create initial secrets before app.ini removal

condition on existence
remove existing app.ini before creating it
2023-05-29 20:13:00 +02:00 · 2023-05-29 12:07:24 +02:00 · 2023-05-29 11:54:19 +02:00
40 changed files with 456 additions and 1890 deletions
@@ -39,4 +39,3 @@

 - [ ] Parameters are documented in the `values.yaml` and added to the `README.md` using [readme-generator-for-helm](https://github.com/bitnami-labs/readme-generator-for-helm)
 - [ ] Breaking changes are documented in the `README.md`
- [ ] Templating unittests are added
@@ -5,29 +5,19 @@ on:
    tags:
      - "*"

-env:
-  # renovate: datasource=docker depName=alpine/helm
-  HELM_VERSION: "3.13.2"
-
 jobs:
  generate-chart-publish:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v3
      - name: install tools
        run: |
          apt update -y
-          apt install -y curl ca-certificates curl gnupg
-          # helm
+          apt install -y curl
          curl https://baltocdn.com/helm/signing.asc | gpg --dearmor | tee /usr/share/keyrings/helm.gpg > /dev/null
          echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/helm.gpg] https://baltocdn.com/helm/stable/debian/ all main" | tee /etc/apt/sources.list.d/helm-stable-debian.list
-          # docker
-          install -m 0755 -d /etc/apt/keyrings
-          curl -fsSL https://download.docker.com/linux/debian/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg
-          chmod a+r /etc/apt/keyrings/docker.gpg
-          echo "deb [arch="$(dpkg --print-architecture)" signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian "$(. /etc/os-release && echo "$VERSION_CODENAME")" stable" | tee /etc/apt/sources.list.d/docker.list > /dev/null
          apt update -y
-          apt install -y python helm=${{ env.HELM_VERSION }}-1 python3-pip apt-transport-https docker-ce-cli
+          apt install -y python helm python3-pip apt-transport-https
          pip install awscli

      - name: Import GPG key
@@ -41,7 +31,6 @@ jobs:
      # Using helm gpg plugin as 'helm package --sign' has issues with gpg2: https://github.com/helm/helm/issues/2843
      - name: package chart
        run: |
-          echo ${{ secrets.DOCKER_CHARTS_PASSWORD }} | docker login -u ${{ secrets.DOCKER_CHARTS_USERNAME }} --password-stdin
          # FIXME: use upstream after https://github.com/technosophos/helm-gpg/issues/1 is solved
          helm plugin install https://github.com/pat-s/helm-gpg
          helm dependency update
@@ -49,12 +38,8 @@ jobs:
          helm gpg sign "gitea-${GITHUB_REF#refs/tags/v}.tgz"
          mkdir gitea
          mv gitea*.tgz gitea/
-          curl -s -L -o gitea/index.yaml https://dl.gitea.com/charts/index.yaml
-          helm repo index gitea/ --url https://dl.gitea.com/charts --merge gitea/index.yaml
-          # push to dockerhub
-          echo ${{ secrets.DOCKER_CHARTS_PASSWORD }} | helm registry login -u ${{ secrets.DOCKER_CHARTS_USERNAME }} registry-1.docker.io --password-stdin
-          helm push gitea/gitea-${GITHUB_REF#refs/tags/v}.tgz oci://registry-1.docker.io/giteacharts
-          helm registry logout registry-1.docker.io
+          curl -L -o gitea/index.yaml https://dl.gitea.com/charts/index.yaml
+          helm repo index gitea/ --url https://dl.gitea.io/charts --merge gitea/index.yaml

      - name: aws credential configure
        uses: https://github.com/aws-actions/configure-aws-credentials@v2
@@ -1,37 +1,32 @@
 name: check-and-test

 on:
-  pull_request:
-    branches:
-      - "*"
-  push:
-    branches:
-      - main
-      - "renovate/**"
-
-env:
-  # renovate: datasource=github-releases depName=helm-unittest/helm-unittest
-  HELM_UNITTEST_VERSION: "v0.3.6"
+  - pull_request

 jobs:
  check-and-test:
    runs-on: ubuntu-latest
-    container: alpine/helm:3.13.2
    steps:
+      - uses: actions/checkout@v3
      - name: install tools
        run: |
-          apk update
-          apk add --update make nodejs npm yamllint
-      - uses: actions/checkout@v4
-      - name: install chart dependencies
-        run: helm dependency build
+          apt update -y
+          apt install -y curl make
+          curl https://baltocdn.com/helm/signing.asc | gpg --dearmor | tee /usr/share/keyrings/helm.gpg > /dev/null
+          echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/helm.gpg] https://baltocdn.com/helm/stable/debian/ all main" | tee /etc/apt/sources.list.d/helm-stable-debian.list
+          apt update -y
+          apt install -y helm python3-pip
+          pip install yamllint
+      - name: dependency update
+        run: helm dependency update
      - name: lint
        run: helm lint
      - name: template
-        run: helm template --debug gitea-helm .
+        run: |
+          helm template --debug gitea-helm .
      - name: unit tests
        run: |
-          helm plugin install --version ${{ env.HELM_UNITTEST_VERSION }} https://github.com/helm-unittest/helm-unittest
+          helm plugin install --version 0.3.1 https://github.com/helm-unittest/helm-unittest
          make unittests
      - name: verify readme
        run: |
@@ -47,7 +47,7 @@ MD013:
  # Number of characters
  line_length: 200
  # Number of characters for headings
-  heading_line_length: 100
+  heading_line_length: 80
  # Number of characters for code blocks
  code_block_line_length: 80
  # Include code blocks
@@ -106,7 +106,7 @@ MD030:
 # MD033/no-inline-html - Inline HTML
 MD033:
  # Allowed elements
-  allowed_elements: [details, summary]
+  allowed_elements: []

 # MD035/hr-style - Horizontal rule style
 MD035:
@@ -1,8 +0,0 @@
-{
-    "recommendations": [
-        "yzhang.markdown-all-in-one",
-        "DavidAnson.vscode-markdownlint",
-        "Tim-Koehler.helm-intellisense",
-        "esbenp.prettier-vscode"
-    ]
-  }
@@ -1,8 +0,0 @@
-{
-    "yaml.schemas": {
-        "https://raw.githubusercontent.com/helm-unittest/helm-unittest/main/schema/helm-testsuite.json": [
-            "/unittests/**/*.yaml"
-        ]
-    },
-    "yaml.schemaStore.enable": true
-}
@@ -9,16 +9,21 @@ refactorings for easier maintainability or documentation improvements.
 - [`helm`](https://helm.sh/docs/intro/install/)
 - `make` is optional; you may call the commands directly

-When using Visual Studio Code as IDE, a [ready-to-use profile](.vscode/) is available.
+When using Visual Studio Code as IDE, following plugins might be useful:
+
+- [Markdown All in One](https://marketplace.visualstudio.com/items?itemName=yzhang.markdown-all-in-one)
+- [markdownlint](https://marketplace.visualstudio.com/items?itemName=DavidAnson.vscode-markdownlint)
+- [Helm Intellisense](https://marketplace.visualstudio.com/items?itemName=Tim-Koehler.helm-intellisense)
+- [Prettier - Code formatter](https://marketplace.visualstudio.com/items?itemName=esbenp.prettier-vscode)

 ## Documentation Requirements

-The `README.md` must include all configuration options.
-The parameters section is generated by extracting the parameter annotations from the `values.yaml` file, by using [this tool](https://github.com/bitnami-labs/readme-generator-for-helm).
+The `README.md` must include all configuration options. The parameters section
+is generated by extracting the parameter annotations from the `values.yaml` file,
+by using [this tool](https://github.com/bitnami-labs/readme-generator-for-helm).

-If changes were made on configuration options, run `make readme` to update the README file.
-
-The ToC is created via the VSCode [Markdown All in One](https://marketplace.visualstudio.com/items?itemName=yzhang.markdown-all-in-one) extension which can/must also be used used to update it.
+If changes were made on configuration options, run `make readme` to update the
+README file.

 ## Pull Request Requirements

@@ -36,15 +41,16 @@ For local development and testing of pull requests, the following workflow can
 be used:

 1. Install `minikube` and `helm`.
-1. Start a `minikube` cluster via `minikube start`.
-1. From the `gitea/helm-chart` directory execute the following command.
-   This will install the dependencies listed in `Chart.yml` and deploy the current state of the helm chart found locally.
-   If you want to test a branch, make sure to switch to the respective branch first.
-   `helm install --dependency-update gitea . -f values.yaml`.
-1. Gitea is now deployed in `minikube`.
-   To access it, it's port needs to be forwarded first from `minikube` to localhost first via `kubectl --namespace
-default port-forward svc/gitea-http 3000:3000`.
-   Now Gitea is accessible at [http://localhost:3000](http://localhost:3000).
+2. Start a `minikube` cluster via `minikube start`.
+3. From the `gitea/helm-chart` directory execute the following command. This
+   will install the dependencies listed in `Chart.yml` and deploy the current
+   state of the helm chart found locally. If you want to test a branch, make
+   sure to switch to the respective branch first.
+  `helm install --dependency-update gitea . -f values.yaml`.
+4. Gitea is now deployed in `minikube`. To access it, it's port needs to be
+   forwarded first from `minikube` to localhost first via `kubectl --namespace
+   default port-forward svc/gitea-http 3000:3000`. Now Gitea is accessible at
+   [http://localhost:3000](http://localhost:3000).

 ### Unit tests

@@ -55,11 +61,3 @@ $ helm plugin install https://github.com/helm-unittest/helm-unittest
 # run the unittests
 make unittests
 ```
-
-See [plugin documentation](https://github.com/helm-unittest/helm-unittest/blob/main/DOCUMENT.md) for usage instructions.
-
-## Release process
-
-1. Create a tag following the tagging schema
-1. Push the tag
-1. Let CI do it's work
@@ -1,12 +1,9 @@
 dependencies:
+- name: memcached
+  repository: oci://registry-1.docker.io/bitnamicharts
+  version: 6.3.14
 - name: postgresql
  repository: oci://registry-1.docker.io/bitnamicharts
-  version: 12.12.10
- name: postgresql-ha
-  repository: oci://registry-1.docker.io/bitnamicharts
-  version: 11.9.4
- name: redis-cluster
-  repository: oci://registry-1.docker.io/bitnamicharts
-  version: 9.1.3
-digest: sha256:6bda620320a05a5ea4efb4189a86d30092aeb0a6f3e0009538f4bea312af0863
-generated: "2023-11-14T00:08:15.790217865Z"
+  version: 12.4.1
+digest: sha256:02d4846bf416038a42658dbca8f8001d0e3ce967b00e990048f8d420065c33fd
+generated: "2023-04-28T09:32:05.295167+02:00"
@@ -3,8 +3,8 @@ name: gitea
 description: Gitea Helm chart for Kubernetes
 type: application
 version: 0.0.0
-appVersion: 1.21.0
-icon: https://gitea.com/assets/img/logo.svg
+appVersion: 1.19.3
+icon: https://docs.gitea.io/images/gitea.png

 keywords:
  - git
@@ -33,18 +33,14 @@ maintainers:

 # Bitnami charts are served from GitHub CDN - See https://github.com/bitnami/charts/issues/10539 for details
 dependencies:
-  # https://github.com/bitnami/charts/blob/main/bitnami/postgresql
+  # OCI registry: https://blog.bitnami.com/2023/01/bitnami-helm-charts-available-as-oci.html (2023-01)
+  # Chart release date: 2023-04
+  - name: memcached
+    repository: oci://registry-1.docker.io/bitnamicharts
+    version: 6.3.14
+    condition: memcached.enabled
+  # Chart release date: 2023-04
  - name: postgresql
    repository: oci://registry-1.docker.io/bitnamicharts
-    version: 12.12.10
+    version: 12.4.1
    condition: postgresql.enabled
-  # https://github.com/bitnami/charts/blob/main/bitnami/postgresql-ha/Chart.yaml
-  - name: postgresql-ha
-    repository: oci://registry-1.docker.io/bitnamicharts
-    version: 11.9.4
-    condition: postgresql-ha.enabled
-  # https://github.com/bitnami/charts/blob/main/bitnami/redis-cluster/Chart.yaml
-  - name: redis-cluster
-    repository: oci://registry-1.docker.io/bitnamicharts
-    version: 9.1.3
-    condition: redis-cluster.enabled
@@ -10,8 +10,3 @@ readme: prepare-environment
 .PHONY: unittests
 unittests:
 	helm unittest --strict -f 'unittests/**/*.yaml' ./
-
-.PHONY: helm
-update-helm-dependencies:
-	helm dependency update
-  
@@ -1,178 +0,0 @@
-# High Availability
-
-All components (in-memory DB, volume/asset storage, code indexer) used by Gitea must be deployed in a HA-ready fashion to achieve a full HA-ready Gitea deployment.
-The following document explains how to achieve this for all individual components.
-
-The resulting Gitea deployment will consist of ~ 10 pods (depending on the chosen components and their replicas).
-One should evaluate upfront whether a HA-deployment is required as switching between HA/non-HA comes with some effort.
-For production instances, HA is always recommended to increase uptime and have a frictionless update process.
-
-A general comment about chart dependencies and external services:
-Instead of relying on chart dependencies, it is often better to rely on an external, (managed) instances (in-memory database, asset storage provider, database, etc.).
-Many cloud providers offer such services, at least for databases or in-memory databases.
-They might cost a bit more than using a self-hosted k8s variant but are usually easier to maintain and scale, if needed.
-Also they can be centrally managed and are not linked to the Gitea helm chart or namespace.
-Please consider using external services before you start with your Gitea HA setup, it will make your life (and the life of the Gitea maintainers) easier.
-
-This helm chart tries to help as much as possible to simplify and assert the provisioning of a HA-ready Gitea instance by implementing smart conditionals if `replicaCount` is set to a value > 1.
-Nevertheless, we cannot guarantee for every possible combination of Gitea settings to work together perfectly in a HA setup.
-As a general advice, we recommend to have a test environment aside on which to test possible changes/upgrades before applying these to a production installation.
-
-## Requirements for HA
-
-Storage-wise, the HA-Gitea setup requires a RWX file-system which can be shared among the deployment-based replica pods.
-In addition, the following components are required for full HA-readiness:
-
- A HA-ready issue (and optionally code) indexer: `elasticsearch` or `meilisearch`
- A HA-ready external object/asset storage (`minio`) (optional, assets can also be stored on the RWX file-system)
- A HA-ready cache (`redis-cluster`)
- A HA-ready DB
-
-`postgres.enabled`, which default to `true`, must be set to `false` for a HA setup.
-The default `postgres` chart dependency is not HA-ready (there's a dedicated `postgres-ha` chart).
-
-The following sections discuss each of the components in more detail.
-Note that for each component discussed, the shown configurations only provides a (working) starting point, not necessarily the most optimal setup.
-We try to optimize this document over time as we have gained more experience with HA setups from users.
-
-## Indexers (Issues and code/repo)
-
-The default code indexer `bleve` is not able to allow multiple connections and hence cannot be used in a HA setup.
-Alternatives are `elasticsearch` and `meilisearch` (as of >= 1.19.2).
-Unless you have an existing `elasticsearch` cluster, we recommend using `meilisearch` as it is faster and requires way less resources.
-
-Unfortunately, `meilisearch` does only support the `ISSUE_INDEXER` and not the `REPO_INDEXER` yet ([tracking issue](https://github.com/go-gitea/gitea/pull/24149)).
-This means that the `REPO_INDEXER` must still be disabled for a HA setup right now.
-An alternative to the two options above for the `ISSUE_INDEXER` is `"db"`, however we recommend to just go with `meilisearch` in this case and to not bother the DB with indexing.
-
-To configure `meilisearch` within Gitea, do the following:
-
-```yml
-gitea:
-  config:
-    indexer:
-      ISSUE_INDEXER_CONN_STR: <http://meilisearch.<namespace>.svc.cluster.local:7700>
-      ISSUE_INDEXER_ENABLED: true
-      ISSUE_INDEXER_TYPE: meilisearch
-      REPO_INDEXER_ENABLED: false
-      # REPO_INDEXER_TYPE: meilisearch # not yet working
-```
-
-Unfortunately `meilisearch` cannot be deployed in HA as of now.
-Nevertheless it allows for multiple Gitea requests at the same time and is therefore required in a HA setup.
-
-Exemplary configuration for the [meilisearch-kubernetes](https://github.com/meilisearch/meilisearch-kubernetes/tree/main/charts/meilisearch) chart:
-
-```yaml
-persistence:
-  enabled: true
-  accessMode: ReadWriteOnce
-  size: 5Gi
-```
-
-## Cache, session and queue
-
-A `redis` instance is required for the in-memory cache.
-Two options exist:
-
- `redis`
- `redis-cluster`
-
-The chart provides `redis-cluster` as a dependency as this one can be used for both HA and non-HA setups.
-You're also welcome to go with `redis` if you prefer or already have a running instance.
-
-It should be noted that `redis-cluster` support is only available starting with Gitea 1.19.2.
-You can also configure an external (managed) `redis` instance to be used.
-To do so, you need to set the following configuration values yourself:
-
- `gitea.config.queue.TYPE`: redis`
- `gitea.config.queue.CONN_STR`: `<your redis connection string>`
-
- `gitea.config.session.PROVIDER`: `redis`
- `gitea.config.session.PROVIDER_CONFIG`: `<your redis connection string>`
-
- `gitea.config.cache.ENABLED`: `true`
- `gitea.config.cache.ADAPTER`: `redis`
- `gitea.config.cache.HOST`: `<your redis connection string>`
-
-By default, the `redis-cluster` chart provisions three standalone master nodes of which each has a single replica.
-To reduce the number of pods for a default Gitea deployment, we opted to omit the replicas (`replicas: 0`) by default.
-Only the minimum required number of master pods for a functional `redis-cluster` deployment are provisioned.
-For a "proper" `redis-cluster` setup however, we recommend to set `replicas: 1` and `nodes: 6`.
-
-## Object and asset storage
-
-Object/asset storage refers to the storage of attachments, avatars, LFS files, etc.
-While most of these can be stored on the RWX file-system, it is recommended to use an external S3-compatible object storage for such, mainly for performance reasons.
-
-By default the chart provisions a single RWO volume to store everything (repos, avatars, packages, etc.).
-This volume cannot be mounted by multiple pods.
-Hence, a RWX volume is required and (optionally) an external HA-ready object storage.
-
-> **Note:** Double-check that the file permissions are set correctly on the RWX volume! That is everything should be owned by the `git` user which usually has `uid=1000` and `gid=1000`.
-
-To use `minio` you need to deploy and configure an external `minio` instance yourself and explicitly define the `STORAGE_TYPE` values as shown below.
-
-Note that `MINIO_BUCKET` here is just a name and does not refer to a S3 bucket.
-It's the root access point for all objects belonging to the respective application, i.e., to Gitea in this case.
-
-```yaml
-gitea:
-  config:
-    attachment:
-      STORAGE_TYPE: minio
-    lfs:
-      STORAGE_TYPE: minio
-    picture:
-      AVATAR_STORAGE_TYPE: minio
-    "storage.packages":
-      STORAGE_TYPE: minio
-
-    storage:
-      MINIO_ENDPOINT: <minio-headless.<namespace>.svc.cluster.local:9000>
-      MINIO_LOCATION: <location>
-      MINIO_ACCESS_KEY_ID: <access key>
-      MINIO_SECRET_ACCESS_KEY: <secret key>
-      MINIO_BUCKET: <bucket name>
-      MINIO_USE_SSL: false
-```
-
-Exemplary configuration for the [bitnami minio](https://github.com/bitnami/charts/blob/main/bitnami/minio) chart:
-
-```yaml
-auth:
-  rootUser: minio
-mode: distributed
-replicaCount: 4
-persistence:
-  enabled: true
-  size: 20Gi
-  accessModes:
-    - ReadWriteOnce
-```
-
-## Database
-
-If you do not have an HA-ready DB, using a managed database service in the cloud might be the easiest and most robust solution.
-Remember: disable the built-in `postgres` dependency and configure the database connection manually via `gitea.config.database`:
-
-```yml
-gitea:
-  database:
-    builtIn:
-      postgresql:
-        enabled: false
-  config:
-    database:
-      DB_TYPE: postgres
-      HOST: <host>
-      NAME: <name>
-      USER: <user>
-```
-
-## Known issues
-
- Currently Cron jobs are run on all replicas as no leader election is implemented.
-  See [https://github.com/go-gitea/gitea/issues/13791](https://github.com/go-gitea/gitea/issues/13791) for a discussion and possible solution.
-
- Running with multiple replicas slows down Gitea a bit, i.e. page loading time increases. 
@@ -8,7 +8,7 @@
      "license": "MIT",
      "devDependencies": {
        "@bitnami/readme-generator-for-helm": "^2.5.0",
-        "markdownlint-cli": "^0.37.0"
+        "markdownlint-cli": "^0.34.0"
      },
      "engines": {
        "node": ">=16.0.0",
@@ -16,9 +16,9 @@
      }
    },
    "node_modules/@bitnami/readme-generator-for-helm": {
-      "version": "2.6.0",
-      "resolved": "https://registry.npmjs.org/@bitnami/readme-generator-for-helm/-/readme-generator-for-helm-2.6.0.tgz",
-      "integrity": "sha512-LcByNCryaC2OJExL9rnhyFJ18+vrZu1gVoN2Z7j/HI42EjV4kLgT4G1KEPNnrKbls9HvozBqMG+sKZIDh0McFg==",
+      "version": "2.5.0",
+      "resolved": "https://registry.npmjs.org/@bitnami/readme-generator-for-helm/-/readme-generator-for-helm-2.5.0.tgz",
+      "integrity": "sha512-bYggL/kWwyxjctSrIBMOcrTQSj8LA3yYcEzfGTJIFoHKl5M7ifZtox//8G5K3FTw6qdOnPZcA10fl2y4N6uB/g==",
      "dev": true,
      "dependencies": {
        "commander": "^7.1.0",
@@ -286,12 +286,12 @@
      "dev": true
    },
    "node_modules/ini": {
-      "version": "4.1.1",
-      "resolved": "https://registry.npmjs.org/ini/-/ini-4.1.1.tgz",
-      "integrity": "sha512-QQnnxNyfvmHFIsj7gkPcYymR8Jdw/o7mp5ZFihxn6h8Ci6fh3Dx4E1gPjpQEpIuPo9XVNY/ZUwh4BPMjGyL01g==",
+      "version": "3.0.1",
+      "resolved": "https://registry.npmjs.org/ini/-/ini-3.0.1.tgz",
+      "integrity": "sha512-it4HyVAUTKBc6m8e1iXWvXSTdndF7HbdN713+kvLrymxTaU4AUBWrJ4vEooP+V7fexnVD3LKcBshjGGPefSMUQ==",
      "dev": true,
      "engines": {
-        "node": "^14.17.0 || ^16.13.0 || >=18.0.0"
+        "node": "^12.13.0 || ^14.15.0 || >=16.0.0"
      }
    },
    "node_modules/is-fullwidth-code-point": {
@@ -399,39 +399,39 @@
      }
    },
    "node_modules/markdownlint": {
-      "version": "0.31.1",
-      "resolved": "https://registry.npmjs.org/markdownlint/-/markdownlint-0.31.1.tgz",
-      "integrity": "sha512-CKMR2hgcIBrYlIUccDCOvi966PZ0kJExDrUi1R+oF9PvqQmCrTqjOsgIvf2403OmJ+CWomuzDoylr6KbuMyvHA==",
+      "version": "0.28.2",
+      "resolved": "https://registry.npmjs.org/markdownlint/-/markdownlint-0.28.2.tgz",
+      "integrity": "sha512-yYaQXoKKPV1zgrFsyAuZPEQoe+JrY9GDag9ObKpk09twx4OCU5lut+0/kZPrQ3W7w82SmgKhd7D8m34aG1unVw==",
      "dev": true,
      "dependencies": {
        "markdown-it": "13.0.1",
-        "markdownlint-micromark": "0.1.7"
+        "markdownlint-micromark": "0.1.2"
      },
      "engines": {
-        "node": ">=16"
+        "node": ">=14.18.0"
      }
    },
    "node_modules/markdownlint-cli": {
-      "version": "0.37.0",
-      "resolved": "https://registry.npmjs.org/markdownlint-cli/-/markdownlint-cli-0.37.0.tgz",
-      "integrity": "sha512-hNKAc0bWBBuVhJbSWbUhRzavstiB4o1jh3JeSpwC4/dt6eJ54lRfYHRxVdzVp4qGWBKbeE6Pg490PFEfrKjqSg==",
+      "version": "0.34.0",
+      "resolved": "https://registry.npmjs.org/markdownlint-cli/-/markdownlint-cli-0.34.0.tgz",
+      "integrity": "sha512-4G9I++VBTZkaye6Yfc/7dU6HQHcyldZEVB+bYyQJLcpJOHKk/q5ZpGqK80oKMIdlxzsA3aWOJLZ4DkoaoUWXbQ==",
      "dev": true,
      "dependencies": {
-        "commander": "~11.0.0",
+        "commander": "~10.0.1",
        "get-stdin": "~9.0.0",
-        "glob": "~10.3.4",
+        "glob": "~10.2.2",
        "ignore": "~5.2.4",
        "js-yaml": "^4.1.0",
        "jsonc-parser": "~3.2.0",
-        "markdownlint": "~0.31.1",
-        "minimatch": "~9.0.3",
-        "run-con": "~1.3.2"
+        "markdownlint": "~0.28.2",
+        "minimatch": "~9.0.0",
+        "run-con": "~1.2.11"
      },
      "bin": {
        "markdownlint": "markdownlint.js"
      },
      "engines": {
-        "node": ">=16"
+        "node": ">=14"
      }
    },
    "node_modules/markdownlint-cli/node_modules/brace-expansion": {
@@ -444,25 +444,25 @@
      }
    },
    "node_modules/markdownlint-cli/node_modules/commander": {
-      "version": "11.0.0",
-      "resolved": "https://registry.npmjs.org/commander/-/commander-11.0.0.tgz",
-      "integrity": "sha512-9HMlXtt/BNoYr8ooyjjNRdIilOTkVJXB+GhxMTtOKwk0R4j4lS4NpjuqmRxroBfnfTSHQIHQB7wryHhXarNjmQ==",
+      "version": "10.0.1",
+      "resolved": "https://registry.npmjs.org/commander/-/commander-10.0.1.tgz",
+      "integrity": "sha512-y4Mg2tXshplEbSGzx7amzPwKKOCGuoSRP/CjEdwwk0FOGlUbq6lKuoyDZTNZkmxHdJtp54hdfY/JUrdL7Xfdug==",
      "dev": true,
      "engines": {
-        "node": ">=16"
+        "node": ">=14"
      }
    },
    "node_modules/markdownlint-cli/node_modules/glob": {
-      "version": "10.3.5",
-      "resolved": "https://registry.npmjs.org/glob/-/glob-10.3.5.tgz",
-      "integrity": "sha512-bYUpUD7XDEHI4Q2O5a7PXGvyw4deKR70kHiDxzQbe925wbZknhOzUt2xBgTkYL6RBcVeXYuD9iNYeqoWbBZQnA==",
+      "version": "10.2.2",
+      "resolved": "https://registry.npmjs.org/glob/-/glob-10.2.2.tgz",
+      "integrity": "sha512-Xsa0BcxIC6th9UwNjZkhrMtNo/MnyRL8jGCP+uEwhA5oFOCY1f2s1/oNKY47xQ0Bg5nkjsfAEIej1VeH62bDDQ==",
      "dev": true,
      "dependencies": {
        "foreground-child": "^3.1.0",
        "jackspeak": "^2.0.3",
-        "minimatch": "^9.0.1",
-        "minipass": "^5.0.0 || ^6.0.2 || ^7.0.0",
-        "path-scurry": "^1.10.1"
+        "minimatch": "^9.0.0",
+        "minipass": "^5.0.0",
+        "path-scurry": "^1.7.0"
      },
      "bin": {
        "glob": "dist/cjs/src/bin.js"
@@ -475,9 +475,9 @@
      }
    },
    "node_modules/markdownlint-cli/node_modules/minimatch": {
-      "version": "9.0.3",
-      "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-9.0.3.tgz",
-      "integrity": "sha512-RHiac9mvaRw0x3AYRgDC1CxAP7HTcNrrECeA8YYJeWnpo+2Q5CegtZjaotWTWxDG3UeGA1coE05iH1mPjT/2mg==",
+      "version": "9.0.0",
+      "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-9.0.0.tgz",
+      "integrity": "sha512-0jJj8AvgKqWN05mrwuqi8QYKx1WmYSUoKSxu5Qhs9prezTz10sxAHGNZe9J9cqIJzta8DWsleh2KaVaLl6Ru2w==",
      "dev": true,
      "dependencies": {
        "brace-expansion": "^2.0.1"
@@ -490,12 +490,12 @@
      }
    },
    "node_modules/markdownlint-micromark": {
-      "version": "0.1.7",
-      "resolved": "https://registry.npmjs.org/markdownlint-micromark/-/markdownlint-micromark-0.1.7.tgz",
-      "integrity": "sha512-BbRPTC72fl5vlSKv37v/xIENSRDYL/7X/XoFzZ740FGEbs9vZerLrIkFRY0rv7slQKxDczToYuMmqQFN61fi4Q==",
+      "version": "0.1.2",
+      "resolved": "https://registry.npmjs.org/markdownlint-micromark/-/markdownlint-micromark-0.1.2.tgz",
+      "integrity": "sha512-jRxlQg8KpOfM2IbCL9RXM8ZiYWz2rv6DlZAnGv8ASJQpUh6byTBnEsbuMZ6T2/uIgntyf7SKg/mEaEBo1164fQ==",
      "dev": true,
      "engines": {
-        "node": ">=16"
+        "node": ">=14.18.0"
      }
    },
    "node_modules/mdurl": {
@@ -562,13 +562,13 @@
      }
    },
    "node_modules/path-scurry": {
-      "version": "1.10.1",
-      "resolved": "https://registry.npmjs.org/path-scurry/-/path-scurry-1.10.1.tgz",
-      "integrity": "sha512-MkhCqzzBEpPvxxQ71Md0b1Kk51W01lrYvlMzSUaIzNsODdd7mqhiimSZlr+VegAz5Z6Vzt9Xg2ttE//XBhH3EQ==",
+      "version": "1.7.0",
+      "resolved": "https://registry.npmjs.org/path-scurry/-/path-scurry-1.7.0.tgz",
+      "integrity": "sha512-UkZUeDjczjYRE495+9thsgcVgsaCPkaw80slmfVFgllxY+IO8ubTsOpFVjDPROBqJdHfVPUFRHPBV/WciOVfWg==",
      "dev": true,
      "dependencies": {
-        "lru-cache": "^9.1.1 || ^10.0.0",
-        "minipass": "^5.0.0 || ^6.0.2 || ^7.0.0"
+        "lru-cache": "^9.0.0",
+        "minipass": "^5.0.0"
      },
      "engines": {
        "node": ">=16 || 14 >=14.17"
@@ -587,14 +587,14 @@
      }
    },
    "node_modules/run-con": {
-      "version": "1.3.2",
-      "resolved": "https://registry.npmjs.org/run-con/-/run-con-1.3.2.tgz",
-      "integrity": "sha512-CcfE+mYiTcKEzg0IqS08+efdnH0oJ3zV0wSUFBNrMHMuxCtXvBCLzCJHatwuXDcu/RlhjTziTo/a1ruQik6/Yg==",
+      "version": "1.2.11",
+      "resolved": "https://registry.npmjs.org/run-con/-/run-con-1.2.11.tgz",
+      "integrity": "sha512-NEMGsUT+cglWkzEr4IFK21P4Jca45HqiAbIIZIBdX5+UZTB24Mb/21iNGgz9xZa8tL6vbW7CXmq7MFN42+VjNQ==",
      "dev": true,
      "dependencies": {
        "deep-extend": "^0.6.0",
-        "ini": "~4.1.0",
-        "minimist": "^1.2.8",
+        "ini": "~3.0.0",
+        "minimist": "^1.2.6",
        "strip-json-comments": "~3.1.1"
      },
      "bin": {
@@ -14,6 +14,6 @@
  },
  "devDependencies": {
    "@bitnami/readme-generator-for-helm": "^2.5.0",
-    "markdownlint-cli": "^0.37.0"
+    "markdownlint-cli": "^0.34.0"
  }
 }
@@ -1,33 +0,0 @@
-{
-  $schema: 'https://docs.renovatebot.com/renovate-schema.json',
-  extends: [
-    'gitea>gitea/renovate-config',
-    ':automergeMinor',
-    'schedule:automergeDaily',
-    'schedule:weekends',
-  ],
-  labels: ['kind/dependency'],
-  automergeStrategy: 'squash',
-  customManagers: [
-    {
-      description: 'Gitea-version of https://docs.renovatebot.com/presets-regexManagers/#regexmanagersgithubactionsversions',
-      customType: 'regex',
-      fileMatch: ['.gitea/workflows/.+\\.ya?ml$'],
-      matchStrings: [
-        '# renovate: datasource=(?<datasource>[a-z-.]+?) depName=(?<depName>[^\\s]+?)(?: (?:lookupName|packageName)=(?<packageName>[^\\s]+?))?(?: versioning=(?<versioning>[a-z-0-9]+?))?\\s+[A-Za-z0-9_]+?_VERSION\\s*:\\s*["\']?(?<currentValue>.+?)["\']?\\s',
-      ],
-    },
-  ],
-  packageRules: [
-    {
-      groupName: 'subcharts (minor & patch)',
-      matchManagers: ['helmv3'],
-      matchUpdateTypes: ['minor', 'patch', 'digest'],
-    },
-    {
-      groupName: 'workflow dependencies (minor & patch)',
-      matchManagers: ['github-actions', 'npm', 'regex'],
-      matchUpdateTypes: ['minor', 'patch', 'digest'],
-    },
-  ],
-}
@@ -2,27 +2,6 @@
 {{/*
 Expand the name of the chart.
 */}}
-
-{{- /* multiple replicas assertions */ -}}
-{{- if gt .Values.replicaCount 1.0 -}}
-  {{- fail "When using multiple replicas, a RWX file system is required" -}}
-  {{- if eq (get (.Values.persistence.accessModes 0) "ReadWriteOnce") -}}
-    {{- fail "When using multiple replicas, a RWX file system is required" -}}
-  {{- end }}
-  
-  {{- if eq (get .Values.gitea.config.indexer "ISSUE_INDEXER_TYPE") "bleve" -}}
-    {{- fail "When using multiple replicas, the repo indexer must be set to 'meilisearch' or 'elasticsearch'" -}}
-  {{- end }}
-  
-  {{- if and (eq .Values.gitea.config.indexer.REPO_INDEXER_TYPE "bleve") (eq .Values.gitea.config.indexer.REPO_INDEXER_ENABLED "true") -}}
-    {{- fail "When using multiple replicas, the repo indexer must be set to 'meilisearch' or 'elasticsearch'" -}}
-  {{- end }}
-  
-  {{- if eq .Values.gitea.config.indexer.ISSUE_INDEXER_TYPE "bleve" -}}
-    {{- (printf "DEBUG: When using multiple replicas, the repo indexer must be set to 'meilisearch' or 'elasticsearch'") | fail -}}
-  {{- end }}
-{{- end }}
-
 {{- define "gitea.name" -}}
 {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
 {{- end -}}
@@ -56,22 +35,14 @@ Create chart name and version as used by the chart label.
 Create image name and tag used by the deployment.
 */}}
 {{- define "gitea.image" -}}
-{{- $fullOverride := .Values.image.fullOverride | default "" -}}
 {{- $registry := .Values.global.imageRegistry | default .Values.image.registry -}}
-{{- $repository := .Values.image.repository -}}
-{{- $separator := ":" -}}
+{{- $name := .Values.image.repository -}}
 {{- $tag := .Values.image.tag | default .Chart.AppVersion -}}
 {{- $rootless := ternary "-rootless" "" (.Values.image.rootless) -}}
-{{- $digest := "" -}}
-{{- if .Values.image.digest }}
-    {{- $digest = (printf "@%s" (.Values.image.digest | toString)) -}}
-{{- end -}}
-{{- if $fullOverride }}
-    {{- printf "%s" $fullOverride -}}
-{{- else if $registry }}
-    {{- printf "%s/%s%s%s%s%s" $registry $repository $separator $tag $rootless $digest -}}
+{{- if $registry -}}
+  {{- printf "%s/%s:%s%s" $registry $name $tag $rootless -}}
 {{- else -}}
-    {{- printf "%s%s%s%s%s" $repository $separator $tag $rootless $digest -}}
+  {{- printf "%s:%s%s" $name $tag $rootless -}}
 {{- end -}}
 {{- end -}}

@@ -120,38 +91,16 @@ app.kubernetes.io/name: {{ include "gitea.name" . }}
 app.kubernetes.io/instance: {{ .Release.Name }}
 {{- end -}}

-{{- define "postgresql-ha.dns" -}}
-{{- if (index .Values "postgresql-ha").enabled -}}
-{{- printf "%s-postgresql-ha-pgpool.%s.svc.%s:%g" .Release.Name .Release.Namespace .Values.clusterDomain (index .Values "postgresql-ha" "service" "ports" "postgresql") -}}
-{{- end -}}
-{{- end -}}
-
 {{- define "postgresql.dns" -}}
-{{- if (index .Values "postgresql").enabled -}}
 {{- printf "%s-postgresql.%s.svc.%s:%g" .Release.Name .Release.Namespace .Values.clusterDomain .Values.postgresql.global.postgresql.service.ports.postgresql -}}
 {{- end -}}
-{{- end -}}

-{{- define "redis.dns" -}}
-{{- if (index .Values "redis-cluster").enabled -}}
-{{- printf "redis+cluster://:%s@%s-redis-cluster-headless.%s.svc.%s:%g/0?pool_size=100&idle_timeout=180s&" (index .Values "redis-cluster").global.redis.password .Release.Name .Release.Namespace .Values.clusterDomain (index .Values "redis-cluster").service.ports.redis -}}
-{{- end -}}
-{{- end -}}
-
-{{- define "redis.port" -}}
-{{- if (index .Values "redis-cluster").enabled -}}
-{{ (index .Values "redis-cluster").service.ports.redis }}
-{{- end -}}
-{{- end -}}
-
-{{- define "redis.servicename" -}}
-{{- if (index .Values "redis-cluster").enabled -}}
-{{- printf "%s-redis-cluster-headless.%s.svc.%s" .Release.Name .Release.Namespace .Values.clusterDomain -}}
-{{- end -}}
+{{- define "memcached.dns" -}}
+{{- printf "%s-memcached.%s.svc.%s:%g" .Release.Name .Release.Namespace .Values.clusterDomain .Values.memcached.service.ports.memcached | trunc 63 | trimSuffix "-" -}}
 {{- end -}}

 {{- define "gitea.default_domain" -}}
-{{- printf "%s-http.%s.svc.%s" (include "gitea.fullname" .) .Release.Namespace .Values.clusterDomain -}}
+{{- printf "%s-gitea.%s.svc.%s" (include "gitea.fullname" .) .Release.Namespace .Values.clusterDomain | trunc 63 | trimSuffix "-" -}}
 {{- end -}}

 {{- define "gitea.ldap_settings" -}}
@@ -233,7 +182,6 @@ https
      {{- else -}}
        {{- (printf "Key %s cannot be on top level of configuration" $key) | fail -}}
      {{- end -}}
-
    {{- end }}
  {{- end }}

@@ -263,18 +211,6 @@ https
  {{- if not (hasKey .Values.gitea.config "oauth2") -}}
    {{- $_ := set .Values.gitea.config "oauth2" dict -}}
  {{- end -}}
-  {{- if not (hasKey .Values.gitea.config "session") -}}
-    {{- $_ := set .Values.gitea.config "session" dict -}}
-  {{- end -}}
-  {{- if not (hasKey .Values.gitea.config "queue") -}}
-    {{- $_ := set .Values.gitea.config "queue" dict -}}
-  {{- end -}}
-  {{- if not (hasKey .Values.gitea.config "queue.issue_indexer") -}}
-    {{- $_ := set .Values.gitea.config "queue.issue_indexer" dict -}}
-  {{- end -}}
-  {{- if not (hasKey .Values.gitea.config "indexer") -}}
-    {{- $_ := set .Values.gitea.config "indexer" dict -}}
-  {{- end -}}
 {{- end -}}

 {{- define "gitea.inline_configuration.defaults" -}}
@@ -290,27 +226,13 @@ https
  {{- if not (hasKey .Values.gitea.config.metrics "ENABLED") -}}
    {{- $_ := set .Values.gitea.config.metrics "ENABLED" .Values.gitea.metrics.enabled -}}
  {{- end -}}
-  {{- if (index .Values "redis-cluster").enabled -}}
+  {{- if .Values.memcached.enabled -}}
    {{- $_ := set .Values.gitea.config.cache "ENABLED" "true" -}}
-    {{- $_ := set .Values.gitea.config.cache "ADAPTER" "redis" -}}
+    {{- $_ := set .Values.gitea.config.cache "ADAPTER" "memcache" -}}
    {{- if not (.Values.gitea.config.cache.HOST) -}}
-      {{- $_ := set .Values.gitea.config.cache "HOST" (include "redis.dns" .) -}}
+      {{- $_ := set .Values.gitea.config.cache "HOST" (include "memcached.dns" .) -}}
    {{- end -}}
  {{- end -}}
-  {{- /* redis queue */ -}}
-  {{- if (index .Values "redis-cluster").enabled -}}
-    {{- $_ := set .Values.gitea.config.queue "TYPE" "redis" -}}
-    {{- $_ := set .Values.gitea.config.queue "CONN_STR" (include "redis.dns" .) -}}
-  {{- end -}}
-  {{- if not (get .Values.gitea.config.session "PROVIDER") -}}
-    {{- $_ := set .Values.gitea.config.session "PROVIDER" "redis" -}}
-  {{- end -}}
-  {{- if not (get .Values.gitea.config.session "PROVIDER_CONFIG") -}}
-    {{- $_ := set .Values.gitea.config.session "PROVIDER_CONFIG" (include "redis.dns" .) -}}
-  {{- end -}}
-  {{- if not .Values.gitea.config.indexer.ISSUE_INDEXER_TYPE -}}
-     {{- $_ := set .Values.gitea.config.indexer "ISSUE_INDEXER_TYPE" "db" -}}
-  {{- end -}}
 {{- end -}}

 {{- define "gitea.inline_configuration.defaults.server" -}}
@@ -322,7 +244,7 @@ https
  {{- end -}}
  {{- if not (.Values.gitea.config.server.DOMAIN) -}}
    {{- if gt (len .Values.ingress.hosts) 0 -}}
-      {{- $_ := set .Values.gitea.config.server "DOMAIN" ( tpl (index .Values.ingress.hosts 0).host $) -}}
+      {{- $_ := set .Values.gitea.config.server "DOMAIN" (index .Values.ingress.hosts 0).host -}}
    {{- else -}}
      {{- $_ := set .Values.gitea.config.server "DOMAIN" (include "gitea.default_domain" .) -}}
    {{- end -}}
@@ -357,16 +279,7 @@ https
 {{- end -}}

 {{- define "gitea.inline_configuration.defaults.database" -}}
-  {{- if (index .Values "postgresql-ha" "enabled") -}}
-    {{- $_ := set .Values.gitea.config.database "DB_TYPE"   "postgres" -}}
-    {{- if not (.Values.gitea.config.database.HOST) -}}
-      {{- $_ := set .Values.gitea.config.database "HOST"      (include "postgresql-ha.dns" .) -}}
-    {{- end -}}
-    {{- $_ := set .Values.gitea.config.database "NAME"      (index .Values "postgresql-ha" "global" "postgresql" "database") -}}
-    {{- $_ := set .Values.gitea.config.database "USER"      (index .Values "postgresql-ha" "global" "postgresql" "username") -}}
-    {{- $_ := set .Values.gitea.config.database "PASSWD"    (index .Values "postgresql-ha" "global" "postgresql" "password") -}}
-  {{- end -}}
-  {{- if (index .Values "postgresql" "enabled") -}}
+  {{- if .Values.postgresql.enabled -}}
    {{- $_ := set .Values.gitea.config.database "DB_TYPE"   "postgres" -}}
    {{- if not (.Values.gitea.config.database.HOST) -}}
      {{- $_ := set .Values.gitea.config.database "HOST"      (include "postgresql.dns" .) -}}
@@ -398,7 +311,3 @@ https
 {{- define "gitea.gpg-key-secret-name" -}}
 {{ default (printf "%s-gpg-key" (include "gitea.fullname" .)) .Values.signing.existingSecret }}
 {{- end -}}
-
-{{- define "gitea.serviceAccountName" -}}
-{{ .Values.serviceAccount.name | default (include "gitea.fullname" .) }}
-{{- end -}}
@@ -16,41 +16,32 @@ metadata:
    {{- include "gitea.labels" . | nindent 4 }}
 type: Opaque
 stringData:
-  assertions: |
-
-{{- /*assert that only one PG dep is enabled */ -}}
-{{- if and (.Values.postgresql.enabled) (index .Values "postgresql-ha" "enabled") -}}
-  {{- fail "Only one of postgresql or postgresql-ha can be enabled at the same time." -}}
-{{- end }}
-
-{{- /* multiple replicas assertions */ -}}
-{{- if gt .Values.replicaCount 1.0 -}}
-  {{- if (get (get .Values.gitea.config "cron.GIT_GC_REPOS") "ENABLED") -}}
-    {{- fail "Invoking the garbage collector via CRON is not yet supported when running with multiple replicas. Please set 'cron.GIT_GC_REPOS.enabled = false'." -}}
-  {{- end }}
-
-  {{- if eq (first .Values.persistence.accessModes) "ReadWriteOnce" -}}
-    {{- fail "When using multiple replicas, a RWX file system is required and gitea.persistence.accessModes[0] must be set to ReadWriteMany." -}}
-  {{- end }}
-
-  {{- if eq (get .Values.gitea.config.indexer "ISSUE_INDEXER_TYPE") "bleve" -}}
-    {{- fail "When using multiple replicas, the issue indexer (gitea.config.indexer.ISSUE_INDEXER_TYPE) must be set to a HA-ready provider such as 'meilisearch', 'elasticsearch' or 'db' (if the DB is HA-ready)." -}}
-  {{- end }}
-  {{- if .Values.gitea.config.indexer.REPO_INDEXER_TYPE -}}
-    {{- if eq (get .Values.gitea.config.indexer "REPO_INDEXER_TYPE") "bleve" -}}
-      {{- if .Values.gitea.config.indexer.REPO_INDEXER_ENABLED -}}
-        {{- if eq (get .Values.gitea.config.indexer "REPO_INDEXER_ENABLED") "true" -}}
-          {{- fail "When using multiple replicas, the repo indexer (gitea.config.indexer.REPO_INDEXER_TYPE) must be set to 'meilisearch' or 'elasticsearch' or disabled." -}}
-        {{- end }}
-      {{- end }}
-    {{- end }}
-  {{- end }}
-  
-{{- end }}
  config_environment.sh: |-
    #!/usr/bin/env bash
    set -euo pipefail

+    ### initial creation of persistent secrets
+    if ![ -f ${GITEA_APP_INI} ]; then
+      function env2ini::generate_initial_secrets() {
+        # These environment variables will either be
+        #   - overwritten with user defined values,
+        #   - initially used to set up Gitea
+        # Anyway, they won't harm existing app.ini files
+
+        export ENV_TO_INI__SECURITY__INTERNAL_TOKEN=$(gitea generate secret INTERNAL_TOKEN)
+        export ENV_TO_INI__SECURITY__SECRET_KEY=$(gitea generate secret SECRET_KEY)
+        export ENV_TO_INI__OAUTH2__JWT_SECRET=$(gitea generate secret JWT_SECRET)
+        export ENV_TO_INI__SERVER__LFS_JWT_SECRET=$(gitea generate secret LFS_JWT_SECRET)
+
+        env2ini::log "...Initial secrets generated\n"
+      }
+    fi
+
+    # ensure a clean start
+    if [ -f ${GITEA_APP_INI} ]; then
+      rm $GITEA_APP_INI
+    fi
+
    function env2ini::log() {
      printf "${1}\n"
    }
@@ -84,14 +75,14 @@ stringData:
      env2ini::log "    + '${setting}'"

      if [[ -z "${section}" ]]; then
-        export "GITEA____${setting^^}=${value}"                           # '^^' makes the variable content uppercase
+        export "ENV_TO_INI____${setting^^}=${value}"                           # '^^' makes the variable content uppercase
        return
      fi

      local masked_section="${section//./_0X2E_}"                            # '//' instructs to replace all matches
      masked_section="${masked_section//-/_0X2D_}"

-      export "GITEA__${masked_section^^}__${setting^^}=${value}"        # '^^' makes the variable content uppercase
+      export "ENV_TO_INI__${masked_section^^}__${setting^^}=${value}"        # '^^' makes the variable content uppercase
    }

    function env2ini::reload_preset_envs() {
@@ -159,22 +150,7 @@ stringData:
      fi
    }

-    function env2ini::generate_initial_secrets() {
-      # These environment variables will either be
-      #   - overwritten with user defined values,
-      #   - initially used to set up Gitea
-      # Anyway, they won't harm existing app.ini files
-
-      export GITEA__SECURITY__INTERNAL_TOKEN=$(gitea generate secret INTERNAL_TOKEN)
-      export GITEA__SECURITY__SECRET_KEY=$(gitea generate secret SECRET_KEY)
-      export GITEA__OAUTH2__JWT_SECRET=$(gitea generate secret JWT_SECRET)
-      export GITEA__SERVER__LFS_JWT_SECRET=$(gitea generate secret LFS_JWT_SECRET)
-
-      env2ini::log "...Initial secrets generated\n"
-    }
-    
-    # save existing envs prior to script execution. Necessary to keep order of preexisting and custom envs
-    env | (grep GITEA || [[ $? == 1 ]]) > /tmp/existing-envs
+    env | (grep ENV_TO_INI || [[ $? == 1 ]]) > /tmp/existing-envs
    
    # MUST BE CALLED BEFORE OTHER CONFIGURATION
    env2ini::generate_initial_secrets
@@ -195,10 +171,10 @@ stringData:
      env2ini::log '  - oauth2.JWT_SECRET'
      env2ini::log '  - server.LFS_JWT_SECRET'

-      unset GITEA__SECURITY__INTERNAL_TOKEN
-      unset GITEA__SECURITY__SECRET_KEY
-      unset GITEA__OAUTH2__JWT_SECRET
-      unset GITEA__SERVER__LFS_JWT_SECRET
+      unset ENV_TO_INI__SECURITY__INTERNAL_TOKEN
+      unset ENV_TO_INI__SECURITY__SECRET_KEY
+      unset ENV_TO_INI__OAUTH2__JWT_SECRET
+      unset ENV_TO_INI__SERVER__LFS_JWT_SECRET
    fi

-    environment-to-ini -o $GITEA_APP_INI
+    environment-to-ini -o $GITEA_APP_INI -p ENV_TO_INI
@@ -15,10 +15,10 @@ metadata:
  name: {{ $fullName }}
  labels:
    {{- include "gitea.labels" . | nindent 4 }}
+  {{- with .Values.ingress.annotations }}
  annotations:
-    {{- range $key, $value := .Values.ingress.annotations }}
-      {{ $key }}: {{ $value | quote }}
-    {{- end }}
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
 spec:
 {{- if .Values.ingress.className }}
  ingressClassName: {{ .Values.ingress.className }}
@@ -28,14 +28,14 @@ spec:
  {{- range .Values.ingress.tls }}
    - hosts:
      {{- range .hosts }}
-        - {{ tpl . $ | quote }}
+        - {{ . | quote }}
      {{- end }}
      secretName: {{ .secretName }}
  {{- end }}
 {{- end }}
  rules:
    {{- range .Values.ingress.hosts }}
-    - host: {{ tpl .host $ | quote }}
+    - host: {{ .host | quote }}
      http:
        paths:
          {{- range .paths }}
@@ -61,27 +61,6 @@ stringData:
      echo "Gitea migrate might fail due to database connection...This init-container will try again in a few seconds"
      exit 1
    }
-
-    {{- if include "redis.servicename" . }}
-    function test_redis_connection() {
-      local RETRY=0
-      local MAX=30
-      
-      echo 'Wait for redis to become avialable...'
-      until [ "${RETRY}" -ge "${MAX}" ]; do
-        nc -vz -w2 {{ include "redis.servicename" . }} {{ include "redis.port" . }} && break
-        RETRY=$[${RETRY}+1]
-        echo "...not ready yet (${RETRY}/${MAX})"
-      done
-
-      if [ "${RETRY}" -ge "${MAX}" ]; then
-        echo "Redis not reachable after '${MAX}' attempts!"
-        exit 1
-      fi
-    }
-
-    test_redis_connection
-    {{- end }}
    

    {{- if or .Values.gitea.admin.existingSecret (and .Values.gitea.admin.username .Values.gitea.admin.password) }}
@@ -1,17 +0,0 @@
-{{- if .Values.podDisruptionBudget -}}
-{{- if .Capabilities.APIVersions.Has "policy/v1" }}
-apiVersion: policy/v1
-{{- else }}
-apiVersion: policy/v1beta1
-{{- end }}
-kind: PodDisruptionBudget
-metadata:
-  name: {{ include "gitea.fullname" . }}
-  labels:
-    {{- include "gitea.labels" . | nindent 4 }}
-spec:
-  selector:
-    matchLabels:
-      {{- include "gitea.selectorLabels" . | nindent 6 }}
-  {{- toYaml .Values.podDisruptionBudget | nindent 2 }}
-{{- end -}}
@@ -1,26 +0,0 @@
-{{- if and .Values.persistence.enabled .Values.persistence.create }}
-kind: PersistentVolumeClaim
-apiVersion: v1
-metadata:
-  name: {{ .Values.persistence.claimName }}
-  namespace: {{ $.Release.Namespace }}
-  annotations:
-{{ .Values.persistence.annotations | toYaml | indent 4}}
-spec:
-  accessModes:
-  {{- if gt .Values.replicaCount 1.0 }}
-      - ReadWriteMany
-  {{- else }}
-    {{- .Values.persistence.accessModes | toYaml | nindent 4 }}
-  {{- end }}
-  volumeMode: Filesystem
-  {{- if .Values.persistence.storageClass }}
-  storageClassName: {{ .Values.persistence.storageClass }}
-  {{- end }}
-  {{- with .Values.persistence.volumeName }}
-  volumeName: {{ . }}
-  {{- end }}
-  resources:
-    requests:
-      storage: {{ .Values.persistence.size }}
-{{- end }}
@@ -1,21 +0,0 @@
-{{- if .Values.serviceAccount.create }}
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: {{ include "gitea.serviceAccountName" . }}
-  namespace: {{ .Release.Namespace | quote }}
-  labels:
-    {{- include "gitea.labels" . | nindent 4 }}
-    {{- with .Values.serviceAccount.labels }}
-    {{- . | toYaml | nindent 4 }}
-  {{- end }}
-  {{- with .Values.serviceAccount.annotations }}
-  annotations:
-    {{- . | toYaml | nindent 4 }}
-  {{- end }}
-automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }}
-{{- with .Values.serviceAccount.imagePullSecrets }}
-imagePullSecrets:
-  {{- . | toYaml | nindent 2 }}
-{{- end }}
-{{- end }}
@@ -39,9 +39,7 @@ spec:
  ports:
  - name: ssh
    port: {{ .Values.service.ssh.port }}
-    {{- if .Values.gitea.config.server.SSH_LISTEN_PORT }}
    targetPort: {{ .Values.gitea.config.server.SSH_LISTEN_PORT }}
-    {{- end }}
    protocol: TCP
    {{- if .Values.service.ssh.nodePort }}
    nodePort: {{ .Values.service.ssh.nodePort }}
@@ -1,28 +1,22 @@
 apiVersion: apps/v1
-kind: Deployment
+kind: StatefulSet
 metadata:
  name: {{ include "gitea.fullname" . }}
  annotations:
-    {{- if .Values.deployment.annotations }}
-    {{- toYaml .Values.deployment.annotations | nindent 4 }}
+    {{- if .Values.statefulset.annotations }}
+    {{- toYaml .Values.statefulset.annotations | nindent 4 }}
    {{- end }}
  labels:
    {{- include "gitea.labels" . | nindent 4 }}
 spec:
  replicas: {{ .Values.replicaCount }}
-  strategy:
-    type: {{ .Values.strategy.type }}
-    {{- if eq .Values.strategy.type "RollingUpdate" }}
-    rollingUpdate:
-      maxUnavailable: {{ .Values.strategy.rollingUpdate.maxUnavailable }}
-      maxSurge: {{ .Values.strategy.rollingUpdate.maxSurge }}
-    {{- end }}
  selector:
    matchLabels:
      {{- include "gitea.selectorLabels" . | nindent 6 }}
-      {{- if .Values.deployment.labels }}
-      {{- toYaml .Values.deployment.labels | nindent 6 }}
+      {{- if .Values.statefulset.labels }}
+      {{- toYaml .Values.statefulset.labels | nindent 6 }}
      {{- end }}
+  serviceName: {{ include "gitea.fullname" . }}
  template:
    metadata:
      annotations:
@@ -38,16 +32,13 @@ spec:
        {{- end }}
      labels:
        {{- include "gitea.labels" . | nindent 8 }}
-        {{- if .Values.deployment.labels }}
-        {{- toYaml .Values.deployment.labels | nindent 8 }}
+        {{- if .Values.statefulset.labels }}
+        {{- toYaml .Values.statefulset.labels | nindent 8 }}
        {{- end }}
    spec:
      {{- if .Values.schedulerName }}
      schedulerName: "{{ .Values.schedulerName }}"
      {{- end }}
-      {{- if (or .Values.serviceAccount.create .Values.serviceAccount.name) }}
-      serviceAccountName: {{ include "gitea.serviceAccountName" . }}
-      {{- end }}
      {{- if .Values.priorityClassName }}
      priorityClassName: "{{ .Values.priorityClassName }}"
      {{- end }}
@@ -68,8 +59,8 @@ spec:
              value: /data
            - name: GITEA_TEMP
              value: /tmp/gitea
-            {{- if .Values.deployment.env }}
-            {{- toYaml .Values.deployment.env | nindent 12 }}
+            {{- if .Values.statefulset.env }}
+            {{- toYaml .Values.statefulset.env | nindent 12 }}
            {{- end }}
            {{- if .Values.signing.enabled }}
            - name: GNUPGHOME
@@ -103,8 +94,8 @@ spec:
              value: /data
            - name: GITEA_TEMP
              value: /tmp/gitea
-            {{- if .Values.deployment.env }}
-            {{- toYaml .Values.deployment.env | nindent 12 }}
+            {{- if .Values.statefulset.env }}
+            {{- toYaml .Values.statefulset.env | nindent 12 }}
            {{- end }}
            {{- if .Values.gitea.additionalConfigFromEnvs }}
            {{- toYaml .Values.gitea.additionalConfigFromEnvs | nindent 12 }}
@@ -240,8 +231,8 @@ spec:
            - name: GITEA_ADMIN_PASSWORD
              value: {{ .Values.gitea.admin.password | quote }}
            {{- end }}
-            {{- if .Values.deployment.env }}
-            {{- toYaml .Values.deployment.env | nindent 12 }}
+            {{- if .Values.statefulset.env }}
+            {{- toYaml .Values.statefulset.env | nindent 12 }}
            {{- end }}
          volumeMounts:
            - name: init
@@ -256,7 +247,7 @@ spec:
            {{- include "gitea.init-additional-mounts" . | nindent 12 }}
          resources:
            {{- toYaml .Values.initContainers.resources | nindent 12 }}
-      terminationGracePeriodSeconds: {{ .Values.deployment.terminationGracePeriodSeconds }}
+      terminationGracePeriodSeconds: {{ .Values.statefulset.terminationGracePeriodSeconds }}
      containers:
        - name: {{ .Chart.Name }}
          image: "{{ include "gitea.image" . }}"
@@ -289,8 +280,8 @@ spec:
            - name: GNUPGHOME
              value: {{ .Values.signing.gpgHome }}
            {{- end }}
-            {{- if .Values.deployment.env }}
-            {{- toYaml .Values.deployment.env | nindent 12 }}
+            {{- if .Values.statefulset.env }}
+            {{- toYaml .Values.statefulset.env | nindent 12 }}
            {{- end }}
          ports:
            - name: ssh
@@ -346,10 +337,6 @@ spec:
      affinity:
        {{- toYaml . | nindent 8 }}
    {{- end }}
-    {{- with .Values.topologySpreadConstraints }}
-      topologySpreadConstraints: 
-        {{- toYaml . | nindent 8 }}
-    {{- end }}
    {{- with .Values.tolerations }}
      tolerations:
        {{- toYaml . | nindent 8 }}
@@ -388,13 +375,38 @@ spec:
                path: private.asc
            defaultMode: 0100
        {{- end }}
-  {{- if .Values.persistence.enabled }}
-    {{- if .Values.persistence.mount }}
+  {{- if and .Values.persistence.enabled .Values.persistence.existingClaim }}
        - name: data
          persistentVolumeClaim:
-            claimName: {{ .Values.persistence.claimName }}
-    {{- end }}
+  {{- with .Values.persistence.existingClaim }}
+            claimName: {{ tpl . $ }}
+  {{- end }}
  {{- else if not .Values.persistence.enabled }}
        - name: data
          emptyDir: {}
+  {{- else if and .Values.persistence.enabled (not .Values.persistence.existingClaim) }}
+  volumeClaimTemplates:
+    - metadata:
+        name: data
+      {{- with .Values.persistence.annotations }}
+        annotations:
+        {{- range $key, $value := . }}
+          {{ $key }}: {{ $value }}
+        {{- end }}
+      {{- end }}
+      {{- with .Values.persistence.labels }}
+        labels:
+        {{- range $key, $value := . }}
+          {{ $key }}: {{ $value }}
+        {{- end }}
+      {{- end }}
+      spec:
+        accessModes:
+          {{- range .Values.persistence.accessModes }}
+            - {{ . | quote }}
+          {{- end }}
+        {{- include "gitea.persistence.storageClass" . | indent 8 }}
+        resources:
+          requests:
+            storage: {{ .Values.persistence.size | quote }}
  {{- end }}
@@ -1,30 +0,0 @@
-suite: config template | database section (postgresql-ha)
-release:
-  name: gitea-unittests
-  namespace: testing
-tests:
-  - it: connects to pgpool service
-    template: templates/gitea/config.yaml
-    set:
-      postgresql:
-        enabled: false
-      postgresql-ha:
-        enabled: true
-    asserts:
-      - documentIndex: 0
-        matchRegex:
-          path: stringData.database
-          pattern: HOST=gitea-unittests-postgresql-ha-pgpool.testing.svc.cluster.local:5432
-  - it: renders the referenced service
-    template: charts/postgresql-ha/templates/pgpool/service.yaml
-    set:
-      postgresql:
-        enabled: false
-      postgresql-ha:
-        enabled: true
-    asserts:
-      - containsDocument:
-          kind: Service
-          apiVersion: v1
-          name: gitea-unittests-postgresql-ha-pgpool
-          namespace: testing
@@ -1,30 +0,0 @@
-suite: config template | database section (postgresql)
-release:
-  name: gitea-unittests
-  namespace: testing
-tests:
-  - it: "connects to postgresql service"
-    template: templates/gitea/config.yaml
-    set:
-      postgresql:
-        enabled: true
-      postgresql-ha:
-        enabled: false
-    asserts:
-      - documentIndex: 0
-        matchRegex:
-          path: stringData.database
-          pattern: HOST=gitea-unittests-postgresql.testing.svc.cluster.local:5432
-  - it: "renders the referenced service"
-    template: charts/postgresql/templates/primary/svc.yaml
-    set:
-      postgresql:
-        enabled: true
-      postgresql-ha:
-        enabled: false
-    asserts:
-      - containsDocument:
-          kind: Service
-          apiVersion: v1
-          name: gitea-unittests-postgresql
-          namespace: testing
@@ -1,67 +0,0 @@
-suite: config template | server section (domain related)
-release:
-  name: gitea-unittests
-  namespace: testing
-tests:
-  - it: "[default values] uses ingress host for DOMAIN|SSH_DOMAIN|ROOT_URL"
-    template: templates/gitea/config.yaml
-    asserts:
-      - documentIndex: 0
-        matchRegex:
-          path: stringData.server
-          pattern: \nDOMAIN=git.example.com
-      - documentIndex: 0
-        matchRegex:
-          path: stringData.server
-          pattern: \nSSH_DOMAIN=git.example.com
-      - documentIndex: 0
-        matchRegex:
-          path: stringData.server
-          pattern: \nROOT_URL=http://git.example.com
-
-  ################################################
-
-  - it: "[no ingress hosts] uses gitea http service for DOMAIN|SSH_DOMAIN|ROOT_URL"
-    template: templates/gitea/config.yaml
-    set:
-      ingress:
-        hosts: []
-    asserts:
-      - documentIndex: 0
-        matchRegex:
-          path: stringData.server
-          pattern: \nDOMAIN=gitea-unittests-http.testing.svc.cluster.local
-      - documentIndex: 0
-        matchRegex:
-          path: stringData.server
-          pattern: \nSSH_DOMAIN=gitea-unittests-http.testing.svc.cluster.local
-      - documentIndex: 0
-        matchRegex:
-          path: stringData.server
-          pattern: \nROOT_URL=http://gitea-unittests-http.testing.svc.cluster.local
-
-  ################################################
-
-  - it: "[provided via values] uses that for DOMAIN|SSH_DOMAIN|ROOT_URL"
-    template: templates/gitea/config.yaml
-    set:
-      gitea.config.server.DOMAIN: provided.example.com
-      ingress:
-        hosts:
-          - host: non-used.example.com
-            paths:
-              - path: /
-                pathType: Prefix
-    asserts:
-      - documentIndex: 0
-        matchRegex:
-          path: stringData.server
-          pattern: \nDOMAIN=provided.example.com
-      - documentIndex: 0
-        matchRegex:
-          path: stringData.server
-          pattern: \nSSH_DOMAIN=provided.example.com
-      - documentIndex: 0
-        matchRegex:
-          path: stringData.server
-          pattern: \nROOT_URL=http://provided.example.com
@@ -1,93 +0,0 @@
-suite: deployment template (image configuration)
-release:
-  name: gitea-unittests
-  namespace: testing
-chart:
-  # Override appVersion to be consistent with used digest :)
-  appVersion: 1.19.3
-templates:
-  - templates/gitea/deployment.yaml
-  - templates/gitea/config.yaml
-tests:
-  - it: default values
-    template: templates/gitea/deployment.yaml
-    asserts:
-      - equal:
-          path: spec.template.spec.containers[0].image
-          value: "gitea/gitea:1.19.3-rootless"
-  - it: tag override
-    template: templates/gitea/deployment.yaml
-    set:
-      image.tag: "1.19.4"
-    asserts:
-      - equal:
-          path: spec.template.spec.containers[0].image
-          value: "gitea/gitea:1.19.4-rootless"
-  - it: root-based image
-    template: templates/gitea/deployment.yaml
-    set:
-      image.rootless: false
-    asserts:
-      - equal:
-          path: spec.template.spec.containers[0].image
-          value: "gitea/gitea:1.19.3"
-  - it: scoped registry
-    template: templates/gitea/deployment.yaml
-    set:
-      image.registry: "example.com"
-    asserts:
-      - equal:
-          path: spec.template.spec.containers[0].image
-          value: "example.com/gitea/gitea:1.19.3-rootless"
-  - it: global registry
-    template: templates/gitea/deployment.yaml
-    set:
-      global.imageRegistry: "global.example.com"
-    asserts:
-      - equal:
-          path: spec.template.spec.containers[0].image
-          value: "global.example.com/gitea/gitea:1.19.3-rootless"
-  - it: digest for rootless image
-    template: templates/gitea/deployment.yaml
-    set:
-      image:
-        rootless: true
-        digest: sha256:b28e8f3089b52ebe6693295df142f8c12eff354e9a4a5bfbb5c10f296c3a537a
-    asserts:
-      - equal:
-          path: spec.template.spec.containers[0].image
-          value: "gitea/gitea:1.19.3-rootless@sha256:b28e8f3089b52ebe6693295df142f8c12eff354e9a4a5bfbb5c10f296c3a537a"
-  - it: image fullOverride (does not append rootless)
-    template: templates/gitea/deployment.yaml
-    set:
-      image:
-        fullOverride: gitea/gitea:1.19.3
-        # setting rootless, registry, repository, tag, and digest to prove that override works
-        rootless: true
-        registry: example.com
-        repository: example/image
-        tag: "1.0.0"
-        digest: sha256:b28e8f3089b52ebe6693295df142f8c12eff354e9a4a5bfbb5c10f296c3a537a
-    asserts:
-      - equal:
-          path: spec.template.spec.containers[0].image
-          value: "gitea/gitea:1.19.3"
-  - it: digest for root-based image
-    template: templates/gitea/deployment.yaml
-    set:
-      image:
-        rootless: false
-        digest: sha256:b28e8f3089b52ebe6693295df142f8c12eff354e9a4a5bfbb5c10f296c3a537a
-    asserts:
-      - equal:
-          path: spec.template.spec.containers[0].image
-          value: "gitea/gitea:1.19.3@sha256:b28e8f3089b52ebe6693295df142f8c12eff354e9a4a5bfbb5c10f296c3a537a"
-  - it: digest and global registry
-    template: templates/gitea/deployment.yaml
-    set:
-      global.imageRegistry: "global.example.com"
-      image.digest: "sha256:b28e8f3089b52ebe6693295df142f8c12eff354e9a4a5bfbb5c10f296c3a537a"
-    asserts:
-      - equal:
-          path: spec.template.spec.containers[0].image
-          value: "global.example.com/gitea/gitea:1.19.3-rootless@sha256:b28e8f3089b52ebe6693295df142f8c12eff354e9a4a5bfbb5c10f296c3a537a"
@@ -1,23 +0,0 @@
-suite: ingress template
-release:
-  name: gitea-unittests
-  namespace: testing
-templates:
-  - templates/gitea/ingress.yaml
-tests:
-  - it: hostname using TPL
-    set:
-      global.giteaHostName: "gitea.example.com"
-      ingress.enabled: true
-      ingress.hosts[0].host: "{{ .Values.global.giteaHostName }}"
-      ingress.tls:
-        - secretName: gitea-tls
-          hosts:
-            - "{{ .Values.global.giteaHostName }}"
-    asserts:
-      - equal:
-          path: spec.tls[0].hosts[0]
-          value: "gitea.example.com"
-      - equal:
-          path: spec.rules[0].host
-          value: "gitea.example.com"
@@ -1,33 +0,0 @@
-suite: config template
-release:
-  name: gitea-unittests
-  namespace: testing
-templates:
-  - templates/gitea/config.yaml
-tests:
-  - it: inline config stringData.server using TPL
-    set:
-      global.giteaHostName: "gitea.example.com"
-      ingress.enabled: true
-      ingress.hosts[0].host: "{{ .Values.global.giteaHostName }}"
-      ingress.tls:
-        - secretName: gitea-tls
-          hosts:
-            - "{{ .Values.global.giteaHostName }}"
-    asserts:
-      - documentIndex: 0
-        matchRegex:
-          path: metadata.name
-          pattern: .*-inline-config$
-      - documentIndex: 0
-        matchRegex:
-          path: stringData.server
-          pattern: DOMAIN=gitea\.example\.com
-      - documentIndex: 0
-        matchRegex:
-          path: stringData.server
-          pattern: ROOT_URL=https://gitea\.example\.com
-      - documentIndex: 0
-        matchRegex:
-          path: stringData.server
-          pattern: SSH_DOMAIN=gitea\.example\.com
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
pat-s	abf6e2c8a9	create initial secrets before app.ini removal	2023-05-29 20:13:00 +02:00
pat-s	b663ab88a2	condition on existence	2023-05-29 12:07:24 +02:00
pat-s	01b2cd6858	remove existing `app.ini` before creating it	2023-05-29 11:54:19 +02:00