bump to gitea 1.21.3

### Description of the change

With https://github.com/go-gitea/gitea/pull/28390, Gitea 1.21.2 introduced warning log output within the result of `gitea admin <subcommand>` and therefore affects the current provisioning script.
That script previously assumed a clean result set and was therefore doomed to fail at _some_ point.

This introduces output sanitizing to trim such logs above the actual result table.

### Applicable issues

- fixes #589

### Additional information

The non-sanitized output were only an issue for admin account provisioning, and only when the username matched one of these words (in case of #589 it was `gitea`):
```text
.../setting/security.go:168:loadSecurityFrom() [W] Enabling Query API Auth tokens is not recommended. DISABLE_QUERY_AUTH_TOKEN will default to true in gitea 1.23 and will be removed in gitea 1.24.
```

LDAP and OAuth sources were not affected by this particular log line, but also processed non-sanitized result sets. Changing their code is a precaution.

Reviewed-on: https://gitea.com/gitea/helm-chart/pulls/590
Reviewed-by: pat-s <pat-s@noreply.gitea.com>
Co-authored-by: justusbunsi <sk.bunsenbrenner@gmail.com>
Co-committed-by: justusbunsi <sk.bunsenbrenner@gmail.com>

.gitea/workflows/release-version.yml

@@ -5,19 +5,29 @@ on:
     tags:
       - "*"
 
+env:
+  # renovate: datasource=docker depName=alpine/helm
+  HELM_VERSION: "3.13.2"
+
 jobs:
   generate-chart-publish:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - name: install tools
         run: |
           apt update -y
-          apt install -y curl
+          apt install -y curl ca-certificates curl gnupg
+          # helm
           curl https://baltocdn.com/helm/signing.asc | gpg --dearmor | tee /usr/share/keyrings/helm.gpg > /dev/null
           echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/helm.gpg] https://baltocdn.com/helm/stable/debian/ all main" | tee /etc/apt/sources.list.d/helm-stable-debian.list
+          # docker
+          install -m 0755 -d /etc/apt/keyrings
+          curl -fsSL https://download.docker.com/linux/debian/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg
+          chmod a+r /etc/apt/keyrings/docker.gpg
+          echo "deb [arch="$(dpkg --print-architecture)" signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian "$(. /etc/os-release && echo "$VERSION_CODENAME")" stable" | tee /etc/apt/sources.list.d/docker.list > /dev/null
           apt update -y
-          apt install -y python helm python3-pip apt-transport-https
+          apt install -y python helm=${{ env.HELM_VERSION }}-1 python3-pip apt-transport-https docker-ce-cli
           pip install awscli
 
       - name: Import GPG key
@@ -31,15 +41,20 @@ jobs:
       # Using helm gpg plugin as 'helm package --sign' has issues with gpg2: https://github.com/helm/helm/issues/2843
       - name: package chart
         run: |
+          echo ${{ secrets.DOCKER_CHARTS_PASSWORD }} | docker login -u ${{ secrets.DOCKER_CHARTS_USERNAME }} --password-stdin
           # FIXME: use upstream after https://github.com/technosophos/helm-gpg/issues/1 is solved
           helm plugin install https://github.com/pat-s/helm-gpg
-          helm dependency update
+          helm dependency build
           helm package --version "${GITHUB_REF#refs/tags/v}" ./
           helm gpg sign "gitea-${GITHUB_REF#refs/tags/v}.tgz"
           mkdir gitea
           mv gitea*.tgz gitea/
-          curl -L -o gitea/index.yaml https://dl.gitea.com/charts/index.yaml
+          curl -s -L -o gitea/index.yaml https://dl.gitea.com/charts/index.yaml
           helm repo index gitea/ --url https://dl.gitea.com/charts --merge gitea/index.yaml
+          # push to dockerhub
+          echo ${{ secrets.DOCKER_CHARTS_PASSWORD }} | helm registry login -u ${{ secrets.DOCKER_CHARTS_USERNAME }} registry-1.docker.io --password-stdin
+          helm push gitea/gitea-${GITHUB_REF#refs/tags/v}.tgz oci://registry-1.docker.io/giteacharts
+          helm registry logout registry-1.docker.io
 
       - name: aws credential configure
         uses: https://github.com/aws-actions/configure-aws-credentials@v2

.gitea/workflows/test-pr.yml

@@ -1,32 +1,37 @@
 name: check-and-test
 
 on:
-  - pull_request
+  pull_request:
+    branches:
+      - "*"
+  push:
+    branches:
+      - main
+      - "renovate/**"
+
+env:
+  # renovate: datasource=github-releases depName=helm-unittest/helm-unittest
+  HELM_UNITTEST_VERSION: "v0.3.6"
 
 jobs:
   check-and-test:
     runs-on: ubuntu-latest
+    container: alpine/helm:3.13.2
     steps:
-      - uses: actions/checkout@v3
       - name: install tools
         run: |
-          apt update -y
-          apt install -y curl make
-          curl https://baltocdn.com/helm/signing.asc | gpg --dearmor | tee /usr/share/keyrings/helm.gpg > /dev/null
-          echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/helm.gpg] https://baltocdn.com/helm/stable/debian/ all main" | tee /etc/apt/sources.list.d/helm-stable-debian.list
-          apt update -y
-          apt install -y helm python3-pip
-          pip install yamllint
-      - name: dependency update
-        run: helm dependency update
+          apk update
+          apk add --update make nodejs npm yamllint
+      - uses: actions/checkout@v4
+      - name: install chart dependencies
+        run: helm dependency build
       - name: lint
         run: helm lint
       - name: template
-        run: |
-          helm template --debug gitea-helm .
+        run: helm template --debug gitea-helm .
       - name: unit tests
         run: |
-          helm plugin install --version 0.3.3 https://github.com/helm-unittest/helm-unittest
+          helm plugin install --version ${{ env.HELM_UNITTEST_VERSION }} https://github.com/helm-unittest/helm-unittest
           make unittests
       - name: verify readme
         run: |

.vscode/extensions.json

@@ -0,0 +1,8 @@
+{
+    "recommendations": [
+        "yzhang.markdown-all-in-one",
+        "DavidAnson.vscode-markdownlint",
+        "Tim-Koehler.helm-intellisense",
+        "esbenp.prettier-vscode"
+    ]
+  }

.vscode/settings.json

@@ -0,0 +1,8 @@
+{
+    "yaml.schemas": {
+        "https://raw.githubusercontent.com/helm-unittest/helm-unittest/v0.3.6/schema/helm-testsuite.json": [
+            "/unittests/**/*.yaml"
+        ]
+    },
+    "yaml.schemaStore.enable": true
+}

CONTRIBUTING.md

@@ -9,12 +9,7 @@ refactorings for easier maintainability or documentation improvements.
 - [`helm`](https://helm.sh/docs/intro/install/)
 - `make` is optional; you may call the commands directly
 
-When using Visual Studio Code as IDE, following plugins might be useful:
-
-- [Markdown All in One](https://marketplace.visualstudio.com/items?itemName=yzhang.markdown-all-in-one)
-- [markdownlint](https://marketplace.visualstudio.com/items?itemName=DavidAnson.vscode-markdownlint)
-- [Helm Intellisense](https://marketplace.visualstudio.com/items?itemName=Tim-Koehler.helm-intellisense)
-- [Prettier - Code formatter](https://marketplace.visualstudio.com/items?itemName=esbenp.prettier-vscode)
+When using Visual Studio Code as IDE, a [ready-to-use profile](.vscode/) is available.
 
 ## Documentation Requirements
 
@@ -61,7 +56,7 @@ $ helm plugin install https://github.com/helm-unittest/helm-unittest
 make unittests
 ```
 
-See [plugin documentation](https://github.com/helm-unittest/helm-unittest/blob/v0.3.3/DOCUMENT.md) for usage instructions.
+See [plugin documentation](https://github.com/helm-unittest/helm-unittest/blob/main/DOCUMENT.md) for usage instructions.
 
 ## Release process
 

Chart.lock

@@ -1,12 +1,12 @@
 dependencies:
 - name: postgresql
   repository: oci://registry-1.docker.io/bitnamicharts
-  version: 12.6.6
+  version: 13.2.24
 - name: postgresql-ha
   repository: oci://registry-1.docker.io/bitnamicharts
-  version: 11.7.9
+  version: 12.3.3
 - name: redis-cluster
   repository: oci://registry-1.docker.io/bitnamicharts
-  version: 8.6.9
-digest: sha256:52296a48610712a8eb69a32b1b5818b014bfb8dac79d883e11ebdaf97d41e85d
-generated: "2023-07-17T21:24:06.888357+02:00"
+  version: 9.1.3
+digest: sha256:c4ae8a7ddfb6670acc7f39d5728a0929f6c7666d32459229b5e4e66b19749677
+generated: "2023-12-17T00:11:27.841588235Z"

Chart.yaml

@@ -3,7 +3,7 @@ name: gitea
 description: Gitea Helm chart for Kubernetes
 type: application
 version: 0.0.0
-appVersion: 1.20.3
+appVersion: 1.21.3
 icon: https://gitea.com/assets/img/logo.svg
 
 keywords:
@@ -33,18 +33,18 @@ maintainers:
 
 # Bitnami charts are served from GitHub CDN - See https://github.com/bitnami/charts/issues/10539 for details
 dependencies:
-  # Chart release date: 2023-07 (https://github.com/bitnami/charts/blob/main/bitnami/postgresql/Chart.yaml)
+  # https://github.com/bitnami/charts/blob/main/bitnami/postgresql
   - name: postgresql
     repository: oci://registry-1.docker.io/bitnamicharts
-    version: 12.6.6
+    version: 13.2.24
     condition: postgresql.enabled
-  # Chart release date: 2023-07 (https://github.com/bitnami/charts/blob/main/bitnami/postgresql-ha/Chart.yaml)
+  # https://github.com/bitnami/charts/blob/main/bitnami/postgresql-ha/Chart.yaml
   - name: postgresql-ha
     repository: oci://registry-1.docker.io/bitnamicharts
-    version: 11.7.9
+    version: 12.3.3
     condition: postgresql-ha.enabled
-  # Chart release date: 2023-07 (https://github.com/bitnami/charts/blob/main/bitnami/redis-cluster/Chart.yaml)
+  # https://github.com/bitnami/charts/blob/main/bitnami/redis-cluster/Chart.yaml
   - name: redis-cluster
     repository: oci://registry-1.docker.io/bitnamicharts
-    version: 8.6.9
+    version: 9.1.3
     condition: redis-cluster.enabled

Makefile

@@ -9,7 +9,7 @@ readme: prepare-environment
 
 .PHONY: unittests
 unittests:
-	helm unittest --strict -f 'unittests/**/*.yaml' ./
+	helm unittest --strict -f 'unittests/**/*.yaml' -f 'unittests/dependency-major-image-check.yaml' ./
 
 .PHONY: helm
 update-helm-dependencies:

docs/ha-setup.md

@@ -1,7 +1,5 @@
 # High Availability
 
-⚠️ **EXPERIMENTAL** ⚠️
-
 All components (in-memory DB, volume/asset storage, code indexer) used by Gitea must be deployed in a HA-ready fashion to achieve a full HA-ready Gitea deployment.
 The following document explains how to achieve this for all individual components.
 
@@ -97,6 +95,11 @@ To do so, you need to set the following configuration values yourself:
 - `gitea.config.cache.ADAPTER`: `redis`
 - `gitea.config.cache.HOST`: `<your redis connection string>`
 
+By default, the `redis-cluster` chart provisions three standalone master nodes of which each has a single replica.
+To reduce the number of pods for a default Gitea deployment, we opted to omit the replicas (`replicas: 0`) by default.
+Only the minimum required number of master pods for a functional `redis-cluster` deployment are provisioned.
+For a "proper" `redis-cluster` setup however, we recommend to set `replicas: 1` and `nodes: 6`.
+
 ## Object and asset storage
 
 Object/asset storage refers to the storage of attachments, avatars, LFS files, etc.

package-lock.json

@@ -8,7 +8,7 @@
       "license": "MIT",
       "devDependencies": {
         "@bitnami/readme-generator-for-helm": "^2.5.0",
-        "markdownlint-cli": "^0.34.0"
+        "markdownlint-cli": "^0.38.0"
       },
       "engines": {
         "node": ">=16.0.0",
@@ -16,9 +16,9 @@
       }
     },
     "node_modules/@bitnami/readme-generator-for-helm": {
-      "version": "2.5.0",
-      "resolved": "https://registry.npmjs.org/@bitnami/readme-generator-for-helm/-/readme-generator-for-helm-2.5.0.tgz",
-      "integrity": "sha512-bYggL/kWwyxjctSrIBMOcrTQSj8LA3yYcEzfGTJIFoHKl5M7ifZtox//8G5K3FTw6qdOnPZcA10fl2y4N6uB/g==",
+      "version": "2.6.0",
+      "resolved": "https://registry.npmjs.org/@bitnami/readme-generator-for-helm/-/readme-generator-for-helm-2.6.0.tgz",
+      "integrity": "sha512-LcByNCryaC2OJExL9rnhyFJ18+vrZu1gVoN2Z7j/HI42EjV4kLgT4G1KEPNnrKbls9HvozBqMG+sKZIDh0McFg==",
       "dev": true,
       "dependencies": {
         "commander": "^7.1.0",
@@ -261,9 +261,9 @@
       }
     },
     "node_modules/ignore": {
-      "version": "5.2.4",
-      "resolved": "https://registry.npmjs.org/ignore/-/ignore-5.2.4.tgz",
-      "integrity": "sha512-MAb38BcSbH0eHNBxn7ql2NH/kX33OkB3lZ1BNdh7ENeRChHTYsTvWrMubiIAMNS2llXEEgZ1MUOBtXChP3kaFQ==",
+      "version": "5.3.0",
+      "resolved": "https://registry.npmjs.org/ignore/-/ignore-5.3.0.tgz",
+      "integrity": "sha512-g7dmpshy+gD7mh88OC9NwSGTKoc3kyLAZQRU1mt53Aw/vnvfXnbC+F/7F7QoYVKbV+KNvJx8wArewKy1vXMtlg==",
       "dev": true,
       "engines": {
         "node": ">= 4"
@@ -286,12 +286,12 @@
       "dev": true
     },
     "node_modules/ini": {
-      "version": "3.0.1",
-      "resolved": "https://registry.npmjs.org/ini/-/ini-3.0.1.tgz",
-      "integrity": "sha512-it4HyVAUTKBc6m8e1iXWvXSTdndF7HbdN713+kvLrymxTaU4AUBWrJ4vEooP+V7fexnVD3LKcBshjGGPefSMUQ==",
+      "version": "4.1.1",
+      "resolved": "https://registry.npmjs.org/ini/-/ini-4.1.1.tgz",
+      "integrity": "sha512-QQnnxNyfvmHFIsj7gkPcYymR8Jdw/o7mp5ZFihxn6h8Ci6fh3Dx4E1gPjpQEpIuPo9XVNY/ZUwh4BPMjGyL01g==",
       "dev": true,
       "engines": {
-        "node": "^12.13.0 || ^14.15.0 || >=16.0.0"
+        "node": "^14.17.0 || ^16.13.0 || >=18.0.0"
       }
     },
     "node_modules/is-fullwidth-code-point": {
@@ -310,9 +310,9 @@
       "dev": true
     },
     "node_modules/jackspeak": {
-      "version": "2.2.0",
-      "resolved": "https://registry.npmjs.org/jackspeak/-/jackspeak-2.2.0.tgz",
-      "integrity": "sha512-r5XBrqIJfwRIjRt/Xr5fv9Wh09qyhHfKnYddDlpM+ibRR20qrYActpCAgU6U+d53EOEjzkvxPMVHSlgR7leXrQ==",
+      "version": "2.3.6",
+      "resolved": "https://registry.npmjs.org/jackspeak/-/jackspeak-2.3.6.tgz",
+      "integrity": "sha512-N3yCS/NegsOBokc8GAdM8UcmfsKiSS8cipheD/nivzr700H+nsMOxJjQnvwOcRYVuFkdH0wGUvW2WbXGmrZGbQ==",
       "dev": true,
       "dependencies": {
         "@isaacs/cliui": "^8.0.2"
@@ -370,9 +370,9 @@
       }
     },
     "node_modules/markdown-it": {
-      "version": "13.0.1",
-      "resolved": "https://registry.npmjs.org/markdown-it/-/markdown-it-13.0.1.tgz",
-      "integrity": "sha512-lTlxriVoy2criHP0JKRhO2VDG9c2ypWCsT237eDiLqi09rmbKoUetyGHq2uOIRoRS//kfoJckS0eUzzkDR+k2Q==",
+      "version": "13.0.2",
+      "resolved": "https://registry.npmjs.org/markdown-it/-/markdown-it-13.0.2.tgz",
+      "integrity": "sha512-FtwnEuuK+2yVU7goGn/MJ0WBZMM9ZPgU9spqlFs7/A/pDIUNSOQZhUgOqYCficIuR2QaFnrt8LHqBWsbTAoI5w==",
       "dev": true,
       "dependencies": {
         "argparse": "^2.0.1",
@@ -399,39 +399,42 @@
       }
     },
     "node_modules/markdownlint": {
-      "version": "0.28.2",
-      "resolved": "https://registry.npmjs.org/markdownlint/-/markdownlint-0.28.2.tgz",
-      "integrity": "sha512-yYaQXoKKPV1zgrFsyAuZPEQoe+JrY9GDag9ObKpk09twx4OCU5lut+0/kZPrQ3W7w82SmgKhd7D8m34aG1unVw==",
+      "version": "0.32.1",
+      "resolved": "https://registry.npmjs.org/markdownlint/-/markdownlint-0.32.1.tgz",
+      "integrity": "sha512-3sx9xpi4xlHlokGyHO9k0g3gJbNY4DI6oNEeEYq5gQ4W7UkiJ90VDAnuDl2U+yyXOUa6BX+0gf69ZlTUGIBp6A==",
       "dev": true,
       "dependencies": {
-        "markdown-it": "13.0.1",
-        "markdownlint-micromark": "0.1.2"
+        "markdown-it": "13.0.2",
+        "markdownlint-micromark": "0.1.7"
       },
       "engines": {
-        "node": ">=14.18.0"
+        "node": ">=18"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/DavidAnson"
       }
     },
     "node_modules/markdownlint-cli": {
-      "version": "0.34.0",
-      "resolved": "https://registry.npmjs.org/markdownlint-cli/-/markdownlint-cli-0.34.0.tgz",
-      "integrity": "sha512-4G9I++VBTZkaye6Yfc/7dU6HQHcyldZEVB+bYyQJLcpJOHKk/q5ZpGqK80oKMIdlxzsA3aWOJLZ4DkoaoUWXbQ==",
+      "version": "0.38.0",
+      "resolved": "https://registry.npmjs.org/markdownlint-cli/-/markdownlint-cli-0.38.0.tgz",
+      "integrity": "sha512-qkZRKJ4LVq6CJIkRIuJsEHvhWhm+FP0E7yhHvOMrrgdykgFWNYD4wuhZTjvigbJLTKPooP79yPiUDDZBCBI5JA==",
       "dev": true,
       "dependencies": {
-        "commander": "~10.0.1",
+        "commander": "~11.1.0",
         "get-stdin": "~9.0.0",
-        "glob": "~10.2.2",
-        "ignore": "~5.2.4",
+        "glob": "~10.3.10",
+        "ignore": "~5.3.0",
         "js-yaml": "^4.1.0",
         "jsonc-parser": "~3.2.0",
-        "markdownlint": "~0.28.2",
-        "minimatch": "~9.0.0",
-        "run-con": "~1.2.11"
+        "markdownlint": "~0.32.1",
+        "minimatch": "~9.0.3",
+        "run-con": "~1.3.2"
       },
       "bin": {
         "markdownlint": "markdownlint.js"
       },
       "engines": {
-        "node": ">=14"
+        "node": ">=18"
       }
     },
     "node_modules/markdownlint-cli/node_modules/brace-expansion": {
@@ -444,28 +447,28 @@
       }
     },
     "node_modules/markdownlint-cli/node_modules/commander": {
-      "version": "10.0.1",
-      "resolved": "https://registry.npmjs.org/commander/-/commander-10.0.1.tgz",
-      "integrity": "sha512-y4Mg2tXshplEbSGzx7amzPwKKOCGuoSRP/CjEdwwk0FOGlUbq6lKuoyDZTNZkmxHdJtp54hdfY/JUrdL7Xfdug==",
+      "version": "11.1.0",
+      "resolved": "https://registry.npmjs.org/commander/-/commander-11.1.0.tgz",
+      "integrity": "sha512-yPVavfyCcRhmorC7rWlkHn15b4wDVgVmBA7kV4QVBsF7kv/9TKJAbAXVTxvTnwP8HHKjRCJDClKbciiYS7p0DQ==",
       "dev": true,
       "engines": {
-        "node": ">=14"
+        "node": ">=16"
       }
     },
     "node_modules/markdownlint-cli/node_modules/glob": {
-      "version": "10.2.2",
-      "resolved": "https://registry.npmjs.org/glob/-/glob-10.2.2.tgz",
-      "integrity": "sha512-Xsa0BcxIC6th9UwNjZkhrMtNo/MnyRL8jGCP+uEwhA5oFOCY1f2s1/oNKY47xQ0Bg5nkjsfAEIej1VeH62bDDQ==",
+      "version": "10.3.10",
+      "resolved": "https://registry.npmjs.org/glob/-/glob-10.3.10.tgz",
+      "integrity": "sha512-fa46+tv1Ak0UPK1TOy/pZrIybNNt4HCv7SDzwyfiOZkvZLEbjsZkJBPtDHVshZjbecAoAGSC20MjLDG/qr679g==",
       "dev": true,
       "dependencies": {
         "foreground-child": "^3.1.0",
-        "jackspeak": "^2.0.3",
-        "minimatch": "^9.0.0",
-        "minipass": "^5.0.0",
-        "path-scurry": "^1.7.0"
+        "jackspeak": "^2.3.5",
+        "minimatch": "^9.0.1",
+        "minipass": "^5.0.0 || ^6.0.2 || ^7.0.0",
+        "path-scurry": "^1.10.1"
       },
       "bin": {
-        "glob": "dist/cjs/src/bin.js"
+        "glob": "dist/esm/bin.mjs"
       },
       "engines": {
         "node": ">=16 || 14 >=14.17"
@@ -475,9 +478,9 @@
       }
     },
     "node_modules/markdownlint-cli/node_modules/minimatch": {
-      "version": "9.0.0",
-      "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-9.0.0.tgz",
-      "integrity": "sha512-0jJj8AvgKqWN05mrwuqi8QYKx1WmYSUoKSxu5Qhs9prezTz10sxAHGNZe9J9cqIJzta8DWsleh2KaVaLl6Ru2w==",
+      "version": "9.0.3",
+      "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-9.0.3.tgz",
+      "integrity": "sha512-RHiac9mvaRw0x3AYRgDC1CxAP7HTcNrrECeA8YYJeWnpo+2Q5CegtZjaotWTWxDG3UeGA1coE05iH1mPjT/2mg==",
       "dev": true,
       "dependencies": {
         "brace-expansion": "^2.0.1"
@@ -490,12 +493,12 @@
       }
     },
     "node_modules/markdownlint-micromark": {
-      "version": "0.1.2",
-      "resolved": "https://registry.npmjs.org/markdownlint-micromark/-/markdownlint-micromark-0.1.2.tgz",
-      "integrity": "sha512-jRxlQg8KpOfM2IbCL9RXM8ZiYWz2rv6DlZAnGv8ASJQpUh6byTBnEsbuMZ6T2/uIgntyf7SKg/mEaEBo1164fQ==",
+      "version": "0.1.7",
+      "resolved": "https://registry.npmjs.org/markdownlint-micromark/-/markdownlint-micromark-0.1.7.tgz",
+      "integrity": "sha512-BbRPTC72fl5vlSKv37v/xIENSRDYL/7X/XoFzZ740FGEbs9vZerLrIkFRY0rv7slQKxDczToYuMmqQFN61fi4Q==",
       "dev": true,
       "engines": {
-        "node": ">=14.18.0"
+        "node": ">=16"
       }
     },
     "node_modules/mdurl": {
@@ -562,13 +565,13 @@
       }
     },
     "node_modules/path-scurry": {
-      "version": "1.7.0",
-      "resolved": "https://registry.npmjs.org/path-scurry/-/path-scurry-1.7.0.tgz",
-      "integrity": "sha512-UkZUeDjczjYRE495+9thsgcVgsaCPkaw80slmfVFgllxY+IO8ubTsOpFVjDPROBqJdHfVPUFRHPBV/WciOVfWg==",
+      "version": "1.10.1",
+      "resolved": "https://registry.npmjs.org/path-scurry/-/path-scurry-1.10.1.tgz",
+      "integrity": "sha512-MkhCqzzBEpPvxxQ71Md0b1Kk51W01lrYvlMzSUaIzNsODdd7mqhiimSZlr+VegAz5Z6Vzt9Xg2ttE//XBhH3EQ==",
       "dev": true,
       "dependencies": {
-        "lru-cache": "^9.0.0",
-        "minipass": "^5.0.0"
+        "lru-cache": "^9.1.1 || ^10.0.0",
+        "minipass": "^5.0.0 || ^6.0.2 || ^7.0.0"
       },
       "engines": {
         "node": ">=16 || 14 >=14.17"
@@ -587,14 +590,14 @@
       }
     },
     "node_modules/run-con": {
-      "version": "1.2.11",
-      "resolved": "https://registry.npmjs.org/run-con/-/run-con-1.2.11.tgz",
-      "integrity": "sha512-NEMGsUT+cglWkzEr4IFK21P4Jca45HqiAbIIZIBdX5+UZTB24Mb/21iNGgz9xZa8tL6vbW7CXmq7MFN42+VjNQ==",
+      "version": "1.3.2",
+      "resolved": "https://registry.npmjs.org/run-con/-/run-con-1.3.2.tgz",
+      "integrity": "sha512-CcfE+mYiTcKEzg0IqS08+efdnH0oJ3zV0wSUFBNrMHMuxCtXvBCLzCJHatwuXDcu/RlhjTziTo/a1ruQik6/Yg==",
       "dev": true,
       "dependencies": {
         "deep-extend": "^0.6.0",
-        "ini": "~3.0.0",
-        "minimist": "^1.2.6",
+        "ini": "~4.1.0",
+        "minimist": "^1.2.8",
         "strip-json-comments": "~3.1.1"
       },
       "bin": {

package.json

@@ -14,6 +14,6 @@
   },
   "devDependencies": {
     "@bitnami/readme-generator-for-helm": "^2.5.0",
-    "markdownlint-cli": "^0.34.0"
+    "markdownlint-cli": "^0.38.0"
   }
 }

renovate.json5

@@ -0,0 +1,60 @@
+{
+  $schema: 'https://docs.renovatebot.com/renovate-schema.json',
+  extends: [
+    'gitea>gitea/renovate-config',
+    ':automergeMinor',
+    'schedule:automergeDaily',
+    'schedule:weekends',
+  ],
+  labels: [
+    'kind/dependency',
+  ],
+  automergeStrategy: 'squash',
+  customManagers: [
+    {
+      description: 'Gitea-version of https://docs.renovatebot.com/presets-regexManagers/#regexmanagersgithubactionsversions',
+      customType: 'regex',
+      fileMatch: [
+        '.gitea/workflows/.+\\.ya?ml$',
+      ],
+      matchStrings: [
+        '# renovate: datasource=(?<datasource>[a-z-.]+?) depName=(?<depName>[^\\s]+?)(?: (?:lookupName|packageName)=(?<packageName>[^\\s]+?))?(?: versioning=(?<versioning>[a-z-0-9]+?))?\\s+[A-Za-z0-9_]+?_VERSION\\s*:\\s*["\']?(?<currentValue>.+?)["\']?\\s',
+      ],
+    },
+    {
+      description: 'Detect helm-unittest yaml schema file',
+      customType: 'regex',
+      fileMatch: ['.vscode/settings\\.json$'],
+      matchStrings: [
+        'https:\\/\\/raw\\.githubusercontent\\.com\\/(?<depName>[^\\s]+?)\\/(?<currentValue>v[0-9.]+?)\\/schema\\/helm-testsuite\\.json',
+      ],
+      datasourceTemplate: 'github-releases',
+    },
+  ],
+  packageRules: [
+    {
+      groupName: 'subcharts (minor & patch)',
+      matchManagers: [
+        'helmv3',
+      ],
+      matchUpdateTypes: [
+        'minor',
+        'patch',
+        'digest',
+      ],
+    },
+    {
+      groupName: 'workflow dependencies (minor & patch)',
+      matchManagers: [
+        'github-actions',
+        'npm',
+        'custom.regex',
+      ],
+      matchUpdateTypes: [
+        'minor',
+        'patch',
+        'digest',
+      ],
+    },
+  ],
+}

templates/NOTES.txt

@@ -18,3 +18,19 @@
   echo "Visit http://127.0.0.1:{{ .Values.service.http.port }} to use your application"
   kubectl --namespace {{ .Release.Namespace }} port-forward svc/{{ .Release.Name }}-http {{ .Values.service.http.port }}:{{ .Values.service.http.port }}
 {{- end }}
+{{- $warnings := list -}}
+{{- if eq (get .Values.gitea.config.cache "ADAPTER") "memory" -}}
+  {{- $warnings = append $warnings "Gitea uses 'memory' for caching which is not recommended for production use. See https://docs.gitea.com/next/administration/config-cheat-sheet#cache-cache for available options." -}}
+{{- end }}
+{{- if eq (get .Values.gitea.config.queue "TYPE") "level" -}}
+  {{- $warnings = append $warnings "Gitea uses 'leveldb' for queue actions which is not recommended for production use. See https://docs.gitea.com/next/administration/config-cheat-sheet#queue-queue-and-queue for available options." -}}
+{{- end }}
+{{- if eq (get .Values.gitea.config.session "PROVIDER") "memory" -}}
+  {{- $warnings = append $warnings "Gitea uses 'memory' for sessions which is not recommended for production use. See https://docs.gitea.com/next/administration/config-cheat-sheet#session-session for available options." -}}
+{{- end }}
+{{- if gt (len $warnings) 0 }}
+2. Review these warnings:
+{{- range $warnings }}
+  - {{ . }}
+{{- end }}
+{{- end }}

templates/_helpers.tpl

@@ -56,14 +56,22 @@ Create chart name and version as used by the chart label.
 Create image name and tag used by the deployment.
 */}}
 {{- define "gitea.image" -}}
+{{- $fullOverride := .Values.image.fullOverride | default "" -}}
 {{- $registry := .Values.global.imageRegistry | default .Values.image.registry -}}
-{{- $name := .Values.image.repository -}}
+{{- $repository := .Values.image.repository -}}
+{{- $separator := ":" -}}
 {{- $tag := .Values.image.tag | default .Chart.AppVersion -}}
 {{- $rootless := ternary "-rootless" "" (.Values.image.rootless) -}}
-{{- if $registry -}}
-  {{- printf "%s/%s:%s%s" $registry $name $tag $rootless -}}
+{{- $digest := "" -}}
+{{- if .Values.image.digest }}
+    {{- $digest = (printf "@%s" (.Values.image.digest | toString)) -}}
+{{- end -}}
+{{- if $fullOverride }}
+    {{- printf "%s" $fullOverride -}}
+{{- else if $registry }}
+    {{- printf "%s/%s%s%s%s%s" $registry $repository $separator $tag $rootless $digest -}}
 {{- else -}}
-  {{- printf "%s:%s%s" $name $tag $rootless -}}
+    {{- printf "%s%s%s%s%s" $repository $separator $tag $rootless $digest -}}
 {{- end -}}
 {{- end -}}
 
@@ -114,7 +122,7 @@ app.kubernetes.io/instance: {{ .Release.Name }}
 
 {{- define "postgresql-ha.dns" -}}
 {{- if (index .Values "postgresql-ha").enabled -}}
-{{- printf "%s-postgresql-ha-postgresql.%s.svc.%s:%g" .Release.Name .Release.Namespace .Values.clusterDomain (index .Values "postgresql-ha" "service" "ports" "postgresql") -}}
+{{- printf "%s-postgresql-ha-pgpool.%s.svc.%s:%g" .Release.Name .Release.Namespace .Values.clusterDomain (index .Values "postgresql-ha" "service" "ports" "postgresql") -}}
 {{- end -}}
 {{- end -}}
 
@@ -143,7 +151,7 @@ app.kubernetes.io/instance: {{ .Release.Name }}
 {{- end -}}
 
 {{- define "gitea.default_domain" -}}
-{{- printf "%s-gitea.%s.svc.%s" (include "gitea.fullname" .) .Release.Namespace .Values.clusterDomain | trunc 63 | trimSuffix "-" -}}
+{{- printf "%s-http.%s.svc.%s" (include "gitea.fullname" .) .Release.Namespace .Values.clusterDomain -}}
 {{- end -}}
 
 {{- define "gitea.ldap_settings" -}}
@@ -282,23 +290,33 @@ https
   {{- if not (hasKey .Values.gitea.config.metrics "ENABLED") -}}
     {{- $_ := set .Values.gitea.config.metrics "ENABLED" .Values.gitea.metrics.enabled -}}
   {{- end -}}
-  {{- if (index .Values "redis-cluster").enabled -}}
-    {{- $_ := set .Values.gitea.config.cache "ENABLED" "true" -}}
-    {{- $_ := set .Values.gitea.config.cache "ADAPTER" "redis" -}}
-    {{- if not (.Values.gitea.config.cache.HOST) -}}
-      {{- $_ := set .Values.gitea.config.cache "HOST" (include "redis.dns" .) -}}
-    {{- end -}}
-  {{- end -}}
   {{- /* redis queue */ -}}
   {{- if (index .Values "redis-cluster").enabled -}}
     {{- $_ := set .Values.gitea.config.queue "TYPE" "redis" -}}
     {{- $_ := set .Values.gitea.config.queue "CONN_STR" (include "redis.dns" .) -}}
-  {{- end -}}
-  {{- if not (get .Values.gitea.config.session "PROVIDER") -}}
     {{- $_ := set .Values.gitea.config.session "PROVIDER" "redis" -}}
-  {{- end -}}
-  {{- if not (get .Values.gitea.config.session "PROVIDER_CONFIG") -}}
     {{- $_ := set .Values.gitea.config.session "PROVIDER_CONFIG" (include "redis.dns" .) -}}
+    {{- $_ := set .Values.gitea.config.cache "ADAPTER" "redis" -}}
+    {{- $_ := set .Values.gitea.config.cache "HOST" (include "redis.dns" .) -}}
+  {{- else -}}
+    {{- if not (get .Values.gitea.config.session "PROVIDER") -}}
+      {{- $_ := set .Values.gitea.config.session "PROVIDER" "memory" -}}
+    {{- end -}}
+    {{- if not (get .Values.gitea.config.session "PROVIDER_CONFIG") -}}
+      {{- $_ := set .Values.gitea.config.session "PROVIDER_CONFIG" "" -}}
+    {{- end -}}
+    {{- if not (get .Values.gitea.config.queue "TYPE") -}}
+      {{- $_ := set .Values.gitea.config.queue "TYPE" "level" -}}
+    {{- end -}}
+    {{- if not (get .Values.gitea.config.queue "CONN_STR") -}}
+      {{- $_ := set .Values.gitea.config.queue "CONN_STR" "" -}}
+    {{- end -}}
+    {{- if not (get .Values.gitea.config.cache "ADAPTER") -}}
+      {{- $_ := set .Values.gitea.config.cache "ADAPTER" "memory" -}}
+    {{- end -}}
+    {{- if not (get .Values.gitea.config.cache "HOST") -}}
+      {{- $_ := set .Values.gitea.config.cache "HOST" "" -}}
+    {{- end -}}
   {{- end -}}
   {{- if not .Values.gitea.config.indexer.ISSUE_INDEXER_TYPE -}}
      {{- $_ := set .Values.gitea.config.indexer "ISSUE_INDEXER_TYPE" "db" -}}
@@ -314,7 +332,7 @@ https
   {{- end -}}
   {{- if not (.Values.gitea.config.server.DOMAIN) -}}
     {{- if gt (len .Values.ingress.hosts) 0 -}}
-      {{- $_ := set .Values.gitea.config.server "DOMAIN" (index .Values.ingress.hosts 0).host -}}
+      {{- $_ := set .Values.gitea.config.server "DOMAIN" ( tpl (index .Values.ingress.hosts 0).host $) -}}
     {{- else -}}
       {{- $_ := set .Values.gitea.config.server "DOMAIN" (include "gitea.default_domain" .) -}}
     {{- end -}}

templates/gitea/config.yaml

@@ -174,7 +174,7 @@ stringData:
     }
     
     # save existing envs prior to script execution. Necessary to keep order of preexisting and custom envs
-    env | (grep GITEA || [[ $? == 1 ]]) > /tmp/existing-envs
+    env | (grep -e '^GITEA__' || [[ $? == 1 ]]) > /tmp/existing-envs
     
     # MUST BE CALLED BEFORE OTHER CONFIGURATION
     env2ini::generate_initial_secrets

templates/gitea/ingress.yaml

@@ -15,10 +15,10 @@ metadata:
   name: {{ $fullName }}
   labels:
     {{- include "gitea.labels" . | nindent 4 }}
-  {{- with .Values.ingress.annotations }}
   annotations:
-    {{- toYaml . | nindent 4 }}
-  {{- end }}
+    {{- range $key, $value := .Values.ingress.annotations }}
+      {{ $key }}: {{ $value | quote }}
+    {{- end }}
 spec:
 {{- if .Values.ingress.className }}
   ingressClassName: {{ .Values.ingress.className }}
@@ -28,14 +28,14 @@ spec:
   {{- range .Values.ingress.tls }}
     - hosts:
       {{- range .hosts }}
-        - {{ . | quote }}
+        - {{ tpl . $ | quote }}
       {{- end }}
       secretName: {{ .secretName }}
   {{- end }}
 {{- end }}
   rules:
     {{- range .Values.ingress.hosts }}
-    - host: {{ .host | quote }}
+    - host: {{ tpl .host $ | quote }}
       http:
         paths:
           {{- range .paths }}

templates/gitea/init.yaml

@@ -86,7 +86,28 @@ stringData:
 
     {{- if or .Values.gitea.admin.existingSecret (and .Values.gitea.admin.username .Values.gitea.admin.password) }}
     function configure_admin_user() {
-      local ACCOUNT_ID=$(gitea admin user list --admin | grep -e "\s\+${GITEA_ADMIN_USERNAME}\s\+" | awk -F " " "{printf \$1}")
+      local full_admin_list=$(gitea admin user list --admin)
+      local actual_user_table=''
+
+      # We might have distorted output due to warning logs, so we have to detect the actual user table by its headline and trim output above that line
+      local regex="(.*)(ID\s+Username\s+Email\s+IsActive.*)"
+      if [[ "${full_admin_list}" =~ $regex ]]; then
+        actual_user_table=$(echo "${BASH_REMATCH[2]}" | tail -n+2) # tail'ing to drop the table headline
+      else
+        # This code block should never be reached, as long as the output table header remains the same.
+        # If this code block is reached, the regex doesn't match anymore and we probably have to adjust this script.
+
+        echo "ERROR: 'configure_admin_user' was not able to determine the current list of admin users."
+        echo "       Please review the output of 'gitea admin user list --admin' shown below."
+        echo "       If you think it is an issue with the Helm Chart provisioning, file an issue at https://gitea.com/gitea/helm-chart/issues."
+        echo "DEBUG: Output of 'gitea admin user list --admin'"
+        echo "--"
+        echo "${full_admin_list}"
+        echo "--"
+        exit 1
+      fi
+
+      local ACCOUNT_ID=$(echo "${actual_user_table}" | grep -E "\s+${GITEA_ADMIN_USERNAME}\s+" | awk -F " " "{printf \$1}")
       if [[ -z "${ACCOUNT_ID}" ]]; then
         echo "No admin user '${GITEA_ADMIN_USERNAME}' found. Creating now..."
         gitea admin user create --admin --username "${GITEA_ADMIN_USERNAME}" --password "${GITEA_ADMIN_PASSWORD}" --email {{ .Values.gitea.admin.email | quote }} --must-change-password=false
@@ -105,7 +126,28 @@ stringData:
       {{- if .Values.gitea.ldap }}
       {{- range $idx, $value := .Values.gitea.ldap }}
       local LDAP_NAME={{ (printf "%s" $value.name) | squote }}
-      local GITEA_AUTH_ID=$(gitea admin auth list --vertical-bars | grep -E "\|${LDAP_NAME}\s+\|" | grep -iE '\|LDAP \(via BindDN\)\s+\|' | awk -F " "  "{print \$1}")
+      local full_auth_list=$(gitea admin auth list --vertical-bars)
+      local actual_auth_table=''
+
+      # We might have distorted output due to warning logs, so we have to detect the actual user table by its headline and trim output above that line
+      local regex="(.*)(ID\s+\|Name\s+\|Type\s+\|Enabled.*)"
+      if [[ "${full_auth_list}" =~ $regex ]]; then
+        actual_auth_table=$(echo "${BASH_REMATCH[2]}" | tail -n+2) # tail'ing to drop the table headline
+      else
+        # This code block should never be reached, as long as the output table header remains the same.
+        # If this code block is reached, the regex doesn't match anymore and we probably have to adjust this script.
+
+        echo "ERROR: 'configure_ldap' was not able to determine the current list of authentication sources."
+        echo "       Please review the output of 'gitea admin auth list --vertical-bars' shown below."
+        echo "       If you think it is an issue with the Helm Chart provisioning, file an issue at https://gitea.com/gitea/helm-chart/issues."
+        echo "DEBUG: Output of 'gitea admin auth list --vertical-bars'"
+        echo "--"
+        echo "${full_auth_list}"
+        echo "--"
+        exit 1
+      fi
+
+      local GITEA_AUTH_ID=$(echo "${actual_auth_table}" | grep -E "\|${LDAP_NAME}\s+\|" | grep -iE '\|LDAP \(via BindDN\)\s+\|' | awk -F " "  "{print \$1}")
 
       if [[ -z "${GITEA_AUTH_ID}" ]]; then
         echo "No ldap configuration found with name '${LDAP_NAME}'. Installing it now..."
@@ -128,7 +170,28 @@ stringData:
       {{- if .Values.gitea.oauth }}
       {{- range $idx, $value := .Values.gitea.oauth }}
       local OAUTH_NAME={{ (printf "%s" $value.name) | squote }}
-      local AUTH_ID=$(gitea admin auth list --vertical-bars | grep -E "\|${OAUTH_NAME}\s+\|" | grep -iE '\|OAuth2\s+\|' | awk -F " "  "{print \$1}")
+      local full_auth_list=$(gitea admin auth list --vertical-bars)
+      local actual_auth_table=''
+
+      # We might have distorted output due to warning logs, so we have to detect the actual user table by its headline and trim output above that line
+      local regex="(.*)(ID\s+\|Name\s+\|Type\s+\|Enabled.*)"
+      if [[ "${full_auth_list}" =~ $regex ]]; then
+        actual_auth_table=$(echo "${BASH_REMATCH[2]}" | tail -n+2) # tail'ing to drop the table headline
+      else
+        # This code block should never be reached, as long as the output table header remains the same.
+        # If this code block is reached, the regex doesn't match anymore and we probably have to adjust this script.
+
+        echo "ERROR: 'configure_oauth' was not able to determine the current list of authentication sources."
+        echo "       Please review the output of 'gitea admin auth list --vertical-bars' shown below."
+        echo "       If you think it is an issue with the Helm Chart provisioning, file an issue at https://gitea.com/gitea/helm-chart/issues."
+        echo "DEBUG: Output of 'gitea admin auth list --vertical-bars'"
+        echo "--"
+        echo "${full_auth_list}"
+        echo "--"
+        exit 1
+      fi
+
+      local AUTH_ID=$(echo "${actual_auth_table}" | grep -E "\|${OAUTH_NAME}\s+\|" | grep -iE '\|OAuth2\s+\|' | awk -F " "  "{print \$1}")
 
       if [[ -z "${AUTH_ID}" ]]; then
         echo "No oauth configuration found with name '${OAUTH_NAME}'. Installing it now..."

unittests/config/cache-config.yaml

@@ -0,0 +1,45 @@
+suite: config template | cache config
+release:
+  name: gitea-unittests
+  namespace: testing
+tests:
+  - it: "cache is configured correctly for redis-cluster"
+    template: templates/gitea/config.yaml
+    set:
+      redis-cluster:
+        enabled: true
+    asserts:
+      - documentIndex: 0
+        equal:
+          path: stringData.cache
+          value: |-
+            ADAPTER=redis
+            HOST=redis+cluster://:@gitea-unittests-redis-cluster-headless.testing.svc.cluster.local:6379/0?pool_size=100&idle_timeout=180s&
+
+  - it: "cache is configured correctly for 'memory' when redis-cluster is disabled"
+    template: templates/gitea/config.yaml
+    set:
+      redis-cluster:
+        enabled: false
+    asserts:
+      - documentIndex: 0
+        equal:
+          path: stringData.cache
+          value: |-
+            ADAPTER=memory
+            HOST=
+
+  - it: "cache can be customized when redis-cluster is disabled"
+    template: templates/gitea/config.yaml
+    set:
+      redis-cluster:
+        enabled: false
+      gitea.config.cache.ADAPTER: custom-adapter
+      gitea.config.cache.HOST: custom-host
+    asserts:
+      - documentIndex: 0
+        equal:
+          path: stringData.cache
+          value: |-
+            ADAPTER=custom-adapter
+            HOST=custom-host

unittests/config/database-section_postgresql-ha.yaml

@@ -0,0 +1,30 @@
+suite: config template | database section (postgresql-ha)
+release:
+  name: gitea-unittests
+  namespace: testing
+tests:
+  - it: connects to pgpool service
+    template: templates/gitea/config.yaml
+    set:
+      postgresql:
+        enabled: false
+      postgresql-ha:
+        enabled: true
+    asserts:
+      - documentIndex: 0
+        matchRegex:
+          path: stringData.database
+          pattern: HOST=gitea-unittests-postgresql-ha-pgpool.testing.svc.cluster.local:5432
+  - it: renders the referenced service
+    template: charts/postgresql-ha/templates/pgpool/service.yaml
+    set:
+      postgresql:
+        enabled: false
+      postgresql-ha:
+        enabled: true
+    asserts:
+      - containsDocument:
+          kind: Service
+          apiVersion: v1
+          name: gitea-unittests-postgresql-ha-pgpool
+          namespace: testing

unittests/config/database-section_postgresql.yaml

@@ -0,0 +1,30 @@
+suite: config template | database section (postgresql)
+release:
+  name: gitea-unittests
+  namespace: testing
+tests:
+  - it: "connects to postgresql service"
+    template: templates/gitea/config.yaml
+    set:
+      postgresql:
+        enabled: true
+      postgresql-ha:
+        enabled: false
+    asserts:
+      - documentIndex: 0
+        matchRegex:
+          path: stringData.database
+          pattern: HOST=gitea-unittests-postgresql.testing.svc.cluster.local:5432
+  - it: "renders the referenced service"
+    template: charts/postgresql/templates/primary/svc.yaml
+    set:
+      postgresql:
+        enabled: true
+      postgresql-ha:
+        enabled: false
+    asserts:
+      - containsDocument:
+          kind: Service
+          apiVersion: v1
+          name: gitea-unittests-postgresql
+          namespace: testing

unittests/config/queue-config.yaml

@@ -0,0 +1,45 @@
+suite: config template | queue config
+release:
+  name: gitea-unittests
+  namespace: testing
+tests:
+  - it: "queue is configured correctly for redis-cluster"
+    template: templates/gitea/config.yaml
+    set:
+      redis-cluster:
+        enabled: true
+    asserts:
+      - documentIndex: 0
+        equal:
+          path: stringData.queue
+          value: |-
+            CONN_STR=redis+cluster://:@gitea-unittests-redis-cluster-headless.testing.svc.cluster.local:6379/0?pool_size=100&idle_timeout=180s&
+            TYPE=redis
+
+  - it: "queue is configured correctly for 'levelDB' when redis-cluster is disabled"
+    template: templates/gitea/config.yaml
+    set:
+      redis-cluster:
+        enabled: false
+    asserts:
+      - documentIndex: 0
+        equal:
+          path: stringData.queue
+          value: |-
+            CONN_STR=
+            TYPE=level
+
+  - it: "queue can be customized when redis-cluster is disabled"
+    template: templates/gitea/config.yaml
+    set:
+      redis-cluster:
+        enabled: false
+      gitea.config.queue.TYPE: custom-type
+      gitea.config.queue.CONN_STR: custom-connection-string
+    asserts:
+      - documentIndex: 0
+        equal:
+          path: stringData.queue
+          value: |-
+            CONN_STR=custom-connection-string
+            TYPE=custom-type

unittests/config/server-section_domain.yaml

@@ -0,0 +1,67 @@
+suite: config template | server section (domain related)
+release:
+  name: gitea-unittests
+  namespace: testing
+tests:
+  - it: "[default values] uses ingress host for DOMAIN|SSH_DOMAIN|ROOT_URL"
+    template: templates/gitea/config.yaml
+    asserts:
+      - documentIndex: 0
+        matchRegex:
+          path: stringData.server
+          pattern: \nDOMAIN=git.example.com
+      - documentIndex: 0
+        matchRegex:
+          path: stringData.server
+          pattern: \nSSH_DOMAIN=git.example.com
+      - documentIndex: 0
+        matchRegex:
+          path: stringData.server
+          pattern: \nROOT_URL=http://git.example.com
+
+  ################################################
+
+  - it: "[no ingress hosts] uses gitea http service for DOMAIN|SSH_DOMAIN|ROOT_URL"
+    template: templates/gitea/config.yaml
+    set:
+      ingress:
+        hosts: []
+    asserts:
+      - documentIndex: 0
+        matchRegex:
+          path: stringData.server
+          pattern: \nDOMAIN=gitea-unittests-http.testing.svc.cluster.local
+      - documentIndex: 0
+        matchRegex:
+          path: stringData.server
+          pattern: \nSSH_DOMAIN=gitea-unittests-http.testing.svc.cluster.local
+      - documentIndex: 0
+        matchRegex:
+          path: stringData.server
+          pattern: \nROOT_URL=http://gitea-unittests-http.testing.svc.cluster.local
+
+  ################################################
+
+  - it: "[provided via values] uses that for DOMAIN|SSH_DOMAIN|ROOT_URL"
+    template: templates/gitea/config.yaml
+    set:
+      gitea.config.server.DOMAIN: provided.example.com
+      ingress:
+        hosts:
+          - host: non-used.example.com
+            paths:
+              - path: /
+                pathType: Prefix
+    asserts:
+      - documentIndex: 0
+        matchRegex:
+          path: stringData.server
+          pattern: \nDOMAIN=provided.example.com
+      - documentIndex: 0
+        matchRegex:
+          path: stringData.server
+          pattern: \nSSH_DOMAIN=provided.example.com
+      - documentIndex: 0
+        matchRegex:
+          path: stringData.server
+          pattern: \nROOT_URL=http://provided.example.com

unittests/config/session-config.yaml

@@ -0,0 +1,45 @@
+suite: config template | session config
+release:
+  name: gitea-unittests
+  namespace: testing
+tests:
+  - it: "session is configured correctly for redis-cluster"
+    template: templates/gitea/config.yaml
+    set:
+      redis-cluster:
+        enabled: true
+    asserts:
+      - documentIndex: 0
+        equal:
+          path: stringData.session
+          value: |-
+            PROVIDER=redis
+            PROVIDER_CONFIG=redis+cluster://:@gitea-unittests-redis-cluster-headless.testing.svc.cluster.local:6379/0?pool_size=100&idle_timeout=180s&
+
+  - it: "session is configured correctly for 'memory' when redis-cluster is disabled"
+    template: templates/gitea/config.yaml
+    set:
+      redis-cluster:
+        enabled: false
+    asserts:
+      - documentIndex: 0
+        equal:
+          path: stringData.session
+          value: |-
+            PROVIDER=memory
+            PROVIDER_CONFIG=
+
+  - it: "session can be customized when redis-cluster is disabled"
+    template: templates/gitea/config.yaml
+    set:
+      redis-cluster:
+        enabled: false
+      gitea.config.session.PROVIDER: custom-provider
+      gitea.config.session.PROVIDER_CONFIG: custom-provider-config
+    asserts:
+      - documentIndex: 0
+        equal:
+          path: stringData.session
+          value: |-
+            PROVIDER=custom-provider
+            PROVIDER_CONFIG=custom-provider-config

unittests/dependency-major-image-check.yaml

@@ -0,0 +1,42 @@
+suite: Dependency update consistency
+release:
+  name: gitea-unittests
+  namespace: testing
+tests:
+  - it: "[postgresql-ha] ensures we detect major image version upgrades"
+    template: charts/postgresql-ha/templates/postgresql/statefulset.yaml
+    set:
+      postgresql:
+        enabled: false
+      postgresql-ha:
+        enabled: true
+    asserts:
+      - documentIndex: 0
+        matchRegex:
+          path: spec.template.spec.containers[0].image
+          # IN CASE OF AN INTENTIONAL MAJOR BUMP, ADJUST THIS TEST
+          pattern: ^docker.io/bitnami/postgresql-repmgr:16.+$
+  - it: "[postgresql] ensures we detect major image version upgrades"
+    template: charts/postgresql/templates/primary/statefulset.yaml
+    set:
+      postgresql:
+        enabled: true
+      postgresql-ha:
+        enabled: false
+    asserts:
+      - documentIndex: 0
+        matchRegex:
+          path: spec.template.spec.containers[0].image
+          # IN CASE OF AN INTENTIONAL MAJOR BUMP, ADJUST THIS TEST
+          pattern: ^docker.io/bitnami/postgresql:16.+$
+  - it: "[redis-cluster] ensures we detect major image version upgrades"
+    template: charts/redis-cluster/templates/redis-statefulset.yaml
+    set:
+      redis-cluster:
+        enabled: true
+    asserts:
+      - documentIndex: 0
+        matchRegex:
+          path: spec.template.spec.containers[0].image
+          # IN CASE OF AN INTENTIONAL MAJOR BUMP, ADJUST THIS TEST
+          pattern: ^docker.io/bitnami/redis-cluster:7.+$

unittests/deployment/image-configuration.yaml

@@ -0,0 +1,93 @@
+suite: deployment template (image configuration)
+release:
+  name: gitea-unittests
+  namespace: testing
+chart:
+  # Override appVersion to be consistent with used digest :)
+  appVersion: 1.19.3
+templates:
+  - templates/gitea/deployment.yaml
+  - templates/gitea/config.yaml
+tests:
+  - it: default values
+    template: templates/gitea/deployment.yaml
+    asserts:
+      - equal:
+          path: spec.template.spec.containers[0].image
+          value: "gitea/gitea:1.19.3-rootless"
+  - it: tag override
+    template: templates/gitea/deployment.yaml
+    set:
+      image.tag: "1.19.4"
+    asserts:
+      - equal:
+          path: spec.template.spec.containers[0].image
+          value: "gitea/gitea:1.19.4-rootless"
+  - it: root-based image
+    template: templates/gitea/deployment.yaml
+    set:
+      image.rootless: false
+    asserts:
+      - equal:
+          path: spec.template.spec.containers[0].image
+          value: "gitea/gitea:1.19.3"
+  - it: scoped registry
+    template: templates/gitea/deployment.yaml
+    set:
+      image.registry: "example.com"
+    asserts:
+      - equal:
+          path: spec.template.spec.containers[0].image
+          value: "example.com/gitea/gitea:1.19.3-rootless"
+  - it: global registry
+    template: templates/gitea/deployment.yaml
+    set:
+      global.imageRegistry: "global.example.com"
+    asserts:
+      - equal:
+          path: spec.template.spec.containers[0].image
+          value: "global.example.com/gitea/gitea:1.19.3-rootless"
+  - it: digest for rootless image
+    template: templates/gitea/deployment.yaml
+    set:
+      image:
+        rootless: true
+        digest: sha256:b28e8f3089b52ebe6693295df142f8c12eff354e9a4a5bfbb5c10f296c3a537a
+    asserts:
+      - equal:
+          path: spec.template.spec.containers[0].image
+          value: "gitea/gitea:1.19.3-rootless@sha256:b28e8f3089b52ebe6693295df142f8c12eff354e9a4a5bfbb5c10f296c3a537a"
+  - it: image fullOverride (does not append rootless)
+    template: templates/gitea/deployment.yaml
+    set:
+      image:
+        fullOverride: gitea/gitea:1.19.3
+        # setting rootless, registry, repository, tag, and digest to prove that override works
+        rootless: true
+        registry: example.com
+        repository: example/image
+        tag: "1.0.0"
+        digest: sha256:b28e8f3089b52ebe6693295df142f8c12eff354e9a4a5bfbb5c10f296c3a537a
+    asserts:
+      - equal:
+          path: spec.template.spec.containers[0].image
+          value: "gitea/gitea:1.19.3"
+  - it: digest for root-based image
+    template: templates/gitea/deployment.yaml
+    set:
+      image:
+        rootless: false
+        digest: sha256:b28e8f3089b52ebe6693295df142f8c12eff354e9a4a5bfbb5c10f296c3a537a
+    asserts:
+      - equal:
+          path: spec.template.spec.containers[0].image
+          value: "gitea/gitea:1.19.3@sha256:b28e8f3089b52ebe6693295df142f8c12eff354e9a4a5bfbb5c10f296c3a537a"
+  - it: digest and global registry
+    template: templates/gitea/deployment.yaml
+    set:
+      global.imageRegistry: "global.example.com"
+      image.digest: "sha256:b28e8f3089b52ebe6693295df142f8c12eff354e9a4a5bfbb5c10f296c3a537a"
+    asserts:
+      - equal:
+          path: spec.template.spec.containers[0].image
+          value: "global.example.com/gitea/gitea:1.19.3-rootless@sha256:b28e8f3089b52ebe6693295df142f8c12eff354e9a4a5bfbb5c10f296c3a537a"

unittests/deployment/ingress-configuration.yaml

@@ -0,0 +1,23 @@
+suite: ingress template
+release:
+  name: gitea-unittests
+  namespace: testing
+templates:
+  - templates/gitea/ingress.yaml
+tests:
+  - it: hostname using TPL
+    set:
+      global.giteaHostName: "gitea.example.com"
+      ingress.enabled: true
+      ingress.hosts[0].host: "{{ .Values.global.giteaHostName }}"
+      ingress.tls:
+        - secretName: gitea-tls
+          hosts:
+            - "{{ .Values.global.giteaHostName }}"
+    asserts:
+      - equal:
+          path: spec.tls[0].hosts[0]
+          value: "gitea.example.com"
+      - equal:
+          path: spec.rules[0].host
+          value: "gitea.example.com"

unittests/deployment/inline-config.yaml

@@ -0,0 +1,33 @@
+suite: config template
+release:
+  name: gitea-unittests
+  namespace: testing
+templates:
+  - templates/gitea/config.yaml
+tests:
+  - it: inline config stringData.server using TPL
+    set:
+      global.giteaHostName: "gitea.example.com"
+      ingress.enabled: true
+      ingress.hosts[0].host: "{{ .Values.global.giteaHostName }}"
+      ingress.tls:
+        - secretName: gitea-tls
+          hosts:
+            - "{{ .Values.global.giteaHostName }}"
+    asserts:
+      - documentIndex: 0
+        matchRegex:
+          path: metadata.name
+          pattern: .*-inline-config$
+      - documentIndex: 0
+        matchRegex:
+          path: stringData.server
+          pattern: DOMAIN=gitea\.example\.com
+      - documentIndex: 0
+        matchRegex:
+          path: stringData.server
+          pattern: ROOT_URL=https://gitea\.example\.com
+      - documentIndex: 0
+        matchRegex:
+          path: stringData.server
+          pattern: SSH_DOMAIN=gitea\.example\.com

unittests/deployment/ssh-configuration.yaml

@@ -27,6 +27,18 @@ tests:
           content:
             name: SSH_LOG_LEVEL
             value: "DEBUG"
+  - it: supports overriding SSH log level (even when image.fullOverride set)
+    template: templates/gitea/deployment.yaml
+    set:
+      image.fullOverride: gitea/gitea:1.19.3
+      image.rootless: false
+      gitea.ssh.logLevel: "DEBUG"
+    asserts:
+      - contains:
+          path: spec.template.spec.containers[0].env
+          content:
+            name: SSH_LOG_LEVEL
+            value: "DEBUG"
   - it: skips SSH_LOG_LEVEL for rootless image
     template: templates/gitea/deployment.yaml
     set:
@@ -38,3 +50,15 @@ tests:
           any: true
           content:
             name: SSH_LOG_LEVEL
+  - it: skips SSH_LOG_LEVEL for rootless image (even when image.fullOverride set)
+    template: templates/gitea/deployment.yaml
+    set:
+      image.fullOverride: gitea/gitea:1.19.3
+      image.rootless: true
+      gitea.ssh.logLevel: "DEBUG" # explicitly defining a non-standard level here
+    asserts:
+      - notContains:
+          path: spec.template.spec.containers[0].env
+          any: true
+          content:
+            name: SSH_LOG_LEVEL

unittests/gpg-secret/signing-enabled.yaml

@@ -33,7 +33,7 @@ tests:
           kind: Secret
           apiVersion: v1
           name: gitea-unittests-gpg-key
-      - isNotEmpty:
+      - isNotNullOrEmpty:
           path: metadata.labels
       - equal:
           path: data.privateKey