<datasource>[a-z-.]+?) depName=(?<depName>[^\\s]+?)(?: (?:lookupName|packageName)=(?<packageName>[^\\s]+?))?(?: versioning=(?<versioning>[a-z-0-9]+?))?\\s+[A-Za-z0-9_]+?_VERSION\\s*:\\s*["\']?(?<currentValue>.+?)["\']?\\s',
+      ],
+    },
+  ],
+  packageRules: [
+    {
+      groupName: 'subcharts (minor & patch)',
+      matchManagers: ['helmv3'],
+      matchUpdateTypes: ['minor', 'patch', 'digest'],
+    },
+    {
+      groupName: 'workflow dependencies (minor & patch)',
+      matchManagers: ['github-actions', 'npm', 'regex'],
+      matchUpdateTypes: ['minor', 'patch', 'digest'],
+    },
+  ],
+}

templates/gitea/config.yaml

@@ -16,6 +16,37 @@ metadata:
     {{- include "gitea.labels" . | nindent 4 }}
 type: Opaque
 stringData:
+  assertions: |
+
+{{- /*assert that only one PG dep is enabled */ -}}
+{{- if and (.Values.postgresql.enabled) (index .Values "postgresql-ha" "enabled") -}}
+  {{- fail "Only one of postgresql or postgresql-ha can be enabled at the same time." -}}
+{{- end }}
+
+{{- /* multiple replicas assertions */ -}}
+{{- if gt .Values.replicaCount 1.0 -}}
+  {{- if (get (get .Values.gitea.config "cron.GIT_GC_REPOS") "ENABLED") -}}
+    {{- fail "Invoking the garbage collector via CRON is not yet supported when running with multiple replicas. Please set 'cron.GIT_GC_REPOS.enabled = false'." -}}
+  {{- end }}
+
+  {{- if eq (first .Values.persistence.accessModes) "ReadWriteOnce" -}}
+    {{- fail "When using multiple replicas, a RWX file system is required and gitea.persistence.accessModes[0] must be set to ReadWriteMany." -}}
+  {{- end }}
+
+  {{- if eq (get .Values.gitea.config.indexer "ISSUE_INDEXER_TYPE") "bleve" -}}
+    {{- fail "When using multiple replicas, the issue indexer (gitea.config.indexer.ISSUE_INDEXER_TYPE) must be set to a HA-ready provider such as 'meilisearch', 'elasticsearch' or 'db' (if the DB is HA-ready)." -}}
+  {{- end }}
+  {{- if .Values.gitea.config.indexer.REPO_INDEXER_TYPE -}}
+    {{- if eq (get .Values.gitea.config.indexer "REPO_INDEXER_TYPE") "bleve" -}}
+      {{- if .Values.gitea.config.indexer.REPO_INDEXER_ENABLED -}}
+        {{- if eq (get .Values.gitea.config.indexer "REPO_INDEXER_ENABLED") "true" -}}
+          {{- fail "When using multiple replicas, the repo indexer (gitea.config.indexer.REPO_INDEXER_TYPE) must be set to 'meilisearch' or 'elasticsearch' or disabled." -}}
+        {{- end }}
+      {{- end }}
+    {{- end }}
+  {{- end }}
+  
+{{- end }}
   config_environment.sh: |-
     #!/usr/bin/env bash
     set -euo pipefail
@@ -53,16 +84,51 @@ stringData:
       env2ini::log "    + '${setting}'"
 
       if [[ -z "${section}" ]]; then
-        export "ENV_TO_INI____${setting^^}=${value}"                           # '^^' makes the variable content uppercase
+        export "GITEA____${setting^^}=${value}"                           # '^^' makes the variable content uppercase
         return
       fi
 
       local masked_section="${section//./_0X2E_}"                            # '//' instructs to replace all matches
       masked_section="${masked_section//-/_0X2D_}"
 
-      export "ENV_TO_INI__${masked_section^^}__${setting^^}=${value}"        # '^^' makes the variable content uppercase
+      export "GITEA__${masked_section^^}__${setting^^}=${value}"        # '^^' makes the variable content uppercase
     }
 
+    function env2ini::reload_preset_envs() {
+      env2ini::log "Reloading preset envs..."
+
+      while read -r line; do
+        if [[ -z "${line}" ]]; then
+          # skip empty line
+          return
+        fi
+
+        # 'xargs echo -n' trims all leading/trailing whitespaces and a trailing new line
+        local setting="$(awk -F '=' '{print $1}' <<< "${line}" | xargs echo -n)"
+
+        if [[ -z "${setting}" ]]; then
+          env2ini::log '  ! invalid setting'
+          exit 1
+        fi
+
+        local value=''
+        local regex="^${setting}(\s*)=(\s*)(.*)"
+        if [[ $line =~ $regex ]]; then
+          value="${BASH_REMATCH[3]}"
+        else
+          env2ini::log '  ! invalid setting'
+          exit 1
+        fi
+
+        env2ini::log "  + '${setting}'"
+
+        export "${setting^^}=${value}"                           # '^^' makes the variable content uppercase
+      done < "/tmp/existing-envs"
+
+      rm /tmp/existing-envs
+    }
+
+
     function env2ini::process_config_file() {
       local config_file="${1}"
       local section="$(basename "${config_file}")"
@@ -82,13 +148,15 @@ stringData:
     function env2ini::load_config_sources() {
       local path="${1}"
 
-      env2ini::log "Processing $(basename "${path}")..."
+      if [[ -d "${path}" ]]; then
+        env2ini::log "Processing $(basename "${path}")..."
 
-      while read -d '' configFile; do
-        env2ini::process_config_file "${configFile}"
-      done < <(find "${path}" -type l -not -name '..data' -print0)
+        while read -d '' configFile; do
+          env2ini::process_config_file "${configFile}"
+        done < <(find "${path}" -type l -not -name '..data' -print0)
 
-      env2ini::log "\n"
+        env2ini::log "\n"
+      fi
     }
 
     function env2ini::generate_initial_secrets() {
@@ -97,19 +165,26 @@ stringData:
       #   - initially used to set up Gitea
       # Anyway, they won't harm existing app.ini files
 
-      export ENV_TO_INI__SECURITY__INTERNAL_TOKEN=$(gitea generate secret INTERNAL_TOKEN)
-      export ENV_TO_INI__SECURITY__SECRET_KEY=$(gitea generate secret SECRET_KEY)
-      export ENV_TO_INI__OAUTH2__JWT_SECRET=$(gitea generate secret JWT_SECRET)
+      export GITEA__SECURITY__INTERNAL_TOKEN=$(gitea generate secret INTERNAL_TOKEN)
+      export GITEA__SECURITY__SECRET_KEY=$(gitea generate secret SECRET_KEY)
+      export GITEA__OAUTH2__JWT_SECRET=$(gitea generate secret JWT_SECRET)
+      export GITEA__SERVER__LFS_JWT_SECRET=$(gitea generate secret LFS_JWT_SECRET)
 
       env2ini::log "...Initial secrets generated\n"
     }
-
+    
+    # save existing envs prior to script execution. Necessary to keep order of preexisting and custom envs
+    env | (grep GITEA || [[ $? == 1 ]]) > /tmp/existing-envs
+    
     # MUST BE CALLED BEFORE OTHER CONFIGURATION
     env2ini::generate_initial_secrets
 
     env2ini::load_config_sources '/env-to-ini-mounts/inlines/'
     env2ini::load_config_sources '/env-to-ini-mounts/additionals/'
 
+    # load existing envs to override auto generated envs
+    env2ini::reload_preset_envs
+
     env2ini::log "=== All configuration sources loaded ===\n"
 
     # safety to prevent rewrite of secret keys if an app.ini already exists
@@ -118,10 +193,12 @@ stringData:
       env2ini::log '  - security.INTERNAL_TOKEN'
       env2ini::log '  - security.SECRET_KEY'
       env2ini::log '  - oauth2.JWT_SECRET'
+      env2ini::log '  - server.LFS_JWT_SECRET'
 
-      unset ENV_TO_INI__SECURITY__INTERNAL_TOKEN
-      unset ENV_TO_INI__SECURITY__SECRET_KEY
-      unset ENV_TO_INI__OAUTH2__JWT_SECRET
+      unset GITEA__SECURITY__INTERNAL_TOKEN
+      unset GITEA__SECURITY__SECRET_KEY
+      unset GITEA__OAUTH2__JWT_SECRET
+      unset GITEA__SERVER__LFS_JWT_SECRET
     fi
 
-    environment-to-ini -o $GITEA_APP_INI -p ENV_TO_INI
+    environment-to-ini -o $GITEA_APP_INI

templates/gitea/extra-list.yaml

@@ -0,0 +1,8 @@
+{{- range .Values.extraDeploy }}
+---
+{{- if typeIs "string" . }}
+    {{- tpl . $ }}
+{{- else }}
+    {{- tpl (. | toYaml) $ }}
+{{- end }}
+{{- end }}

templates/gitea/gpg-secret.yaml

@@ -0,0 +1,16 @@
+{{- if .Values.signing.enabled -}}
+{{- if and (empty .Values.signing.privateKey) (empty .Values.signing.existingSecret) -}}
+  {{- fail "Either specify `signing.privateKey` or `signing.existingSecret`" -}}
+{{- end }}
+{{- if and (not (empty .Values.signing.privateKey)) (empty .Values.signing.existingSecret) -}}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "gitea.gpg-key-secret-name" . }}
+  labels:
+    {{- include "gitea.labels" . | nindent 4 }}
+type: Opaque
+data:
+  privateKey: {{ .Values.signing.privateKey | b64enc }}
+{{- end }}
+{{- end }}

templates/gitea/http-svc.yaml

@@ -21,6 +21,13 @@ spec:
   externalIPs:
     {{- toYaml .Values.service.http.externalIPs | nindent 4 }}
   {{- end }}
+  {{- if .Values.service.http.ipFamilyPolicy }}
+  ipFamilyPolicy: {{ .Values.service.http.ipFamilyPolicy }}
+  {{- end }}
+  {{- with .Values.service.http.ipFamilies }}
+  ipFamilies:
+  {{- toYaml . | nindent 4 }}
+  {{- end -}}
   {{- if .Values.service.http.externalTrafficPolicy }}
   externalTrafficPolicy: {{ .Values.service.http.externalTrafficPolicy }}
   {{- end }}

templates/gitea/ingress.yaml

@@ -15,10 +15,10 @@ metadata:
   name: {{ $fullName }}
   labels:
     {{- include "gitea.labels" . | nindent 4 }}
-  {{- with .Values.ingress.annotations }}
   annotations:
-    {{- toYaml . | nindent 4 }}
-  {{- end }}
+    {{- range $key, $value := .Values.ingress.annotations }}
+      {{ $key }}: {{ $value | quote }}
+    {{- end }}
 spec:
 {{- if .Values.ingress.className }}
   ingressClassName: {{ .Values.ingress.className }}
@@ -28,14 +28,14 @@ spec:
   {{- range .Values.ingress.tls }}
     - hosts:
       {{- range .hosts }}
-        - {{ . | quote }}
+        - {{ tpl . $ | quote }}
       {{- end }}
       secretName: {{ .secretName }}
   {{- end }}
 {{- end }}
   rules:
     {{- range .Values.ingress.hosts }}
-    - host: {{ .host | quote }}
+    - host: {{ tpl .host $ | quote }}
       http:
         paths:
           {{- range .paths }}